€•      Œsphinx.addnodes”Œdocument”“”)”}”(Œ	rawsource”Œ ”Œchildren”]”(Œtranslations”ŒLanguagesNode”“”)”}”(hhh]”(h Œpending_xref”“”)”}”(hhh]”Œdocutils.nodes”ŒText”“”ŒChinese (Simplified)”…””}”Œparent”hsbaŒ
attributes”}”(Œids”]”Œclasses”]”Œnames”]”Œdupnames”]”Œbackrefs”]”Œ	refdomain”Œstd”Œreftype”Œdoc”Œ	reftarget”Œ*/translations/zh_CN/userspace-api/landlock”Œmodname”NŒ	classname”NŒrefexplicit”ˆuŒtagname”hhhubh)”}”(hhh]”hŒChinese (Traditional)”…””}”hh2sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ*/translations/zh_TW/userspace-api/landlock”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒItalian”…””}”hhFsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ*/translations/it_IT/userspace-api/landlock”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒJapanese”…””}”hhZsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ*/translations/ja_JP/userspace-api/landlock”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒKorean”…””}”hhnsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ*/translations/ko_KR/userspace-api/landlock”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒPortuguese (Brazilian)”…””}”hh‚sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ*/translations/pt_BR/userspace-api/landlock”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒSpanish”…””}”hh–sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ*/translations/sp_SP/userspace-api/landlock”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubeh}”(h]”h ]”h"]”h$]”h&]”Œcurrent_language”ŒEnglish”uh1h
hhŒ	_document”hŒsource”NŒline”NubhŒcomment”“”)”}”(hŒ SPDX-License-Identifier: GPL-2.0”h]”hŒ SPDX-License-Identifier: GPL-2.0”…””}”hh·sbah}”(h]”h ]”h"]”h$]”h&]”Œ	xml:space”Œpreserve”uh1hµhhh²hh³ŒD/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock.rst”h´Kubh¶)”}”(hŒ9Copyright Â© 2017-2020 MickaÃ«l SalaÃ¼n <mic@digikod.net>”h]”hŒ9Copyright Â© 2017-2020 MickaÃ«l SalaÃ¼n <mic@digikod.net>”…””}”hhÈsbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1hµhhh²hh³hÇh´Kubh¶)”}”(hŒCopyright Â© 2019-2020 ANSSI”h]”hŒCopyright Â© 2019-2020 ANSSI”…””}”hhÖsbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1hµhhh²hh³hÇh´Kubh¶)”}”(hŒ,Copyright Â© 2021-2022 Microsoft Corporation”h]”hŒ,Copyright Â© 2021-2022 Microsoft Corporation”…””}”hhäsbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1hµhhh²hh³hÇh´KubhŒsection”“”)”}”(hhh]”(hŒtitle”“”)”}”(hŒ%Landlock: unprivileged access control”h]”hŒ%Landlock: unprivileged access control”…””}”(hhùh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hhôh²hh³hÇh´KubhŒ
field_list”“”)”}”(hhh]”(hŒfield”“”)”}”(hhh]”(hŒ
field_name”“”)”}”(hŒAuthor”h]”hŒAuthor”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  h³hÇh´K ubhŒ
field_body”“”)”}”(hŒMickaÃ«l SalaÃ¼n”h]”hŒ	paragraph”“”)”}”(hj%  h]”hŒMickaÃ«l SalaÃ¼n”…””}”(hj)  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´K
hj#  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j!  hj  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  h³hÇh´K
hj	  h²hubj  )”}”(hhh]”(j  )”}”(hŒDate”h]”hŒDate”…””}”(hjE  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjB  h³hÇh´K ubj"  )”}”(hŒMarch 2026
”h]”j(  )”}”(hŒ
March 2026”h]”hŒ
March 2026”…””}”(hjW  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´KhjS  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j!  hjB  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  h³hÇh´Khj	  h²hubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hhôh²hh³hÇh´K
ubj(  )”}”(hX  The goal of Landlock is to enable restriction of ambient rights (e.g. global
filesystem or network access) for a set of processes.  Because Landlock
is a stackable LSM, it makes it possible to create safe security sandboxes as
new security layers in addition to the existing system-wide access-controls.
This kind of sandbox is expected to help mitigate the security impact of bugs or
unexpected/malicious behaviors in user space applications.  Landlock empowers
any process, including unprivileged ones, to securely restrict themselves.”h]”hX  The goal of Landlock is to enable restriction of ambient rights (e.g. global
filesystem or network access) for a set of processes.  Because Landlock
is a stackable LSM, it makes it possible to create safe security sandboxes as
new security layers in addition to the existing system-wide access-controls.
This kind of sandbox is expected to help mitigate the security impact of bugs or
unexpected/malicious behaviors in user space applications.  Landlock empowers
any process, including unprivileged ones, to securely restrict themselves.”…””}”(hjw  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´Khhôh²hubj(  )”}”(hX¥  We can quickly make sure that Landlock is enabled in the running system by
looking for "landlock: Up and running" in kernel logs (as root):
``dmesg | grep landlock || journalctl -kb -g landlock`` .
Developers can also easily check for Landlock support with a
:ref:`related system call <landlock_abi_versions>`.
If Landlock is not currently supported, we need to
:ref:`configure the kernel appropriately <kernel_support>`.”h]”(hŒWe can quickly make sure that Landlock is enabled in the running system by
looking for â€œlandlock: Up and runningâ€ in kernel logs (as root):
”…””}”(hj…  h²hh³Nh´NubhŒliteral”“”)”}”(hŒ7``dmesg | grep landlock || journalctl -kb -g landlock``”h]”hŒ3dmesg | grep landlock || journalctl -kb -g landlock”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj…  ubhŒ@ .
Developers can also easily check for Landlock support with a
”…””}”(hj…  h²hh³Nh´Nubh)”}”(hŒ2:ref:`related system call <landlock_abi_versions>`”h]”hŒinline”“”)”}”(hj£  h]”hŒrelated system call”…””}”(hj§  h²hh³Nh´Nubah}”(h]”h ]”(Œxref”Œstd”Œstd-ref”eh"]”h$]”h&]”uh1j¥  hj¡  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”Œuserspace-api/landlock”Œ	refdomain”j²  Œreftype”Œref”Œrefexplicit”ˆŒrefwarn”ˆŒ	reftarget”Œlandlock_abi_versions”uh1hh³hÇh´Khj…  ubhŒ5.
If Landlock is not currently supported, we need to
”…””}”(hj…  h²hh³Nh´Nubh)”}”(hŒ::ref:`configure the kernel appropriately <kernel_support>`”h]”j¦  )”}”(hjÌ  h]”hŒ"configure the kernel appropriately”…””}”(hjÎ  h²hh³Nh´Nubah}”(h]”h ]”(j±  Œstd”Œstd-ref”eh"]”h$]”h&]”uh1j¥  hjÊ  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j¾  Œ	refdomain”jØ  Œreftype”Œref”Œrefexplicit”ˆŒrefwarn”ˆjÄ  Œkernel_support”uh1hh³hÇh´Khj…  ubhŒ.”…””}”(hj…  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´Khhôh²hubhó)”}”(hhh]”(hø)”}”(hŒLandlock rules”h]”hŒLandlock rules”…””}”(hj÷  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hjô  h²hh³hÇh´Kubj(  )”}”(hŒÌA Landlock rule describes an action on an object which the process intends to
perform.  A set of rules is aggregated in a ruleset, which can then restrict
the thread enforcing it, and its future children.”h]”hŒÌA Landlock rule describes an action on an object which the process intends to
perform.  A set of rules is aggregated in a ruleset, which can then restrict
the thread enforcing it, and its future children.”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´K hjô  h²hubj(  )”}”(hŒ$The two existing types of rules are:”h]”hŒ$The two existing types of rules are:”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´K$hjô  h²hubhŒdefinition_list”“”)”}”(hhh]”(hŒdefinition_list_item”“”)”}”(hŒ’Filesystem rules
For these rules, the object is a file hierarchy,
and the related filesystem actions are defined with
`filesystem access rights`.
”h]”(hŒterm”“”)”}”(hŒFilesystem rules”h]”hŒFilesystem rules”…””}”(hj.  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  h³hÇh´K)hj(  ubhŒ
definition”“”)”}”(hhh]”j(  )”}”(hŒ€For these rules, the object is a file hierarchy,
and the related filesystem actions are defined with
`filesystem access rights`.”h]”(hŒeFor these rules, the object is a file hierarchy,
and the related filesystem actions are defined with
”…””}”(hjA  h²hh³Nh´NubhŒtitle_reference”“”)”}”(hŒ`filesystem access rights`”h]”hŒfilesystem access rights”…””}”(hjK  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jI  hjA  ubhŒ.”…””}”(hjA  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´K'hj>  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j<  hj(  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j&  h³hÇh´K)hj#  ubj'  )”}”(hŒŠNetwork rules (since ABI v4)
For these rules, the object is a TCP port,
and the related actions are defined with `network access rights`.
”h]”(j-  )”}”(hŒNetwork rules (since ABI v4)”h]”hŒNetwork rules (since ABI v4)”…””}”(hjs  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  h³hÇh´K-hjo  ubj=  )”}”(hhh]”j(  )”}”(hŒlFor these rules, the object is a TCP port,
and the related actions are defined with `network access rights`.”h]”(hŒTFor these rules, the object is a TCP port,
and the related actions are defined with ”…””}”(hj„  h²hh³Nh´NubjJ  )”}”(hŒ`network access rights`”h]”hŒnetwork access rights”…””}”(hjŒ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jI  hj„  ubhŒ.”…””}”(hj„  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´K,hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j<  hjo  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j&  h³hÇh´K-hj#  h²hubeh}”(h]”h ]”h"]”h$]”h&]”uh1j!  hjô  h²hh³hÇh´Nubhó)”}”(hhh]”(hø)”}”(hŒ(Defining and enforcing a security policy”h]”hŒ(Defining and enforcing a security policy”…””}”(hj¹  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hj¶  h²hh³hÇh´K0ubj(  )”}”(hŒ@We first need to define the ruleset that will contain our rules.”h]”hŒ@We first need to define the ruleset that will contain our rules.”…””}”(hjÇ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´K2hj¶  h²hubj(  )”}”(hŒÀFor this example, the ruleset will contain rules that only allow filesystem
read actions and establish a specific TCP connection. Filesystem write
actions and other TCP actions will be denied.”h]”hŒÀFor this example, the ruleset will contain rules that only allow filesystem
read actions and establish a specific TCP connection. Filesystem write
actions and other TCP actions will be denied.”…””}”(hjÕ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´K4hj¶  h²hubj(  )”}”(hX  The ruleset then needs to handle both these kinds of actions.  This is
required for backward and forward compatibility (i.e. the kernel and user
space may not know each other's supported restrictions), hence the need
to be explicit about the denied-by-default access rights.”h]”hX  The ruleset then needs to handle both these kinds of actions.  This is
required for backward and forward compatibility (i.e. the kernel and user
space may not know each otherâ€™s supported restrictions), hence the need
to be explicit about the denied-by-default access rights.”…””}”(hjã  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´K8hj¶  h²hubhŒliteral_block”“”)”}”(hX¡  struct landlock_ruleset_attr ruleset_attr = {
    .handled_access_fs =
        LANDLOCK_ACCESS_FS_EXECUTE |
        LANDLOCK_ACCESS_FS_WRITE_FILE |
        LANDLOCK_ACCESS_FS_READ_FILE |
        LANDLOCK_ACCESS_FS_READ_DIR |
        LANDLOCK_ACCESS_FS_REMOVE_DIR |
        LANDLOCK_ACCESS_FS_REMOVE_FILE |
        LANDLOCK_ACCESS_FS_MAKE_CHAR |
        LANDLOCK_ACCESS_FS_MAKE_DIR |
        LANDLOCK_ACCESS_FS_MAKE_REG |
        LANDLOCK_ACCESS_FS_MAKE_SOCK |
        LANDLOCK_ACCESS_FS_MAKE_FIFO |
        LANDLOCK_ACCESS_FS_MAKE_BLOCK |
        LANDLOCK_ACCESS_FS_MAKE_SYM |
        LANDLOCK_ACCESS_FS_REFER |
        LANDLOCK_ACCESS_FS_TRUNCATE |
        LANDLOCK_ACCESS_FS_IOCTL_DEV |
        LANDLOCK_ACCESS_FS_RESOLVE_UNIX,
    .handled_access_net =
        LANDLOCK_ACCESS_NET_BIND_TCP |
        LANDLOCK_ACCESS_NET_CONNECT_TCP,
    .scoped =
        LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
        LANDLOCK_SCOPE_SIGNAL,
};”h]”hX¡  struct landlock_ruleset_attr ruleset_attr = {
    .handled_access_fs =
        LANDLOCK_ACCESS_FS_EXECUTE |
        LANDLOCK_ACCESS_FS_WRITE_FILE |
        LANDLOCK_ACCESS_FS_READ_FILE |
        LANDLOCK_ACCESS_FS_READ_DIR |
        LANDLOCK_ACCESS_FS_REMOVE_DIR |
        LANDLOCK_ACCESS_FS_REMOVE_FILE |
        LANDLOCK_ACCESS_FS_MAKE_CHAR |
        LANDLOCK_ACCESS_FS_MAKE_DIR |
        LANDLOCK_ACCESS_FS_MAKE_REG |
        LANDLOCK_ACCESS_FS_MAKE_SOCK |
        LANDLOCK_ACCESS_FS_MAKE_FIFO |
        LANDLOCK_ACCESS_FS_MAKE_BLOCK |
        LANDLOCK_ACCESS_FS_MAKE_SYM |
        LANDLOCK_ACCESS_FS_REFER |
        LANDLOCK_ACCESS_FS_TRUNCATE |
        LANDLOCK_ACCESS_FS_IOCTL_DEV |
        LANDLOCK_ACCESS_FS_RESOLVE_UNIX,
    .handled_access_net =
        LANDLOCK_ACCESS_NET_BIND_TCP |
        LANDLOCK_ACCESS_NET_CONNECT_TCP,
    .scoped =
        LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
        LANDLOCK_SCOPE_SIGNAL,
};”…””}”hjó  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆŒforce”‰Œlanguage”Œc”Œhighlight_args”}”uh1jñ  h³hÇh´K=hj¶  h²hubj(  )”}”(hŒçBecause we may not know which kernel version an application will be executed
on, it is safer to follow a best-effort security approach.  Indeed, we
should try to protect users as much as possible whatever the kernel they are
using.”h]”hŒçBecause we may not know which kernel version an application will be executed
on, it is safer to follow a best-effort security approach.  Indeed, we
should try to protect users as much as possible whatever the kernel they are
using.”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´KZhj¶  h²hubj(  )”}”(hŒTo be compatible with older Linux versions, we detect the available Landlock ABI
version, and only use the available subset of access rights:”h]”hŒTo be compatible with older Linux versions, we detect the available Landlock ABI
version, and only use the available subset of access rights:”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´K_hj¶  h²hubjò  )”}”(hX+  int abi;

abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
if (abi < 0) {
    /* Degrades gracefully if Landlock is not handled. */
    perror("The running kernel does not enable to use Landlock");
    return 0;
}
switch (abi) {
case 1:
    /* Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2 */
    ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
    __attribute__((fallthrough));
case 2:
    /* Removes LANDLOCK_ACCESS_FS_TRUNCATE for ABI < 3 */
    ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
    __attribute__((fallthrough));
case 3:
    /* Removes network support for ABI < 4 */
    ruleset_attr.handled_access_net &=
        ~(LANDLOCK_ACCESS_NET_BIND_TCP |
          LANDLOCK_ACCESS_NET_CONNECT_TCP);
    __attribute__((fallthrough));
case 4:
    /* Removes LANDLOCK_ACCESS_FS_IOCTL_DEV for ABI < 5 */
    ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV;
    __attribute__((fallthrough));
case 5:
    /* Removes LANDLOCK_SCOPE_* for ABI < 6 */
    ruleset_attr.scoped &= ~(LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
                             LANDLOCK_SCOPE_SIGNAL);
    __attribute__((fallthrough));
case 6 ... 8:
    /* Removes LANDLOCK_ACCESS_FS_RESOLVE_UNIX for ABI < 9 */
    ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_RESOLVE_UNIX;
}”h]”hX+  int abi;

abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
if (abi < 0) {
    /* Degrades gracefully if Landlock is not handled. */
    perror("The running kernel does not enable to use Landlock");
    return 0;
}
switch (abi) {
case 1:
    /* Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2 */
    ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
    __attribute__((fallthrough));
case 2:
    /* Removes LANDLOCK_ACCESS_FS_TRUNCATE for ABI < 3 */
    ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
    __attribute__((fallthrough));
case 3:
    /* Removes network support for ABI < 4 */
    ruleset_attr.handled_access_net &=
        ~(LANDLOCK_ACCESS_NET_BIND_TCP |
          LANDLOCK_ACCESS_NET_CONNECT_TCP);
    __attribute__((fallthrough));
case 4:
    /* Removes LANDLOCK_ACCESS_FS_IOCTL_DEV for ABI < 5 */
    ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV;
    __attribute__((fallthrough));
case 5:
    /* Removes LANDLOCK_SCOPE_* for ABI < 6 */
    ruleset_attr.scoped &= ~(LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
                             LANDLOCK_SCOPE_SIGNAL);
    __attribute__((fallthrough));
case 6 ... 8:
    /* Removes LANDLOCK_ACCESS_FS_RESOLVE_UNIX for ABI < 9 */
    ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_RESOLVE_UNIX;
}”…””}”hj"  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆj  ‰j  j  j  }”uh1jñ  h³hÇh´Kbhj¶  h²hubj(  )”}”(hŒNThis enables the creation of an inclusive ruleset that will contain our rules.”h]”hŒNThis enables the creation of an inclusive ruleset that will contain our rules.”…””}”(hj1  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´K‰hj¶  h²hubjò  )”}”(hŒ®int ruleset_fd;

ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
if (ruleset_fd < 0) {
    perror("Failed to create a ruleset");
    return 1;
}”h]”hŒ®int ruleset_fd;

ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
if (ruleset_fd < 0) {
    perror("Failed to create a ruleset");
    return 1;
}”…””}”hj?  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆj  ‰j  j  j  }”uh1jñ  h³hÇh´K‹hj¶  h²hubj(  )”}”(hX  We can now add a new rule to this ruleset thanks to the returned file
descriptor referring to this ruleset.  The rule will allow reading and
executing the file hierarchy ``/usr``.  Without another rule, write actions
would then be denied by the ruleset.  To add ``/usr`` to the ruleset, we open
it with the ``O_PATH`` flag and fill the &struct landlock_path_beneath_attr with
this file descriptor.”h]”(hŒªWe can now add a new rule to this ruleset thanks to the returned file
descriptor referring to this ruleset.  The rule will allow reading and
executing the file hierarchy ”…””}”(hjN  h²hh³Nh´NubjŽ  )”}”(hŒ``/usr``”h]”hŒ/usr”…””}”(hjV  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjN  ubhŒT.  Without another rule, write actions
would then be denied by the ruleset.  To add ”…””}”(hjN  h²hh³Nh´NubjŽ  )”}”(hŒ``/usr``”h]”hŒ/usr”…””}”(hjh  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjN  ubhŒ% to the ruleset, we open
it with the ”…””}”(hjN  h²hh³Nh´NubjŽ  )”}”(hŒ
``O_PATH``”h]”hŒO_PATH”…””}”(hjz  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjN  ubhŒP flag and fill the &struct landlock_path_beneath_attr with
this file descriptor.”…””}”(hjN  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´K•hj¶  h²hubjò  )”}”(hXQ  int err;
struct landlock_path_beneath_attr path_beneath = {
    .allowed_access =
        LANDLOCK_ACCESS_FS_EXECUTE |
        LANDLOCK_ACCESS_FS_READ_FILE |
        LANDLOCK_ACCESS_FS_READ_DIR,
};

path_beneath.parent_fd = open("/usr", O_PATH | O_CLOEXEC);
if (path_beneath.parent_fd < 0) {
    perror("Failed to open file");
    close(ruleset_fd);
    return 1;
}
err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
                        &path_beneath, 0);
close(path_beneath.parent_fd);
if (err) {
    perror("Failed to update ruleset");
    close(ruleset_fd);
    return 1;
}”h]”hXQ  int err;
struct landlock_path_beneath_attr path_beneath = {
    .allowed_access =
        LANDLOCK_ACCESS_FS_EXECUTE |
        LANDLOCK_ACCESS_FS_READ_FILE |
        LANDLOCK_ACCESS_FS_READ_DIR,
};

path_beneath.parent_fd = open("/usr", O_PATH | O_CLOEXEC);
if (path_beneath.parent_fd < 0) {
    perror("Failed to open file");
    close(ruleset_fd);
    return 1;
}
err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
                        &path_beneath, 0);
close(path_beneath.parent_fd);
if (err) {
    perror("Failed to update ruleset");
    close(ruleset_fd);
    return 1;
}”…””}”hj’  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆj  ‰j  j  j  }”uh1jñ  h³hÇh´Kœhj¶  h²hubj(  )”}”(hX'  It may also be required to create rules following the same logic as explained
for the ruleset creation, by filtering access rights according to the Landlock
ABI version.  In this example, this is not required because all of the requested
``allowed_access`` rights are already available in ABI 1.”h]”(hŒîIt may also be required to create rules following the same logic as explained
for the ruleset creation, by filtering access rights according to the Landlock
ABI version.  In this example, this is not required because all of the requested
”…””}”(hj¡  h²hh³Nh´NubjŽ  )”}”(hŒ``allowed_access``”h]”hŒallowed_access”…””}”(hj©  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj¡  ubhŒ' rights are already available in ABI 1.”…””}”(hj¡  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´Kµhj¶  h²hubj(  )”}”(hŒFor network access-control, we can add a set of rules that allow to use a port
number for a specific action: HTTPS connections.”h]”hŒFor network access-control, we can add a set of rules that allow to use a port
number for a specific action: HTTPS connections.”…””}”(hjÁ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´Kºhj¶  h²hubjò  )”}”(hŒÙstruct landlock_net_port_attr net_port = {
    .allowed_access = LANDLOCK_ACCESS_NET_CONNECT_TCP,
    .port = 443,
};

err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
                        &net_port, 0);”h]”hŒÙstruct landlock_net_port_attr net_port = {
    .allowed_access = LANDLOCK_ACCESS_NET_CONNECT_TCP,
    .port = 443,
};

err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
                        &net_port, 0);”…””}”hjÏ  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆj  ‰j  j  j  }”uh1jñ  h³hÇh´K½hj¶  h²hubj(  )”}”(hŒÚWhen passing a non-zero ``flags`` argument to ``landlock_restrict_self()``, a
similar backwards compatibility check is needed for the restrict flags
(see sys_landlock_restrict_self() documentation for available flags):”h]”(hŒWhen passing a non-zero ”…””}”(hjÞ  h²hh³Nh´NubjŽ  )”}”(hŒ	``flags``”h]”hŒflags”…””}”(hjæ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÞ  ubhŒ argument to ”…””}”(hjÞ  h²hh³Nh´NubjŽ  )”}”(hŒ``landlock_restrict_self()``”h]”hŒlandlock_restrict_self()”…””}”(hjø  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÞ  ubhŒ, a
similar backwards compatibility check is needed for the restrict flags
(see sys_landlock_restrict_self() documentation for available flags):”…””}”(hjÞ  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´KÇhj¶  h²hubjò  )”}”(hX  __u32 restrict_flags =
    LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON |
    LANDLOCK_RESTRICT_SELF_TSYNC;
switch (abi) {
case 1 ... 6:
    /* Removes logging flags for ABI < 7 */
    restrict_flags &= ~(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF |
                        LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON |
                        LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF);
    __attribute__((fallthrough));
case 7:
    /*
     * Removes multithreaded enforcement flag for ABI < 8
     *
     * WARNING: Without this flag, calling landlock_restrict_self(2) is
     * only equivalent if the calling process is single-threaded. Below
     * ABI v8 (and as of ABI v8, when not using this flag), a Landlock
     * policy would only be enforced for the calling thread and its
     * children (and not for all threads, including parents and siblings).
     */
    restrict_flags &= ~LANDLOCK_RESTRICT_SELF_TSYNC;
}”h]”hX  __u32 restrict_flags =
    LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON |
    LANDLOCK_RESTRICT_SELF_TSYNC;
switch (abi) {
case 1 ... 6:
    /* Removes logging flags for ABI < 7 */
    restrict_flags &= ~(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF |
                        LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON |
                        LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF);
    __attribute__((fallthrough));
case 7:
    /*
     * Removes multithreaded enforcement flag for ABI < 8
     *
     * WARNING: Without this flag, calling landlock_restrict_self(2) is
     * only equivalent if the calling process is single-threaded. Below
     * ABI v8 (and as of ABI v8, when not using this flag), a Landlock
     * policy would only be enforced for the calling thread and its
     * children (and not for all threads, including parents and siblings).
     */
    restrict_flags &= ~LANDLOCK_RESTRICT_SELF_TSYNC;
}”…””}”hj  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆj  ‰j  j  j  }”uh1jñ  h³hÇh´KËhj¶  h²hubj(  )”}”(hX-  The next step is to restrict the current thread from gaining more privileges
(e.g. through a SUID binary).  We now have a ruleset with the first rule
allowing read and execute access to ``/usr`` while denying all other handled
accesses for the filesystem, and a second rule allowing HTTPS connections.”h]”(hŒºThe next step is to restrict the current thread from gaining more privileges
(e.g. through a SUID binary).  We now have a ruleset with the first rule
allowing read and execute access to ”…””}”(hj  h²hh³Nh´NubjŽ  )”}”(hŒ``/usr``”h]”hŒ/usr”…””}”(hj'  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubhŒk while denying all other handled
accesses for the filesystem, and a second rule allowing HTTPS connections.”…””}”(hj  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´Kähj¶  h²hubjò  )”}”(hŒif (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
    perror("Failed to restrict privileges");
    close(ruleset_fd);
    return 1;
}”h]”hŒif (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
    perror("Failed to restrict privileges");
    close(ruleset_fd);
    return 1;
}”…””}”hj?  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆj  ‰j  j  j  }”uh1jñ  h³hÇh´Kéhj¶  h²hubj(  )”}”(hŒCThe current thread is now ready to sandbox itself with the ruleset.”h]”hŒCThe current thread is now ready to sandbox itself with the ruleset.”…””}”(hjN  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´Kñhj¶  h²hubjò  )”}”(hŒœif (landlock_restrict_self(ruleset_fd, restrict_flags)) {
    perror("Failed to enforce ruleset");
    close(ruleset_fd);
    return 1;
}
close(ruleset_fd);”h]”hŒœif (landlock_restrict_self(ruleset_fd, restrict_flags)) {
    perror("Failed to enforce ruleset");
    close(ruleset_fd);
    return 1;
}
close(ruleset_fd);”…””}”hj\  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆj  ‰j  j  j  }”uh1jñ  h³hÇh´Kóhj¶  h²hubj(  )”}”(hXœ  If the ``landlock_restrict_self`` system call succeeds, the current thread is
now restricted and this policy will be enforced on all its subsequently created
children as well.  Once a thread is landlocked, there is no way to remove its
security policy; only adding more restrictions is allowed.  These threads are
now in a new Landlock domain, which is a merger of their parent one (if any)
with the new ruleset.”h]”(hŒIf the ”…””}”(hjk  h²hh³Nh´NubjŽ  )”}”(hŒ``landlock_restrict_self``”h]”hŒlandlock_restrict_self”…””}”(hjs  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjk  ubhX{   system call succeeds, the current thread is
now restricted and this policy will be enforced on all its subsequently created
children as well.  Once a thread is landlocked, there is no way to remove its
security policy; only adding more restrictions is allowed.  These threads are
now in a new Landlock domain, which is a merger of their parent one (if any)
with the new ruleset.”…””}”(hjk  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´Kühj¶  h²hubj(  )”}”(hŒBFull working code can be found in `samples/landlock/sandboxer.c`_.”h]”(hŒ"Full working code can be found in ”…””}”(hj‹  h²hh³Nh´NubhŒ	reference”“”)”}”(hŒ`samples/landlock/sandboxer.c`_”h]”hŒsamples/landlock/sandboxer.c”…””}”(hj•  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œsamples/landlock/sandboxer.c”Œrefuri”Œbhttps://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/samples/landlock/sandboxer.c”uh1j“  hj‹  Œresolved”KubhŒ.”…””}”(hj‹  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´Mhj¶  h²hubeh}”(h]”Œ(defining-and-enforcing-a-security-policy”ah ]”h"]”Œ(defining and enforcing a security policy”ah$]”h&]”uh1hòhjô  h²hh³hÇh´K0ubhó)”}”(hhh]”(hø)”}”(hŒGood practices”h]”hŒGood practices”…””}”(hj½  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hjº  h²hh³hÇh´Mubj(  )”}”(hXü  It is recommended to set access rights to file hierarchy leaves as much as
possible.  For instance, it is better to be able to have ``~/doc/`` as a
read-only hierarchy and ``~/tmp/`` as a read-write hierarchy, compared to
``~/`` as a read-only hierarchy and ``~/tmp/`` as a read-write hierarchy.
Following this good practice leads to self-sufficient hierarchies that do not
depend on their location (i.e. parent directories).  This is particularly
relevant when we want to allow linking or renaming.  Indeed, having consistent
access rights per directory enables changing the location of such directories
without relying on the destination directory access rights (except those that
are required for this operation, see ``LANDLOCK_ACCESS_FS_REFER``
documentation).”h]”(hŒ„It is recommended to set access rights to file hierarchy leaves as much as
possible.  For instance, it is better to be able to have ”…””}”(hjË  h²hh³Nh´NubjŽ  )”}”(hŒ
``~/doc/``”h]”hŒ~/doc/”…””}”(hjÓ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjË  ubhŒ as a
read-only hierarchy and ”…””}”(hjË  h²hh³Nh´NubjŽ  )”}”(hŒ
``~/tmp/``”h]”hŒ~/tmp/”…””}”(hjå  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjË  ubhŒ( as a read-write hierarchy, compared to
”…””}”(hjË  h²hh³Nh´NubjŽ  )”}”(hŒ``~/``”h]”hŒ~/”…””}”(hj÷  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjË  ubhŒ as a read-only hierarchy and ”…””}”(hjË  h²hh³Nh´NubjŽ  )”}”(hŒ
``~/tmp/``”h]”hŒ~/tmp/”…””}”(hj	  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjË  ubhXÄ   as a read-write hierarchy.
Following this good practice leads to self-sufficient hierarchies that do not
depend on their location (i.e. parent directories).  This is particularly
relevant when we want to allow linking or renaming.  Indeed, having consistent
access rights per directory enables changing the location of such directories
without relying on the destination directory access rights (except those that
are required for this operation, see ”…””}”(hjË  h²hh³Nh´NubjŽ  )”}”(hŒ``LANDLOCK_ACCESS_FS_REFER``”h]”hŒLANDLOCK_ACCESS_FS_REFER”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjË  ubhŒ
documentation).”…””}”(hjË  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´Mhjº  h²hubj(  )”}”(hX  Having self-sufficient hierarchies also helps to tighten the required access
rights to the minimal set of data.  This also helps avoid sinkhole directories,
i.e. directories where data can be linked to but not linked from.  However,
this depends on data organization, which might not be controlled by developers.
In this case, granting read-write access to ``~/tmp/``, instead of write-only
access, would potentially allow moving ``~/tmp/`` to a non-readable directory
and still keep the ability to list the content of ``~/tmp/``.”h]”(hXe  Having self-sufficient hierarchies also helps to tighten the required access
rights to the minimal set of data.  This also helps avoid sinkhole directories,
i.e. directories where data can be linked to but not linked from.  However,
this depends on data organization, which might not be controlled by developers.
In this case, granting read-write access to ”…””}”(hj3  h²hh³Nh´NubjŽ  )”}”(hŒ
``~/tmp/``”h]”hŒ~/tmp/”…””}”(hj;  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj3  ubhŒ?, instead of write-only
access, would potentially allow moving ”…””}”(hj3  h²hh³Nh´NubjŽ  )”}”(hŒ
``~/tmp/``”h]”hŒ~/tmp/”…””}”(hjM  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj3  ubhŒO to a non-readable directory
and still keep the ability to list the content of ”…””}”(hj3  h²hh³Nh´NubjŽ  )”}”(hŒ
``~/tmp/``”h]”hŒ~/tmp/”…””}”(hj_  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj3  ubhŒ.”…””}”(hj3  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´Mhjº  h²hubeh}”(h]”Œgood-practices”ah ]”h"]”Œgood practices”ah$]”h&]”uh1hòhjô  h²hh³hÇh´Mubhó)”}”(hhh]”(hø)”}”(hŒ!Layers of file path access rights”h]”hŒ!Layers of file path access rights”…””}”(hj‚  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hj  h²hh³hÇh´Mubj(  )”}”(hX6  Each time a thread enforces a ruleset on itself, it updates its Landlock domain
with a new layer of policy.  This complementary policy is stacked with any
other rulesets potentially already restricting this thread.  A sandboxed thread
can then safely add more constraints to itself with a new enforced ruleset.”h]”hX6  Each time a thread enforces a ruleset on itself, it updates its Landlock domain
with a new layer of policy.  This complementary policy is stacked with any
other rulesets potentially already restricting this thread.  A sandboxed thread
can then safely add more constraints to itself with a new enforced ruleset.”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´Mhj  h²hubj(  )”}”(hX9  One policy layer grants access to a file path if at least one of its rules
encountered on the path grants the access.  A sandboxed thread can only access
a file path if all its enforced policy layers grant the access as well as all
the other system access controls (e.g. filesystem DAC, other LSM policies,
etc.).”h]”hX9  One policy layer grants access to a file path if at least one of its rules
encountered on the path grants the access.  A sandboxed thread can only access
a file path if all its enforced policy layers grant the access as well as all
the other system access controls (e.g. filesystem DAC, other LSM policies,
etc.).”…””}”(hjž  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´M$hj  h²hubeh}”(h]”Œ!layers-of-file-path-access-rights”ah ]”h"]”Œ!layers of file path access rights”ah$]”h&]”uh1hòhjô  h²hh³hÇh´Mubhó)”}”(hhh]”(hø)”}”(hŒBind mounts and OverlayFS”h]”hŒBind mounts and OverlayFS”…””}”(hj·  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hj´  h²hh³hÇh´M+ubj(  )”}”(hŒèLandlock enables restricting access to file hierarchies, which means that these
access rights can be propagated with bind mounts (cf.
Documentation/filesystems/sharedsubtree.rst) but not with
Documentation/filesystems/overlayfs.rst.”h]”hŒèLandlock enables restricting access to file hierarchies, which means that these
access rights can be propagated with bind mounts (cf.
Documentation/filesystems/sharedsubtree.rst) but not with
Documentation/filesystems/overlayfs.rst.”…””}”(hjÅ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´M-hj´  h²hubj(  )”}”(hX²  A bind mount mirrors a source file hierarchy to a destination.  The destination
hierarchy is then composed of the exact same files, on which Landlock rules can
be tied, either via the source or the destination path.  These rules restrict
access when they are encountered on a path, which means that they can restrict
access to multiple file hierarchies at the same time, whether these hierarchies
are the result of bind mounts or not.”h]”hX²  A bind mount mirrors a source file hierarchy to a destination.  The destination
hierarchy is then composed of the exact same files, on which Landlock rules can
be tied, either via the source or the destination path.  These rules restrict
access when they are encountered on a path, which means that they can restrict
access to multiple file hierarchies at the same time, whether these hierarchies
are the result of bind mounts or not.”…””}”(hjÓ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´M2hj´  h²hubj(  )”}”(hXø  An OverlayFS mount point consists of upper and lower layers.  These layers are
combined in a merge directory, and that merged directory becomes available at
the mount point.  This merge hierarchy may include files from the upper and
lower layers, but modifications performed on the merge hierarchy only reflect
on the upper layer.  From a Landlock policy point of view, all OverlayFS layers
and merge hierarchies are standalone and each contains their own set of files
and directories, which is different from bind mounts.  A policy restricting an
OverlayFS layer will not restrict the resulted merged hierarchy, and vice versa.
Landlock users should then only think about file hierarchies they want to allow
access to, regardless of the underlying filesystem.”h]”hXø  An OverlayFS mount point consists of upper and lower layers.  These layers are
combined in a merge directory, and that merged directory becomes available at
the mount point.  This merge hierarchy may include files from the upper and
lower layers, but modifications performed on the merge hierarchy only reflect
on the upper layer.  From a Landlock policy point of view, all OverlayFS layers
and merge hierarchies are standalone and each contains their own set of files
and directories, which is different from bind mounts.  A policy restricting an
OverlayFS layer will not restrict the resulted merged hierarchy, and vice versa.
Landlock users should then only think about file hierarchies they want to allow
access to, regardless of the underlying filesystem.”…””}”(hjá  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´M9hj´  h²hubeh}”(h]”Œbind-mounts-and-overlayfs”ah ]”h"]”Œbind mounts and overlayfs”ah$]”h&]”uh1hòhjô  h²hh³hÇh´M+ubhó)”}”(hhh]”(hø)”}”(hŒInheritance”h]”hŒInheritance”…””}”(hjú  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hj÷  h²hh³hÇh´MEubj(  )”}”(hX×  Every new thread resulting from a :manpage:`clone(2)` inherits Landlock domain
restrictions from its parent.  This is similar to seccomp inheritance (cf.
Documentation/userspace-api/seccomp_filter.rst) or any other LSM dealing with
task's :manpage:`credentials(7)`.  For instance, one process's thread may apply
Landlock rules to itself, but they will not be automatically applied to other
sibling threads (unlike POSIX thread credential changes, cf.
:manpage:`nptl(7)`).”h]”(hŒ"Every new thread resulting from a ”…””}”(hj  h²hh³Nh´Nubh Œmanpage”“”)”}”(hŒ:manpage:`clone(2)`”h]”hŒclone(2)”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆŒpath”Œclone(2)”Œpage”Œclone”Œsection”Œ2”uh1j  hj  ubhŒ¼ inherits Landlock domain
restrictions from its parent.  This is similar to seccomp inheritance (cf.
Documentation/userspace-api/seccomp_filter.rst) or any other LSM dealing with
taskâ€™s ”…””}”(hj  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`credentials(7)`”h]”hŒcredentials(7)”…””}”(hj*  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œcredentials(7)”j"  Œcredentials”j$  Œ7”uh1j  hj  ubhŒ½.  For instance, one processâ€™s thread may apply
Landlock rules to itself, but they will not be automatically applied to other
sibling threads (unlike POSIX thread credential changes, cf.
”…””}”(hj  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`nptl(7)`”h]”hŒnptl(7)”…””}”(hj?  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œnptl(7)”j"  Œnptl”j$  j:  uh1j  hj  ubhŒ).”…””}”(hj  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´MGhj÷  h²hubj(  )”}”(hX?  When a thread sandboxes itself, we have the guarantee that the related security
policy will stay enforced on all this thread's descendants.  This allows
creating standalone and modular security policies per application, which will
automatically be composed between themselves according to their runtime parent
policies.”h]”hXA  When a thread sandboxes itself, we have the guarantee that the related security
policy will stay enforced on all this threadâ€™s descendants.  This allows
creating standalone and modular security policies per application, which will
automatically be composed between themselves according to their runtime parent
policies.”…””}”(hjY  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´MOhj÷  h²hubeh}”(h]”Œinheritance”ah ]”h"]”Œinheritance”ah$]”h&]”uh1hòhjô  h²hh³hÇh´MEubhó)”}”(hhh]”(hø)”}”(hŒPtrace restrictions”h]”hŒPtrace restrictions”…””}”(hjr  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hjo  h²hh³hÇh´MVubj(  )”}”(hX  A sandboxed process has less privileges than a non-sandboxed process and must
then be subject to additional restrictions when manipulating another process.
To be allowed to use :manpage:`ptrace(2)` and related syscalls on a target
process, a sandboxed process should have a superset of the target process's
access rights, which means the tracee must be in a sub-domain of the tracer.”h]”(hŒ±A sandboxed process has less privileges than a non-sandboxed process and must
then be subject to additional restrictions when manipulating another process.
To be allowed to use ”…””}”(hj€  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`ptrace(2)`”h]”hŒ	ptrace(2)”…””}”(hjˆ  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œ	ptrace(2)”j"  Œptrace”j$  j%  uh1j  hj€  ubhŒ¼ and related syscalls on a target
process, a sandboxed process should have a superset of the target processâ€™s
access rights, which means the tracee must be in a sub-domain of the tracer.”…””}”(hj€  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´MXhjo  h²hubeh}”(h]”Œptrace-restrictions”ah ]”h"]”Œptrace restrictions”ah$]”h&]”uh1hòhjô  h²hh³hÇh´MVŒ
referenced”Kubhó)”}”(hhh]”(hø)”}”(hŒIPC scoping”h]”hŒIPC scoping”…””}”(hj®  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hj«  h²hh³hÇh´M_ubj(  )”}”(hX`  Similar to the implicit `Ptrace restrictions`_, we may want to further restrict
interactions between sandboxes.  Therefore, at ruleset creation time, each
Landlock domain can restrict the scope for certain operations, so that these
operations can only reach out to processes within the same Landlock domain or in
a nested Landlock domain (the "scope").”h]”(hŒSimilar to the implicit ”…””}”(hj¼  h²hh³Nh´Nubj”  )”}”(hŒ`Ptrace restrictions`_”h]”hŒPtrace restrictions”…””}”(hjÄ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”ŒPtrace restrictions”Œrefid”j¤  uh1j“  hj¼  j§  KubhX6  , we may want to further restrict
interactions between sandboxes.  Therefore, at ruleset creation time, each
Landlock domain can restrict the scope for certain operations, so that these
operations can only reach out to processes within the same Landlock domain or in
a nested Landlock domain (the â€œscopeâ€).”…””}”(hj¼  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´Mahj«  h²hubj(  )”}”(hŒ'The operations which can be scoped are:”h]”hŒ'The operations which can be scoped are:”…””}”(hjß  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´Mghj«  h²hubj"  )”}”(hhh]”(j'  )”}”(hŒˆ``LANDLOCK_SCOPE_SIGNAL``
This limits the sending of signals to target processes which run within the
same or a nested Landlock domain.
”h]”(j-  )”}”(hŒ``LANDLOCK_SCOPE_SIGNAL``”h]”jŽ  )”}”(hjö  h]”hŒLANDLOCK_SCOPE_SIGNAL”…””}”(hjø  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjô  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  h³hÇh´Mkhjð  ubj=  )”}”(hhh]”j(  )”}”(hŒmThis limits the sending of signals to target processes which run within the
same or a nested Landlock domain.”h]”hŒmThis limits the sending of signals to target processes which run within the
same or a nested Landlock domain.”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´Mjhj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j<  hjð  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j&  h³hÇh´Mkhjí  ubj'  )”}”(hXN  ``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET``
This limits the set of abstract :manpage:`unix(7)` sockets to which we can
:manpage:`connect(2)` to socket addresses which were created by a process in
the same or a nested Landlock domain.

A :manpage:`sendto(2)` on a non-connected datagram socket is treated as if
it were doing an implicit :manpage:`connect(2)` and will be blocked if the
remote end does not stem from the same or a nested Landlock domain.

A :manpage:`sendto(2)` on a socket which was previously connected will not
be restricted.  This works for both datagram and stream sockets.
”h]”(j-  )”}”(hŒ'``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET``”h]”jŽ  )”}”(hj.  h]”hŒ#LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET”…””}”(hj0  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj,  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  h³hÇh´Mwhj(  ubj=  )”}”(hhh]”(j(  )”}”(hŒ½This limits the set of abstract :manpage:`unix(7)` sockets to which we can
:manpage:`connect(2)` to socket addresses which were created by a process in
the same or a nested Landlock domain.”h]”(hŒ This limits the set of abstract ”…””}”(hjF  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`unix(7)`”h]”hŒunix(7)”…””}”(hjN  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œunix(7)”j"  Œunix”j$  j:  uh1j  hjF  ubhŒ sockets to which we can
”…””}”(hjF  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`connect(2)`”h]”hŒ
connect(2)”…””}”(hjb  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œ
connect(2)”j"  Œconnect”j$  j%  uh1j  hjF  ubhŒ] to socket addresses which were created by a process in
the same or a nested Landlock domain.”…””}”(hjF  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´MnhjC  ubj(  )”}”(hŒÙA :manpage:`sendto(2)` on a non-connected datagram socket is treated as if
it were doing an implicit :manpage:`connect(2)` and will be blocked if the
remote end does not stem from the same or a nested Landlock domain.”h]”(hŒA ”…””}”(hj|  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`sendto(2)`”h]”hŒ	sendto(2)”…””}”(hj„  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œ	sendto(2)”j"  Œsendto”j$  j%  uh1j  hj|  ubhŒO on a non-connected datagram socket is treated as if
it were doing an implicit ”…””}”(hj|  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`connect(2)`”h]”hŒ
connect(2)”…””}”(hj˜  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œ
connect(2)”j"  Œconnect”j$  j%  uh1j  hj|  ubhŒ_ and will be blocked if the
remote end does not stem from the same or a nested Landlock domain.”…””}”(hj|  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´MrhjC  ubj(  )”}”(hŒ‹A :manpage:`sendto(2)` on a socket which was previously connected will not
be restricted.  This works for both datagram and stream sockets.”h]”(hŒA ”…””}”(hj²  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`sendto(2)`”h]”hŒ	sendto(2)”…””}”(hjº  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œ	sendto(2)”j"  Œsendto”j$  j%  uh1j  hj²  ubhŒu on a socket which was previously connected will not
be restricted.  This works for both datagram and stream sockets.”…””}”(hj²  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´MvhjC  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j<  hj(  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j&  h³hÇh´Mwhjí  h²hubeh}”(h]”h ]”h"]”h$]”h&]”uh1j!  hj«  h²hh³hÇh´Nubj(  )”}”(hŒÍIPC scoping does not support exceptions via :manpage:`landlock_add_rule(2)`.
If an operation is scoped within a domain, no rules can be added to allow access
to resources or processes outside of the scope.”h]”(hŒ,IPC scoping does not support exceptions via ”…””}”(hjæ  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`landlock_add_rule(2)`”h]”hŒlandlock_add_rule(2)”…””}”(hjî  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œlandlock_add_rule(2)”j"  Œlandlock_add_rule”j$  j%  uh1j  hjæ  ubhŒ‚.
If an operation is scoped within a domain, no rules can be added to allow access
to resources or processes outside of the scope.”…””}”(hjæ  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´Myhj«  h²hubeh}”(h]”Œipc-scoping”ah ]”h"]”Œipc scoping”ah$]”h&]”uh1hòhjô  h²hh³hÇh´M_ubhó)”}”(hhh]”(hø)”}”(hŒTruncating files”h]”hŒTruncating files”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hj  h²hh³hÇh´M~ubj(  )”}”(hX  The operations covered by ``LANDLOCK_ACCESS_FS_WRITE_FILE`` and
``LANDLOCK_ACCESS_FS_TRUNCATE`` both change the contents of a file and sometimes
overlap in non-intuitive ways.  It is strongly recommended to always specify
both of these together (either granting both, or granting none).”h]”(hŒThe operations covered by ”…””}”(hj!  h²hh³Nh´NubjŽ  )”}”(hŒ!``LANDLOCK_ACCESS_FS_WRITE_FILE``”h]”hŒLANDLOCK_ACCESS_FS_WRITE_FILE”…””}”(hj)  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj!  ubhŒ and
”…””}”(hj!  h²hh³Nh´NubjŽ  )”}”(hŒ``LANDLOCK_ACCESS_FS_TRUNCATE``”h]”hŒLANDLOCK_ACCESS_FS_TRUNCATE”…””}”(hj;  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj!  ubhŒ¿ both change the contents of a file and sometimes
overlap in non-intuitive ways.  It is strongly recommended to always specify
both of these together (either granting both, or granting none).”…””}”(hj!  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´M€hj  h²hubj(  )”}”(hŒûA particularly surprising example is :manpage:`creat(2)`.  The name suggests
that this system call requires the rights to create and write files.  However,
it also requires the truncate right if an existing file under the same name is
already present.”h]”(hŒ%A particularly surprising example is ”…””}”(hjS  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`creat(2)`”h]”hŒcreat(2)”…””}”(hj[  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œcreat(2)”j"  Œcreat”j$  j%  uh1j  hjS  ubhŒÃ.  The name suggests
that this system call requires the rights to create and write files.  However,
it also requires the truncate right if an existing file under the same name is
already present.”…””}”(hjS  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´M…hj  h²hubj(  )”}”(hŒ÷It should also be noted that truncating files does not require the
``LANDLOCK_ACCESS_FS_WRITE_FILE`` right.  Apart from the :manpage:`truncate(2)`
system call, this can also be done through :manpage:`open(2)` with the flags
``O_RDONLY | O_TRUNC``.”h]”(hŒCIt should also be noted that truncating files does not require the
”…””}”(hju  h²hh³Nh´NubjŽ  )”}”(hŒ!``LANDLOCK_ACCESS_FS_WRITE_FILE``”h]”hŒLANDLOCK_ACCESS_FS_WRITE_FILE”…””}”(hj}  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hju  ubhŒ right.  Apart from the ”…””}”(hju  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`truncate(2)`”h]”hŒtruncate(2)”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œtruncate(2)”j"  Œtruncate”j$  j%  uh1j  hju  ubhŒ,
system call, this can also be done through ”…””}”(hju  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`open(2)`”h]”hŒopen(2)”…””}”(hj£  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œopen(2)”j"  Œopen”j$  j%  uh1j  hju  ubhŒ with the flags
”…””}”(hju  h²hh³Nh´NubjŽ  )”}”(hŒ``O_RDONLY | O_TRUNC``”h]”hŒO_RDONLY | O_TRUNC”…””}”(hj·  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hju  ubhŒ.”…””}”(hju  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´MŠhj  h²hubj(  )”}”(hŒãAt the same time, on some filesystems, :manpage:`fallocate(2)` offers a way to
shorten file contents with ``FALLOC_FL_COLLAPSE_RANGE`` when the file is opened
for writing, sidestepping the ``LANDLOCK_ACCESS_FS_TRUNCATE`` right.”h]”(hŒ'At the same time, on some filesystems, ”…””}”(hjÏ  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`fallocate(2)`”h]”hŒfallocate(2)”…””}”(hj×  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œfallocate(2)”j"  Œ	fallocate”j$  j%  uh1j  hjÏ  ubhŒ, offers a way to
shorten file contents with ”…””}”(hjÏ  h²hh³Nh´NubjŽ  )”}”(hŒ``FALLOC_FL_COLLAPSE_RANGE``”h]”hŒFALLOC_FL_COLLAPSE_RANGE”…””}”(hjë  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÏ  ubhŒ7 when the file is opened
for writing, sidestepping the ”…””}”(hjÏ  h²hh³Nh´NubjŽ  )”}”(hŒ``LANDLOCK_ACCESS_FS_TRUNCATE``”h]”hŒLANDLOCK_ACCESS_FS_TRUNCATE”…””}”(hjý  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÏ  ubhŒ right.”…””}”(hjÏ  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´Mhj  h²hubj(  )”}”(hŒBThe truncate right is associated with the opened file (see below).”h]”hŒBThe truncate right is associated with the opened file (see below).”…””}”(hj	  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´M“hj  h²hubeh}”(h]”Œtruncating-files”ah ]”h"]”Œtruncating files”ah$]”h&]”uh1hòhjô  h²hh³hÇh´M~ubhó)”}”(hhh]”(hø)”}”(hŒ'Rights associated with file descriptors”h]”hŒ'Rights associated with file descriptors”…””}”(hj.	  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hj+	  h²hh³hÇh´M–ubj(  )”}”(hXî  When opening a file, the availability of the ``LANDLOCK_ACCESS_FS_TRUNCATE`` and
``LANDLOCK_ACCESS_FS_IOCTL_DEV`` rights is associated with the newly created
file descriptor and will be used for subsequent truncation and ioctl attempts
using :manpage:`ftruncate(2)` and :manpage:`ioctl(2)`.  The behavior is similar
to opening a file for reading or writing, where permissions are checked during
:manpage:`open(2)`, but not during the subsequent :manpage:`read(2)` and
:manpage:`write(2)` calls.”h]”(hŒ-When opening a file, the availability of the ”…””}”(hj<	  h²hh³Nh´NubjŽ  )”}”(hŒ``LANDLOCK_ACCESS_FS_TRUNCATE``”h]”hŒLANDLOCK_ACCESS_FS_TRUNCATE”…””}”(hjD	  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj<	  ubhŒ and
”…””}”(hj<	  h²hh³Nh´NubjŽ  )”}”(hŒ ``LANDLOCK_ACCESS_FS_IOCTL_DEV``”h]”hŒLANDLOCK_ACCESS_FS_IOCTL_DEV”…””}”(hjV	  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj<	  ubhŒ rights is associated with the newly created
file descriptor and will be used for subsequent truncation and ioctl attempts
using ”…””}”(hj<	  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`ftruncate(2)`”h]”hŒftruncate(2)”…””}”(hjh	  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œftruncate(2)”j"  Œ	ftruncate”j$  j%  uh1j  hj<	  ubhŒ and ”…””}”(hj<	  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`ioctl(2)`”h]”hŒioctl(2)”…””}”(hj|	  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œioctl(2)”j"  Œioctl”j$  j%  uh1j  hj<	  ubhŒj.  The behavior is similar
to opening a file for reading or writing, where permissions are checked during
”…””}”(hj<	  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`open(2)`”h]”hŒopen(2)”…””}”(hj	  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œopen(2)”j"  Œopen”j$  j%  uh1j  hj<	  ubhŒ , but not during the subsequent ”…””}”(hj<	  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`read(2)`”h]”hŒread(2)”…””}”(hj¤	  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œread(2)”j"  Œread”j$  j%  uh1j  hj<	  ubhŒ and
”…””}”hj<	  sbj  )”}”(hŒ:manpage:`write(2)`”h]”hŒwrite(2)”…””}”(hj¸	  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œwrite(2)”j"  Œwrite”j$  j%  uh1j  hj<	  ubhŒ calls.”…””}”(hj<	  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´M˜hj+	  h²hubj(  )”}”(hX  As a consequence, it is possible that a process has multiple open file
descriptors referring to the same file, but Landlock enforces different things
when operating with these file descriptors.  This can happen when a Landlock
ruleset gets enforced and the process keeps file descriptors which were opened
both before and after the enforcement.  It is also possible to pass such file
descriptors between processes, keeping their Landlock properties, even when some
of the involved processes do not have an enforced Landlock ruleset.”h]”hX  As a consequence, it is possible that a process has multiple open file
descriptors referring to the same file, but Landlock enforces different things
when operating with these file descriptors.  This can happen when a Landlock
ruleset gets enforced and the process keeps file descriptors which were opened
both before and after the enforcement.  It is also possible to pass such file
descriptors between processes, keeping their Landlock properties, even when some
of the involved processes do not have an enforced Landlock ruleset.”…””}”(hjÒ	  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´M hj+	  h²hubeh}”(h]”Œ'rights-associated-with-file-descriptors”ah ]”h"]”Œ'rights associated with file descriptors”ah$]”h&]”uh1hòhjô  h²hh³hÇh´M–ubeh}”(h]”Œlandlock-rules”ah ]”h"]”Œlandlock rules”ah$]”h&]”uh1hòhhôh²hh³hÇh´Kubhó)”}”(hhh]”(hø)”}”(hŒCompatibility”h]”hŒCompatibility”…””}”(hjó	  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hjð	  h²hh³hÇh´M©ubhó)”}”(hhh]”(hø)”}”(hŒ"Backward and forward compatibility”h]”hŒ"Backward and forward compatibility”…””}”(hj
  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hj
  h²hh³hÇh´M¬ubj(  )”}”(hXÁ  Landlock is designed to be compatible with past and future versions of the
kernel.  This is achieved thanks to the system call attributes and the
associated bitflags, particularly the ruleset's ``handled_access_fs``.  Making
handled access rights explicit enables the kernel and user space to have a clear
contract with each other.  This is required to make sure sandboxing will not
get stricter with a system update, which could break applications.”h]”(hŒÄLandlock is designed to be compatible with past and future versions of the
kernel.  This is achieved thanks to the system call attributes and the
associated bitflags, particularly the rulesetâ€™s ”…””}”(hj
  h²hh³Nh´NubjŽ  )”}”(hŒ``handled_access_fs``”h]”hŒhandled_access_fs”…””}”(hj
  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj
  ubhŒê.  Making
handled access rights explicit enables the kernel and user space to have a clear
contract with each other.  This is required to make sure sandboxing will not
get stricter with a system update, which could break applications.”…””}”(hj
  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´M®hj
  h²hubj(  )”}”(hX­  Developers can subscribe to the `Landlock mailing list
<https://subspace.kernel.org/lists.linux.dev.html>`_ to knowingly update and
test their applications with the latest available features.  In the interest of
users, and because they may use different kernel versions, it is strongly
encouraged to follow a best-effort security approach by checking the Landlock
ABI version at runtime and only enforcing the supported features.”h]”(hŒ Developers can subscribe to the ”…””}”(hj2
  h²hh³Nh´Nubj”  )”}”(hŒK`Landlock mailing list
<https://subspace.kernel.org/lists.linux.dev.html>`_”h]”hŒLandlock mailing list”…””}”(hj:
  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”ŒLandlock mailing list”j¥  Œ0https://subspace.kernel.org/lists.linux.dev.html”uh1j“  hj2
  ubhŒtarget”“”)”}”(hŒ3
<https://subspace.kernel.org/lists.linux.dev.html>”h]”h}”(h]”Œlandlock-mailing-list”ah ]”h"]”Œlandlock mailing list”ah$]”h&]”Œrefuri”jJ
  uh1jK
  jª  Khj2
  ubhXB   to knowingly update and
test their applications with the latest available features.  In the interest of
users, and because they may use different kernel versions, it is strongly
encouraged to follow a best-effort security approach by checking the Landlock
ABI version at runtime and only enforcing the supported features.”…””}”(hj2
  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´Mµhj
  h²hubjL
  )”}”(hŒ.. _landlock_abi_versions:”h]”h}”(h]”h ]”h"]”h$]”h&]”jÔ  Œlandlock-abi-versions”uh1jK
  h´M¼hj
  h²hh³hÇubeh}”(h]”Œ"backward-and-forward-compatibility”ah ]”h"]”Œ"backward and forward compatibility”ah$]”h&]”uh1hòhjð	  h²hh³hÇh´M¬ubhó)”}”(hhh]”(hø)”}”(hŒLandlock ABI versions”h]”hŒLandlock ABI versions”…””}”(hjz
  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hjw
  h²hh³hÇh´M¿ubj(  )”}”(hŒXThe Landlock ABI version can be read with the sys_landlock_create_ruleset()
system call:”h]”hŒXThe Landlock ABI version can be read with the sys_landlock_create_ruleset()
system call:”…””}”(hjˆ
  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´MÁhjw
  h²hubjò  )”}”(hXš  int abi;

abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
if (abi < 0) {
    switch (errno) {
    case ENOSYS:
        printf("Landlock is not supported by the current kernel.\n");
        break;
    case EOPNOTSUPP:
        printf("Landlock is currently disabled.\n");
        break;
    }
    return 0;
}
if (abi >= 2) {
    printf("Landlock supports LANDLOCK_ACCESS_FS_REFER.\n");
}”h]”hXš  int abi;

abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
if (abi < 0) {
    switch (errno) {
    case ENOSYS:
        printf("Landlock is not supported by the current kernel.\n");
        break;
    case EOPNOTSUPP:
        printf("Landlock is currently disabled.\n");
        break;
    }
    return 0;
}
if (abi >= 2) {
    printf("Landlock supports LANDLOCK_ACCESS_FS_REFER.\n");
}”…””}”hj–
  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆj  ‰j  j  j  }”uh1jñ  h³hÇh´MÄhjw
  h²hubj(  )”}”(hŒuAll Landlock kernel interfaces are supported by the first ABI version unless
explicitly noted in their documentation.”h]”hŒuAll Landlock kernel interfaces are supported by the first ABI version unless
explicitly noted in their documentation.”…””}”(hj¥
  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´MØhjw
  h²hubeh}”(h]”(jn
  Œid1”eh ]”h"]”(Œlandlock abi versions”Œlandlock_abi_versions”eh$]”h&]”uh1hòhjð	  h²hh³hÇh´M¿Œexpect_referenced_by_name”}”j¹
  jd
  sŒexpect_referenced_by_id”}”jn
  jd
  subhó)”}”(hhh]”(hø)”}”(hŒLandlock errata”h]”hŒLandlock errata”…””}”(hjÃ
  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hjÀ
  h²hh³hÇh´MÜubj(  )”}”(hŒÎIn addition to ABI versions, Landlock provides an errata mechanism to track
fixes for issues that may affect backwards compatibility or require userspace
awareness.  The errata bitmask can be queried using:”h]”hŒÎIn addition to ABI versions, Landlock provides an errata mechanism to track
fixes for issues that may affect backwards compatibility or require userspace
awareness.  The errata bitmask can be queried using:”…””}”(hjÑ
  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´MÞhjÀ
  h²hubjò  )”}”(hŒ¦int errata;

errata = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_ERRATA);
if (errata < 0) {
    /* Landlock not available or disabled */
    return 0;
}”h]”hŒ¦int errata;

errata = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_ERRATA);
if (errata < 0) {
    /* Landlock not available or disabled */
    return 0;
}”…””}”hjß
  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆj  ‰j  j  j  }”uh1jñ  h³hÇh´MâhjÀ
  h²hubj(  )”}”(hŒ±The returned value is a bitmask where each bit represents a specific erratum.
If bit N is set (``errata & (1 << (N - 1))``), then erratum N has been fixed
in the running kernel.”h]”(hŒ_The returned value is a bitmask where each bit represents a specific erratum.
If bit N is set (”…””}”(hjî
  h²hh³Nh´NubjŽ  )”}”(hŒ``errata & (1 << (N - 1))``”h]”hŒerrata & (1 << (N - 1))”…””}”(hjö
  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjî
  ubhŒ7), then erratum N has been fixed
in the running kernel.”…””}”(hjî
  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´MìhjÀ
  h²hubhŒwarning”“”)”}”(hXa  **Most applications should NOT check errata.** In 99.9% of cases, checking
errata is unnecessary, increases code complexity, and can potentially
decrease protection if misused.  For example, disabling the sandbox when an
erratum is not fixed could leave the system less secure than using
Landlock's best-effort protection.  When in doubt, ignore errata.”h]”j(  )”}”(hXa  **Most applications should NOT check errata.** In 99.9% of cases, checking
errata is unnecessary, increases code complexity, and can potentially
decrease protection if misused.  For example, disabling the sandbox when an
erratum is not fixed could leave the system less secure than using
Landlock's best-effort protection.  When in doubt, ignore errata.”h]”(hŒstrong”“”)”}”(hŒ.**Most applications should NOT check errata.**”h]”hŒ*Most applications should NOT check errata.”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubhX5   In 99.9% of cases, checking
errata is unnecessary, increases code complexity, and can potentially
decrease protection if misused.  For example, disabling the sandbox when an
erratum is not fixed could leave the system less secure than using
Landlockâ€™s best-effort protection.  When in doubt, ignore errata.”…””}”(hj  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´Mòhj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÀ
  h²hh³hÇh´Nubhó)”}”(hhh]”(hø)”}”(hŒ$Erratum 1: TCP socket identification”h]”hŒ$Erratum 1: TCP socket identification”…””}”(hj;  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hj8  h³Nh´Nubj(  )”}”(hX]  This fix addresses an issue where IPv4 and IPv6 stream sockets (e.g., SMC,
MPTCP, or SCTP) were incorrectly restricted by TCP access rights during
:manpage:`bind(2)` and :manpage:`connect(2)` operations. This change ensures
that only TCP sockets are subject to TCP access rights, allowing other
protocols to operate without unnecessary restrictions.”h]”(hŒ“This fix addresses an issue where IPv4 and IPv6 stream sockets (e.g., SMC,
MPTCP, or SCTP) were incorrectly restricted by TCP access rights during
”…””}”(hjI  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`bind(2)`”h]”hŒbind(2)”…””}”(hjQ  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”•      hÅhÆj   Œbind(2)”j"  Œbind”j$  j%  uh1j  hjI  ubhŒ and ”…””}”(hjI  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`connect(2)`”h]”hŒ
connect(2)”…””}”(hje  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œ
connect(2)”j"  Œconnect”j$  j%  uh1j  hjI  ubhŒž operations. This change ensures
that only TCP sockets are subject to TCP access rights, allowing other
protocols to operate without unnecessary restrictions.”…””}”(hjI  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œh/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:504: ./security/landlock/errata/abi-4.h”h´Khj8  ubj(  )”}”(hŒImpact:”h]”hŒImpact:”…””}”(hj€  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œh/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:504: ./security/landlock/errata/abi-4.h”h´Khj8  ubj(  )”}”(hX  In kernels without this fix, using ``LANDLOCK_ACCESS_NET_BIND_TCP`` or
``LANDLOCK_ACCESS_NET_CONNECT_TCP`` would incorrectly restrict non-TCP
stream protocols (SMC, MPTCP, SCTP), potentially breaking applications
that rely on these protocols while using Landlock network restrictions.”h]”(hŒ#In kernels without this fix, using ”…””}”(hj  h²hh³Nh´NubjŽ  )”}”(hŒ ``LANDLOCK_ACCESS_NET_BIND_TCP``”h]”hŒLANDLOCK_ACCESS_NET_BIND_TCP”…””}”(hj—  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubhŒ or
”…””}”(hj  h²hh³Nh´NubjŽ  )”}”(hŒ#``LANDLOCK_ACCESS_NET_CONNECT_TCP``”h]”hŒLANDLOCK_ACCESS_NET_CONNECT_TCP”…””}”(hj©  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubhŒ² would incorrectly restrict non-TCP
stream protocols (SMC, MPTCP, SCTP), potentially breaking applications
that rely on these protocols while using Landlock network restrictions.”…””}”(hj  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œh/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:504: ./security/landlock/errata/abi-4.h”h´Khj8  ubeh}”(h]”Œ#erratum-1-tcp-socket-identification”ah ]”h"]”Œ$erratum 1: tcp socket identification”ah$]”h&]”uh1hòhjÀ
  h²hh³Nh´Nubhó)”}”(hhh]”(hø)”}”(hŒ!Erratum 2: Scoped signal handling”h]”hŒ!Erratum 2: Scoped signal handling”…””}”(hjÍ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hjÊ  h³Nh´Nubj(  )”}”(hX  This fix addresses an issue where signal scoping was overly restrictive,
preventing sandboxed threads from signaling other threads within the same
process if they belonged to different domains.  Because threads are not
security boundaries, user space might assume that all threads within the same
process can send signals between themselves (see :manpage:`nptl(7)` and
:manpage:`libpsx(3)`).  Consistent with :manpage:`ptrace(2)` behavior, direct
interaction between threads of the same process should always be allowed.
This change ensures that any thread is allowed to send signals to any other
thread within the same process, regardless of their domain.”h]”(hXZ  This fix addresses an issue where signal scoping was overly restrictive,
preventing sandboxed threads from signaling other threads within the same
process if they belonged to different domains.  Because threads are not
security boundaries, user space might assume that all threads within the same
process can send signals between themselves (see ”…””}”(hjÛ  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`nptl(7)`”h]”hŒnptl(7)”…””}”(hjã  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œnptl(7)”j"  Œnptl”j$  j:  uh1j  hjÛ  ubhŒ and
”…””}”(hjÛ  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`libpsx(3)`”h]”hŒ	libpsx(3)”…””}”(hj÷  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œ	libpsx(3)”j"  Œlibpsx”j$  Œ3”uh1j  hjÛ  ubhŒ).  Consistent with ”…””}”(hjÛ  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`ptrace(2)`”h]”hŒ	ptrace(2)”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œ	ptrace(2)”j"  Œptrace”j$  j%  uh1j  hjÛ  ubhŒã behavior, direct
interaction between threads of the same process should always be allowed.
This change ensures that any thread is allowed to send signals to any other
thread within the same process, regardless of their domain.”…””}”(hjÛ  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œh/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:507: ./security/landlock/errata/abi-6.h”h´KhjÊ  ubj(  )”}”(hŒImpact:”h]”hŒImpact:”…””}”(hj'  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œh/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:507: ./security/landlock/errata/abi-6.h”h´KhjÊ  ubj(  )”}”(hXÂ  This problem only manifests when the userspace process is itself using
:manpage:`libpsx(3)` or an equivalent mechanism to enforce a Landlock policy
on multiple already-running threads at once.  Programs which enforce a
Landlock policy at startup time and only then become multithreaded are not
affected.  Without this fix, signal scoping could break multi-threaded
applications that expect threads within the same process to freely signal
each other.”h]”(hŒGThis problem only manifests when the userspace process is itself using
”…””}”(hj6  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`libpsx(3)`”h]”hŒ	libpsx(3)”…””}”(hj>  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œ	libpsx(3)”j"  Œlibpsx”j$  j  uh1j  hj6  ubhXg   or an equivalent mechanism to enforce a Landlock policy
on multiple already-running threads at once.  Programs which enforce a
Landlock policy at startup time and only then become multithreaded are not
affected.  Without this fix, signal scoping could break multi-threaded
applications that expect threads within the same process to freely signal
each other.”…””}”(hj6  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œh/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:507: ./security/landlock/errata/abi-6.h”h´KhjÊ  ubeh}”(h]”Œ erratum-2-scoped-signal-handling”ah ]”h"]”Œ!erratum 2: scoped signal handling”ah$]”h&]”uh1hòhjÀ
  h²hh³Nh´Nubhó)”}”(hhh]”(hø)”}”(hŒ*Erratum 3: Disconnected directory handling”h]”hŒ*Erratum 3: Disconnected directory handling”…””}”(hjd  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hja  h³Nh´Nubj(  )”}”(hX}  This fix addresses an issue with disconnected directories that occur when a
directory is moved outside the scope of a bind mount.  The change ensures
that evaluated access rights include both those from the disconnected file
hierarchy down to its filesystem root and those from the related mount point
hierarchy.  This prevents access right widening through rename or link
actions.”h]”hX}  This fix addresses an issue with disconnected directories that occur when a
directory is moved outside the scope of a bind mount.  The change ensures
that evaluated access rights include both those from the disconnected file
hierarchy down to its filesystem root and those from the related mount point
hierarchy.  This prevents access right widening through rename or link
actions.”…””}”(hjr  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œh/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:510: ./security/landlock/errata/abi-1.h”h´Khja  ubj(  )”}”(hŒImpact:”h]”hŒImpact:”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œh/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:510: ./security/landlock/errata/abi-1.h”h´Khja  ubj(  )”}”(hXF  Without this fix, it was possible to widen access rights through rename or
link actions involving disconnected directories, potentially bypassing
``LANDLOCK_ACCESS_FS_REFER`` restrictions.  This could allow privilege
escalation in complex mount scenarios where directories become disconnected
from their original mount points.”h]”(hŒ’Without this fix, it was possible to widen access rights through rename or
link actions involving disconnected directories, potentially bypassing
”…””}”(hj  h²hh³Nh´NubjŽ  )”}”(hŒ``LANDLOCK_ACCESS_FS_REFER``”h]”hŒLANDLOCK_ACCESS_FS_REFER”…””}”(hj˜  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubhŒ˜ restrictions.  This could allow privilege
escalation in complex mount scenarios where directories become disconnected
from their original mount points.”…””}”(hj  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œh/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:510: ./security/landlock/errata/abi-1.h”h´Khja  ubeh}”(h]”Œ)erratum-3-disconnected-directory-handling”ah ]”h"]”Œ*erratum 3: disconnected directory handling”ah$]”h&]”uh1hòhjÀ
  h²hh³Nh´Nubhó)”}”(hhh]”(hø)”}”(hŒHow to check for errata”h]”hŒHow to check for errata”…””}”(hj¼  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hj¹  h²hh³hÇh´Mubj(  )”}”(hŒ\If you determine that your application needs to check for specific errata,
use this pattern:”h]”hŒ\If you determine that your application needs to check for specific errata,
use this pattern:”…””}”(hjÊ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´Mhj¹  h²hubjò  )”}”(hXV  int errata = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_ERRATA);
if (errata >= 0) {
    /* Check for specific erratum (1-indexed) */
    if (errata & (1 << (erratum_number - 1))) {
        /* Erratum N is fixed in this kernel */
    } else {
        /* Erratum N is NOT fixed - consider implications for your use case */
    }
}”h]”hXV  int errata = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_ERRATA);
if (errata >= 0) {
    /* Check for specific erratum (1-indexed) */
    if (errata & (1 << (erratum_number - 1))) {
        /* Erratum N is fixed in this kernel */
    } else {
        /* Erratum N is NOT fixed - consider implications for your use case */
    }
}”…””}”hjØ  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆj  ‰j  j  j  }”uh1jñ  h³hÇh´Mhj¹  h²hubj(  )”}”(hŒÌ**Important:** Only check errata if your application specifically relies on
behavior that changed due to the fix.  The fixes generally make Landlock less
restrictive or more correct, not more restrictive.”h]”(j  )”}”(hŒ**Important:**”h]”hŒ
Important:”…””}”(hjë  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjç  ubhŒ¾ Only check errata if your application specifically relies on
behavior that changed due to the fix.  The fixes generally make Landlock less
restrictive or more correct, not more restrictive.”…””}”(hjç  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´Mhj¹  h²hubeh}”(h]”Œhow-to-check-for-errata”ah ]”h"]”Œhow to check for errata”ah$]”h&]”uh1hòhjÀ
  h²hh³hÇh´Mubeh}”(h]”Œlandlock-errata”ah ]”h"]”Œlandlock errata”ah$]”h&]”uh1hòhjð	  h²hh³hÇh´MÜubeh}”(h]”Œcompatibility”ah ]”h"]”Œcompatibility”ah$]”h&]”uh1hòhhôh²hh³hÇh´M©ubhó)”}”(hhh]”(hø)”}”(hŒKernel interface”h]”hŒKernel interface”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hj  h²hh³hÇh´Mubhó)”}”(hhh]”(hø)”}”(hŒAccess rights”h]”hŒAccess rights”…””}”(hj/  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hj,  h²hh³hÇh´Mubj(  )”}”(hŒ°A set of actions on kernel objects may be defined by an attribute (e.g.
:c:type:`struct landlock_path_beneath_attr <landlock_path_beneath_attr>`) including a bitmask of access.”h]”(hŒHA set of actions on kernel objects may be defined by an attribute (e.g.
”…””}”(hj=  h²hh³Nh´Nubh)”}”(hŒH:c:type:`struct landlock_path_beneath_attr <landlock_path_beneath_attr>`”h]”jŽ  )”}”(hjG  h]”hŒ!struct landlock_path_beneath_attr”…””}”(hjI  h²hh³Nh´Nubah}”(h]”h ]”(j±  j  Œc-type”eh"]”h$]”h&]”uh1j  hjE  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j¾  Œ	refdomain”j  Œreftype”Œtype”Œrefexplicit”ˆŒrefwarn”‰jÄ  Œlandlock_path_beneath_attr”uh1hh³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´KÔhj=  ubhŒ ) including a bitmask of access.”…””}”(hj=  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³jd  h´KÔhj,  h²hubhó)”}”(hhh]”(hø)”}”(hŒFilesystem flags”h]”hŒFilesystem flags”…””}”(hjr  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hjo  h³Nh´Nubj(  )”}”(hŒºThese flags enable to restrict a sandboxed process to a set of actions on
files and directories.  Files or directories opened before the sandboxing
are not subject to these restrictions.”h]”hŒºThese flags enable to restrict a sandboxed process to a set of actions on
files and directories.  Files or directories opened before the sandboxing
are not subject to these restrictions.”…””}”(hj€  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´KÚhjo  ubj(  )”}”(hŒ0The following access rights apply only to files:”h]”hŒ0The following access rights apply only to files:”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´KÞhjo  ubhŒbullet_list”“”)”}”(hhh]”(hŒ	list_item”“”)”}”(hŒ/``LANDLOCK_ACCESS_FS_EXECUTE``: Execute a file.”h]”j(  )”}”(hj§  h]”(jŽ  )”}”(hŒ``LANDLOCK_ACCESS_FS_EXECUTE``”h]”hŒLANDLOCK_ACCESS_FS_EXECUTE”…””}”(hj¬  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj©  ubhŒ: Execute a file.”…””}”(hj©  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´Kàhj¥  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj   ubj¤  )”}”(hX  ``LANDLOCK_ACCESS_FS_WRITE_FILE``: Open a file with write access.  When
opening files for writing, you will often additionally need the
``LANDLOCK_ACCESS_FS_TRUNCATE`` right.  In many cases, these system calls
truncate existing files when overwriting them (e.g., :manpage:`creat(2)`).”h]”j(  )”}”(hX  ``LANDLOCK_ACCESS_FS_WRITE_FILE``: Open a file with write access.  When
opening files for writing, you will often additionally need the
``LANDLOCK_ACCESS_FS_TRUNCATE`` right.  In many cases, these system calls
truncate existing files when overwriting them (e.g., :manpage:`creat(2)`).”h]”(jŽ  )”}”(hŒ!``LANDLOCK_ACCESS_FS_WRITE_FILE``”h]”hŒLANDLOCK_ACCESS_FS_WRITE_FILE”…””}”(hjÓ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÏ  ubhŒg: Open a file with write access.  When
opening files for writing, you will often additionally need the
”…””}”(hjÏ  h²hh³Nh´NubjŽ  )”}”(hŒ``LANDLOCK_ACCESS_FS_TRUNCATE``”h]”hŒLANDLOCK_ACCESS_FS_TRUNCATE”…””}”(hjå  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÏ  ubhŒ` right.  In many cases, these system calls
truncate existing files when overwriting them (e.g., ”…””}”(hjÏ  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`creat(2)`”h]”hŒcreat(2)”…””}”(hj÷  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œcreat(2)”j"  Œcreat”j$  j%  uh1j  hjÏ  ubhŒ).”…””}”(hjÏ  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´KáhjË  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj   ubj¤  )”}”(hŒ?``LANDLOCK_ACCESS_FS_READ_FILE``: Open a file with read access.”h]”j(  )”}”(hj  h]”(jŽ  )”}”(hŒ ``LANDLOCK_ACCESS_FS_READ_FILE``”h]”hŒLANDLOCK_ACCESS_FS_READ_FILE”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubhŒ: Open a file with read access.”…””}”(hj  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´Kåhj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj   ubj¤  )”}”(hŒð``LANDLOCK_ACCESS_FS_TRUNCATE``: Truncate a file with :manpage:`truncate(2)`,
:manpage:`ftruncate(2)`, :manpage:`creat(2)`, or :manpage:`open(2)` with
``O_TRUNC``.  This access right is available since the third version of the
Landlock ABI.”h]”j(  )”}”(hŒð``LANDLOCK_ACCESS_FS_TRUNCATE``: Truncate a file with :manpage:`truncate(2)`,
:manpage:`ftruncate(2)`, :manpage:`creat(2)`, or :manpage:`open(2)` with
``O_TRUNC``.  This access right is available since the third version of the
Landlock ABI.”h]”(jŽ  )”}”(hŒ``LANDLOCK_ACCESS_FS_TRUNCATE``”h]”hŒLANDLOCK_ACCESS_FS_TRUNCATE”…””}”(hjF  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjB  ubhŒ: Truncate a file with ”…””}”(hjB  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`truncate(2)`”h]”hŒtruncate(2)”…””}”(hjX  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œtruncate(2)”j"  Œtruncate”j$  j%  uh1j  hjB  ubhŒ,
”…””}”(hjB  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`ftruncate(2)`”h]”hŒftruncate(2)”…””}”(hjl  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œftruncate(2)”j"  Œ	ftruncate”j$  j%  uh1j  hjB  ubhŒ, ”…””}”(hjB  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`creat(2)`”h]”hŒcreat(2)”…””}”(hj€  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œcreat(2)”j"  Œcreat”j$  j%  uh1j  hjB  ubhŒ, or ”…””}”(hjB  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`open(2)`”h]”hŒopen(2)”…””}”(hj”  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œopen(2)”j"  Œopen”j$  j%  uh1j  hjB  ubhŒ with
”…””}”(hjB  h²hh³Nh´NubjŽ  )”}”(hŒ``O_TRUNC``”h]”hŒO_TRUNC”…””}”(hj¨  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjB  ubhŒN.  This access right is available since the third version of the
Landlock ABI.”…””}”(hjB  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´Kæhj>  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj   ubj¤  )”}”(hX}  ``LANDLOCK_ACCESS_FS_IOCTL_DEV``: Invoke :manpage:`ioctl(2)` commands on an opened
character or block device.

This access right applies to all `ioctl(2)` commands implemented by device
drivers.  However, the following common IOCTL commands continue to be
invokable independent of the ``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right:

* IOCTL commands targeting file descriptors (``FIOCLEX``, ``FIONCLEX``),
* IOCTL commands targeting file descriptions (``FIONBIO``, ``FIOASYNC``),
* IOCTL commands targeting file systems (``FIFREEZE``, ``FITHAW``,
  ``FIGETBSZ``, ``FS_IOC_GETFSUUID``, ``FS_IOC_GETFSSYSFSPATH``)
* Some IOCTL commands which do not make sense when used with devices, but
  whose implementations are safe and return the right error codes
  (``FS_IOC_FIEMAP``, ``FICLONE``, ``FICLONERANGE``, ``FIDEDUPERANGE``)

This access right is available since the fifth version of the Landlock
ABI.”h]”(j(  )”}”(hŒm``LANDLOCK_ACCESS_FS_IOCTL_DEV``: Invoke :manpage:`ioctl(2)` commands on an opened
character or block device.”h]”(jŽ  )”}”(hŒ ``LANDLOCK_ACCESS_FS_IOCTL_DEV``”h]”hŒLANDLOCK_ACCESS_FS_IOCTL_DEV”…””}”(hjÏ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjË  ubhŒ	: Invoke ”…””}”(hjË  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`ioctl(2)`”h]”hŒioctl(2)”…””}”(hjá  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œioctl(2)”j"  Œioctl”j$  j%  uh1j  hjË  ubhŒ1 commands on an opened
character or block device.”…””}”(hjË  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´KêhjÇ  ubj(  )”}”(hŒÕThis access right applies to all `ioctl(2)` commands implemented by device
drivers.  However, the following common IOCTL commands continue to be
invokable independent of the ``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right:”h]”(hŒ!This access right applies to all ”…””}”(hjü  h²hh³Nh´NubjJ  )”}”(hŒ
`ioctl(2)`”h]”hŒioctl(2)”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jI  hjü  ubhŒƒ commands implemented by device
drivers.  However, the following common IOCTL commands continue to be
invokable independent of the ”…””}”(hjü  h²hh³Nh´NubjŽ  )”}”(hŒ ``LANDLOCK_ACCESS_FS_IOCTL_DEV``”h]”hŒLANDLOCK_ACCESS_FS_IOCTL_DEV”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjü  ubhŒ right:”…””}”(hjü  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´KíhjÇ  ubjŸ  )”}”(hhh]”(j¤  )”}”(hŒFIOCTL commands targeting file descriptors (``FIOCLEX``, ``FIONCLEX``),”h]”j(  )”}”(hj4  h]”(hŒ+IOCTL commands targeting file descriptors (”…””}”(hj6  h²hh³Nh´NubjŽ  )”}”(hŒ``FIOCLEX``”h]”hŒFIOCLEX”…””}”(hj=  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj6  ubhŒ, ”…””}”(hj6  h²hh³Nh´NubjŽ  )”}”(hŒ``FIONCLEX``”h]”hŒFIONCLEX”…””}”(hjO  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj6  ubhŒ),”…””}”(hj6  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´Kñhj2  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj/  ubj¤  )”}”(hŒGIOCTL commands targeting file descriptions (``FIONBIO``, ``FIOASYNC``),”h]”j(  )”}”(hjp  h]”(hŒ,IOCTL commands targeting file descriptions (”…””}”(hjr  h²hh³Nh´NubjŽ  )”}”(hŒ``FIONBIO``”h]”hŒFIONBIO”…””}”(hjy  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjr  ubhŒ, ”…””}”(hjr  h²hh³Nh´NubjŽ  )”}”(hŒ``FIOASYNC``”h]”hŒFIOASYNC”…””}”(hj‹  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjr  ubhŒ),”…””}”(hjr  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´Kòhjn  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj/  ubj¤  )”}”(hŒIOCTL commands targeting file systems (``FIFREEZE``, ``FITHAW``,
``FIGETBSZ``, ``FS_IOC_GETFSUUID``, ``FS_IOC_GETFSSYSFSPATH``)”h]”j(  )”}”(hŒIOCTL commands targeting file systems (``FIFREEZE``, ``FITHAW``,
``FIGETBSZ``, ``FS_IOC_GETFSUUID``, ``FS_IOC_GETFSSYSFSPATH``)”h]”(hŒ'IOCTL commands targeting file systems (”…””}”(hj®  h²hh³Nh´NubjŽ  )”}”(hŒ``FIFREEZE``”h]”hŒFIFREEZE”…””}”(hj¶  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj®  ubhŒ, ”…””}”(hj®  h²hh³Nh´NubjŽ  )”}”(hŒ
``FITHAW``”h]”hŒFITHAW”…””}”(hjÈ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj®  ubhŒ,
”…””}”(hj®  h²hh³Nh´NubjŽ  )”}”(hŒ``FIGETBSZ``”h]”hŒFIGETBSZ”…””}”(hjÚ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj®  ubhŒ, ”…””}”hj®  sbjŽ  )”}”(hŒ``FS_IOC_GETFSUUID``”h]”hŒFS_IOC_GETFSUUID”…””}”(hjì  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj®  ubhŒ, ”…””}”hj®  sbjŽ  )”}”(hŒ``FS_IOC_GETFSSYSFSPATH``”h]”hŒFS_IOC_GETFSSYSFSPATH”…””}”(hjþ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj®  ubhŒ)”…””}”(hj®  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´Kóhjª  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj/  ubj¤  )”}”(hŒÎSome IOCTL commands which do not make sense when used with devices, but
whose implementations are safe and return the right error codes
(``FS_IOC_FIEMAP``, ``FICLONE``, ``FICLONERANGE``, ``FIDEDUPERANGE``)
”h]”j(  )”}”(hŒÍSome IOCTL commands which do not make sense when used with devices, but
whose implementations are safe and return the right error codes
(``FS_IOC_FIEMAP``, ``FICLONE``, ``FICLONERANGE``, ``FIDEDUPERANGE``)”h]”(hŒ‰Some IOCTL commands which do not make sense when used with devices, but
whose implementations are safe and return the right error codes
(”…””}”(hj!  h²hh³Nh´NubjŽ  )”}”(hŒ``FS_IOC_FIEMAP``”h]”hŒFS_IOC_FIEMAP”…””}”(hj)  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj!  ubhŒ, ”…””}”(hj!  h²hh³Nh´NubjŽ  )”}”(hŒ``FICLONE``”h]”hŒFICLONE”…””}”(hj;  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj!  ubhŒ, ”…””}”hj!  sbjŽ  )”}”(hŒ``FICLONERANGE``”h]”hŒFICLONERANGE”…””}”(hjM  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj!  ubhŒ, ”…””}”hj!  sbjŽ  )”}”(hŒ``FIDEDUPERANGE``”h]”hŒFIDEDUPERANGE”…””}”(hj_  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj!  ubhŒ)”…””}”(hj!  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´Kõhj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj/  ubeh}”(h]”h ]”h"]”h$]”h&]”Œbullet”Œ*”uh1jž  h³jg  h´KñhjÇ  ubj(  )”}”(hŒKThis access right is available since the fifth version of the Landlock
ABI.”h]”hŒKThis access right is available since the fifth version of the Landlock
ABI.”…””}”(hj†  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´KùhjÇ  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj   ubj¤  )”}”(hX  ``LANDLOCK_ACCESS_FS_RESOLVE_UNIX``: Look up pathname UNIX domain sockets
(:manpage:`unix(7)`).  On UNIX domain sockets, this restricts both calls to
:manpage:`connect(2)` as well as calls to :manpage:`sendmsg(2)` with an
explicit recipient address.

This access right only applies to connections to UNIX server sockets which
were created outside of the newly created Landlock domain (e.g. from within
a parent domain or from an unrestricted process).  Newly created UNIX
servers within the same Landlock domain continue to be accessible.  In this
regard, ``LANDLOCK_ACCESS_FS_RESOLVE_UNIX`` has the same semantics as the
``LANDLOCK_SCOPE_*`` flags.

If a resolve attempt is denied, the operation returns an ``EACCES`` error,
in line with other filesystem access rights (but different to denials for
abstract UNIX domain sockets).

This access right is available since the ninth version of the Landlock ABI.

The rationale for this design is described in
:ref:`Documentation/security/landlock.rst <scoped-flags-interaction>`.
”h]”(j(  )”}”(hŒù``LANDLOCK_ACCESS_FS_RESOLVE_UNIX``: Look up pathname UNIX domain sockets
(:manpage:`unix(7)`).  On UNIX domain sockets, this restricts both calls to
:manpage:`connect(2)` as well as calls to :manpage:`sendmsg(2)` with an
explicit recipient address.”h]”(jŽ  )”}”(hŒ#``LANDLOCK_ACCESS_FS_RESOLVE_UNIX``”h]”hŒLANDLOCK_ACCESS_FS_RESOLVE_UNIX”…””}”(hj£  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjŸ  ubhŒ(: Look up pathname UNIX domain sockets
(”…””}”(hjŸ  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`unix(7)`”h]”hŒunix(7)”…””}”(hjµ  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œunix(7)”j"  Œunix”j$  j:  uh1j  hjŸ  ubhŒ9).  On UNIX domain sockets, this restricts both calls to
”…””}”(hjŸ  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`connect(2)`”h]”hŒ
connect(2)”…””}”(hjÉ  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œ
connect(2)”j"  Œconnect”j$  j%  uh1j  hjŸ  ubhŒ as well as calls to ”…””}”(hjŸ  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`sendmsg(2)`”h]”hŒ
sendmsg(2)”…””}”(hjÝ  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œ
sendmsg(2)”j"  Œsendmsg”j$  j%  uh1j  hjŸ  ubhŒ$ with an
explicit recipient address.”…””}”(hjŸ  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´Kûhj›  ubj(  )”}”(hXŽ  This access right only applies to connections to UNIX server sockets which
were created outside of the newly created Landlock domain (e.g. from within
a parent domain or from an unrestricted process).  Newly created UNIX
servers within the same Landlock domain continue to be accessible.  In this
regard, ``LANDLOCK_ACCESS_FS_RESOLVE_UNIX`` has the same semantics as the
``LANDLOCK_SCOPE_*`` flags.”h]”(hX1  This access right only applies to connections to UNIX server sockets which
were created outside of the newly created Landlock domain (e.g. from within
a parent domain or from an unrestricted process).  Newly created UNIX
servers within the same Landlock domain continue to be accessible.  In this
regard, ”…””}”(hjø  h²hh³Nh´NubjŽ  )”}”(hŒ#``LANDLOCK_ACCESS_FS_RESOLVE_UNIX``”h]”hŒLANDLOCK_ACCESS_FS_RESOLVE_UNIX”…””}”(hj   h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjø  ubhŒ has the same semantics as the
”…””}”(hjø  h²hh³Nh´NubjŽ  )”}”(hŒ``LANDLOCK_SCOPE_*``”h]”hŒLANDLOCK_SCOPE_*”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjø  ubhŒ flags.”…””}”(hjø  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´M hj›  ubj(  )”}”(hŒ³If a resolve attempt is denied, the operation returns an ``EACCES`` error,
in line with other filesystem access rights (but different to denials for
abstract UNIX domain sockets).”h]”(hŒ9If a resolve attempt is denied, the operation returns an ”…””}”(hj+  h²hh³Nh´NubjŽ  )”}”(hŒ
``EACCES``”h]”hŒEACCES”…””}”(hj3  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj+  ubhŒp error,
in line with other filesystem access rights (but different to denials for
abstract UNIX domain sockets).”…””}”(hj+  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´Mhj›  ubj(  )”}”(hŒKThis access right is available since the ninth version of the Landlock ABI.”h]”hŒKThis access right is available since the ninth version of the Landlock ABI.”…””}”(hjL  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´Mhj›  ubj(  )”}”(hŒtThe rationale for this design is described in
:ref:`Documentation/security/landlock.rst <scoped-flags-interaction>`.”h]”(hŒ.The rationale for this design is described in
”…””}”(hj[  h²hh³Nh´Nubh)”}”(hŒE:ref:`Documentation/security/landlock.rst <scoped-flags-interaction>`”h]”j¦  )”}”(hje  h]”hŒ#Documentation/security/landlock.rst”…””}”(hjg  h²hh³Nh´Nubah}”(h]”h ]”(j±  Œstd”Œstd-ref”eh"]”h$]”h&]”uh1j¥  hjc  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j¾  Œ	refdomain”jq  Œreftype”Œref”Œrefexplicit”ˆŒrefwarn”ˆjÄ  Œscoped-flags-interaction”uh1hh³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´Mhj[  ubhŒ.”…””}”(hj[  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³jƒ  h´Mhj›  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj   ubeh}”(h]”h ]”h"]”h$]”h&]”j„  Œ-”uh1jž  h³jÄ  h´Kàhjo  ubj(  )”}”(hX'  Whether an opened file can be truncated with :manpage:`ftruncate(2)` or used
with `ioctl(2)` is determined during :manpage:`open(2)`, in the same way as
read and write permissions are checked during :manpage:`open(2)` using
``LANDLOCK_ACCESS_FS_READ_FILE`` and ``LANDLOCK_ACCESS_FS_WRITE_FILE``.”h]”(hŒ-Whether an opened file can be truncated with ”…””}”(hj›  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`ftruncate(2)`”h]”hŒftruncate(2)”…””}”(hj£  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œftruncate(2)”j"  Œ	ftruncate”j$  j%  uh1j  hj›  ubhŒ or used
with ”…””}”(hj›  h²hh³Nh´NubjJ  )”}”(hŒ
`ioctl(2)`”h]”hŒioctl(2)”…””}”(hj·  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jI  hj›  ubhŒ is determined during ”…””}”(hj›  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`open(2)`”h]”hŒopen(2)”…””}”(hjÉ  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œopen(2)”j"  Œopen”j$  j%  uh1j  hj›  ubhŒC, in the same way as
read and write permissions are checked during ”…””}”(hj›  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`open(2)`”h]”hŒopen(2)”…””}”(hjÝ  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œopen(2)”j"  Œopen”j$  j%  uh1j  hj›  ubhŒ using
”…””}”(hj›  h²hh³Nh´NubjŽ  )”}”(hŒ ``LANDLOCK_ACCESS_FS_READ_FILE``”h]”hŒLANDLOCK_ACCESS_FS_READ_FILE”…””}”(hjñ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj›  ubhŒ and ”…””}”(hj›  h²hh³Nh´NubjŽ  )”}”(hŒ!``LANDLOCK_ACCESS_FS_WRITE_FILE``”h]”hŒLANDLOCK_ACCESS_FS_WRITE_FILE”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj›  ubhŒ.”…””}”(hj›  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´Mhjo  ubj(  )”}”(hŒ¦A directory can receive access rights related to files or directories.  The
following access right is applied to the directory itself, and the
directories beneath it:”h]”hŒ¦A directory can receive access rights related to files or directories.  The
following access right is applied to the directory itself, and the
directories beneath it:”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´Mhjo  ubjŸ  )”}”(hhh]”j¤  )”}”(hŒG``LANDLOCK_ACCESS_FS_READ_DIR``: Open a directory or list its content.
”h]”j(  )”}”(hŒF``LANDLOCK_ACCESS_FS_READ_DIR``: Open a directory or list its content.”h]”(jŽ  )”}”(hŒ``LANDLOCK_ACCESS_FS_READ_DIR``”h]”hŒLANDLOCK_ACCESS_FS_READ_DIR”…””}”(hj6  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj2  ubhŒ': Open a directory or list its content.”…””}”(hj2  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´Mhj.  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj+  ubah}”(h]”h ]”h"]”h$]”h&]”j„  jš  uh1jž  h³jN  h´Mhjo  ubj(  )”}”(hŒhHowever, the following access rights only apply to the content of a
directory, not the directory itself:”h]”hŒhHowever, the following access rights only apply to the content of a
directory, not the directory itself:”…””}”(hj[  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´Mhjo  ubjŸ  )”}”(hhh]”(j¤  )”}”(hŒK``LANDLOCK_ACCESS_FS_REMOVE_DIR``: Remove an empty directory or rename one.”h]”j(  )”}”(hjo  h]”(jŽ  )”}”(hŒ!``LANDLOCK_ACCESS_FS_REMOVE_DIR``”h]”hŒLANDLOCK_ACCESS_FS_REMOVE_DIR”…””}”(hjt  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjq  ubhŒ*: Remove an empty directory or rename one.”…””}”(hjq  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´Mhjm  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hjj  ubj¤  )”}”(hŒ>``LANDLOCK_ACCESS_FS_REMOVE_FILE``: Unlink (or rename) a file.”h]”j(  )”}”(hj•  h]”(jŽ  )”}”(hŒ"``LANDLOCK_ACCESS_FS_REMOVE_FILE``”h]”hŒLANDLOCK_ACCESS_FS_REMOVE_FILE”…””}”(hjš  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj—  ubhŒ: Unlink (or rename) a file.”…””}”(hj—  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´Mhj“  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hjj  ubj¤  )”}”(hŒP``LANDLOCK_ACCESS_FS_MAKE_CHAR``: Create (or rename or link) a character
device.”h]”j(  )”}”(hŒP``LANDLOCK_ACCESS_FS_MAKE_CHAR``: Create (or rename or link) a character
device.”h]”(jŽ  )”}”(hŒ ``LANDLOCK_ACCESS_FS_MAKE_CHAR``”h]”hŒLANDLOCK_ACCESS_FS_MAKE_CHAR”…””}”(hjÁ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj½  ubhŒ0: Create (or rename or link) a character
device.”…””}”(hj½  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´M hj¹  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hjj  ubj¤  )”}”(hŒ@``LANDLOCK_ACCESS_FS_MAKE_DIR``: Create (or rename) a directory.”h]”j(  )”}”(hjâ  h]”(jŽ  )”}”(hŒ``LANDLOCK_ACCESS_FS_MAKE_DIR``”h]”hŒLANDLOCK_ACCESS_FS_MAKE_DIR”…””}”(hjç  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjä  ubhŒ!: Create (or rename) a directory.”…””}”(hjä  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´M"hjà  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hjj  ubj¤  )”}”(hŒK``LANDLOCK_ACCESS_FS_MAKE_REG``: Create (or rename or link) a regular file.”h]”j(  )”}”(hj  h]”(jŽ  )”}”(hŒ``LANDLOCK_ACCESS_FS_MAKE_REG``”h]”hŒLANDLOCK_ACCESS_FS_MAKE_REG”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj
  ubhŒ,: Create (or rename or link) a regular file.”…””}”(hj
  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´M#hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hjj  ubj¤  )”}”(hŒR``LANDLOCK_ACCESS_FS_MAKE_SOCK``: Create (or rename or link) a UNIX domain
socket.”h]”j(  )”}”(hŒR``LANDLOCK_ACCESS_FS_MAKE_SOCK``: Create (or rename or link) a UNIX domain
socket.”h]”(jŽ  )”}”(hŒ ``LANDLOCK_ACCESS_FS_MAKE_SOCK``”h]”hŒLANDLOCK_ACCESS_FS_MAKE_SOCK”…””}”(hj4  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj0  ubhŒ2: Create (or rename or link) a UNIX domain
socket.”…””}”(hj0  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´M$hj,  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hjj  ubj¤  )”}”(hŒJ``LANDLOCK_ACCESS_FS_MAKE_FIFO``: Create (or rename or link) a named pipe.”h]”j(  )”}”(hjU  h]”(jŽ  )”}”(hŒ ``LANDLOCK_ACCESS_FS_MAKE_FIFO``”h]”hŒLANDLOCK_ACCESS_FS_MAKE_FIFO”…””}”(hjZ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjW  ubhŒ*: Create (or rename or link) a named pipe.”…””}”(hjW  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´M&hjS  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hjj  ubj¤  )”}”(hŒM``LANDLOCK_ACCESS_FS_MAKE_BLOCK``: Create (or rename or link) a block device.”h]”j(  )”}”(hj{  h]”(jŽ  )”}”(hŒ!``LANDLOCK_ACCESS_FS_MAKE_BLOCK``”h]”hŒLANDLOCK_ACCESS_FS_MAKE_BLOCK”…””}”(hj€  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj}  ubhŒ,: Create (or rename or link) a block device.”…””}”(hj}  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´M'hjy  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hjj  ubj¤  )”}”(hŒL``LANDLOCK_ACCESS_FS_MAKE_SYM``: Create (or rename or link) a symbolic link.”h]”j(  )”}”(hj¡  h]”(jŽ  )”}”(hŒ``LANDLOCK_ACCESS_FS_MAKE_SYM``”h]”hŒLANDLOCK_ACCESS_FS_MAKE_SYM”…””}”(hj¦  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj£  ubhŒ-: Create (or rename or link) a symbolic link.”…””}”(hj£  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´M(hjŸ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hjj  ubj¤  )”}”(hXé  ``LANDLOCK_ACCESS_FS_REFER``: Link or rename a file from or to a different
directory (i.e. reparent a file hierarchy).

This access right is available since the second version of the Landlock
ABI.

This is the only access right which is denied by default by any ruleset,
even if the right is not specified as handled at ruleset creation time.
The only way to make a ruleset grant this right is to explicitly allow it
for a specific directory by adding a matching rule to the ruleset.

In particular, when using the first Landlock ABI version, Landlock will
always deny attempts to reparent files between different directories.

In addition to the source and destination directories having the
``LANDLOCK_ACCESS_FS_REFER`` access right, the attempted link or rename
operation must meet the following constraints:

* The reparented file may not gain more access rights in the destination
  directory than it previously had in the source directory.  If this is
  attempted, the operation results in an ``EXDEV`` error.

* When linking or renaming, the ``LANDLOCK_ACCESS_FS_MAKE_*`` right for the
  respective file type must be granted for the destination directory.
  Otherwise, the operation results in an ``EACCES`` error.

* When renaming, the ``LANDLOCK_ACCESS_FS_REMOVE_*`` right for the
  respective file type must be granted for the source directory.  Otherwise,
  the operation results in an ``EACCES`` error.

If multiple requirements are not met, the ``EACCES`` error code takes
precedence over ``EXDEV``.
”h]”(j(  )”}”(hŒv``LANDLOCK_ACCESS_FS_REFER``: Link or rename a file from or to a different
directory (i.e. reparent a file hierarchy).”h]”(jŽ  )”}”(hŒ``LANDLOCK_ACCESS_FS_REFER``”h]”hŒLANDLOCK_ACCESS_FS_REFER”…””}”(hjÍ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÉ  ubhŒZ: Link or rename a file from or to a different
directory (i.e. reparent a file hierarchy).”…””}”(hjÉ  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´M)hjÅ  ubj(  )”}”(hŒLThis access right is available since the second version of the Landlock
ABI.”h]”hŒLThis access right is available since the second version of the Landlock
ABI.”…””}”(hjæ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´M,hjÅ  ubj(  )”}”(hX  This is the only access right which is denied by default by any ruleset,
even if the right is not specified as handled at ruleset creation time.
The only way to make a ruleset grant this right is to explicitly allow it
for a specific directory by adding a matching rule to the ruleset.”h]”hX  This is the only access right which is denied by default by any ruleset,
even if the right is not specified as handled at ruleset creation time.
The only way to make a ruleset grant this right is to explicitly allow it
for a specific directory by adding a matching rule to the ruleset.”…””}”(hjõ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´M/hjÅ  ubj(  )”}”(hŒIn particular, when using the first Landlock ABI version, Landlock will
always deny attempts to reparent files between different directories.”h]”hŒIn particular, when using the first Landlock ABI version, Landlock will
always deny attempts to reparent files between different directories.”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´M4hjÅ  ubj(  )”}”(hŒ·In addition to the source and destination directories having the
``LANDLOCK_ACCESS_FS_REFER`` access right, the attempted link or rename
operation must meet the following constraints:”h]”(hŒAIn addition to the source and destination directories having the
”…””}”(hj  h²hh³Nh´NubjŽ  )”}”(hŒ``LANDLOCK_ACCESS_FS_REFER``”h]”hŒLANDLOCK_ACCESS_FS_REFER”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubhŒZ access right, the attempted link or rename
operation must meet the following constraints:”…””}”(hj  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´M7hjÅ  ubjŸ  )”}”(hhh]”(j¤  )”}”(hŒÅThe reparented file may not gain more access rights in the destination
directory than it previously had in the source directory.  If this is
attempted, the operation results in an ``EXDEV`` error.
”h]”j(  )”}”(hŒÄThe reparented file may not gain more access rights in the destination
directory than it previously had in the source directory.  If this is
attempted, the operation results in an ``EXDEV`` error.”h]”(hŒ´The reparented file may not gain more access rights in the destination
directory than it previously had in the source directory.  If this is
attempted, the operation results in an ”…””}”(hj;  h²hh³Nh´NubjŽ  )”}”(hŒ	``EXDEV``”h]”hŒEXDEV”…””}”(hjC  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj;  ubhŒ error.”…””}”(hj;  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´M;hj7  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj4  ubj¤  )”}”(hŒÇWhen linking or renaming, the ``LANDLOCK_ACCESS_FS_MAKE_*`` right for the
respective file type must be granted for the destination directory.
Otherwise, the operation results in an ``EACCES`` error.
”h]”j(  )”}”(hŒÆWhen linking or renaming, the ``LANDLOCK_ACCESS_FS_MAKE_*`` right for the
respective file type must be granted for the destination directory.
Otherwise, the operation results in an ``EACCES`` error.”h]”(hŒWhen linking or renaming, the ”…””}”(hjf  h²hh³Nh´NubjŽ  )”}”(hŒ``LANDLOCK_ACCESS_FS_MAKE_*``”h]”hŒLANDLOCK_ACCESS_FS_MAKE_*”…””}”(hjn  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjf  ubhŒz right for the
respective file type must be granted for the destination directory.
Otherwise, the operation results in an ”…””}”(hjf  h²hh³Nh´NubjŽ  )”}”(hŒ
``EACCES``”h]”hŒEACCES”…””}”(hj€  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjf  ubhŒ error.”…””}”(hjf  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´M?hjb  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj4  ubj¤  )”}”(hŒºWhen renaming, the ``LANDLOCK_ACCESS_FS_REMOVE_*`` right for the
respective file type must be granted for the source directory.  Otherwise,
the operation results in an ``EACCES`` error.
”h]”j(  )”}”(hŒ¹When renaming, the ``LANDLOCK_ACCESS_FS_REMOVE_*`` right for the
respective file type must be granted for the source directory.  Otherwise,
the operation results in an ``EACCES`` error.”h]”(hŒWhen renaming, the ”…””}”(hj£  h²hh³Nh´NubjŽ  )”}”(hŒ``LANDLOCK_ACCESS_FS_REMOVE_*``”h]”hŒLANDLOCK_ACCESS_FS_REMOVE_*”…””}”(hj«  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj£  ubhŒv right for the
respective file type must be granted for the source directory.  Otherwise,
the operation results in an ”…””}”(hj£  h²hh³Nh´NubjŽ  )”}”(hŒ
``EACCES``”h]”hŒEACCES”…””}”(hj½  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj£  ubhŒ error.”…””}”(hj£  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´MChjŸ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj4  ubeh}”(h]”h ]”h"]”h$]”h&]”j„  j…  uh1jž  h³j[  h´M;hjÅ  ubj(  )”}”(hŒ`If multiple requirements are not met, the ``EACCES`` error code takes
precedence over ``EXDEV``.”h]”(hŒ*If multiple requirements are not met, the ”…””}”(hjâ  h²hh³Nh´NubjŽ  )”}”(hŒ
``EACCES``”h]”hŒEACCES”…””}”(hjê  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjâ  ubhŒ" error code takes
precedence over ”…””}”(hjâ  h²hh³Nh´NubjŽ  )”}”(hŒ	``EXDEV``”h]”hŒEXDEV”…””}”(hjü  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjâ  ubhŒ.”…””}”(hjâ  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´MGhjÅ  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j£  hjj  ubeh}”(h]”h ]”h"]”h$]”h&]”j„  jš  uh1jž  h³jŒ  h´Mhjo  ubj  )”}”(hXf  It is currently not possible to restrict some file-related actions
accessible through these syscall families: :manpage:`chdir(2)`,
:manpage:`stat(2)`, :manpage:`flock(2)`, :manpage:`chmod(2)`,
:manpage:`chown(2)`, :manpage:`setxattr(2)`, :manpage:`utime(2)`,
:manpage:`fcntl(2)`, :manpage:`access(2)`.
Future Landlock evolutions will enable to restrict them.”h]”j(  )”}”(hXf  It is currently not possible to restrict some file-related actions
accessible through these syscall families: :manpage:`chdir(2)`,
:manpage:`stat(2)`, :manpage:`flock(2)`, :manpage:`chmod(2)`,
:manpage:`chown(2)`, :manpage:`setxattr(2)`, :manpage:`utime(2)`,
:manpage:`fcntl(2)`, :manpage:`access(2)`.
Future Landlock evolutions will enable to restrict them.”h]”(hŒnIt is currently not possible to restrict some file-related actions
accessible through these syscall families: ”…””}”(hj%  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`chdir(2)`”h]”hŒchdir(2)”…””}”(hj-  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œchdir(2)”j"  Œchdir”j$  j%  uh1j  hj%  ubhŒ,
”…””}”(hj%  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`stat(2)`”h]”hŒstat(2)”…””}”(hjA  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œstat(2)”j"  Œstat”j$  j%  uh1j  hj%  ubhŒ, ”…””}”(hj%  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`flock(2)`”h]”hŒflock(2)”…””}”(hjU  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œflock(2)”j"  Œflock”j$  j%  uh1j  hj%  ubhŒ, ”…””}”hj%  sbj  )”}”(hŒ:manpage:`chmod(2)`”h]”hŒchmod(2)”…””}”(hji  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œchmod(2)”j"  Œchmod”j$  j%  uh1j  hj%  ubhŒ,
”…””}”hj%  sbj  )”}”(hŒ:manpage:`chown(2)`”h]”hŒchown(2)”…””}”(hj}  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œchown(2)”j"  Œchown”j$  j%  uh1j  hj%  ubhŒ, ”…””}”hj%  sbj  )”}”(hŒ:manpage:`setxattr(2)`”h]”hŒsetxattr(2)”…””}”(hj‘  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œsetxattr(2)”j"  Œsetxattr”j$  j%  uh1j  hj%  ubhŒ, ”…””}”hj%  sbj  )”}”(hŒ:manpage:`utime(2)`”h]”hŒutime(2)”…””}”(hj¥  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œutime(2)”j"  Œutime”j$  j%  uh1j  hj%  ubhŒ,
”…””}”hj%  sbj  )”}”(hŒ:manpage:`fcntl(2)`”h]”hŒfcntl(2)”…””}”(hj¹  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œfcntl(2)”j"  Œfcntl”j$  j%  uh1j  hj%  ubhŒ, ”…””}”hj%  sbj  )”}”(hŒ:manpage:`access(2)`”h]”hŒ	access(2)”…””}”(hjÍ  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œ	access(2)”j"  Œaccess”j$  j%  uh1j  hj%  ubhŒ:.
Future Landlock evolutions will enable to restrict them.”…””}”(hj%  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´MLhj!  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjo  ubeh}”(h]”Œfilesystem-flags”ah ]”h"]”Œfilesystem flags”ah$]”h&]”uh1hòhj,  h²hh³Nh´Njª  Kubhó)”}”(hhh]”(hø)”}”(hŒNetwork flags”h]”hŒNetwork flags”…””}”(hjù  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hjö  h³Nh´Nubj(  )”}”(hŒOThese flags enable to restrict a sandboxed process to a set of network
actions.”h]”hŒOThese flags enable to restrict a sandboxed process to a set of network
actions.”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´Mmhjö  ubj(  )”}”(hŒ6The following access rights apply to TCP port numbers:”h]”hŒ6The following access rights apply to TCP port numbers:”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´Mphjö  ubjŸ  )”}”(hhh]”(j¤  )”}”(hŒt``LANDLOCK_ACCESS_NET_BIND_TCP``: Bind TCP sockets to the given local
port. Support added in Landlock ABI version 4.”h]”j(  )”}”(hŒt``LANDLOCK_ACCESS_NET_BIND_TCP``: Bind TCP sockets to the given local
port. Support added in Landlock ABI version 4.”h]”(jŽ  )”}”(hŒ ``LANDLOCK_ACCESS_NET_BIND_TCP``”h]”hŒLANDLOCK_ACCESS_NET_BIND_TCP”…””}”(hj0  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj,  ubhŒT: Bind TCP sockets to the given local
port. Support added in Landlock ABI version 4.”…””}”(hj,  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´Mrhj(  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj%  ubj¤  )”}”(hŒ}``LANDLOCK_ACCESS_NET_CONNECT_TCP``: Connect TCP sockets to the given
remote port. Support added in Landlock ABI version 4.

”h]”j(  )”}”(hŒ{``LANDLOCK_ACCESS_NET_CONNECT_TCP``: Connect TCP sockets to the given
remote port. Support added in Landlock ABI version 4.”h]”(jŽ  )”}”(hŒ#``LANDLOCK_ACCESS_NET_CONNECT_TCP``”h]”hŒLANDLOCK_ACCESS_NET_CONNECT_TCP”…””}”(hjW  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjS  ubhŒX: Connect TCP sockets to the given
remote port. Support added in Landlock ABI version 4.”…””}”(hjS  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´MthjO  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj%  ubeh}”(h]”h ]”h"]”h$]”h&]”j„  jš  uh1jž  h³jH  h´Mrhjö  ubeh}”(h]”Œnetwork-flags”ah ]”h"]”Œnetwork flags”ah$]”h&]”uh1hòhj,  h²hh³Nh´Njª  Kubhó)”}”(hhh]”(hø)”}”(hŒScope flags”h]”hŒScope flags”…””}”(hj‡  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hj„  h³Nh´Nubj(  )”}”(hŒÁThese flags enable to isolate a sandboxed process from a set of IPC actions.
Setting a flag for a ruleset will isolate the Landlock domain to forbid
connections to resources outside the domain.”h]”hŒÁThese flags enable to isolate a sandboxed process from a set of IPC actions.
Setting a flag for a ruleset will isolate the Landlock domain to forbid
connections to resources outside the domain.”…””}”(hj•  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´M‚hj„  ubj(  )”}”(hŒ/This is supported since Landlock ABI version 6.”h]”hŒ/This is supported since Landlock ABI version 6.”…””}”(hj¤  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´M†hj„  ubj(  )”}”(hŒScopes:”h]”hŒScopes:”…””}”(hj³  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´Mˆhj„  ubjŸ  )”}”(hhh]”(j¤  )”}”(hŒÝ``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET``: Restrict a sandboxed process from
connecting to an abstract UNIX socket created by a process outside the
related Landlock domain (e.g., a parent domain or a non-sandboxed process).”h]”j(  )”}”(hŒÝ``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET``: Restrict a sandboxed process from
connecting to an abstract UNIX socket created by a process outside the
related Landlock domain (e.g., a parent domain or a non-sandboxed process).”h]”(jŽ  )”}”(hŒ'``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET``”h]”hŒ#LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET”…””}”(hjÍ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÉ  ubhŒ¶: Restrict a sandboxed process from
connecting to an abstract UNIX socket created by a process outside the
related Landlock domain (e.g., a parent domain or a non-sandboxed process).”…””}”(hjÉ  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´MŠhjÅ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hjÂ  ubj¤  )”}”(hŒv``LANDLOCK_SCOPE_SIGNAL``: Restrict a sandboxed process from sending a signal
to another process outside the domain.

”h]”j(  )”}”(hŒt``LANDLOCK_SCOPE_SIGNAL``: Restrict a sandboxed process from sending a signal
to another process outside the domain.”h]”(jŽ  )”}”(hŒ``LANDLOCK_SCOPE_SIGNAL``”h]”hŒLANDLOCK_SCOPE_SIGNAL”…””}”(hjô  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjð  ubhŒ[: Restrict a sandboxed process from sending a signal
to another process outside the domain.”…””}”(hjð  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:541: ./include/uapi/linux/landlock.h”h´Mhjì  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hjÂ  ubeh}”(h]”h ]”h"]”h$]”h&]”j„  jš  uh1jž  h³jå  h´MŠhj„  ubeh}”(h]”Œscope-flags”ah ]”h"]”Œscope flags”ah$]”h&]”uh1hòhj,  h²hh³Nh´Njª  Kubeh}”(h]”Œaccess-rights”ah ]”h"]”Œaccess rights”ah$]”h&]”uh1hòhj  h²hh³hÇh´Mubhó)”}”(hhh]”(hø)”}”(hŒCreating a new ruleset”h]”hŒCreating a new ruleset”…””}”(hj,  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hj)  h²hh³hÇh´M!ubh Œindex”“”)”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œentries”]”(Œsingle”Œ(sys_landlock_create_ruleset (C function)”Œc.sys_landlock_create_ruleset”hNt”auh1j:  hj)  h²hh³Nh´Nubh Œdesc”“”)”}”(hhh]”(h Œdesc_signature”“”)”}”(hŒ~long sys_landlock_create_ruleset (const struct landlock_ruleset_attr __user *const attr, const size_t size, const __u32 flags)”h]”h Œdesc_signature_line”“”)”}”(hŒ}long sys_landlock_create_ruleset(const struct landlock_ruleset_attr __user *const attr, const size_t size, const __u32 flags)”h]”(h Œdesc_sig_keyword_type”“”)”}”(hŒlong”h]”hŒlong”…””}”(hj^  h²hh³Nh´Nubah}”(h]”h ]”Œkt”ah"]”h$]”h&]”uh1j\  hjX  h²hh³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:547: ./security/landlock/syscalls.c”h´K¬ubh Œdesc_sig_space”“”)”}”(hŒ ”h]”hŒ ”…””}”(hjp  h²hh³Nh´Nubah}”(h]”h ]”Œw”ah"]”h$]”h&]”uh1jn  hjX  h²hh³jm  h´K¬ubh Œ	desc_name”“”)”}”(hŒsys_landlock_create_ruleset”h]”h Œdesc_sig_name”“”)”}”(hŒsys_landlock_create_ruleset”h]”hŒsys_landlock_create_ruleset”…””}”(hj‡  h²hh³Nh´Nubah}”(h]”h ]”Œn”ah"]”h$]”h&]”uh1j…  hj  ubah}”(h]”h ]”(Œsig-name”Œdescname”eh"]”h$]”h&]”hÅhÆuh1j  hjX  h²hh³jm  h´K¬ubh Œdesc_parameterlist”“”)”}”(hŒ](const struct landlock_ruleset_attr __user *const attr, const size_t size, const __u32 flags)”h]”(h Œdesc_parameter”“”)”}”(hŒ5const struct landlock_ruleset_attr __user *const attr”h]”(h Œdesc_sig_keyword”“”)”}”(hŒconst”h]”hŒconst”…””}”(hj¬  h²hh³Nh´Nubah}”(h]”h ]”Œk”ah"]”h$]”h&]”uh1jª  hj¦  ubjo  )”}”(hŒ ”h]”hŒ ”…””}”(hj»  h²hh³Nh´Nubah}”(h]”h ]”j{  ah"]”h$]”h&]”uh1jn  hj¦  ubj«  )”}”(hŒstruct”h]”hŒstruct”…””}”(hjÉ  h²hh³Nh´Nubah}”(h]”h ]”j·  ah"]”h$]”h&]”uh1jª  hj¦  ubjo  )”}”(hŒ ”h]”hŒ ”…””}”(hj×  h²hh³Nh´Nubah}”(h]”h ]”j{  ah"]”h$]”h&]”uh1jn  hj¦  ubh)”}”(hhh]”j†  )”}”(hŒlandlock_ruleset_attr”h]”hŒlandlock_ruleset_attr”…””}”(hjè  h²hh³Nh´Nubah}”(h]”h ]”j’  ah"]”h$]”h&]”uh1j…  hjå  ubah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”j  Œreftype”Œ
identifier”Œ	reftarget”jê  Œmodname”NŒ	classname”NŒc:parent_key”Œsphinx.domains.c”Œ	LookupKey”“”)”}”Œdata”]”j  ŒASTIdentifier”“”)”}”jþ  j‰  sbŒc.sys_landlock_create_ruleset”†”asbuh1hhj¦  ubjo  )”}”(hŒ ”h]”hŒ ”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”j{  ah"]”h$]”h&]”uh1jn  hj¦  ubhŒ__user”…””}”(hj¦  h²hh³Nh´Nubjo  )”}”(hŒ ”h]”hŒ ”…””}”(hj"  h²hh³Nh´Nubah}”(h]”h ]”j{  ah"]”h$]”h&]”uh1jn  hj¦  ubh Œdesc_sig_punctuation”“”)”}”(hj…  h]”hŒ*”…””}”(hj2  h²hh³Nh´Nubah}”(h]”h ]”Œp”ah"]”h$]”h&]”uh1j0  hj¦  ubj«  )”}”(hj®  h]”hŒconst”…””}”(hj@  h²hh³Nh´Nubah}”(h]”h ]”j·  ah"]”h$]”h&]”uh1jª  hj¦  ubjo  )”}”(hŒ ”h]”hŒ ”…””}”(hjM  h²hh³Nh´Nubah}”(h]”h ]”j{  ah"]”h$]”h&]”uh1jn  hj¦  ubj†  )”}”(hŒattr”h]”hŒattr”…””}”(hj[  h²hh³Nh´Nubah}”(h]”h ]”j’  ah"]”h$]”h&]”uh1j…  hj¦  ubeh}”(h]”h ]”h"]”h$]”h&]”Œnoemph”ˆhÅhÆuh1j¤  hj   ubj¥  )”}”(hŒconst size_t size”h]”(j«  )”}”(hj®  h]”hŒconst”…””}”(hjt  h²hh³Nh´Nubah}”(h]”h ]”j·  ah"]”h$]”h&]”uh1jª  hjp  ubjo  )”}”(hŒ ”h]”hŒ ”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”j{  ah"]”h$]”h&]”uh1jn  hjp  ubh)”}”(hhh]”j†  )”}”(hŒsize_t”h]”hŒsize_t”…””}”(hj’  h²hh³Nh´Nubah}”(h]”h ]”j’  ah"]”h$]”h&]”uh1j…  hj  ubah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”j  Œreftype”jþ  Œ	reftarget”j”  Œmodname”NŒ	classname”Nj  j  )”}”j  ]”j  Œc.sys_landlock_create_ruleset”†”asbuh1hhjp  ubjo  )”}”(hŒ ”h]”hŒ ”…””}”(hj°  h²hh³Nh´Nubah}”(h]”h ]”j{  ah"]”h$]”h&]”uh1jn  hjp  ubj†  )”}”(hŒsize”h]”hŒsize”…””}”(hj¾  h²hh³Nh´Nubah}”(h]”h ]”j’  ah"]”h$]”h&]”uh1j…  hjp  ubeh}”(h]”h ]”h"]”h$]”h&]”Œnoemph”ˆhÅhÆuh1j¤  hj   ubj¥  )”}”(hŒconst __u32 flags”h]”(j«  )”}”(hj®  h]”hŒconst”…””}”(hj×  h²hh³Nh´Nubah}”(h]”h ]”j·  ah"]”h$]”h&]”uh1jª  hjÓ  ubjo  )”}”(hŒ ”h]”hŒ ”…””}”(hjä  h²hh³Nh´Nubah}”(h]”h ]”j{  ah"]”h$]”h&]”uh1jn  hjÓ  ubh)”}”(hhh]”j†  )”}”(hŒ__u32”h]”hŒ__u32”…””}”(hjõ  h²hh³Nh´Nubah}”(h]”h ]”j’  ah"]”h$]”h&]”uh1j…  hjò  ubah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”j  Œreftype”jþ  Œ	reftarget”j÷  Œmodname”NŒ	classname”Nj  j  )”}”j  ]”j  Œc.sys_landlock_create_ruleset”†”asbuh1hhjÓ  ubjo  )”}”(hŒ ”h]”hŒ ”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”j{  ah"]”h$]”h&]”uh1jn  hjÓ  ubj†  )”}”(hŒflags”h]”hŒflags”…””}”(hj!  h²hh³Nh´Nubah}”(h]”h ]”j’  ah"]”h$]”h&]”uh1j…  hjÓ  ubeh}”(h]”h ]”h"]”h$]”h&]”Œnoemph”ˆhÅhÆuh1j¤  hj   ubeh}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1jž  hjX  h²hh³jm  h´K¬ubeh}”(h]”h ]”h"]”h$]”h&]”hÅhÆŒadd_permalink”ˆuh1jV  Œsphinx_line_type”Œ
declarator”hjR  h²hh³jm  h´K¬ubah}”(h]”jI  ah ]”(Œsig”Œ
sig-object”eh"]”h$]”h&]”Œis_multiline”ˆŒ
_toc_parts”)Œ	_toc_name”huh1jP  h³jm  h´K¬hjM  h²hubh Œdesc_content”“”)”}”(hhh]”j(  )”}”(hŒCreate a new ruleset”h]”hŒCreate a new ruleset”…””}”(hjU  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:547: ./security/landlock/syscalls.c”h´K¬hjR  h²hubah}”(h]”h ]”h"]”h$]”h&]”uh1jP  hjM  h²hh³jm  h´K¬ubeh}”(h]”h ]”(j  Œfunction”eh"]”h$]”h&]”Œdomain”j  Œobjtype”jm  Œdesctype”jm  Œnoindex”‰Œnoindexentry”‰Œnocontentsentry”‰uh1jK  h²hhj)  h³Nh´NubhŒ	container”“”)”}”(hX‡  **Parameters**

``const struct landlock_ruleset_attr __user *const attr``
  Pointer to a :c:type:`struct landlock_ruleset_attr <landlock_ruleset_attr>` identifying the scope of
  the new ruleset.

``const size_t size``
  Size of the pointed :c:type:`struct landlock_ruleset_attr <landlock_ruleset_attr>` (needed for
  backward and forward compatibility).

``const __u32 flags``
  Supported values:

**Description**

        - ``LANDLOCK_CREATE_RULESET_VERSION``
        - ``LANDLOCK_CREATE_RULESET_ERRATA``

This system call enables to create a new Landlock ruleset.

If ``LANDLOCK_CREATE_RULESET_VERSION`` or ``LANDLOCK_CREATE_RULESET_ERRATA`` is
set, then **attr** must be NULL and **size** must be 0.


- ``EOPNOTSUPP``: Landlock is supported by the kernel but disabled at boot time;
- ``EINVAL``: unknown **flags**, or unknown access, or unknown scope, or too small
  **size**;
- ``E2BIG``: **attr** or **size** inconsistencies;
- ``EFAULT``: **attr** or **size** inconsistencies;
- ``ENOMSG``: empty :c:type:`landlock_ruleset_attr.handled_access_fs <landlock_ruleset_attr>`.

.. kernel-doc:: include/uapi/linux/landlock.h
    :identifiers: landlock_create_ruleset_flags

**Return**

The ruleset file descriptor on success, the Landlock ABI version if
``LANDLOCK_CREATE_RULESET_VERSION`` is set, the errata value if
``LANDLOCK_CREATE_RULESET_ERRATA`` is set, or -errno on failure.  Possible
returned errors are:”h]”(j(  )”}”(hŒ**Parameters**”h]”j  )”}”(hj  h]”hŒ
Parameters”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj}  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:547: ./security/landlock/syscalls.c”h´K°hjy  ubj"  )”}”(hhh]”(j'  )”}”(hŒ°``const struct landlock_ruleset_attr __user *const attr``
Pointer to a :c:type:`struct landlock_ruleset_attr <landlock_ruleset_attr>` identifying the scope of
the new ruleset.
”h]”(j-  )”}”(hŒ9``const struct landlock_ruleset_attr __user *const attr``”h]”jŽ  )”}”(hjž  h]”hŒ5const struct landlock_ruleset_attr __user *const attr”…””}”(hj   h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjœ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:547: ./security/landlock/syscalls.c”h´K¯hj˜  ubj=  )”}”(hhh]”j(  )”}”(hŒuPointer to a :c:type:`struct landlock_ruleset_attr <landlock_ruleset_attr>` identifying the scope of
the new ruleset.”h]”(hŒPointer to a ”…””}”(hj·  h²hh³Nh´Nubh)”}”(hŒ>:c:type:`struct landlock_ruleset_attr <landlock_ruleset_attr>`”h]”jŽ  )”}”(hjÁ  h]”hŒstruct landlock_ruleset_attr”…””}”(hjÃ  h²hh³Nh´Nubah}”(h]”h ]”(j±  j  Œc-type”eh"]”h$]”h&]”uh1j  hj¿  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j¾  Œ	refdomain”j  Œreftype”Œtype”Œrefexplicit”ˆŒrefwarn”‰j  j  )”}”j  ]”sbjÄ  Œlandlock_ruleset_attr”uh1hh³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:547: ./security/landlock/syscalls.c”h´K®hj·  ubhŒ* identifying the scope of
the new ruleset.”…””}”(hj·  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³já  h´K®hj´  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j<  hj˜  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j&  h³j³  h´K¯hj•  ubj'  )”}”(hŒš``const size_t size``
Size of the pointed :c:type:`struct landlock_ruleset_attr <landlock_ruleset_attr>` (needed for
backward and forward compatibility).
”h]”(j-  )”}”(hŒ``const size_t size``”h]”jŽ  )”}”(hjþ  h]”hŒconst size_t size”…””}”(hj   h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjü  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:547: ./security/landlock/syscalls.c”h´K±hjø  ubj=  •      )”}”(hhh]”j(  )”}”(hŒƒSize of the pointed :c:type:`struct landlock_ruleset_attr <landlock_ruleset_attr>` (needed for
backward and forward compatibility).”h]”(hŒSize of the pointed ”…””}”(hj  h²hh³Nh´Nubh)”}”(hŒ>:c:type:`struct landlock_ruleset_attr <landlock_ruleset_attr>`”h]”jŽ  )”}”(hj!  h]”hŒstruct landlock_ruleset_attr”…””}”(hj#  h²hh³Nh´Nubah}”(h]”h ]”(j±  j  Œc-type”eh"]”h$]”h&]”uh1j  hj  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j¾  Œ	refdomain”j  Œreftype”Œtype”Œrefexplicit”ˆŒrefwarn”‰j  jÝ  jÄ  Œlandlock_ruleset_attr”uh1hh³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:547: ./security/landlock/syscalls.c”h´K°hj  ubhŒ1 (needed for
backward and forward compatibility).”…””}”(hj  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³j>  h´K°hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j<  hjø  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j&  h³j  h´K±hj•  ubj'  )”}”(hŒ(``const __u32 flags``
Supported values:
”h]”(j-  )”}”(hŒ``const __u32 flags``”h]”jŽ  )”}”(hj[  h]”hŒconst __u32 flags”…””}”(hj]  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjY  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:547: ./security/landlock/syscalls.c”h´K²hjU  ubj=  )”}”(hhh]”j(  )”}”(hŒSupported values:”h]”hŒSupported values:”…””}”(hjt  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³jp  h´K²hjq  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j<  hjU  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j&  h³jp  h´K²hj•  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j!  hjy  ubj(  )”}”(hŒ**Description**”h]”j  )”}”(hj–  h]”hŒDescription”…””}”(hj˜  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj”  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:547: ./security/landlock/syscalls.c”h´K´hjy  ubhŒblock_quote”“”)”}”(hŒK- ``LANDLOCK_CREATE_RULESET_VERSION``
- ``LANDLOCK_CREATE_RULESET_ERRATA``
”h]”jŸ  )”}”(hhh]”(j¤  )”}”(hŒ#``LANDLOCK_CREATE_RULESET_VERSION``”h]”j(  )”}”(hj·  h]”jŽ  )”}”(hj·  h]”hŒLANDLOCK_CREATE_RULESET_VERSION”…””}”(hj¼  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj¹  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:547: ./security/landlock/syscalls.c”h´K³hjµ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj²  ubj¤  )”}”(hŒ#``LANDLOCK_CREATE_RULESET_ERRATA``
”h]”j(  )”}”(hŒ"``LANDLOCK_CREATE_RULESET_ERRATA``”h]”jŽ  )”}”(hjÜ  h]”hŒLANDLOCK_CREATE_RULESET_ERRATA”…””}”(hjÞ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÚ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:547: ./security/landlock/syscalls.c”h´K´hjÖ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj²  ubeh}”(h]”h ]”h"]”h$]”h&]”j„  jš  uh1jž  h³jÏ  h´K³hj®  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¬  h³jÏ  h´K³hjy  ubj(  )”}”(hŒ:This system call enables to create a new Landlock ruleset.”h]”hŒ:This system call enables to create a new Landlock ruleset.”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:547: ./security/landlock/syscalls.c”h´K¶hjy  ubj(  )”}”(hŒ‡If ``LANDLOCK_CREATE_RULESET_VERSION`` or ``LANDLOCK_CREATE_RULESET_ERRATA`` is
set, then **attr** must be NULL and **size** must be 0.”h]”(hŒIf ”…””}”(hj  h²hh³Nh´NubjŽ  )”}”(hŒ#``LANDLOCK_CREATE_RULESET_VERSION``”h]”hŒLANDLOCK_CREATE_RULESET_VERSION”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubhŒ or ”…””}”(hj  h²hh³Nh´NubjŽ  )”}”(hŒ"``LANDLOCK_CREATE_RULESET_ERRATA``”h]”hŒLANDLOCK_CREATE_RULESET_ERRATA”…””}”(hj-  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubhŒ is
set, then ”…””}”(hj  h²hh³Nh´Nubj  )”}”(hŒ**attr**”h]”hŒattr”…””}”(hj?  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubhŒ must be NULL and ”…””}”(hj  h²hh³Nh´Nubj  )”}”(hŒ**size**”h]”hŒsize”…””}”(hjQ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubhŒ must be 0.”…””}”(hj  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:547: ./security/landlock/syscalls.c”h´K¸hjy  ubjŸ  )”}”(hhh]”(j¤  )”}”(hŒN``EOPNOTSUPP``: Landlock is supported by the kernel but disabled at boot time;”h]”j(  )”}”(hjo  h]”(jŽ  )”}”(hŒ``EOPNOTSUPP``”h]”hŒ
EOPNOTSUPP”…””}”(hjt  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjq  ubhŒ@: Landlock is supported by the kernel but disabled at boot time;”…””}”(hjq  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:547: ./security/landlock/syscalls.c”h´K¼hjm  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hjj  ubj¤  )”}”(hŒZ``EINVAL``: unknown **flags**, or unknown access, or unknown scope, or too small
**size**;”h]”j(  )”}”(hŒZ``EINVAL``: unknown **flags**, or unknown access, or unknown scope, or too small
**size**;”h]”(jŽ  )”}”(hŒ
``EINVAL``”h]”hŒEINVAL”…””}”(hj›  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj—  ubhŒ
: unknown ”…””}”(hj—  h²hh³Nh´Nubj  )”}”(hŒ	**flags**”h]”hŒflags”…””}”(hj­  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj—  ubhŒ4, or unknown access, or unknown scope, or too small
”…””}”(hj—  h²hh³Nh´Nubj  )”}”(hŒ**size**”h]”hŒsize”…””}”(hj¿  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj—  ubhŒ;”…””}”(hj—  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:547: ./security/landlock/syscalls.c”h´K½hj“  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hjj  ubj¤  )”}”(hŒ0``E2BIG``: **attr** or **size** inconsistencies;”h]”j(  )”}”(hjà  h]”(jŽ  )”}”(hŒ	``E2BIG``”h]”hŒE2BIG”…””}”(hjå  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjâ  ubhŒ: ”…””}”(hjâ  h²hh³Nh´Nubj  )”}”(hŒ**attr**”h]”hŒattr”…””}”(hj÷  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjâ  ubhŒ or ”…””}”(hjâ  h²hh³Nh´Nubj  )”}”(hŒ**size**”h]”hŒsize”…””}”(hj	  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjâ  ubhŒ inconsistencies;”…””}”(hjâ  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:547: ./security/landlock/syscalls.c”h´K¿hjÞ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hjj  ubj¤  )”}”(hŒ1``EFAULT``: **attr** or **size** inconsistencies;”h]”j(  )”}”(hj*  h]”(jŽ  )”}”(hŒ
``EFAULT``”h]”hŒEFAULT”…””}”(hj/  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj,  ubhŒ: ”…””}”(hj,  h²hh³Nh´Nubj  )”}”(hŒ**attr**”h]”hŒattr”…””}”(hjA  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj,  ubhŒ or ”…””}”(hj,  h²hh³Nh´Nubj  )”}”(hŒ**size**”h]”hŒsize”…””}”(hjS  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj,  ubhŒ inconsistencies;”…””}”(hj,  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:547: ./security/landlock/syscalls.c”h´KÀhj(  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hjj  ubj¤  )”}”(hŒ]``ENOMSG``: empty :c:type:`landlock_ruleset_attr.handled_access_fs <landlock_ruleset_attr>`.
”h]”j(  )”}”(hŒ\``ENOMSG``: empty :c:type:`landlock_ruleset_attr.handled_access_fs <landlock_ruleset_attr>`.”h]”(jŽ  )”}”(hŒ
``ENOMSG``”h]”hŒENOMSG”…””}”(hjz  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjv  ubhŒ: empty ”…””}”(hjv  h²hh³Nh´Nubh)”}”(hŒI:c:type:`landlock_ruleset_attr.handled_access_fs <landlock_ruleset_attr>`”h]”jŽ  )”}”(hjŽ  h]”hŒ'landlock_ruleset_attr.handled_access_fs”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”(j±  j  Œc-type”eh"]”h$]”h&]”uh1j  hjŒ  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j¾  Œ	refdomain”j  Œreftype”Œtype”Œrefexplicit”ˆŒrefwarn”‰j  jÝ  jÄ  Œlandlock_ruleset_attr”uh1hh³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:547: ./security/landlock/syscalls.c”h´KÁhjv  ubhŒ.”…””}”(hjv  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³j«  h´KÁhjr  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hjj  ubeh}”(h]”h ]”h"]”h$]”h&]”j„  jš  uh1jž  h³jŒ  h´K¼hjy  ubj(  )”}”(hŒ	**Flags**”h]”j  )”}”(hjÄ  h]”hŒFlags”…””}”(hjÆ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÂ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:38: ./include/uapi/linux/landlock.h”h´K9hjy  ubj"  )”}”(hhh]”(j'  )”}”(hŒd``LANDLOCK_CREATE_RULESET_VERSION``
Get the highest supported Landlock ABI version (starting at 1).
”h]”(j-  )”}”(hŒ#``LANDLOCK_CREATE_RULESET_VERSION``”h]”jŽ  )”}”(hjã  h]”hŒLANDLOCK_CREATE_RULESET_VERSION”…””}”(hjå  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjá  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:38: ./include/uapi/linux/landlock.h”h´K<hjÝ  ubj=  )”}”(hhh]”j(  )”}”(hŒ?Get the highest supported Landlock ABI version (starting at 1).”h]”hŒ?Get the highest supported Landlock ABI version (starting at 1).”…””}”(hjü  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³jø  h´K<hjù  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j<  hjÝ  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j&  h³jø  h´K<hjÚ  ubj'  )”}”(hŒh``LANDLOCK_CREATE_RULESET_ERRATA``
Get a bitmask of fixed issues for the current Landlock ABI version.

”h]”(j-  )”}”(hŒ"``LANDLOCK_CREATE_RULESET_ERRATA``”h]”jŽ  )”}”(hj  h]”hŒLANDLOCK_CREATE_RULESET_ERRATA”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:38: ./include/uapi/linux/landlock.h”h´K@hj  ubj=  )”}”(hhh]”j(  )”}”(hŒCGet a bitmask of fixed issues for the current Landlock ABI version.”h]”hŒCGet a bitmask of fixed issues for the current Landlock ABI version.”…””}”(hj5  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:38: ./include/uapi/linux/landlock.h”h´K?hj2  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j<  hj  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j&  h³j1  h´K@hjÚ  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j!  hjy  ubj(  )”}”(hŒ
**Return**”h]”j  )”}”(hjX  h]”hŒReturn”…””}”(hjZ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjV  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:547: ./security/landlock/syscalls.c”h´KÆhjy  ubj(  )”}”(hŒãThe ruleset file descriptor on success, the Landlock ABI version if
``LANDLOCK_CREATE_RULESET_VERSION`` is set, the errata value if
``LANDLOCK_CREATE_RULESET_ERRATA`` is set, or -errno on failure.  Possible
returned errors are:”h]”(hŒDThe ruleset file descriptor on success, the Landlock ABI version if
”…””}”(hjn  h²hh³Nh´NubjŽ  )”}”(hŒ#``LANDLOCK_CREATE_RULESET_VERSION``”h]”hŒLANDLOCK_CREATE_RULESET_VERSION”…””}”(hjv  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjn  ubhŒ is set, the errata value if
”…””}”(hjn  h²hh³Nh´NubjŽ  )”}”(hŒ"``LANDLOCK_CREATE_RULESET_ERRATA``”h]”hŒLANDLOCK_CREATE_RULESET_ERRATA”…””}”(hjˆ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjn  ubhŒ= is set, or -errno on failure.  Possible
returned errors are:”…””}”(hjn  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:547: ./security/landlock/syscalls.c”h´K¼hjy  ubeh}”(h]”h ]”Œkernelindent”ah"]”h$]”h&]”uh1jw  hj)  h²hh³Nh´Nubj;  )”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œentries”]”(jG  Œ landlock_ruleset_attr (C struct)”Œc.landlock_ruleset_attr”hNt”auh1j:  hj)  h²hh³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:550: ./include/uapi/linux/landlock.h”h´NubjL  )”}”(hhh]”(jQ  )”}”(hŒlandlock_ruleset_attr”h]”jW  )”}”(hŒstruct landlock_ruleset_attr”h]”(j«  )”}”(hjË  h]”hŒstruct”…””}”(hjÂ  h²hh³Nh´Nubah}”(h]”h ]”j·  ah"]”h$]”h&]”uh1jª  hj¾  h²hh³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:550: ./include/uapi/linux/landlock.h”h´Kubjo  )”}”(hŒ ”h]”hŒ ”…””}”(hjÐ  h²hh³Nh´Nubah}”(h]”h ]”j{  ah"]”h$]”h&]”uh1jn  hj¾  h²hh³jÏ  h´Kubj€  )”}”(hŒlandlock_ruleset_attr”h]”j†  )”}”(hj¼  h]”hŒlandlock_ruleset_attr”…””}”(hjâ  h²hh³Nh´Nubah}”(h]”h ]”j’  ah"]”h$]”h&]”uh1j…  hjÞ  ubah}”(h]”h ]”(j™  jš  eh"]”h$]”h&]”hÅhÆuh1j  hj¾  h²hh³jÏ  h´Kubeh}”(h]”h ]”h"]”h$]”h&]”hÅhÆjB  ˆuh1jV  jC  jD  hjº  h²hh³jÏ  h´Kubah}”(h]”j´  ah ]”(jH  jI  eh"]”h$]”h&]”jM  ˆjN  )jO  huh1jP  h³jÏ  h´Khj·  h²hubjQ  )”}”(hhh]”j(  )”}”(hŒRuleset definition.”h]”hŒRuleset definition.”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:550: ./include/uapi/linux/landlock.h”h´Khj  h²hubah}”(h]”h ]”h"]”h$]”h&]”uh1jP  hj·  h²hh³jÏ  h´Kubeh}”(h]”h ]”(j  Œstruct”eh"]”h$]”h&]”jq  j  jr  j  js  j  jt  ‰ju  ‰jv  ‰uh1jK  h²hhj)  h³j¶  h´Nubjx  )”}”(hXÏ  **Definition**::

  struct landlock_ruleset_attr {
      __u64 handled_access_fs;
      __u64 handled_access_net;
      __u64 scoped;
  };

**Members**

``handled_access_fs``
  Bitmask of handled filesystem actions
  (cf. `Filesystem flags`_).

``handled_access_net``
  Bitmask of handled network actions (cf. `Network
  flags`_).

``scoped``
  Bitmask of scopes (cf. `Scope flags`_)
  restricting a Landlock domain from accessing outside
  resources (e.g. IPCs).”h]”(j(  )”}”(hŒ**Definition**::”h]”(j  )”}”(hŒ**Definition**”h]”hŒ
Definition”…””}”(hj(  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj$  ubhŒ:”…””}”(hj$  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:550: ./include/uapi/linux/landlock.h”h´Khj   ubjò  )”}”(hŒnstruct landlock_ruleset_attr {
    __u64 handled_access_fs;
    __u64 handled_access_net;
    __u64 scoped;
};”h]”hŒnstruct landlock_ruleset_attr {
    __u64 handled_access_fs;
    __u64 handled_access_net;
    __u64 scoped;
};”…””}”hjA  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1jñ  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:550: ./include/uapi/linux/landlock.h”h´Khj   ubj(  )”}”(hŒ**Members**”h]”j  )”}”(hjR  h]”hŒMembers”…””}”(hjT  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjP  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:550: ./include/uapi/linux/landlock.h”h´Khj   ubj"  )”}”(hhh]”(j'  )”}”(hŒW``handled_access_fs``
Bitmask of handled filesystem actions
(cf. `Filesystem flags`_).
”h]”(j-  )”}”(hŒ``handled_access_fs``”h]”jŽ  )”}”(hjq  h]”hŒhandled_access_fs”…””}”(hjs  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjo  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:550: ./include/uapi/linux/landlock.h”h´K)hjk  ubj=  )”}”(hhh]”j(  )”}”(hŒ@Bitmask of handled filesystem actions
(cf. `Filesystem flags`_).”h]”(hŒ+Bitmask of handled filesystem actions
(cf. ”…””}”(hjŠ  h²hh³Nh´Nubj”  )”}”(hŒ`Filesystem flags`_”h]”hŒFilesystem flags”…””}”(hj’  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”ŒFilesystem flags”jÔ  jð  uh1j“  hjŠ  j§  KubhŒ).”…””}”(hjŠ  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:550: ./include/uapi/linux/landlock.h”h´K(hj‡  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j<  hjk  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j&  h³j†  h´K)hjh  ubj'  )”}”(hŒR``handled_access_net``
Bitmask of handled network actions (cf. `Network
flags`_).
”h]”(j-  )”}”(hŒ``handled_access_net``”h]”jŽ  )”}”(hj¿  h]”hŒhandled_access_net”…””}”(hjÁ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj½  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:550: ./include/uapi/linux/landlock.h”h´K.hj¹  ubj=  )”}”(hhh]”j(  )”}”(hŒ:Bitmask of handled network actions (cf. `Network
flags`_).”h]”(hŒ(Bitmask of handled network actions (cf. ”…””}”(hjØ  h²hh³Nh´Nubj”  )”}”(hŒ`Network
flags`_”h]”hŒNetwork
flags”…””}”(hjà  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”ŒNetwork flags”jÔ  j~  uh1j“  hjØ  j§  KubhŒ).”…””}”(hjØ  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:550: ./include/uapi/linux/landlock.h”h´K-hjÕ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j<  hj¹  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j&  h³jÔ  h´K.hjh  ubj'  )”}”(hŒ}``scoped``
Bitmask of scopes (cf. `Scope flags`_)
restricting a Landlock domain from accessing outside
resources (e.g. IPCs).”h]”(j-  )”}”(hŒ
``scoped``”h]”jŽ  )”}”(hj  h]”hŒscoped”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:550: ./include/uapi/linux/landlock.h”h´K3hj  ubj=  )”}”(hhh]”j(  )”}”(hŒrBitmask of scopes (cf. `Scope flags`_)
restricting a Landlock domain from accessing outside
resources (e.g. IPCs).”h]”(hŒBitmask of scopes (cf. ”…””}”(hj&  h²hh³Nh´Nubj”  )”}”(hŒ`Scope flags`_”h]”hŒScope flags”…””}”(hj.  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”ŒScope flags”jÔ  j  uh1j“  hj&  j§  KubhŒM)
restricting a Landlock domain from accessing outside
resources (e.g. IPCs).”…””}”(hj&  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:550: ./include/uapi/linux/landlock.h”h´K2hj#  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j<  hj  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j&  h³j"  h´K3hjh  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j!  hj   ubeh}”(h]”h ]”Œkernelindent”ah"]”h$]”h&]”uh1jw  hj)  h²hh³j¶  h´Nubj(  )”}”(hŒ**Description**”h]”j  )”}”(hjd  h]”hŒDescription”…””}”(hjf  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjb  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:550: ./include/uapi/linux/landlock.h”h´K7hj)  h²hubj(  )”}”(hŒ*Argument of sys_landlock_create_ruleset().”h]”hŒ*Argument of sys_landlock_create_ruleset().”…””}”(hjz  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:550: ./include/uapi/linux/landlock.h”h´Khj)  h²hubj(  )”}”(hX#  This structure defines a set of *handled access rights*, a set of actions on
different object types, which should be denied by default when the ruleset is
enacted.  Vice versa, access rights that are not specifically listed here are
not going to be denied by this ruleset when it is enacted.”h]”(hŒ This structure defines a set of ”…””}”(hj‰  h²hh³Nh´NubhŒemphasis”“”)”}”(hŒ*handled access rights*”h]”hŒhandled access rights”…””}”(hj“  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j‘  hj‰  ubhŒì, a set of actions on
different object types, which should be denied by default when the ruleset is
enacted.  Vice versa, access rights that are not specifically listed here are
not going to be denied by this ruleset when it is enacted.”…””}”(hj‰  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:550: ./include/uapi/linux/landlock.h”h´Khj)  h²hubj(  )”}”(hX  For historical reasons, the ``LANDLOCK_ACCESS_FS_REFER`` right is always denied
by default, even when its bit is not set in **handled_access_fs**.  In order to
add new rules with this access right, the bit must still be set explicitly
(cf. `Filesystem flags`_).”h]”(hŒFor historical reasons, the ”…””}”(hj¬  h²hh³Nh´NubjŽ  )”}”(hŒ``LANDLOCK_ACCESS_FS_REFER``”h]”hŒLANDLOCK_ACCESS_FS_REFER”…””}”(hj´  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj¬  ubhŒD right is always denied
by default, even when its bit is not set in ”…””}”(hj¬  h²hh³Nh´Nubj  )”}”(hŒ**handled_access_fs**”h]”hŒhandled_access_fs”…””}”(hjÆ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj¬  ubhŒ_.  In order to
add new rules with this access right, the bit must still be set explicitly
(cf. ”…””}”(hj¬  h²hh³Nh´Nubj”  )”}”(hŒ`Filesystem flags`_”h]”hŒFilesystem flags”…””}”(hjØ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”ŒFilesystem flags”jÔ  jð  uh1j“  hj¬  j§  KubhŒ).”…””}”(hj¬  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:550: ./include/uapi/linux/landlock.h”h´Khj)  h²hubj(  )”}”(hX&  The explicit listing of *handled access rights* is required for backwards
compatibility reasons.  In most use cases, processes that use Landlock will
*handle* a wide range or all access rights that they know about at build time
(and that they have tested with a kernel that supported them all).”h]”(hŒThe explicit listing of ”…””}”(hjó  h²hh³Nh´Nubj’  )”}”(hŒ*handled access rights*”h]”hŒhandled access rights”…””}”(hjû  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j‘  hjó  ubhŒg is required for backwards
compatibility reasons.  In most use cases, processes that use Landlock will
”…””}”(hjó  h²hh³Nh´Nubj’  )”}”(hŒ*handle*”h]”hŒhandle”…””}”(hj   h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j‘  hjó  ubhŒˆ a wide range or all access rights that they know about at build time
(and that they have tested with a kernel that supported them all).”…””}”(hjó  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:550: ./include/uapi/linux/landlock.h”h´Khj)  h²hubj(  )”}”(hŒ4This structure can grow in future Landlock versions.”h]”hŒ4This structure can grow in future Landlock versions.”…””}”(hj&   h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:550: ./include/uapi/linux/landlock.h”h´K"hj)  h²hubeh}”(h]”Œcreating-a-new-ruleset”ah ]”h"]”Œcreating a new ruleset”ah$]”h&]”uh1hòhj  h²hh³hÇh´M!ubhó)”}”(hhh]”(hø)”}”(hŒExtending a ruleset”h]”hŒExtending a ruleset”…””}”(hj@   h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hj=   h²hh³hÇh´M*ubj;  )”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œentries”]”(jG  Œ"sys_landlock_add_rule (C function)”Œc.sys_landlock_add_rule”hNt”auh1j:  hj=   h²hh³Nh´NubjL  )”}”(hhh]”(jQ  )”}”(hŒ‘long sys_landlock_add_rule (const int ruleset_fd, const enum landlock_rule_type rule_type, const void __user *const rule_attr, const __u32 flags)”h]”jW  )”}”(hŒlong sys_landlock_add_rule(const int ruleset_fd, const enum landlock_rule_type rule_type, const void __user *const rule_attr, const __u32 flags)”h]”(j]  )”}”(hŒlong”h]”hŒlong”…””}”(hjg   h²hh³Nh´Nubah}”(h]”h ]”ji  ah"]”h$]”h&]”uh1j\  hjc   h²hh³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:556: ./security/landlock/syscalls.c”h´MŠubjo  )”}”(hŒ ”h]”hŒ ”…””}”(hjv   h²hh³Nh´Nubah}”(h]”h ]”j{  ah"]”h$]”h&]”uh1jn  hjc   h²hh³ju   h´MŠubj€  )”}”(hŒsys_landlock_add_rule”h]”j†  )”}”(hŒsys_landlock_add_rule”h]”hŒsys_landlock_add_rule”…””}”(hjˆ   h²hh³Nh´Nubah}”(h]”h ]”j’  ah"]”h$]”h&]”uh1j…  hj„   ubah}”(h]”h ]”(j™  jš  eh"]”h$]”h&]”hÅhÆuh1j  hjc   h²hh³ju   h´MŠubjŸ  )”}”(hŒv(const int ruleset_fd, const enum landlock_rule_type rule_type, const void __user *const rule_attr, const __u32 flags)”h]”(j¥  )”}”(hŒconst int ruleset_fd”h]”(j«  )”}”(hj®  h]”hŒconst”…””}”(hj¤   h²hh³Nh´Nubah}”(h]”h ]”j·  ah"]”h$]”h&]”uh1jª  hj    ubjo  )”}”(hŒ ”h]”hŒ ”…””}”(hj±   h²hh³Nh´Nubah}”(h]”h ]”j{  ah"]”h$]”h&]”uh1jn  hj    ubj]  )”}”(hŒint”h]”hŒint”…””}”(hj¿   h²hh³Nh´Nubah}”(h]”h ]”ji  ah"]”h$]”h&]”uh1j\  hj    ubjo  )”}”(hŒ ”h]”hŒ ”…””}”(hjÍ   h²hh³Nh´Nubah}”(h]”h ]”j{  ah"]”h$]”h&]”uh1jn  hj    ubj†  )”}”(hŒ
ruleset_fd”h]”hŒ
ruleset_fd”…””}”(hjÛ   h²hh³Nh´Nubah}”(h]”h ]”j’  ah"]”h$]”h&]”uh1j…  hj    ubeh}”(h]”h ]”h"]”h$]”h&]”Œnoemph”ˆhÅhÆuh1j¤  hjœ   ubj¥  )”}”(hŒ'const enum landlock_rule_type rule_type”h]”(j«  )”}”(hj®  h]”hŒconst”…””}”(hjô   h²hh³Nh´Nubah}”(h]”h ]”j·  ah"]”h$]”h&]”uh1jª  hjð   ubjo  )”}”(hŒ ”h]”hŒ ”…””}”(hj!  h²hh³Nh´Nubah}”(h]”h ]”j{  ah"]”h$]”h&]”uh1jn  hjð   ubj«  )”}”(hŒenum”h]”hŒenum”…””}”(hj!  h²hh³Nh´Nubah}”(h]”h ]”j·  ah"]”h$]”h&]”uh1jª  hjð   ubjo  )”}”(hŒ ”h]”hŒ ”…””}”(hj!  h²hh³Nh´Nubah}”(h]”h ]”j{  ah"]”h$]”h&]”uh1jn  hjð   ubh)”}”(hhh]”j†  )”}”(hŒlandlock_rule_type”h]”hŒlandlock_rule_type”…””}”(hj.!  h²hh³Nh´Nubah}”(h]”h ]”j’  ah"]”h$]”h&]”uh1j…  hj+!  ubah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”j  Œreftype”jþ  Œ	reftarget”j0!  Œmodname”NŒ	classname”Nj  j  )”}”j  ]”j  )”}”jþ  jŠ   sbŒc.sys_landlock_add_rule”†”asbuh1hhjð   ubjo  )”}”(hŒ ”h]”hŒ ”…””}”(hjN!  h²hh³Nh´Nubah}”(h]”h ]”j{  ah"]”h$]”h&]”uh1jn  hjð   ubj†  )”}”(hŒ	rule_type”h]”hŒ	rule_type”…””}”(hj\!  h²hh³Nh´Nubah}”(h]”h ]”j’  ah"]”h$]”h&]”uh1j…  hjð   ubeh}”(h]”h ]”h"]”h$]”h&]”Œnoemph”ˆhÅhÆuh1j¤  hjœ   ubj¥  )”}”(hŒ"const void __user *const rule_attr”h]”(j«  )”}”(hj®  h]”hŒconst”…””}”(hju!  h²hh³Nh´Nubah}”(h]”h ]”j·  ah"]”h$]”h&]”uh1jª  hjq!  ubjo  )”}”(hŒ ”h]”hŒ ”…””}”(hj‚!  h²hh³Nh´Nubah}”(h]”h ]”j{  ah"]”h$]”h&]”uh1jn  hjq!  ubj]  )”}”(hŒvoid”h]”hŒvoid”…””}”(hj!  h²hh³Nh´Nubah}”(h]”h ]”ji  ah"]”h$]”h&]”uh1j\  hjq!  ubjo  )”}”(hŒ ”h]”hŒ ”…””}”(hjž!  h²hh³Nh´Nubah}”(h]”h ]”j{  ah"]”h$]”h&]”uh1jn  hjq!  ubhŒ__user”…””}”(hjq!  h²hh³Nh´Nubjo  )”}”(hŒ ”h]”hŒ ”…””}”(hj°!  h²hh³Nh´Nubah}”(h]”h ]”j{  ah"]”h$]”h&]”uh1jn  hjq!  ubj1  )”}”(hj…  h]”hŒ*”…””}”(hj¾!  h²hh³Nh´Nubah}”(h]”h ]”j<  ah"]”h$]”h&]”uh1j0  hjq!  ubj«  )”}”(hj®  h]”hŒconst”…””}”(hjË!  h²hh³Nh´Nubah}”(h]”h ]”j·  ah"]”h$]”h&]”uh1jª  hjq!  ubjo  )”}”(hŒ ”h]”hŒ ”…””}”(hjØ!  h²hh³Nh´Nubah}”(h]”h ]”j{  ah"]”h$]”h&]”uh1jn  hjq!  ubj†  )”}”(hŒ	rule_attr”h]”hŒ	rule_attr”…””}”(hjæ!  h²hh³Nh´Nubah}”(h]”h ]”j’  ah"]”h$]”h&]”uh1j…  hjq!  ubeh}”(h]”h ]”h"]”h$]”h&]”Œnoemph”ˆhÅhÆuh1j¤  hjœ   ubj¥  )”}”(hŒconst __u32 flags”h]”(j«  )”}”(hj®  h]”hŒconst”…””}”(hjÿ!  h²hh³Nh´Nubah}”(h]”h ]”j·  ah"]”h$]”h&]”uh1jª  hjû!  ubjo  )”}”(hŒ ”h]”hŒ ”…””}”(hj"  h²hh³Nh´Nubah}”(h]”h ]”j{  ah"]”h$]”h&]”uh1jn  hjû!  ubh)”}”(hhh]”j†  )”}”(hŒ__u32”h]”hŒ__u32”…””}”(hj"  h²hh³Nh´Nubah}”(h]”h ]”j’  ah"]”h$]”h&]”uh1j…  hj"  ubah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”j  Œreftype”jþ  Œ	reftarget”j"  Œmodname”NŒ	classname”Nj  j  )”}”j  ]”jJ!  Œc.sys_landlock_add_rule”†”asbuh1hhjû!  ubjo  )”}”(hŒ ”h]”hŒ ”…””}”(hj;"  h²hh³Nh´Nubah}”(h]”h ]”j{  ah"]”h$]”h&]”uh1jn  hjû!  ubj†  )”}”(hŒflags”h]”hŒflags”…””}”(hjI"  h²hh³Nh´Nubah}”(h]”h ]”j’  ah"]”h$]”h&]”uh1j…  hjû!  ubeh}”(h]”h ]”h"]”h$]”h&]”Œnoemph”ˆhÅhÆuh1j¤  hjœ   ubeh}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1jž  hjc   h²hh³ju   h´MŠubeh}”(h]”h ]”h"]”h$]”h&]”hÅhÆjB  ˆuh1jV  jC  jD  hj_   h²hh³ju   h´MŠubah}”(h]”jZ   ah ]”(jH  jI  eh"]”h$]”h&]”jM  ˆjN  )jO  huh1jP  h³ju   h´MŠhj\   h²hubjQ  )”}”(hhh]”j(  )”}”(hŒAdd a new rule to a ruleset”h]”hŒAdd a new rule to a ruleset”…””}”(hjs"  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:556: ./security/landlock/syscalls.c”h´MŠhjp"  h²hubah}”(h]”h ]”h"]”h$]”h&]”uh1jP  hj\   h²hh³ju   h´MŠubeh}”(h]”h ]”(j  Œfunction”eh"]”h$]”h&]”jq  j  jr  j‹"  js  j‹"  jt  ‰ju  ‰jv  ‰uh1jK  h²hhj=   h³Nh´Nubjx  )”}”(hXÄ  **Parameters**

``const int ruleset_fd``
  File descriptor tied to the ruleset that should be extended
  with the new rule.

``const enum landlock_rule_type rule_type``
  Identify the structure type pointed to by **rule_attr**:
  ``LANDLOCK_RULE_PATH_BENEATH`` or ``LANDLOCK_RULE_NET_PORT``.

``const void __user *const rule_attr``
  Pointer to a rule (matching the **rule_type**).

``const __u32 flags``
  Must be 0.

**Description**

This system call enables to define a new rule and add it to an existing
ruleset.


- ``EOPNOTSUPP``: Landlock is supported by the kernel but disabled at boot time;
- ``EAFNOSUPPORT``: **rule_type** is ``LANDLOCK_RULE_NET_PORT`` but TCP/IP is not
  supported by the running kernel;
- ``EINVAL``: **flags** is not 0;
- ``EINVAL``: The rule accesses are inconsistent (i.e.
  :c:type:`landlock_path_beneath_attr.allowed_access <landlock_path_beneath_attr>` or
  :c:type:`landlock_net_port_attr.allowed_access <landlock_net_port_attr>` is not a subset of the ruleset
  handled accesses)
- ``EINVAL``: :c:type:`landlock_net_port_attr.port <landlock_net_port_attr>` is greater than 65535;
- ``ENOMSG``: Empty accesses (e.g. :c:type:`landlock_path_beneath_attr.allowed_access <landlock_path_beneath_attr>` is
  0);
- ``EBADF``: **ruleset_fd** is not a file descriptor for the current thread, or a
  member of **rule_attr** is not a file descriptor as expected;
- ``EBADFD``: **ruleset_fd** is not a ruleset file descriptor, or a member of
  **rule_attr** is not the expected file descriptor type;
- ``EPERM``: **ruleset_fd** has no write access to the underlying ruleset;
- ``EFAULT``: **rule_attr** was not a valid address.

**Return**

0 on success, or -errno on failure.  Possible returned errors are:”h]”(j(  )”}”(hŒ**Parameters**”h]”j  )”}”(hj•"  h]”hŒ
Parameters”…””}”(hj—"  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj“"  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:556: ./security/landlock/syscalls.c”h´MŽhj"  ubj"  )”}”(hhh]”(j'  )”}”(hŒh``const int ruleset_fd``
File descriptor tied to the ruleset that should be extended
with the new rule.
”h]”(j-  )”}”(hŒ``const int ruleset_fd``”h]”jŽ  )”}”(hj´"  h]”hŒconst int ruleset_fd”…””}”(hj¶"  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj²"  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:556: ./security/landlock/syscalls.c”h´Mhj®"  ubj=  )”}”(hhh]”j(  )”}”(hŒNFile descriptor tied to the ruleset that should be extended
with the new rule.”h]”hŒNFile descriptor tied to the ruleset that should be extended
with the new rule.”…””}”(hjÍ"  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:556: ./security/landlock/syscalls.c”h´MŒhjÊ"  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j<  hj®"  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j&  h³jÉ"  h´Mhj«"  ubj'  )”}”(hŒ£``const enum landlock_rule_type rule_type``
Identify the structure type pointed to by **rule_attr**:
``LANDLOCK_RULE_PATH_BENEATH`` or ``LANDLOCK_RULE_NET_PORT``.
”h]”(j-  )”}”(hŒ+``const enum landlock_rule_type rule_type``”h]”jŽ  )”}”(hjî"  h]”hŒ'const enum landlock_rule_type rule_type”…””}”(hjð"  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjì"  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:556: ./security/landlock/syscalls.c”h´Mhjè"  ubj=  )”}”(hhh]”j(  )”}”(hŒvIdentify the structure type pointed to by **rule_attr**:
``LANDLOCK_RULE_PATH_BENEATH`` or ``LANDLOCK_RULE_NET_PORT``.”h]”(hŒ*Identify the structure type pointed to by ”…””}”(hj#  h²hh³Nh´Nubj  )”}”(hŒ**rule_attr**”h]”hŒ	rule_attr”…””}”(hj#  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj#  ubhŒ:
”…””}”(hj#  h²hh³Nh´NubjŽ  )”}”(hŒ``LANDLOCK_RULE_PATH_BENEATH``”h]”hŒLANDLOCK_RULE_PATH_BENEATH”…””}”(hj!#  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj#  ubhŒ or ”…””}”(hj#  h²hh³Nh´NubjŽ  )”}”(hŒ``LANDLOCK_RULE_NET_PORT``”h]”hŒLANDLOCK_RULE_NET_PORT”…””}”(hj3#  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj#  ubhŒ.”…””}”(hj#  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:556: ./security/landlock/syscalls.c”h´MŽhj#  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j<  hjè"  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j&  h³j#  h´Mhj«"  ubj'  )”}”(hŒW``const void __user *const rule_attr``
Pointer to a rule (matching the **rule_type**).
”h]”(j-  )”}”(hŒ&``const void __user *const rule_attr``”h]”jŽ  )”}”(hj^#  h]”hŒ"const void __user *const rule_attr”…””}”(hj`#  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj\#  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:556: ./security/landlock/syscalls.c”h´MhjX#  ubj=  )”}”(hhh]”j(  )”}”(hŒ/Pointer to a rule (matching the **rule_type**).”h]”(hŒ Pointer to a rule (matching the ”…””}”(hjw#  h²hh³Nh´Nubj  )”}”(hŒ**rule_type**”h]”hŒ	rule_type”…””}”(hj#  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjw#  ubhŒ).”…””}”(hjw#  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³js#  h´Mhjt#  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j<  hjX#  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j&  h³js#  h´Mhj«"  ubj'  )”}”(hŒ!``const __u32 flags``
Must be 0.
”h]”(j-  )”}”(hŒ``const __u32 flags``”h]”jŽ  )”}”(hj©#  h]”hŒconst __u32 flags”…””}”(hj«#  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj§#  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:556: ./security/landlock/syscalls.c”h´M‘hj£#  ubj=  )”}”(hhh]”j(  )”}”(hŒ
Must be 0.”h]”hŒ
Must be 0.”…””}”(hjÂ#  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³j¾#  h´M‘hj¿#  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j<  hj£#  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j&  h³j¾#  h´M‘hj«"  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j!  hj"  ubj(  )”}”(hŒ**Description**”h]”j  )”}”(hjä#  h]”hŒDescription”…””}”(hjæ#  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjâ#  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:556: ./security/landlock/syscalls.c”h´M“hj"  ubj(  )”}”(hŒPThis system call enables to define a new rule and add it to an existing
ruleset.”h]”hŒPThis system call enables to define a new rule and add it to an existing
ruleset.”…””}”(hjú#  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:556: ./security/landlock/syscalls.c”h´M’hj"  ubjŸ  )”}”(hhh]”(j¤  )”}”(hŒN``EOPNOTSUPP``: Landlock is supported by the kernel but disabled at boot time;”h]”j(  )”}”(hj$  h]”(jŽ  )”}”(hŒ``EOPNOTSUPP``”h]”hŒ
EOPNOTSUPP”…””}”(hj$  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj$  ubhŒ@: Landlock is supported by the kernel but disabled at boot time;”…””}”(hj$  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:556: ./security/landlock/syscalls.c”h´M–hj$  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj	$  ubj¤  )”}”(hŒp``EAFNOSUPPORT``: **rule_type** is ``LANDLOCK_RULE_NET_PORT`` but TCP/IP is not
supported by the running kernel;”h]”j(  )”}”(hŒp``EAFNOSUPPORT``: **rule_type** is ``LANDLOCK_RULE_NET_PORT`` but TCP/IP is not
supported by the running kernel;”h]”(jŽ  )”}”(hŒ``EAFNOSUPPORT``”h]”hŒEAFNOSUPPORT”…””}”(hj:$  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj6$  ubhŒ: ”…””}”(hj6$  h²hh³Nh´Nubj  )”}”(hŒ**rule_type**”h]”hŒ	rule_type”…””}”(hjL$  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj6$  ubhŒ is ”…””}”(hj6$  h²hh³Nh´NubjŽ  )”}”(hŒ``LANDLOCK_RULE_NET_PORT``”h]”hŒLANDLOCK_RULE_NET_PORT”…””}”(hj^$  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj6$  ubhŒ3 but TCP/IP is not
supported by the running kernel;”…””}”(hj6$  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:556: ./security/landlock/syscalls.c”h´M—hj2$  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj	$  ubj¤  )”}”(hŒ``EINVAL``: **flags** is not 0;”h]”j(  )”}”(hj$  h]”(jŽ  )”}”(hŒ
``EINVAL``”h]”hŒEINVAL”…””}”(hj„$  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj$  ubhŒ: ”…””}”(hj$  h²hh³Nh´Nubj  )”}”(hŒ	**flags**”h]”hŒflags”…””}”(hj–$  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj$  ubhŒ
 is not 0;”…””}”(hj$  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:556: ./security/landlock/syscalls.c”h´M™hj}$  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj	$  ubj¤  )”}”(hX  ``EINVAL``: The rule accesses are inconsistent (i.e.
:c:type:`landlock_path_beneath_attr.allowed_access <landlock_path_beneath_attr>` or
:c:type:`landlock_net_port_attr.allowed_access <landlock_net_port_attr>` is not a subset of the ruleset
handled accesses)”h]”j(  )”}”(hX  ``EINVAL``: The rule accesses are inconsistent (i.e.
:c:type:`landlock_path_beneath_attr.allowed_access <landlock_path_beneath_attr>` or
:c:type:`landlock_net_port_attr.allowed_access <landlock_net_port_attr>` is not a subset of the ruleset
handled accesses)”h]”(jŽ  )”}”(hŒ
``EINVAL``”h]”hŒEINVAL”…””}”(hj½$  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj¹$  ubhŒ+: The rule accesses are inconsistent (i.e.
”…””}”(hj¹$  h²hh³Nh´Nubh)”}”(hŒP:c:type:`landlock_path_beneath_attr.allowed_access <landlock_path_beneath_attr>`”h]”jŽ  )”}”(hjÑ$  h]”hŒ)landlock_path_beneath_attr.allowed_access”…””}”(hjÓ$  h²hh³Nh´Nubah}”(h]”h ]”(j±  j  Œc-type”eh"]”h$]”h&]”uh1j  hjÏ$  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j¾  Œ	refdomain”j  Œreftype”Œtype”Œrefexplicit”ˆŒrefwarn”‰j  jÝ  jÄ  Œlandlock_path_beneath_attr”uh1hh³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:556: ./security/landlock/syscalls.c”h´Mšhj¹$  ubhŒ or
”…””}”(hj¹$  h²hh³Nh´Nubh)”}”(hŒH:c:type:`landlock_net_port_attr.allowed_access <landlock_net_port_attr>`”h]”jŽ  )”}”(hjõ$  h]”hŒ%landlock_net_port_attr.allowed_access”…””}”(hj÷$  h²hh³Nh´Nubah}”(h]”h ]”(j±  j  Œc-type”eh"]”h$]”h&]”uh1j  hjó$  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j¾  Œ	refdomain”j  Œreftype”Œtype”Œrefexplicit”ˆŒrefwarn”‰j  jÝ  jÄ  Œlandlock_net_port_attr”uh1hh³jî$  h´Mšhj¹$  ubhŒ1 is not a subset of the ruleset
handled accesses)”…””}”(hj¹$  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³jî$  h´Mšhjµ$  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj	$  ubj¤  )”}”(hŒa``EINVAL``: :c:type:`landlock_net_port_attr.port <landlock_net_port_attr>` is greater than 65535;”h]”j(  )”}”(hj$%  h]”(jŽ  )”}”(hŒ
``EINVAL``”h]”hŒEINVAL”…””}”(hj)%  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj&%  ubhŒ: ”…””}”(hj&%  h²hh³Nh´Nubh)”}”(hŒ>:c:type:`landlock_net_port_attr.port <landlock_net_port_attr>`”h]”jŽ  )”}”(hj=%  h]”hŒlandlock_net_port_attr.port”…””}”(hj?%  h²hh³Nh´Nubah}”(h]”h ]”(j±  j  Œc-type”eh"]”h$]”h&]”uh1j  hj;%  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j¾  Œ	refdomain”j  Œreftype”Œtype”Œrefexplicit”ˆŒrefwarn”‰j  jÝ  jÄ  Œlandlock_net_port_attr”uh1hh³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:556: ./security/landlock/syscalls.c”h´Mžhj&%  ubhŒ is greater than 65535;”…””}”(hj&%  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³jZ%  h´Mžhj"%  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj	$  ubj¤  )”}”(hŒx``ENOMSG``: Empty accesses (e.g. :c:type:`landlock_path_beneath_attr.allowed_access <landlock_path_beneath_attr>` is
0);”h]”j(  )”}”(hŒx``ENOMSG``: Empty accesses (e.g. :c:type:`landlock_path_beneath_attr.allowed_access <landlock_path_beneath_attr>` is
0);”h]”(jŽ  )”}”(hŒ
``ENOMSG``”h]”hŒENOMSG”…””}”(hjs%  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjo%  ubhŒ: Empty accesses (e.g. ”…””}”(hjo%  h²hh³Nh´Nubh)”}”(hŒP:c:type:`landlock_path_beneath_attr.allowed_access <landlock_path_beneath_attr>`”h]”jŽ  )”}”(hj‡%  h]”hŒ)landlock_path_beneath_attr.allowed_access”…””}”(hj‰%  h²hh³Nh´Nubah}”(h]”h ]”(j±  j  Œc-type”eh"]”h$]”h&]”uh1j  hj…%  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j¾  Œ	refdomain”j  Œreftype”Œtype”Œrefexplicit”ˆŒrefwarn”‰j  jÝ  jÄ  Œlandlock_path_beneath_attr”uh1hh³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:556: ./security/landlock/syscalls.c”h´MŸhjo%  ubhŒ is
0);”…””}”(hjo%  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³j¤%  h´MŸhjk%  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj	$  ubj¤  )”}”(hŒ``EBADF``: **ruleset_fd** is not a file descriptor for the current thread, or a
member of **rule_attr** is not a file descriptor as expected;”h]”j(  )”}”(hŒ``EBADF``: **ruleset_fd** is not a file descriptor for the current thread, or a
member of **rule_attr** is not a file descriptor as expected;”h]”(jŽ  )”}”(hŒ	``EBADF``”h]”hŒEBADF”…””}”(hj½%  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj¹%  ubhŒ: ”…””}”(hj¹%  h²hh³Nh´Nubj  )”}”(hŒ**ruleset_fd**”h]”hŒ
ruleset_fd”…””}”(hjÏ%  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj¹%  ubhŒA is not a file descriptor for the current thread, or a
member of ”…””}”(hj¹%  h²hh³Nh´Nubj  )”}”(hŒ**rule_attr**”h]”hŒ	rule_attr”…””}”(hjá%  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj¹%  ubhŒ& is not a file descriptor as expected;”…””}”(hj¹%  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:556: ./security/landlock/syscalls.c”h´M¡hjµ%  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj	$  ubj¤  )”}”(hŒƒ``EBADFD``: **ruleset_fd** is not a ruleset file descriptor, or a member of
**rule_attr** is not the expected file descriptor type;”h]”j(  )”}”(hŒƒ``EBADFD``: **ruleset_fd** is not a ruleset file descriptor, or a member of
**rule_attr** is not the expected file descriptor type;”h]”(jŽ  )”}”(hŒ
``EBADFD``”h]”hŒEBADFD”…””}”(hj&  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj&  ubhŒ: ”…””}”(hj&  h²hh³Nh´Nubj  )”}”(hŒ**ruleset_fd**”h]”hŒ
ruleset_fd”…””}”(hj&  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj&  ubhŒ2 is not a ruleset file descriptor, or a member of
”…””}”(hj&  h²hh³Nh´Nubj  )”}”(hŒ**rule_attr**”h]”hŒ	rule_attr”…””}”(hj,&  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj&  ubhŒ* is not the expected file descriptor type;”…””}”(hj&  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:556: ./security/landlock/syscalls.c”h´M£hj &  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj	$  ubj¤  )”}”(hŒH``EPERM``: **ruleset_fd** has no write access to the underlying ruleset;”h]”j(  )”}”(hjM&  h]”(jŽ  )”}”(hŒ	``EPERM``”h]”hŒEPERM”…””}”(hjR&  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjO&  ubhŒ: ”…””}”(hjO&  h²hh³Nh´Nubj  )”}”(hŒ**ruleset_fd**”h]”hŒ
ruleset_fd”…””}”(hjd&  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjO&  ubhŒ/ has no write access to the underlying ruleset;”…””}”(hjO&  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:556: ./security/landlock/syscalls.c”h´M¥hjK&  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj	$  ubj¤  )”}”(hŒ3``EFAULT``: **rule_attr** was not a valid address.
”h]”j(  )”}”(hŒ2``EFAULT``: **rule_attr** was not a valid address.”h]”(jŽ  )”}”(hŒ
``EFAULT``”h]”hŒEFAULT”…””}”(hj‹&  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj‡&  ubhŒ: ”…””}”(hj‡&  h²hh³Nh´Nubj  )”}”(hŒ**rule_attr**”h]”hŒ	rule_attr”…””}”(hj&  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj‡&  ubhŒ was not a valid address.”…””}”(hj‡&  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:556: ./security/landlock/syscalls.c”h´M¦hjƒ&  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj	$  ubeh}”(h]”h ]”h"]”h$]”h&]”j„  jš  uh1jž  h³j+$  h´M–hj"  ubj(  )”}”(hŒ
**Return**”h]”j  )”}”(hjÄ&  h]”hŒReturn”…””}”(hjÆ&  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÂ&  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:556: ./security/landlock/syscalls.c”h´M¨hj"  ubj(  )”}”(hŒB0 on success, or -errno on failure.  Possible returned errors are:”h]”hŒB0 on success, or -errno on failure.  Possible returned errors are:”…””}”(hjÚ&  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:556: ./security/landlock/syscalls.c”h´M–hj"  ubeh}”(h]”h ]”Œkernelindent”ah"]”h$]”h&]”uh1jw  hj=   h²hh³Nh´Nubj;  )”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œentries”]”(jG  Œlandlock_rule_type (C enum)”Œc.landlock_rule_type”hNt”auh1j:  hj=   h²hh³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´NubjL  )”}”(hhh]”(jQ  )”}”(hŒlandlock_rule_type”h]”jW  )”}”(hŒenum landlock_rule_type”h]”(j«  )”}”(hj!  h]”hŒenum”…””}”(hj
'  h²hh³Nh´Nubah}”(h]”h ]”j·  ah"]”h$]”h&]”uh1jª  hj'  h²hh³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´Kubjo  )”}”(hŒ ”h]”hŒ ”…””}”(hj'  h²hh³Nh´Nubah}”(h]”h ]”j{  ah"]”h$]”h&]”uh1jn  hj'  h²hh³j'  h´Kubj€  )”}”(hŒlandlock_rule_type”h]”j†  )”}”(hj'  h]”hŒlandlock_rule_type”…””}”(hj*'  h²hh³Nh´Nubah}”(h]”h ]”j’  ah"]”h$]”h&]”uh1j…  hj&'  ubah}”(h]”h ]”(j™  jš  eh"]”h$]”h&]”hÅhÆuh1j  hj'  h²hh³j'  h´Kubeh}”(h]”h ]”h"]”h$]”h&]”hÅhÆjB  ˆuh1jV  jC  jD  hj'  h²hh³j'  h´Kubah}”(h]”jü&  ah ]”(jH  jI  eh"]”h$]”h&]”jM  ˆjN  )jO  huh1jP  h³j'  h´Khjÿ&  h²hubjQ  )”}”(hhh]”j(  )”}”(hŒLandlock rule type”h]”hŒLandlock rule type”…””}”(hjL'  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´KhjI'  h²hubah}”(h]”h ]”h"]”h$]”h&]”uh1jP  hjÿ&  h²hh³j'  h´Kubeh}”(h]”h ]”(j  Œenum”eh"]”h$]”h&]”jq  j  jr  jd'  js  jd'  jt  ‰ju  ‰jv  ‰uh1jK  h²hhj=   h³jþ&  h´Nubjx  )”}”(hŒó**Constants**

``LANDLOCK_RULE_PATH_BENEATH``
  Type of a :c:type:`struct
  landlock_path_beneath_attr <landlock_path_beneath_attr>` .

``LANDLOCK_RULE_NET_PORT``
  Type of a :c:type:`struct
  landlock_net_port_attr <landlock_net_port_attr>` .”h]”(j(  )”}”(hŒ**Constants**”h]”j  )”}”(hjn'  h]”hŒ	Constants”…””}”(hjp'  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjl'  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´K“hjh'  ubj"  )”}”(hhh]”(j'  )”}”(hŒt``LANDLOCK_RULE_PATH_BENEATH``
Type of a :c:type:`struct
landlock_path_beneath_attr <landlock_path_beneath_attr>` .
”h]”(j-  )”}”(hŒ``LANDLOCK_RULE_PATH_BENEATH``”h]”jŽ  )”}”(hj'  h]”hŒLANDLOCK_RULE_PATH_BENEATH”…””}”(hj'  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj‹'  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´K—hj‡'  ubj=  )”}”(hhh]”j(  )”}”(hŒTType of a :c:type:`struct
landlock_path_beneath_attr <landlock_path_beneath_attr>` .”h]”(hŒ
Type of a ”…””}”(hj¦'  h²hh³Nh´Nubh)”}”(hŒH:c:type:`struct
landlock_path_beneath_attr <landlock_path_beneath_attr>`”h]”jŽ  )”}”(hj°'  h]”hŒ!struct
landlock_path_beneath_attr”…””}”(hj²'  h²hh³Nh´Nubah}”(h]”h ]”(j±  j  Œc-type”eh"]”h$]”h&]”uh1j  hj®'  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j¾  Œ	refdomain”j  Œreftype”Œtype”Œrefexplicit”ˆŒrefwarn”‰j  jÝ  jÄ  Œlandlock_path_beneath_attr”uh1hh³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´K–hj¦'  ubhŒ .”…””}”(hj¦'  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³jÍ'  h´K–hj£'  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j<  hj‡'  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j&  h³j¢'  h´K—hj„'  ubj'  )”}”(hŒg``LANDLOCK_RULE_NET_PORT``
Type of a :c:type:`struct
landlock_net_port_attr <landlock_net_port_attr>` .”h]”(j-  )”}”(hŒ``LANDLOCK_RULE_NET_PORT``”h]”jŽ  )”}”(hjê'  h]”hŒLANDLOCK_RULE_NET_PORT”…””}”(hjì'  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjè'  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´Kšhjä'  ubj=  )”}”(hhh]”j(  )”}”(hŒLType of a :c:type:`struct
landlock_net_port_attr <landlock_net_port_attr>` .”h]”(hŒ
Type of a ”…””}”(hj(  h²hh³Nh´Nubh)”}”(hŒ@:c:type:`struct
landlock_net_port_attr <landlock_net_port_attr>`”h]”jŽ  )”}”(hj(  h]”hŒstruct
landlock_net_port_attr”…””}”(hj(  h²hh³Nh´Nubah}”(h]”h ]”(j±  j  Œc-type”eh"]”h$]”h&]”uh1j  hj(  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j¾  Œ	refdomain”j  Œreftype”Œtype”Œrefexplicit”ˆŒrefwarn”‰j  jÝ  jÄ  Œlandlock_net_port_attr”uh1hh³jÿ'  h´Kšhj(  ubhŒ .”…””}”(hj(  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³jÿ'  h´Kšhj (  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j<  hjä'  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j&  h³jÿ'  h´Kšhj„'  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j!  hjh'  ubeh}”(h]”h ]”Œkernelindent”ah"]”h$]”h&]”uh1jw  hj=   h²hh³jþ&  h´Nubj(  )”}”(hŒ**Description**”h]”j  )”}”(hjO(  h]”hŒDescription”…””}”(hjQ(  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjM(  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´Khj=   h²hubj(  )”}”(hŒ$Argument of sys_landlock_add_rule().”h]”hŒ$Argument of sys_landlock_add_rule().”…””}”(hje(  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´Khj=   h²hubj;  )”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œentries”]”(jG  Œ%landlock_path_beneath_attr (C struct)”Œc.landlock_path_beneath_attr”hNt”auh1j:  hj=   h²hh³jþ&  h´NubjL  )”}”(hhh]”(jQ  )”}”(hŒlandlock_path_beneath_attr”h]”jW  )”}”(hŒ!struct landlock_path_beneath_attr”h]”(j«  )”}”(hjË  h]”hŒstruct”…””}”(hj(  h²hh³Nh´Nubah}”(h]”h ]”j·  ah"]”h$]”h&]”uh1jª  hj‰(  h²hh³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´K•ubjo  )”}”(hŒ ”h]”hŒ ”…””}”(hj›(  h²hh³Nh´Nubah}”(h]”h ]”j{  ah"]”h$]”h&]”uh1jn  hj‰(  h²hh³jš(  h´K•ubj€  )”}”(hŒlandlock_path_beneath_attr”h]”j†  )”}”(hj‡(  h]”hŒlandlock_path_beneath_attr”…””}”(hj­(  h²hh³Nh´Nubah}”(h]”h ]”j’  ah"]”h$]”h&]”uh1j…  hj©(  ubah}”(h]”h ]”(j™  jš  eh"]”h$]”h&]”hÅhÆuh1j  hj‰(  h²hh³jš(  h´K•ubeh}”(h]”h ]”h"]”h$]”h&]”hÅhÆjB  ˆuh1jV  jC  jD  hj…(  h²hh³jš(  h´K•ubah}”(h]”j€(  ah ]”(jH  jI  eh"]”h$]”h&]”jM  ˆjN  )jO  huh1jP  h³jš(  h´K•hj‚(  h²hubjQ  )”}”(hhh]”j(  )”}”(hŒPath hierarchy definition”h]”hŒPath hierarchy definition”…””}”(hjÏ(  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´K¡hjÌ(  h²hubah}”(h]”h ]”h"]”h$]”h&]”uh1jP  hj‚(  h²hh³jš(  h´K•ubeh}”(h]”h ]”(j  Œstruct”eh"]”h$]”h&]”jq  j  jr  jç(  js  jç(  jt  ‰ju  ‰jv  ‰uh1jK  h²hhj=   h³jþ&  h´Nubjx  )”}”(hXv  **Definition**::

  struct landlock_path_beneath_attr {
      __u64 allowed_access;
      __s32 parent_fd;
  };

**Members**

``allowed_access``
  Bitmask of allowed actions for this file hierarchy
  (cf. `Filesystem flags`_).

``parent_fd``
  File descriptor, preferably opened with ``O_PATH``,
  which identifies the parent directory of a file hierarchy, or just a
  file.”h]”(j(  )”}”(hŒ**Definition**::”h]”(j  )”}”(hŒ**Definition**”h]”hŒ
Definition”…””}”(hjó(  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjï(  ubhŒ:”…””}”(hjï(  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´K¥hjë(  ubjò  )”}”(hŒUstruct landlock_path_beneath_attr {
    __u64 allowed_access;
    __s32 parent_fd;
};”h]”hŒUstruct landlock_path_beneath_attr {
    __u64 allowed_access;
    __s32 parent_fd;
};”…””}”hj)  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1jñ  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´K§hjë(  ubj(  )”}”(hŒ**Members**”h]”j  )”}”(hj)  h]”hŒMembers”…””}”(hj)  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj)  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´K¬hjë(  ubj"  )”}”(hhh]”(j'  )”}”(hŒa``allowed_access``
Bitmask of allowed actions for this file hierarchy
(cf. `Filesystem flags`_).
”h]”(j-  )”}”(hŒ``allowed_access``”h]”jŽ  )”}”(hj<)  h]”hŒallowed_access”…””}”(hj>)  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj:)  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´K©hj6)  ubj=  )”}”(hhh]”j(  )”}”(hŒMBitmask of allowed actions for this file hierarchy
(cf. `Filesystem flags`_).”h]”(hŒ8Bitmask of allowed actions for this file hierarchy
(cf. ”…””}”(hjU)  h²hh³Nh´Nubj”  )”}”(hŒ`Filesystem flags`_”h]”hŒFilesystem flags”…””}”(hj])  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”ŒFilesystem flags”jÔ  jð  uh1j“  hjU)  j§  KubhŒ).”…””}”(hjU)  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´K¨hjR)  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j<  hj6)  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j&  h³jQ)  h´K©hj3)  ubj'  )”}”(hŒŒ``parent_fd``
File descriptor, preferably opened with ``O_PATH``,
which identifies the parent directory of a file hierarchy, or just a
file.”h]”(j-  )”}”(hŒ``parent_fd``”h]”jŽ  )”}”(hjŠ)  h]”hŒ	parent_fd”…””}”(hjŒ)  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjˆ)  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´K®hj„)  ubj=  )”}”(hhh]”j(  )”}”(hŒ~File descriptor, preferably opened with ``O_PATH``,
which identifies the parent directory of a file hierarchy, or just a
file.”h]”(hŒ(File descriptor, preferably opened with ”…””}”(hj£)  h²hh³Nh´NubjŽ  )”}”(hŒ
``O_PATH``”h]”hŒO_PATH”…””}”(hj«)  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj£)  ubhŒL,
which identifies the parent directory of a file hierarchy, or just a
file.”…””}”(hj£)  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´K­hj )  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j<  hj„)  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j&  h³jŸ)  h´K®hj3)  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j!  hjë(  ubeh}”(h]”h ]”Œkernelindent”ah"]”h$]”h&]”uh1jw  hj=   h²hh³jþ&  h´Nubj(  )”}”(hŒ**Description**”h]”j  )”}”(hjß)  h]”hŒDescription”…””}”(hjá)  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÝ)  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´K²hj=   h²hubj(  )”}”(hŒ$Argument of sys_landlock_add_rule().”h]”hŒ$Argument of sys_landlock_add_rule().”…””}”(hjõ)  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´K¢hj=   h²hubj;  )”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œentries”]”(jG  Œ!landlock_net_port_attr (C struct)”Œc.landlock_net_port_attr”hNt”auh1j:  hj=   h²hh³jþ&  h´NubjL  )”}”(hhh]”(jQ  )”}”(hŒlandlock_net_port_attr”h]”jW  )”}”(hŒstruct landlock_net_port_attr”h]”(j«  )”}”(hjË  h]”hŒstruct”…””}”(hj*  h²hh³Nh´Nubah}”(h]”h ]”j·  ah"]”h$]”h&]”uh1jª  hj*  h²hh³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´K§ubjo  )”}”(hŒ ”h]”hŒ ”…””}”(hj+*  h²hh³Nh´Nubah}”(h]”h ]”j{  ah"]”h$]”h&]”uh1jn  hj*  h²hh³j**  h´K§ubj€  )”}”(hŒlandlock_net_port_attr”h]”j†  )”}”(hj*  h]”hŒlandlock_net_port_attr”…””}”(hj=*  h²hh³Nh´Nubah}”(h]”h ]”j’  ah"]”h$]”h&]”uh1j…  hj9*  ubah}”(h]”h ]”(j™  jš  eh"]”h$]”h&]”hÅhÆuh1j  hj*  h²hh³j**  h´K§ubeh}”(h]”h ]”h"]”h$]”h&]”hÅhÆjB  ˆuh1jV  jC  jD  hj*  h²hh³j**  h´K§ubah}”(h]”j*  ah ]”(jH  jI  eh"]”h$]”h&]”jM  ˆjN  )jO  huh1jP  h³j**  h´K§hj*  h²hubjQ  )”}”(hhh]”j(  )”}”(hŒNetwork port definition”h]”hŒNetwork port definition”…””}”(hj_*  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´K¸hj\*  h²hubah}”(h]”h ]”h"]”h$]”h&]”uh1jP  hj*  h²hh³j**  h´K§ubeh}”(h]”h ]”(j  Œstruct”eh"]”h$]”h&]”jq  j  jr  jw*  js  jw*  jt  ‰ju  ‰jv  ‰uh1jK  h²hhj=   h³jþ&  h´Nubjx  )”}”(hX  **Definition**::

  struct landlock_net_port_attr {
      __u64 allowed_access;
      __u64 port;
  };

**Members**

``allowed_access``
  Bitmask of allowed network actions for a port
  (cf. `Network flags`_).

``port``
  Network port in host endianness.

  It should be noted that port 0 passed to :manpage:`bind(2)` will bind
  to an available port from the ephemeral port range.  This can be
  configured with the ``/proc/sys/net/ipv4/ip_local_port_range`` sysctl
  (also used for IPv6), and within that range, on a per-socket basis
  with ``setsockopt(IP_LOCAL_PORT_RANGE)``.

  A Landlock rule with port 0 and the ``LANDLOCK_ACCESS_NET_BIND_TCP``
  right means that requesting to bind on port 0 is allowed and it will
  automatically translate to binding on a kernel-assigned ephemeral
  port.”h]”(j(  )”}”(hŒ**Definition**::”h]”(j  )”}”(hŒ**Definition**”h]”hŒ
Definition”…””}”(hjƒ*  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj*  ubhŒ:”…””}”(hj*  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´K¼hj{*  ubjò  )”}”(hŒLstruct landlock_net_port_attr {
    __u64 allowed_access;
    __u64 port;
};”h]”hŒLstruct landlock_net_port_attr {
    __u64 allowed_access;
    __u64 port;
};”…””}”hjœ*  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1jñ  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´K¾hj{*  ubj(  )”}”(hŒ**Members**”h]”j  )”}”(hj­*  h]”hŒMembers”…””}”(hj¯*  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj«*  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´KÃhj{*  ubj"  )”}”(hhh]”(j'  )”}”(hŒY``allowed_access``
Bitmask of allowed network actions for a port
(cf. `Network flags`_).
”h]”(j-  )”}”(hŒ``allowed_access``”h]”jŽ  )”}”(hjÌ*  h]”hŒallowed_access”…””}”(hjÎ*  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÊ*  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´KÀhjÆ*  ubj=  )”}”(hhh]”j(  )”}”(hŒEBitmask of allowed network actions for a port
(cf. `Network flags`_).”h]”(hŒ3Bitmask of allowed network actions for a port
(cf. ”…””}”(hjå*  h²hh³Nh´Nubj”  )”}”(hŒ`Network flags`_”h]”hŒNetwork flags”…””}”(hjí*  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”ŒNetwork flags”jÔ  j~  uh1j“  hjå*  j§  KubhŒ).”…””}”(hjå*  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´K¿hjâ*  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j<  hjÆ*  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j&  h³já*  h´KÀhjÃ*  ubj'  )”}”(hX7  ``port``
Network port in host endianness.

It should be noted that port 0 passed to :manpage:`bind(2)` will bind
to an available port from the ephemeral port range.  This can be
configured with the ``/proc/sys/net/ipv4/ip_local_port_range`` sysctl
(also used for IPv6), and within that range, on a per-socket basis
with ``setsockopt(IP_LOCAL_PORT_RANGE)``.

A Landlock rule with port 0 and the ``LANDLOCK_ACCESS_NET_BIND_TCP``
right means that requesting to bind on port 0 is allowed and it will
automatically translate to binding on a kernel-assigned ephemeral
port.”h]”(j-  )”}”(hŒ``port``”h]”jŽ  )”}”(hj+  h]”hŒport”…””}”(hj+  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj+  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´KÎhj+  ubj=  )”}”(hhh]”(j(  )”}”(hŒ Network port in host endianness.”h]”hŒ Network port in host endianness.”…””}”(hj3+  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´KÄhj0+  ubj(  )”}”(hX9  It should be noted that port 0 passed to :manpage:`bind(2)` will bind
to an available port from the ephemeral port range.  This can be
configured with the ``/proc/sys/net/ipv4/ip_local_port_range`` sysctl
(also used for IPv6), and within that range, on a per-socket basis
with ``setsockopt(IP_LOCAL_PORT_RANGE)``.”h]”(hŒ)It should be noted that port 0 passed to ”…””}”(hjB+  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`bind(2)`”h]”hŒbind(2)”…””}”(hjJ+  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œbind(2)”j"  Œbind”j$  j%  uh1j  hjB+  ubhŒ` will bind
to an available port from the ephemeral port range.  This can be
configured with the ”…””}”(hjB+  h²hh³Nh´NubjŽ  )”}”(hŒ*``/proc/sys/net/ipv4/ip_local_port_range``”h]”hŒ&/proc/sys/net/ipv4/ip_local_port_range”…””}”(hj^+  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjB+  ubhŒP sysctl
(also used for IPv6), and within that range, on a per-socket basis
with ”…””}”(hjB+  h²hh³Nh´NubjŽ  )”}”(hŒ#``setsockopt(IP_LOCAL_PORT_RANGE)``”h]”hŒsetsockopt(IP_LOCAL_PORT_RANGE)”…””}”(hjp+  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjB+  ubhŒ.”…””}”(hjB+  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´KÆhj0+  ubj(  )”}”(hŒÑA Landlock rule with port 0 and the ``LANDLOCK_ACCESS_NET_BIND_TCP``
right means that requesting to bind on port 0 is allowed and it will
automatically translate to binding on a kernel-assigned ephemeral
port.”h]”(hŒ$A Landlock rule with port 0 and the ”…””}”(hj‰+  h²hh³Nh´NubjŽ  )”}”(hŒ ``LANDLOCK_ACCESS_NET_BIND_TCP``”h]”hŒLANDLOCK_ACCESS_NET_BIND_TCP”…””}”(hj‘+  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj‰+  ubhŒ
right means that requesting to bind on port 0 is allowed and it will
automatically translate to binding on a kernel-assigned ephemeral
port.”…””}”(hj‰+  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´KÌhj0+  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j<  hj+  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j&  h³j/+  h´KÎhjÃ*  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j!  hj{*  ubeh}”(h]”h ]”Œkernelindent”ah"]”h$]”h&]”uh1jw  hj=   h²hh³jþ&  h´Nubj(  )”}”(hŒ**Description**”h]”j  )”}”(hjÅ+  h]”hŒDescription”…””}”(hjÇ+  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÃ+  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´KÒhj=   h²hubj(  )”}”(hŒ$Argument of sys_landlock_add_rule().”h]”hŒ$Argument of sys_landlock_add_rule().”…””}”(hjÛ+  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:559: ./include/uapi/linux/landlock.h”h´K¹hj=   h²hubeh}”(h]”Œextending-a-ruleset”ah ]”h"]”Œextending a ruleset”ah$]”h&]”uh1hòhj  h²hh³hÇh´M*ubhó)”}”(hhh]”(hø)”}”(hŒEnforcing a ruleset”h]”hŒEnforcing a ruleset”…””}”(hjõ+  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hjò+  h²hh³hÇh´M4ubj;  )”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œentries”]”(jG  Œ'sys_landlock_restrict_self (C function)”Œc.sys_landlock_restrict_self”hNt”auh1j:  hjò+  h²hh³Nh´NubjL  )”}”(hhh]”(jQ  )”}”(hŒIlong sys_landlock_restrict_self (const int ruleset_fd, const __u32 flags)”h]”jW  )”}”(hŒHlong sys_landlock_restrict_self(const int ruleset_fd, const __u32 flags)”h]”(j]  )”}”(hŒlong”h]”hŒlong”…””}”(hj,  h²hh³Nh´Nubah}”(h]”h ]”ji  ah"]”h$]”h&]”uh1j\  hj,  h²hh³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:566: ./security/landlock/syscalls.c”h´MÉubjo  )”}”(hŒ ”h]”hŒ ”…””}”(hj+,  h²hh³Nh´Nubah}”(h]”h ]”j{  ah"]”h$]”h&]”uh1jn  hj,  h²hh³j*,  h´MÉubj€  )”}”(hŒsys_landlock_restrict_self”•M      h]”j†  )”}”(hŒsys_landlock_restrict_self”h]”hŒsys_landlock_restrict_self”…””}”(hj=,  h²hh³Nh´Nubah}”(h]”h ]”j’  ah"]”h$]”h&]”uh1j…  hj9,  ubah}”(h]”h ]”(j™  jš  eh"]”h$]”h&]”hÅhÆuh1j  hj,  h²hh³j*,  h´MÉubjŸ  )”}”(hŒ)(const int ruleset_fd, const __u32 flags)”h]”(j¥  )”}”(hŒconst int ruleset_fd”h]”(j«  )”}”(hj®  h]”hŒconst”…””}”(hjY,  h²hh³Nh´Nubah}”(h]”h ]”j·  ah"]”h$]”h&]”uh1jª  hjU,  ubjo  )”}”(hŒ ”h]”hŒ ”…””}”(hjf,  h²hh³Nh´Nubah}”(h]”h ]”j{  ah"]”h$]”h&]”uh1jn  hjU,  ubj]  )”}”(hŒint”h]”hŒint”…””}”(hjt,  h²hh³Nh´Nubah}”(h]”h ]”ji  ah"]”h$]”h&]”uh1j\  hjU,  ubjo  )”}”(hŒ ”h]”hŒ ”…””}”(hj‚,  h²hh³Nh´Nubah}”(h]”h ]”j{  ah"]”h$]”h&]”uh1jn  hjU,  ubj†  )”}”(hŒ
ruleset_fd”h]”hŒ
ruleset_fd”…””}”(hj,  h²hh³Nh´Nubah}”(h]”h ]”j’  ah"]”h$]”h&]”uh1j…  hjU,  ubeh}”(h]”h ]”h"]”h$]”h&]”Œnoemph”ˆhÅhÆuh1j¤  hjQ,  ubj¥  )”}”(hŒconst __u32 flags”h]”(j«  )”}”(hj®  h]”hŒconst”…””}”(hj©,  h²hh³Nh´Nubah}”(h]”h ]”j·  ah"]”h$]”h&]”uh1jª  hj¥,  ubjo  )”}”(hŒ ”h]”hŒ ”…””}”(hj¶,  h²hh³Nh´Nubah}”(h]”h ]”j{  ah"]”h$]”h&]”uh1jn  hj¥,  ubh)”}”(hhh]”j†  )”}”(hŒ__u32”h]”hŒ__u32”…””}”(hjÇ,  h²hh³Nh´Nubah}”(h]”h ]”j’  ah"]”h$]”h&]”uh1j…  hjÄ,  ubah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”j  Œreftype”jþ  Œ	reftarget”jÉ,  Œmodname”NŒ	classname”Nj  j  )”}”j  ]”j  )”}”jþ  j?,  sbŒc.sys_landlock_restrict_self”†”asbuh1hhj¥,  ubjo  )”}”(hŒ ”h]”hŒ ”…””}”(hjç,  h²hh³Nh´Nubah}”(h]”h ]”j{  ah"]”h$]”h&]”uh1jn  hj¥,  ubj†  )”}”(hŒflags”h]”hŒflags”…””}”(hjõ,  h²hh³Nh´Nubah}”(h]”h ]”j’  ah"]”h$]”h&]”uh1j…  hj¥,  ubeh}”(h]”h ]”h"]”h$]”h&]”Œnoemph”ˆhÅhÆuh1j¤  hjQ,  ubeh}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1jž  hj,  h²hh³j*,  h´MÉubeh}”(h]”h ]”h"]”h$]”h&]”hÅhÆjB  ˆuh1jV  jC  jD  hj,  h²hh³j*,  h´MÉubah}”(h]”j,  ah ]”(jH  jI  eh"]”h$]”h&]”jM  ˆjN  )jO  huh1jP  h³j*,  h´MÉhj,  h²hubjQ  )”}”(hhh]”j(  )”}”(hŒ'Enforce a ruleset on the calling thread”h]”hŒ'Enforce a ruleset on the calling thread”…””}”(hj-  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:566: ./security/landlock/syscalls.c”h´MÉhj-  h²hubah}”(h]”h ]”h"]”h$]”h&]”uh1jP  hj,  h²hh³j*,  h´MÉubeh}”(h]”h ]”(j  Œfunction”eh"]”h$]”h&]”jq  j  jr  j7-  js  j7-  jt  ‰ju  ‰jv  ‰uh1jK  h²hhjò+  h³Nh´Nubjx  )”}”(hX`  **Parameters**

``const int ruleset_fd``
  File descriptor tied to the ruleset to merge with the target.

``const __u32 flags``
  Supported values:

**Description**

        - ``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``
        - ``LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON``
        - ``LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF``
        - ``LANDLOCK_RESTRICT_SELF_TSYNC``

This system call enforces a Landlock ruleset on the current thread.
Enforcing a ruleset requires that the task has ``CAP_SYS_ADMIN`` in its
namespace or is running with no_new_privs.  This avoids scenarios where
unprivileged tasks can affect the behavior of privileged children.


- ``EOPNOTSUPP``: Landlock is supported by the kernel but disabled at boot time;
- ``EINVAL``: **flags** contains an unknown bit.
- ``EBADF``: **ruleset_fd** is not a file descriptor for the current thread;
- ``EBADFD``: **ruleset_fd** is not a ruleset file descriptor;
- ``EPERM``: **ruleset_fd** has no read access to the underlying ruleset, or the
  current thread is not running with no_new_privs, or it doesn't have
  ``CAP_SYS_ADMIN`` in its namespace.
- ``E2BIG``: The maximum number of stacked rulesets is reached for the current
  thread.

.. kernel-doc:: include/uapi/linux/landlock.h
    :identifiers: landlock_restrict_self_flags

**Return**

0 on success, or -errno on failure.  Possible returned errors are:”h]”(j(  )”}”(hŒ**Parameters**”h]”j  )”}”(hjA-  h]”hŒ
Parameters”…””}”(hjC-  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj?-  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:566: ./security/landlock/syscalls.c”h´MÍhj;-  ubj"  )”}”(hhh]”(j'  )”}”(hŒW``const int ruleset_fd``
File descriptor tied to the ruleset to merge with the target.
”h]”(j-  )”}”(hŒ``const int ruleset_fd``”h]”jŽ  )”}”(hj`-  h]”hŒconst int ruleset_fd”…””}”(hjb-  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj^-  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:566: ./security/landlock/syscalls.c”h´MËhjZ-  ubj=  )”}”(hhh]”j(  )”}”(hŒ=File descriptor tied to the ruleset to merge with the target.”h]”hŒ=File descriptor tied to the ruleset to merge with the target.”…””}”(hjy-  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³ju-  h´MËhjv-  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j<  hjZ-  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j&  h³ju-  h´MËhjW-  ubj'  )”}”(hŒ(``const __u32 flags``
Supported values:
”h]”(j-  )”}”(hŒ``const __u32 flags``”h]”jŽ  )”}”(hj™-  h]”hŒconst __u32 flags”…””}”(hj›-  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj—-  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:566: ./security/landlock/syscalls.c”h´MÌhj“-  ubj=  )”}”(hhh]”j(  )”}”(hŒSupported values:”h]”hŒSupported values:”…””}”(hj²-  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³j®-  h´MÌhj¯-  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j<  hj“-  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j&  h³j®-  h´MÌhjW-  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j!  hj;-  ubj(  )”}”(hŒ**Description**”h]”j  )”}”(hjÔ-  h]”hŒDescription”…””}”(hjÖ-  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÒ-  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:566: ./security/landlock/syscalls.c”h´MÎhj;-  ubj­  )”}”(hŒ¯- ``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``
- ``LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON``
- ``LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF``
- ``LANDLOCK_RESTRICT_SELF_TSYNC``
”h]”jŸ  )”}”(hhh]”(j¤  )”}”(hŒ,``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``”h]”j(  )”}”(hjó-  h]”jŽ  )”}”(hjó-  h]”hŒ(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF”…””}”(hjø-  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjõ-  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:566: ./security/landlock/syscalls.c”h´MÍhjñ-  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hjî-  ubj¤  )”}”(hŒ*``LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON``”h]”j(  )”}”(hj.  h]”jŽ  )”}”(hj.  h]”hŒ&LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON”…””}”(hj.  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj.  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:566: ./security/landlock/syscalls.c”h´MÎhj.  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hjî-  ubj¤  )”}”(hŒ-``LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF``”h]”j(  )”}”(hj5.  h]”jŽ  )”}”(hj5.  h]”hŒ)LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF”…””}”(hj:.  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj7.  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:566: ./security/landlock/syscalls.c”h´MÏhj3.  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hjî-  ubj¤  )”}”(hŒ!``LANDLOCK_RESTRICT_SELF_TSYNC``
”h]”j(  )”}”(hŒ ``LANDLOCK_RESTRICT_SELF_TSYNC``”h]”jŽ  )”}”(hjZ.  h]”hŒLANDLOCK_RESTRICT_SELF_TSYNC”…””}”(hj\.  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjX.  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:566: ./security/landlock/syscalls.c”h´MÐhjT.  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hjî-  ubeh}”(h]”h ]”h"]”h$]”h&]”j„  jš  uh1jž  h³j.  h´MÍhjê-  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¬  h³j.  h´MÍhj;-  ubj(  )”}”(hX  This system call enforces a Landlock ruleset on the current thread.
Enforcing a ruleset requires that the task has ``CAP_SYS_ADMIN`` in its
namespace or is running with no_new_privs.  This avoids scenarios where
unprivileged tasks can affect the behavior of privileged children.”h]”(hŒsThis system call enforces a Landlock ruleset on the current thread.
Enforcing a ruleset requires that the task has ”…””}”(hj‚.  h²hh³Nh´NubjŽ  )”}”(hŒ``CAP_SYS_ADMIN``”h]”hŒCAP_SYS_ADMIN”…””}”(hjŠ.  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj‚.  ubhŒ’ in its
namespace or is running with no_new_privs.  This avoids scenarios where
unprivileged tasks can affect the behavior of privileged children.”…””}”(hj‚.  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:566: ./security/landlock/syscalls.c”h´MÒhj;-  ubjŸ  )”}”(hhh]”(j¤  )”}”(hŒN``EOPNOTSUPP``: Landlock is supported by the kernel but disabled at boot time;”h]”j(  )”}”(hj¨.  h]”(jŽ  )”}”(hŒ``EOPNOTSUPP``”h]”hŒ
EOPNOTSUPP”…””}”(hj­.  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjª.  ubhŒ@: Landlock is supported by the kernel but disabled at boot time;”…””}”(hjª.  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:566: ./security/landlock/syscalls.c”h´MØhj¦.  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj£.  ubj¤  )”}”(hŒ.``EINVAL``: **flags** contains an unknown bit.”h]”j(  )”}”(hjÎ.  h]”(jŽ  )”}”(hŒ
``EINVAL``”h]”hŒEINVAL”…””}”(hjÓ.  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÐ.  ubhŒ: ”…””}”(hjÐ.  h²hh³Nh´Nubj  )”}”(hŒ	**flags**”h]”hŒflags”…””}”(hjå.  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÐ.  ubhŒ contains an unknown bit.”…””}”(hjÐ.  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:566: ./security/landlock/syscalls.c”h´MÙhjÌ.  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj£.  ubj¤  )”}”(hŒJ``EBADF``: **ruleset_fd** is not a file descriptor for the current thread;”h]”j(  )”}”(hj/  h]”(jŽ  )”}”(hŒ	``EBADF``”h]”hŒEBADF”…””}”(hj/  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj/  ubhŒ: ”…””}”(hj/  h²hh³Nh´Nubj  )”}”(hŒ**ruleset_fd**”h]”hŒ
ruleset_fd”…””}”(hj/  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj/  ubhŒ1 is not a file descriptor for the current thread;”…””}”(hj/  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:566: ./security/landlock/syscalls.c”h´MÚhj/  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj£.  ubj¤  )”}”(hŒ<``EBADFD``: **ruleset_fd** is not a ruleset file descriptor;”h]”j(  )”}”(hj>/  h]”(jŽ  )”}”(hŒ
``EBADFD``”h]”hŒEBADFD”…””}”(hjC/  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj@/  ubhŒ: ”…””}”(hj@/  h²hh³Nh´Nubj  )”}”(hŒ**ruleset_fd**”h]”hŒ
ruleset_fd”…””}”(hjU/  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj@/  ubhŒ" is not a ruleset file descriptor;”…””}”(hj@/  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:566: ./security/landlock/syscalls.c”h´MÛhj</  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj£.  ubj¤  )”}”(hŒ¶``EPERM``: **ruleset_fd** has no read access to the underlying ruleset, or the
current thread is not running with no_new_privs, or it doesn't have
``CAP_SYS_ADMIN`` in its namespace.”h]”j(  )”}”(hŒ¶``EPERM``: **ruleset_fd** has no read access to the underlying ruleset, or the
current thread is not running with no_new_privs, or it doesn't have
``CAP_SYS_ADMIN`` in its namespace.”h]”(jŽ  )”}”(hŒ	``EPERM``”h]”hŒEPERM”…””}”(hj|/  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjx/  ubhŒ: ”…””}”(hjx/  h²hh³Nh´Nubj  )”}”(hŒ**ruleset_fd**”h]”hŒ
ruleset_fd”…””}”(hjŽ/  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjx/  ubhŒ| has no read access to the underlying ruleset, or the
current thread is not running with no_new_privs, or it doesnâ€™t have
”…””}”(hjx/  h²hh³Nh´NubjŽ  )”}”(hŒ``CAP_SYS_ADMIN``”h]”hŒCAP_SYS_ADMIN”…””}”(hj /  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjx/  ubhŒ in its namespace.”…””}”(hjx/  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:566: ./security/landlock/syscalls.c”h´MÜhjt/  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj£.  ubj¤  )”}”(hŒU``E2BIG``: The maximum number of stacked rulesets is reached for the current
thread.
”h]”j(  )”}”(hŒT``E2BIG``: The maximum number of stacked rulesets is reached for the current
thread.”h]”(jŽ  )”}”(hŒ	``E2BIG``”h]”hŒE2BIG”…””}”(hjÇ/  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÃ/  ubhŒK: The maximum number of stacked rulesets is reached for the current
thread.”…””}”(hjÃ/  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:566: ./security/landlock/syscalls.c”h´Mßhj¿/  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj£.  ubeh}”(h]”h ]”h"]”h$]”h&]”j„  jš  uh1jž  h³jÅ.  h´MØhj;-  ubj(  )”}”(hŒ	**Flags**”h]”j  )”}”(hjî/  h]”hŒFlags”…””}”(hjð/  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjì/  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:38: ./include/uapi/linux/landlock.h”h´KIhj;-  ubj(  )”}”(hX€  By default, denied accesses originating from programs that sandbox themselves
are logged via the audit subsystem. Such events typically indicate unexpected
behavior, such as bugs or exploitation attempts. However, to avoid excessive
logging, access requests denied by a domain not created by the originating
program are not logged by default. The rationale is that programs should know
their own behavior, but not necessarily the behavior of other programs.  This
default configuration is suitable for most programs that sandbox themselves.
For specific use cases, the following flags allow programs to modify this
default logging behavior.”h]”hX€  By default, denied accesses originating from programs that sandbox themselves
are logged via the audit subsystem. Such events typically indicate unexpected
behavior, such as bugs or exploitation attempts. However, to avoid excessive
logging, access requests denied by a domain not created by the originating
program are not logged by default. The rationale is that programs should know
their own behavior, but not necessarily the behavior of other programs.  This
default configuration is suitable for most programs that sandbox themselves.
For specific use cases, the following flags allow programs to modify this
default logging behavior.”…””}”(hj0  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:38: ./include/uapi/linux/landlock.h”h´KKhj;-  ubj(  )”}”(hŒ‘The ``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF`` and
``LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON`` flags apply to the newly created
Landlock domain.”h]”(hŒThe ”…””}”(hj0  h²hh³Nh´NubjŽ  )”}”(hŒ,``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``”h]”hŒ(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF”…””}”(hj0  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj0  ubhŒ and
”…””}”(hj0  h²hh³Nh´NubjŽ  )”}”(hŒ*``LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON``”h]”hŒ&LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON”…””}”(hj-0  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj0  ubhŒ2 flags apply to the newly created
Landlock domain.”…””}”(hj0  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:38: ./include/uapi/linux/landlock.h”h´KUhj;-  ubj"  )”}”(hhh]”(j'  )”}”(hX  ``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``
Disables logging of denied accesses originating from the thread creating
the Landlock domain, as well as its children, as long as they continue
running the same executable code (i.e., without an intervening
:manpage:`execve(2)` call). This is intended for programs that execute
unknown code without invoking :manpage:`execve(2)`, such as script
interpreters. Programs that only sandbox themselves should not set this
flag, so users can be notified of unauthorized access attempts via system
logs.
”h]”(j-  )”}”(hŒ,``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``”h]”jŽ  )”}”(hjO0  h]”hŒ(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF”…””}”(hjQ0  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjM0  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:38: ./include/uapi/linux/landlock.h”h´KahjI0  ubj=  )”}”(hhh]”j(  )”}”(hXð  Disables logging of denied accesses originating from the thread creating
the Landlock domain, as well as its children, as long as they continue
running the same executable code (i.e., without an intervening
:manpage:`execve(2)` call). This is intended for programs that execute
unknown code without invoking :manpage:`execve(2)`, such as script
interpreters. Programs that only sandbox themselves should not set this
flag, so users can be notified of unauthorized access attempts via system
logs.”h]”(hŒÏDisables logging of denied accesses originating from the thread creating
the Landlock domain, as well as its children, as long as they continue
running the same executable code (i.e., without an intervening
”…””}”(hjh0  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`execve(2)`”h]”hŒ	execve(2)”…””}”(hjp0  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œ	execve(2)”j"  Œexecve”j$  j%  uh1j  hjh0  ubhŒQ call). This is intended for programs that execute
unknown code without invoking ”…””}”(hjh0  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`execve(2)`”h]”hŒ	execve(2)”…””}”(hj„0  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œ	execve(2)”j"  Œexecve”j$  j%  uh1j  hjh0  ubhŒ¨, such as script
interpreters. Programs that only sandbox themselves should not set this
flag, so users can be notified of unauthorized access attempts via system
logs.”…””}”(hjh0  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:38: ./include/uapi/linux/landlock.h”h´KZhje0  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j<  hjI0  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j&  h³jd0  h´KahjF0  ubj'  )”}”(hXÁ  ``LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON``
Enables logging of denied accesses after an :manpage:`execve(2)` call,
providing visibility into unauthorized access attempts by newly executed
programs within the created Landlock domain. This flag is recommended
only when all potential executables in the domain are expected to comply
with the access restrictions, as excessive audit log entries could make
it more difficult to identify critical events.
”h]”(j-  )”}”(hŒ*``LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON``”h]”jŽ  )”}”(hj±0  h]”hŒ&LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON”…””}”(hj³0  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj¯0  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:38: ./include/uapi/linux/landlock.h”h´Kihj«0  ubj=  )”}”(hhh]”j(  )”}”(hX•  Enables logging of denied accesses after an :manpage:`execve(2)` call,
providing visibility into unauthorized access attempts by newly executed
programs within the created Landlock domain. This flag is recommended
only when all potential executables in the domain are expected to comply
with the access restrictions, as excessive audit log entries could make
it more difficult to identify critical events.”h]”(hŒ,Enables logging of denied accesses after an ”…””}”(hjÊ0  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`execve(2)`”h]”hŒ	execve(2)”…””}”(hjÒ0  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œ	execve(2)”j"  Œexecve”j$  j%  uh1j  hjÊ0  ubhXU   call,
providing visibility into unauthorized access attempts by newly executed
programs within the created Landlock domain. This flag is recommended
only when all potential executables in the domain are expected to comply
with the access restrictions, as excessive audit log entries could make
it more difficult to identify critical events.”…””}”(hjÊ0  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:38: ./include/uapi/linux/landlock.h”h´KdhjÇ0  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j<  hj«0  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j&  h³jÆ0  h´KihjF0  ubj'  )”}”(hXL  ``LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF``
Disables logging of denied accesses originating from nested Landlock
domains created by the caller or its descendants. This flag should be set
according to runtime configuration, not hardcoded, to avoid suppressing
important security events. It is useful for container runtimes or
sandboxing tools that may launch programs which themselves create
Landlock domains and could otherwise generate excessive logs. Unlike
``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``, this flag only affects
future nested domains, not the one being created. It can also be used
with a **ruleset_fd** value of -1 to mute subdomain logs without creating a
domain.  When combined with ``LANDLOCK_RESTRICT_SELF_TSYNC`` and a
**ruleset_fd** value of -1, this configuration is propagated to all threads
of the current process.
”h]”(j-  )”}”(hŒ-``LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF``”h]”jŽ  )”}”(hjÿ0  h]”hŒ)LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF”…””}”(hj1  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjý0  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:38: ./include/uapi/linux/landlock.h”h´Kwhjù0  ubj=  )”}”(hhh]”j(  )”}”(hX  Disables logging of denied accesses originating from nested Landlock
domains created by the caller or its descendants. This flag should be set
according to runtime configuration, not hardcoded, to avoid suppressing
important security events. It is useful for container runtimes or
sandboxing tools that may launch programs which themselves create
Landlock domains and could otherwise generate excessive logs. Unlike
``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``, this flag only affects
future nested domains, not the one being created. It can also be used
with a **ruleset_fd** value of -1 to mute subdomain logs without creating a
domain.  When combined with ``LANDLOCK_RESTRICT_SELF_TSYNC`` and a
**ruleset_fd** value of -1, this configuration is propagated to all threads
of the current process.”h]”(hX   Disables logging of denied accesses originating from nested Landlock
domains created by the caller or its descendants. This flag should be set
according to runtime configuration, not hardcoded, to avoid suppressing
important security events. It is useful for container runtimes or
sandboxing tools that may launch programs which themselves create
Landlock domains and could otherwise generate excessive logs. Unlike
”…””}”(hj1  h²hh³Nh´NubjŽ  )”}”(hŒ,``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``”h]”hŒ(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF”…””}”(hj 1  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj1  ubhŒf, this flag only affects
future nested domains, not the one being created. It can also be used
with a ”…””}”(hj1  h²hh³Nh´Nubj  )”}”(hŒ**ruleset_fd**”h]”hŒ
ruleset_fd”…””}”(hj21  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj1  ubhŒS value of -1 to mute subdomain logs without creating a
domain.  When combined with ”…””}”(hj1  h²hh³Nh´NubjŽ  )”}”(hŒ ``LANDLOCK_RESTRICT_SELF_TSYNC``”h]”hŒLANDLOCK_RESTRICT_SELF_TSYNC”…””}”(hjD1  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj1  ubhŒ and a
”…””}”(hj1  h²hh³Nh´Nubj  )”}”(hŒ**ruleset_fd**”h]”hŒ
ruleset_fd”…””}”(hjV1  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj1  ubhŒU value of -1, this configuration is propagated to all threads
of the current process.”…””}”(hj1  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:38: ./include/uapi/linux/landlock.h”h´Klhj1  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j<  hjù0  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j&  h³j1  h´KwhjF0  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j!  hj;-  ubj(  )”}”(hŒJThe following flag supports policy enforcement in multithreaded processes:”h]”hŒJThe following flag supports policy enforcement in multithreaded processes:”…””}”(hj1  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:38: ./include/uapi/linux/landlock.h”h´Kyhj;-  ubj"  )”}”(hhh]”j'  )”}”(hXÐ  ``LANDLOCK_RESTRICT_SELF_TSYNC``
Applies the new Landlock configuration atomically to all threads of the
current process, including the Landlock domain and logging
configuration. This overrides the Landlock configuration of sibling
threads, irrespective of previously established Landlock domains and
logging configurations on these threads.

If the calling thread is running with no_new_privs, this operation
enables no_new_privs on the sibling threads as well.

”h]”(j-  )”}”(hŒ ``LANDLOCK_RESTRICT_SELF_TSYNC``”h]”jŽ  )”}”(hj™1  h]”hŒLANDLOCK_RESTRICT_SELF_TSYNC”…””}”(hj›1  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj—1  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:38: ./include/uapi/linux/landlock.h”h´K„hj“1  ubj=  )”}”(hhh]”(j(  )”}”(hX4  Applies the new Landlock configuration atomically to all threads of the
current process, including the Landlock domain and logging
configuration. This overrides the Landlock configuration of sibling
threads, irrespective of previously established Landlock domains and
logging configurations on these threads.”h]”hX4  Applies the new Landlock configuration atomically to all threads of the
current process, including the Landlock domain and logging
configuration. This overrides the Landlock configuration of sibling
threads, irrespective of previously established Landlock domains and
logging configurations on these threads.”…””}”(hj²1  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:38: ./include/uapi/linux/landlock.h”h´K|hj¯1  ubj(  )”}”(hŒwIf the calling thread is running with no_new_privs, this operation
enables no_new_privs on the sibling threads as well.”h]”hŒwIf the calling thread is running with no_new_privs, this operation
enables no_new_privs on the sibling threads as well.”…””}”(hjÁ1  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:38: ./include/uapi/linux/landlock.h”h´K‚hj¯1  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j<  hj“1  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j&  h³j®1  h´K„hj1  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j!  hj;-  ubj(  )”}”(hŒ
**Return**”h]”j  )”}”(hjä1  h]”hŒReturn”…””}”(hjæ1  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjâ1  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:566: ./security/landlock/syscalls.c”h´Måhj;-  ubj(  )”}”(hŒB0 on success, or -errno on failure.  Possible returned errors are:”h]”hŒB0 on success, or -errno on failure.  Possible returned errors are:”…””}”(hjú1  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³Œd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:566: ./security/landlock/syscalls.c”h´MØhj;-  ubeh}”(h]”h ]”Œkernelindent”ah"]”h$]”h&]”uh1jw  hjò+  h²hh³Nh´Nubeh}”(h]”Œenforcing-a-ruleset”ah ]”h"]”Œenforcing a ruleset”ah$]”h&]”uh1hòhj  h²hh³hÇh´M4ubeh}”(h]”Œkernel-interface”ah ]”h"]”Œkernel interface”ah$]”h&]”uh1hòhhôh²hh³hÇh´Mubhó)”}”(hhh]”(hø)”}”(hŒCurrent limitations”h]”hŒCurrent limitations”…””}”(hj#2  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hj 2  h²hh³hÇh´M:ubhó)”}”(hhh]”(hø)”}”(hŒ Filesystem topology modification”h]”hŒ Filesystem topology modification”…””}”(hj42  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hj12  h²hh³hÇh´M=ubj(  )”}”(hŒÂThreads sandboxed with filesystem restrictions cannot modify filesystem
topology, whether via :manpage:`mount(2)` or :manpage:`pivot_root(2)`.
However, :manpage:`chroot(2)` calls are not denied.”h]”(hŒ^Threads sandboxed with filesystem restrictions cannot modify filesystem
topology, whether via ”…””}”(hjB2  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`mount(2)`”h]”hŒmount(2)”…””}”(hjJ2  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œmount(2)”j"  Œmount”j$  j%  uh1j  hjB2  ubhŒ or ”…””}”(hjB2  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`pivot_root(2)`”h]”hŒpivot_root(2)”…””}”(hj^2  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œpivot_root(2)”j"  Œ
pivot_root”j$  j%  uh1j  hjB2  ubhŒ.
However, ”…””}”(hjB2  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`chroot(2)`”h]”hŒ	chroot(2)”…””}”(hjr2  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œ	chroot(2)”j"  Œchroot”j$  j%  uh1j  hjB2  ubhŒ calls are not denied.”…””}”(hjB2  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´M?hj12  h²hubeh}”(h]”Œ filesystem-topology-modification”ah ]”h"]”Œ filesystem topology modification”ah$]”h&]”uh1hòhj 2  h²hh³hÇh´M=ubhó)”}”(hhh]”(hø)”}”(hŒSpecial filesystems”h]”hŒSpecial filesystems”…””}”(hj—2  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hj”2  h²hh³hÇh´MDubj(  )”}”(hXÌ  Access to regular files and directories can be restricted by Landlock,
according to the handled accesses of a ruleset.  However, files that do not
come from a user-visible filesystem (e.g. pipe, socket), but can still be
accessed through ``/proc/<pid>/fd/*``, cannot currently be explicitly
restricted.  Likewise, some special kernel filesystems such as nsfs, which can
be accessed through ``/proc/<pid>/ns/*``, cannot currently be explicitly
restricted.  However, thanks to the `ptrace restrictions`_, access to such
sensitive ``/proc`` files are automatically restricted according to domain
hierarchies.  Future Landlock evolutions could still enable to explicitly
restrict such paths with dedicated ruleset flags.”h]”(hŒîAccess to regular files and directories can be restricted by Landlock,
according to the handled accesses of a ruleset.  However, files that do not
come from a user-visible filesystem (e.g. pipe, socket), but can still be
accessed through ”…””}”(hj¥2  h²hh³Nh´NubjŽ  )”}”(hŒ``/proc/<pid>/fd/*``”h]”hŒ/proc/<pid>/fd/*”…””}”(hj­2  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj¥2  ubhŒ„, cannot currently be explicitly
restricted.  Likewise, some special kernel filesystems such as nsfs, which can
be accessed through ”…””}”(hj¥2  h²hh³Nh´NubjŽ  )”}”(hŒ``/proc/<pid>/ns/*``”h]”hŒ/proc/<pid>/ns/*”…””}”(hj¿2  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj¥2  ubhŒE, cannot currently be explicitly
restricted.  However, thanks to the ”…””}”(hj¥2  h²hh³Nh´Nubj”  )”}”(hŒ`ptrace restrictions`_”h]”hŒptrace restrictions”…””}”(hjÑ2  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œptrace restrictions”jÔ  j¤  uh1j“  hj¥2  j§  KubhŒ, access to such
sensitive ”…””}”(hj¥2  h²hh³Nh´NubjŽ  )”}”(hŒ	``/proc``”h]”hŒ/proc”…””}”(hjå2  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj¥2  ubhŒ³ files are automatically restricted according to domain
hierarchies.  Future Landlock evolutions could still enable to explicitly
restrict such paths with dedicated ruleset flags.”…””}”(hj¥2  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´MFhj”2  h²hubeh}”(h]”Œspecial-filesystems”ah ]”h"]”Œspecial filesystems”ah$]”h&]”uh1hòhj 2  h²hh³hÇh´MDubhó)”}”(hhh]”(hø)”}”(hŒRuleset layers”h]”hŒRuleset layers”…””}”(hj3  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hj3  h²hh³hÇh´MRubj(  )”}”(hXÒ  There is a limit of 16 layers of stacked rulesets.  This can be an issue for a
task willing to enforce a new ruleset in complement to its 16 inherited
rulesets.  Once this limit is reached, sys_landlock_restrict_self() returns
E2BIG.  It is then strongly suggested to carefully build rulesets once in the
life of a thread, especially for applications able to launch other applications
that may also want to sandbox themselves (e.g. shells, container managers,
etc.).”h]”hXÒ  There is a limit of 16 layers of stacked rulesets.  This can be an issue for a
task willing to enforce a new ruleset in complement to its 16 inherited
rulesets.  Once this limit is reached, sys_landlock_restrict_self() returns
E2BIG.  It is then strongly suggested to carefully build rulesets once in the
life of a thread, especially for applications able to launch other applications
that may also want to sandbox themselves (e.g. shells, container managers,
etc.).”…””}”(hj3  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´MThj3  h²hubeh}”(h]”Œruleset-layers”ah ]”h"]”Œruleset layers”ah$]”h&]”uh1hòhj 2  h²hh³hÇh´MRubhó)”}”(hhh]”(hø)”}”(hŒMemory usage”h]”hŒMemory usage”…””}”(hj/3  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hj,3  h²hh³hÇh´M]ubj(  )”}”(hŒ„Kernel memory allocated to create rulesets is accounted and can be restricted
by the Documentation/admin-guide/cgroup-v1/memory.rst.”h]”hŒ„Kernel memory allocated to create rulesets is accounted and can be restricted
by the Documentation/admin-guide/cgroup-v1/memory.rst.”…””}”(hj=3  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´M_hj,3  h²hubeh}”(h]”Œmemory-usage”ah ]”h"]”Œmemory usage”ah$]”h&]”uh1hòhj 2  h²hh³hÇh´M]ubhó)”}”(hhh]”(hø)”}”(hŒIOCTL support”h]”hŒIOCTL support”…””}”(hjV3  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hjS3  h²hh³hÇh´Mcubj(  )”}”(hŒòThe ``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right restricts the use of
:manpage:`ioctl(2)`, but it only applies to *newly opened* device files.  This
means specifically that pre-existing file descriptors like stdin, stdout and
stderr are unaffected.”h]”(hŒThe ”…””}”(hjd3  h²hh³Nh´NubjŽ  )”}”(hŒ ``LANDLOCK_ACCESS_FS_IOCTL_DEV``”h]”hŒLANDLOCK_ACCESS_FS_IOCTL_DEV”…””}”(hjl3  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjd3  ubhŒ right restricts the use of
”…””}”(hjd3  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`ioctl(2)`”h]”hŒioctl(2)”…””}”(hj~3  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œioctl(2)”j"  Œioctl”j$  j%  uh1j  hjd3  ubhŒ, but it only applies to ”…””}”(hjd3  h²hh³Nh´Nubj’  )”}”(hŒ*newly opened*”h]”hŒnewly opened”…””}”(hj’3  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j‘  hjd3  ubhŒx device files.  This
means specifically that pre-existing file descriptors like stdin, stdout and
stderr are unaffected.”…””}”(hjd3  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´MehjS3  h²hubj(  )”}”(hX  Users should be aware that TTY devices have traditionally permitted to control
other processes on the same TTY through the ``TIOCSTI`` and ``TIOCLINUX`` IOCTL
commands.  Both of these require ``CAP_SYS_ADMIN`` on modern Linux systems, but
the behavior is configurable for ``TIOCSTI``.”h]”(hŒ{Users should be aware that TTY devices have traditionally permitted to control
other processes on the same TTY through the ”…””}”(hjª3  h²hh³Nh´NubjŽ  )”}”(hŒ``TIOCSTI``”h]”hŒTIOCSTI”…””}”(hj²3  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjª3  ubhŒ and ”…””}”(hjª3  h²hh³Nh´NubjŽ  )”}”(hŒ``TIOCLINUX``”h]”hŒ	TIOCLINUX”…””}”(hjÄ3  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjª3  ubhŒ( IOCTL
commands.  Both of these require ”…””}”(hjª3  h²hh³Nh´NubjŽ  )”}”(hŒ``CAP_SYS_ADMIN``”h]”hŒCAP_SYS_ADMIN”…””}”(hjÖ3  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjª3  ubhŒ? on modern Linux systems, but
the behavior is configurable for ”…””}”(hjª3  h²hh³Nh´NubjŽ  )”}”(hŒ``TIOCSTI``”h]”hŒTIOCSTI”…””}”(hjè3  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjª3  ubhŒ.”…””}”(hjª3  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´MjhjS3  h²hubj(  )”}”(hŒÂOn older systems, it is therefore recommended to close inherited TTY file
descriptors, or to reopen them from ``/proc/self/fd/*`` without the
``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right, if possible.”h]”(hŒnOn older systems, it is therefore recommended to close inherited TTY file
descriptors, or to reopen them from ”…””}”(hj 4  h²hh³Nh´NubjŽ  )”}”(hŒ``/proc/self/fd/*``”h]”hŒ/proc/self/fd/*”…””}”(hj4  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj 4  ubhŒ without the
”…””}”(hj 4  h²hh³Nh´NubjŽ  )”}”(hŒ ``LANDLOCK_ACCESS_FS_IOCTL_DEV``”h]”hŒLANDLOCK_ACCESS_FS_IOCTL_DEV”…””}”(hj4  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj 4  ubhŒ right, if possible.”…””}”(hj 4  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´MohjS3  h²hubj(  )”}”(hX1  Landlock's IOCTL support is coarse-grained at the moment, but may become more
fine-grained in the future.  Until then, users are advised to establish the
guarantees that they need through the file hierarchy, by only allowing the
``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right on files where it is really required.”h]”(hŒçLandlockâ€™s IOCTL support is coarse-grained at the moment, but may become more
fine-grained in the future.  Until then, users are advised to establish the
guarantees that they need through the file hierarchy, by only allowing the
”…””}”(hj24  h²hh³Nh´NubjŽ  )”}”(hŒ ``LANDLOCK_ACCESS_FS_IOCTL_DEV``”h]”hŒLANDLOCK_ACCESS_FS_IOCTL_DEV”…””}”(hj:4  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj24  ubhŒ, right on files where it is really required.”…””}”(hj24  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´MshjS3  h²hubeh}”(h]”Œioctl-support”ah ]”h"]”Œioctl support”ah$]”h&]”uh1hòhj 2  h²hh³hÇh´Mcubeh}”(h]”Œcurrent-limitations”ah ]”h"]”Œcurrent limitations”ah$]”h&]”uh1hòhhôh²hh³hÇh´M:ubhó)”}”(hhh]”(hø)”}”(hŒPrevious limitations”h]”hŒPrevious limitations”…””}”(hje4  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hjb4  h²hh³hÇh´Myubhó)”}”(hhh]”(hø)”}”(hŒ#File renaming and linking (ABI < 2)”h]”hŒ#File renaming and linking (ABI < 2)”…””}”(hjv4  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hjs4  h²hh³hÇh´M|ubj(  )”}”(hX•  Because Landlock targets unprivileged access controls, it needs to properly
handle composition of rules.  Such property also implies rules nesting.
Properly handling multiple layers of rulesets, each one of them able to
restrict access to files, also implies inheritance of the ruleset restrictions
from a parent to its hierarchy.  Because files are identified and restricted by
their hierarchy, moving or linking a file from one directory to another implies
propagation of the hierarchy constraints, or restriction of these actions
according to the potentially lost constraints.  To protect against privilege
escalations through renaming or linking, and for the sake of simplicity,
Landlock previously limited linking and renaming to the same directory.
Starting with the Landlock ABI version 2, it is now possible to securely
control renaming and linking thanks to the new ``LANDLOCK_ACCESS_FS_REFER``
access right.”h]”(hXk  Because Landlock targets unprivileged access controls, it needs to properly
handle composition of rules.  Such property also implies rules nesting.
Properly handling multiple layers of rulesets, each one of them able to
restrict access to files, also implies inheritance of the ruleset restrictions
from a parent to its hierarchy.  Because files are identified and restricted by
their hierarchy, moving or linking a file from one directory to another implies
propagation of the hierarchy constraints, or restriction of these actions
according to the potentially lost constraints.  To protect against privilege
escalations through renaming or linking, and for the sake of simplicity,
Landlock previously limited linking and renaming to the same directory.
Starting with the Landlock ABI version 2, it is now possible to securely
control renaming and linking thanks to the new ”…””}”(hj„4  h²hh³Nh´NubjŽ  )”}”(hŒ``LANDLOCK_ACCESS_FS_REFER``”h]”hŒLANDLOCK_ACCESS_FS_REFER”…””}”(hjŒ4  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj„4  ubhŒ
access right.”…””}”(hj„4  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´M~hjs4  h²hubeh}”(h]”Œfile-renaming-and-linking-abi-2”ah ]”h"]”Œ#file renaming and linking (abi < 2)”ah$]”h&]”uh1hòhjb4  h²hh³hÇh´M|ubhó)”}”(hhh]”(hø)”}”(hŒFile truncation (ABI < 3)”h]”hŒFile truncation (ABI < 3)”…””}”(hj¯4  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hj¬4  h²hh³hÇh´Mubj(  )”}”(hŒšFile truncation could not be denied before the third Landlock ABI, so it is
always allowed when using a kernel that only supports the first or second ABI.”h]”hŒšFile truncation could not be denied before the third Landlock ABI, so it is
always allowed when using a kernel that only supports the first or second ABI.”…””}”(hj½4  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´Mhj¬4  h²hubj(  )”}”(hŒ›Starting with the Landlock ABI version 3, it is now possible to securely control
truncation thanks to the new ``LANDLOCK_ACCESS_FS_TRUNCATE`` access right.”h]”(hŒnStarting with the Landlock ABI version 3, it is now possible to securely control
truncation thanks to the new ”…””}”(hjË4  h²hh³Nh´NubjŽ  )”}”(hŒ``LANDLOCK_ACCESS_FS_TRUNCATE``”h]”hŒLANDLOCK_ACCESS_FS_TRUNCATE”…””}”(hjÓ4  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjË4  ubhŒ access right.”…””}”(hjË4  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´M’hj¬4  h²hubeh}”(h]”Œfile-truncation-abi-3”ah ]”h"]”Œfile truncation (abi < 3)”ah$]”h&]”uh1hòhjb4  h²hh³hÇh´Mubhó)”}”(hhh]”(hø)”}”(hŒTCP bind and connect (ABI < 4)”h]”hŒTCP bind and connect (ABI < 4)”…””}”(hjö4  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hjó4  h²hh³hÇh´M–ubj(  )”}”(hŒîStarting with the Landlock ABI version 4, it is now possible to restrict TCP
bind and connect actions to only a set of allowed ports thanks to the new
``LANDLOCK_ACCESS_NET_BIND_TCP`` and ``LANDLOCK_ACCESS_NET_CONNECT_TCP``
access rights.”h]”(hŒ—Starting with the Landlock ABI version 4, it is now possible to restrict TCP
bind and connect actions to only a set of allowed ports thanks to the new
”…””}”(hj5  h²hh³Nh´NubjŽ  )”}”(hŒ ``LANDLOCK_ACCESS_NET_BIND_TCP``”h]”hŒLANDLOCK_ACCESS_NET_BIND_TCP”…””}”(hj5  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj5  ubhŒ and ”…””}”(hj5  h²hh³Nh´NubjŽ  )”}”(hŒ#``LANDLOCK_ACCESS_NET_CONNECT_TCP``”h]”hŒLANDLOCK_ACCESS_NET_CONNECT_TCP”…””}”(hj5  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj5  ubhŒ
access rights.”…””}”(hj5  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´M˜hjó4  h²hubeh}”(h]”Œtcp-bind-and-connect-abi-4”ah ]”h"]”Œtcp bind and connect (abi < 4)”ah$]”h&]”uh1hòhjb4  h²hh³hÇh´M–ubhó)”}”(hhh]”(hø)”}”(hŒDevice IOCTL (ABI < 5)”h]”hŒDevice IOCTL (ABI < 5)”…””}”(hjA5  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hj>5  h²hh³hÇh´Mžubj(  )”}”(hŒ£IOCTL operations could not be denied before the fifth Landlock ABI, so
:manpage:`ioctl(2)` is always allowed when using a kernel that only supports an
earlier ABI.”h]”(hŒGIOCTL operations could not be denied before the fifth Landlock ABI, so
”…””}”(hjO5  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`ioctl(2)`”h]”hŒioctl(2)”…””}”(hjW5  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œioctl(2)”j"  Œioctl”j$  j%  uh1j  hjO5  ubhŒI is always allowed when using a kernel that only supports an
earlier ABI.”…””}”(hjO5  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´M hj>5  h²hubj(  )”}”(hŒ¸Starting with the Landlock ABI version 5, it is possible to restrict the use of
:manpage:`ioctl(2)` on character and block devices using the new
``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right.”h]”(hŒPStarting with the Landlock ABI version 5, it is possible to restrict the use of
”…””}”(hjq5  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`ioctl(2)`”h]”hŒioctl(2)”…””}”(hjy5  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œioctl(2)”j"  Œioctl”j$  j%  uh1j  hjq5  ubhŒ. on character and block devices using the new
”…””}”(hjq5  h²hh³Nh´NubjŽ  )”}”(hŒ ``LANDLOCK_ACCESS_FS_IOCTL_DEV``”h]”hŒLANDLOCK_ACCESS_FS_IOCTL_DEV”…””}”(hj5  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjq5  ubhŒ right.”…””}”(hjq5  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´M¤hj>5  h²hubeh}”(h]”Œdevice-ioctl-abi-5”ah ]”h"]”Œdevice ioctl (abi < 5)”ah$]”h&]”uh1hòhjb4  h²hh³hÇh´Mžubhó)”}”(hhh]”(hø)”}”(hŒAbstract UNIX socket (ABI < 6)”h]”hŒAbstract UNIX socket (ABI < 6)”…””}”(hj°5  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hj­5  h²hh³hÇh´M©ubj(  )”}”(hŒÑStarting with the Landlock ABI version 6, it is possible to restrict
connections to an abstract :manpage:`unix(7)` socket by setting
``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET`` to the ``scoped`` ruleset attribute.”h]”(hŒ`Starting with the Landlock ABI version 6, it is possible to restrict
connections to an abstract ”…””}”(hj¾5  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`unix(7)`”h]”hŒunix(7)”…””}”(hjÆ5  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œunix(7)”j"  Œunix”j$  j:  uh1j  hj¾5  ubhŒ socket by setting
”…””}”(hj¾5  h²hh³Nh´NubjŽ  )”}”(hŒ'``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET``”h]”hŒ#LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET”…””}”(hjÚ5  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj¾5  ubhŒ to the ”…””}”(hj¾5  h²hh³Nh´NubjŽ  )”}”(hŒ
``scoped``”h]”hŒscoped”…””}”(hjì5  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj¾5  ubhŒ ruleset attribute.”…””}”(hj¾5  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´M«hj­5  h²hubeh}”(h]”Œabstract-unix-socket-abi-6”ah ]”h"]”Œabstract unix socket (abi < 6)”ah$]”h&]”uh1hòhjb4  h²hh³hÇh´M©ubhó)”}”(hhh]”(hø)”}”(hŒSignal (ABI < 6)”h]”hŒSignal (ABI < 6)”…””}”(hj6  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hj6  h²hh³hÇh´M°ubj(  )”}”(hŒ«Starting with the Landlock ABI version 6, it is possible to restrict
:manpage:`signal(7)` sending by setting ``LANDLOCK_SCOPE_SIGNAL`` to the
``scoped`` ruleset attribute.”h]”(hŒEStarting with the Landlock ABI version 6, it is possible to restrict
”…””}”(hj6  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`signal(7)`”h]”hŒ	signal(7)”…””}”(hj%6  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œ	signal(7)”j"  Œsignal”j$  j:  uh1j  hj6  ubhŒ sending by setting ”…””}”(hj6  h²hh³Nh´NubjŽ  )”}”(hŒ``LANDLOCK_SCOPE_SIGNAL``”h]”hŒLANDLOCK_SCOPE_SIGNAL”…””}”(hj96  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj6  ubhŒ to the
”…””}”(hj6  h²hh³Nh´NubjŽ  )”}”(hŒ
``scoped``”h]”hŒscoped”…””}”(hjK6  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj6  ubhŒ ruleset attribute.”…””}”(hj6  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´M²hj6  h²hubeh}”(h]”Œsignal-abi-6”ah ]”h"]”Œsignal (abi < 6)”ah$]”h&]”uh1hòhjb4  h²hh³hÇh´M°ubhó)”}”(hhh]”(hø)”}”(hŒLogging (ABI < 7)”h]”hŒLogging (ABI < 7)”…””}”(hjn6  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hjk6  h²hh³hÇh´M·ubj(  )”}”(hXr  Starting with the Landlock ABI version 7, it is possible to control logging of
Landlock audit events with the ``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``,
``LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON``, and
``LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF`` flags passed to
sys_landlock_restrict_self().  See Documentation/admin-guide/LSM/landlock.rst
for more details on audit.”h]”(hŒnStarting with the Landlock ABI version 7, it is possible to control logging of
Landlock audit events with the ”…””}”(hj|6  h²hh³Nh´NubjŽ  )”}”(hŒ,``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``”h]”hŒ(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF”…””}”(hj„6  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj|6  ubhŒ,
”…””}”(hj|6  h²hh³Nh´NubjŽ  )”}”(hŒ*``LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON``”h]”hŒ&LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON”…””}”(hj–6  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj|6  ubhŒ, and
”…””}”(hj|6  h²hh³Nh´NubjŽ  )”}”(hŒ-``LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF``”h]”hŒ)LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF”…””}”(hj¨6  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj|6  ubhŒy flags passed to
sys_landlock_restrict_self().  See Documentation/admin-guide/LSM/landlock.rst
for more details on audit.”…””}”(hj|6  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´M¹hjk6  h²hubeh}”(h]”Œlogging-abi-7”ah ]”h"]”Œlogging (abi < 7)”ah$]”h&]”uh1hòhjb4  h²hh³hÇh´M·ubhó)”}”(hhh]”(hø)”}”(hŒ Thread synchronization (ABI < 8)”h]”hŒ Thread synchronization (ABI < 8)”…””}”(hjË6  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hjÈ6  h²hh³hÇh´MÁubj(  )”}”(hŒÛStarting with the Landlock ABI version 8, it is now possible to
enforce Landlock rulesets across all threads of the calling process
using the ``LANDLOCK_RESTRICT_SELF_TSYNC`` flag passed to
sys_landlock_restrict_self().”h]”(hŒŽStarting with the Landlock ABI version 8, it is now possible to
enforce Landlock rulesets across all threads of the calling process
using the ”…””}”(hjÙ6  h²hh³Nh´NubjŽ  )”}”(hŒ ``LANDLOCK_RESTRICT_SELF_TSYNC``”h]”hŒLANDLOCK_RESTRICT_SELF_TSYNC”…””}”(hjá6  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÙ6  ubhŒ- flag passed to
sys_landlock_restrict_self().”…””}”(hjÙ6  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´MÃhjÈ6  h²hubeh}”(h]”Œthread-synchronization-abi-8”ah ]”h"]”Œ thread synchronization (abi < 8)”ah$]”h&]”uh1hòhjb4  h²hh³hÇh´MÁubhó)”}”(hhh]”(hø)”}”(hŒPathname UNIX sockets (ABI < 9)”h]”hŒPathname UNIX sockets (ABI < 9)”…””}”(hj7  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hj7  h²hh³hÇh´MÉubj(  )”}”(hŒ¾Starting with the Landlock ABI version 9, it is possible to restrict
connections to pathname UNIX domain sockets (:manpage:`unix(7)`) using
the new ``LANDLOCK_ACCESS_FS_RESOLVE_UNIX`` right.”h]”(hŒrStarting with the Landlock ABI version 9, it is possible to restrict
connections to pathname UNIX domain sockets (”…””}”(hj7  h²hh³Nh´Nubj  )”}”(hŒ:manpage:`unix(7)`”h]”hŒunix(7)”…””}”(hj7  h²hh³Nh´Nubah}”(h]”h ]”j  ah"]”h$]”h&]”hÅhÆj   Œunix(7)”j"  Œunix”j$  j:  uh1j  hj7  ubhŒ) using
the new ”…””}”(hj7  h²hh³Nh´NubjŽ  )”}”(hŒ#``LANDLOCK_ACCESS_FS_RESOLVE_UNIX``”h]”hŒLANDLOCK_ACCESS_FS_RESOLVE_UNIX”…””}”(hj.7  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj7  ubhŒ right.”…””}”(hj7  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´MËhj7  h²hubjL
  )”}”(hŒ.. _kernel_support:”h]”h}”(h]”h ]”h"]”h$]”h&]”jÔ  Œkernel-support”uh1jK
  h´MÏhj7  h²hh³hÇubeh}”(h]”Œpathname-unix-sockets-abi-9”ah ]”h"]”Œpathname unix sockets (abi < 9)”ah$]”h&]”uh1hòhjb4  h²hh³hÇh´MÉubeh}”(h]”Œprevious-limitations”ah ]”h"]”Œprevious limitations”ah$]”h&]”uh1hòhhôh²hh³hÇh´Myubhó)”}”(hhh]”(hø)”}”(hŒKernel support”h]”hŒKernel support”…””}”(hjd7  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hja7  h²hh³hÇh´MÒubhó)”}”(hhh]”(hø)”}”(hŒBuild time configuration”h]”hŒBuild time configuration”…””}”(hju7  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hjr7  h²hh³hÇh´MÕubj(  )”}”(hXÙ  Landlock was first introduced in Linux 5.13 but it must be configured at build
time with ``CONFIG_SECURITY_LANDLOCK=y``.  Landlock must also be enabled at boot
time like other security modules.  The list of security modules enabled by
default is set with ``CONFIG_LSM``.  The kernel configuration should then
contain ``CONFIG_LSM=landlock,[...]`` with ``[...]``  as the list of other
potentially useful security modules for the running system (see the
``CONFIG_LSM`` help).”h]”(hŒYLandlock was first introduced in Linux 5.13 but it must be configured at build
time with ”…””}”(hjƒ7  h²hh³Nh´NubjŽ  )”}”(hŒ``CONFIG_SECURITY_LANDLOCK=y``”h]”hŒCONFIG_SECURITY_LANDLOCK=y”…””}”(hj‹7  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjƒ7  ubhŒˆ.  Landlock must also be enabled at boot
time like other security modules.  The list of security modules enabled by
default is set with ”…””}”(hjƒ7  h²hh³Nh´NubjŽ  )”}”(hŒ``CONFIG_LSM``”h]”hŒ
CONFIG_LSM”…””}”(hj7  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjƒ7  ubhŒ0.  The kernel configuration should then
contain ”…””}”(hjƒ7  h²hh³Nh´NubjŽ  )”}”(hŒ``CONFIG_LSM=landlock,[...]``”h]”hŒCONFIG_LSM=landlock,[...]”…””}”(hj¯7  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjƒ7  ubhŒ with ”…””}”(hjƒ7  h²hh³Nh´NubjŽ  )”}”(hŒ	``[...]``”h]”hŒ[...]”…””}”(hjÁ7  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjƒ7  ubhŒ[  as the list of other
potentially useful security modules for the running system (see the
”…””}”(hjƒ7  h²hh³Nh´NubjŽ  )”}”(hŒ``CONFIG_LSM``”h]”hŒ
CONFIG_LSM”…””}”(hjÓ7  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjƒ7  ubhŒ help).”…””}”(hjƒ7  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´M×hjr7  h²hubeh}”(h]”Œbuild-time-configuration”ah ]”h"]”Œbuild time configuration”ah$]”h&]”uh1hòhja7  h²hh³hÇh´MÕubhó)”}”(hhh]”(hø)”}”(hŒBoot time configuration”h]”hŒBoot time configuration”…””}”(hjö7  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hjó7  h²hh³hÇh´Màubj(  )”}”(hŒÕIf the running kernel does not have ``landlock`` in ``CONFIG_LSM``, then we can
enable Landlock by adding ``lsm=landlock,[...]`` to
Documentation/admin-guide/kernel-parameters.rst in the boot loader
configuration.”h]”(hŒ$If the running kernel does not have ”…””}”(hj8  h²hh³Nh´NubjŽ  )”}”(hŒ``landlock``”h]”hŒlandlock”…””}”(hj8  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj8  ubhŒ in ”…””}”(hj8  h²hh³Nh´NubjŽ  )”}”(hŒ``CONFIG_LSM``”h]”hŒ
CONFIG_LSM”…””}”(hj8  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj8  ubhŒ(, then we can
enable Landlock by adding ”…””}”(hj8  h²hh³Nh´NubjŽ  )”}”(hŒ``lsm=landlock,[...]``”h]”hŒlsm=landlock,[...]”…””}”(hj08  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj8  ubhŒU to
Documentation/admin-guide/kernel-parameters.rst in the boot loader
configuration.”…””}”(hj8  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´Mâhjó7  h²hubj(  )”}”(hŒ6For example, if the current built-in configuration is:”h]”hŒ6For example, if the current built-in configuration is:”…””}”(hjH8  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´Mçhjó7  h²hubjò  )”}”(hŒ~$ zgrep -h "^CONFIG_LSM=" "/boot/config-$(uname -r)" /proc/config.gz 2>/dev/null
CONFIG_LSM="lockdown,yama,integrity,apparmor"”h]”hŒ~$ zgrep -h "^CONFIG_LSM=" "/boot/config-$(uname -r)" /proc/config.gz 2>/dev/null
CONFIG_LSM="lockdown,yama,integrity,apparmor"”…””}”hjV8  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆj  ‰j  Œconsole”j  }”uh1jñ  h³hÇh´Méhjó7  h²hubj(  )”}”(hŒ:...and if the cmdline doesn't contain ``landlock`` either:”h]”(hŒ(...and if the cmdline doesnâ€™t contain ”…””}”(hjf8  h²hh³Nh´NubjŽ  )”}”(hŒ``landlock``”h]”hŒlandlock”…””}”(hjn8  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjf8  ubhŒ either:”…””}”(hjf8  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´Mîhjó7  h²hubjò  )”}”(hŒW$ sed -n 's/.*\(\<lsm=\S\+\).*/\1/p' /proc/cmdline
lsm=lockdown,yama,integrity,apparmor”h]”hŒW$ sed -n 's/.*\(\<lsm=\S\+\).*/\1/p' /proc/cmdline
lsm=lockdown,yama,integrity,apparmor”…””}”hj†8  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆj  ‰j  Œconsole”j  }”uh1jñ  h³hÇh´Mðhjó7  h²hubj(  )”}”(hŒr...we should configure the boot loader to set a cmdline extending the ``lsm``
list with the ``landlock,`` prefix::”h]”(hŒF...we should configure the boot loader to set a cmdline extending the ”…””}”(hj–8  h²hh³Nh´NubjŽ  )”}”(hŒ``lsm``”h]”hŒlsm”…””}”(hjž8  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj–8  ubhŒ
list with the ”…””}”(hj–8  h²hh³Nh´NubjŽ  )”}”(hŒ``landlock,``”h]”hŒ	landlock,”…””}”(hj°8  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj–8  ubhŒ prefix:”…””}”(hj–8  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´Mõhjó7  h²hubjò  )”}”(hŒ-lsm=landlock,lockdown,yama,integrity,apparmor”h]”hŒ-lsm=landlock,lockdown,yama,integrity,apparmor”…””}”hjÈ8  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1jñ  h³hÇh´Møhjó7  h²hubj(  )”}”(hŒWAfter a reboot, we can check that Landlock is up and running by looking at
kernel logs:”h]”hŒWAfter a reboot, we can check that Landlock is up and running by looking at
kernel logs:”…””}”(hjÖ8  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´Múhjó7  h²hubjò  )”}”(hXa  # dmesg | grep landlock || journalctl -kb -g landlock
[    0.000000] Command line: [...] lsm=landlock,lockdown,yama,integrity,apparmor
[    0.000000] Kernel command line: [...] lsm=landlock,lockdown,yama,integrity,apparmor
[    0.000000] LSM: initializing lsm=lockdown,capability,landlock,yama,integrity,apparmor
[    0.000000] landlock: Up and running.”h]”hXa  # dmesg | grep landlock || journalctl -kb -g landlock
[    0.000000] Command line: [...] lsm=landlock,lockdown,yama,integrity,apparmor
[    0.000000] Kernel command line: [...] lsm=landlock,lockdown,yama,integrity,apparmor
[    0.000000] LSM: initializing lsm=lockdown,capability,landlock,yama,integrity,apparmor
[    0.000000] landlock: Up and running.”…””}”hjä8  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆj  ‰j  Œconsole”j  }”uh1jñ  h³hÇh´Mýhjó7  h²hubj(  )”}”(hŒýThe kernel may be configured at build time to always load the ``lockdown`` and
``capability`` LSMs.  In that case, these LSMs will appear at the beginning of
the ``LSM: initializing`` log line as well, even if they are not configured in
the boot loader.”h]”(hŒ>The kernel may be configured at build time to always load the ”…””}”(hjô8  h²hh³Nh´NubjŽ  )”}”(hŒ``lockdown``”h]”hŒlockdown”…””}”(hjü8  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjô8  ubhŒ and
”…””}”(hjô8  h²hh³Nh´NubjŽ  )”}”(hŒ``capability``”h]”hŒ
capability”…””}”(hj9  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjô8  ubhŒE LSMs.  In that case, these LSMs will appear at the beginning of
the ”…””}”(hjô8  h²hh³Nh´NubjŽ  )”}”(hŒ``LSM: initializing``”h]”hŒLSM: initializing”…””}”(hj 9  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjô8  ubhŒF log line as well, even if they are not configured in
the boot loader.”…””}”(hjô8  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´Mhjó7  h²hubeh}”(h]”Œboot-time-configuration”ah ]”h"]”Œboot time configuration”ah$]”h&]”uh1hòhja7  h²hh³hÇh´Màubhó)”}”(hhh]”(hø)”}”(hŒNetwork support”h]”hŒNetwork support”…””}”(hjC9  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hj@9  h²hh³hÇh´Mubj(  )”}”(hXB  To be able to explicitly allow TCP operations (e.g., adding a network rule with
``LANDLOCK_ACCESS_NET_BIND_TCP``), the kernel must support TCP
(``CONFIG_INET=y``).  Otherwise, sys_landlock_add_rule() returns an
``EAFNOSUPPORT`` error, which can safely be ignored because this kind of TCP
operation is already not possible.”h]”(hŒPTo be able to explicitly allow TCP operations (e.g., adding a network rule with
”…””}”(hjQ9  h²hh³Nh´NubjŽ  )”}”(hŒ ``LANDLOCK_ACCESS_NET_BIND_TCP``”h]”hŒLANDLOCK_ACCESS_NET_BIND_TCP”…””}”(hjY9  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjQ9  ubhŒ ), the kernel must support TCP
(”…””}”(hjQ9  h²hh³Nh´NubjŽ  )”}”(hŒ``CONFIG_INET=y``”h]”hŒCONFIG_INET=y”…””}”(hjk9  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjQ9  ubhŒ2).  Otherwise, sys_landlock_add_rule() returns an
”…””}”(hjQ9  h²hh³Nh´NubjŽ  )”}”(hŒ``EAFNOSUPPORT``”h]”hŒEAFNOSUPPORT”…””}”(hj}9  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjQ9  ubhŒ_ error, which can safely be ignored because this kind of TCP
operation is already not possible.”…””}”(hjQ9  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´Mhj@9  h²hubeh}”(h]”Œnetwork-support”ah ]”h"]”Œnetwork support”ah$]”h&]”uh1hòhja7  h²hh³hÇh´Mubeh}”(h]”(jP7  Œid2”eh ]”h"]”(Œkernel support”Œkernel_support”eh$]”h&]”uh1hòhhôh²hh³hÇh´MÒj¼
  }”j£9  jF7  sj¾
  }”jP7  jF7  subhó)”}”(hhh]”(hø)”}”(hŒQuestions and answers”h]”hŒQuestions and answers”…””}”(hj«9  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hj¨9  h²hh³hÇh´Mubhó)”}”(hhh]”(hø)”}”(hŒ'What about user space sandbox managers?”h]”hŒ'What about user space sandbox managers?”…””}”(hj¼9  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hj¹9  h²hh³hÇh´Mubj(  )”}”(hX6  Using user space processes to enforce restrictions on kernel resources can lead
to race conditions or inconsistent evaluations (i.e. `Incorrect mirroring of
the OS code and state
<https://www.ndss-symposium.org/ndss2003/traps-and-pitfalls-practical-problems-system-call-interposition-based-security-tools/>`_).”h]”(hŒ…Using user space processes to enforce restrictions on kernel resources can lead
to race conditions or inconsistent evaluations (i.e. ”…””}”(hjÊ9  h²hh³Nh´Nubj”  )”}”(hŒ¯`Incorrect mirroring of
the OS code and state
<https://www.ndss-symposium.org/ndss2003/traps-and-pitfalls-practical-problems-system-call-interposition-based-security-tools/>`_”h]”hŒ,Incorrect mirroring of
the OS code and state”…””}”(hjÒ9  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œ,Incorrect mirroring of the OS code and state”j¥  Œ}https://www.ndss-symposium.org/ndss2003/traps-and-pitfalls-practical-problems-system-call-interposition-based-security-tools/”uh1j“  hjÊ9  ubjL
  )”}”(hŒ€
<https://www.ndss-symposium.org/ndss2003/traps-and-pitfalls-practical-problems-system-call-interposition-based-security-tools/>”h]”h}”(h]”Œ,incorrect-mirroring-of-the-os-code-and-state”ah ]”h"]”Œ,incorrect mirroring of the os code and state”ah$]”h&]”Œrefuri”jâ9  uh1jK
  jª  KhjÊ9  ubhŒ).”…””}”(hjÊ9  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´Mhj¹9  h²hubeh}”(h]”Œ&what-about-user-space-sandbox-managers”ah ]”h"]”Œ'what about user space sandbox managers?”ah$]”h&]”uh1hòhj¨9  h²hh³hÇh´Mubhó)”}”(hhh]”(hø)”}”(hŒ%What about namespaces and containers?”h]”hŒ%What about namespaces and containers?”…””}”(hj:  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hj:  h²hh³hÇh´Mubj(  )”}”(hXj  Namespaces can help create sandboxes but they are not designed for
access-control and then miss useful features for such use case (e.g. no
fine-grained restrictions).  Moreover, their complexity can lead to security
issues, especially when untrusted processes can manipulate them (cf.
`Controlling access to user namespaces <https://lwn.net/Articles/673597/>`_).”h]”(hX  Namespaces can help create sandboxes but they are not designed for
access-control and then miss useful features for such use case (e.g. no
fine-grained restrictions).  Moreover, their complexity can lead to security
issues, especially when untrusted processes can manipulate them (cf.
”…””}”(hj:  h²hh³Nh´Nubj”  )”}”(hŒK`Controlling access to user namespaces <https://lwn.net/Articles/673597/>`_”h]”hŒ%Controlling access to user namespaces”…””}”(hj:  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œ%Controlling access to user namespaces”j¥  Œ https://lwn.net/Articles/673597/”uh1j“  hj:  ubjL
  )”}”(hŒ# <https://lwn.net/Articles/673597/>”h]”h}”(h]”Œ%controlling-access-to-user-namespaces”ah ]”h"]”Œ%controlling access to user namespaces”ah$]”h&]”Œrefuri”j+:  uh1jK
  jª  Khj:  ubhŒ).”…””}”(hj:  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´M!hj:  h²hubeh}”(h]”Œ$what-about-namespaces-and-containers”ah ]”h"]”Œ%what about namespaces and containers?”ah$]”h&]”uh1hòhj¨9  h²hh³hÇh´Mubhó)”}”(hhh]”(hø)”}”(hŒ&How to disable Landlock audit records?”h]”hŒ&How to disable Landlock audit records?”…””}”(hjN:  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hjK:  h²hh³hÇh´M(ubj(  )”}”(hŒdYou might want to put in place filters as explained here:
Documentation/admin-guide/LSM/landlock.rst”h]”hŒdYou might want to put in place filters as explained here:
Documentation/admin-guide/LSM/landlock.rst”…””}”(hj\:  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´M*hjK:  h²hubeh}”(h]”Œ%how-to-disable-landlock-audit-records”ah ]”h"]”Œ&how to disable landlock audit records?”ah$]”h&]”uh1hòhj¨9  h²hh³hÇh´M(ubeh}”(h]”Œquestions-and-answers”ah ]”h"]”Œquestions and answers”ah$]”h&]”uh1hòhhôh²hh³hÇh´Mubhó)”}”(hhh]”(hø)”}”(hŒAdditional documentation”h]”hŒAdditional documentation”…””}”(hj}:  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hjz:  h²hh³hÇh´M.ubjŸ  )”}”(hhh]”(j¤  )”}”(hŒ*Documentation/admin-guide/LSM/landlock.rst”h]”j(  )”}”(hj:  h]”hŒ*Documentation/admin-guide/LSM/landlock.rst”…””}”(hj’:  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´M0hjŽ:  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj‹:  h²hh³hÇh´Nubj¤  )”}”(hŒ#Documentation/security/landlock.rst”h]”j(  )”}”(hj§:  h]”hŒ#Documentation/security/landlock.rst”…””}”(hj©:  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´M1hj¥:  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj‹:  h²hh³hÇh´Nubj¤  )”}”(hŒhttps://landlock.io
”h]”j(  )”}”(hŒhttps://landlock.io”h]”j”  )”}”(hjÂ:  h]”hŒhttps://landlock.io”…””}”(hjÄ:  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”jÂ:  uh1j“  hjÀ:  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  h³hÇh´M2hj¼:  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j£  hj‹:  h²hh³hÇh´Nubeh}”(h]”h ]”h"]”h$]”h&]”j„  j…  uh1jž  h³hÇh´M0hjz:  h²hubh¶)”}”(hŒLinks”h]”hŒLinks”…””}”hjä:  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1hµhjz:  h²hh³hÇh´M4ubjL
  )”}”(hŒ‡.. _samples/landlock/sandboxer.c:
   https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/samples/landlock/sandboxer.c”•ô      h]”h}”(h]”Œsamples-landlock-sandboxer-c”ah ]”h"]”Œsamples/landlock/sandboxer.c”ah$]”h&]”j¥  j¦  uh1jK
  h´M5hjz:  h²hh³hÇjª  Kubeh}”(h]”Œadditional-documentation”ah ]”h"]”Œadditional documentation”ah$]”h&]”uh1hòhhôh²hh³hÇh´M.ubeh}”(h]”Œ$landlock-unprivileged-access-control”ah ]”h"]”Œ%landlock: unprivileged access control”ah$]”h&]”uh1hòhhh²hh³hÇh´Kubeh}”(h]”h ]”h"]”h$]”h&]”Œsource”hÇuh1hŒcurrent_source”NŒcurrent_line”NŒsettings”Œdocutils.frontend”ŒValues”“”)”}”(h÷NŒ	generator”NŒ	datestamp”NŒsource_link”NŒ
source_url”NŒtoc_backlinks”Œentry”Œfootnote_backlinks”KŒsectnum_xform”KŒstrip_comments”NŒstrip_elements_with_classes”NŒstrip_classes”NŒreport_level”KŒ
halt_level”KŒexit_status_level”KŒdebug”NŒwarning_stream”NŒ	traceback”ˆŒinput_encoding”Œ	utf-8-sig”Œinput_encoding_error_handler”Œstrict”Œoutput_encoding”Œutf-8”Œoutput_encoding_error_handler”j1;  Œerror_encoding”Œutf-8”Œerror_encoding_error_handler”Œbackslashreplace”Œlanguage_code”Œen”Œrecord_dependencies”NŒconfig”NŒ	id_prefix”hŒauto_id_prefix”Œid”Œdump_settings”NŒdump_internals”NŒdump_transforms”NŒdump_pseudo_xml”NŒexpose_internals”NŒstrict_visitor”NŒ_disable_config”NŒ_source”hÇŒ_destination”NŒ_config_files”]”Œ7/var/lib/git/docbuild/linux/Documentation/docutils.conf”aŒfile_insertion_enabled”ˆŒraw_enabled”KŒline_length_limit”M'Œpep_references”NŒpep_base_url”Œhttps://peps.python.org/”Œpep_file_url_template”Œpep-%04d”Œrfc_references”NŒrfc_base_url”Œ&https://datatracker.ietf.org/doc/html/”Œ	tab_width”KŒtrim_footnote_reference_space”‰Œsyntax_highlight”Œlong”Œsmart_quotes”ˆŒsmartquotes_locales”]”Œcharacter_level_inline_markup”‰Œdoctitle_xform”‰Œdocinfo_xform”KŒsectsubtitle_xform”‰Œimage_loading”Œlink”Œembed_stylesheet”‰Œcloak_email_addresses”ˆŒsection_self_link”‰Œenv”NubŒreporter”NŒindirect_targets”]”Œsubstitution_defs”}”Œsubstitution_names”}”Œrefnames”}”(Œsamples/landlock/sandboxer.c”]”j•  aŒptrace restrictions”]”(jÄ  jÑ2  eŒfilesystem flags”]”(j’  jØ  j])  eŒnetwork flags”]”(jà  jí*  eŒscope flags”]”j.  auŒrefids”}”(jn
  ]”jd
  ajP7  ]”jF7  auŒnameids”}”(j;  j;  jí	  jê	  j·  j´  j|  jy  j±  j®  jô  jñ  jl  ji  j§  j¤  j  j
  j(	  j%	  jå	  jâ	  j  j  jt
  jq
  jV
  jS
  j¹
  jn
  j¸
  jµ
  j  j  jÇ  jÄ  j^  j[  j¶  j³  j  j  j2  j2  j&  j#  jó  jð  j  j~  j  j  j:   j7   jï+  jì+  j2  j2  j_4  j\4  j‘2  jŽ2  j3  jÿ2  j)3  j&3  jP3  jM3  jW4  jT4  j^7  j[7  j©4  j¦4  jð4  jí4  j;5  j85  jª5  j§5  j	6  j6  jh6  je6  jÅ6  jÂ6  jþ6  jû6  jV7  jS7  j£9  jP7  j¢9  jŸ9  jð7  jí7  j=9  j:9  jš9  j—9  jw:  jt:  jÿ9  jü9  jì9  jé9  jH:  jE:  j5:  j2:  jo:  jl:  j;  j ;  jû:  jø:  uŒ	nametypes”}”(j;  ‰jí	  ‰j·  ‰j|  ‰j±  ‰jô  ‰jl  ‰j§  ‰j  ‰j(	  ‰jå	  ‰j  ‰jt
  ‰jV
  ˆj¹
  ˆj¸
  ‰j  ‰jÇ  ‰j^  ‰j¶  ‰j  ‰j2  ‰j&  ‰jó  ‰j  ‰j  ‰j:   ‰jï+  ‰j2  ‰j_4  ‰j‘2  ‰j3  ‰j)3  ‰jP3  ‰jW4  ‰j^7  ‰j©4  ‰jð4  ‰j;5  ‰jª5  ‰j	6  ‰jh6  ‰jÅ6  ‰jþ6  ‰jV7  ‰j£9  ˆj¢9  ‰jð7  ‰j=9  ‰jš9  ‰jw:  ‰jÿ9  ‰jì9  ˆjH:  ‰j5:  ˆjo:  ‰j;  ‰jû:  ˆuh}”(j;  hôjê	  jô  j´  j¶  jy  jº  j®  j  jñ  j´  ji  j÷  j¤  jo  j
  j«  j%	  j  jâ	  j+	  j  jð	  jq
  j
  jS
  jM
  jn
  jw
  jµ
  jw
  j  jÀ
  jÄ  j8  j[  jÊ  j³  ja  j  j¹  j2  j  j#  j,  jð  jo  j~  jö  j  j„  j7   j)  jI  jR  j´  jº  jì+  j=   jZ   j_   jü&  j'  j€(  j…(  j*  j*  j2  jò+  j,  j,  j\4  j 2  jŽ2  j12  jÿ2  j”2  j&3  j3  jM3  j,3  jT4  jS3  j[7  jb4  j¦4  js4  jí4  j¬4  j85  jó4  j§5  j>5  j6  j­5  je6  j6  jÂ6  jk6  jû6  jÈ6  jS7  j7  jP7  ja7  jŸ9  ja7  jí7  jr7  j:9  jó7  j—9  j@9  jt:  j¨9  jü9  j¹9  jé9  jã9  jE:  j:  j2:  j,:  jl:  jK:  j ;  jz:  jø:  jò:  uŒfootnote_refs”}”Œcitation_refs”}”Œautofootnotes”]”Œautofootnote_refs”]”Œsymbol_footnotes”]”Œsymbol_footnote_refs”]”Œ	footnotes”]”Œ	citations”]”Œautofootnote_start”KŒsymbol_footnote_start”K Œ
id_counter”Œcollections”ŒCounter”“”}”j?;  Ks…”R”Œparse_messages”]”Œtransform_messages”]”(hŒsystem_message”“”)”}”(hhh]”j(  )”}”(hhh]”hŒ;Hyperlink target "landlock-abi-versions" is not referenced.”…””}”hj¦;  sbah}”(h]”h ]”h"]”h$]”h&]”uh1j'  hj£;  ubah}”(h]”h ]”h"]”h$]”h&]”Œlevel”KŒtype”ŒINFO”Œsource”hÇŒline”M¼uh1j¡;  ubj¢;  )”}”(hhh]”j(  )”}”(hhh]”hŒ4Hyperlink target "kernel-support" is not referenced.”…””}”hjÁ;  sbah}”(h]”h ]”h"]”h$]”h&]”uh1j'  hj¾;  ubah}”(h]”h ]”h"]”h$]”h&]”Œlevel”KŒtype”j»;  Œsource”hÇŒline”MÏuh1j¡;  ubeŒtransformer”NŒinclude_log”]”Œ
decoration”Nh²hub.