€•      Œsphinx.addnodes”Œdocument”“”)”}”(Œ	rawsource”Œ ”Œchildren”]”(Œtranslations”ŒLanguagesNode”“”)”}”(hhh]”(h Œpending_xref”“”)”}”(hhh]”Œdocutils.nodes”ŒText”“”ŒChinese (Simplified)”…””}”Œparent”hsbaŒ
attributes”}”(Œids”]”Œclasses”]”Œnames”]”Œdupnames”]”Œbackrefs”]”Œ	refdomain”Œstd”Œreftype”Œdoc”Œ	reftarget”Œ*/translations/zh_CN/userspace-api/landlock”Œmodname”NŒ	classname”NŒrefexplicit”ˆuŒtagname”hhhubh)”}”(hhh]”hŒChinese (Traditional)”…””}”hh2sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ*/translations/zh_TW/userspace-api/landlock”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒItalian”…””}”hhFsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ*/translations/it_IT/userspace-api/landlock”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒJapanese”…””}”hhZsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ*/translations/ja_JP/userspace-api/landlock”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒKorean”…””}”hhnsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ*/translations/ko_KR/userspace-api/landlock”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒSpanish”…””}”hh‚sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ*/translations/sp_SP/userspace-api/landlock”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubeh}”(h]”h ]”h"]”h$]”h&]”Œcurrent_language”ŒEnglish”uh1h
hhŒ	_document”hŒsource”NŒline”NubhŒcomment”“”)”}”(hŒ SPDX-License-Identifier: GPL-2.0”h]”hŒ SPDX-License-Identifier: GPL-2.0”…””}”hh£sbah}”(h]”h ]”h"]”h$]”h&]”Œ	xml:space”Œpreserve”uh1h¡hhhžhhŸŒD/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock.rst”h Kubh¢)”}”(hŒ9Copyright Â© 2017-2020 MickaÃ«l SalaÃ¼n <mic@digikod.net>”h]”hŒ9Copyright Â© 2017-2020 MickaÃ«l SalaÃ¼n <mic@digikod.net>”…””}”hh´sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1h¡hhhžhhŸh³h Kubh¢)”}”(hŒCopyright Â© 2019-2020 ANSSI”h]”hŒCopyright Â© 2019-2020 ANSSI”…””}”hhÂsbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1h¡hhhžhhŸh³h Kubh¢)”}”(hŒ,Copyright Â© 2021-2022 Microsoft Corporation”h]”hŒ,Copyright Â© 2021-2022 Microsoft Corporation”…””}”hhÐsbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1h¡hhhžhhŸh³h KubhŒsection”“”)”}”(hhh]”(hŒtitle”“”)”}”(hŒ%Landlock: unprivileged access control”h]”hŒ%Landlock: unprivileged access control”…””}”(hhåhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhhàhžhhŸh³h KubhŒ
field_list”“”)”}”(hhh]”(hŒfield”“”)”}”(hhh]”(hŒ
field_name”“”)”}”(hŒAuthor”h]”hŒAuthor”…””}”(hhÿhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hýhhúhŸh³h K ubhŒ
field_body”“”)”}”(hŒMickaÃ«l SalaÃ¼n”h]”hŒ	paragraph”“”)”}”(hj  h]”hŒMickaÃ«l SalaÃ¼n”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h K
hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hhúubeh}”(h]”h ]”h"]”h$]”h&]”uh1høhŸh³h K
hhõhžhubhù)”}”(hhh]”(hþ)”}”(hŒDate”h]”hŒDate”…””}”(hj1  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hýhj.  hŸh³h K ubj  )”}”(hŒMarch 2025
”h]”j  )”}”(hŒ
March 2025”h]”hŒ
March 2025”…””}”(hjC  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Khj?  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj.  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1høhŸh³h Khhõhžhubeh}”(h]”h ]”h"]”h$]”h&]”uh1hóhhàhžhhŸh³h K
ubj  )”}”(hX  The goal of Landlock is to enable restriction of ambient rights (e.g. global
filesystem or network access) for a set of processes.  Because Landlock
is a stackable LSM, it makes it possible to create safe security sandboxes as
new security layers in addition to the existing system-wide access-controls.
This kind of sandbox is expected to help mitigate the security impact of bugs or
unexpected/malicious behaviors in user space applications.  Landlock empowers
any process, including unprivileged ones, to securely restrict themselves.”h]”hX  The goal of Landlock is to enable restriction of ambient rights (e.g. global
filesystem or network access) for a set of processes.  Because Landlock
is a stackable LSM, it makes it possible to create safe security sandboxes as
new security layers in addition to the existing system-wide access-controls.
This kind of sandbox is expected to help mitigate the security impact of bugs or
unexpected/malicious behaviors in user space applications.  Landlock empowers
any process, including unprivileged ones, to securely restrict themselves.”…””}”(hjc  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Khhàhžhubj  )”}”(hX¥  We can quickly make sure that Landlock is enabled in the running system by
looking for "landlock: Up and running" in kernel logs (as root):
``dmesg | grep landlock || journalctl -kb -g landlock`` .
Developers can also easily check for Landlock support with a
:ref:`related system call <landlock_abi_versions>`.
If Landlock is not currently supported, we need to
:ref:`configure the kernel appropriately <kernel_support>`.”h]”(hŒWe can quickly make sure that Landlock is enabled in the running system by
looking for â€œlandlock: Up and runningâ€ in kernel logs (as root):
”…””}”(hjq  hžhhŸNh NubhŒliteral”“”)”}”(hŒ7``dmesg | grep landlock || journalctl -kb -g landlock``”h]”hŒ3dmesg | grep landlock || journalctl -kb -g landlock”…””}”(hj{  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjq  ubhŒ@ .
Developers can also easily check for Landlock support with a
”…””}”(hjq  hžhhŸNh Nubh)”}”(hŒ2:ref:`related system call <landlock_abi_versions>`”h]”hŒinline”“”)”}”(hj  h]”hŒrelated system call”…””}”(hj“  hžhhŸNh Nubah}”(h]”h ]”(Œxref”Œstd”Œstd-ref”eh"]”h$]”h&]”uh1j‘  hj  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”Œuserspace-api/landlock”Œ	refdomain”jž  Œreftype”Œref”Œrefexplicit”ˆŒrefwarn”ˆŒ	reftarget”Œlandlock_abi_versions”uh1hhŸh³h Khjq  ubhŒ5.
If Landlock is not currently supported, we need to
”…””}”(hjq  hžhhŸNh Nubh)”}”(hŒ::ref:`configure the kernel appropriately <kernel_support>`”h]”j’  )”}”(hj¸  h]”hŒ"configure the kernel appropriately”…””}”(hjº  hžhhŸNh Nubah}”(h]”h ]”(j  Œstd”Œstd-ref”eh"]”h$]”h&]”uh1j‘  hj¶  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”jª  Œ	refdomain”jÄ  Œreftype”Œref”Œrefexplicit”ˆŒrefwarn”ˆj°  Œkernel_support”uh1hhŸh³h Khjq  ubhŒ.”…””}”(hjq  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Khhàhžhubhß)”}”(hhh]”(hä)”}”(hŒLandlock rules”h]”hŒLandlock rules”…””}”(hjã  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhjà  hžhhŸh³h Kubj  )”}”(hŒÌA Landlock rule describes an action on an object which the process intends to
perform.  A set of rules is aggregated in a ruleset, which can then restrict
the thread enforcing it, and its future children.”h]”hŒÌA Landlock rule describes an action on an object which the process intends to
perform.  A set of rules is aggregated in a ruleset, which can then restrict
the thread enforcing it, and its future children.”…””}”(hjñ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h K hjà  hžhubj  )”}”(hŒ$The two existing types of rules are:”h]”hŒ$The two existing types of rules are:”…””}”(hjÿ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h K$hjà  hžhubhŒdefinition_list”“”)”}”(hhh]”(hŒdefinition_list_item”“”)”}”(hŒ’Filesystem rules
For these rules, the object is a file hierarchy,
and the related filesystem actions are defined with
`filesystem access rights`.
”h]”(hŒterm”“”)”}”(hŒFilesystem rules”h]”hŒFilesystem rules”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h K)hj  ubhŒ
definition”“”)”}”(hhh]”j  )”}”(hŒ€For these rules, the object is a file hierarchy,
and the related filesystem actions are defined with
`filesystem access rights`.”h]”(hŒeFor these rules, the object is a file hierarchy,
and the related filesystem actions are defined with
”…””}”(hj-  hžhhŸNh NubhŒtitle_reference”“”)”}”(hŒ`filesystem access rights`”h]”hŒfilesystem access rights”…””}”(hj7  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j5  hj-  ubhŒ.”…””}”(hj-  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h K'hj*  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j(  hj  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h K)hj  ubj  )”}”(hŒŠNetwork rules (since ABI v4)
For these rules, the object is a TCP port,
and the related actions are defined with `network access rights`.
”h]”(j  )”}”(hŒNetwork rules (since ABI v4)”h]”hŒNetwork rules (since ABI v4)”…””}”(hj_  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h K-hj[  ubj)  )”}”(hhh]”j  )”}”(hŒlFor these rules, the object is a TCP port,
and the related actions are defined with `network access rights`.”h]”(hŒTFor these rules, the object is a TCP port,
and the related actions are defined with ”…””}”(hjp  hžhhŸNh Nubj6  )”}”(hŒ`network access rights`”h]”hŒnetwork access rights”…””}”(hjx  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j5  hjp  ubhŒ.”…””}”(hjp  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h K,hjm  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j(  hj[  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h K-hj  hžhubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hjà  hžhhŸh³h Nubhß)”}”(hhh]”(hä)”}”(hŒ(Defining and enforcing a security policy”h]”hŒ(Defining and enforcing a security policy”…””}”(hj¥  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhj¢  hžhhŸh³h K0ubj  )”}”(hŒ@We first need to define the ruleset that will contain our rules.”h]”hŒ@We first need to define the ruleset that will contain our rules.”…””}”(hj³  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h K2hj¢  hžhubj  )”}”(hŒÀFor this example, the ruleset will contain rules that only allow filesystem
read actions and establish a specific TCP connection. Filesystem write
actions and other TCP actions will be denied.”h]”hŒÀFor this example, the ruleset will contain rules that only allow filesystem
read actions and establish a specific TCP connection. Filesystem write
actions and other TCP actions will be denied.”…””}”(hjÁ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h K4hj¢  hžhubj  )”}”(hX  The ruleset then needs to handle both these kinds of actions.  This is
required for backward and forward compatibility (i.e. the kernel and user
space may not know each other's supported restrictions), hence the need
to be explicit about the denied-by-default access rights.”h]”hX  The ruleset then needs to handle both these kinds of actions.  This is
required for backward and forward compatibility (i.e. the kernel and user
space may not know each otherâ€™s supported restrictions), hence the need
to be explicit about the denied-by-default access rights.”…””}”(hjÏ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h K8hj¢  hžhubhŒliteral_block”“”)”}”(hXw  struct landlock_ruleset_attr ruleset_attr = {
    .handled_access_fs =
        LANDLOCK_ACCESS_FS_EXECUTE |
        LANDLOCK_ACCESS_FS_WRITE_FILE |
        LANDLOCK_ACCESS_FS_READ_FILE |
        LANDLOCK_ACCESS_FS_READ_DIR |
        LANDLOCK_ACCESS_FS_REMOVE_DIR |
        LANDLOCK_ACCESS_FS_REMOVE_FILE |
        LANDLOCK_ACCESS_FS_MAKE_CHAR |
        LANDLOCK_ACCESS_FS_MAKE_DIR |
        LANDLOCK_ACCESS_FS_MAKE_REG |
        LANDLOCK_ACCESS_FS_MAKE_SOCK |
        LANDLOCK_ACCESS_FS_MAKE_FIFO |
        LANDLOCK_ACCESS_FS_MAKE_BLOCK |
        LANDLOCK_ACCESS_FS_MAKE_SYM |
        LANDLOCK_ACCESS_FS_REFER |
        LANDLOCK_ACCESS_FS_TRUNCATE |
        LANDLOCK_ACCESS_FS_IOCTL_DEV,
    .handled_access_net =
        LANDLOCK_ACCESS_NET_BIND_TCP |
        LANDLOCK_ACCESS_NET_CONNECT_TCP,
    .scoped =
        LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
        LANDLOCK_SCOPE_SIGNAL,
};”h]”hXw  struct landlock_ruleset_attr ruleset_attr = {
    .handled_access_fs =
        LANDLOCK_ACCESS_FS_EXECUTE |
        LANDLOCK_ACCESS_FS_WRITE_FILE |
        LANDLOCK_ACCESS_FS_READ_FILE |
        LANDLOCK_ACCESS_FS_READ_DIR |
        LANDLOCK_ACCESS_FS_REMOVE_DIR |
        LANDLOCK_ACCESS_FS_REMOVE_FILE |
        LANDLOCK_ACCESS_FS_MAKE_CHAR |
        LANDLOCK_ACCESS_FS_MAKE_DIR |
        LANDLOCK_ACCESS_FS_MAKE_REG |
        LANDLOCK_ACCESS_FS_MAKE_SOCK |
        LANDLOCK_ACCESS_FS_MAKE_FIFO |
        LANDLOCK_ACCESS_FS_MAKE_BLOCK |
        LANDLOCK_ACCESS_FS_MAKE_SYM |
        LANDLOCK_ACCESS_FS_REFER |
        LANDLOCK_ACCESS_FS_TRUNCATE |
        LANDLOCK_ACCESS_FS_IOCTL_DEV,
    .handled_access_net =
        LANDLOCK_ACCESS_NET_BIND_TCP |
        LANDLOCK_ACCESS_NET_CONNECT_TCP,
    .scoped =
        LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
        LANDLOCK_SCOPE_SIGNAL,
};”…””}”hjß  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²Œforce”‰Œlanguage”Œc”Œhighlight_args”}”uh1jÝ  hŸh³h K=hj¢  hžhubj  )”}”(hŒçBecause we may not know which kernel version an application will be executed
on, it is safer to follow a best-effort security approach.  Indeed, we
should try to protect users as much as possible whatever the kernel they are
using.”h]”hŒçBecause we may not know which kernel version an application will be executed
on, it is safer to follow a best-effort security approach.  Indeed, we
should try to protect users as much as possible whatever the kernel they are
using.”…””}”(hjò  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h KYhj¢  hžhubj  )”}”(hŒTo be compatible with older Linux versions, we detect the available Landlock ABI
version, and only use the available subset of access rights:”h]”hŒTo be compatible with older Linux versions, we detect the available Landlock ABI
version, and only use the available subset of access rights:”…””}”(hj   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h K^hj¢  hžhubjÞ  )”}”(hXu  int abi;

abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
if (abi < 0) {
    /* Degrades gracefully if Landlock is not handled. */
    perror("The running kernel does not enable to use Landlock");
    return 0;
}
switch (abi) {
case 1:
    /* Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2 */
    ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
    __attribute__((fallthrough));
case 2:
    /* Removes LANDLOCK_ACCESS_FS_TRUNCATE for ABI < 3 */
    ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
    __attribute__((fallthrough));
case 3:
    /* Removes network support for ABI < 4 */
    ruleset_attr.handled_access_net &=
        ~(LANDLOCK_ACCESS_NET_BIND_TCP |
          LANDLOCK_ACCESS_NET_CONNECT_TCP);
    __attribute__((fallthrough));
case 4:
    /* Removes LANDLOCK_ACCESS_FS_IOCTL_DEV for ABI < 5 */
    ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV;
    __attribute__((fallthrough));
case 5:
    /* Removes LANDLOCK_SCOPE_* for ABI < 6 */
    ruleset_attr.scoped &= ~(LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
                             LANDLOCK_SCOPE_SIGNAL);
}”h]”hXu  int abi;

abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
if (abi < 0) {
    /* Degrades gracefully if Landlock is not handled. */
    perror("The running kernel does not enable to use Landlock");
    return 0;
}
switch (abi) {
case 1:
    /* Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2 */
    ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
    __attribute__((fallthrough));
case 2:
    /* Removes LANDLOCK_ACCESS_FS_TRUNCATE for ABI < 3 */
    ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
    __attribute__((fallthrough));
case 3:
    /* Removes network support for ABI < 4 */
    ruleset_attr.handled_access_net &=
        ~(LANDLOCK_ACCESS_NET_BIND_TCP |
          LANDLOCK_ACCESS_NET_CONNECT_TCP);
    __attribute__((fallthrough));
case 4:
    /* Removes LANDLOCK_ACCESS_FS_IOCTL_DEV for ABI < 5 */
    ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV;
    __attribute__((fallthrough));
case 5:
    /* Removes LANDLOCK_SCOPE_* for ABI < 6 */
    ruleset_attr.scoped &= ~(LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
                             LANDLOCK_SCOPE_SIGNAL);
}”…””}”hj  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²jí  ‰jî  jï  jð  }”uh1jÝ  hŸh³h Kahj¢  hžhubj  )”}”(hŒNThis enables the creation of an inclusive ruleset that will contain our rules.”h]”hŒNThis enables the creation of an inclusive ruleset that will contain our rules.”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h K„hj¢  hžhubjÞ  )”}”(hŒ®int ruleset_fd;

ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
if (ruleset_fd < 0) {
    perror("Failed to create a ruleset");
    return 1;
}”h]”hŒ®int ruleset_fd;

ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
if (ruleset_fd < 0) {
    perror("Failed to create a ruleset");
    return 1;
}”…””}”hj+  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²jí  ‰jî  jï  jð  }”uh1jÝ  hŸh³h K†hj¢  hžhubj  )”}”(hX„  We can now add a new rule to this ruleset thanks to the returned file
descriptor referring to this ruleset.  The rule will only allow reading the
file hierarchy ``/usr``.  Without another rule, write actions would then be
denied by the ruleset.  To add ``/usr`` to the ruleset, we open it with the
``O_PATH`` flag and fill the &struct landlock_path_beneath_attr with this file
descriptor.”h]”(hŒ¡We can now add a new rule to this ruleset thanks to the returned file
descriptor referring to this ruleset.  The rule will only allow reading the
file hierarchy ”…””}”(hj:  hžhhŸNh Nubjz  )”}”(hŒ``/usr``”h]”hŒ/usr”…””}”(hjB  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj:  ubhŒT.  Without another rule, write actions would then be
denied by the ruleset.  To add ”…””}”(hj:  hžhhŸNh Nubjz  )”}”(hŒ``/usr``”h]”hŒ/usr”…””}”(hjT  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj:  ubhŒ% to the ruleset, we open it with the
”…””}”(hj:  hžhhŸNh Nubjz  )”}”(hŒ
``O_PATH``”h]”hŒO_PATH”…””}”(hjf  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj:  ubhŒP flag and fill the &struct landlock_path_beneath_attr with this file
descriptor.”…””}”(hj:  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Khj¢  hžhubjÞ  )”}”(hXQ  int err;
struct landlock_path_beneath_attr path_beneath = {
    .allowed_access =
        LANDLOCK_ACCESS_FS_EXECUTE |
        LANDLOCK_ACCESS_FS_READ_FILE |
        LANDLOCK_ACCESS_FS_READ_DIR,
};

path_beneath.parent_fd = open("/usr", O_PATH | O_CLOEXEC);
if (path_beneath.parent_fd < 0) {
    perror("Failed to open file");
    close(ruleset_fd);
    return 1;
}
err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
                        &path_beneath, 0);
close(path_beneath.parent_fd);
if (err) {
    perror("Failed to update ruleset");
    close(ruleset_fd);
    return 1;
}”h]”hXQ  int err;
struct landlock_path_beneath_attr path_beneath = {
    .allowed_access =
        LANDLOCK_ACCESS_FS_EXECUTE |
        LANDLOCK_ACCESS_FS_READ_FILE |
        LANDLOCK_ACCESS_FS_READ_DIR,
};

path_beneath.parent_fd = open("/usr", O_PATH | O_CLOEXEC);
if (path_beneath.parent_fd < 0) {
    perror("Failed to open file");
    close(ruleset_fd);
    return 1;
}
err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
                        &path_beneath, 0);
close(path_beneath.parent_fd);
if (err) {
    perror("Failed to update ruleset");
    close(ruleset_fd);
    return 1;
}”…””}”hj~  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²jí  ‰jî  jï  jð  }”uh1jÝ  hŸh³h K—hj¢  hžhubj  )”}”(hX'  It may also be required to create rules following the same logic as explained
for the ruleset creation, by filtering access rights according to the Landlock
ABI version.  In this example, this is not required because all of the requested
``allowed_access`` rights are already available in ABI 1.”h]”(hŒîIt may also be required to create rules following the same logic as explained
for the ruleset creation, by filtering access rights according to the Landlock
ABI version.  In this example, this is not required because all of the requested
”…””}”(hj  hžhhŸNh Nubjz  )”}”(hŒ``allowed_access``”h]”hŒallowed_access”…””}”(hj•  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj  ubhŒ' rights are already available in ABI 1.”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h K°hj¢  hžhubj  )”}”(hŒFor network access-control, we can add a set of rules that allow to use a port
number for a specific action: HTTPS connections.”h]”hŒFor network access-control, we can add a set of rules that allow to use a port
number for a specific action: HTTPS connections.”…””}”(hj­  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Kµhj¢  hžhubjÞ  )”}”(hŒÙstruct landlock_net_port_attr net_port = {
    .allowed_access = LANDLOCK_ACCESS_NET_CONNECT_TCP,
    .port = 443,
};

err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
                        &net_port, 0);”h]”hŒÙstruct landlock_net_port_attr net_port = {
    .allowed_access = LANDLOCK_ACCESS_NET_CONNECT_TCP,
    .port = 443,
};

err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
                        &net_port, 0);”…””}”hj»  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²jí  ‰jî  jï  jð  }”uh1jÝ  hŸh³h K¸hj¢  hžhubj  )”}”(hX!  The next step is to restrict the current thread from gaining more privileges
(e.g. through a SUID binary).  We now have a ruleset with the first rule
allowing read access to ``/usr`` while denying all other handled accesses for
the filesystem, and a second rule allowing HTTPS connections.”h]”(hŒ®The next step is to restrict the current thread from gaining more privileges
(e.g. through a SUID binary).  We now have a ruleset with the first rule
allowing read access to ”…””}”(hjÊ  hžhhŸNh Nubjz  )”}”(hŒ``/usr``”h]”hŒ/usr”…””}”(hjÒ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjÊ  ubhŒk while denying all other handled accesses for
the filesystem, and a second rule allowing HTTPS connections.”…””}”(hjÊ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h KÂhj¢  hžhubjÞ  )”}”(hŒif (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
    perror("Failed to restrict privileges");
    close(ruleset_fd);
    return 1;
}”h]”hŒif (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
    perror("Failed to restrict privileges");
    close(ruleset_fd);
    return 1;
}”…””}”hjê  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²jí  ‰jî  jï  jð  }”uh1jÝ  hŸh³h KÇhj¢  hžhubj  )”}”(hŒCThe current thread is now ready to sandbox itself with the ruleset.”h]”hŒCThe current thread is now ready to sandbox itself with the ruleset.”…””}”(hjù  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h KÏhj¢  hžhubjÞ  )”}”(hŒif (landlock_restrict_self(ruleset_fd, 0)) {
    perror("Failed to enforce ruleset");
    close(ruleset_fd);
    return 1;
}
close(ruleset_fd);”h]”hŒif (landlock_restrict_self(ruleset_fd, 0)) {
    perror("Failed to enforce ruleset");
    close(ruleset_fd);
    return 1;
}
close(ruleset_fd);”…””}”hj  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²jí  ‰jî  jï  jð  }”uh1jÝ  hŸh³h KÑhj¢  hžhubj  )”}”(hXœ  If the ``landlock_restrict_self`` system call succeeds, the current thread is
now restricted and this policy will be enforced on all its subsequently created
children as well.  Once a thread is landlocked, there is no way to remove its
security policy; only adding more restrictions is allowed.  These threads are
now in a new Landlock domain, which is a merger of their parent one (if any)
with the new ruleset.”h]”(hŒIf the ”…””}”(hj  hžhhŸNh Nubjz  )”}”(hŒ``landlock_restrict_self``”h]”hŒlandlock_restrict_self”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj  ubhX{   system call succeeds, the current thread is
now restricted and this policy will be enforced on all its subsequently created
children as well.  Once a thread is landlocked, there is no way to remove its
security policy; only adding more restrictions is allowed.  These threads are
now in a new Landlock domain, which is a merger of their parent one (if any)
with the new ruleset.”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h KÚhj¢  hžhubj  )”}”(hŒBFull working code can be found in `samples/landlock/sandboxer.c`_.”h]”(hŒ"Full working code can be found in ”…””}”(hj6  hžhhŸNh NubhŒ	reference”“”)”}”(hŒ`samples/landlock/sandboxer.c`_”h]”hŒsamples/landlock/sandboxer.c”…””}”(hj@  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œsamples/landlock/sandboxer.c”Œrefuri”Œbhttps://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/samples/landlock/sandboxer.c”uh1j>  hj6  Œresolved”KubhŒ.”…””}”(hj6  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Káhj¢  hžhubeh}”(h]”Œ(defining-and-enforcing-a-security-policy”ah ]”h"]”Œ(defining and enforcing a security policy”ah$]”h&]”uh1hÞhjà  hžhhŸh³h K0ubhß)”}”(hhh]”(hä)”}”(hŒGood practices”h]”hŒGood practices”…””}”(hjh  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhje  hžhhŸh³h Käubj  )”}”(hXü  It is recommended to set access rights to file hierarchy leaves as much as
possible.  For instance, it is better to be able to have ``~/doc/`` as a
read-only hierarchy and ``~/tmp/`` as a read-write hierarchy, compared to
``~/`` as a read-only hierarchy and ``~/tmp/`` as a read-write hierarchy.
Following this good practice leads to self-sufficient hierarchies that do not
depend on their location (i.e. parent directories).  This is particularly
relevant when we want to allow linking or renaming.  Indeed, having consistent
access rights per directory enables changing the location of such directories
without relying on the destination directory access rights (except those that
are required for this operation, see ``LANDLOCK_ACCESS_FS_REFER``
documentation).”h]”(hŒ„It is recommended to set access rights to file hierarchy leaves as much as
possible.  For instance, it is better to be able to have ”…””}”(hjv  hžhhŸNh Nubjz  )”}”(hŒ
``~/doc/``”h]”hŒ~/doc/”…””}”(hj~  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjv  ubhŒ as a
read-only hierarchy and ”…””}”(hjv  hžhhŸNh Nubjz  )”}”(hŒ
``~/tmp/``”h]”hŒ~/tmp/”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjv  ubhŒ( as a read-write hierarchy, compared to
”…””}”(hjv  hžhhŸNh Nubjz  )”}”(hŒ``~/``”h]”hŒ~/”…””}”(hj¢  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjv  ubhŒ as a read-only hierarchy and ”…””}”(hjv  hžhhŸNh Nubjz  )”}”(hŒ
``~/tmp/``”h]”hŒ~/tmp/”…””}”(hj´  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjv  ubhXÄ   as a read-write hierarchy.
Following this good practice leads to self-sufficient hierarchies that do not
depend on their location (i.e. parent directories).  This is particularly
relevant when we want to allow linking or renaming.  Indeed, having consistent
access rights per directory enables changing the location of such directories
without relying on the destination directory access rights (except those that
are required for this operation, see ”…””}”(hjv  hžhhŸNh Nubjz  )”}”(hŒ``LANDLOCK_ACCESS_FS_REFER``”h]”hŒLANDLOCK_ACCESS_FS_REFER”…””}”(hjÆ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjv  ubhŒ
documentation).”…””}”(hjv  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Kæhje  hžhubj  )”}”(hX  Having self-sufficient hierarchies also helps to tighten the required access
rights to the minimal set of data.  This also helps avoid sinkhole directories,
i.e. directories where data can be linked to but not linked from.  However,
this depends on data organization, which might not be controlled by developers.
In this case, granting read-write access to ``~/tmp/``, instead of write-only
access, would potentially allow moving ``~/tmp/`` to a non-readable directory
and still keep the ability to list the content of ``~/tmp/``.”h]”(hXe  Having self-sufficient hierarchies also helps to tighten the required access
rights to the minimal set of data.  This also helps avoid sinkhole directories,
i.e. directories where data can be linked to but not linked from.  However,
this depends on data organization, which might not be controlled by developers.
In this case, granting read-write access to ”…””}”(hjÞ  hžhhŸNh Nubjz  )”}”(hŒ
``~/tmp/``”h]”hŒ~/tmp/”…””}”(hjæ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjÞ  ubhŒ?, instead of write-only
access, would potentially allow moving ”…””}”(hjÞ  hžhhŸNh Nubjz  )”}”(hŒ
``~/tmp/``”h]”hŒ~/tmp/”…””}”(hjø  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjÞ  ubhŒO to a non-readable directory
and still keep the ability to list the content of ”…””}”(hjÞ  hžhhŸNh Nubjz  )”}”(hŒ
``~/tmp/``”h]”hŒ~/tmp/”…””}”(hj
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjÞ  ubhŒ.”…””}”(hjÞ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Kòhje  hžhubeh}”(h]”Œgood-practices”ah ]”h"]”Œgood practices”ah$]”h&]”uh1hÞhjà  hžhhŸh³h Käubhß)”}”(hhh]”(hä)”}”(hŒ!Layers of file path access rights”h]”hŒ!Layers of file path access rights”…””}”(hj-  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhj*  hžhhŸh³h Kûubj  )”}”(hX6  Each time a thread enforces a ruleset on itself, it updates its Landlock domain
with a new layer of policy.  This complementary policy is stacked with any
other rulesets potentially already restricting this thread.  A sandboxed thread
can then safely add more constraints to itself with a new enforced ruleset.”h]”hX6  Each time a thread enforces a ruleset on itself, it updates its Landlock domain
with a new layer of policy.  This complementary policy is stacked with any
other rulesets potentially already restricting this thread.  A sandboxed thread
can then safely add more constraints to itself with a new enforced ruleset.”…””}”(hj;  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Kýhj*  hžhubj  )”}”(hX9  One policy layer grants access to a file path if at least one of its rules
encountered on the path grants the access.  A sandboxed thread can only access
a file path if all its enforced policy layers grant the access as well as all
the other system access controls (e.g. filesystem DAC, other LSM policies,
etc.).”h]”hX9  One policy layer grants access to a file path if at least one of its rules
encountered on the path grants the access.  A sandboxed thread can only access
a file path if all its enforced policy layers grant the access as well as all
the other system access controls (e.g. filesystem DAC, other LSM policies,
etc.).”…””}”(hjI  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Mhj*  hžhubeh}”(h]”Œ!layers-of-file-path-access-rights”ah ]”h"]”Œ!layers of file path access rights”ah$]”h&]”uh1hÞhjà  hžhhŸh³h Kûubhß)”}”(hhh]”(hä)”}”(hŒBind mounts and OverlayFS”h]”hŒBind mounts and OverlayFS”…””}”(hjb  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhj_  hžhhŸh³h M	ubj  )”}”(hŒèLandlock enables restricting access to file hierarchies, which means that these
access rights can be propagated with bind mounts (cf.
Documentation/filesystems/sharedsubtree.rst) but not with
Documentation/filesystems/overlayfs.rst.”h]”hŒèLandlock enables restricting access to file hierarchies, which means that these
access rights can be propagated with bind mounts (cf.
Documentation/filesystems/sharedsubtree.rst) but not with
Documentation/filesystems/overlayfs.rst.”…””}”(hjp  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Mhj_  hžhubj  )”}”(hX²  A bind mount mirrors a source file hierarchy to a destination.  The destination
hierarchy is then composed of the exact same files, on which Landlock rules can
be tied, either via the source or the destination path.  These rules restrict
access when they are encountered on a path, which means that they can restrict
access to multiple file hierarchies at the same time, whether these hierarchies
are the result of bind mounts or not.”h]”hX²  A bind mount mirrors a source file hierarchy to a destination.  The destination
hierarchy is then composed of the exact same files, on which Landlock rules can
be tied, either via the source or the destination path.  These rules restrict
access when they are encountered on a path, which means that they can restrict
access to multiple file hierarchies at the same time, whether these hierarchies
are the result of bind mounts or not.”…””}”(hj~  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Mhj_  hžhubj  )”}”(hXø  An OverlayFS mount point consists of upper and lower layers.  These layers are
combined in a merge directory, and that merged directory becomes available at
the mount point.  This merge hierarchy may include files from the upper and
lower layers, but modifications performed on the merge hierarchy only reflect
on the upper layer.  From a Landlock policy point of view, all OverlayFS layers
and merge hierarchies are standalone and each contains their own set of files
and directories, which is different from bind mounts.  A policy restricting an
OverlayFS layer will not restrict the resulted merged hierarchy, and vice versa.
Landlock users should then only think about file hierarchies they want to allow
access to, regardless of the underlying filesystem.”h]”hXø  An OverlayFS mount point consists of upper and lower layers.  These layers are
combined in a merge directory, and that merged directory becomes available at
the mount point.  This merge hierarchy may include files from the upper and
lower layers, but modifications performed on the merge hierarchy only reflect
on the upper layer.  From a Landlock policy point of view, all OverlayFS layers
and merge hierarchies are standalone and each contains their own set of files
and directories, which is different from bind mounts.  A policy restricting an
OverlayFS layer will not restrict the resulted merged hierarchy, and vice versa.
Landlock users should then only think about file hierarchies they want to allow
access to, regardless of the underlying filesystem.”…””}”(hjŒ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Mhj_  hžhubeh}”(h]”Œbind-mounts-and-overlayfs”ah ]”h"]”Œbind mounts and overlayfs”ah$]”h&]”uh1hÞhjà  hžhhŸh³h M	ubhß)”}”(hhh]”(hä)”}”(hŒInheritance”h]”hŒInheritance”…””}”(hj¥  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhj¢  hžhhŸh³h M#ubj  )”}”(hX×  Every new thread resulting from a :manpage:`clone(2)` inherits Landlock domain
restrictions from its parent.  This is similar to seccomp inheritance (cf.
Documentation/userspace-api/seccomp_filter.rst) or any other LSM dealing with
task's :manpage:`credentials(7)`.  For instance, one process's thread may apply
Landlock rules to itself, but they will not be automatically applied to other
sibling threads (unlike POSIX thread credential changes, cf.
:manpage:`nptl(7)`).”h]”(hŒ"Every new thread resulting from a ”…””}”(hj³  hžhhŸNh Nubh Œmanpage”“”)”}”(hŒ:manpage:`clone(2)`”h]”hŒclone(2)”…””}”(hj½  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²Œpath”Œclone(2)”Œpage”Œclone”Œsection”Œ2”uh1j»  hj³  ubhŒ¼ inherits Landlock domain
restrictions from its parent.  This is similar to seccomp inheritance (cf.
Documentation/userspace-api/seccomp_filter.rst) or any other LSM dealing with
taskâ€™s ”…””}”(hj³  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`credentials(7)`”h]”hŒcredentials(7)”…””}”(hjÕ  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œcredentials(7)”jÍ  Œcredentials”jÏ  Œ7”uh1j»  hj³  ubhŒ½.  For instance, one processâ€™s thread may apply
Landlock rules to itself, but they will not be automatically applied to other
sibling threads (unlike POSIX thread credential changes, cf.
”…””}”(hj³  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`nptl(7)`”h]”hŒnptl(7)”…””}”(hjê  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œnptl(7)”jÍ  Œnptl”jÏ  jå  uh1j»  hj³  ubhŒ).”…””}”(hj³  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h M%hj¢  hžhubj  )”}”(hX?  When a thread sandboxes itself, we have the guarantee that the related security
policy will stay enforced on all this thread's descendants.  This allows
creating standalone and modular security policies per application, which will
automatically be composed between themselves according to their runtime parent
policies.”h]”hXA  When a thread sandboxes itself, we have the guarantee that the related security
policy will stay enforced on all this threadâ€™s descendants.  This allows
creating standalone and modular security policies per application, which will
automatically be composed between themselves according to their runtime parent
policies.”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h M-hj¢  hžhubeh}”(h]”Œinheritance”ah ]”h"]”Œinheritance”ah$]”h&]”uh1hÞhjà  hžhhŸh³h M#ubhß)”}”(hhh]”(hä)”}”(hŒPtrace restrictions”h]”hŒPtrace restrictions”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhj  hžhhŸh³h M4ubj  )”}”(hX  A sandboxed process has less privileges than a non-sandboxed process and must
then be subject to additional restrictions when manipulating another process.
To be allowed to use :manpage:`ptrace(2)` and related syscalls on a target
process, a sandboxed process should have a superset of the target process's
access rights, which means the tracee must be in a sub-domain of the tracer.”h]”(hŒ±A sandboxed process has less privileges than a non-sandboxed process and must
then be subject to additional restrictions when manipulating another process.
To be allowed to use ”…””}”(hj+  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`ptrace(2)`”h]”hŒ	ptrace(2)”…””}”(hj3  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œ	ptrace(2)”jÍ  Œptrace”jÏ  jÐ  uh1j»  hj+  ubhŒ¼ and related syscalls on a target
process, a sandboxed process should have a superset of the target processâ€™s
access rights, which means the tracee must be in a sub-domain of the tracer.”…””}”(hj+  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h M6hj  hžhubeh}”(h]”Œptrace-restrictions”ah ]”h"]”Œptrace restrictions”ah$]”h&]”uh1hÞhjà  hžhhŸh³h M4Œ
referenced”Kubhß)”}”(hhh]”(hä)”}”(hŒIPC scoping”h]”hŒIPC scoping”…””}”(hjY  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhjV  hžhhŸh³h M=ubj  )”}”(hX`  Similar to the implicit `Ptrace restrictions`_, we may want to further restrict
interactions between sandboxes.  Therefore, at ruleset creation time, each
Landlock domain can restrict the scope for certain operations, so that these
operations can only reach out to processes within the same Landlock domain or in
a nested Landlock domain (the "scope").”h]”(hŒSimilar to the implicit ”…””}”(hjg  hžhhŸNh Nubj?  )”}”(hŒ`Ptrace restrictions`_”h]”hŒPtrace restrictions”…””}”(hjo  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”ŒPtrace restrictions”Œrefid”jO  uh1j>  hjg  jR  KubhX6  , we may want to further restrict
interactions between sandboxes.  Therefore, at ruleset creation time, each
Landlock domain can restrict the scope for certain operations, so that these
operations can only reach out to processes within the same Landlock domain or in
a nested Landlock domain (the â€œscopeâ€).”…””}”(hjg  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h M?hjV  hžhubj  )”}”(hŒ'The operations which can be scoped are:”h]”hŒ'The operations which can be scoped are:”…””}”(hjŠ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h MEhjV  hžhubj  )”}”(hhh]”(j  )”}”(hŒˆ``LANDLOCK_SCOPE_SIGNAL``
This limits the sending of signals to target processes which run within the
same or a nested Landlock domain.
”h]”(j  )”}”(hŒ``LANDLOCK_SCOPE_SIGNAL``”h]”jz  )”}”(hj¡  h]”hŒLANDLOCK_SCOPE_SIGNAL”…””}”(hj£  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjŸ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h MIhj›  ubj)  )”}”(hhh]”j  )”}”(hŒmThis limits the sending of signals to target processes which run within the
same or a nested Landlock domain.”h]”hŒmThis limits the sending of signals to target processes which run within the
same or a nested Landlock domain.”…””}”(hj¹  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h MHhj¶  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j(  hj›  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h MIhj˜  ubj  )”}”(hXN  ``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET``
This limits the set of abstract :manpage:`unix(7)` sockets to which we can
:manpage:`connect(2)` to socket addresses which were created by a process in
the same or a nested Landlock domain.

A :manpage:`sendto(2)` on a non-connected datagram socket is treated as if
it were doing an implicit :manpage:`connect(2)` and will be blocked if the
remote end does not stem from the same or a nested Landlock domain.

A :manpage:`sendto(2)` on a socket which was previously connected will not
be restricted.  This works for both datagram and stream sockets.
”h]”(j  )”}”(hŒ'``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET``”h]”jz  )”}”(hjÙ  h]”hŒ#LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET”…””}”(hjÛ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj×  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h MUhjÓ  ubj)  )”}”(hhh]”(j  )”}”(hŒ½This limits the set of abstract :manpage:`unix(7)` sockets to which we can
:manpage:`connect(2)` to socket addresses which were created by a process in
the same or a nested Landlock domain.”h]”(hŒ This limits the set of abstract ”…””}”(hjñ  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`unix(7)`”h]”hŒunix(7)”…””}”(hjù  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œunix(7)”jÍ  Œunix”jÏ  jå  uh1j»  hjñ  ubhŒ sockets to which we can
”…””}”(hjñ  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`connect(2)`”h]”hŒ
connect(2)”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œ
connect(2)”jÍ  Œconnect”jÏ  jÐ  uh1j»  hjñ  ubhŒ] to socket addresses which were created by a process in
the same or a nested Landlock domain.”…””}”(hjñ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h MLhjî  ubj  )”}”(hŒÙA :manpage:`sendto(2)` on a non-connected datagram socket is treated as if
it were doing an implicit :manpage:`connect(2)` and will be blocked if the
remote end does not stem from the same or a nested Landlock domain.”h]”(hŒA ”…””}”(hj'  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`sendto(2)`”h]”hŒ	sendto(2)”…””}”(hj/  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œ	sendto(2)”jÍ  Œsendto”jÏ  jÐ  uh1j»  hj'  ubhŒO on a non-connected datagram socket is treated as if
it were doing an implicit ”…””}”(hj'  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`connect(2)`”h]”hŒ
connect(2)”…””}”(hjC  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œ
connect(2)”jÍ  Œconnect”jÏ  jÐ  uh1j»  hj'  ubhŒ_ and will be blocked if the
remote end does not stem from the same or a nested Landlock domain.”…””}”(hj'  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h MPhjî  ubj  )”}”(hŒ‹A :manpage:`sendto(2)` on a socket which was previously connected will not
be restricted.  This works for both datagram and stream sockets.”h]”(hŒA ”…””}”(hj]  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`sendto(2)`”h]”hŒ	sendto(2)”…””}”(hje  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œ	sendto(2)”jÍ  Œsendto”jÏ  jÐ  uh1j»  hj]  ubhŒu on a socket which was previously connected will not
be restricted.  This works for both datagram and stream sockets.”…””}”(hj]  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h MThjî  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j(  hjÓ  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h MUhj˜  hžhubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hjV  hžhhŸh³h Nubj  )”}”(hŒÍIPC scoping does not support exceptions via :manpage:`landlock_add_rule(2)`.
If an operation is scoped within a domain, no rules can be added to allow access
to resources or processes outside of the scope.”h]”(hŒ,IPC scoping does not support exceptions via ”…””}”(hj‘  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`landlock_add_rule(2)`”h]”hŒlandlock_add_rule(2)”…””}”(hj™  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œlandlock_add_rule(2)”jÍ  Œlandlock_add_rule”jÏ  jÐ  uh1j»  hj‘  ubhŒ‚.
If an operation is scoped within a domain, no rules can be added to allow access
to resources or processes outside of the scope.”…””}”(hj‘  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h MWhjV  hžhubeh}”(h]”Œipc-scoping”ah ]”h"]”Œipc scoping”ah$]”h&]”uh1hÞhjà  hžhhŸh³h M=ubhß)”}”(hhh]”(hä)”}”(hŒTruncating files”h]”hŒTruncating files”…””}”(hj¾  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhj»  hžhhŸh³h M\ubj  )”}”(hŒìThe operations covered by ``LANDLOCK_ACCESS_FS_WRITE_FILE`` and
``LANDLOCK_ACCESS_FS_TRUNCATE`` both change the contents of a file and sometimes
overlap in non-intuitive ways.  It is recommended to always specify both of
these together.”h]”(hŒThe operations covered by ”…””}”(hjÌ  hžhhŸNh Nubjz  )”}”(hŒ!``LANDLOCK_ACCESS_FS_WRITE_FILE``”h]”hŒLANDLOCK_ACCESS_FS_WRITE_FILE”…””}”(hjÔ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjÌ  ubhŒ and
”…””}”(hjÌ  hžhhŸNh Nubjz  )”}”(hŒ``LANDLOCK_ACCESS_FS_TRUNCATE``”h]”hŒLANDLOCK_ACCESS_FS_TRUNCATE”…””}”(hjæ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjÌ  ubhŒ both change the contents of a file and sometimes
overlap in non-intuitive ways.  It is recommended to always specify both of
these together.”…””}”(hjÌ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h M^hj»  hžhubj  )”}”(hŒûA particularly surprising example is :manpage:`creat(2)`.  The name suggests
that this system call requires the rights to create and write files.  However,
it also requires the truncate right if an existing file under the same name is
already present.”h]”(hŒ%A particularly surprising example is ”…””}”(hjþ  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`creat(2)`”h]”hŒcreat(2)”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œcreat(2)”jÍ  Œcreat”jÏ  jÐ  uh1j»  hjþ  ubhŒÃ.  The name suggests
that this system call requires the rights to create and write files.  However,
it also requires the truncate right if an existing file under the same name is
already present.”…””}”(hjþ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Mchj»  hžhubj  )”}”(hŒ÷It should also be noted that truncating files does not require the
``LANDLOCK_ACCESS_FS_WRITE_FILE`` right.  Apart from the :manpage:`truncate(2)`
system call, this can also be done through :manpage:`open(2)` with the flags
``O_RDONLY | O_TRUNC``.”h]”(hŒCIt should also be noted that truncating files does not require the
”…””}”(hj   hžhhŸNh Nubjz  )”}”(hŒ!``LANDLOCK_ACCESS_FS_WRITE_FILE``”h]”hŒLANDLOCK_ACCESS_FS_WRITE_FILE”…””}”(hj(  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj   ubhŒ right.  Apart from the ”…””}”(hj   hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`truncate(2)`”h]”hŒtruncate(2)”…””}”(hj:  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œtruncate(2)”jÍ  Œtruncate”jÏ  jÐ  uh1j»  hj   ubhŒ,
system call, this can also be done through ”…””}”(hj   hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`open(2)`”h]”hŒopen(2)”…””}”(hjN  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œopen(2)”jÍ  Œopen”jÏ  jÐ  uh1j»  hj   ubhŒ with the flags
”…””}”(hj   hžhhŸNh Nubjz  )”}”(hŒ``O_RDONLY | O_TRUNC``”h]”hŒO_RDONLY | O_TRUNC”…””}”(hjb  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj   ubhŒ.”…””}”(hj   hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Mhhj»  hžhubj  )”}”(hŒBThe truncate right is associated with the opened file (see below).”h]”hŒBThe truncate right is associated with the opened file (see below).”…””}”(hjz  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Mmhj»  hžhubeh}”(h]”Œtruncating-files”ah ]”h"]”Œtruncating files”ah$]”h&]”uh1hÞhjà  hžhhŸh³h M\ubhß)”}”(hhh]”(hä)”}”(hŒ'Rights associated with file descriptors”h]”hŒ'Rights associated with file descriptors”…””}”(hj“  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhj  hžhhŸh³h Mpubj  )”}”(hXî  When opening a file, the availability of the ``LANDLOCK_ACCESS_FS_TRUNCATE`` and
``LANDLOCK_ACCESS_FS_IOCTL_DEV`` rights is associated with the newly created
file descriptor and will be used for subsequent truncation and ioctl attempts
using :manpage:`ftruncate(2)` and :manpage:`ioctl(2)`.  The behavior is similar
to opening a file for reading or writing, where permissions are checked during
:manpage:`open(2)`, but not during the subsequent :manpage:`read(2)` and
:manpage:`write(2)` calls.”h]”(hŒ-When opening a file, the availability of the ”…””}”(hj¡  hžhhŸNh Nubjz  )”}”(hŒ``LANDLOCK_ACCESS_FS_TRUNCATE``”h]”hŒLANDLOCK_ACCESS_FS_TRUNCATE”…””}”(hj©  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj¡  ubhŒ and
”…””}”(hj¡  hžhhŸNh Nubjz  )”}”(hŒ ``LANDLOCK_ACCESS_FS_IOCTL_DEV``”h]”hŒLANDLOCK_ACCESS_FS_IOCTL_DEV”…””}”(hj»  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj¡  ubhŒ rights is associated with the newly created
file descriptor and will be used for subsequent truncation and ioctl attempts
using ”…””}”(hj¡  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`ftruncate(2)`”h]”hŒftruncate(2)”…””}”(hjÍ  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œftruncate(2)”jÍ  Œ	ftruncate”jÏ  jÐ  uh1j»  hj¡  ubhŒ and ”…””}”(hj¡  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`ioctl(2)`”h]”hŒioctl(2)”…””}”(hjá  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œioctl(2)”jÍ  Œioctl”jÏ  jÐ  uh1j»  hj¡  ubhŒj.  The behavior is similar
to opening a file for reading or writing, where permissions are checked during
”…””}”(hj¡  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`open(2)`”h]”hŒopen(2)”…””}”(hjõ  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œopen(2)”jÍ  Œopen”jÏ  jÐ  uh1j»  hj¡  ubhŒ , but not during the subsequent ”…””}”(hj¡  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`read(2)`”h]”hŒread(2)”…””}”(hj		  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œread(2)”jÍ  Œread”jÏ  jÐ  uh1j»  hj¡  ubhŒ and
”…””}”hj¡  sbj¼  )”}”(hŒ:manpage:`write(2)`”h]”hŒwrite(2)”…””}”(hj	  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œwrite(2)”jÍ  Œwrite”jÏ  jÐ  uh1j»  hj¡  ubhŒ calls.”…””}”(hj¡  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Mrhj  hžhubj  )”}”(hX  As a consequence, it is possible that a process has multiple open file
descriptors referring to the same file, but Landlock enforces different things
when operating with these file descriptors.  This can happen when a Landlock
ruleset gets enforced and the process keeps file descriptors which were opened
both before and after the enforcement.  It is also possible to pass such file
descriptors between processes, keeping their Landlock properties, even when some
of the involved processes do not have an enforced Landlock ruleset.”h]”hX  As a consequence, it is possible that a process has multiple open file
descriptors referring to the same file, but Landlock enforces different things
when operating with these file descriptors.  This can happen when a Landlock
ruleset gets enforced and the process keeps file descriptors which were opened
both before and after the enforcement.  It is also possible to pass such file
descriptors between processes, keeping their Landlock properties, even when some
of the involved processes do not have an enforced Landlock ruleset.”…””}”(hj7	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Mzhj  hžhubeh}”(h]”Œ'rights-associated-with-file-descriptors”ah ]”h"]”Œ'rights associated with file descriptors”ah$]”h&]”uh1hÞhjà  hžhhŸh³h Mpubeh}”(h]”Œlandlock-rules”ah ]”h"]”Œlandlock rules”ah$]”h&]”uh1hÞhhàhžhhŸh³h Kubhß)”}”(hhh]”(hä)”}”(hŒCompatibility”h]”hŒCompatibility”…””}”(hjX	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhjU	  hžhhŸh³h Mƒubhß)”}”(hhh]”(hä)”}”(hŒ"Backward and forward compatibility”h]”hŒ"Backward and forward compatibility”…””}”(hji	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhjf	  hžhhŸh³h M†ubj  )”}”(hXÁ  Landlock is designed to be compatible with past and future versions of the
kernel.  This is achieved thanks to the system call attributes and the
associated bitflags, particularly the ruleset's ``handled_access_fs``.  Making
handled access rights explicit enables the kernel and user space to have a clear
contract with each other.  This is required to make sure sandboxing will not
get stricter with a system update, which could break applications.”h]”(hŒÄLandlock is designed to be compatible with past and future versions of the
kernel.  This is achieved thanks to the system call attributes and the
associated bitflags, particularly the rulesetâ€™s ”…””}”(hjw	  hžhhŸNh Nubjz  )”}”(hŒ``handled_access_fs``”h]”hŒhandled_access_fs”…””}”(hj	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjw	  ubhŒê.  Making
handled access rights explicit enables the kernel and user space to have a clear
contract with each other.  This is required to make sure sandboxing will not
get stricter with a system update, which could break applications.”…””}”(hjw	  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Mˆhjf	  hžhubj  )”}”(hX­  Developers can subscribe to the `Landlock mailing list
<https://subspace.kernel.org/lists.linux.dev.html>`_ to knowingly update and
test their applications with the latest available features.  In the interest of
users, and because they may use different kernel versions, it is strongly
encouraged to follow a best-effort security approach by checking the Landlock
ABI version at runtime and only enforcing the supported features.”h]”(hŒ Developers can subscribe to the ”…””}”(hj—	  hžhhŸNh Nubj?  )”}”(hŒK`Landlock mailing list
<https://subspace.kernel.org/lists.linux.dev.html>`_”h]”hŒLandlock mailing list”…””}”(hjŸ	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”ŒLandlock mailing list”jP  Œ0https://subspace.kernel.org/lists.linux.dev.html”uh1j>  hj—	  ubhŒtarget”“”)”}”(hŒ3
<https://subspace.kernel.org/lists.linux.dev.html>”h]”h}”(h]”Œlandlock-mailing-list”ah ]”h"]”Œlandlock mailing list”ah$]”h&]”Œrefuri”j¯	  uh1j°	  jU  Khj—	  ubhXB   to knowingly update and
test their applications with the latest available features.  In the interest of
users, and because they may use different kernel versions, it is strongly
encouraged to follow a best-effort security approach by checking the Landlock
ABI version at runtime and only enforcing the supported features.”…””}”(hj—	  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Mhjf	  hžhubj±	  )”}”(hŒ.. _landlock_abi_versions:”h]”h}”(h]”h ]”h"]”h$]”h&]”j  Œlandlock-abi-versions”uh1j°	  h M–hjf	  hžhhŸh³ubeh}”(h]”Œ"backward-and-forward-compatibility”ah ]”h"]”Œ"backward and forward compatibility”ah$]”h&]”uh1hÞhjU	  hžhhŸh³h M†ubhß)”}”(hhh]”(hä)”}”(hŒLandlock ABI versions”h]”hŒLandlock ABI versions”…””}”(hjß	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhjÜ	  hžhhŸh³h M™ubj  )”}”(hŒXThe Landlock ABI version can be read with the sys_landlock_create_ruleset()
system call:”h]”hŒXThe Landlock ABI version can be read with the sys_landlock_create_ruleset()
system call:”…””}”(hjí	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h M›hjÜ	  hžhubjÞ  )”}”(hXš  int abi;

abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
if (abi < 0) {
    switch (errno) {
    case ENOSYS:
        printf("Landlock is not supported by the current kernel.\n");
        break;
    case EOPNOTSUPP:
        printf("Landlock is currently disabled.\n");
        break;
    }
    return 0;
}
if (abi >= 2) {
    printf("Landlock supports LANDLOCK_ACCESS_FS_REFER.\n");
}”h]”hXš  int abi;

abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
if (abi < 0) {
    switch (errno) {
    case ENOSYS:
        printf("Landlock is not supported by the current kernel.\n");
        break;
    case EOPNOTSUPP:
        printf("Landlock is currently disabled.\n");
        break;
    }
    return 0;
}
if (abi >= 2) {
    printf("Landlock supports LANDLOCK_ACCESS_FS_REFER.\n");
}”…””}”hjû	  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²jí  ‰jî  jï  jð  }”uh1jÝ  hŸh³h MžhjÜ	  hžhubj  )”}”(hŒ¢The following kernel interfaces are implicitly supported by the first ABI
version.  Features only supported from a specific version are explicitly marked
as such.”h]”hŒ¢The following kernel interfaces are implicitly supported by the first ABI
version.  Features only supported from a specific version are explicitly marked
as such.”…””}”(hj

  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h M²hjÜ	  hžhubeh}”(h]”(jÓ	  Œid1”eh ]”h"]”(Œlandlock abi versions”Œlandlock_abi_versions”eh$]”h&]”uh1hÞhjU	  hžhhŸh³h M™Œexpect_referenced_by_name”}”j
  jÉ	  sŒexpect_referenced_by_id”}”jÓ	  jÉ	  subeh}”(h]”Œcompatibility”ah ]”h"]”Œcompatibility”ah$]”h&]”uh1hÞhhàhžhhŸh³h Mƒubhß)”}”(hhh]”(hä)”}”(hŒKernel interface”h]”hŒKernel interface”…””}”(hj0
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhj-
  hžhhŸh³h M·ubhß)”}”(hhh]”(hä)”}”(hŒAccess rights”h]”hŒAccess rights”…””}”(hjA
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhj>
  hžhhŸh³h Mºubj  )”}”(hŒ°A set of actions on kernel objects may be defined by an attribute (e.g.
:c:type:`struct landlock_path_beneath_attr <landlock_path_beneath_attr>`) including a bitmask of access.”h]”(hŒHA set of actions on kernel objects may be defined by an attribute (e.g.
”…””}”(hjO
  hžhhŸNh Nubh)”}”(hŒH:c:type:`struct landlock_path_beneath_attr <landlock_path_beneath_attr>`”h]”jz  )”}”(hjY
  h]”hŒ!struct landlock_path_beneath_attr”…””}”(hj[
  hžhhŸNh Nubah}”(h]”h ]”(j  jï  Œc-type”eh"]”h$]”h&]”uh1jy  hjW
  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”jª  Œ	refdomain”jï  Œreftype”Œtype”Œrefexplicit”ˆŒrefwarn”‰j°  Œlandlock_path_beneath_attr”uh1hhŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h KÃhjO
  ubhŒ ) including a bitmask of access.”…””}”(hjO
  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸjv
  h KÃhj>
  hžhubhß)”}”(hhh]”(hä)”}”(hŒFilesystem flags”h]”hŒFilesystem flags”…””}”(hj„
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhj
  hŸNh Nubj  )”}”(hŒºThese flags enable to restrict a sandboxed process to a set of actions on
files and directories.  Files or directories opened before the sandboxing
are not subject to these restrictions.”h]”hŒºThese flags enable to restrict a sandboxed process to a set of actions on
files and directories.  Files or directories opened before the sandboxing
are not subject to these restrictions.”…””}”(hj’
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h KÉhj
  ubj  )”}”(hŒ0The following access rights apply only to files:”h]”hŒ0The following access rights apply only to files:”…””}”(hj¡
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h KÍhj
  ubhŒbullet_list”“”)”}”(hhh]”(hŒ	list_item”“”)”}”(hŒ/``LANDLOCK_ACCESS_FS_EXECUTE``: Execute a file.”h]”j  )”}”(hj¹
  h]”(jz  )”}”(hŒ``LANDLOCK_ACCESS_FS_EXECUTE``”h]”hŒLANDLOCK_ACCESS_FS_EXECUTE”…””}”(hj¾
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj»
  ubhŒ: Execute a file.”…””}”(hj»
  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h KÏhj·
  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj²
  ubj¶
  )”}”(hX  ``LANDLOCK_ACCESS_FS_WRITE_FILE``: Open a file with write access.  When
opening files for writing, you will often additionally need the
``LANDLOCK_ACCESS_FS_TRUNCATE`` right.  In many cases, these system calls
truncate existing files when overwriting them (e.g., :manpage:`creat(2)`).”h]”j  )”}”(hX  ``LANDLOCK_ACCESS_FS_WRITE_FILE``: Open a file with write access.  When
opening files for writing, you will often additionally need the
``LANDLOCK_ACCESS_FS_TRUNCATE`` right.  In many cases, these system calls
truncate existing files when overwriting them (e.g., :manpage:`creat(2)`).”h]”(jz  )”}”(hŒ!``LANDLOCK_ACCESS_FS_WRITE_FILE``”h]”hŒLANDLOCK_ACCESS_FS_WRITE_FILE”…””}”(hjå
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjá
  ubhŒg: Open a file with write access.  When
opening files for writing, you will often additionally need the
”…””}”(hjá
  hžhhŸNh Nubjz  )”}”(hŒ``LANDLOCK_ACCESS_FS_TRUNCATE``”h]”hŒLANDLOCK_ACCESS_FS_TRUNCATE”…””}”(hj÷
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjá
  ubhŒ` right.  In many cases, these system calls
truncate existing files when overwriting them (e.g., ”…””}”(hjá
  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`creat(2)`”h]”hŒcreat(2)”…””}”(hj	  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œcreat(2)”jÍ  Œcreat”jÏ  jÐ  uh1j»  hjá
  ubhŒ).”…””}”(hjá
  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h KÐhjÝ
  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj²
  ubj¶
  )”}”(hŒ?``LANDLOCK_ACCESS_FS_READ_FILE``: Open a file with read access.”h]”j  )”}”(hj,  h]”(jz  )”}”(hŒ ``LANDLOCK_ACCESS_FS_READ_FILE``”h]”hŒLANDLOCK_ACCESS_FS_READ_FILE”…””}”(hj1  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj.  ubhŒ: Open a file with read access.”…””}”(hj.  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h KÔhj*  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj²
  ubj¶
  )”}”(hŒñ``LANDLOCK_ACCESS_FS_TRUNCATE``: Truncate a file with :manpage:`truncate(2)`,
:manpage:`ftruncate(2)`, :manpage:`creat(2)`, or :manpage:`open(2)` with
``O_TRUNC``.  This access right is available since the third version of the
Landlock ABI.
”h]”j  )”}”(hŒð``LANDLOCK_ACCESS_FS_TRUNCATE``: Truncate a file with :manpage:`truncate(2)`,
:manpage:`ftruncate(2)`, :manpage:`creat(2)`, or :manpage:`open(2)` with
``O_TRUNC``.  This access right is available since the third version of the
Landlock ABI.”h]”(jz  )”}”(hŒ``LANDLOCK_ACCESS_FS_TRUNCATE``”h]”hŒLANDLOCK_ACCESS_FS_TRUNCATE”…””}”(hjX  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjT  ubhŒ: Truncate a file with ”…””}”(hjT  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`truncate(2)`”h]”hŒtruncate(2)”…””}”(hjj  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œtruncate(2)”jÍ  Œtruncate”jÏ  jÐ  uh1j»  hjT  ubhŒ,
”…””}”(hjT  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`ftruncate(2)`”h]”hŒftruncate(2)”…””}”(hj~  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œftruncate(2)”jÍ  Œ	ftruncate”jÏ  jÐ  uh1j»  hjT  ubhŒ, ”…””}”(hjT  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`creat(2)`”h]”hŒcreat(2)”…””}”(hj’  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œcreat(2)”jÍ  Œcreat”jÏ  jÐ  uh1j»  hjT  ubhŒ, or ”…””}”(hjT  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`open(2)`”h]”hŒopen(2)”…””}”(hj¦  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œopen(2)”jÍ  Œopen”jÏ  jÐ  uh1j»  hjT  ubhŒ with
”…””}”(hjT  hžhhŸNh Nubjz  )”}”(hŒ``O_TRUNC``”h]”hŒO_TRUNC”…””}”(hjº  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjT  ubhŒN.  This access right is available since the third version of the
Landlock ABI.”…””}”(hjT  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h KÕhjP  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj²
  ubeh}”(h]”h ]”h"]”h$]”h&]”Œbullet”Œ-”uh1j°
  hŸjÖ
  h KÏhj
  ubj  )”}”(hX'  Whether an opened file can be truncated with :manpage:`ftruncate(2)` or used
with `ioctl(2)` is determined during :manpage:`open(2)`, in the same way as
read and write permissions are checked during :manpage:`open(2)` using
``LANDLOCK_ACCESS_FS_READ_FILE`` and ``LANDLOCK_ACCESS_FS_WRITE_FILE``.”h]”(hŒ-Whether an opened file can be truncated with ”…””}”(hjá  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`ftruncate(2)`”h]”hŒftruncate(2)”…””}”(hjé  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œftruncate(2)”jÍ  Œ	ftruncate”jÏ  jÐ  uh1j»  hjá  ubhŒ or used
with ”…””}”(hjá  hžhhŸNh Nubj6  )”}”(hŒ
`ioctl(2)`”h]”hŒioctl(2)”…””}”(hjý  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j5  hjá  ubhŒ is determined during ”…””}”(hjá  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`open(2)`”h]”hŒopen(2)”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œopen(2)”jÍ  Œopen”jÏ  jÐ  uh1j»  hjá  ubhŒC, in the same way as
read and write permissions are checked during ”…””}”(hjá  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`open(2)`”h]”hŒopen(2)”…””}”(hj#  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œopen(2)”jÍ  Œopen”jÏ  jÐ  uh1j»  hjá  ubhŒ using
”…””}”(hjá  hžhhŸNh Nubjz  )”}”(hŒ ``LANDLOCK_ACCESS_FS_READ_FILE``”h]”hŒLANDLOCK_ACCESS_FS_READ_FILE”…””}”(hj7  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjá  ubhŒ and ”…””}”(hjá  hžhhŸNh Nubjz  )”}”(hŒ!``LANDLOCK_ACCESS_FS_WRITE_FILE``”h]”hŒLANDLOCK_ACCESS_FS_WRITE_FILE”…””}”(hjI  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”u•      h1jy  hjá  ubhŒ.”…””}”(hjá  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h KÚhj
  ubj  )”}”(hŒ¦A directory can receive access rights related to files or directories.  The
following access right is applied to the directory itself, and the
directories beneath it:”h]”hŒ¦A directory can receive access rights related to files or directories.  The
following access right is applied to the directory itself, and the
directories beneath it:”…””}”(hjb  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h Kßhj
  ubj±
  )”}”(hhh]”j¶
  )”}”(hŒG``LANDLOCK_ACCESS_FS_READ_DIR``: Open a directory or list its content.
”h]”j  )”}”(hŒF``LANDLOCK_ACCESS_FS_READ_DIR``: Open a directory or list its content.”h]”(jz  )”}”(hŒ``LANDLOCK_ACCESS_FS_READ_DIR``”h]”hŒLANDLOCK_ACCESS_FS_READ_DIR”…””}”(hj|  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjx  ubhŒ': Open a directory or list its content.”…””}”(hjx  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h Kãhjt  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hjq  ubah}”(h]”h ]”h"]”h$]”h&]”jß  jà  uh1j°
  hŸj”  h Kãhj
  ubj  )”}”(hŒhHowever, the following access rights only apply to the content of a
directory, not the directory itself:”h]”hŒhHowever, the following access rights only apply to the content of a
directory, not the directory itself:”…””}”(hj¡  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h Kåhj
  ubj±
  )”}”(hhh]”(j¶
  )”}”(hŒK``LANDLOCK_ACCESS_FS_REMOVE_DIR``: Remove an empty directory or rename one.”h]”j  )”}”(hjµ  h]”(jz  )”}”(hŒ!``LANDLOCK_ACCESS_FS_REMOVE_DIR``”h]”hŒLANDLOCK_ACCESS_FS_REMOVE_DIR”…””}”(hjº  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj·  ubhŒ*: Remove an empty directory or rename one.”…””}”(hj·  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h Kèhj³  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj°  ubj¶
  )”}”(hŒ>``LANDLOCK_ACCESS_FS_REMOVE_FILE``: Unlink (or rename) a file.”h]”j  )”}”(hjÛ  h]”(jz  )”}”(hŒ"``LANDLOCK_ACCESS_FS_REMOVE_FILE``”h]”hŒLANDLOCK_ACCESS_FS_REMOVE_FILE”…””}”(hjà  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjÝ  ubhŒ: Unlink (or rename) a file.”…””}”(hjÝ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h KéhjÙ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj°  ubj¶
  )”}”(hŒP``LANDLOCK_ACCESS_FS_MAKE_CHAR``: Create (or rename or link) a character
device.”h]”j  )”}”(hŒP``LANDLOCK_ACCESS_FS_MAKE_CHAR``: Create (or rename or link) a character
device.”h]”(jz  )”}”(hŒ ``LANDLOCK_ACCESS_FS_MAKE_CHAR``”h]”hŒLANDLOCK_ACCESS_FS_MAKE_CHAR”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj  ubhŒ0: Create (or rename or link) a character
device.”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h Kêhjÿ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj°  ubj¶
  )”}”(hŒ@``LANDLOCK_ACCESS_FS_MAKE_DIR``: Create (or rename) a directory.”h]”j  )”}”(hj(  h]”(jz  )”}”(hŒ``LANDLOCK_ACCESS_FS_MAKE_DIR``”h]”hŒLANDLOCK_ACCESS_FS_MAKE_DIR”…””}”(hj-  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj*  ubhŒ!: Create (or rename) a directory.”…””}”(hj*  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h Kìhj&  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj°  ubj¶
  )”}”(hŒK``LANDLOCK_ACCESS_FS_MAKE_REG``: Create (or rename or link) a regular file.”h]”j  )”}”(hjN  h]”(jz  )”}”(hŒ``LANDLOCK_ACCESS_FS_MAKE_REG``”h]”hŒLANDLOCK_ACCESS_FS_MAKE_REG”…””}”(hjS  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjP  ubhŒ,: Create (or rename or link) a regular file.”…””}”(hjP  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h KíhjL  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj°  ubj¶
  )”}”(hŒR``LANDLOCK_ACCESS_FS_MAKE_SOCK``: Create (or rename or link) a UNIX domain
socket.”h]”j  )”}”(hŒR``LANDLOCK_ACCESS_FS_MAKE_SOCK``: Create (or rename or link) a UNIX domain
socket.”h]”(jz  )”}”(hŒ ``LANDLOCK_ACCESS_FS_MAKE_SOCK``”h]”hŒLANDLOCK_ACCESS_FS_MAKE_SOCK”…””}”(hjz  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjv  ubhŒ2: Create (or rename or link) a UNIX domain
socket.”…””}”(hjv  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h Kîhjr  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj°  ubj¶
  )”}”(hŒJ``LANDLOCK_ACCESS_FS_MAKE_FIFO``: Create (or rename or link) a named pipe.”h]”j  )”}”(hj›  h]”(jz  )”}”(hŒ ``LANDLOCK_ACCESS_FS_MAKE_FIFO``”h]”hŒLANDLOCK_ACCESS_FS_MAKE_FIFO”…””}”(hj   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj  ubhŒ*: Create (or rename or link) a named pipe.”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h Kðhj™  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj°  ubj¶
  )”}”(hŒM``LANDLOCK_ACCESS_FS_MAKE_BLOCK``: Create (or rename or link) a block device.”h]”j  )”}”(hjÁ  h]”(jz  )”}”(hŒ!``LANDLOCK_ACCESS_FS_MAKE_BLOCK``”h]”hŒLANDLOCK_ACCESS_FS_MAKE_BLOCK”…””}”(hjÆ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjÃ  ubhŒ,: Create (or rename or link) a block device.”…””}”(hjÃ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h Kñhj¿  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj°  ubj¶
  )”}”(hŒL``LANDLOCK_ACCESS_FS_MAKE_SYM``: Create (or rename or link) a symbolic link.”h]”j  )”}”(hjç  h]”(jz  )”}”(hŒ``LANDLOCK_ACCESS_FS_MAKE_SYM``”h]”hŒLANDLOCK_ACCESS_FS_MAKE_SYM”…””}”(hjì  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjé  ubhŒ-: Create (or rename or link) a symbolic link.”…””}”(hjé  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h Kòhjå  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj°  ubj¶
  )”}”(hXé  ``LANDLOCK_ACCESS_FS_REFER``: Link or rename a file from or to a different
directory (i.e. reparent a file hierarchy).

This access right is available since the second version of the Landlock
ABI.

This is the only access right which is denied by default by any ruleset,
even if the right is not specified as handled at ruleset creation time.
The only way to make a ruleset grant this right is to explicitly allow it
for a specific directory by adding a matching rule to the ruleset.

In particular, when using the first Landlock ABI version, Landlock will
always deny attempts to reparent files between different directories.

In addition to the source and destination directories having the
``LANDLOCK_ACCESS_FS_REFER`` access right, the attempted link or rename
operation must meet the following constraints:

* The reparented file may not gain more access rights in the destination
  directory than it previously had in the source directory.  If this is
  attempted, the operation results in an ``EXDEV`` error.

* When linking or renaming, the ``LANDLOCK_ACCESS_FS_MAKE_*`` right for the
  respective file type must be granted for the destination directory.
  Otherwise, the operation results in an ``EACCES`` error.

* When renaming, the ``LANDLOCK_ACCESS_FS_REMOVE_*`` right for the
  respective file type must be granted for the source directory.  Otherwise,
  the operation results in an ``EACCES`` error.

If multiple requirements are not met, the ``EACCES`` error code takes
precedence over ``EXDEV``.
”h]”(j  )”}”(hŒv``LANDLOCK_ACCESS_FS_REFER``: Link or rename a file from or to a different
directory (i.e. reparent a file hierarchy).”h]”(jz  )”}”(hŒ``LANDLOCK_ACCESS_FS_REFER``”h]”hŒLANDLOCK_ACCESS_FS_REFER”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj  ubhŒZ: Link or rename a file from or to a different
directory (i.e. reparent a file hierarchy).”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h Kóhj  ubj  )”}”(hŒLThis access right is available since the second version of the Landlock
ABI.”h]”hŒLThis access right is available since the second version of the Landlock
ABI.”…””}”(hj,  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h Köhj  ubj  )”}”(hX  This is the only access right which is denied by default by any ruleset,
even if the right is not specified as handled at ruleset creation time.
The only way to make a ruleset grant this right is to explicitly allow it
for a specific directory by adding a matching rule to the ruleset.”h]”hX  This is the only access right which is denied by default by any ruleset,
even if the right is not specified as handled at ruleset creation time.
The only way to make a ruleset grant this right is to explicitly allow it
for a specific directory by adding a matching rule to the ruleset.”…””}”(hj;  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h Kùhj  ubj  )”}”(hŒIn particular, when using the first Landlock ABI version, Landlock will
always deny attempts to reparent files between different directories.”h]”hŒIn particular, when using the first Landlock ABI version, Landlock will
always deny attempts to reparent files between different directories.”…””}”(hjJ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h Kþhj  ubj  )”}”(hŒ·In addition to the source and destination directories having the
``LANDLOCK_ACCESS_FS_REFER`` access right, the attempted link or rename
operation must meet the following constraints:”h]”(hŒAIn addition to the source and destination directories having the
”…””}”(hjY  hžhhŸNh Nubjz  )”}”(hŒ``LANDLOCK_ACCESS_FS_REFER``”h]”hŒLANDLOCK_ACCESS_FS_REFER”…””}”(hja  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjY  ubhŒZ access right, the attempted link or rename
operation must meet the following constraints:”…””}”(hjY  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h Mhj  ubj±
  )”}”(hhh]”(j¶
  )”}”(hŒÅThe reparented file may not gain more access rights in the destination
directory than it previously had in the source directory.  If this is
attempted, the operation results in an ``EXDEV`` error.
”h]”j  )”}”(hŒÄThe reparented file may not gain more access rights in the destination
directory than it previously had in the source directory.  If this is
attempted, the operation results in an ``EXDEV`` error.”h]”(hŒ´The reparented file may not gain more access rights in the destination
directory than it previously had in the source directory.  If this is
attempted, the operation results in an ”…””}”(hj  hžhhŸNh Nubjz  )”}”(hŒ	``EXDEV``”h]”hŒEXDEV”…””}”(hj‰  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj  ubhŒ error.”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h Mhj}  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hjz  ubj¶
  )”}”(hŒÇWhen linking or renaming, the ``LANDLOCK_ACCESS_FS_MAKE_*`` right for the
respective file type must be granted for the destination directory.
Otherwise, the operation results in an ``EACCES`` error.
”h]”j  )”}”(hŒÆWhen linking or renaming, the ``LANDLOCK_ACCESS_FS_MAKE_*`` right for the
respective file type must be granted for the destination directory.
Otherwise, the operation results in an ``EACCES`` error.”h]”(hŒWhen linking or renaming, the ”…””}”(hj¬  hžhhŸNh Nubjz  )”}”(hŒ``LANDLOCK_ACCESS_FS_MAKE_*``”h]”hŒLANDLOCK_ACCESS_FS_MAKE_*”…””}”(hj´  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj¬  ubhŒz right for the
respective file type must be granted for the destination directory.
Otherwise, the operation results in an ”…””}”(hj¬  hžhhŸNh Nubjz  )”}”(hŒ
``EACCES``”h]”hŒEACCES”…””}”(hjÆ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj¬  ubhŒ error.”…””}”(hj¬  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h M	hj¨  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hjz  ubj¶
  )”}”(hŒºWhen renaming, the ``LANDLOCK_ACCESS_FS_REMOVE_*`` right for the
respective file type must be granted for the source directory.  Otherwise,
the operation results in an ``EACCES`` error.
”h]”j  )”}”(hŒ¹When renaming, the ``LANDLOCK_ACCESS_FS_REMOVE_*`` right for the
respective file type must be granted for the source directory.  Otherwise,
the operation results in an ``EACCES`` error.”h]”(hŒWhen renaming, the ”…””}”(hjé  hžhhŸNh Nubjz  )”}”(hŒ``LANDLOCK_ACCESS_FS_REMOVE_*``”h]”hŒLANDLOCK_ACCESS_FS_REMOVE_*”…””}”(hjñ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjé  ubhŒv right for the
respective file type must be granted for the source directory.  Otherwise,
the operation results in an ”…””}”(hjé  hžhhŸNh Nubjz  )”}”(hŒ
``EACCES``”h]”hŒEACCES”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjé  ubhŒ error.”…””}”(hjé  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h Mhjå  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hjz  ubeh}”(h]”h ]”h"]”h$]”h&]”jß  Œ*”uh1j°
  hŸj¡  h Mhj  ubj  )”}”(hŒ`If multiple requirements are not met, the ``EACCES`` error code takes
precedence over ``EXDEV``.”h]”(hŒ*If multiple requirements are not met, the ”…””}”(hj)  hžhhŸNh Nubjz  )”}”(hŒ
``EACCES``”h]”hŒEACCES”…””}”(hj1  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj)  ubhŒ" error code takes
precedence over ”…””}”(hj)  hžhhŸNh Nubjz  )”}”(hŒ	``EXDEV``”h]”hŒEXDEV”…””}”(hjC  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj)  ubhŒ.”…””}”(hj)  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h Mhj  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj°  ubeh}”(h]”h ]”h"]”h$]”h&]”jß  jà  uh1j°
  hŸjÒ  h Kèhj
  ubj  )”}”(hŒAThe following access right applies both to files and directories:”h]”hŒAThe following access right applies both to files and directories:”…””}”(hjh  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h Mhj
  ubj±
  )”}”(hhh]”j¶
  )”}”(hX~  ``LANDLOCK_ACCESS_FS_IOCTL_DEV``: Invoke :manpage:`ioctl(2)` commands on an opened
character or block device.

This access right applies to all `ioctl(2)` commands implemented by device
drivers.  However, the following common IOCTL commands continue to be
invokable independent of the ``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right:

* IOCTL commands targeting file descriptors (``FIOCLEX``, ``FIONCLEX``),
* IOCTL commands targeting file descriptions (``FIONBIO``, ``FIOASYNC``),
* IOCTL commands targeting file systems (``FIFREEZE``, ``FITHAW``,
  ``FIGETBSZ``, ``FS_IOC_GETFSUUID``, ``FS_IOC_GETFSSYSFSPATH``)
* Some IOCTL commands which do not make sense when used with devices, but
  whose implementations are safe and return the right error codes
  (``FS_IOC_FIEMAP``, ``FICLONE``, ``FICLONERANGE``, ``FIDEDUPERANGE``)

This access right is available since the fifth version of the Landlock
ABI.
”h]”(j  )”}”(hŒm``LANDLOCK_ACCESS_FS_IOCTL_DEV``: Invoke :manpage:`ioctl(2)` commands on an opened
character or block device.”h]”(jz  )”}”(hŒ ``LANDLOCK_ACCESS_FS_IOCTL_DEV``”h]”hŒLANDLOCK_ACCESS_FS_IOCTL_DEV”…””}”(hj‚  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj~  ubhŒ	: Invoke ”…””}”(hj~  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`ioctl(2)`”h]”hŒioctl(2)”…””}”(hj”  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œioctl(2)”jÍ  Œioctl”jÏ  jÐ  uh1j»  hj~  ubhŒ1 commands on an opened
character or block device.”…””}”(hj~  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h Mhjz  ubj  )”}”(hŒÕThis access right applies to all `ioctl(2)` commands implemented by device
drivers.  However, the following common IOCTL commands continue to be
invokable independent of the ``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right:”h]”(hŒ!This access right applies to all ”…””}”(hj¯  hžhhŸNh Nubj6  )”}”(hŒ
`ioctl(2)`”h]”hŒioctl(2)”…””}”(hj·  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j5  hj¯  ubhŒƒ commands implemented by device
drivers.  However, the following common IOCTL commands continue to be
invokable independent of the ”…””}”(hj¯  hžhhŸNh Nubjz  )”}”(hŒ ``LANDLOCK_ACCESS_FS_IOCTL_DEV``”h]”hŒLANDLOCK_ACCESS_FS_IOCTL_DEV”…””}”(hjÉ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj¯  ubhŒ right:”…””}”(hj¯  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h Mhjz  ubj±
  )”}”(hhh]”(j¶
  )”}”(hŒFIOCTL commands targeting file descriptors (``FIOCLEX``, ``FIONCLEX``),”h]”j  )”}”(hjç  h]”(hŒ+IOCTL commands targeting file descriptors (”…””}”(hjé  hžhhŸNh Nubjz  )”}”(hŒ``FIOCLEX``”h]”hŒFIOCLEX”…””}”(hjð  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjé  ubhŒ, ”…””}”(hjé  hžhhŸNh Nubjz  )”}”(hŒ``FIONCLEX``”h]”hŒFIONCLEX”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjé  ubhŒ),”…””}”(hjé  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h Mhjå  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hjâ  ubj¶
  )”}”(hŒGIOCTL commands targeting file descriptions (``FIONBIO``, ``FIOASYNC``),”h]”j  )”}”(hj#  h]”(hŒ,IOCTL commands targeting file descriptions (”…””}”(hj%  hžhhŸNh Nubjz  )”}”(hŒ``FIONBIO``”h]”hŒFIONBIO”…””}”(hj,  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj%  ubhŒ, ”…””}”(hj%  hžhhŸNh Nubjz  )”}”(hŒ``FIOASYNC``”h]”hŒFIOASYNC”…””}”(hj>  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj%  ubhŒ),”…””}”(hj%  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h Mhj!  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hjâ  ubj¶
  )”}”(hŒIOCTL commands targeting file systems (``FIFREEZE``, ``FITHAW``,
``FIGETBSZ``, ``FS_IOC_GETFSUUID``, ``FS_IOC_GETFSSYSFSPATH``)”h]”j  )”}”(hŒIOCTL commands targeting file systems (``FIFREEZE``, ``FITHAW``,
``FIGETBSZ``, ``FS_IOC_GETFSUUID``, ``FS_IOC_GETFSSYSFSPATH``)”h]”(hŒ'IOCTL commands targeting file systems (”…””}”(hja  hžhhŸNh Nubjz  )”}”(hŒ``FIFREEZE``”h]”hŒFIFREEZE”…””}”(hji  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hja  ubhŒ, ”…””}”(hja  hžhhŸNh Nubjz  )”}”(hŒ
``FITHAW``”h]”hŒFITHAW”…””}”(hj{  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hja  ubhŒ,
”…””}”(hja  hžhhŸNh Nubjz  )”}”(hŒ``FIGETBSZ``”h]”hŒFIGETBSZ”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hja  ubhŒ, ”…””}”hja  sbjz  )”}”(hŒ``FS_IOC_GETFSUUID``”h]”hŒFS_IOC_GETFSUUID”…””}”(hjŸ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hja  ubhŒ, ”…””}”hja  sbjz  )”}”(hŒ``FS_IOC_GETFSSYSFSPATH``”h]”hŒFS_IOC_GETFSSYSFSPATH”…””}”(hj±  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hja  ubhŒ)”…””}”(hja  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h Mhj]  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hjâ  ubj¶
  )”}”(hŒÎSome IOCTL commands which do not make sense when used with devices, but
whose implementations are safe and return the right error codes
(``FS_IOC_FIEMAP``, ``FICLONE``, ``FICLONERANGE``, ``FIDEDUPERANGE``)
”h]”j  )”}”(hŒÍSome IOCTL commands which do not make sense when used with devices, but
whose implementations are safe and return the right error codes
(``FS_IOC_FIEMAP``, ``FICLONE``, ``FICLONERANGE``, ``FIDEDUPERANGE``)”h]”(hŒ‰Some IOCTL commands which do not make sense when used with devices, but
whose implementations are safe and return the right error codes
(”…””}”(hjÔ  hžhhŸNh Nubjz  )”}”(hŒ``FS_IOC_FIEMAP``”h]”hŒFS_IOC_FIEMAP”…””}”(hjÜ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjÔ  ubhŒ, ”…””}”(hjÔ  hžhhŸNh Nubjz  )”}”(hŒ``FICLONE``”h]”hŒFICLONE”…””}”(hjî  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjÔ  ubhŒ, ”…””}”hjÔ  sbjz  )”}”(hŒ``FICLONERANGE``”h]”hŒFICLONERANGE”…””}”(hj   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjÔ  ubhŒ, ”…””}”hjÔ  sbjz  )”}”(hŒ``FIDEDUPERANGE``”h]”hŒFIDEDUPERANGE”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjÔ  ubhŒ)”…””}”(hjÔ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h M!hjÐ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hjâ  ubeh}”(h]”h ]”h"]”h$]”h&]”jß  j(  uh1j°
  hŸj  h Mhjz  ubj  )”}”(hŒKThis access right is available since the fifth version of the Landlock
ABI.”h]”hŒKThis access right is available since the fifth version of the Landlock
ABI.”…””}”(hj7  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h M%hjz  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hjw  ubah}”(h]”h ]”h"]”h$]”h&]”jß  jà  uh1j°
  hŸj®  h Mhj
  ubhŒwarning”“”)”}”(hXf  It is currently not possible to restrict some file-related actions
accessible through these syscall families: :manpage:`chdir(2)`,
:manpage:`stat(2)`, :manpage:`flock(2)`, :manpage:`chmod(2)`,
:manpage:`chown(2)`, :manpage:`setxattr(2)`, :manpage:`utime(2)`,
:manpage:`fcntl(2)`, :manpage:`access(2)`.
Future Landlock evolutions will enable to restrict them.”h]”j  )”}”(hXf  It is currently not possible to restrict some file-related actions
accessible through these syscall families: :manpage:`chdir(2)`,
:manpage:`stat(2)`, :manpage:`flock(2)`, :manpage:`chmod(2)`,
:manpage:`chown(2)`, :manpage:`setxattr(2)`, :manpage:`utime(2)`,
:manpage:`fcntl(2)`, :manpage:`access(2)`.
Future Landlock evolutions will enable to restrict them.”h]”(hŒnIt is currently not possible to restrict some file-related actions
accessible through these syscall families: ”…””}”(hjX  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`chdir(2)`”h]”hŒchdir(2)”…””}”(hj`  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œchdir(2)”jÍ  Œchdir”jÏ  jÐ  uh1j»  hjX  ubhŒ,
”…””}”(hjX  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`stat(2)`”h]”hŒstat(2)”…””}”(hjt  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œstat(2)”jÍ  Œstat”jÏ  jÐ  uh1j»  hjX  ubhŒ, ”…””}”(hjX  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`flock(2)`”h]”hŒflock(2)”…””}”(hjˆ  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œflock(2)”jÍ  Œflock”jÏ  jÐ  uh1j»  hjX  ubhŒ, ”…””}”hjX  sbj¼  )”}”(hŒ:manpage:`chmod(2)`”h]”hŒchmod(2)”…””}”(hjœ  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œchmod(2)”jÍ  Œchmod”jÏ  jÐ  uh1j»  hjX  ubhŒ,
”…””}”hjX  sbj¼  )”}”(hŒ:manpage:`chown(2)`”h]”hŒchown(2)”…””}”(hj°  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œchown(2)”jÍ  Œchown”jÏ  jÐ  uh1j»  hjX  ubhŒ, ”…””}”hjX  sbj¼  )”}”(hŒ:manpage:`setxattr(2)`”h]”hŒsetxattr(2)”…””}”(hjÄ  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œsetxattr(2)”jÍ  Œsetxattr”jÏ  jÐ  uh1j»  hjX  ubhŒ, ”…””}”hjX  sbj¼  )”}”(hŒ:manpage:`utime(2)`”h]”hŒutime(2)”…””}”(hjØ  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œutime(2)”jÍ  Œutime”jÏ  jÐ  uh1j»  hjX  ubhŒ,
”…””}”hjX  sbj¼  )”}”(hŒ:manpage:`fcntl(2)`”h]”hŒfcntl(2)”…””}”(hjì  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œfcntl(2)”jÍ  Œfcntl”jÏ  jÐ  uh1j»  hjX  ubhŒ, ”…””}”hjX  sbj¼  )”}”(hŒ:manpage:`access(2)`”h]”hŒ	access(2)”…””}”(hj   hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œ	access(2)”jÍ  Œaccess”jÏ  jÐ  uh1j»  hjX  ubhŒ:.
Future Landlock evolutions will enable to restrict them.”…””}”(hjX  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h M*hjT  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jR  hj
  ubeh}”(h]”Œfilesystem-flags”ah ]”h"]”Œfilesystem flags”ah$]”h&]”uh1hÞhj>
  hžhhŸNh NjU  Kubhß)”}”(hhh]”(hä)”}”(hŒNetwork flags”h]”hŒNetwork flags”…””}”(hj,  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhj)  hŸNh Nubj  )”}”(hŒOThese flags enable to restrict a sandboxed process to a set of network
actions.”h]”hŒOThese flags enable to restrict a sandboxed process to a set of network
actions.”…””}”(hj:  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h MJhj)  ubj  )”}”(hŒ/This is supported since Landlock ABI version 4.”h]”hŒ/This is supported since Landlock ABI version 4.”…””}”(hjI  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h MMhj)  ubj  )”}”(hŒ6The following access rights apply to TCP port numbers:”h]”hŒ6The following access rights apply to TCP port numbers:”…””}”(hjX  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h MOhj)  ubj±
  )”}”(hhh]”(j¶
  )”}”(hŒD``LANDLOCK_ACCESS_NET_BIND_TCP``: Bind a TCP socket to a local port.”h]”j  )”}”(hjl  h]”(jz  )”}”(hŒ ``LANDLOCK_ACCESS_NET_BIND_TCP``”h]”hŒLANDLOCK_ACCESS_NET_BIND_TCP”…””}”(hjq  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjn  ubhŒ$: Bind a TCP socket to a local port.”…””}”(hjn  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h MQhjj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hjg  ubj¶
  )”}”(hŒT``LANDLOCK_ACCESS_NET_CONNECT_TCP``: Connect an active TCP socket to
a remote port.
”h]”j  )”}”(hŒS``LANDLOCK_ACCESS_NET_CONNECT_TCP``: Connect an active TCP socket to
a remote port.”h]”(jz  )”}”(hŒ#``LANDLOCK_ACCESS_NET_CONNECT_TCP``”h]”hŒLANDLOCK_ACCESS_NET_CONNECT_TCP”…””}”(hj˜  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj”  ubhŒ0: Connect an active TCP socket to
a remote port.”…””}”(hj”  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h MRhj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hjg  ubeh}”(h]”h ]”h"]”h$]”h&]”jß  jà  uh1j°
  hŸj‰  h MQhj)  ubeh}”(h]”Œnetwork-flags”ah ]”h"]”Œnetwork flags”ah$]”h&]”uh1hÞhj>
  hžhhŸNh NjU  Kubhß)”}”(hhh]”(hä)”}”(hŒScope flags”h]”hŒScope flags”…””}”(hjÈ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhjÅ  hŸNh Nubj  )”}”(hŒÁThese flags enable to isolate a sandboxed process from a set of IPC actions.
Setting a flag for a ruleset will isolate the Landlock domain to forbid
connections to resources outside the domain.”h]”hŒÁThese flags enable to isolate a sandboxed process from a set of IPC actions.
Setting a flag for a ruleset will isolate the Landlock domain to forbid
connections to resources outside the domain.”…””}”(hjÖ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h M`hjÅ  ubj  )”}”(hŒ/This is supported since Landlock ABI version 6.”h]”hŒ/This is supported since Landlock ABI version 6.”…””}”(hjå  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h MdhjÅ  ubj  )”}”(hŒScopes:”h]”hŒScopes:”…””}”(hjô  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h MfhjÅ  ubj±
  )”}”(hhh]”(j¶
  )”}”(hŒÝ``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET``: Restrict a sandboxed process from
connecting to an abstract UNIX socket created by a process outside the
related Landlock domain (e.g., a parent domain or a non-sandboxed process).”h]”j  )”}”(hŒÝ``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET``: Restrict a sandboxed process from
connecting to an abstract UNIX socket created by a process outside the
related Landlock domain (e.g., a parent domain or a non-sandboxed process).”h]”(jz  )”}”(hŒ'``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET``”h]”hŒ#LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj
  ubhŒ¶: Restrict a sandboxed process from
connecting to an abstract UNIX socket created by a process outside the
related Landlock domain (e.g., a parent domain or a non-sandboxed process).”…””}”(hj
  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h Mhhj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj  ubj¶
  )”}”(hŒu``LANDLOCK_SCOPE_SIGNAL``: Restrict a sandboxed process from sending a signal
to another process outside the domain.
”h]”j  )”}”(hŒt``LANDLOCK_SCOPE_SIGNAL``: Restrict a sandboxed process from sending a signal
to another process outside the domain.”h]”(jz  )”}”(hŒ``LANDLOCK_SCOPE_SIGNAL``”h]”hŒLANDLOCK_SCOPE_SIGNAL”…””}”(hj5  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj1  ubhŒ[: Restrict a sandboxed process from sending a signal
to another process outside the domain.”…””}”(hj1  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:444: ./include/uapi/linux/landlock.h”h Mkhj-  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj  ubeh}”(h]”h ]”h"]”h$]”h&]”jß  jà  uh1j°
  hŸj&  h MhhjÅ  ubeh}”(h]”Œscope-flags”ah ]”h"]”Œscope flags”ah$]”h&]”uh1hÞhj>
  hžhhŸNh NjU  Kubeh}”(h]”Œaccess-rights”ah ]”h"]”Œaccess rights”ah$]”h&]”uh1hÞhj-
  hžhhŸh³h Mºubhß)”}”(hhh]”(hä)”}”(hŒCreating a new ruleset”h]”hŒCreating a new ruleset”…””}”(hjm  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhjj  hžhhŸh³h MÀubh Œindex”“”)”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œentries”]”(Œsingle”Œ(sys_landlock_create_ruleset (C function)”Œc.sys_landlock_create_ruleset”hNt”auh1j{  hjj  hžhhŸNh Nubh Œdesc”“”)”}”(hhh]”(h Œdesc_signature”“”)”}”(hŒ~long sys_landlock_create_ruleset (const struct landlock_ruleset_attr __user *const attr, const size_t size, const __u32 flags)”h]”h Œdesc_signature_line”“”)”}”(hŒ}long sys_landlock_create_ruleset(const struct landlock_ruleset_attr __user *const attr, const size_t size, const __u32 flags)”h]”(h Œdesc_sig_keyword_type”“”)”}”(hŒlong”h]”hŒlong”…””}”(hjŸ  hžhhŸNh Nubah}”(h]”h ]”Œkt”ah"]”h$]”h&]”uh1j  hj™  hžhhŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:450: ./security/landlock/syscalls.c”h KÂubh Œdesc_sig_space”“”)”}”(hŒ ”h]”hŒ ”…””}”(hj±  hžhhŸNh Nubah}”(h]”h ]”Œw”ah"]”h$]”h&]”uh1j¯  hj™  hžhhŸj®  h KÂubh Œ	desc_name”“”)”}”(hŒsys_landlock_create_ruleset”h]”h Œdesc_sig_name”“”)”}”(hŒsys_landlock_create_ruleset”h]”hŒsys_landlock_create_ruleset”…””}”(hjÈ  hžhhŸNh Nubah}”(h]”h ]”Œn”ah"]”h$]”h&]”uh1jÆ  hjÂ  ubah}”(h]”h ]”(Œsig-name”Œdescname”eh"]”h$]”h&]”h±h²uh1jÀ  hj™  hžhhŸj®  h KÂubh Œdesc_parameterlist”“”)”}”(hŒ](const struct landlock_ruleset_attr __user *const attr, const size_t size, const __u32 flags)”h]”(h Œdesc_parameter”“”)”}”(hŒ5const struct landlock_ruleset_attr __user *const attr”h]”(h Œdesc_sig_keyword”“”)”}”(hŒconst”h]”hŒconst”…””}”(hjí  hžhhŸNh Nubah}”(h]”h ]”Œk”ah"]”h$]”h&]”uh1jë  hjç  ubj°  )”}”(hŒ ”h]”hŒ ”…””}”(hjü  hžhhŸNh Nubah}”(h]”h ]”j¼  ah"]”h$]”h&]”uh1j¯  hjç  ubjì  )”}”(hŒstruct”h]”hŒstruct”…””}”(hj
  hžhhŸNh Nubah}”(h]”h ]”jø  ah"]”h$]”h&]”uh1jë  hjç  ubj°  )”}”(hŒ ”h]”hŒ ”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”j¼  ah"]”h$]”h&]”uh1j¯  hjç  ubh)”}”(hhh]”jÇ  )”}”(hŒlandlock_ruleset_attr”h]”hŒlandlock_ruleset_attr”…””}”(hj)  hžhhŸNh Nubah}”(h]”h ]”jÓ  ah"]”h$]”h&]”uh1jÆ  hj&  ubah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”jï  Œreftype”Œ
identifier”Œ	reftarget”j+  Œmodname”NŒ	classname”NŒc:parent_key”Œsphinx.domains.c”Œ	LookupKey”“”)”}”Œdata”]”jD  ŒASTIdentifier”“”)”}”j?  jÊ  sbŒc.sys_landlock_create_ruleset”†”asbuh1hhjç  ubj°  )”}”(hŒ ”h]”hŒ ”…””}”(hjQ  hžhhŸNh Nubah}”(h]”h ]”j¼  ah"]”h$]”h&]”uh1j¯  hjç  ubhŒ__user”…””}”(hjç  hžhhŸNh Nubj°  )”}”(hŒ ”h]”hŒ ”…””}”(hjc  hžhhŸNh Nubah}”(h]”h ]”j¼  ah"]”h$]”h&]”uh1j¯  hjç  ubh Œdesc_sig_punctuation”“”)”}”(hj(  h]”hŒ*”…””}”(hjs  hžhhŸNh Nubah}”(h]”h ]”Œp”ah"]”h$]”h&]”uh1jq  hjç  ubjì  )”}”(hjï  h]”hŒconst”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”jø  ah"]”h$]”h&]”uh1jë  hjç  ubj°  )”}”(hŒ ”h]”hŒ ”…””}”(hjŽ  hžhhŸNh Nubah}”(h]”h ]”j¼  ah"]”h$]”h&]”uh1j¯  hjç  ubjÇ  )”}”(hŒattr”h]”hŒattr”…””}”(hjœ  hžhhŸNh Nubah}”(h]”h ]”jÓ  ah"]”h$]”h&]”uh1jÆ  hjç  ubeh}”(h]”h ]”h"]”h$]”h&]”Œnoemph”ˆh±h²uh1jå  hjá  ubjæ  )”}”(hŒconst size_t size”h]”(jì  )”}”(hjï  h]”hŒconst”…””}”(hjµ  hžhhŸNh Nubah}”(h]”h ]”jø  ah"]”h$]”h&]”uh1jë  hj±  ubj°  )”}”(hŒ ”h]”hŒ ”…””}”(hjÂ  hžhhŸNh Nubah}”(h]”h ]”j¼  ah"]”h$]”h&]”uh1j¯  hj±  ubh)”}”(hhh]”jÇ  )”}”(hŒsize_t”h]”hŒsize_t”…””}”(hjÓ  hžhhŸNh Nubah}”(h]”h ]”jÓ  ah"]”h$]”h&]”uh1jÆ  hjÐ  ubah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”jï  Œreftype”j?  Œ	reftarget”jÕ  Œmodname”NŒ	classname”NjC  jF  )”}”jI  ]”jM  Œc.sys_landlock_create_ruleset”†”asbuh1hhj±  ubj°  )”}”(hŒ ”h]”hŒ ”…””}”(hjñ  hžhhŸNh Nubah}”(h]”h ]”j¼  ah"]”h$]”h&]”uh1j¯  hj±  ubjÇ  )”}”(hŒsize”h]”hŒsize”…””}”(hjÿ  hžhhŸNh Nubah}”(h]”h ]”jÓ  ah"]”h$]”h&]”uh1jÆ  hj±  ubeh}”(h]”h ]”h"]”h$]”h&]”Œnoemph”ˆh±h²uh1jå  hjá  ubjæ  )”}”(hŒconst __u32 flags”h]”(jì  )”}”(hjï  h]”hŒconst”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”jø  ah"]”h$]”h&]”uh1jë  hj  ubj°  )”}”(hŒ ”h]”hŒ ”…””}”(hj%  hžhhŸNh Nubah}”(h]”h ]”j¼  ah"]”h$]”h&]”uh1j¯  hj  ubh)”}”(hhh]”jÇ  )”}”(hŒ__u32”h]”hŒ__u32”…””}”(hj6  hžhhŸNh Nubah}”(h]”h ]”jÓ  ah"]”h$]”h&]”uh1jÆ  hj3  ubah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”jï  Œreftype”j?  Œ	reftarget”j8  Œmodname”NŒ	classname”NjC  jF  )”}”jI  ]”jM  Œc.sys_landlock_create_ruleset”†”asbuh1hhj  ubj°  )”}”(hŒ ”h]”hŒ ”…””}”(hjT  hžhhŸNh Nubah}”(h]”h ]”j¼  ah"]”h$]”h&]”uh1j¯  hj  ubjÇ  )”}”(hŒflags”h]”hŒflags”…””}”(hjb  hžhhŸNh Nubah}”(h]”h ]”jÓ  ah"]”h$]”h&]”uh1jÆ  hj  ubeh}”(h]”h ]”h"]”h$]”h&]”Œnoemph”ˆh±h²uh1jå  hjá  ubeh}”(h]”h ]”h"]”h$]”h&]”h±h²uh1jß  hj™  hžhhŸj®  h KÂubeh}”(h]”h ]”h"]”h$]”h&]”h±h²Œadd_permalink”ˆuh1j—  Œsphinx_line_type”Œ
declarator”hj“  hžhhŸj®  h KÂubah}”(h]”jŠ  ah ]”(Œsig”Œ
sig-object”eh"]”h$]”h&]”Œis_multiline”ˆŒ
_toc_parts”)Œ	_toc_name”huh1j‘  hŸj®  h KÂhjŽ  hžhubh Œdesc_content”“”)”}”(hhh]”j  )”}”(hŒCreate a new ruleset”h]”hŒCreate a new ruleset”…””}”(hj–  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:450: ./security/landlock/syscalls.c”h K¦hj“  hžhubah}”(h]”h ]”h"]”h$]”h&]”uh1j‘  hjŽ  hžhhŸj®  h KÂubeh}”(h]”h ]”(jï  Œfunction”eh"]”h$]”h&]”Œdomain”jï  Œobjtype”j®  Œdesctype”j®  Œnoindex”‰Œnoindexentry”‰Œnocontentsentry”‰uh1jŒ  hžhhjj  hŸNh NubhŒ	container”“”)”}”(hXÚ  **Parameters**

``const struct landlock_ruleset_attr __user *const attr``
  Pointer to a :c:type:`struct landlock_ruleset_attr <landlock_ruleset_attr>` identifying the scope of
  the new ruleset.

``const size_t size``
  Size of the pointed :c:type:`struct landlock_ruleset_attr <landlock_ruleset_attr>` (needed for
  backward and forward compatibility).

``const __u32 flags``
  Supported values:

  - ``LANDLOCK_CREATE_RULESET_VERSION``
  - ``LANDLOCK_CREATE_RULESET_ERRATA``

**Description**

This system call enables to create a new Landlock ruleset, and returns the
related file descriptor on success.

If ``LANDLOCK_CREATE_RULESET_VERSION`` or ``LANDLOCK_CREATE_RULESET_ERRATA`` is
set, then **attr** must be NULL and **size** must be 0.

Possible returned errors are:

- ``EOPNOTSUPP``: Landlock is supported by the kernel but disabled at boot time;
- ``EINVAL``: unknown **flags**, or unknown access, or unknown scope, or too small **size**;
- ``E2BIG``: **attr** or **size** inconsistencies;
- ``EFAULT``: **attr** or **size** inconsistencies;
- ``ENOMSG``: empty :c:type:`landlock_ruleset_attr.handled_access_fs <landlock_ruleset_attr>`.

.. kernel-doc:: include/uapi/linux/landlock.h
    :identifiers: landlock_create_ruleset_flags”h]”(j  )”}”(hŒ**Parameters**”h]”hŒstrong”“”)”}”(hjÀ  h]”hŒ
Parameters”…””}”(hjÄ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hj¾  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:450: ./security/landlock/syscalls.c”h Kªhjº  ubj  )”}”(hhh]”(j  )”}”(hŒ°``const struct landlock_ruleset_attr __user *const attr``
Pointer to a :c:type:`struct landlock_ruleset_attr <landlock_ruleset_attr>` identifying the scope of
the new ruleset.
”h]”(j  )”}”(hŒ9``const struct landlock_ruleset_attr __user *const attr``”h]”jz  )”}”(hjá  h]”hŒ5const struct landlock_ruleset_attr __user *const attr”…””}”(hjã  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjß  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:450: ./security/landlock/syscalls.c”h K©hjÛ  ubj)  )”}”(hhh]”j  )”}”(hŒuPointer to a :c:type:`struct landlock_ruleset_attr <landlock_ruleset_attr>` identifying the scope of
the new ruleset.”h]”(hŒPointer to a ”…””}”(hjú  hžhhŸNh Nubh)”}”(hŒ>:c:type:`struct landlock_ruleset_attr <landlock_ruleset_attr>`”h]”jz  )”}”(hj  h]”hŒstruct landlock_ruleset_attr”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”(j  jï  Œc-type”eh"]”h$]”h&]”uh1jy  hj  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”jª  Œ	refdomain”jï  Œreftype”Œtype”Œrefexplicit”ˆŒrefwarn”‰jC  jF  )”}”jI  ]”sbj°  Œlandlock_ruleset_attr”uh1hhŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:450: ./security/landlock/syscalls.c”h K¨hjú  ubhŒ* identifying the scope of
the new ruleset.”…””}”(hjú  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸj$  h K¨hj÷  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j(  hjÛ  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸjö  h K©hjØ  ubj  )”}”(hŒš``const size_t size``
Size of the pointed :c:type:`struct landlock_ruleset_attr <landlock_ruleset_attr>` (needed for
backward and forward compatibility).
”h]”(j  )”}”(hŒ``const size_t size``”h]”jz  )”}”(hjA  h]”hŒconst size_t size”…””}”(hjC  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj?  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:450: ./security/landlock/syscalls.c”h K«hj;  ubj)  )”}”(hhh]”j  )”}”(hŒƒSize of the pointed :c:type:`struct landlock_ruleset_attr <landlock_ruleset_attr>` (needed for
backward and forward compatibility).”h]”(hŒSize of the pointed ”…””}”(hjZ  hžhhŸNh Nubh)”}”(hŒ>:c:type:`struct landlock_ruleset_attr <landlock_ruleset_attr>`”h]”jz  )”}”(hjd  h]”hŒstruct landlock_ruleset_attr”…””}”(hjf  hžhhŸNh Nubah}”(h]”h ]”(j  jï  Œc-type”eh"]”h$]”h&]”uh1jy  hjb  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”jª  Œ	refdomain”jï  Œreftype”Œtype”Œrefexplicit”ˆŒrefwarn”‰jC  j   j°  Œlandlock_ruleset_attr”uh1hhŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:450: ./security/landlock/syscalls.c”h KªhjZ  ubhŒ1 (needed for
backward and forward compatibility).”…””}”(hjZ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸj  h KªhjW  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j(  hj;  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸjV  h K«hjØ  ubj  )”}”(hŒt``const __u32 flags``
Supported values:

- ``LANDLOCK_CREATE_RULESET_VERSION``
- ``LANDLOCK_CREATE_RULESET_ERRATA``
”h]”(j  )”}”(hŒ``const __u32 flags``”h]”jz  )”}”(hjž  h]”hŒconst __u32 flags”…””}”(hj   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjœ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:450: ./security/landlock/syscalls.c”h K¯hj˜  ubj)  )”}”(hhh]”(j  )”}”(hŒSupported values:”h]”hŒSupported values:”…””}”(hj·  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:450: ./security/landlock/syscalls.c”h K¬hj´  ubj±
  )”}”(hhh]”(j¶
  )”}”(hŒ#``LANDLOCK_CREATE_RULESET_VERSION``”h]”j  )”}”(hjË  h]”jz  )”}”(hjË  h]”hŒLANDLOCK_CREATE_RULESET_VERSION”…””}”(hjÐ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjÍ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:450: ./security/landlock/syscalls.c”h K®hjÉ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hjÆ  ubj¶
  )”}”(hŒ#``LANDLOCK_CREATE_RULESET_ERRATA``
”h]”j  )”}”(hŒ"``LANDLOCK_CREATE_RULESET_ERRATA``”h]”jz  )”}”(hjð  h]”hŒLANDLOCK_CREATE_RULESET_ERRATA”…””}”(hjò  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjî  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸj³  h K¯hjê  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hjÆ  ubeh}”(h]”h ]”h"]”h$]”h&]”jß  jà  uh1j°
  hŸjã  h K®hj´  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j(  hj˜  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸj³  h K¯hjØ  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hjº  ubj  )”}”(hŒ**Description**”h]”jÃ  )”}”(hj%  h]”hŒDescription”…””}”(hj'  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hj#  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:450: ./security/landlock/syscalls.c”h K±hjº  ubj  )”}”(hŒnThis system call enables to create a new Landlock ruleset, and returns the
related file descriptor on success.”h]”hŒnThis system call enables to create a new Landlock ruleset, and returns the
related file descriptor on success.”…””}”(hj;  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:450: ./security/landlock/syscalls.c”h K±hjº  ubj  )”}”(hŒ‡If ``LANDLOCK_CREATE_RULESET_VERSION`` or ``LANDLOCK_CREATE_RULESET_ERRATA`` is
set, then **attr** must be NULL and **size** must be 0.”h]”(hŒIf ”…””}”(hjJ  hžhhŸNh Nubjz  )”}”(hŒ#``LANDLOCK_CREATE_RULESET_VERSION``”h]”hŒLANDLOCK_CREATE_RULESET_VERSION”…””}”(hjR  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjJ  ubhŒ or ”…””}”(hjJ  hžhhŸNh Nubjz  )”}”(hŒ"``LANDLOCK_CREATE_RULESET_ERRATA``”h]”hŒLANDLOCK_CREATE_RULESET_ERRATA”…””}”(hjd  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjJ  ubhŒ is
set, then ”…””}”(hjJ  hžhhŸNh NubjÃ  )”}”(hŒ**attr**”h]”hŒattr”…””}”(hjv  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hjJ  ubhŒ must be NULL and ”…””}”(hjJ  hžhhŸNh NubjÃ  )”}”(hŒ**size**”h]”hŒsize”…””}”(hjˆ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hjJ  ubhŒ must be 0.”…””}”(hjJ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:450: ./security/landlock/syscalls.c”h K´hjº  ubj  )”}”(hŒPossible returned errors are:”h]”hŒPossible returned errors are:”…””}”(hj¡  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:450: ./security/landlock/syscalls.c”h K·hjº  ubj±
  )”}”(hhh]”(j¶
  )”}”(hŒN``EOPNOTSUPP``: Landlock is supported by the kernel but disabled at boot time;”h]”j  )”}”(hjµ  h]”(jz  )”}”(hŒ``EOPNOTSUPP``”h]”hŒ
EOPNOTSUPP”…””}”(hjº  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj·  ubhŒ@: Landlock is supported by the kernel but disabled at boot time;”…””}”(hj·  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:450: ./security/landlock/syscalls.c”h K¹hj³  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj°  ubj¶
  )”}”(hŒZ``EINVAL``: unknown **flags**, or unknown access, or unknown scope, or too small **size**;”h]”j  )”}”(hjÛ  h]”(jz  )”}”(hŒ
``EINVAL``”h]”hŒEINVAL”…””}”(hjà  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjÝ  ubhŒ
: unknown ”…””}”(hjÝ  hžhhŸNh NubjÃ  )”}”(hŒ	**flags**”h]”hŒflags”…””}”(hjò  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hjÝ  ubhŒ4, or unknown access, or unknown scope, or too small ”…””}”(hjÝ  hžhhŸNh NubjÃ  )”}”(hŒ**size**”h]”hŒsize”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hjÝ  ubhŒ;”…””}”(hjÝ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:450: ./security/landlock/syscalls.c”h KºhjÙ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj°  ubj¶
  )”}”(hŒ0``E2BIG``: **attr** or **size** inconsistencies;”h]”j  )”}”(hj%  h]”(jz  )”}”(hŒ	``E2BIG``”h]”hŒE2BIG”…””}”(hj*  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj'  ubhŒ: ”…””}”(hj'  hžhhŸNh NubjÃ  )”}”(hŒ**attr**”h]”hŒattr”…””}”(hj<  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hj'  ubhŒ or ”…””}”(hj'  hžhhŸNh NubjÃ  )”}”(hŒ**size**”h]”hŒsize”…””}”(hjN  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hj'  ubhŒ inconsistencies;”…””}”(hj'  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:450: ./security/landlock/syscalls.c”h K»hj#  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj°  ubj¶
  )”}”(hŒ1``EFAULT``: **attr** or **size** inconsistencies;”h]”j  )”}”(hjo  h]”(jz  )”}”(hŒ
``EFAULT``”h]”hŒEFAULT”…””}”(hjt  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjq  ubhŒ: ”…””}”(hjq  hžhhŸNh NubjÃ  )”}”(hŒ**attr**”h]”hŒattr”…””}”(hj†  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hjq  ubhŒ or ”…””}”(hjq  hžhhŸNh NubjÃ  )”}”(hŒ**size**”h]”hŒsize”…””}”(hj˜  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hjq  ubhŒ inconsistencies;”…””}”(hjq  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:450: ./security/landlock/syscalls.c”h K¼hjm  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj°  ubj¶
  )”}”(hŒ]``ENOMSG``: empty :c:type:`landlock_ruleset_attr.handled_access_fs <landlock_ruleset_attr>`.
”h]”j  )”}”(hŒ\``ENOMSG``: empty :c:type:`landlock_ruleset_attr.handled_access_fs <landlock_ruleset_attr>`.”h]”(jz  )”}”(hŒ
``ENOMSG``”h]”hŒENOMSG”…””}”(hj¿  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj»  ubhŒ: empty ”…””}”(hj»  hžhhŸNh Nubh)”}”(hŒI:c:type:`landlock_ruleset_attr.handled_access_fs <landlock_ruleset_attr>`”h]”jz  )”}”(hjÓ  h]”hŒ'landlock_ruleset_attr.handled_access_fs”…””}”(hjÕ  hžhhŸNh Nubah}”(h]”h ]”(j  jï  Œc-type”eh"]”h$]”h&]”uh1jy  hjÑ  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”jª  Œ	refdomain”jï  Œreftype”Œtype”Œrefexplicit”ˆŒrefwarn”‰jC  j   j°  Œlandlock_ruleset_attr”uh1hhŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:450: ./security/landlock/syscalls.c”h K½hj»  ubhŒ.”…””}”(hj»  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸjð  h K½hj·  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj°  ubeh}”(h]”h ]”h"]”h$]”h&]”jß  jà  uh1j°
  hŸjÒ  h K¹hjº  ubj  )”}”(hŒ	**Flags**”h]”jÃ  )”}”(hj	  h]”hŒFlags”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:39: ./include/uapi/linux/landlock.h”h K9hjº  ubj  )”}”(hhh]”(j  )”}”(hŒd``LANDLOCK_CREATE_RULESET_VERSION``
Get the highest supported Landlock ABI version (starting at 1).
”h]”(j  )”}”(hŒ#``LANDLOCK_CREATE_RULESET_VERSION``”h]”jz  )”}”(hj(  h]”hŒLANDLOCK_CREATE_RULESET_VERSION”…””}”(hj*  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj&  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:39: ./include/uapi/linux/landlock.h”h K<hj"  ubj)  )”}”(hhh]”j  )”}”(hŒ?Get the highest supported Landlock ABI version (starting at 1).”h]”hŒ?Get the highest supported Landlock ABI version (starting at 1).”…””}”(hjA  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸj=  h K<hj>  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j(  hj"  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸj=  h K<hj  ubj  )”}”(hŒg``LANDLOCK_CREATE_RULESET_ERRATA``
Get a bitmask of fixed issues for the current Landlock ABI version.
”h]”(j  )”}”(hŒ"``LANDLOCK_CREATE_RULESET_ERRATA``”h]”jz  )”}”(hja  h]”hŒLANDLOCK_CREATE_RULESET_ERRATA”…””}”(hjc  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj_  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:39: ./include/uapi/linux/landlock.h”h K?hj[  ubj)  )”}”(hhh]”j  )”}”(hŒCGet a bitmask of fixed issues for the current Landlock ABI version.”h]”hŒCGet a bitmask of fixed issues for the current Landlock ABI version.”…””}”(hjz  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸjv  h K?hjw  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j(  hj[  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸjv  h K?hj  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hjº  ubeh}”(h]”h ]”Œkernelindent”ah"]”h$]”h&]”uh1j¸  hjj  hžhhŸNh Nubj|  )”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œentries”]”(jˆ  Œ landlock_ruleset_attr (C struct)”Œc.landlock_ruleset_attr”hNt”auh1j{  hjj  hžhhŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:453: ./include/uapi/linux/landlock.h”h Nubj  )”}”(hhh]”(j’  )”}”(hŒlandlock_ruleset_attr”h]”j˜  )”}”(hŒstruct landlock_ruleset_attr”h]”(jì  )”}”(hj  h]”hŒstruct”…””}”(hj»  hžhhŸNh Nubah}”(h]”h ]”jø  ah"]”h$]”h&]”uh1jë  hj·  hžhhŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:453: ./include/uapi/linux/landlock.h”h Kubj°  )”}”(hŒ ”h]”hŒ ”…””}”(hjÉ  hžhhŸNh Nubah}”(h]”h ]”j¼  ah"]”h$]”h&]”uh1j¯  hj·  hžhhŸjÈ  h KubjÁ  )”}”(hŒlandlock_ruleset_attr”h]”jÇ  )”}”(hjµ  h]”hŒlandlock_ruleset_attr”…””}”(hjÛ  hžhhŸNh Nubah}”(h]”h ]”jÓ  ah"]”h$]”h&]”uh1jÆ  hj×  ubah}”(h]”h ]”(jÚ  jÛ  eh"]”h$]”h&]”h±h²uh1jÀ  hj·  hžhhŸjÈ  h Kubeh}”(h]”h ]”h"]”h$]”h&]”h±h²jƒ  ˆuh1j—  j„  j…  hj³  hžhhŸjÈ  h Kubah}”(h]”j­  ah ]”(j‰  jŠ  eh"]”h$]”h&]”jŽ  ˆj  )j  huh1j‘  hŸjÈ  h Khj°  hžhubj’  )”}”(hhh]”j  )”}”(hŒRuleset definition.”h]”hŒRuleset definition.”…””}”(hjý  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:453: ./include/uapi/linux/landlock.h”h Khjú  hžhubah}”(h]”h ]”h"]”h$]”h&]”uh1j‘  hj°  hžhhŸjÈ  h Kubeh}”(h]”h ]”(jï  Œstruct”eh"]”h$]”h&]”j²  jï  j³  j  j´  j  jµ  ‰j¶  ‰j·  ‰uh1jŒ  hžhhjj  hŸj¯  h Nubj¹  )”}”(hXÏ  **Definition**::

  struct landlock_ruleset_attr {
      __u64 handled_access_fs;
      __u64 handled_access_net;
      __u64 scoped;
  };

**Members**

``handled_access_fs``
  Bitmask of handled filesystem actions
  (cf. `Filesystem flags`_).

``handled_access_net``
  Bitmask of handled network actions (cf. `Network
  flags`_).

``scoped``
  Bitmask of scopes (cf. `Scope flags`_)
  restricting a Landlock domain from accessing outside
  resources (e.g. IPCs).”h]”(j  )”}”(hŒ**Definition**::”h]”(jÃ  )”}”(hŒ**Definition**”h]”hŒ
Definition”…””}”(hj!  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hj  ubhŒ:”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:453: ./include/uapi/linux/landlock.h”h Khj  ubjÞ  )”}”(hŒnstruct landlock_ruleset_attr {
    __u64 handled_access_fs;
    __u64 handled_access_net;
    __u64 scoped;
};”h]”hŒnstruct landlock_ruleset_attr {
    __u64 handled_access_fs;
    __u64 handled_access_net;
    __u64 scoped;
};”…””}”hj:  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1jÝ  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:453: ./include/uapi/linux/landlock.h”h Khj  ubj  )”}”(hŒ**Members**”h]”jÃ  )”}”(hjK  h]”hŒMembers”…””}”(hjM  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hjI  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:453: ./include/uapi/linux/landlock.h”h Khj  ubj  )”}”(hhh]”(j  )”}”(hŒW``handled_access_fs``
Bitmask of handled filesystem actions
(cf. `Filesystem flags`_).
”h]”(j  )”}”(hŒ``handled_access_fs``”h]”jz  )”}”(hjj  h]”hŒhandled_access_fs”…””}”(hjl  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjh  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:453: ./include/uapi/linux/landlock.h”h K)hjd  ubj)  )”}”(hhh]”j  )”}”(hŒ@Bitmask of handled filesystem actions
(cf. `Filesystem flags`_).”h]”(hŒ+Bitmask of handled filesystem actions
(cf. ”…””}”(hjƒ  hžhhŸNh Nubj?  )”}”(hŒ`Filesystem flags`_”h]”hŒFilesystem flags”…””}”(hj‹  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”ŒFilesystem flags”j  j#  uh1j>  hjƒ  jR  KubhŒ).”…””}”(hjƒ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:453: ./include/uapi/linux/landlock.h”h K(hj€  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j(  hjd  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸj  h K)hja  ubj  )”}”(hŒR``handled_access_net``
Bitmask of handled network actions (cf. `Network
flags`_).
”h]”(j  )”}”(hŒ``handled_access_net``”h]”jz  )”}”(hj¸  h]”hŒhandled_access_net”…””}”(hjº  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj¶  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:453: ./include/uapi/linux/landlock.h”h K.hj²  ubj)  )”}”(hhh]”j  )”}”(hŒ:Bitmask of handled network actions (cf. `Network
flags`_).”h]”(hŒ(Bitmask of handled network actions (cf. ”…””}”(hjÑ  hžhhŸNh Nubj?  )”}”(hŒ`Network
flags`_”h]”hŒNetwork
flags”…””}”(hjÙ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”ŒNetwork flags”j  j¿  uh1j>  hjÑ  jR  KubhŒ).”…””}”(hjÑ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:453: ./include/uapi/linux/landlock.h”h K-hjÎ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j(  hj²  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸjÍ  h K.hja  ubj  )”}”(hŒ}``scoped``
Bitmask of scopes (cf. `Scope flags`_)
restricting a Landlock domain from accessing outside
resources (e.g. IPCs).”h]”(j  )”}”(hŒ
``scoped``”h]”jz  )”}”(hj  h]”hŒscoped”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:453: ./include/uapi/linux/landlock.h”h K3hj   ubj)  )”}”(hhh]”j  )”}”(hŒrBitmask of scopes (cf. `Scope flags`_)
restricting a Landlock domain from accessing outside
resources (e.g. IPCs).”h]”(hŒBitmask of scopes (cf. ”…””}”(hj  hžhhŸNh Nubj?  )”}”(hŒ`Scope flags`_”h]”hŒScope flags”…””}”(hj'  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”ŒScope flags”j  j\  uh1j>  hj  jR  KubhŒM)
restricting a Landlock domain from accessing outside
resources (e.g. IPCs).”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:453: ./include/uapi/linux/landlock.h”h K2hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j(  hj   ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸj  h K3hja  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubeh}”(h]”h ]”Œkernelindent”ah"]”h$]”h&]”uh1j¸  hjj  hžhhŸj¯  h Nubj  )”}”(hŒ**Description**”h]”jÃ  )”}”(hj]  h]”hŒDescription”…””}”(hj_  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hj[  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:453: ./include/uapi/linux/landlock.h”h K7hjj  hžhubj  )”}”(hŒ*Argument of sys_landlock_create_ruleset().”h]”hŒ*Argument of sys_landlock_create_ruleset().”…””}”(hjs  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:453: ./include/uapi/linux/landlock.h”h Khjj  hžhubj  )”}”(hX#  This structure defines a set of *handled access rights*, a set of actions on
different object types, which should be denied by default when the ruleset is
enacted.  Vice versa, access rights that are not specifically listed here are
not going to be denied by this ruleset when it is enacted.”h]”(hŒ This structure defines a set of ”…””}”(hj‚  hžhhŸNh NubhŒemphasis”“”)”}”(hŒ*handled access rights*”h]”hŒhandled access rights”…””}”(hjŒ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jŠ  hj‚  ubhŒì, a set of actions on
different object types, which should be denied by default when the ruleset is
enacted.  Vice versa, access rights that are not specifically listed here are
not going to be denied by this ruleset when it is enacted.”…””}”(hj‚  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:453: ./include/uapi/linux/landlock.h”h Khjj  hžhubj  )”}”(hX  For historical reasons, the ``LANDLOCK_ACCESS_FS_REFER`` right is always denied
by default, even when its bit is not set in **handled_access_fs**.  In order to
add new rules with this access right, the bit must still be set explicitly
(cf. `Filesystem flags`_).”h]”(hŒFor historical reasons, the ”…””}”(hj¥  hžhhŸNh Nubjz  )”}”(hŒ``LANDLOCK_ACCESS_FS_REFER``”h]”hŒLANDLOCK_ACCESS_FS_REFER”…””}”(hj­  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj¥  ubhŒD right is always denied
by default, even when its bit is not set in ”…””}”(hj¥  hžhhŸNh NubjÃ  )”}”(hŒ**handled_access_fs**”h]”hŒhandled_access_fs”…””}”(hj¿  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hj¥  ubhŒ_.  In order to
add new rules with this access right, the bit must still be set explicitly
(cf. ”…””}”(hj¥  hžhhŸNh Nubj?  )”}”(hŒ`Filesystem flags`_”h]”hŒFilesystem flags”…””}”(hjÑ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”ŒFilesystem flags”j  j#  uh1j>  hj¥  jR  KubhŒ).”…””}”(hj¥  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:453: ./include/uapi/linux/landlock.h”h Khjj  hžhubj  )”}”(hX&  The explicit listing of *handled access rights* is required for backwards
compatibility reasons.  In most use cases, processes that use Landlock will
*handle* a wide range or all access rights that they know about at build time
(and that they have tested with a kernel that supported them all).”h]”(hŒThe explicit listing of ”…””}”(hjì  hžhhŸNh Nubj‹  )”}”(hŒ*handled access rights*”h]”hŒhandled access rights”…””}”(hjô  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jŠ  hjì  ubhŒg is required for backwards
compatibility reasons.  In most use cases, processes that use Landlock will
”…””}”(hjì  hžhhŸNh Nubj‹  )”}”(hŒ*handle*”h]”hŒhandle”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jŠ  hjì  ubhŒˆ a wide range or all access rights that they know about at build time
(and that they have tested with a kernel that supported them all).”…””}”(hjì  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:453: ./include/uapi/linux/landlock.h”h Khjj  hžhubj  )”}”(hŒ4This structure can grow in future Landlock versions.”h]”hŒ4This structure can grow in future Landlock versions.”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:453: ./include/uapi/linux/landlock.h”h K"hjj  hžhubeh}”(h]”Œcreating-a-new-ruleset”ah ]”h"]”Œcreating a new ruleset”ah$]”h&]”uh1hÞhj-
  hžhhŸh³h MÀubhß)”}”(hhh]”(hä)”}”(hŒExtending a ruleset”h]”hŒExtending a ruleset”…””}”(hj9  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhj6  hžhhŸh³h MÉubj|  )”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œentries”]”(jˆ  Œ"sys_landlock_add_rule (C function)”Œc.sys_landlock_add_rule”hNt”auh1j{  hj6  hžhhŸNh Nubj  )”}”(hhh]”(j’  )”}”(hŒ‘long sys_landlock_add_rule (const int ruleset_fd, const enum landlock_rule_type rule_type, const void __user *const rule_attr, const __u32 flags)”h]”j˜  )”}”(hŒlong sys_landlock_add_rule(const int ruleset_fd, const enum landlock_rule_type rule_type, const void __user *const rule_attr, const __u32 flags)”h]”(jž  )”}”(hŒlong”h]”hŒlong”…””}”(hj`  hžhhŸNh Nubah}”(h]”h ]”jª  ah"]”h$]”h&]”uh1j  hj\  hžhhŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:459: ./security/landlock/syscalls.c”h M¢ubj°  )”}”(hŒ ”h]”hŒ ”…””}”(hjo  hžhhŸNh Nubah}”(h]”h ]”j¼  ah"]”h$]”h&]”uh1j¯  hj\  hžhhŸjn  h M¢ubjÁ  )”}”(hŒsys_landlock_add_rule”h]”jÇ  )”}”(hŒsys_landlock_add_rule”h]”hŒsys_landlock_add_rule”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”jÓ  ah"]”h$]”h&]”uh1jÆ  hj}  ubah}”(h]”h ]”(jÚ  jÛ  eh"]”h$]”h&]”h±h²uh1jÀ  hj\  hžhhŸjn  h M¢ubjà  )”}”(hŒv(const int ruleset_fd, const enum landlock_rule_type rule_type, const void __user *const rule_attr, const __u32 flags)”h]”(jæ  )”}”(hŒconst int ruleset_fd”h]”(jì  )”}”(hjï  h]”hŒconst”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”jø  ah"]”h$]”h&]”uh1jë  hj™  ubj°  )”}”(hŒ ”h]”hŒ ”…””}”(hjª  hžhhŸNh Nubah}”(h]”h ]”j¼  ah"]”h$]”h&]”uh1j¯  hj™  ubjž  )”}”(hŒint”h]”hŒint”…””}”(hj¸  hžhhŸNh Nubah}”(h]”h ]”jª  ah"]”h$]”h&]”uh1j  hj™  ubj°  )”}”(hŒ ”h]”hŒ ”…””}”(hjÆ  hžhhŸNh Nubah}”(h]”h ]”j¼  ah"]”h$]”h&]”uh1j¯  hj™  ubjÇ  )”}”(hŒ
ruleset_fd”h]”hŒ
ruleset_fd”…””}”(hjÔ  hžhhŸNh Nubah}”(h]”h ]”jÓ  ah"]”h$]”h&]”uh1jÆ  hj™  ubeh}”(h]”h ]”h"]”h$]”h&]”Œnoemph”ˆh±h²uh1jå  hj•  ubjæ  )”}”(hŒ'const enum landlock_rule_type rule_type”h]”(jì  )”}”(hjï  h]”hŒconst”…””}”(hjí  hžhhŸNh Nubah}”(h]”h ]”jø  ah"]”h$]”h&]”uh1jë  hjé  ubj°  )”}”(hŒ ”h]”hŒ ”…””}”(hjú  hžhhŸNh Nubah}”(h]”h ]”j¼  ah"]”h$]”h&]”uh1j¯  hjé  ubjì  )”}”(hŒenum”h]”hŒenum”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”jø  ah"]”h$]”h&]”uh1jë  hjé  ubj°  )”}”(hŒ ”h]”hŒ ”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”j¼  ah"]”h$]”h&]”uh1j¯  hjé  ubh)”}”(hhh]”jÇ  )”}”(hŒlandlock_rule_type”h]”hŒlandlock_rule_type”…””}”(hj'  hžhhŸNh Nubah}”(h]”h ]”jÓ  ah"]”h$]”h&]”uh1jÆ  hj$  ubah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”jï  Œreftype”j?  Œ	reftarget”j)  Œmodname”NŒ	classname”NjC  jF  )”}”jI  ]”jL  )”}”j?  jƒ  sbŒc.sys_landlock_add_rule”†”asbuh1hhjé  ubj°  )”}”(hŒ ”h]”hŒ ”…””}”(hjG  hžhhŸNh Nubah}”(h]”h ]”j¼  ah"]”h$]”h&]”uh1j¯  hjé  ubjÇ  )”}”(hŒ	rule_type”h]”hŒ	rule_type”…””}”(hjU  hžhhŸNh Nubah}”(h]”h ]”jÓ  ah"]”h$]”h&]”uh1jÆ  hjé  ubeh}”(h]”h ]”h"]”h$]”h&]”Œnoemph”ˆh±h²uh1jå  hj•  ubjæ  )”}”(hŒ"const void __user *const rule_attr”h]”(jì  )”}”(hjï  h]”hŒconst”…””}”(hjn  hžhhŸNh Nubah}”(h]”h ]”jø  ah"]”h$]”h&]”uh1jë  hjj  ubj°  )”}”(hŒ ”h]”hŒ ”…””}”(hj{  hžhhŸNh Nubah}”(•      h]”h ]”j¼  ah"]”h$]”h&]”uh1j¯  hjj  ubjž  )”}”(hŒvoid”h]”hŒvoid”…””}”(hj‰  hžhhŸNh Nubah}”(h]”h ]”jª  ah"]”h$]”h&]”uh1j  hjj  ubj°  )”}”(hŒ ”h]”hŒ ”…””}”(hj—  hžhhŸNh Nubah}”(h]”h ]”j¼  ah"]”h$]”h&]”uh1j¯  hjj  ubhŒ__user”…””}”(hjj  hžhhŸNh Nubj°  )”}”(hŒ ”h]”hŒ ”…””}”(hj©  hžhhŸNh Nubah}”(h]”h ]”j¼  ah"]”h$]”h&]”uh1j¯  hjj  ubjr  )”}”(hj(  h]”hŒ*”…””}”(hj·  hžhhŸNh Nubah}”(h]”h ]”j}  ah"]”h$]”h&]”uh1jq  hjj  ubjì  )”}”(hjï  h]”hŒconst”…””}”(hjÄ  hžhhŸNh Nubah}”(h]”h ]”jø  ah"]”h$]”h&]”uh1jë  hjj  ubj°  )”}”(hŒ ”h]”hŒ ”…””}”(hjÑ  hžhhŸNh Nubah}”(h]”h ]”j¼  ah"]”h$]”h&]”uh1j¯  hjj  ubjÇ  )”}”(hŒ	rule_attr”h]”hŒ	rule_attr”…””}”(hjß  hžhhŸNh Nubah}”(h]”h ]”jÓ  ah"]”h$]”h&]”uh1jÆ  hjj  ubeh}”(h]”h ]”h"]”h$]”h&]”Œnoemph”ˆh±h²uh1jå  hj•  ubjæ  )”}”(hŒconst __u32 flags”h]”(jì  )”}”(hjï  h]”hŒconst”…””}”(hjø  hžhhŸNh Nubah}”(h]”h ]”jø  ah"]”h$]”h&]”uh1jë  hjô  ubj°  )”}”(hŒ ”h]”hŒ ”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”j¼  ah"]”h$]”h&]”uh1j¯  hjô  ubh)”}”(hhh]”jÇ  )”}”(hŒ__u32”h]”hŒ__u32”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”jÓ  ah"]”h$]”h&]”uh1jÆ  hj  ubah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”jï  Œreftype”j?  Œ	reftarget”j  Œmodname”NŒ	classname”NjC  jF  )”}”jI  ]”jC  Œc.sys_landlock_add_rule”†”asbuh1hhjô  ubj°  )”}”(hŒ ”h]”hŒ ”…””}”(hj4  hžhhŸNh Nubah}”(h]”h ]”j¼  ah"]”h$]”h&]”uh1j¯  hjô  ubjÇ  )”}”(hŒflags”h]”hŒflags”…””}”(hjB  hžhhŸNh Nubah}”(h]”h ]”jÓ  ah"]”h$]”h&]”uh1jÆ  hjô  ubeh}”(h]”h ]”h"]”h$]”h&]”Œnoemph”ˆh±h²uh1jå  hj•  ubeh}”(h]”h ]”h"]”h$]”h&]”h±h²uh1jß  hj\  hžhhŸjn  h M¢ubeh}”(h]”h ]”h"]”h$]”h&]”h±h²jƒ  ˆuh1j—  j„  j…  hjX  hžhhŸjn  h M¢ubah}”(h]”jS  ah ]”(j‰  jŠ  eh"]”h$]”h&]”jŽ  ˆj  )j  huh1j‘  hŸjn  h M¢hjU  hžhubj’  )”}”(hhh]”j  )”}”(hŒAdd a new rule to a ruleset”h]”hŒAdd a new rule to a ruleset”…””}”(hjl  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:459: ./security/landlock/syscalls.c”h M‚hji  hžhubah}”(h]”h ]”h"]”h$]”h&]”uh1j‘  hjU  hžhhŸjn  h M¢ubeh}”(h]”h ]”(jï  Œfunction”eh"]”h$]”h&]”j²  jï  j³  j„  j´  j„  jµ  ‰j¶  ‰j·  ‰uh1jŒ  hžhhj6  hŸNh Nubj¹  )”}”(hX’  **Parameters**

``const int ruleset_fd``
  File descriptor tied to the ruleset that should be extended
  with the new rule.

``const enum landlock_rule_type rule_type``
  Identify the structure type pointed to by **rule_attr**:
  ``LANDLOCK_RULE_PATH_BENEATH`` or ``LANDLOCK_RULE_NET_PORT``.

``const void __user *const rule_attr``
  Pointer to a rule (matching the **rule_type**).

``const __u32 flags``
  Must be 0.

**Description**

This system call enables to define a new rule and add it to an existing
ruleset.

Possible returned errors are:

- ``EOPNOTSUPP``: Landlock is supported by the kernel but disabled at boot time;
- ``EAFNOSUPPORT``: **rule_type** is ``LANDLOCK_RULE_NET_PORT`` but TCP/IP is not
  supported by the running kernel;
- ``EINVAL``: **flags** is not 0;
- ``EINVAL``: The rule accesses are inconsistent (i.e.
  :c:type:`landlock_path_beneath_attr.allowed_access <landlock_path_beneath_attr>` or
  :c:type:`landlock_net_port_attr.allowed_access <landlock_net_port_attr>` is not a subset of the ruleset
  handled accesses)
- ``EINVAL``: :c:type:`landlock_net_port_attr.port <landlock_net_port_attr>` is greater than 65535;
- ``ENOMSG``: Empty accesses (e.g. :c:type:`landlock_path_beneath_attr.allowed_access <landlock_path_beneath_attr>` is
  0);
- ``EBADF``: **ruleset_fd** is not a file descriptor for the current thread, or a
  member of **rule_attr** is not a file descriptor as expected;
- ``EBADFD``: **ruleset_fd** is not a ruleset file descriptor, or a member of
  **rule_attr** is not the expected file descriptor type;
- ``EPERM``: **ruleset_fd** has no write access to the underlying ruleset;
- ``EFAULT``: **rule_attr** was not a valid address.”h]”(j  )”}”(hŒ**Parameters**”h]”jÃ  )”}”(hjŽ  h]”hŒ
Parameters”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hjŒ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:459: ./security/landlock/syscalls.c”h M†hjˆ  ubj  )”}”(hhh]”(j  )”}”(hŒh``const int ruleset_fd``
File descriptor tied to the ruleset that should be extended
with the new rule.
”h]”(j  )”}”(hŒ``const int ruleset_fd``”h]”jz  )”}”(hj­  h]”hŒconst int ruleset_fd”…””}”(hj¯  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj«  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:459: ./security/landlock/syscalls.c”h M…hj§  ubj)  )”}”(hhh]”j  )”}”(hŒNFile descriptor tied to the ruleset that should be extended
with the new rule.”h]”hŒNFile descriptor tied to the ruleset that should be extended
with the new rule.”…””}”(hjÆ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:459: ./security/landlock/syscalls.c”h M„hjÃ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j(  hj§  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸjÂ  h M…hj¤  ubj  )”}”(hŒ£``const enum landlock_rule_type rule_type``
Identify the structure type pointed to by **rule_attr**:
``LANDLOCK_RULE_PATH_BENEATH`` or ``LANDLOCK_RULE_NET_PORT``.
”h]”(j  )”}”(hŒ+``const enum landlock_rule_type rule_type``”h]”jz  )”}”(hjç  h]”hŒ'const enum landlock_rule_type rule_type”…””}”(hjé  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjå  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:459: ./security/landlock/syscalls.c”h M‡hjá  ubj)  )”}”(hhh]”j  )”}”(hŒvIdentify the structure type pointed to by **rule_attr**:
``LANDLOCK_RULE_PATH_BENEATH`` or ``LANDLOCK_RULE_NET_PORT``.”h]”(hŒ*Identify the structure type pointed to by ”…””}”(hj   hžhhŸNh NubjÃ  )”}”(hŒ**rule_attr**”h]”hŒ	rule_attr”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hj   ubhŒ:
”…””}”(hj   hžhhŸNh Nubjz  )”}”(hŒ``LANDLOCK_RULE_PATH_BENEATH``”h]”hŒLANDLOCK_RULE_PATH_BENEATH”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj   ubhŒ or ”…””}”(hj   hžhhŸNh Nubjz  )”}”(hŒ``LANDLOCK_RULE_NET_PORT``”h]”hŒLANDLOCK_RULE_NET_PORT”…””}”(hj,  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj   ubhŒ.”…””}”(hj   hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:459: ./security/landlock/syscalls.c”h M†hjý  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j(  hjá  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸjü  h M‡hj¤  ubj  )”}”(hŒW``const void __user *const rule_attr``
Pointer to a rule (matching the **rule_type**).
”h]”(j  )”}”(hŒ&``const void __user *const rule_attr``”h]”jz  )”}”(hjW  h]”hŒ"const void __user *const rule_attr”…””}”(hjY  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjU  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:459: ./security/landlock/syscalls.c”h MˆhjQ  ubj)  )”}”(hhh]”j  )”}”(hŒ/Pointer to a rule (matching the **rule_type**).”h]”(hŒ Pointer to a rule (matching the ”…””}”(hjp  hžhhŸNh NubjÃ  )”}”(hŒ**rule_type**”h]”hŒ	rule_type”…””}”(hjx  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hjp  ubhŒ).”…””}”(hjp  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸjl  h Mˆhjm  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j(  hjQ  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸjl  h Mˆhj¤  ubj  )”}”(hŒ!``const __u32 flags``
Must be 0.
”h]”(j  )”}”(hŒ``const __u32 flags``”h]”jz  )”}”(hj¢  h]”hŒconst __u32 flags”…””}”(hj¤  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj   ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:459: ./security/landlock/syscalls.c”h M‰hjœ  ubj)  )”}”(hhh]”j  )”}”(hŒ
Must be 0.”h]”hŒ
Must be 0.”…””}”(hj»  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸj·  h M‰hj¸  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j(  hjœ  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸj·  h M‰hj¤  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hjˆ  ubj  )”}”(hŒ**Description**”h]”jÃ  )”}”(hjÝ  h]”hŒDescription”…””}”(hjß  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hjÛ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:459: ./security/landlock/syscalls.c”h M‹hjˆ  ubj  )”}”(hŒPThis system call enables to define a new rule and add it to an existing
ruleset.”h]”hŒPThis system call enables to define a new rule and add it to an existing
ruleset.”…””}”(hjó  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:459: ./security/landlock/syscalls.c”h M‹hjˆ  ubj  )”}”(hŒPossible returned errors are:”h]”hŒPossible returned errors are:”…””}”(hj   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:459: ./security/landlock/syscalls.c”h MŽhjˆ  ubj±
  )”}”(hhh]”(j¶
  )”}”(hŒN``EOPNOTSUPP``: Landlock is supported by the kernel but disabled at boot time;”h]”j  )”}”(hj   h]”(jz  )”}”(hŒ``EOPNOTSUPP``”h]”hŒ
EOPNOTSUPP”…””}”(hj   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj   ubhŒ@: Landlock is supported by the kernel but disabled at boot time;”…””}”(hj   hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:459: ./security/landlock/syscalls.c”h Mhj   ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj   ubj¶
  )”}”(hŒp``EAFNOSUPPORT``: **rule_type** is ``LANDLOCK_RULE_NET_PORT`` but TCP/IP is not
supported by the running kernel;”h]”j  )”}”(hŒp``EAFNOSUPPORT``: **rule_type** is ``LANDLOCK_RULE_NET_PORT`` but TCP/IP is not
supported by the running kernel;”h]”(jz  )”}”(hŒ``EAFNOSUPPORT``”h]”hŒEAFNOSUPPORT”…””}”(hjB   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj>   ubhŒ: ”…””}”(hj>   hžhhŸNh NubjÃ  )”}”(hŒ**rule_type**”h]”hŒ	rule_type”…””}”(hjT   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hj>   ubhŒ is ”…””}”(hj>   hžhhŸNh Nubjz  )”}”(hŒ``LANDLOCK_RULE_NET_PORT``”h]”hŒLANDLOCK_RULE_NET_PORT”…””}”(hjf   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj>   ubhŒ3 but TCP/IP is not
supported by the running kernel;”…””}”(hj>   hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:459: ./security/landlock/syscalls.c”h M‘hj:   ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj   ubj¶
  )”}”(hŒ``EINVAL``: **flags** is not 0;”h]”j  )”}”(hj‡   h]”(jz  )”}”(hŒ
``EINVAL``”h]”hŒEINVAL”…””}”(hjŒ   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj‰   ubhŒ: ”…””}”(hj‰   hžhhŸNh NubjÃ  )”}”(hŒ	**flags**”h]”hŒflags”…””}”(hjž   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hj‰   ubhŒ
 is not 0;”…””}”(hj‰   hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:459: ./security/landlock/syscalls.c”h M“hj…   ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj   ubj¶
  )”}”(hX  ``EINVAL``: The rule accesses are inconsistent (i.e.
:c:type:`landlock_path_beneath_attr.allowed_access <landlock_path_beneath_attr>` or
:c:type:`landlock_net_port_attr.allowed_access <landlock_net_port_attr>` is not a subset of the ruleset
handled accesses)”h]”j  )”}”(hX  ``EINVAL``: The rule accesses are inconsistent (i.e.
:c:type:`landlock_path_beneath_attr.allowed_access <landlock_path_beneath_attr>` or
:c:type:`landlock_net_port_attr.allowed_access <landlock_net_port_attr>` is not a subset of the ruleset
handled accesses)”h]”(jz  )”}”(hŒ
``EINVAL``”h]”hŒEINVAL”…””}”(hjÅ   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjÁ   ubhŒ+: The rule accesses are inconsistent (i.e.
”…””}”(hjÁ   hžhhŸNh Nubh)”}”(hŒP:c:type:`landlock_path_beneath_attr.allowed_access <landlock_path_beneath_attr>`”h]”jz  )”}”(hjÙ   h]”hŒ)landlock_path_beneath_attr.allowed_access”…””}”(hjÛ   hžhhŸNh Nubah}”(h]”h ]”(j  jï  Œc-type”eh"]”h$]”h&]”uh1jy  hj×   ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”jª  Œ	refdomain”jï  Œreftype”Œtype”Œrefexplicit”ˆŒrefwarn”‰jC  j   j°  Œlandlock_path_beneath_attr”uh1hhŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:459: ./security/landlock/syscalls.c”h M”hjÁ   ubhŒ or
”…””}”(hjÁ   hžhhŸNh Nubh)”}”(hŒH:c:type:`landlock_net_port_attr.allowed_access <landlock_net_port_attr>`”h]”jz  )”}”(hjý   h]”hŒ%landlock_net_port_attr.allowed_access”…””}”(hjÿ   hžhhŸNh Nubah}”(h]”h ]”(j  jï  Œc-type”eh"]”h$]”h&]”uh1jy  hjû   ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”jª  Œ	refdomain”jï  Œreftype”Œtype”Œrefexplicit”ˆŒrefwarn”‰jC  j   j°  Œlandlock_net_port_attr”uh1hhŸjö   h M”hjÁ   ubhŒ1 is not a subset of the ruleset
handled accesses)”…””}”(hjÁ   hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸjö   h M”hj½   ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj   ubj¶
  )”}”(hŒa``EINVAL``: :c:type:`landlock_net_port_attr.port <landlock_net_port_attr>` is greater than 65535;”h]”j  )”}”(hj,!  h]”(jz  )”}”(hŒ
``EINVAL``”h]”hŒEINVAL”…””}”(hj1!  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj.!  ubhŒ: ”…””}”(hj.!  hžhhŸNh Nubh)”}”(hŒ>:c:type:`landlock_net_port_attr.port <landlock_net_port_attr>`”h]”jz  )”}”(hjE!  h]”hŒlandlock_net_port_attr.port”…””}”(hjG!  hžhhŸNh Nubah}”(h]”h ]”(j  jï  Œc-type”eh"]”h$]”h&]”uh1jy  hjC!  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”jª  Œ	refdomain”jï  Œreftype”Œtype”Œrefexplicit”ˆŒrefwarn”‰jC  j   j°  Œlandlock_net_port_attr”uh1hhŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:459: ./security/landlock/syscalls.c”h M˜hj.!  ubhŒ is greater than 65535;”…””}”(hj.!  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸjb!  h M˜hj*!  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj   ubj¶
  )”}”(hŒx``ENOMSG``: Empty accesses (e.g. :c:type:`landlock_path_beneath_attr.allowed_access <landlock_path_beneath_attr>` is
0);”h]”j  )”}”(hŒx``ENOMSG``: Empty accesses (e.g. :c:type:`landlock_path_beneath_attr.allowed_access <landlock_path_beneath_attr>` is
0);”h]”(jz  )”}”(hŒ
``ENOMSG``”h]”hŒENOMSG”…””}”(hj{!  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjw!  ubhŒ: Empty accesses (e.g. ”…””}”(hjw!  hžhhŸNh Nubh)”}”(hŒP:c:type:`landlock_path_beneath_attr.allowed_access <landlock_path_beneath_attr>`”h]”jz  )”}”(hj!  h]”hŒ)landlock_path_beneath_attr.allowed_access”…””}”(hj‘!  hžhhŸNh Nubah}”(h]”h ]”(j  jï  Œc-type”eh"]”h$]”h&]”uh1jy  hj!  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”jª  Œ	refdomain”jï  Œreftype”Œtype”Œrefexplicit”ˆŒrefwarn”‰jC  j   j°  Œlandlock_path_beneath_attr”uh1hhŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:459: ./security/landlock/syscalls.c”h M™hjw!  ubhŒ is
0);”…””}”(hjw!  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸj¬!  h M™hjs!  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj   ubj¶
  )”}”(hŒ``EBADF``: **ruleset_fd** is not a file descriptor for the current thread, or a
member of **rule_attr** is not a file descriptor as expected;”h]”j  )”}”(hŒ``EBADF``: **ruleset_fd** is not a file descriptor for the current thread, or a
member of **rule_attr** is not a file descriptor as expected;”h]”(jz  )”}”(hŒ	``EBADF``”h]”hŒEBADF”…””}”(hjÅ!  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjÁ!  ubhŒ: ”…””}”(hjÁ!  hžhhŸNh NubjÃ  )”}”(hŒ**ruleset_fd**”h]”hŒ
ruleset_fd”…””}”(hj×!  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hjÁ!  ubhŒA is not a file descriptor for the current thread, or a
member of ”…””}”(hjÁ!  hžhhŸNh NubjÃ  )”}”(hŒ**rule_attr**”h]”hŒ	rule_attr”…””}”(hjé!  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hjÁ!  ubhŒ& is not a file descriptor as expected;”…””}”(hjÁ!  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:459: ./security/landlock/syscalls.c”h M›hj½!  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj   ubj¶
  )”}”(hŒƒ``EBADFD``: **ruleset_fd** is not a ruleset file descriptor, or a member of
**rule_attr** is not the expected file descriptor type;”h]”j  )”}”(hŒƒ``EBADFD``: **ruleset_fd** is not a ruleset file descriptor, or a member of
**rule_attr** is not the expected file descriptor type;”h]”(jz  )”}”(hŒ
``EBADFD``”h]”hŒEBADFD”…””}”(hj"  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj"  ubhŒ: ”…””}”(hj"  hžhhŸNh NubjÃ  )”}”(hŒ**ruleset_fd**”h]”hŒ
ruleset_fd”…””}”(hj""  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hj"  ubhŒ2 is not a ruleset file descriptor, or a member of
”…””}”(hj"  hžhhŸNh NubjÃ  )”}”(hŒ**rule_attr**”h]”hŒ	rule_attr”…””}”(hj4"  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hj"  ubhŒ* is not the expected file descriptor type;”…””}”(hj"  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:459: ./security/landlock/syscalls.c”h Mhj"  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj   ubj¶
  )”}”(hŒH``EPERM``: **ruleset_fd** has no write access to the underlying ruleset;”h]”j  )”}”(hjU"  h]”(jz  )”}”(hŒ	``EPERM``”h]”hŒEPERM”…””}”(hjZ"  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjW"  ubhŒ: ”…””}”(hjW"  hžhhŸNh NubjÃ  )”}”(hŒ**ruleset_fd**”h]”hŒ
ruleset_fd”…””}”(hjl"  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hjW"  ubhŒ/ has no write access to the underlying ruleset;”…””}”(hjW"  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:459: ./security/landlock/syscalls.c”h MŸhjS"  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj   ubj¶
  )”}”(hŒ2``EFAULT``: **rule_attr** was not a valid address.”h]”j  )”}”(hj"  h]”(jz  )”}”(hŒ
``EFAULT``”h]”hŒEFAULT”…””}”(hj’"  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj"  ubhŒ: ”…””}”(hj"  hžhhŸNh NubjÃ  )”}”(hŒ**rule_attr**”h]”hŒ	rule_attr”…””}”(hj¤"  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hj"  ubhŒ was not a valid address.”…””}”(hj"  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:459: ./security/landlock/syscalls.c”h M hj‹"  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj   ubeh}”(h]”h ]”h"]”h$]”h&]”jß  jà  uh1j°
  hŸj3   h Mhjˆ  ubeh}”(h]”h ]”Œkernelindent”ah"]”h$]”h&]”uh1j¸  hj6  hžhhŸNh Nubj|  )”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œentries”]”(jˆ  Œlandlock_rule_type (C enum)”Œc.landlock_rule_type”hNt”auh1j{  hj6  hžhhŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h Nubj  )”}”(hhh]”(j’  )”}”(hŒlandlock_rule_type”h]”j˜  )”}”(hŒenum landlock_rule_type”h]”(jì  )”}”(hj
  h]”hŒenum”…””}”(hjê"  hžhhŸNh Nubah}”(h]”h ]”jø  ah"]”h$]”h&]”uh1jë  hjæ"  hžhhŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h Kubj°  )”}”(hŒ ”h]”hŒ ”…””}”(hjø"  hžhhŸNh Nubah}”(h]”h ]”j¼  ah"]”h$]”h&]”uh1j¯  hjæ"  hžhhŸj÷"  h KubjÁ  )”}”(hŒlandlock_rule_type”h]”jÇ  )”}”(hjä"  h]”hŒlandlock_rule_type”…””}”(hj
#  hžhhŸNh Nubah}”(h]”h ]”jÓ  ah"]”h$]”h&]”uh1jÆ  hj#  ubah}”(h]”h ]”(jÚ  jÛ  eh"]”h$]”h&]”h±h²uh1jÀ  hjæ"  hžhhŸj÷"  h Kubeh}”(h]”h ]”h"]”h$]”h&]”h±h²jƒ  ˆuh1j—  j„  j…  hjâ"  hžhhŸj÷"  h Kubah}”(h]”jÜ"  ah ]”(j‰  jŠ  eh"]”h$]”h&]”jŽ  ˆj  )j  huh1j‘  hŸj÷"  h Khjß"  hžhubj’  )”}”(hhh]”j  )”}”(hŒLandlock rule type”h]”hŒLandlock rule type”…””}”(hj,#  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h K€hj)#  hžhubah}”(h]”h ]”h"]”h$]”h&]”uh1j‘  hjß"  hžhhŸj÷"  h Kubeh}”(h]”h ]”(jï  Œenum”eh"]”h$]”h&]”j²  jï  j³  jD#  j´  jD#  jµ  ‰j¶  ‰j·  ‰uh1jŒ  hžhhj6  hŸjÞ"  h Nubj¹  )”}”(hŒó**Constants**

``LANDLOCK_RULE_PATH_BENEATH``
  Type of a :c:type:`struct
  landlock_path_beneath_attr <landlock_path_beneath_attr>` .

``LANDLOCK_RULE_NET_PORT``
  Type of a :c:type:`struct
  landlock_net_port_attr <landlock_net_port_attr>` .”h]”(j  )”}”(hŒ**Constants**”h]”jÃ  )”}”(hjN#  h]”hŒ	Constants”…””}”(hjP#  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hjL#  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h K„hjH#  ubj  )”}”(hhh]”(j  )”}”(hŒt``LANDLOCK_RULE_PATH_BENEATH``
Type of a :c:type:`struct
landlock_path_beneath_attr <landlock_path_beneath_attr>` .
”h]”(j  )”}”(hŒ``LANDLOCK_RULE_PATH_BENEATH``”h]”jz  )”}”(hjm#  h]”hŒLANDLOCK_RULE_PATH_BENEATH”…””}”(hjo#  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjk#  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h Kˆhjg#  ubj)  )”}”(hhh]”j  )”}”(hŒTType of a :c:type:`struct
landlock_path_beneath_attr <landlock_path_beneath_attr>` .”h]”(hŒ
Type of a ”…””}”(hj†#  hžhhŸNh Nubh)”}”(hŒH:c:type:`struct
landlock_path_beneath_attr <landlock_path_beneath_attr>`”h]”jz  )”}”(hj#  h]”hŒ!struct
landlock_path_beneath_attr”…””}”(hj’#  hžhhŸNh Nubah}”(h]”h ]”(j  jï  Œc-type”eh"]”h$]”h&]”uh1jy  hjŽ#  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”jª  Œ	refdomain”jï  Œreftype”Œtype”Œrefexplicit”ˆŒrefwarn”‰jC  j   j°  Œlandlock_path_beneath_attr”uh1hhŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h K‡hj†#  ubhŒ .”…””}”(hj†#  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸj­#  h K‡hjƒ#  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j(  hjg#  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸj‚#  h Kˆhjd#  ubj  )”}”(hŒg``LANDLOCK_RULE_NET_PORT``
Type of a :c:type:`struct
landlock_net_port_attr <landlock_net_port_attr>` .”h]”(j  )”}”(hŒ``LANDLOCK_RULE_NET_PORT``”h]”jz  )”}”(hjÊ#  h]”hŒLANDLOCK_RULE_NET_PORT”…””}”(hjÌ#  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjÈ#  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h K‹hjÄ#  ubj)  )”}”(hhh]”j  )”}”(hŒLType of a :c:type:`struct
landlock_net_port_attr <landlock_net_port_attr>` .”h]”(hŒ
Type of a ”…””}”(hjã#  hžhhŸNh Nubh)”}”(hŒ@:c:type:`struct
landlock_net_port_attr <landlock_net_port_attr>`”h]”jz  )”}”(hjí#  h]”hŒstruct
landlock_net_port_attr”…””}”(hjï#  hžhhŸNh Nubah}”(h]”h ]”(j  jï  Œc-type”eh"]”h$]”h&]”uh1jy  hjë#  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”jª  Œ	refdomain”jï  Œreftype”Œtype”Œrefexplicit”ˆŒrefwarn”‰jC  j   j°  Œlandlock_net_port_attr”uh1hhŸjß#  h K‹hjã#  ubhŒ .”…””}”(hjã#  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸjß#  h K‹hjà#  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j(  hjÄ#  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸjß#  h K‹hjd#  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hjH#  ubeh}”(h]”h ]”Œkernelindent”ah"]”h$]”h&]”uh1j¸  hj6  hžhhŸjÞ"  h Nubj  )”}”(hŒ**Description**”h]”jÃ  )”}”(hj/$  h]”hŒDescription”…””}”(hj1$  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hj-$  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h Khj6  hžhubj  )”}”(hŒ$Argument of sys_landlock_add_rule().”h]”hŒ$Argument of sys_landlock_add_rule().”…””}”(hjE$  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h Khj6  hžhubj|  )”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œentries”]”(jˆ  Œ%landlock_path_beneath_attr (C struct)”Œc.landlock_path_beneath_attr”hNt”auh1j{  hj6  hžhhŸjÞ"  h Nubj  )”}”(hhh]”(j’  )”}”(hŒlandlock_path_beneath_attr”h]”j˜  )”}”(hŒ!struct landlock_path_beneath_attr”h]”(jì  )”}”(hj  h]”hŒstruct”…””}”(hjm$  hžhhŸNh Nubah}”(h]”h ]”jø  ah"]”h$]”h&]”uh1jë  hji$  hžhhŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h K†ubj°  )”}”(hŒ ”h]”hŒ ”…””}”(hj{$  hžhhŸNh Nubah}”(h]”h ]”j¼  ah"]”h$]”h&]”uh1j¯  hji$  hžhhŸjz$  h K†ubjÁ  )”}”(hŒlandlock_path_beneath_attr”h]”jÇ  )”}”(hjg$  h]”hŒlandlock_path_beneath_attr”…””}”(hj$  hžhhŸNh Nubah}”(h]”h ]”jÓ  ah"]”h$]”h&]”uh1jÆ  hj‰$  ubah}”(h]”h ]”(jÚ  jÛ  eh"]”h$]”h&]”h±h²uh1jÀ  hji$  hžhhŸjz$  h K†ubeh}”(h]”h ]”h"]”h$]”h&]”h±h²jƒ  ˆuh1j—  j„  j…  hje$  hžhhŸjz$  h K†ubah}”(h]”j`$  ah ]”(j‰  jŠ  eh"]”h$]”h&]”jŽ  ˆj  )j  huh1j‘  hŸjz$  h K†hjb$  hžhubj’  )”}”(hhh]”j  )”}”(hŒPath hierarchy definition”h]”hŒPath hierarchy definition”…””}”(hj¯$  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h K’hj¬$  hžhubah}”(h]”h ]”h"]”h$]”h&]”uh1j‘  hjb$  hžhhŸjz$  h K†ubeh}”(h]”h ]”(jï  Œstruct”eh"]”h$]”h&]”j²  jï  j³  jÇ$  j´  jÇ$  jµ  ‰j¶  ‰j·  ‰uh1jŒ  hžhhj6  hŸjÞ"  h Nubj¹  )”}”(hXv  **Definition**::

  struct landlock_path_beneath_attr {
      __u64 allowed_access;
      __s32 parent_fd;
  };

**Members**

``allowed_access``
  Bitmask of allowed actions for this file hierarchy
  (cf. `Filesystem flags`_).

``parent_fd``
  File descriptor, preferably opened with ``O_PATH``,
  which identifies the parent directory of a file hierarchy, or just a
  file.”h]”(j  )”}”(hŒ**Definition**::”h]”(jÃ  )”}”(hŒ**Definition**”h]”hŒ
Definition”…””}”(hjÓ$  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hjÏ$  ubhŒ:”…””}”(hjÏ$  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h K–hjË$  ubjÞ  )”}”(hŒUstruct landlock_path_beneath_attr {
    __u64 allowed_access;
    __s32 parent_fd;
};”h]”hŒUstruct landlock_path_beneath_attr {
    __u64 allowed_access;
    __s32 parent_fd;
};”…””}”hjì$  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1jÝ  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h K˜hjË$  ubj  )”}”(hŒ**Members**”h]”jÃ  )”}”(hjý$  h]”hŒMembers”…””}”(hjÿ$  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hjû$  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h KhjË$  ubj  )”}”(hhh]”(j  )”}”(hŒa``allowed_access``
Bitmask of allowed actions for this file hierarchy
(cf. `Filesystem flags`_).
”h]”(j  )”}”(hŒ``allowed_access``”h]”jz  )”}”(hj%  h]”hŒallowed_access”…””}”(hj%  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj%  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h Kšhj%  ubj)  )”}”(hhh]”j  )”}”(hŒMBitmask of allowed actions for this file hierarchy
(cf. `Filesystem flags`_).”h]”(hŒ8Bitmask of allowed actions for this file hierarchy
(cf. ”…””}”(hj5%  hžhhŸNh Nubj?  )”}”(hŒ`Filesystem flags`_”h]”hŒFilesystem flags”…””}”(hj=%  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”ŒFilesystem flags”j  j#  uh1j>  hj5%  jR  KubhŒ).”…””}”(hj5%  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h K™hj2%  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j(  hj%  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸj1%  h Kšhj%  ubj  )”}”(hŒŒ``parent_fd``
File descriptor, preferably opened with ``O_PATH``,
which identifies the parent directory of a file hierarchy, or just a
file.”h]”(j  )”}”(hŒ``parent_fd``”h]”jz  )”}”(hjj%  h]”hŒ	parent_fd”…””}”(hjl%  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjh%  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h KŸhjd%  ubj)  )”}”(hhh]”j  )”}”(hŒ~File descriptor, preferably opened with ``O_PATH``,
which identifies the parent directory of a file hierarchy, or just a
file.”h]”(hŒ(File descriptor, preferably opened with ”…””}”(hjƒ%  hžhhŸNh Nubjz  )”}”(hŒ
``O_PATH``”h]”hŒO_PATH”…””}”(hj‹%  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjƒ%  ubhŒL,
which identifies the parent directory of a file hierarchy, or just a
file.”…””}”(hjƒ%  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h Kžhj€%  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j(  hjd%  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸj%  h KŸhj%  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hjË$  ubeh}”(h]”h ]”Œkernelindent”ah"]”h$]”h&]”uh1j¸  hj6  hžhhŸjÞ"  h Nubj  )”}”(hŒ**Description**”h]”jÃ  )”}”(hj¿%  h]”hŒDescription”…””}”(hjÁ%  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hj½%  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h K£hj6  hžhubj  )”}”(hŒ$Argument of sys_landlock_add_rule().”h]”hŒ$Argument of sys_landlock_add_rule().”…””}”(hjÕ%  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h K“hj6  hžhubj|  )”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œentries”]”(jˆ  Œ!landlock_net_port_attr (C struct)”Œc.landlock_net_port_attr”hNt”auh1j{  hj6  hžhhŸjÞ"  h Nubj  )”}”(hhh]”(j’  )”}”(hŒlandlock_net_port_attr”h]”j˜  )”}”(hŒstruct landlock_net_port_attr”h]”(jì  )”}”(hj  h]”hŒstruct”…””}”(hjý%  hžhhŸNh Nubah}”(h]”h ]”jø  ah"]”h$]”h&]”uh1jë  hjù%  hžhhŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h K˜ubj°  )”}”(hŒ ”h]”hŒ ”…””}”(hj&  hžhhŸNh Nubah}”(h]”h ]”j¼  ah"]”h$]”h&]”uh1j¯  hjù%  hžhhŸj
&  h K˜ubjÁ  )”}”(hŒlandlock_net_port_attr”h]”jÇ  )”}”(hj÷%  h]”hŒlandlock_net_port_attr”…””}”(hj&  hžhhŸNh Nubah}”(h]”h ]”jÓ  ah"]”h$]”h&]”uh1jÆ  hj&  ubah}”(h]”h ]”(jÚ  jÛ  eh"]”h$]”h&]”h±h²uh1jÀ  hjù%  hžhhŸj
&  h K˜ubeh}”(h]”h ]”h"]”h$]”h&]”h±h²jƒ  ˆuh1j—  j„  j…  hjõ%  hžhhŸj
&  h K˜ubah}”(h]”jð%  ah ]”(j‰  jŠ  eh"]”h$]”h&]”jŽ  ˆj  )j  huh1j‘  hŸj
&  h K˜hjò%  hžhubj’  )”}”(hhh]”j  )”}”(hŒNetwork port definition”h]”hŒNetwork port definition”…””}”(hj?&  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h K©hj<&  hžhubah}”(h]”h ]”h"]”h$]”h&]”uh1j‘  hjò%  hžhhŸj
&  h K˜ubeh}”(h]”h ]”(jï  Œstruct”eh"]”h$]”h&]”j²  jï  j³  jW&  j´  jW&  jµ  ‰j¶  ‰j·  ‰uh1jŒ  hžhhj6  hŸjÞ"  h Nubj¹  )”}”(hX¹  **Definition**::

  struct landlock_net_port_attr {
      __u64 allowed_access;
      __u64 port;
  };

**Members**

``allowed_access``
  Bitmask of allowed network actions for a port
  (cf. `Network flags`_).

``port``
  Network port in host endianness.

  It should be noted that port 0 passed to :manpage:`bind(2)` will bind
  to an available port from the ephemeral port range.  This can be
  configured with the ``/proc/sys/net/ipv4/ip_local_port_range`` sysctl
  (also used for IPv6).

  A Landlock rule with port 0 and the ``LANDLOCK_ACCESS_NET_BIND_TCP``
  right means that requesting to bind on port 0 is allowed and it will
  automatically translate to binding on the related port range.”h]”(j  )”}”(hŒ**Definition**::”h]”(jÃ  )”}”(hŒ**Definition**”h]”hŒ
Definition”…””}”(hjc&  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hj_&  ubhŒ:”…””}”(hj_&  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h K­hj[&  ubjÞ  )”}”(hŒLstruct landlock_net_port_attr {
    __u64 allowed_access;
    __u64 port;
};”h]”hŒLstruct landlock_net_port_attr {
    __u64 allowed_access;
    __u64 port;
};”…””}”hj|&  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1jÝ  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h K¯hj[&  ubj  )”}”(hŒ**Members**”h]”jÃ  )”}”(hj&  h]”hŒMembers”…””}”(hj&  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hj‹&  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h K´hj[&  ubj  )”}”(hhh]”(j  )”}”(hŒY``allowed_access``
Bitmask of allowed network actions for a port
(cf. `Network flags`_).
”h]”(j  )”}”(hŒ``allowed_access``”h]”jz  )”}”(hj¬&  h]”hŒallowed_access”…””}”(hj®&  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjª&  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h K±hj¦&  ubj)  )”}”(hhh]”j  )”}”(hŒEBitmask of allowed network actions for a port
(cf. `Network flags`_).”h]”(hŒ3Bitmask of allowed network actions for a port
(cf. ”…””}”(hjÅ&  hžhhŸNh Nubj?  )”}”(hŒ`Network flags`_”h]”hŒNetwork flags”…””}”(hjÍ&  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”ŒNetwork flags”j  j¿  uh1j>  hjÅ&  jR  KubhŒ).”…””}”(hjÅ&  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h K°hjÂ&  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j(  hj¦&  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸjÁ&  h K±hj£&  ubj  )”}”(hXÖ  ``port``
Network port in host endianness.

It should be noted that port 0 passed to :manpage:`bind(2)` will bind
to an available port from the ephemeral port range.  This can be
configured with the ``/proc/sys/net/ipv4/ip_local_port_range`` sysctl
(also used for IPv6).

A Landlock rule with port 0 and the ``LANDLOCK_ACCESS_NET_BIND_TCP``
right means that requesting to bind on port 0 is allowed and it will
automatically translate to binding on the related port range.”h]”(j  )”}”(hŒ``port``”h]”jz  )”}”(hjú&  h]”hŒport”…””}”(hjü&  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjø&  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h K½hjô&  ubj)  )”}”(hhh]”(j  )”}”(hŒ Network port in host endianness.”h]”hŒ Network port in host endianness.”…””}”(hj'  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h Kµhj'  ubj  )”}”(hŒâIt should be noted that port 0 passed to :manpage:`bind(2)` will bind
to an available port from the ephemeral port range.  This can be
configured with the ``/proc/sys/net/ipv4/ip_local_port_range`` sysctl
(also used for IPv6).”h]”(hŒ)It should be noted that port 0 passed to ”…””}”(hj"'  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`bind(2)`”h]”hŒbind(2)”…””}”(hj*'  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œbind(2)”jÍ  Œbind”jÏ  jÐ  uh1j»  hj"'  ubhŒ` will bind
to an available port from the ephemeral port range.  This can be
configured with the ”…””}”(hj"'  hžhhŸNh Nubjz  )”}”(hŒ*``/proc/sys/net/ipv4/ip_local_port_range``”h]”hŒ&/proc/sys/net/ipv4/ip_local_port_range”…””}”(hj>'  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj"'  ubhŒ sysctl
(also used for IPv6).”…””}”(hj"'  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h K·hj'  ubj  )”}”(hŒÇA Landlock rule with port 0 and the ``LANDLOCK_ACCESS_NET_BIND_TCP``
right means that requesting to bind on port 0 is allowed and it will
automatically translate to binding on the related port range.”h]”(hŒ$A Landlock rule with port 0 and the ”…””}”(hjW'  hžhhŸNh Nubjz  )”}”(hŒ ``LANDLOCK_ACCESS_NET_BIND_TCP``”h]”hŒLANDLOCK_ACCESS_NET_BIND_TCP”…””}”(hj_'  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjW'  ubhŒƒ
right means that requesting to bind on port 0 is allowed and it will
automatically translate to binding on the related port range.”…””}”(hjW'  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h K¼hj'  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j(  hjô&  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸj'  h K½hj£&  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hj[&  ubeh}”(h]”h ]”Œkernelindent”ah"]”h$]”h&]”uh1j¸  hj6  hžhhŸjÞ"  h Nubj  )”}”(hŒ**Description**”h]”jÃ  )”}”(hj“'  h]”hŒDescription”…””}”(hj•'  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hj‘'  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h KÁhj6  hžhubj  )”}”(hŒ$Argument of sys_landlock_add_rule().”h]”hŒ$Argument of sys_landlock_add_rule().”…””}”(hj©'  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:462: ./include/uapi/linux/landlock.h”h Kªhj6  hžhubeh}”(h]”Œextending-a-ruleset”ah ]”h"]”Œextending a ruleset”ah$]”h&]”uh1hÞhj-
  hžhhŸh³h MÉubhß)”}”(hhh]”(hä)”}”(hŒEnforcing a ruleset”h]”hŒEnforcing a ruleset”…””}”(hjÃ'  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhjÀ'  hžhhŸh³h MÓubj|  )”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œentries”]”(jˆ  Œ'sys_landlock_restrict_self (C function)”Œc.sys_landlock_restrict_self”hNt”auh1j{  hjÀ'  hžhhŸNh Nubj  )”}”(hhh]”(j’  )”}”(hŒIlong sys_landlock_restrict_self (const int ruleset_fd, const __u32 flags)”h]”j˜  )”}”(hŒHlong sys_landlock_restrict_self(const int ruleset_fd, const __u32 flags)”h]”(jž  )”}”(hŒlong”h]”hŒlong”…””}”(hjê'  hžhhŸNh Nubah}”(h]”h ]”jª  ah"]”h$]”h&]”uh1j  hjæ'  hžhhŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:469: ./security/landlock/syscalls.c”h MÞubj°  )”}”(hŒ ”h]”hŒ ”…””}”(hjù'  hžhhŸNh Nubah}”(h]”h ]”j¼  ah"]”h$]”h&]”uh1j¯  hjæ'  hžhhŸjø'  h MÞubjÁ  )”}”(hŒsys_landlock_restrict_self”h]”jÇ  )”}”(hŒsys_landlock_restrict_self”h]”hŒsys_landlock_restrict_self”…””}”(hj(  hžhhŸNh Nubah}”(h]”h ]”jÓ  ah"]”h$]”h&]”uh1jÆ  hj(  ubah}”(h]”h ]”(jÚ  jÛ  eh"]”h$]”h&]”h±h²uh1jÀ  hjæ'  hžhhŸjø'  h MÞubjà  )”}”(hŒ)(const int ruleset_fd, const __u32 flags)”h]”(jæ  )”}”(hŒconst int ruleset_fd”h]”(jì  )”}”(hjï  h]”hŒconst”…””}”(hj'(  hžhhŸNh Nubah}”(h]”h ]”jø  ah"]”h$]”h&]”uh1jë  hj#(  ubj°  )”}”(hŒ ”h]”hŒ ”…””}”(hj4(  hžhhŸNh Nubah}”(h]”h ]”j¼  ah"]”h$]”h&]”uh1j¯  hj#(  ubjž  )”}”(hŒint”h]”hŒint”…””}”(hjB(  hžhhŸNh Nubah}”(h]”h ]”jª  ah"]”h$]”h&]”uh1j  hj#(  ubj°  )”}”(hŒ ”h]”hŒ ”…””}”(hjP(  hžhhŸNh Nubah}”(h]”h ]”j¼  ah"]”h$]”h&]”uh1j¯  hj#(  ubjÇ  )”}”(hŒ
ruleset_fd”h]”hŒ
ruleset_fd”…””}”(hj^(  hžhhŸNh Nubah}”(h]”h ]”jÓ  ah"]”h$]”h&]”uh1jÆ  hj#(  ubeh}”(h]”h ]”h"]”h$]”h&]”Œnoemph”ˆh±h²uh1jå  hj(  ubjæ  )”}”(hŒconst __u32 flags”h]”(jì  )”}”(hjï  h]”hŒconst”…””}”(hjw(  hžhhŸNh Nubah}”(h]”h ]”jø  ah"]”h$]”h&]”uh1jë  hjs(  ubj°  )”}”(hŒ ”h]”hŒ ”…””}”(hj„(  hžhhŸNh Nubah}”(h]”h ]”j¼  ah"]”h$]”h&]”uh1j¯  hjs(  ubh)”}”(hhh]”jÇ  )”}”(hŒ__u32”h]”hŒ__u32”…””}”(hj•(  hžhhŸNh Nubah}”(h]”h ]”jÓ  ah"]”h$]”h&]”uh1jÆ  hj’(  ubah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”jï  Œreftype”j?  Œ	reftarget”j—(  Œmodname”NŒ	classname”NjC  jF  )”}”jI  ]”jL  )”}”j?  j(  sbŒc.sys_landlock_restrict_self”†”asbuh1hhjs(  ubj°  )”}”(hŒ ”h]”hŒ ”…””}”(hjµ(  hžhhŸNh Nubah}”(h]”h ]”j¼  ah"]”h$]”h&]”uh1j¯  hjs(  ubjÇ  )”}”(hŒflags”h]”hŒflags”…””}”(hjÃ(  hžhhŸNh Nubah}”(h]”h ]”jÓ  ah"]”h$]”h&]”uh1jÆ  hjs(  ubeh}”(h]”h ]”h"]”h$]”h&]”Œnoemph”ˆh±h²uh1jå  hj(  ubeh}”(h]”h ]”h"]”h$]”h&]”h±h²uh1jß  hjæ'  hžhhŸjø'  h MÞubeh}”(h]”h ]”h"]”h$]”h&]”h±h²jƒ  ˆuh1j—  j„  j…  hjâ'  hžhhŸjø'  h MÞubah}”(h]”jÝ'  ah ]”(j‰  jŠ  eh"]”h$]”h&]”jŽ  ˆj  )j  huh1j‘  hŸjø'  h MÞhjß'  hžhubj’  )”}”(hhh]”j  )”}”(hŒ'Enforce a ruleset on the calling thread”h]”hŒ'Enforce a ruleset on the calling thread”…””}”(hjí(  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:469: ./security/landlock/syscalls.c”h MÁhjê(  hžhubah}”(h]”h ]”h"]”h$]”h&]”uh1j‘  hjß'  hžhhŸjø'  h MÞubeh}”(h]”h ]”(jï  Œfunction”eh"]”h$]”h&]”j²  jï  j³  j)  j´  j)  jµ  ‰j¶  ‰j·  ‰uh1jŒ  hžhhjÀ'  hŸNh Nubj¹  )”}”(hXü  **Parameters**

``const int ruleset_fd``
  File descriptor tied to the ruleset to merge with the target.

``const __u32 flags``
  Supported values:

  - ``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``
  - ``LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON``
  - ``LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF``

**Description**

This system call enables to enforce a Landlock ruleset on the current
thread.  Enforcing a ruleset requires that the task has ``CAP_SYS_ADMIN`` in its
namespace or is running with no_new_privs.  This avoids scenarios where
unprivileged tasks can affect the behavior of privileged children.

Possible returned errors are:

- ``EOPNOTSUPP``: Landlock is supported by the kernel but disabled at boot time;
- ``EINVAL``: **flags** contains an unknown bit.
- ``EBADF``: **ruleset_fd** is not a file descriptor for the current thread;
- ``EBADFD``: **ruleset_fd** is not a ruleset file descriptor;
- ``EPERM``: **ruleset_fd** has no read access to the underlying ruleset, or the
  current thread is not running with no_new_privs, or it doesn't have
  ``CAP_SYS_ADMIN`` in its namespace.
- ``E2BIG``: The maximum number of stacked rulesets is reached for the current
  thread.

.. kernel-doc:: include/uapi/linux/landlock.h
    :identifiers: landlock_restrict_self_flags”h]”(j  )”}”(hŒ**Parameters**”h]”jÃ  )”}”(hj)  h]”hŒ
Parameters”…””}”(hj)  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hj)  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:469: ./security/landlock/syscalls.c”h MÅhj	)  ubj  )”}”(hhh]”(j  )”}”(hŒW``const int ruleset_fd``
File descriptor tied to the ruleset to merge with the target.
”h]”(j  )”}”(hŒ``const int ruleset_fd``”h]”jz  )”}”(hj.)  h]”hŒconst int ruleset_fd”…””}”(hj0)  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj,)  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:469: ./security/landlock/syscalls.c”h MÃhj()  ubj)  )”}”(hhh]”j  )”}”(hŒ=File descriptor tied to the ruleset to merge with the target.”h]”hŒ=File descriptor tied to the ruleset to merge with the target.”…””}”(hjG)  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸjC)  h MÃhjD)  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j(  hj()  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸjC)  h MÃhj%)  ubj  )”}”(hŒµ``const __u32 flags``
Supported values:

- ``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``
- ``LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON``
- ``LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF``
”h]”(j  )”}”(hŒ``const __u32 flags``”h]”jz  )”}”(hjg)  h]”hŒconst __u32 flags”…””}”(hji)  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hje)  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:469: ./security/landlock/syscalls.c”h MÈhja)  ubj)  )”}”(hhh]”(j  )”}”(hŒSupported values:”h]”hŒSupported values:”…””}”(hj€)  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:469: ./security/landlock/syscalls.c”h MÄhj})  ubj±
  )”}”(hhh]”(j¶
  )”}”(hŒ,``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``”h]”j  )”}”(hj”)  h]”jz  )”}”(hj”)  h]”hŒ(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF”…””}”(hj™)  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj–)  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:469: ./security/landlock/syscalls.c”h MÆhj’)  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj)  ubj¶
  )”}”(hŒ*``LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON``”h]”j  )”}”(hjµ)  h]”jz  )”}”(hjµ)  h]”hŒ&LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON”…””}”(hjº)  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj·)  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:469: ./security/landlock/syscalls.c”h MÇhj³)  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj)  ubj¶
  )”}”(hŒ.``LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF``
”h]”j  )”}”(hŒ-``LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF``”h]”jz  )”}”(hjÚ)  h]”hŒ)LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF”…””}”(hjÜ)  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjØ)  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸj|)  h MÈhjÔ)  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj)  ubeh}”(h]”h ]”h"]”h$]”h&]”jß  jà  uh1j°
  hŸj¬)  h MÆhj})  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j(  hja)  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸj|)  h MÈhj%)  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hj	)  ubj  )”}”(hŒ**Description**”h]”jÃ  )”}”(hj*  h]”hŒDescription”…””}”(hj*  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hj*  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:469: ./security/landlock/syscalls.c”h MÊhj	)  ubj  )”}”(hX!  This system call enables to enforce a Landlock ruleset on the current
thread.  Enforcing a ruleset requires that the task has ``CAP_SYS_ADMIN`` in its
namespace or is running with no_new_privs.  This avoids scenarios where
unprivileged tasks can affect the behavior of privileged children.”h]”(hŒ~This system call enables to enforce a Landlock ruleset on the current
thread.  Enforcing a ruleset requires that the task has ”…””}”(hj%*  hžhhŸNh Nubjz  )”}”(hŒ``CAP_SYS_ADMIN``”h]”hŒCAP_SYS_ADMIN”…””}”(hj-*  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj%*  ubhŒ’ in its
namespace or is running with no_new_privs.  This avoids scenarios where
unprivileged tasks can affect the behavior of privileged children.”…””}”(hj%*  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:469: ./security/landlock/syscalls.c”h MÊhj	)  ubj  )”}”(hŒPossible returned errors are:”h]”hŒPossible returned errors are:”…””}”(hjF*  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:469: ./security/landlock/syscalls.c”h MÏhj	)  ubj±
  )”}”(hhh]”(j¶
  )”}”(hŒN``EOPNOTSUPP``: Landlock is supported by the kernel but disabled at boot time;”h]”j  )”}”(hjZ*  h]”(jz  )”}”(hŒ``EOPNOTSUPP``”h]”hŒ
EOPNOTSUPP”…””}”(hj_*  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj\*  ubhŒ@: Landlock is supported by the kernel but disabled at boot time;”…””}”(hj\*  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:469: ./security/landlock/syscalls.c”h MÑhjX*  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hjU*  ubj¶
  )”}”(hŒ.``EINVAL``: **flags** contains an unknown bit.”h]”j  )”}”(hj€*  h]”(jz  )”}”(hŒ
``EINVAL``”h]”hŒEINVAL”…””}”(hj…*  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj‚*  ubhŒ: ”…””}”(hj‚*  hžhhŸNh NubjÃ  )”}”(hŒ	**flags**”h]”hŒflags”…””}”(hj—*  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hj‚*  ubhŒ contains an unknown bit.”…””}”(hj‚*  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:469: ./security/landlock/syscalls.c”h MÒhj~*  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hjU*  ubj¶
  )”}”(hŒJ``EBADF``: **ruleset_fd** is not a file descriptor for the current thread;”h]”j  )”}”(hj¸*  h]”(jz  )”}”(hŒ	``EBADF``”h]”hŒEBADF”…””}”(hj½*  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjº*  ubhŒ: ”…””}”(hjº*  hžhhŸNh NubjÃ  )”}”(hŒ**ruleset_fd**”h]”hŒ
ruleset_fd”…””}”(hjÏ*  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hjº*  ubhŒ1 is not a file descriptor for the current thread;”…””}”(hjº*  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:469: ./security/landlock/syscalls.c”h MÓhj¶*  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hjU*  ubj¶
  )”}”(hŒ<``EBADFD``: **ruleset_fd** is not a ruleset file descriptor;”h]”j  )”}”(hjð*  h]”(jz  )”}”(hŒ
``EBADFD``”h]”hŒEBADFD”…””}”(hjõ*  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjò*  ubhŒ: ”…””}”(hjò*  hžhhŸNh NubjÃ  )”}”(hŒ**ruleset_fd**”h]”hŒ
ruleset_fd”…””}”(hj+  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hjò*  ubhŒ" is not a ruleset file descriptor;”…””}”(hjò*  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:469: ./security/landlock/syscalls.c”h MÔhjî*  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hjU*  ubj¶
  )”}”(hŒ¶``EPERM``: **ruleset_fd** has no read access to the underlying ruleset, or the
current thread is not running with no_new_privs, or it doesn't have
``CAP_SYS_ADMIN`` in its namespace.”h]”j  )”}”(hŒ¶``EPERM``: **ruleset_fd** has no read access to the underlying ruleset, or the
current thread is not running with no_new_privs, or it doesn't have
``CAP_SYS_ADMIN`` in its namespace.”h]”(jz  )”}”(hŒ	``EPERM``”h]”hŒEPERM”…””}”(hj.+  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj*+  ubhŒ: ”…””}”(hj*+  hžhhŸNh NubjÃ  )”}”(hŒ**ruleset_fd**”h]”hŒ
ruleset_fd”…””}”(hj@+  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hj*+  ubhŒ| has no read access to the underlying ruleset, or the
current thread is not running with no_new_privs, or it doesnâ€™t have
”…””}”(hj*+  hžhhŸNh Nubjz  )”}”(hŒ``CAP_SYS_ADMIN``”h]”hŒCAP_SYS_ADMIN”…””}”(hjR+  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj*+  ubhŒ in its namespace.”…””}”(hj*+  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:469: ./security/landlock/syscalls.c”h MÕhj&+  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hjU*  ubj¶
  )”}”(hŒU``E2BIG``: The maximum number of stacked rulesets is reached for the current
thread.
”h]”j  )”}”(hŒT``E2BIG``: The maximum number of stacked rulesets is reached for the current
thread.”h]”(jz  )”}”(hŒ	``E2BIG``”h]”hŒE2BIG”…””}”(hjy+  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hju+  ubhŒK: The maximum number of stacked rulesets is reached for the current
thread.”…””}”(hju+  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:469: ./security/landlock/syscalls.c”h MØhjq+  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hjU*  ubeh}”(h]”h ]”h"]”h$]”h&]”jß  jà  uh1j°
  hŸjw*  h MÑhj	)  ubj  )”}”(hŒ	**Flags**”h]”jÃ  )”}”(hj +  h]”hŒFlags”…””}”(hj¢+  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hjž+  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:38: ./include/uapi/linux/landlock.h”h KIhj	)  ubj  )”}”(hX€  By default, denied accesses originating from programs that sandbox themselves
are logged via the audit subsystem. Such events typically indicate unexpected
behavior, such as bugs or exploitation attempts. However, to avoid excessive
logging, access requests denied by a domain not created by the originating
program are not logged by default. The rationale is that programs should know
their own behavior, but not necessarily the behavior of other programs.  This
default configuration is suitable for most programs that sandbox themselves.
For specific use cases, the following flags allow programs to modify this
default logging behavior.”h]”hX€  By default, denied accesses originating from programs that sandbox themselves
are logged via the audit subsystem. Such events typically indicate unexpected
behavior, such as bugs or exploitation attempts. However, to avoid excessive
logging, access requests denied by a domain not created by the originating
program are not logged by default. The rationale is that programs should know
their own behavior, but not necessarily the behavior of other programs.  This
default configuration is suitable for most programs that sandbox themselves.
For specific use cases, the following flags allow programs to modify this
default logging behavior.”…””}”(hj¶+  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:38: ./include/uapi/linux/landlock.h”h KKhj	)  ubj  )”}”(hŒ‘The ``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF`` and
``LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON`` flags apply to the newly created
Landlock domain.”h]”(hŒThe ”…””}”(hjÅ+  hžhhŸNh Nubjz  )”}”(hŒ,``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``”h]”hŒ(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF”…””}”(hjÍ+  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjÅ+  ubhŒ and
”…””}”(hjÅ+  hžhhŸNh Nubjz  )”}”(hŒ*``LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON``”h]”hŒ&LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON”…””}”(hjß+  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjÅ+  ubhŒ2 flags apply to the newly created
Landlock domain.”…””}”(hjÅ+  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:38: ./include/uapi/linux/landlock.h”h KUhj	)  ubj  )”}”(hhh]”(j  )”}”(hX  ``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``
Disables logging of denied accesses originating from the thread creating
the Landlock domain, as well as its children, as long as they continue
running the same executable code (i.e., without an intervening
:manpage:`execve(2)` call). This is intended for programs that execute
unknown code without invoking :manpage:`execve(2)`, such as script
interpreters. Programs that only sandbox themselves should not set this
flag, so users can be notified of unauthorized access attempts via system
logs.
”h]”(j  )”}”(hŒ,``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``”h]”jz  )”}”(hj,  h]”hŒ(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF”…””}”(hj,  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjÿ+  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:38: ./include/uapi/linux/landlock.h”h Kahjû+  ubj)  )”}”(hhh]”j  )”}”(hXð  Disables logging of denied accesses originating from the thread creating
the Landlock domain, as well as its children, as long as they continue
running the same executable code (i.e., without an intervening
:manpage:`execve(2)` call). This is intended for programs that execute
unknown code without invoking :manpage:`execve(2)`, such as script
interpreters. Programs that only sandbox themselves should not set this
flag, so users can be notified of unauthorized access attempts via system
logs.”h]”(hŒÏDisables logging of denied accesses originating from the thread creating
the Landlock domain, as well as its children, as long as they continue
running the same executable code (i.e., without an intervening
”…””}”(hj,  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`execve(2)`”h]”hŒ	execve(2)”…””}”(hj",  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œ	execve(2)”jÍ  Œexecve”jÏ  jÐ  uh1j»  hj,  ubhŒQ call). This is intended for programs that execute
unknown code without invoking ”…””}”(hj,  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`execve(2)`”h]”hŒ	execve(2)”…””}”(hj6,  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œ	execve(2)”jÍ  Œexecve”jÏ  jÐ  uh1j»  hj,  ubhŒ¨, such as script
interpreters. Programs that only sandbox themselves should not set this
flag, so users can be notified of unauthorized access attempts via system
logs.”…””}”(hj,  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:38: ./include/uapi/linux/landlock.h”h KZhj,  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j(  hjû+  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸj,  h Kahjø+  ubj  )”}”(hXÁ  ``LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON``
Enables logging of denied accesses after an :manpage:`execve(2)` call,
providing visibility into unauthorized access attempts by newly executed
programs within the created Landlock domain. This flag is recommended
only when all potential executables in the domain are expected to comply
with the access restrictions, as excessive audit log entries could make
it more difficult to identify critical events.
”h]”(j  )”}”(hŒ*``LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON``”h]”jz  )”}”(hjc,  h]”hŒ&LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON”…””}”(hje,  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hja,  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:38: ./include/uapi/linux/landlock.h”h Kihj],  ubj)  )”}”(hhh]”j  )”}”(hX•  Enables logging of denied accesses after an :manpage:`execve(2)` call,
providing visibility into unauthorized access attempts by newly executed
programs within the created Landlock domain. This flag is recommended
only when all potential executables in the domain are expected to comply
with the access restrictions, as excessive audit log entries could make
it more difficult to identify critical events.”h]”(hŒ,Enables logging of denied accesses after an ”…””}”(hj|,  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`execve(2)`”h]”hŒ	execve(2)”…””}”(hj„,  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œ	execve(2)”jÍ  Œexecve”jÏ  jÐ  uh1j»  hj|,  ubhXU   call,
providing visibility into unauthorized access attempts by newly executed
programs within the created Landlock domain. This flag is recommended
only when all potential executables in the domain are expected to comply
with the access restrictions, as excessive audit log entries could make
it more difficult to identify critical events.”…””}”(hj|,  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:38: ./include/uapi/linux/landlock.h”h Kdhjy,  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j(  hj],  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸjx,  h Kihjø+  ubj  )”}”(hX­  ``LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF``
Disables logging of denied accesses originating from nested Landlock
domains created by the caller or its descendants. This flag should be set
according to runtime configuration, not hardcoded, to avoid suppressing
important security events. It is useful for container runtimes or
sandboxing tools that may launch programs which themselves create
Landlock domains and could otherwise generate excessive logs. Unlike
``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``, this flag only affects
future nested domains, not the one being created. It can also be used
with a **ruleset_fd** value of -1 to mute subdomain logs without creating a
domain.
”h]”(j  )”}”(hŒ-``LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF``”h]”jz  )”}”(hj±,  h]”hŒ)LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF”…””}”(hj³,  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj¯,  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:38: ./include/uapi/linux/landlock.h”h Kuhj«,  ubj)  )”}”(hhh]”j  )”}”(hX~  Disables logging of denied accesses originating from nested Landlock
domains created by the caller or its descendants. This flag should be set
according to runtime configuration, not hardcoded, to avoid suppressing
important security events. It is useful for container runtimes or
sandboxing tools that may launch programs which themselves create
Landlock domains and could otherwise generate excessive logs. Unlike
``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``, this flag only affects
future nested domains, not the one being created. It can also be used
with a **ruleset_fd** value of -1 to mute subdomain logs without creating a
domain.”h]”(hX   Disables logging of denied accesses originating from nested Landlock
domains created by the caller or its descendants. This flag should be set
according to runtime configuration, not hardcoded, to avoid suppressing
important security events. It is useful for container runtimes or
sandboxing tools that may launch programs which themselves create
Landlock domains and could otherwise generate excessive logs. Unlike
”…””}”(hjÊ,  hžhhŸNh Nubjz  )”}”(hŒ,``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``”h]”hŒ(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF”…””}”(hjÒ,  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjÊ,  ubhŒf, this flag only affects
future nested domains, not the one being created. It can also be used
with a ”…””}”(hjÊ,  hžhhŸNh NubjÃ  )”}”(hŒ**ruleset_fd**”h]”hŒ
ruleset_fd”…””}”(hjä,  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hjÊ,  ubhŒ> value of -1 to mute subdomain logs without creating a
domain.”…””}”(hjÊ,  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸŒd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:38: ./include/uapi/linux/landlock.h”h KlhjÇ,  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j(  hj«,  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸjÆ,  h Kuhjø+  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hj	)  ubeh}”(h]”h ]”Œkernelindent”ah"]”h$]”h&]”uh1j¸  hjÀ'  hžhhŸNh Nubeh}”(h]”Œenforcing-a-ruleset”ah ]”h"]”Œenforcing a ruleset”ah$]”h&]”uh1hÞhj-
  hžhhŸh³h MÓubeh}”(h]”Œkernel-interface”ah ]”h"]”Œkernel interface”ah$]”h&]”uh1hÞhhàhžhhŸh³h M·ubhß)”}”(hhh]”(hä)”}”(hŒCurrent limitations”h]”hŒCurrent limitations”…””}”(hj)-  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhj&-  hžhhŸh³h MÙubhß)”}”(hhh]”(hä)”}”(hŒ Filesystem topology modification”h]”hŒ Filesystem topology modification”…””}”(hj:-  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhj7-  hžhhŸh³h MÜubj  )”}”(hŒÂThreads sandboxed with filesystem restrictions cannot modify filesystem
topology, whether via :manpage:`mount(2)` or :manpage:`pivot_root(2)`.
However, :manpage:`chroot(2)` calls are not denied.”h]”(hŒ^Threads sandboxed with filesystem restrictions cannot modify filesystem
topology, whether via ”…””}”(hjH-  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`mount(2)`”h]”hŒmount(2)”…””}”(hjP-  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œmount(2)”jÍ  Œmount”jÏ  jÐ  uh1j»  hjH-  ubhŒ or ”…””}”(hjH-  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`pivot_root(2)`”h]”hŒpivot_root(2)”…””}”(hjd-  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œpivot_root(2)”jÍ  Œ
pivot_root”jÏ  jÐ  uh1j»  hjH-  ubhŒ.
However, ”…””}”(hjH-  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`chroot(2)`”h]”hŒ	chroot(2)”…””}”(hjx-  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œ	chroot(2)”jÍ  Œchroot”jÏ  jÐ  uh1j»  hjH-  ubhŒ calls are not denied.”…””}”(hjH-  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h MÞhj7-  hžhubeh}”(h]”Œ filesystem-topology-modification”ah ]”h"]”Œ filesystem topology modification”ah$]”h&]”uh1hÞhj&-  hžhhŸh³h MÜubhß)”}”(hhh]”(hä)”}”(hŒSpecial filesystems”h]”hŒSpecial filesystems”…””}”(hj-  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhjš-  hžhhŸh³h Mãubj  )”}”(hXÌ  Access to regular files and directories can be restricted by Landlock,
according to the handled accesses of a ruleset.  However, files that do not
come from a user-visible filesystem (e.g. pipe, socket), but can still be
accessed through ``/proc/<pid>/fd/*``, cannot currently be explicitly
restricted.  Likewise, some special kernel filesystems such as nsfs, which can
be accessed through ``/proc/<pid>/ns/*``, cannot currently be explicitly
restricted.  However, thanks to the `ptrace restrictions`_, access to such
sensitive ``/proc`` files are automatically restricted according to domain
hierarchies.  Future Landlock evolutions could still enable to explicitly
restrict such paths with dedicated ruleset flags.”h]”(hŒîAccess to regular files and directories can be restricted by Landlock,
according to the handled accesses of a ruleset.  However, files that do not
come from a user-visible filesystem (e.g. pipe, socket), but can still be
accessed through ”…””}”(hj«-  hžhhŸNh Nubjz  )”}”(hŒ``/proc/<pid>/fd/*``”h]”hŒ/proc/<pid>/fd/*”…””}”(hj³-  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj«-  ubhŒ„, cannot currently be explicitly
restricted.  Likewise, some special kernel filesystems such as nsfs, which can
be accessed through ”…””}”(hj«-  hžhhŸNh Nubjz  )”}”(hŒ``/proc/<pid>/ns/*``”h]”hŒ/proc/<pid>/ns/*”…””}”(hjÅ-  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj«-  ubhŒE, cannot currently be explicitly
restricted.  However, thanks to the ”…””}”(hj«-  hžhhŸNh Nubj?  )”}”(hŒ`ptrace restrictions`_”h]”hŒptrace restrictions”…””•      }”(hj×-  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œptrace restrictions”j  jO  uh1j>  hj«-  jR  KubhŒ, access to such
sensitive ”…””}”(hj«-  hžhhŸNh Nubjz  )”}”(hŒ	``/proc``”h]”hŒ/proc”…””}”(hjë-  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj«-  ubhŒ³ files are automatically restricted according to domain
hierarchies.  Future Landlock evolutions could still enable to explicitly
restrict such paths with dedicated ruleset flags.”…””}”(hj«-  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Måhjš-  hžhubeh}”(h]”Œspecial-filesystems”ah ]”h"]”Œspecial filesystems”ah$]”h&]”uh1hÞhj&-  hžhhŸh³h Mãubhß)”}”(hhh]”(hä)”}”(hŒRuleset layers”h]”hŒRuleset layers”…””}”(hj.  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhj.  hžhhŸh³h Mñubj  )”}”(hXÒ  There is a limit of 16 layers of stacked rulesets.  This can be an issue for a
task willing to enforce a new ruleset in complement to its 16 inherited
rulesets.  Once this limit is reached, sys_landlock_restrict_self() returns
E2BIG.  It is then strongly suggested to carefully build rulesets once in the
life of a thread, especially for applications able to launch other applications
that may also want to sandbox themselves (e.g. shells, container managers,
etc.).”h]”hXÒ  There is a limit of 16 layers of stacked rulesets.  This can be an issue for a
task willing to enforce a new ruleset in complement to its 16 inherited
rulesets.  Once this limit is reached, sys_landlock_restrict_self() returns
E2BIG.  It is then strongly suggested to carefully build rulesets once in the
life of a thread, especially for applications able to launch other applications
that may also want to sandbox themselves (e.g. shells, container managers,
etc.).”…””}”(hj.  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Móhj.  hžhubeh}”(h]”Œruleset-layers”ah ]”h"]”Œruleset layers”ah$]”h&]”uh1hÞhj&-  hžhhŸh³h Mñubhß)”}”(hhh]”(hä)”}”(hŒMemory usage”h]”hŒMemory usage”…””}”(hj5.  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhj2.  hžhhŸh³h Müubj  )”}”(hŒ„Kernel memory allocated to create rulesets is accounted and can be restricted
by the Documentation/admin-guide/cgroup-v1/memory.rst.”h]”hŒ„Kernel memory allocated to create rulesets is accounted and can be restricted
by the Documentation/admin-guide/cgroup-v1/memory.rst.”…””}”(hjC.  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Mþhj2.  hžhubeh}”(h]”Œmemory-usage”ah ]”h"]”Œmemory usage”ah$]”h&]”uh1hÞhj&-  hžhhŸh³h Müubhß)”}”(hhh]”(hä)”}”(hŒIOCTL support”h]”hŒIOCTL support”…””}”(hj\.  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhjY.  hžhhŸh³h Mubj  )”}”(hŒòThe ``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right restricts the use of
:manpage:`ioctl(2)`, but it only applies to *newly opened* device files.  This
means specifically that pre-existing file descriptors like stdin, stdout and
stderr are unaffected.”h]”(hŒThe ”…””}”(hjj.  hžhhŸNh Nubjz  )”}”(hŒ ``LANDLOCK_ACCESS_FS_IOCTL_DEV``”h]”hŒLANDLOCK_ACCESS_FS_IOCTL_DEV”…””}”(hjr.  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjj.  ubhŒ right restricts the use of
”…””}”(hjj.  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`ioctl(2)`”h]”hŒioctl(2)”…””}”(hj„.  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œioctl(2)”jÍ  Œioctl”jÏ  jÐ  uh1j»  hjj.  ubhŒ, but it only applies to ”…””}”(hjj.  hžhhŸNh Nubj‹  )”}”(hŒ*newly opened*”h]”hŒnewly opened”…””}”(hj˜.  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jŠ  hjj.  ubhŒx device files.  This
means specifically that pre-existing file descriptors like stdin, stdout and
stderr are unaffected.”…””}”(hjj.  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h MhjY.  hžhubj  )”}”(hX  Users should be aware that TTY devices have traditionally permitted to control
other processes on the same TTY through the ``TIOCSTI`` and ``TIOCLINUX`` IOCTL
commands.  Both of these require ``CAP_SYS_ADMIN`` on modern Linux systems, but
the behavior is configurable for ``TIOCSTI``.”h]”(hŒ{Users should be aware that TTY devices have traditionally permitted to control
other processes on the same TTY through the ”…””}”(hj°.  hžhhŸNh Nubjz  )”}”(hŒ``TIOCSTI``”h]”hŒTIOCSTI”…””}”(hj¸.  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj°.  ubhŒ and ”…””}”(hj°.  hžhhŸNh Nubjz  )”}”(hŒ``TIOCLINUX``”h]”hŒ	TIOCLINUX”…””}”(hjÊ.  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj°.  ubhŒ( IOCTL
commands.  Both of these require ”…””}”(hj°.  hžhhŸNh Nubjz  )”}”(hŒ``CAP_SYS_ADMIN``”h]”hŒCAP_SYS_ADMIN”…””}”(hjÜ.  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj°.  ubhŒ? on modern Linux systems, but
the behavior is configurable for ”…””}”(hj°.  hžhhŸNh Nubjz  )”}”(hŒ``TIOCSTI``”h]”hŒTIOCSTI”…””}”(hjî.  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj°.  ubhŒ.”…””}”(hj°.  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h M	hjY.  hžhubj  )”}”(hŒÂOn older systems, it is therefore recommended to close inherited TTY file
descriptors, or to reopen them from ``/proc/self/fd/*`` without the
``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right, if possible.”h]”(hŒnOn older systems, it is therefore recommended to close inherited TTY file
descriptors, or to reopen them from ”…””}”(hj/  hžhhŸNh Nubjz  )”}”(hŒ``/proc/self/fd/*``”h]”hŒ/proc/self/fd/*”…””}”(hj/  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj/  ubhŒ without the
”…””}”(hj/  hžhhŸNh Nubjz  )”}”(hŒ ``LANDLOCK_ACCESS_FS_IOCTL_DEV``”h]”hŒLANDLOCK_ACCESS_FS_IOCTL_DEV”…””}”(hj /  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj/  ubhŒ right, if possible.”…””}”(hj/  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h MhjY.  hžhubj  )”}”(hX1  Landlock's IOCTL support is coarse-grained at the moment, but may become more
fine-grained in the future.  Until then, users are advised to establish the
guarantees that they need through the file hierarchy, by only allowing the
``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right on files where it is really required.”h]”(hŒçLandlockâ€™s IOCTL support is coarse-grained at the moment, but may become more
fine-grained in the future.  Until then, users are advised to establish the
guarantees that they need through the file hierarchy, by only allowing the
”…””}”(hj8/  hžhhŸNh Nubjz  )”}”(hŒ ``LANDLOCK_ACCESS_FS_IOCTL_DEV``”h]”hŒLANDLOCK_ACCESS_FS_IOCTL_DEV”…””}”(hj@/  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj8/  ubhŒ, right on files where it is really required.”…””}”(hj8/  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h MhjY.  hžhubeh}”(h]”Œioctl-support”ah ]”h"]”Œioctl support”ah$]”h&]”uh1hÞhj&-  hžhhŸh³h Mubeh}”(h]”Œcurrent-limitations”ah ]”h"]”Œcurrent limitations”ah$]”h&]”uh1hÞhhàhžhhŸh³h MÙubhß)”}”(hhh]”(hä)”}”(hŒPrevious limitations”h]”hŒPrevious limitations”…””}”(hjk/  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhjh/  hžhhŸh³h Mubhß)”}”(hhh]”(hä)”}”(hŒ#File renaming and linking (ABI < 2)”h]”hŒ#File renaming and linking (ABI < 2)”…””}”(hj|/  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhjy/  hžhhŸh³h Mubj  )”}”(hX•  Because Landlock targets unprivileged access controls, it needs to properly
handle composition of rules.  Such property also implies rules nesting.
Properly handling multiple layers of rulesets, each one of them able to
restrict access to files, also implies inheritance of the ruleset restrictions
from a parent to its hierarchy.  Because files are identified and restricted by
their hierarchy, moving or linking a file from one directory to another implies
propagation of the hierarchy constraints, or restriction of these actions
according to the potentially lost constraints.  To protect against privilege
escalations through renaming or linking, and for the sake of simplicity,
Landlock previously limited linking and renaming to the same directory.
Starting with the Landlock ABI version 2, it is now possible to securely
control renaming and linking thanks to the new ``LANDLOCK_ACCESS_FS_REFER``
access right.”h]”(hXk  Because Landlock targets unprivileged access controls, it needs to properly
handle composition of rules.  Such property also implies rules nesting.
Properly handling multiple layers of rulesets, each one of them able to
restrict access to files, also implies inheritance of the ruleset restrictions
from a parent to its hierarchy.  Because files are identified and restricted by
their hierarchy, moving or linking a file from one directory to another implies
propagation of the hierarchy constraints, or restriction of these actions
according to the potentially lost constraints.  To protect against privilege
escalations through renaming or linking, and for the sake of simplicity,
Landlock previously limited linking and renaming to the same directory.
Starting with the Landlock ABI version 2, it is now possible to securely
control renaming and linking thanks to the new ”…””}”(hjŠ/  hžhhŸNh Nubjz  )”}”(hŒ``LANDLOCK_ACCESS_FS_REFER``”h]”hŒLANDLOCK_ACCESS_FS_REFER”…””}”(hj’/  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjŠ/  ubhŒ
access right.”…””}”(hjŠ/  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Mhjy/  hžhubeh}”(h]”Œfile-renaming-and-linking-abi-2”ah ]”h"]”Œ#file renaming and linking (abi < 2)”ah$]”h&]”uh1hÞhjh/  hžhhŸh³h Mubhß)”}”(hhh]”(hä)”}”(hŒFile truncation (ABI < 3)”h]”hŒFile truncation (ABI < 3)”…””}”(hjµ/  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhj²/  hžhhŸh³h M,ubj  )”}”(hŒšFile truncation could not be denied before the third Landlock ABI, so it is
always allowed when using a kernel that only supports the first or second ABI.”h]”hŒšFile truncation could not be denied before the third Landlock ABI, so it is
always allowed when using a kernel that only supports the first or second ABI.”…””}”(hjÃ/  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h M.hj²/  hžhubj  )”}”(hŒ›Starting with the Landlock ABI version 3, it is now possible to securely control
truncation thanks to the new ``LANDLOCK_ACCESS_FS_TRUNCATE`` access right.”h]”(hŒnStarting with the Landlock ABI version 3, it is now possible to securely control
truncation thanks to the new ”…””}”(hjÑ/  hžhhŸNh Nubjz  )”}”(hŒ``LANDLOCK_ACCESS_FS_TRUNCATE``”h]”hŒLANDLOCK_ACCESS_FS_TRUNCATE”…””}”(hjÙ/  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjÑ/  ubhŒ access right.”…””}”(hjÑ/  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h M1hj²/  hžhubeh}”(h]”Œfile-truncation-abi-3”ah ]”h"]”Œfile truncation (abi < 3)”ah$]”h&]”uh1hÞhjh/  hžhhŸh³h M,ubhß)”}”(hhh]”(hä)”}”(hŒTCP bind and connect (ABI < 4)”h]”hŒTCP bind and connect (ABI < 4)”…””}”(hjü/  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhjù/  hžhhŸh³h M5ubj  )”}”(hŒîStarting with the Landlock ABI version 4, it is now possible to restrict TCP
bind and connect actions to only a set of allowed ports thanks to the new
``LANDLOCK_ACCESS_NET_BIND_TCP`` and ``LANDLOCK_ACCESS_NET_CONNECT_TCP``
access rights.”h]”(hŒ—Starting with the Landlock ABI version 4, it is now possible to restrict TCP
bind and connect actions to only a set of allowed ports thanks to the new
”…””}”(hj
0  hžhhŸNh Nubjz  )”}”(hŒ ``LANDLOCK_ACCESS_NET_BIND_TCP``”h]”hŒLANDLOCK_ACCESS_NET_BIND_TCP”…””}”(hj0  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj
0  ubhŒ and ”…””}”(hj
0  hžhhŸNh Nubjz  )”}”(hŒ#``LANDLOCK_ACCESS_NET_CONNECT_TCP``”h]”hŒLANDLOCK_ACCESS_NET_CONNECT_TCP”…””}”(hj$0  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj
0  ubhŒ
access rights.”…””}”(hj
0  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h M7hjù/  hžhubeh}”(h]”Œtcp-bind-and-connect-abi-4”ah ]”h"]”Œtcp bind and connect (abi < 4)”ah$]”h&]”uh1hÞhjh/  hžhhŸh³h M5ubhß)”}”(hhh]”(hä)”}”(hŒDevice IOCTL (ABI < 5)”h]”hŒDevice IOCTL (ABI < 5)”…””}”(hjG0  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhjD0  hžhhŸh³h M=ubj  )”}”(hŒ£IOCTL operations could not be denied before the fifth Landlock ABI, so
:manpage:`ioctl(2)` is always allowed when using a kernel that only supports an
earlier ABI.”h]”(hŒGIOCTL operations could not be denied before the fifth Landlock ABI, so
”…””}”(hjU0  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`ioctl(2)`”h]”hŒioctl(2)”…””}”(hj]0  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œioctl(2)”jÍ  Œioctl”jÏ  jÐ  uh1j»  hjU0  ubhŒI is always allowed when using a kernel that only supports an
earlier ABI.”…””}”(hjU0  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h M?hjD0  hžhubj  )”}”(hŒ¸Starting with the Landlock ABI version 5, it is possible to restrict the use of
:manpage:`ioctl(2)` on character and block devices using the new
``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right.”h]”(hŒPStarting with the Landlock ABI version 5, it is possible to restrict the use of
”…””}”(hjw0  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`ioctl(2)`”h]”hŒioctl(2)”…””}”(hj0  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œioctl(2)”jÍ  Œioctl”jÏ  jÐ  uh1j»  hjw0  ubhŒ. on character and block devices using the new
”…””}”(hjw0  hžhhŸNh Nubjz  )”}”(hŒ ``LANDLOCK_ACCESS_FS_IOCTL_DEV``”h]”hŒLANDLOCK_ACCESS_FS_IOCTL_DEV”…””}”(hj“0  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjw0  ubhŒ right.”…””}”(hjw0  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h MChjD0  hžhubeh}”(h]”Œdevice-ioctl-abi-5”ah ]”h"]”Œdevice ioctl (abi < 5)”ah$]”h&]”uh1hÞhjh/  hžhhŸh³h M=ubhß)”}”(hhh]”(hä)”}”(hŒAbstract UNIX socket (ABI < 6)”h]”hŒAbstract UNIX socket (ABI < 6)”…””}”(hj¶0  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhj³0  hžhhŸh³h MHubj  )”}”(hŒÑStarting with the Landlock ABI version 6, it is possible to restrict
connections to an abstract :manpage:`unix(7)` socket by setting
``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET`` to the ``scoped`` ruleset attribute.”h]”(hŒ`Starting with the Landlock ABI version 6, it is possible to restrict
connections to an abstract ”…””}”(hjÄ0  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`unix(7)`”h]”hŒunix(7)”…””}”(hjÌ0  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œunix(7)”jÍ  Œunix”jÏ  jå  uh1j»  hjÄ0  ubhŒ socket by setting
”…””}”(hjÄ0  hžhhŸNh Nubjz  )”}”(hŒ'``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET``”h]”hŒ#LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET”…””}”(hjà0  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjÄ0  ubhŒ to the ”…””}”(hjÄ0  hžhhŸNh Nubjz  )”}”(hŒ
``scoped``”h]”hŒscoped”…””}”(hjò0  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjÄ0  ubhŒ ruleset attribute.”…””}”(hjÄ0  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h MJhj³0  hžhubeh}”(h]”Œabstract-unix-socket-abi-6”ah ]”h"]”Œabstract unix socket (abi < 6)”ah$]”h&]”uh1hÞhjh/  hžhhŸh³h MHubhß)”}”(hhh]”(hä)”}”(hŒSignal (ABI < 6)”h]”hŒSignal (ABI < 6)”…””}”(hj1  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhj1  hžhhŸh³h MOubj  )”}”(hŒ«Starting with the Landlock ABI version 6, it is possible to restrict
:manpage:`signal(7)` sending by setting ``LANDLOCK_SCOPE_SIGNAL`` to the
``scoped`` ruleset attribute.”h]”(hŒEStarting with the Landlock ABI version 6, it is possible to restrict
”…””}”(hj#1  hžhhŸNh Nubj¼  )”}”(hŒ:manpage:`signal(7)`”h]”hŒ	signal(7)”…””}”(hj+1  hžhhŸNh Nubah}”(h]”h ]”j»  ah"]”h$]”h&]”h±h²jË  Œ	signal(7)”jÍ  Œsignal”jÏ  jå  uh1j»  hj#1  ubhŒ sending by setting ”…””}”(hj#1  hžhhŸNh Nubjz  )”}”(hŒ``LANDLOCK_SCOPE_SIGNAL``”h]”hŒLANDLOCK_SCOPE_SIGNAL”…””}”(hj?1  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj#1  ubhŒ to the
”…””}”(hj#1  hžhhŸNh Nubjz  )”}”(hŒ
``scoped``”h]”hŒscoped”…””}”(hjQ1  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj#1  ubhŒ ruleset attribute.”…””}”(hj#1  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h MQhj1  hžhubeh}”(h]”Œsignal-abi-6”ah ]”h"]”Œsignal (abi < 6)”ah$]”h&]”uh1hÞhjh/  hžhhŸh³h MOubhß)”}”(hhh]”(hä)”}”(hŒLogging (ABI < 7)”h]”hŒLogging (ABI < 7)”…””}”(hjt1  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhjq1  hžhhŸh³h MVubj  )”}”(hXr  Starting with the Landlock ABI version 7, it is possible to control logging of
Landlock audit events with the ``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``,
``LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON``, and
``LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF`` flags passed to
sys_landlock_restrict_self().  See Documentation/admin-guide/LSM/landlock.rst
for more details on audit.”h]”(hŒnStarting with the Landlock ABI version 7, it is possible to control logging of
Landlock audit events with the ”…””}”(hj‚1  hžhhŸNh Nubjz  )”}”(hŒ,``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``”h]”hŒ(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF”…””}”(hjŠ1  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj‚1  ubhŒ,
”…””}”(hj‚1  hžhhŸNh Nubjz  )”}”(hŒ*``LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON``”h]”hŒ&LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON”…””}”(hjœ1  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj‚1  ubhŒ, and
”…””}”(hj‚1  hžhhŸNh Nubjz  )”}”(hŒ-``LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF``”h]”hŒ)LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF”…””}”(hj®1  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj‚1  ubhŒy flags passed to
sys_landlock_restrict_self().  See Documentation/admin-guide/LSM/landlock.rst
for more details on audit.”…””}”(hj‚1  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h MXhjq1  hžhubj±	  )”}”(hŒ.. _kernel_support:”h]”h}”(h]”h ]”h"]”h$]”h&]”j  Œkernel-support”uh1j°	  h M_hjq1  hžhhŸh³ubeh}”(h]”Œlogging-abi-7”ah ]”h"]”Œlogging (abi < 7)”ah$]”h&]”uh1hÞhjh/  hžhhŸh³h MVubeh}”(h]”Œprevious-limitations”ah ]”h"]”Œprevious limitations”ah$]”h&]”uh1hÞhhàhžhhŸh³h Mubhß)”}”(hhh]”(hä)”}”(hŒKernel support”h]”hŒKernel support”…””}”(hjä1  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhjá1  hžhhŸh³h Mbubhß)”}”(hhh]”(hä)”}”(hŒBuild time configuration”h]”hŒBuild time configuration”…””}”(hjõ1  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhjò1  hžhhŸh³h Meubj  )”}”(hXÙ  Landlock was first introduced in Linux 5.13 but it must be configured at build
time with ``CONFIG_SECURITY_LANDLOCK=y``.  Landlock must also be enabled at boot
time like other security modules.  The list of security modules enabled by
default is set with ``CONFIG_LSM``.  The kernel configuration should then
contain ``CONFIG_LSM=landlock,[...]`` with ``[...]``  as the list of other
potentially useful security modules for the running system (see the
``CONFIG_LSM`` help).”h]”(hŒYLandlock was first introduced in Linux 5.13 but it must be configured at build
time with ”…””}”(hj2  hžhhŸNh Nubjz  )”}”(hŒ``CONFIG_SECURITY_LANDLOCK=y``”h]”hŒCONFIG_SECURITY_LANDLOCK=y”…””}”(hj2  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj2  ubhŒˆ.  Landlock must also be enabled at boot
time like other security modules.  The list of security modules enabled by
default is set with ”…””}”(hj2  hžhhŸNh Nubjz  )”}”(hŒ``CONFIG_LSM``”h]”hŒ
CONFIG_LSM”…””}”(hj2  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj2  ubhŒ0.  The kernel configuration should then
contain ”…””}”(hj2  hžhhŸNh Nubjz  )”}”(hŒ``CONFIG_LSM=landlock,[...]``”h]”hŒCONFIG_LSM=landlock,[...]”…””}”(hj/2  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj2  ubhŒ with ”…””}”(hj2  hžhhŸNh Nubjz  )”}”(hŒ	``[...]``”h]”hŒ[...]”…””}”(hjA2  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj2  ubhŒ[  as the list of other
potentially useful security modules for the running system (see the
”…””}”(hj2  hžhhŸNh Nubjz  )”}”(hŒ``CONFIG_LSM``”h]”hŒ
CONFIG_LSM”…””}”(hjS2  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj2  ubhŒ help).”…””}”(hj2  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Mghjò1  hžhubeh}”(h]”Œbuild-time-configuration”ah ]”h"]”Œbuild time configuration”ah$]”h&]”uh1hÞhjá1  hžhhŸh³h Meubhß)”}”(hhh]”(hä)”}”(hŒBoot time configuration”h]”hŒBoot time configuration”…””}”(hjv2  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhjs2  hžhhŸh³h Mpubj  )”}”(hŒÕIf the running kernel does not have ``landlock`` in ``CONFIG_LSM``, then we can
enable Landlock by adding ``lsm=landlock,[...]`` to
Documentation/admin-guide/kernel-parameters.rst in the boot loader
configuration.”h]”(hŒ$If the running kernel does not have ”…””}”(hj„2  hžhhŸNh Nubjz  )”}”(hŒ``landlock``”h]”hŒlandlock”…””}”(hjŒ2  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj„2  ubhŒ in ”…””}”(hj„2  hžhhŸNh Nubjz  )”}”(hŒ``CONFIG_LSM``”h]”hŒ
CONFIG_LSM”…””}”(hjž2  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj„2  ubhŒ(, then we can
enable Landlock by adding ”…””}”(hj„2  hžhhŸNh Nubjz  )”}”(hŒ``lsm=landlock,[...]``”h]”hŒlsm=landlock,[...]”…””}”(hj°2  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj„2  ubhŒU to
Documentation/admin-guide/kernel-parameters.rst in the boot loader
configuration.”…””}”(hj„2  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Mrhjs2  hžhubj  )”}”(hŒ6For example, if the current built-in configuration is:”h]”hŒ6For example, if the current built-in configuration is:”…””}”(hjÈ2  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h Mwhjs2  hžhubjÞ  )”}”(hŒ~$ zgrep -h "^CONFIG_LSM=" "/boot/config-$(uname -r)" /proc/config.gz 2>/dev/null
CONFIG_LSM="lockdown,yama,integrity,apparmor"”h]”hŒ~$ zgrep -h "^CONFIG_LSM=" "/boot/config-$(uname -r)" /proc/config.gz 2>/dev/null
CONFIG_LSM="lockdown,yama,integrity,apparmor"”…””}”hjÖ2  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²jí  ‰jî  Œconsole”jð  }”uh1jÝ  hŸh³h Myhjs2  hžhubj  )”}”(hŒ:...and if the cmdline doesn't contain ``landlock`` either:”h]”(hŒ(...and if the cmdline doesnâ€™t contain ”…””}”(hjæ2  hžhhŸNh Nubjz  )”}”(hŒ``landlock``”h]”hŒlandlock”…””}”(hjî2  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjæ2  ubhŒ either:”…””}”(hjæ2  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h M~hjs2  hžhubjÞ  )”}”(hŒW$ sed -n 's/.*\(\<lsm=\S\+\).*/\1/p' /proc/cmdline
lsm=lockdown,yama,integrity,apparmor”h]”hŒW$ sed -n 's/.*\(\<lsm=\S\+\).*/\1/p' /proc/cmdline
lsm=lockdown,yama,integrity,apparmor”…””}”hj3  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²jí  ‰jî  Œconsole”jð  }”uh1jÝ  hŸh³h M€hjs2  hžhubj  )”}”(hŒr...we should configure the boot loader to set a cmdline extending the ``lsm``
list with the ``landlock,`` prefix::”h]”(hŒF...we should configure the boot loader to set a cmdline extending the ”…””}”(hj3  hžhhŸNh Nubjz  )”}”(hŒ``lsm``”h]”hŒlsm”…””}”(hj3  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj3  ubhŒ
list with the ”…””}”(hj3  hžhhŸNh Nubjz  )”}”(hŒ``landlock,``”h]”hŒ	landlock,”…””}”(hj03  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hj3  ubhŒ prefix:”…””}”(hj3  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h M…hjs2  hžhubjÞ  )”}”(hŒ-lsm=landlock,lockdown,yama,integrity,apparmor”h]”hŒ-lsm=landlock,lockdown,yama,integrity,apparmor”…””}”hjH3  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1jÝ  hŸh³h Mˆhjs2  hžhubj  )”}”(hŒWAfter a reboot, we can check that Landlock is up and running by looking at
kernel logs:”h]”hŒWAfter a reboot, we can check that Landlock is up and running by looking at
kernel logs:”…””}”(hjV3  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h MŠhjs2  hžhubjÞ  )”}”(hXa  # dmesg | grep landlock || journalctl -kb -g landlock
[    0.000000] Command line: [...] lsm=landlock,lockdown,yama,integrity,apparmor
[    0.000000] Kernel command line: [...] lsm=landlock,lockdown,yama,integrity,apparmor
[    0.000000] LSM: initializing lsm=lockdown,capability,landlock,yama,integrity,apparmor
[    0.000000] landlock: Up and running.”h]”hXa  # dmesg | grep landlock || journalctl -kb -g landlock
[    0.000000] Command line: [...] lsm=landlock,lockdown,yama,integrity,apparmor
[    0.000000] Kernel command line: [...] lsm=landlock,lockdown,yama,integrity,apparmor
[    0.000000] LSM: initializing lsm=lockdown,capability,landlock,yama,integrity,apparmor
[    0.000000] landlock: Up and running.”…””}”hjd3  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²jí  ‰jî  Œconsole”jð  }”uh1jÝ  hŸh³h Mhjs2  hžhubj  )”}”(hŒýThe kernel may be configured at build time to always load the ``lockdown`` and
``capability`` LSMs.  In that case, these LSMs will appear at the beginning of
the ``LSM: initializing`` log line as well, even if they are not configured in
the boot loader.”h]”(hŒ>The kernel may be configured at build time to always load the ”…””}”(hjt3  hžhhŸNh Nubjz  )”}”(hŒ``lockdown``”h]”hŒlockdown”…””}”(hj|3  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjt3  ubhŒ and
”…””}”(hjt3  hžhhŸNh Nubjz  )”}”(hŒ``capability``”h]”hŒ
capability”…””}”(hjŽ3  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjt3  ubhŒE LSMs.  In that case, these LSMs will appear at the beginning of
the ”…””}”(hjt3  hžhhŸNh Nubjz  )”}”(hŒ``LSM: initializing``”h]”hŒLSM: initializing”…””}”(hj 3  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjt3  ubhŒF log line as well, even if they are not configured in
the boot loader.”…””}”(hjt3  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h M•hjs2  hžhubeh}”(h]”Œboot-time-configuration”ah ]”h"]”Œboot time configuration”ah$]”h&]”uh1hÞhjá1  hžhhŸh³h Mpubhß)”}”(hhh]”(hä)”}”(hŒNetwork support”h]”hŒNetwork support”…””}”(hjÃ3  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhjÀ3  hžhhŸh³h M›ubj  )”}”(hXB  To be able to explicitly allow TCP operations (e.g., adding a network rule with
``LANDLOCK_ACCESS_NET_BIND_TCP``), the kernel must support TCP
(``CONFIG_INET=y``).  Otherwise, sys_landlock_add_rule() returns an
``EAFNOSUPPORT`` error, which can safely be ignored because this kind of TCP
operation is already not possible.”h]”(hŒPTo be able to explicitly allow TCP operations (e.g., adding a network rule with
”…””}”(hjÑ3  hžhhŸNh Nubjz  )”}”(hŒ ``LANDLOCK_ACCESS_NET_BIND_TCP``”h]”hŒLANDLOCK_ACCESS_NET_BIND_TCP”…””}”(hjÙ3  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjÑ3  ubhŒ ), the kernel must support TCP
(”…””}”(hjÑ3  hžhhŸNh Nubjz  )”}”(hŒ``CONFIG_INET=y``”h]”hŒCONFIG_INET=y”…””}”(hjë3  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjÑ3  ubhŒ2).  Otherwise, sys_landlock_add_rule() returns an
”…””}”(hjÑ3  hžhhŸNh Nubjz  )”}”(hŒ``EAFNOSUPPORT``”h]”hŒEAFNOSUPPORT”…””}”(hjý3  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hjÑ3  ubhŒ_ error, which can safely be ignored because this kind of TCP
operation is already not possible.”…””}”(hjÑ3  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h MhjÀ3  hžhubeh}”(h]”Œnetwork-support”ah ]”h"]”Œnetwork support”ah$]”h&]”uh1hÞhjá1  hžhhŸh³h M›ubeh}”(h]”(jÐ1  Œid2”eh ]”h"]”(Œkernel support”Œkernel_support”eh$]”h&]”uh1hÞhhàhžhhŸh³h Mbj!
  }”j#4  jÆ1  sj#
  }”jÐ1  jÆ1  subhß)”}”(hhh]”(hä)”}”(hŒQuestions and answers”h]”hŒQuestions and answers”…””}”(hj+4  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhj(4  hžhhŸh³h M¤ubhß)”}”(hhh]”(hä)”}”(hŒ'What about user space sandbox managers?”h]”hŒ'What about user space sandbox managers?”…””}”(hj<4  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhj94  hžhhŸh³h M§ubj  )”}”(hX6  Using user space processes to enforce restrictions on kernel resources can lead
to race conditions or inconsistent evaluations (i.e. `Incorrect mirroring of
the OS code and state
<https://www.ndss-symposium.org/ndss2003/traps-and-pitfalls-practical-problems-system-call-interposition-based-security-tools/>`_).”h]”(hŒ…Using user space processes to enforce restrictions on kernel resources can lead
to race conditions or inconsistent evaluations (i.e. ”…””}”(hjJ4  hžhhŸNh Nubj?  )”}”(hŒ¯`Incorrect mirroring of
the OS code and state
<https://www.ndss-symposium.org/ndss2003/traps-and-pitfalls-practical-problems-system-call-interposition-based-security-tools/>`_”h]”hŒ,Incorrect mirroring of
the OS code and state”…””}”(hjR4  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œ,Incorrect mirroring of the OS code and state”jP  Œ}https://www.ndss-symposium.org/ndss2003/traps-and-pitfalls-practical-problems-system-call-interposition-based-security-tools/”uh1j>  hjJ4  ubj±	  )”}”(hŒ€
<https://www.ndss-symposium.org/ndss2003/traps-and-pitfalls-practical-problems-system-call-interposition-based-security-tools/>”h]”h}”(h]”Œ,incorrect-mirroring-of-the-os-code-and-state”ah ]”h"]”Œ,incorrect mirroring of the os code and state”ah$]”h&]”Œrefuri”jb4  uh1j°	  jU  KhjJ4  ubhŒ).”…””}”(hjJ4  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h M©hj94  hžhubeh}”(h]”Œ&what-about-user-space-sandbox-managers”ah ]”h"]”Œ'what about user space sandbox managers?”ah$]”h&]”uh1hÞhj(4  hžhhŸh³h M§ubhß)”}”(hhh]”(hä)”}”(hŒ%What about namespaces and containers?”h]”hŒ%What about namespaces and containers?”…””}”(hj…4  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhj‚4  hžhhŸh³h M¯ubj  )”}”(hXj  Namespaces can help create sandboxes but they are not designed for
access-control and then miss useful features for such use case (e.g. no
fine-grained restrictions).  Moreover, their complexity can lead to security
issues, especially when untrusted processes can manipulate them (cf.
`Controlling access to user namespaces <https://lwn.net/Articles/673597/>`_).”h]”(hX  Namespaces can help create sandboxes but they are not designed for
access-control and then miss useful features for such use case (e.g. no
fine-grained restrictions).  Moreover, their complexity can lead to security
issues, especially when untrusted processes can manipulate them (cf.
”…””}”(hj“4  hžhhŸNh Nubj?  )”}”(hŒK`Controlling access to user namespaces <https://lwn.net/Articles/673597/>`_”h]”hŒ%Controlling access to user namespaces”…””}”(hj›4  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œ%Controlling access to user namespaces”jP  Œ https://lwn.net/Articles/673597/”uh1j>  hj“4  ubj±	  )”}”(hŒ# <https://lwn.net/Articles/673597/>”h]”h}”(h]”Œ%controlling-access-to-user-namespaces”ah ]”h"]”Œ%controlling access to user namespaces”ah$]”h&]”Œrefuri”j«4  uh1j°	  jU  Khj“4  ubhŒ).”…””}”(hj“4  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h M±hj‚4  hžhubeh}”(h]”Œ$what-about-namespaces-and-containers”ah ]”h"]”Œ%what about namespaces and containers?”ah$]”h&]”uh1hÞhj(4  hžhhŸh³h M¯ubhß)”}”(hhh]”(hä)”}”(hŒ&How to disable Landlock audit records?”h]”hŒ&How to disable Landlock audit records?”…””}”(hjÎ4  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhjË4  hžhhŸh³h M¸ubj  )”}”(hŒdYou might want to put in place filters as explained here:
Documentation/admin-guide/LSM/landlock.rst”h]”hŒdYou might want to put in place filters as explained here:
Documentation/admin-guide/LSM/landlock.rst”…””}”(hjÜ4  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h MºhjË4  hžhubeh}”(h]”Œ%how-to-disable-landlock-audit-records”ah ]”h"]”Œ&how to disable landlock audit records?”ah$]”h&]”uh1hÞhj(4  hžhhŸh³h M¸ubeh}”(h]”Œquestions-and-answers”ah ]”h"]”Œquestions and answers”ah$]”h&]”uh1hÞhhàhžhhŸh³h M¤ubhß)”}”(hhh]”(hä)”}”(hŒAdditional documentation”h]”hŒAdditional documentation”…””}”(hjý4  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhjú4  hžhhŸh³h M¾ubj±
  )”}”(hhh]”(j¶
  )”}”(hŒ*Documentation/admin-guide/LSM/landlock.rst”h]”j  )”}”(hj5  h]”hŒ*Documentation/admin-guide/LSM/landlock.rst”…””}”(hj5  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h MÀhj5  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj5  hžhhŸh³h Nubj¶
  )”}”(hŒ#Documentation/security/landlock.rst”h]”j  )”}”(hj'5  h]”hŒ#Documentation/security/landlock.rst”…””}”(hj)5  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h MÁhj%5  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj5  hžhhŸh³h Nubj¶
  )”}”(hŒhttps://landlock.io
”h]”j  )”}”(hŒhttps://landlock.io”h]”j?  )”}”(hjB5  h]”hŒhttps://landlock.io”…””}”(hjD5  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”jB5  uh1j>  hj@5  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hŸh³h MÂhj<5  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ
  hj5  hžhhŸh³h Nubeh}”(h]”h ]”h"]”h$]”h&]”jß  j(  uh1j°
  hŸh³h MÀhjú4  hžhubh¢)”}”(hŒLinks”h]”hŒLinks”…””}”hjd5  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1h¡hjú4  hžhhŸh³h MÄubj±	  )”}”(hŒ‡.. _samples/landlock/sandboxer.c:
   https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/samples/landlock/sandboxer.c”h]”h}”(h]”Œsamples-landlock-sandboxer-c”ah ]”h"]”Œsamples/landlock/sandboxer.c”ah$]”h&]”jP  jQ  uh1j°	  h MÅhjú4  hžhhŸh³jU  Kubeh}”(h]”Œadditional-documentation”ah ]”h"]”Œadditional documentation”ah$]”h&]”uh1hÞhhàhžhhŸh³h M¾ubeh}”(h]”Œ$landlock-unprivileged-access-control”ah ]”h"]”Œ%landlock: unprivileged access control”ah$]”h&]”uh1hÞhhhžhhŸh³h Kubeh}”(h]”h ]”h"]”h$]”h&]”Œsource”h³uh1hŒcurrent_source”NŒcurrent_line”NŒsettings”Œdocutils.frontend”ŒValues”“”)”}”(hãNŒ	generator”NŒ	datestamp”NŒsource_link”NŒ
source_url”NŒtoc_backlinks”Œentry”Œfootnote_backlinks”KŒsectnum_xform”KŒstrip_comments”NŒstrip_elements_with_classes”NŒstrip_classes”NŒreport_level”KŒ
halt_level”KŒexit_status_level”KŒdebug”NŒwarning_stream”NŒ	traceback”ˆŒinput_encoding”Œ	utf-8-sig”Œinput_encoding_error_handler”Œstrict”Œoutput_encoding”Œutf-8”Œoutput_encoding_error_handler”j±5  Œerror_encoding”Œutf-8”Œerror_encoding_error_handler”Œbackslashreplace”Œlanguage_code”Œen”Œrecord_dependencies”NŒconfig”NŒ	id_prefix”hŒauto_id_prefix”Œid”Œdump_settings”NŒdump_internals”NŒdump_transforms”NŒdump_pseudo_xml”NŒexpose_internals”NŒstrict_visitor”NŒ_disable_config”NŒ_source”h³Œ_destination”NŒ_config_files”]”Œ7/var/lib/git/docbuild/linux/Documentation/docutils.conf”aŒfile_insertion_enabled”ˆŒraw_enabled”KŒline_length_limit”M'Œpep_references”NŒpep_base_url”Œhttps://peps.python.org/”Œpep_file_url_template”Œpep-%04d”Œrfc_references”NŒrfc_base_url”Œ&https://datatracker.ietf.org/doc/html/”Œ	tab_width”KŒtrim_footnote_reference_space”‰Œsyntax_highlight”Œlong”Œsmart_quotes”ˆŒsmartquotes_locales”]”Œcharacter_level_inline_markup”‰Œdoctitle_xform”‰Œdocinfo_xform”KŒsectsubtitle_xform”‰Œimage_loading”Œlink”Œembed_stylesheet”‰Œcloak_email_addresses”ˆŒsection_self_link”‰Œenv”NubŒreporter”NŒindirect_targets”]”Œsubstitution_defs”}”Œsubstitution_names”}”Œrefnames”}”(Œsamples/landlock/sandboxer.c”]”j@  aŒptrace restrictions”]”(jo  j×-  eŒfilesystem flags”]”(j‹  jÑ  j=%  eŒnetwork flags”]”(jÙ  jÍ&  eŒscope flags”]”j'  auŒrefids”}”(jÓ	  ]”jÉ	  ajÐ1  ]”jÆ1  auŒnameids”}”(j‹5  jˆ5  jR	  jO	  jb  j_  j'  j$  j\  jY  jŸ  jœ  j  j  jR  jO  j¸  jµ  j  jŠ  jJ	  jG	  j*
  j'
  jÙ	  jÖ	  j»	  j¸	  j
  jÓ	  j
  j
  j#-  j -  jg  jd  j&  j#  jÂ  j¿  j_  j\  j3  j0  j½'  jº'  j-  j-  je/  jb/  j—-  j”-  j.  j.  j/.  j,.  jV.  jS.  j]/  jZ/  jÞ1  jÛ1  j¯/  j¬/  jö/  jó/  jA0  j>0  j°0  j­0  j1  j1  jn1  jk1  jÖ1  jÓ1  j#4  jÐ1  j"4  j4  jp2  jm2  j½3  jº3  j4  j4  j÷4  jô4  j4  j|4  jl4  ji4  jÈ4  jÅ4  jµ4  j²4  jï4  jì4  jƒ5  j€5  j{5  jx5  uŒ	nametypes”}”(j‹5  ‰jR	  ‰jb  ‰j'  ‰j\  ‰jŸ  ‰j  ‰jR  ‰j¸  ‰j  ‰jJ	  ‰j*
  ‰jÙ	  ‰j»	  ˆj
  ˆj
  ‰j#-  ‰jg  ‰j&  ‰jÂ  ‰j_  ‰j3  ‰j½'  ‰j-  ‰je/  ‰j—-  ‰j.  ‰j/.  ‰jV.  ‰j]/  ‰jÞ1  ‰j¯/  ‰jö/  ‰jA0  ‰j°0  ‰j1  ‰jn1  ‰jÖ1  ‰j#4  ˆj"4  ‰jp2  ‰j½3  ‰j4  ‰j÷4  ‰j4  ‰jl4  ˆjÈ4  ‰jµ4  ˆjï4  ‰jƒ5  ‰j{5  ˆuh}”(jˆ5  hàjO	  jà  j_  j¢  j$  je  jY  j*  jœ  j_  j  j¢  jO  j  jµ  jV  jŠ  j»  jG	  j  j'
  jU	  jÖ	  jf	  j¸	  j²	  jÓ	  jÜ	  j
  jÜ	  j -  j-
  jd  j>
  j#  j
  j¿  j)  j\  jÅ  j0  jj  jŠ  j“  j­  j³  jº'  j6  jS  jX  jÜ"  jâ"  j`$  je$  jð%  jõ%  j-  jÀ'  jÝ'  jâ'  jb/  j&-  j”-  j7-  j.  jš-  j,.  j.  jS.  j2.  jZ/  jY.  jÛ1  jh/  j¬/  jy/  jó/  j²/  j>0  jù/  j­0  jD0  j1  j³0  jk1  j1  jÓ1  jq1  jÐ1  já1  j4  já1  jm2  jò1  jº3  js2  j4  jÀ3  jô4  j(4  j|4  j94  ji4  jc4  jÅ4  j‚4  j²4  j¬4  jì4  jË4  j€5  jú4  jx5  jr5  uŒfootnote_refs”}”Œcitation_refs”}”Œautofootnotes”]”Œautofootnote_refs”]”Œsymbol_footnotes”]”Œsymbol_footnote_refs”]”Œ	footnotes”]”Œ	citations”]”Œautofootnote_start”KŒsymbol_footnote_start”K Œ
id_counter”Œcollections”ŒCounter”“”}”j¿5  Ks…”R”Œparse_messages”]”Œtransform_messages”]”(hŒsystem_message”“”)”}”(hhh]”j  )”}”(hhh]”hŒ;Hyperlink target "landlock-abi-versions" is not referenced.”…””}”hj&6  sbah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj#6  ubah}”(h]”h ]”h"]”h$]”h&]”Œlevel”KŒtype”ŒINFO”Œsource”h³Œline”M–uh1j!6  ubj"6  )”}”(hhh]”j  )”}”(hhh]”hŒ4Hyperlink target "kernel-support" is not referenced.”…””}”hjA6  sbah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj>6  ubah}”(h]”h ]”h"]”h$]”h&]”Œlevel”KŒtype”j;6  Œsource”h³Œline”M_uh1j!6  ubeŒtransformer”NŒinclude_log”]”Œ
decoration”Nhžhub.