sphinx.addnodesdocument)}( rawsourcechildren]( translations LanguagesNode)}(hhh](h pending_xref)}(hhh]docutils.nodesTextChinese (Simplified)}parenthsba attributes}(ids]classes]names]dupnames]backrefs] refdomainstdreftypedoc reftarget*/translations/zh_CN/userspace-api/landlockmodnameN classnameN refexplicitutagnamehhh ubh)}(hhh]hChinese (Traditional)}hh2sbah}(h]h ]h"]h$]h&] refdomainh)reftypeh+ reftarget*/translations/zh_TW/userspace-api/landlockmodnameN classnameN refexplicituh1hhh ubh)}(hhh]hItalian}hhFsbah}(h]h ]h"]h$]h&] refdomainh)reftypeh+ reftarget*/translations/it_IT/userspace-api/landlockmodnameN classnameN refexplicituh1hhh ubh)}(hhh]hJapanese}hhZsbah}(h]h ]h"]h$]h&] refdomainh)reftypeh+ reftarget*/translations/ja_JP/userspace-api/landlockmodnameN classnameN refexplicituh1hhh ubh)}(hhh]hKorean}hhnsbah}(h]h ]h"]h$]h&] refdomainh)reftypeh+ reftarget*/translations/ko_KR/userspace-api/landlockmodnameN classnameN refexplicituh1hhh ubh)}(hhh]hSpanish}hhsbah}(h]h ]h"]h$]h&] refdomainh)reftypeh+ reftarget*/translations/sp_SP/userspace-api/landlockmodnameN classnameN refexplicituh1hhh ubeh}(h]h ]h"]h$]h&]current_languageEnglishuh1h hh _documenthsourceNlineNubhcomment)}(h SPDX-License-Identifier: GPL-2.0h]h SPDX-License-Identifier: GPL-2.0}hhsbah}(h]h ]h"]h$]h&] xml:spacepreserveuh1hhhhhhD/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock.rsthKubh)}(h9Copyright © 2017-2020 Mickaël Salaün h]h9Copyright © 2017-2020 Mickaël Salaün }hhsbah}(h]h ]h"]h$]h&]hhuh1hhhhhhhhKubh)}(hCopyright © 2019-2020 ANSSIh]hCopyright © 2019-2020 ANSSI}hhsbah}(h]h ]h"]h$]h&]hhuh1hhhhhhhhKubh)}(h,Copyright © 2021-2022 Microsoft Corporationh]h,Copyright © 2021-2022 Microsoft Corporation}hhsbah}(h]h ]h"]h$]h&]hhuh1hhhhhhhhKubhsection)}(hhh](htitle)}(h%Landlock: unprivileged access controlh]h%Landlock: unprivileged access control}(hhhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhhhhhKubh field_list)}(hhh](hfield)}(hhh](h field_name)}(hAuthorh]hAuthor}(hhhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhhhKubh 
field_body)}(hMickaël Salaünh]h paragraph)}(hjh]hMickaël Salaün}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK hjubah}(h]h ]h"]h$]h&]uh1j hhubeh}(h]h ]h"]h$]h&]uh1hhhhK hhhhubh)}(hhh](h)}(hDateh]hDate}(hj1hhhNhNubah}(h]h ]h"]h$]h&]uh1hhj.hhhKubj)}(h January 2026 h]j)}(h January 2026h]h January 2026}(hjChhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK hj?ubah}(h]h ]h"]h$]h&]uh1j hj.ubeh}(h]h ]h"]h$]h&]uh1hhhhK hhhhubeh}(h]h ]h"]h$]h&]uh1hhhhhhhhK ubj)}(hXThe goal of Landlock is to enable restriction of ambient rights (e.g. global filesystem or network access) for a set of processes. Because Landlock is a stackable LSM, it makes it possible to create safe security sandboxes as new security layers in addition to the existing system-wide access-controls. This kind of sandbox is expected to help mitigate the security impact of bugs or unexpected/malicious behaviors in user space applications. Landlock empowers any process, including unprivileged ones, to securely restrict themselves.h]hXThe goal of Landlock is to enable restriction of ambient rights (e.g. global filesystem or network access) for a set of processes. Because Landlock is a stackable LSM, it makes it possible to create safe security sandboxes as new security layers in addition to the existing system-wide access-controls. This kind of sandbox is expected to help mitigate the security impact of bugs or unexpected/malicious behaviors in user space applications. Landlock empowers any process, including unprivileged ones, to securely restrict themselves.}(hjchhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK hhhhubj)}(hXWe can quickly make sure that Landlock is enabled in the running system by looking for "landlock: Up and running" in kernel logs (as root): ``dmesg | grep landlock || journalctl -kb -g landlock`` . Developers can also easily check for Landlock support with a :ref:`related system call `. 
If Landlock is not currently supported, we need to :ref:`configure the kernel appropriately `.h](hWe can quickly make sure that Landlock is enabled in the running system by looking for “landlock: Up and running” in kernel logs (as root): }(hjqhhhNhNubhliteral)}(h7``dmesg | grep landlock || journalctl -kb -g landlock``h]h3dmesg | grep landlock || journalctl -kb -g landlock}(hj{hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjqubh@ . Developers can also easily check for Landlock support with a }(hjqhhhNhNubh)}(h2:ref:`related system call `h]hinline)}(hjh]hrelated system call}(hjhhhNhNubah}(h]h ](xrefstdstd-refeh"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]refdocuserspace-api/landlock refdomainjreftyperef refexplicitrefwarn reftargetlandlock_abi_versionsuh1hhhhKhjqubh5. If Landlock is not currently supported, we need to }(hjqhhhNhNubh)}(h::ref:`configure the kernel appropriately `h]j)}(hjh]h"configure the kernel appropriately}(hjhhhNhNubah}(h]h ](jstdstd-refeh"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]refdocj refdomainjreftyperef refexplicitrefwarnjkernel_supportuh1hhhhKhjqubh.}(hjqhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhhhKhhhhubh)}(hhh](h)}(hLandlock rulesh]hLandlock rules}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhKubj)}(hA Landlock rule describes an action on an object which the process intends to perform. A set of rules is aggregated in a ruleset, which can then restrict the thread enforcing it, and its future children.h]hA Landlock rule describes an action on an object which the process intends to perform. A set of rules is aggregated in a ruleset, which can then restrict the thread enforcing it, and its future children.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK hjhhubj)}(h$The two existing types of rules are:h]h$The two existing types of rules are:}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK$hjhhubhdefinition_list)}(hhh](hdefinition_list_item)}(hFilesystem rules For these rules, the object is a file hierarchy, and the related filesystem actions are defined with `filesystem access rights`. 
h](hterm)}(hFilesystem rulesh]hFilesystem rules}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK)hjubh definition)}(hhh]j)}(hFor these rules, the object is a file hierarchy, and the related filesystem actions are defined with `filesystem access rights`.h](heFor these rules, the object is a file hierarchy, and the related filesystem actions are defined with }(hj-hhhNhNubhtitle_reference)}(h`filesystem access rights`h]hfilesystem access rights}(hj7hhhNhNubah}(h]h ]h"]h$]h&]uh1j5hj-ubh.}(hj-hhhNhNubeh}(h]h ]h"]h$]h&]uh1jhhhK'hj*ubah}(h]h ]h"]h$]h&]uh1j(hjubeh}(h]h ]h"]h$]h&]uh1jhhhK)hjubj)}(hNetwork rules (since ABI v4) For these rules, the object is a TCP port, and the related actions are defined with `network access rights`. h](j)}(hNetwork rules (since ABI v4)h]hNetwork rules (since ABI v4)}(hj_hhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK-hj[ubj))}(hhh]j)}(hlFor these rules, the object is a TCP port, and the related actions are defined with `network access rights`.h](hTFor these rules, the object is a TCP port, and the related actions are defined with }(hjphhhNhNubj6)}(h`network access rights`h]hnetwork access rights}(hjxhhhNhNubah}(h]h ]h"]h$]h&]uh1j5hjpubh.}(hjphhhNhNubeh}(h]h ]h"]h$]h&]uh1jhhhK,hjmubah}(h]h ]h"]h$]h&]uh1j(hj[ubeh}(h]h ]h"]h$]h&]uh1jhhhK-hjhhubeh}(h]h ]h"]h$]h&]uh1j hjhhhhhNubh)}(hhh](h)}(h(Defining and enforcing a security policyh]h(Defining and enforcing a security policy}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhK0ubj)}(h@We first need to define the ruleset that will contain our rules.h]h@We first need to define the ruleset that will contain our rules.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK2hjhhubj)}(hFor this example, the ruleset will contain rules that only allow filesystem read actions and establish a specific TCP connection. Filesystem write actions and other TCP actions will be denied.h]hFor this example, the ruleset will contain rules that only allow filesystem read actions and establish a specific TCP connection. 
Filesystem write actions and other TCP actions will be denied.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK4hjhhubj)}(hXThe ruleset then needs to handle both these kinds of actions. This is required for backward and forward compatibility (i.e. the kernel and user space may not know each other's supported restrictions), hence the need to be explicit about the denied-by-default access rights.h]hXThe ruleset then needs to handle both these kinds of actions. This is required for backward and forward compatibility (i.e. the kernel and user space may not know each other’s supported restrictions), hence the need to be explicit about the denied-by-default access rights.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK8hjhhubh literal_block)}(hXwstruct landlock_ruleset_attr ruleset_attr = { .handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM | LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_TRUNCATE | LANDLOCK_ACCESS_FS_IOCTL_DEV, .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP, .scoped = LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET | LANDLOCK_SCOPE_SIGNAL, };h]hXwstruct landlock_ruleset_attr ruleset_attr = { .handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM | LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_TRUNCATE | 
LANDLOCK_ACCESS_FS_IOCTL_DEV, .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP, .scoped = LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET | LANDLOCK_SCOPE_SIGNAL, };}hjsbah}(h]h ]h"]h$]h&]hhforcelanguagechighlight_args}uh1jhhhK=hjhhubj)}(hBecause we may not know which kernel version an application will be executed on, it is safer to follow a best-effort security approach. Indeed, we should try to protect users as much as possible whatever the kernel they are using.h]hBecause we may not know which kernel version an application will be executed on, it is safer to follow a best-effort security approach. Indeed, we should try to protect users as much as possible whatever the kernel they are using.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKYhjhhubj)}(hTo be compatible with older Linux versions, we detect the available Landlock ABI version, and only use the available subset of access rights:h]hTo be compatible with older Linux versions, we detect the available Landlock ABI version, and only use the available subset of access rights:}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK^hjhhubj)}(hXuint abi; abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION); if (abi < 0) { /* Degrades gracefully if Landlock is not handled. 
*/ perror("The running kernel does not enable to use Landlock"); return 0; } switch (abi) { case 1: /* Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2 */ ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER; __attribute__((fallthrough)); case 2: /* Removes LANDLOCK_ACCESS_FS_TRUNCATE for ABI < 3 */ ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE; __attribute__((fallthrough)); case 3: /* Removes network support for ABI < 4 */ ruleset_attr.handled_access_net &= ~(LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP); __attribute__((fallthrough)); case 4: /* Removes LANDLOCK_ACCESS_FS_IOCTL_DEV for ABI < 5 */ ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV; __attribute__((fallthrough)); case 5: /* Removes LANDLOCK_SCOPE_* for ABI < 6 */ ruleset_attr.scoped &= ~(LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET | LANDLOCK_SCOPE_SIGNAL); }h]hXuint abi; abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION); if (abi < 0) { /* Degrades gracefully if Landlock is not handled. 
*/ perror("The running kernel does not enable to use Landlock"); return 0; } switch (abi) { case 1: /* Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2 */ ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER; __attribute__((fallthrough)); case 2: /* Removes LANDLOCK_ACCESS_FS_TRUNCATE for ABI < 3 */ ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE; __attribute__((fallthrough)); case 3: /* Removes network support for ABI < 4 */ ruleset_attr.handled_access_net &= ~(LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP); __attribute__((fallthrough)); case 4: /* Removes LANDLOCK_ACCESS_FS_IOCTL_DEV for ABI < 5 */ ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV; __attribute__((fallthrough)); case 5: /* Removes LANDLOCK_SCOPE_* for ABI < 6 */ ruleset_attr.scoped &= ~(LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET | LANDLOCK_SCOPE_SIGNAL); }}hjsbah}(h]h ]h"]h$]h&]hhjjjj}uh1jhhhKahjhhubj)}(hNThis enables the creation of an inclusive ruleset that will contain our rules.h]hNThis enables the creation of an inclusive ruleset that will contain our rules.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKhjhhubj)}(hint ruleset_fd; ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); if (ruleset_fd < 0) { perror("Failed to create a ruleset"); return 1; }h]hint ruleset_fd; ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); if (ruleset_fd < 0) { perror("Failed to create a ruleset"); return 1; }}hj+sbah}(h]h ]h"]h$]h&]hhjjjj}uh1jhhhKhjhhubj)}(hXWe can now add a new rule to this ruleset thanks to the returned file descriptor referring to this ruleset. The rule will allow reading and executing the file hierarchy ``/usr``. Without another rule, write actions would then be denied by the ruleset. 
To add ``/usr`` to the ruleset, we open it with the ``O_PATH`` flag and fill the &struct landlock_path_beneath_attr with this file descriptor.h](hWe can now add a new rule to this ruleset thanks to the returned file descriptor referring to this ruleset. The rule will allow reading and executing the file hierarchy }(hj:hhhNhNubjz)}(h``/usr``h]h/usr}(hjBhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhj:ubhT. Without another rule, write actions would then be denied by the ruleset. To add }(hj:hhhNhNubjz)}(h``/usr``h]h/usr}(hjThhhNhNubah}(h]h ]h"]h$]h&]uh1jyhj:ubh% to the ruleset, we open it with the }(hj:hhhNhNubjz)}(h ``O_PATH``h]hO_PATH}(hjfhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhj:ubhP flag and fill the &struct landlock_path_beneath_attr with this file descriptor.}(hj:hhhNhNubeh}(h]h ]h"]h$]h&]uh1jhhhKhjhhubj)}(hXQint err; struct landlock_path_beneath_attr path_beneath = { .allowed_access = LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR, }; path_beneath.parent_fd = open("/usr", O_PATH | O_CLOEXEC); if (path_beneath.parent_fd < 0) { perror("Failed to open file"); close(ruleset_fd); return 1; } err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &path_beneath, 0); close(path_beneath.parent_fd); if (err) { perror("Failed to update ruleset"); close(ruleset_fd); return 1; }h]hXQint err; struct landlock_path_beneath_attr path_beneath = { .allowed_access = LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR, }; path_beneath.parent_fd = open("/usr", O_PATH | O_CLOEXEC); if (path_beneath.parent_fd < 0) { perror("Failed to open file"); close(ruleset_fd); return 1; } err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &path_beneath, 0); close(path_beneath.parent_fd); if (err) { perror("Failed to update ruleset"); close(ruleset_fd); return 1; }}hj~sbah}(h]h ]h"]h$]h&]hhjjjj}uh1jhhhKhjhhubj)}(hX'It may also be required to create rules following the same logic as explained for the ruleset creation, by 
filtering access rights according to the Landlock ABI version. In this example, this is not required because all of the requested ``allowed_access`` rights are already available in ABI 1.h](hIt may also be required to create rules following the same logic as explained for the ruleset creation, by filtering access rights according to the Landlock ABI version. In this example, this is not required because all of the requested }(hjhhhNhNubjz)}(h``allowed_access``h]hallowed_access}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubh' rights are already available in ABI 1.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhhhKhjhhubj)}(hFor network access-control, we can add a set of rules that allow to use a port number for a specific action: HTTPS connections.h]hFor network access-control, we can add a set of rules that allow to use a port number for a specific action: HTTPS connections.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKhjhhubj)}(hstruct landlock_net_port_attr net_port = { .allowed_access = LANDLOCK_ACCESS_NET_CONNECT_TCP, .port = 443, }; err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, &net_port, 0);h]hstruct landlock_net_port_attr net_port = { .allowed_access = LANDLOCK_ACCESS_NET_CONNECT_TCP, .port = 443, }; err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, &net_port, 0);}hjsbah}(h]h ]h"]h$]h&]hhjjjj}uh1jhhhKhjhhubj)}(hWhen passing a non-zero ``flags`` argument to ``landlock_restrict_self()``, a similar backwards compatibility check is needed for the restrict flags (see sys_landlock_restrict_self() documentation for available flags):h](hWhen passing a non-zero }(hjhhhNhNubjz)}(h ``flags``h]hflags}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubh argument to }(hjhhhNhNubjz)}(h``landlock_restrict_self()``h]hlandlock_restrict_self()}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubh, a similar backwards compatibility check is needed for the restrict flags (see sys_landlock_restrict_self() documentation for available flags):}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhhhKhjhhubj)}(hXO__u32 restrict_flags 
= LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON; if (abi < 7) { /* Clear logging flags unsupported before ABI 7. */ restrict_flags &= ~(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF | LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON | LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF); }h]hXO__u32 restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON; if (abi < 7) { /* Clear logging flags unsupported before ABI 7. */ restrict_flags &= ~(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF | LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON | LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF); }}hjsbah}(h]h ]h"]h$]h&]hhjjjj}uh1jhhhKhjhhubj)}(hX-The next step is to restrict the current thread from gaining more privileges (e.g. through a SUID binary). We now have a ruleset with the first rule allowing read and execute access to ``/usr`` while denying all other handled accesses for the filesystem, and a second rule allowing HTTPS connections.h](hThe next step is to restrict the current thread from gaining more privileges (e.g. through a SUID binary). 
We now have a ruleset with the first rule allowing read and execute access to }(hj hhhNhNubjz)}(h``/usr``h]h/usr}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhj ubhk while denying all other handled accesses for the filesystem, and a second rule allowing HTTPS connections.}(hj hhhNhNubeh}(h]h ]h"]h$]h&]uh1jhhhKhjhhubj)}(hif (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { perror("Failed to restrict privileges"); close(ruleset_fd); return 1; }h]hif (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { perror("Failed to restrict privileges"); close(ruleset_fd); return 1; }}hj+sbah}(h]h ]h"]h$]h&]hhjjjj}uh1jhhhKhjhhubj)}(hCThe current thread is now ready to sandbox itself with the ruleset.h]hCThe current thread is now ready to sandbox itself with the ruleset.}(hj:hhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKhjhhubj)}(hif (landlock_restrict_self(ruleset_fd, restrict_flags)) { perror("Failed to enforce ruleset"); close(ruleset_fd); return 1; } close(ruleset_fd);h]hif (landlock_restrict_self(ruleset_fd, restrict_flags)) { perror("Failed to enforce ruleset"); close(ruleset_fd); return 1; } close(ruleset_fd);}hjHsbah}(h]h ]h"]h$]h&]hhjjjj}uh1jhhhKhjhhubj)}(hXIf the ``landlock_restrict_self`` system call succeeds, the current thread is now restricted and this policy will be enforced on all its subsequently created children as well. Once a thread is landlocked, there is no way to remove its security policy; only adding more restrictions is allowed. These threads are now in a new Landlock domain, which is a merger of their parent one (if any) with the new ruleset.h](hIf the }(hjWhhhNhNubjz)}(h``landlock_restrict_self``h]hlandlock_restrict_self}(hj_hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjWubhX{ system call succeeds, the current thread is now restricted and this policy will be enforced on all its subsequently created children as well. Once a thread is landlocked, there is no way to remove its security policy; only adding more restrictions is allowed. 
These threads are now in a new Landlock domain, which is a merger of their parent one (if any) with the new ruleset.}(hjWhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhhhKhjhhubj)}(hBFull working code can be found in `samples/landlock/sandboxer.c`_.h](h"Full working code can be found in }(hjwhhhNhNubh reference)}(h`samples/landlock/sandboxer.c`_h]hsamples/landlock/sandboxer.c}(hjhhhNhNubah}(h]h ]h"]h$]h&]namesamples/landlock/sandboxer.crefuribhttps://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/samples/landlock/sandboxer.cuh1jhjwresolvedKubh.}(hjwhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhhhKhjhhubeh}(h](defining-and-enforcing-a-security-policyah ]h"](defining and enforcing a security policyah$]h&]uh1hhjhhhhhK0ubh)}(hhh](h)}(hGood practicesh]hGood practices}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhKubj)}(hXIt is recommended to set access rights to file hierarchy leaves as much as possible. For instance, it is better to be able to have ``~/doc/`` as a read-only hierarchy and ``~/tmp/`` as a read-write hierarchy, compared to ``~/`` as a read-only hierarchy and ``~/tmp/`` as a read-write hierarchy. Following this good practice leads to self-sufficient hierarchies that do not depend on their location (i.e. parent directories). This is particularly relevant when we want to allow linking or renaming. Indeed, having consistent access rights per directory enables changing the location of such directories without relying on the destination directory access rights (except those that are required for this operation, see ``LANDLOCK_ACCESS_FS_REFER`` documentation).h](hIt is recommended to set access rights to file hierarchy leaves as much as possible. 
For instance, it is better to be able to have }(hjhhhNhNubjz)}(h ``~/doc/``h]h~/doc/}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubh as a read-only hierarchy and }(hjhhhNhNubjz)}(h ``~/tmp/``h]h~/tmp/}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubh( as a read-write hierarchy, compared to }(hjhhhNhNubjz)}(h``~/``h]h~/}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubh as a read-only hierarchy and }(hjhhhNhNubjz)}(h ``~/tmp/``h]h~/tmp/}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubhX as a read-write hierarchy. Following this good practice leads to self-sufficient hierarchies that do not depend on their location (i.e. parent directories). This is particularly relevant when we want to allow linking or renaming. Indeed, having consistent access rights per directory enables changing the location of such directories without relying on the destination directory access rights (except those that are required for this operation, see }(hjhhhNhNubjz)}(h``LANDLOCK_ACCESS_FS_REFER``h]hLANDLOCK_ACCESS_FS_REFER}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubh documentation).}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhhhKhjhhubj)}(hXHaving self-sufficient hierarchies also helps to tighten the required access rights to the minimal set of data. This also helps avoid sinkhole directories, i.e. directories where data can be linked to but not linked from. However, this depends on data organization, which might not be controlled by developers. In this case, granting read-write access to ``~/tmp/``, instead of write-only access, would potentially allow moving ``~/tmp/`` to a non-readable directory and still keep the ability to list the content of ``~/tmp/``.h](hXeHaving self-sufficient hierarchies also helps to tighten the required access rights to the minimal set of data. This also helps avoid sinkhole directories, i.e. directories where data can be linked to but not linked from. However, this depends on data organization, which might not be controlled by developers. 
In this case, granting read-write access to }(hjhhhNhNubjz)}(h ``~/tmp/``h]h~/tmp/}(hj'hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubh?, instead of write-only access, would potentially allow moving }(hjhhhNhNubjz)}(h ``~/tmp/``h]h~/tmp/}(hj9hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubhO to a non-readable directory and still keep the ability to list the content of }(hjhhhNhNubjz)}(h ``~/tmp/``h]h~/tmp/}(hjKhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubh.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhhhMhjhhubeh}(h]good-practicesah ]h"]good practicesah$]h&]uh1hhjhhhhhKubh)}(hhh](h)}(h!Layers of file path access rightsh]h!Layers of file path access rights}(hjnhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjkhhhhhM ubj)}(hX6Each time a thread enforces a ruleset on itself, it updates its Landlock domain with a new layer of policy. This complementary policy is stacked with any other rulesets potentially already restricting this thread. A sandboxed thread can then safely add more constraints to itself with a new enforced ruleset.h]hX6Each time a thread enforces a ruleset on itself, it updates its Landlock domain with a new layer of policy. This complementary policy is stacked with any other rulesets potentially already restricting this thread. A sandboxed thread can then safely add more constraints to itself with a new enforced ruleset.}(hj|hhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhM hjkhhubj)}(hX9One policy layer grants access to a file path if at least one of its rules encountered on the path grants the access. A sandboxed thread can only access a file path if all its enforced policy layers grant the access as well as all the other system access controls (e.g. filesystem DAC, other LSM policies, etc.).h]hX9One policy layer grants access to a file path if at least one of its rules encountered on the path grants the access. A sandboxed thread can only access a file path if all its enforced policy layers grant the access as well as all the other system access controls (e.g. 
filesystem DAC, other LSM policies, etc.).}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhMhjkhhubeh}(h]!layers-of-file-path-access-rightsah ]h"]!layers of file path access rightsah$]h&]uh1hhjhhhhhM ubh)}(hhh](h)}(hBind mounts and OverlayFSh]hBind mounts and OverlayFS}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhMubj)}(hLandlock enables restricting access to file hierarchies, which means that these access rights can be propagated with bind mounts (cf. Documentation/filesystems/sharedsubtree.rst) but not with Documentation/filesystems/overlayfs.rst.h]hLandlock enables restricting access to file hierarchies, which means that these access rights can be propagated with bind mounts (cf. Documentation/filesystems/sharedsubtree.rst) but not with Documentation/filesystems/overlayfs.rst.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhMhjhhubj)}(hXA bind mount mirrors a source file hierarchy to a destination. The destination hierarchy is then composed of the exact same files, on which Landlock rules can be tied, either via the source or the destination path. These rules restrict access when they are encountered on a path, which means that they can restrict access to multiple file hierarchies at the same time, whether these hierarchies are the result of bind mounts or not.h]hXA bind mount mirrors a source file hierarchy to a destination. The destination hierarchy is then composed of the exact same files, on which Landlock rules can be tied, either via the source or the destination path. These rules restrict access when they are encountered on a path, which means that they can restrict access to multiple file hierarchies at the same time, whether these hierarchies are the result of bind mounts or not.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhMhjhhubj)}(hXAn OverlayFS mount point consists of upper and lower layers. These layers are combined in a merge directory, and that merged directory becomes available at the mount point. 
This merge hierarchy may include files from the upper and lower layers, but modifications performed on the merge hierarchy only reflect on the upper layer. From a Landlock policy point of view, all OverlayFS layers and merge hierarchies are standalone and each contains their own set of files and directories, which is different from bind mounts. A policy restricting an OverlayFS layer will not restrict the resulted merged hierarchy, and vice versa. Landlock users should then only think about file hierarchies they want to allow access to, regardless of the underlying filesystem.h]hXAn OverlayFS mount point consists of upper and lower layers. These layers are combined in a merge directory, and that merged directory becomes available at the mount point. This merge hierarchy may include files from the upper and lower layers, but modifications performed on the merge hierarchy only reflect on the upper layer. From a Landlock policy point of view, all OverlayFS layers and merge hierarchies are standalone and each contains their own set of files and directories, which is different from bind mounts. A policy restricting an OverlayFS layer will not restrict the resulted merged hierarchy, and vice versa. Landlock users should then only think about file hierarchies they want to allow access to, regardless of the underlying filesystem.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhM%hjhhubeh}(h]bind-mounts-and-overlayfsah ]h"]bind mounts and overlayfsah$]h&]uh1hhjhhhhhMubh)}(hhh](h)}(h Inheritanceh]h Inheritance}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhM1ubj)}(hXEvery new thread resulting from a :manpage:`clone(2)` inherits Landlock domain restrictions from its parent. This is similar to seccomp inheritance (cf. Documentation/userspace-api/seccomp_filter.rst) or any other LSM dealing with task's :manpage:`credentials(7)`. 
For instance, one process's thread may apply Landlock rules to itself, but they will not be automatically applied to other sibling threads (unlike POSIX thread credential changes, cf. :manpage:`nptl(7)`).h](h"Every new thread resulting from a }(hjhhhNhNubhmanpage)}(h:manpage:`clone(2)`h]hclone(2)}(hjhhhNhNubah}(h]h ]jah"]h$]h&]hhpathclone(2)pageclonesection2uh1jhjubh inherits Landlock domain restrictions from its parent. This is similar to seccomp inheritance (cf. Documentation/userspace-api/seccomp_filter.rst) or any other LSM dealing with task’s }(hjhhhNhNubj)}(h:manpage:`credentials(7)`h]hcredentials(7)}(hjhhhNhNubah}(h]h ]jah"]h$]h&]hhj credentials(7)j credentialsj7uh1jhjubh. For instance, one process’s thread may apply Landlock rules to itself, but they will not be automatically applied to other sibling threads (unlike POSIX thread credential changes, cf. }(hjhhhNhNubj)}(h:manpage:`nptl(7)`h]hnptl(7)}(hj+hhhNhNubah}(h]h ]jah"]h$]h&]hhj nptl(7)jnptljj&uh1jhjubh).}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhhhM3hjhhubj)}(hX?When a thread sandboxes itself, we have the guarantee that the related security policy will stay enforced on all this thread's descendants. This allows creating standalone and modular security policies per application, which will automatically be composed between themselves according to their runtime parent policies.h]hXAWhen a thread sandboxes itself, we have the guarantee that the related security policy will stay enforced on all this thread’s descendants. 
This allows creating standalone and modular security policies per application, which will automatically be composed between themselves according to their runtime parent policies.}(hjEhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhM;hjhhubeh}(h] inheritanceah ]h"] inheritanceah$]h&]uh1hhjhhhhhM1ubh)}(hhh](h)}(hPtrace restrictionsh]hPtrace restrictions}(hj^hhhNhNubah}(h]h ]h"]h$]h&]uh1hhj[hhhhhMBubj)}(hXA sandboxed process has less privileges than a non-sandboxed process and must then be subject to additional restrictions when manipulating another process. To be allowed to use :manpage:`ptrace(2)` and related syscalls on a target process, a sandboxed process should have a superset of the target process's access rights, which means the tracee must be in a sub-domain of the tracer.h](hA sandboxed process has less privileges than a non-sandboxed process and must then be subject to additional restrictions when manipulating another process. To be allowed to use }(hjlhhhNhNubj)}(h:manpage:`ptrace(2)`h]h ptrace(2)}(hjthhhNhNubah}(h]h ]jah"]h$]h&]hhj  ptrace(2)jptracejjuh1jhjlubh and related syscalls on a target process, a sandboxed process should have a superset of the target process’s access rights, which means the tracee must be in a sub-domain of the tracer.}(hjlhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhhhMDhj[hhubeh}(h]ptrace-restrictionsah ]h"]ptrace restrictionsah$]h&]uh1hhjhhhhhMB referencedKubh)}(hhh](h)}(h IPC scopingh]h IPC scoping}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhMKubj)}(hX`Similar to the implicit `Ptrace restrictions`_, we may want to further restrict interactions between sandboxes. 
Therefore, at ruleset creation time, each Landlock domain can restrict the scope
for certain operations, so that these operations can only reach out to processes
within the same Landlock domain or in a nested Landlock domain (the "scope").

The operations which can be scoped are:

``LANDLOCK_SCOPE_SIGNAL``
    This limits the sending of signals to target processes which run within
    the same or a nested Landlock domain.

``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET``
    This limits the set of abstract :manpage:`unix(7)` sockets to which we can
    :manpage:`connect(2)` to socket addresses which were created by a process
    in the same or a nested Landlock domain.

    A :manpage:`sendto(2)` on a non-connected datagram socket is treated as if
    it were doing an implicit :manpage:`connect(2)` and will be blocked if the
    remote end does not stem from the same or a nested Landlock domain.

    A :manpage:`sendto(2)` on a socket which was previously connected will not
    be restricted.
    This works for both datagram and stream sockets.

IPC scoping does not support exceptions via :manpage:`landlock_add_rule(2)`.
If an operation is scoped within a domain, no rules can be added to allow
access to resources or processes outside of the scope.

Truncating files
----------------

The operations covered by ``LANDLOCK_ACCESS_FS_WRITE_FILE`` and
``LANDLOCK_ACCESS_FS_TRUNCATE`` both change the contents of a file and sometimes
overlap in non-intuitive ways. It is recommended to always specify both of
these together.

A particularly surprising example is :manpage:`creat(2)`. The name suggests
that this system call requires the rights to create and write files.
However, it also requires the truncate right if an existing file under the same
name is already present.

It should also be noted that truncating files does not require the
``LANDLOCK_ACCESS_FS_WRITE_FILE`` right. Apart from the :manpage:`truncate(2)`
system call, this can also be done through :manpage:`open(2)` with the flags
``O_RDONLY | O_TRUNC``.

The truncate right is associated with the opened file (see below).

Rights associated with file descriptors
---------------------------------------

When opening a file, the availability of the ``LANDLOCK_ACCESS_FS_TRUNCATE``
and ``LANDLOCK_ACCESS_FS_IOCTL_DEV`` rights is associated with the newly
created file descriptor and will be
used for subsequent truncation and ioctl attempts using :manpage:`ftruncate(2)`
and :manpage:`ioctl(2)`. The behavior is similar to opening a file for reading
or writing, where permissions are checked during :manpage:`open(2)`, but not
during the subsequent :manpage:`read(2)` and :manpage:`write(2)` calls.

As a consequence, it is possible that a process has multiple open file
descriptors referring to the same file, but Landlock enforces different things
when operating with these file descriptors. This can happen when a Landlock
ruleset gets enforced and the process keeps file descriptors which were opened
both before and after the enforcement.
It is also possible to pass such file descriptors between processes, keeping
their Landlock properties, even when some of the involved processes do not have
an enforced Landlock ruleset.

Compatibility
=============

Backward and forward compatibility
----------------------------------

Landlock is designed to be compatible with past and future versions of the
kernel. This is achieved thanks to the system call attributes and the
associated bitflags, particularly the ruleset's ``handled_access_fs``.
Making handled access rights explicit enables the kernel and user space to have
a clear contract with each other. This is required to make sure sandboxing will
not get stricter with a system update, which could break applications.

Developers can subscribe to the `Landlock mailing list
<https://subspace.kernel.org/lists.linux.dev.html>`_ to knowingly update and
test their applications with the latest available features. In the interest of
users, and because they may use different kernel versions, it is strongly
encouraged to follow a best-effort security approach by checking the Landlock
ABI version at runtime and only enforcing the supported features.

.. _landlock_abi_versions:

Landlock ABI versions
---------------------

The Landlock ABI version can be read with the sys_landlock_create_ruleset()
system call:

.. code-block:: c

    int abi;

    /* With a NULL attribute and a zero size, only the version flag is
     * interpreted; the return value is the ABI version, not a file descriptor. */
    abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
    if (abi < 0) {
        switch (errno) {
        case ENOSYS:
            printf("Landlock is not supported by the current kernel.\n");
            break;
        case EOPNOTSUPP:
            printf("Landlock is currently disabled.\n");
            break;
        }
        return 0;
    }
    if (abi >= 2) {
        printf("Landlock supports LANDLOCK_ACCESS_FS_REFER.\n");
    }

All Landlock kernel interfaces are supported by the first ABI version unless
explicitly noted in their documentation.

Landlock errata
---------------

In addition to ABI versions, Landlock provides an errata mechanism to track
fixes for issues that may affect backwards compatibility or require userspace
awareness.
The errata bitmask can be queried using:

.. code-block:: c

    int errata;

    errata = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_ERRATA);
    if (errata < 0) {
        /* Landlock not available or disabled */
        return 0;
    }

The returned value is a bitmask where each bit represents a specific erratum.
If bit N is set (``errata & (1 << (N - 1))``), then erratum N has been fixed in
the running kernel.

.. warning::

    **Most applications should NOT check errata.** In 99.9% of cases, checking
    errata is unnecessary, increases code complexity, and can potentially
    decrease protection if misused.
    For example, disabling the sandbox when an erratum is not fixed could leave
    the system less secure than using Landlock's best-effort protection. When
    in doubt, ignore errata.

Erratum 1: TCP socket identification
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This fix addresses an issue where IPv4 and IPv6 stream sockets (e.g., SMC,
MPTCP, or SCTP) were incorrectly restricted by TCP access rights during
:manpage:`bind(2)` and :manpage:`connect(2)` operations.
This change ensures that only TCP sockets are subject to TCP access rights,
allowing other protocols to operate without unnecessary restrictions.

Impact:

In kernels without this fix, using ``LANDLOCK_ACCESS_NET_BIND_TCP`` or
``LANDLOCK_ACCESS_NET_CONNECT_TCP`` would incorrectly restrict non-TCP stream
protocols (SMC, MPTCP, SCTP), potentially breaking applications that rely on
these protocols while using Landlock network restrictions.

Erratum 2: Scoped signal handling
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This fix addresses an issue where signal scoping was overly restrictive,
preventing sandboxed threads from signaling other threads within the same
process if they belonged to different domains.
Because threads are not security boundaries, user space might assume that all
threads within the same process can send signals between themselves (see
:manpage:`nptl(7)` and :manpage:`libpsx(3)`). Consistent with
:manpage:`ptrace(2)` behavior, direct interaction between threads of the same
process should always be allowed. This change ensures that any thread is
allowed to send signals to any other thread within the same process,
regardless of their domain.

Impact:

This problem only manifests when the userspace process is itself using
:manpage:`libpsx(3)` or an equivalent mechanism to enforce a Landlock policy on
multiple already-running threads at once.
Programs which enforce a Landlock policy at startup time and only then become
multithreaded are not affected. Without this fix, signal scoping could break
multi-threaded applications that expect threads within the same process to
freely signal each other.

Erratum 3: Disconnected directory handling
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This fix addresses an issue with disconnected directories that occur when a
directory is moved outside the scope of a bind mount. The change ensures that
evaluated access rights include both those from the disconnected file
hierarchy down to its filesystem root and those from the related mount point
hierarchy.
This prevents access right widening through rename or link actions.

Impact:

Without this fix, it was possible to widen access rights through rename or
link actions involving disconnected directories, potentially bypassing
``LANDLOCK_ACCESS_FS_REFER`` restrictions.
This could allow privilege escalation in complex mount scenarios where
directories become disconnected from their original mount points.

How to check for errata
~~~~~~~~~~~~~~~~~~~~~~~

If you determine that your application needs to check for specific errata, use
this pattern:

.. code-block:: c

    int errata = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_ERRATA);

    if (errata >= 0) {
        /* Check for specific erratum (1-indexed) */
        if (errata & (1 << (erratum_number - 1))) {
            /* Erratum N is fixed in this kernel */
        } else {
            /* Erratum N is NOT fixed - consider implications for your use case */
        }
    }

**Important:** Only check errata if your application specifically relies on
behavior that changed due to the fix.
The fixes generally make Landlock less restrictive or more correct, not more
restrictive.

Kernel interface
================

Access rights
-------------

A set of actions on kernel objects may be defined by an attribute (e.g.
:c:type:`struct landlock_path_beneath_attr <landlock_path_beneath_attr>`)
including a bitmask of access.

Filesystem flags
~~~~~~~~~~~~~~~~

These flags make it possible to restrict a sandboxed process to a set of
actions on files and directories.
Files or directories opened before the sandboxing are not subject to these
restrictions.

The following access rights apply only to files:

- ``LANDLOCK_ACCESS_FS_EXECUTE``: Execute a file.
- ``LANDLOCK_ACCESS_FS_WRITE_FILE``: Open a file with write access. When
  opening files for writing, you will often additionally need the
  ``LANDLOCK_ACCESS_FS_TRUNCATE`` right.
  In many cases, the system calls used to open a file for writing truncate an
  existing file when overwriting it (e.g., :manpage:`creat(2)`).
- ``LANDLOCK_ACCESS_FS_READ_FILE``: Open a file with read access.
- ``LANDLOCK_ACCESS_FS_TRUNCATE``: Truncate a file with :manpage:`truncate(2)`,
  :manpage:`ftruncate(2)`, :manpage:`creat(2)`, or :manpage:`open(2)` with
  ``O_TRUNC``.
This access right is available since the third version of the Landlock ABI.}(hj hhhNhNubeh}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhKhj ubah}(h]h ]h"]h$]h&]uh1jI hjF ubjJ )}(hX~``LANDLOCK_ACCESS_FS_IOCTL_DEV``: Invoke :manpage:`ioctl(2)` commands on an opened character or block device. This access right applies to all `ioctl(2)` commands implemented by device drivers. However, the following common IOCTL commands continue to be invokable independent of the ``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right: * IOCTL commands targeting file descriptors (``FIOCLEX``, ``FIONCLEX``), * IOCTL commands targeting file descriptions (``FIONBIO``, ``FIOASYNC``), * IOCTL commands targeting file systems (``FIFREEZE``, ``FITHAW``, ``FIGETBSZ``, ``FS_IOC_GETFSUUID``, ``FS_IOC_GETFSSYSFSPATH``) * Some IOCTL commands which do not make sense when used with devices, but whose implementations are safe and return the right error codes (``FS_IOC_FIEMAP``, ``FICLONE``, ``FICLONERANGE``, ``FIDEDUPERANGE``) This access right is available since the fifth version of the Landlock ABI. h](j)}(hm``LANDLOCK_ACCESS_FS_IOCTL_DEV``: Invoke :manpage:`ioctl(2)` commands on an opened character or block device.h](jz)}(h ``LANDLOCK_ACCESS_FS_IOCTL_DEV``h]hLANDLOCK_ACCESS_FS_IOCTL_DEV}(hjuhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjqubh : Invoke }(hjqhhhNhNubj)}(h:manpage:`ioctl(2)`h]hioctl(2)}(hjhhhNhNubah}(h]h ]jah"]h$]h&]hhj ioctl(2)jioctljjuh1jhjqubh1 commands on an opened character or block device.}(hjqhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhKhjmubj)}(hThis access right applies to all `ioctl(2)` commands implemented by device drivers. 
However, the following common IOCTL commands continue to be invokable independent of the ``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right:h](h!This access right applies to all }(hjhhhNhNubj6)}(h `ioctl(2)`h]hioctl(2)}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1j5hjubh commands implemented by device drivers. However, the following common IOCTL commands continue to be invokable independent of the }(hjhhhNhNubjz)}(h ``LANDLOCK_ACCESS_FS_IOCTL_DEV``h]hLANDLOCK_ACCESS_FS_IOCTL_DEV}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubh right:}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhKhjmubjE )}(hhh](jJ )}(hFIOCTL commands targeting file descriptors (``FIOCLEX``, ``FIONCLEX``),h]j)}(hjh](h+IOCTL commands targeting file descriptors (}(hjhhhNhNubjz)}(h ``FIOCLEX``h]hFIOCLEX}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubh, }(hjhhhNhNubjz)}(h ``FIONCLEX``h]hFIONCLEX}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubh),}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhKhjubah}(h]h ]h"]h$]h&]uh1jI hjubjJ )}(hGIOCTL commands targeting file descriptions (``FIONBIO``, ``FIOASYNC``),h]j)}(hjh](h,IOCTL commands targeting file descriptions (}(hjhhhNhNubjz)}(h ``FIONBIO``h]hFIONBIO}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubh, }(hjhhhNhNubjz)}(h ``FIOASYNC``h]hFIOASYNC}(hj1hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubh),}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhKhjubah}(h]h ]h"]h$]h&]uh1jI hjubjJ )}(hIOCTL commands targeting file systems (``FIFREEZE``, ``FITHAW``, ``FIGETBSZ``, ``FS_IOC_GETFSUUID``, ``FS_IOC_GETFSSYSFSPATH``)h]j)}(hIOCTL commands targeting file systems (``FIFREEZE``, ``FITHAW``, ``FIGETBSZ``, ``FS_IOC_GETFSUUID``, ``FS_IOC_GETFSSYSFSPATH``)h](h'IOCTL commands targeting file systems (}(hjThhhNhNubjz)}(h ``FIFREEZE``h]hFIFREEZE}(hj\hhhNhNubah}(h]h 
]h"]h$]h&]uh1jyhjTubh, }(hjThhhNhNubjz)}(h ``FITHAW``h]hFITHAW}(hjnhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjTubh, }(hjThhhNhNubjz)}(h ``FIGETBSZ``h]hFIGETBSZ}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjTubh, }hjTsbjz)}(h``FS_IOC_GETFSUUID``h]hFS_IOC_GETFSUUID}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjTubh, }hjTsbjz)}(h``FS_IOC_GETFSSYSFSPATH``h]hFS_IOC_GETFSSYSFSPATH}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjTubh)}(hjThhhNhNubeh}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhKhjPubah}(h]h ]h"]h$]h&]uh1jI hjubjJ )}(hSome IOCTL commands which do not make sense when used with devices, but whose implementations are safe and return the right error codes (``FS_IOC_FIEMAP``, ``FICLONE``, ``FICLONERANGE``, ``FIDEDUPERANGE``) h]j)}(hSome IOCTL commands which do not make sense when used with devices, but whose implementations are safe and return the right error codes (``FS_IOC_FIEMAP``, ``FICLONE``, ``FICLONERANGE``, ``FIDEDUPERANGE``)h](hSome IOCTL commands which do not make sense when used with devices, but whose implementations are safe and return the right error codes (}(hjhhhNhNubjz)}(h``FS_IOC_FIEMAP``h]h FS_IOC_FIEMAP}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubh, }(hjhhhNhNubjz)}(h ``FICLONE``h]hFICLONE}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubh, }hjsbjz)}(h``FICLONERANGE``h]h FICLONERANGE}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubh, }hjsbjz)}(h``FIDEDUPERANGE``h]h FIDEDUPERANGE}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubh)}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhKhjubah}(h]h ]h"]h$]h&]uh1jI hjubeh}(h]h ]h"]h$]h&]bullet*uh1jD hj hKhjmubj)}(hKThis access right is available since the fifth version of the Landlock ABI.h]hKThis access right is available since the fifth version of the Landlock ABI.}(hj,hhhNhNubah}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhKhjmubeh}(h]h 
]h"]h$]h&]uh1jI hjF ubeh}(h]h ]h"]h$]h&]j*-uh1jD hjj hKhj ubj)}(hX'Whether an opened file can be truncated with :manpage:`ftruncate(2)` or used with `ioctl(2)` is determined during :manpage:`open(2)`, in the same way as read and write permissions are checked during :manpage:`open(2)` using ``LANDLOCK_ACCESS_FS_READ_FILE`` and ``LANDLOCK_ACCESS_FS_WRITE_FILE``.h](h-Whether an opened file can be truncated with }(hjHhhhNhNubj)}(h:manpage:`ftruncate(2)`h]h ftruncate(2)}(hjPhhhNhNubah}(h]h ]jah"]h$]h&]hhj  ftruncate(2)j ftruncatejjuh1jhjHubh or used with }(hjHhhhNhNubj6)}(h `ioctl(2)`h]hioctl(2)}(hjdhhhNhNubah}(h]h ]h"]h$]h&]uh1j5hjHubh is determined during }(hjHhhhNhNubj)}(h:manpage:`open(2)`h]hopen(2)}(hjvhhhNhNubah}(h]h ]jah"]h$]h&]hhj open(2)jopenjjuh1jhjHubhC, in the same way as read and write permissions are checked during }(hjHhhhNhNubj)}(h:manpage:`open(2)`h]hopen(2)}(hjhhhNhNubah}(h]h ]jah"]h$]h&]hhj open(2)jopenjjuh1jhjHubh using }(hjHhhhNhNubjz)}(h ``LANDLOCK_ACCESS_FS_READ_FILE``h]hLANDLOCK_ACCESS_FS_READ_FILE}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjHubh and }(hjHhhhNhNubjz)}(h!``LANDLOCK_ACCESS_FS_WRITE_FILE``h]hLANDLOCK_ACCESS_FS_WRITE_FILE}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjHubh.}(hjHhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhKhj ubj)}(hA directory can receive access rights related to files or directories. The following access right is applied to the directory itself, and the directories beneath it:h]hA directory can receive access rights related to files or directories. The following access right is applied to the directory itself, and the directories beneath it:}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhKhj ubjE )}(hhh]jJ )}(hG``LANDLOCK_ACCESS_FS_READ_DIR``: Open a directory or list its content. 
h]j)}(hF``LANDLOCK_ACCESS_FS_READ_DIR``: Open a directory or list its content.h](jz)}(h``LANDLOCK_ACCESS_FS_READ_DIR``h]hLANDLOCK_ACCESS_FS_READ_DIR}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubh': Open a directory or list its content.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhMhjubah}(h]h ]h"]h$]h&]uh1jI hjubah}(h]h ]h"]h$]h&]j*jGuh1jD hjhMhj ubj)}(hhHowever, the following access rights only apply to the content of a directory, not the directory itself:h]hhHowever, the following access rights only apply to the content of a directory, not the directory itself:}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhMhj ubjE )}(hhh](jJ )}(hK``LANDLOCK_ACCESS_FS_REMOVE_DIR``: Remove an empty directory or rename one.h]j)}(hjh](jz)}(h!``LANDLOCK_ACCESS_FS_REMOVE_DIR``h]hLANDLOCK_ACCESS_FS_REMOVE_DIR}(hj!hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubh*: Remove an empty directory or rename one.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhMhjubah}(h]h ]h"]h$]h&]uh1jI hjubjJ )}(h>``LANDLOCK_ACCESS_FS_REMOVE_FILE``: Unlink (or rename) a file.h]j)}(hjBh](jz)}(h"``LANDLOCK_ACCESS_FS_REMOVE_FILE``h]hLANDLOCK_ACCESS_FS_REMOVE_FILE}(hjGhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjDubh: Unlink (or rename) a file.}(hjDhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhM hj@ubah}(h]h ]h"]h$]h&]uh1jI hjubjJ )}(hP``LANDLOCK_ACCESS_FS_MAKE_CHAR``: Create (or rename or link) a character device.h]j)}(hP``LANDLOCK_ACCESS_FS_MAKE_CHAR``: Create (or rename or link) a character device.h](jz)}(h ``LANDLOCK_ACCESS_FS_MAKE_CHAR``h]hLANDLOCK_ACCESS_FS_MAKE_CHAR}(hjnhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjjubh0: Create (or rename or link) a character device.}(hjjhhhNhNubeh}(h]h 
]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhM hjfubah}(h]h ]h"]h$]h&]uh1jI hjubjJ )}(h@``LANDLOCK_ACCESS_FS_MAKE_DIR``: Create (or rename) a directory.h]j)}(hjh](jz)}(h``LANDLOCK_ACCESS_FS_MAKE_DIR``h]hLANDLOCK_ACCESS_FS_MAKE_DIR}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubh!: Create (or rename) a directory.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhM hjubah}(h]h ]h"]h$]h&]uh1jI hjubjJ )}(hK``LANDLOCK_ACCESS_FS_MAKE_REG``: Create (or rename or link) a regular file.h]j)}(hjh](jz)}(h``LANDLOCK_ACCESS_FS_MAKE_REG``h]hLANDLOCK_ACCESS_FS_MAKE_REG}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubh,: Create (or rename or link) a regular file.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhM hjubah}(h]h ]h"]h$]h&]uh1jI hjubjJ )}(hR``LANDLOCK_ACCESS_FS_MAKE_SOCK``: Create (or rename or link) a UNIX domain socket.h]j)}(hR``LANDLOCK_ACCESS_FS_MAKE_SOCK``: Create (or rename or link) a UNIX domain socket.h](jz)}(h ``LANDLOCK_ACCESS_FS_MAKE_SOCK``h]hLANDLOCK_ACCESS_FS_MAKE_SOCK}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubh2: Create (or rename or link) a UNIX domain socket.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhMhjubah}(h]h ]h"]h$]h&]uh1jI hjubjJ )}(hJ``LANDLOCK_ACCESS_FS_MAKE_FIFO``: Create (or rename or link) a named pipe.h]j)}(hjh](jz)}(h ``LANDLOCK_ACCESS_FS_MAKE_FIFO``h]hLANDLOCK_ACCESS_FS_MAKE_FIFO}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubh*: Create (or rename or link) a named pipe.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhMhjubah}(h]h ]h"]h$]h&]uh1jI hjubjJ )}(hM``LANDLOCK_ACCESS_FS_MAKE_BLOCK``: Create (or rename or link) a block 
device.h]j)}(hj(h](jz)}(h!``LANDLOCK_ACCESS_FS_MAKE_BLOCK``h]hLANDLOCK_ACCESS_FS_MAKE_BLOCK}(hj-hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhj*ubh,: Create (or rename or link) a block device.}(hj*hhhNhNubeh}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhMhj&ubah}(h]h ]h"]h$]h&]uh1jI hjubjJ )}(hL``LANDLOCK_ACCESS_FS_MAKE_SYM``: Create (or rename or link) a symbolic link.h]j)}(hjNh](jz)}(h``LANDLOCK_ACCESS_FS_MAKE_SYM``h]hLANDLOCK_ACCESS_FS_MAKE_SYM}(hjShhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjPubh-: Create (or rename or link) a symbolic link.}(hjPhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhMhjLubah}(h]h ]h"]h$]h&]uh1jI hjubjJ )}(hX``LANDLOCK_ACCESS_FS_REFER``: Link or rename a file from or to a different directory (i.e. reparent a file hierarchy). This access right is available since the second version of the Landlock ABI. This is the only access right which is denied by default by any ruleset, even if the right is not specified as handled at ruleset creation time. The only way to make a ruleset grant this right is to explicitly allow it for a specific directory by adding a matching rule to the ruleset. In particular, when using the first Landlock ABI version, Landlock will always deny attempts to reparent files between different directories. In addition to the source and destination directories having the ``LANDLOCK_ACCESS_FS_REFER`` access right, the attempted link or rename operation must meet the following constraints: * The reparented file may not gain more access rights in the destination directory than it previously had in the source directory. If this is attempted, the operation results in an ``EXDEV`` error. * When linking or renaming, the ``LANDLOCK_ACCESS_FS_MAKE_*`` right for the respective file type must be granted for the destination directory. Otherwise, the operation results in an ``EACCES`` error. 
* When renaming, the ``LANDLOCK_ACCESS_FS_REMOVE_*`` right for the respective file type must be granted for the source directory. Otherwise, the operation results in an ``EACCES`` error. If multiple requirements are not met, the ``EACCES`` error code takes precedence over ``EXDEV``. h](j)}(hv``LANDLOCK_ACCESS_FS_REFER``: Link or rename a file from or to a different directory (i.e. reparent a file hierarchy).h](jz)}(h``LANDLOCK_ACCESS_FS_REFER``h]hLANDLOCK_ACCESS_FS_REFER}(hjzhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjvubhZ: Link or rename a file from or to a different directory (i.e. reparent a file hierarchy).}(hjvhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhMhjrubj)}(hLThis access right is available since the second version of the Landlock ABI.h]hLThis access right is available since the second version of the Landlock ABI.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhMhjrubj)}(hXThis is the only access right which is denied by default by any ruleset, even if the right is not specified as handled at ruleset creation time. The only way to make a ruleset grant this right is to explicitly allow it for a specific directory by adding a matching rule to the ruleset.h]hXThis is the only access right which is denied by default by any ruleset, even if the right is not specified as handled at ruleset creation time. 
The only way to make a ruleset grant this right is to explicitly allow it for a specific directory by adding a matching rule to the ruleset.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhMhjrubj)}(hIn particular, when using the first Landlock ABI version, Landlock will always deny attempts to reparent files between different directories.h]hIn particular, when using the first Landlock ABI version, Landlock will always deny attempts to reparent files between different directories.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhMhjrubj)}(hIn addition to the source and destination directories having the ``LANDLOCK_ACCESS_FS_REFER`` access right, the attempted link or rename operation must meet the following constraints:h](hAIn addition to the source and destination directories having the }(hjhhhNhNubjz)}(h``LANDLOCK_ACCESS_FS_REFER``h]hLANDLOCK_ACCESS_FS_REFER}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubhZ access right, the attempted link or rename operation must meet the following constraints:}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhM!hjrubjE )}(hhh](jJ )}(hThe reparented file may not gain more access rights in the destination directory than it previously had in the source directory. If this is attempted, the operation results in an ``EXDEV`` error. h]j)}(hThe reparented file may not gain more access rights in the destination directory than it previously had in the source directory. If this is attempted, the operation results in an ``EXDEV`` error.h](hThe reparented file may not gain more access rights in the destination directory than it previously had in the source directory. 
If this is attempted, the operation results in an }(hjhhhNhNubjz)}(h ``EXDEV``h]hEXDEV}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubh error.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhM%hjubah}(h]h ]h"]h$]h&]uh1jI hjubjJ )}(hWhen linking or renaming, the ``LANDLOCK_ACCESS_FS_MAKE_*`` right for the respective file type must be granted for the destination directory. Otherwise, the operation results in an ``EACCES`` error. h]j)}(hWhen linking or renaming, the ``LANDLOCK_ACCESS_FS_MAKE_*`` right for the respective file type must be granted for the destination directory. Otherwise, the operation results in an ``EACCES`` error.h](hWhen linking or renaming, the }(hjhhhNhNubjz)}(h``LANDLOCK_ACCESS_FS_MAKE_*``h]hLANDLOCK_ACCESS_FS_MAKE_*}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubhz right for the respective file type must be granted for the destination directory. Otherwise, the operation results in an }(hjhhhNhNubjz)}(h ``EACCES``h]hEACCES}(hj-hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubh error.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhM)hjubah}(h]h ]h"]h$]h&]uh1jI hjubjJ )}(hWhen renaming, the ``LANDLOCK_ACCESS_FS_REMOVE_*`` right for the respective file type must be granted for the source directory. Otherwise, the operation results in an ``EACCES`` error. h]j)}(hWhen renaming, the ``LANDLOCK_ACCESS_FS_REMOVE_*`` right for the respective file type must be granted for the source directory. Otherwise, the operation results in an ``EACCES`` error.h](hWhen renaming, the }(hjPhhhNhNubjz)}(h``LANDLOCK_ACCESS_FS_REMOVE_*``h]hLANDLOCK_ACCESS_FS_REMOVE_*}(hjXhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjPubhv right for the respective file type must be granted for the source directory. 
Otherwise, the operation results in an }(hjPhhhNhNubjz)}(h ``EACCES``h]hEACCES}(hjjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjPubh error.}(hjPhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhM-hjLubah}(h]h ]h"]h$]h&]uh1jI hjubeh}(h]h ]h"]h$]h&]j*j+uh1jD hjhM%hjrubj)}(h`If multiple requirements are not met, the ``EACCES`` error code takes precedence over ``EXDEV``.h](h*If multiple requirements are not met, the }(hjhhhNhNubjz)}(h ``EACCES``h]hEACCES}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubh" error code takes precedence over }(hjhhhNhNubjz)}(h ``EXDEV``h]hEXDEV}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubh.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhM1hjrubeh}(h]h ]h"]h$]h&]uh1jI hjubeh}(h]h ]h"]h$]h&]j*jGuh1jD hj9hMhj ubj )}(hXfIt is currently not possible to restrict some file-related actions accessible through these syscall families: :manpage:`chdir(2)`, :manpage:`stat(2)`, :manpage:`flock(2)`, :manpage:`chmod(2)`, :manpage:`chown(2)`, :manpage:`setxattr(2)`, :manpage:`utime(2)`, :manpage:`fcntl(2)`, :manpage:`access(2)`. Future Landlock evolutions will enable to restrict them.h]j)}(hXfIt is currently not possible to restrict some file-related actions accessible through these syscall families: :manpage:`chdir(2)`, :manpage:`stat(2)`, :manpage:`flock(2)`, :manpage:`chmod(2)`, :manpage:`chown(2)`, :manpage:`setxattr(2)`, :manpage:`utime(2)`, :manpage:`fcntl(2)`, :manpage:`access(2)`. 
Future Landlock evolutions will enable to restrict them.h](hnIt is currently not possible to restrict some file-related actions accessible through these syscall families: }(hjhhhNhNubj)}(h:manpage:`chdir(2)`h]hchdir(2)}(hjhhhNhNubah}(h]h ]jah"]h$]h&]hhj chdir(2)jchdirjjuh1jhjubh, }(hjhhhNhNubj)}(h:manpage:`stat(2)`h]hstat(2)}(hjhhhNhNubah}(h]h ]jah"]h$]h&]hhj stat(2)jstatjjuh1jhjubh, }(hjhhhNhNubj)}(h:manpage:`flock(2)`h]hflock(2)}(hjhhhNhNubah}(h]h ]jah"]h$]h&]hhj flock(2)jflockjjuh1jhjubh, }hjsbj)}(h:manpage:`chmod(2)`h]hchmod(2)}(hjhhhNhNubah}(h]h ]jah"]h$]h&]hhj chmod(2)jchmodjjuh1jhjubh, }hjsbj)}(h:manpage:`chown(2)`h]hchown(2)}(hj*hhhNhNubah}(h]h ]jah"]h$]h&]hhj chown(2)jchownjjuh1jhjubh, }hjsbj)}(h:manpage:`setxattr(2)`h]h setxattr(2)}(hj>hhhNhNubah}(h]h ]jah"]h$]h&]hhj  setxattr(2)jsetxattrjjuh1jhjubh, }hjsbj)}(h:manpage:`utime(2)`h]hutime(2)}(hjRhhhNhNubah}(h]h ]jah"]h$]h&]hhj utime(2)jutimejjuh1jhjubh, }hjsbj)}(h:manpage:`fcntl(2)`h]hfcntl(2)}(hjfhhhNhNubah}(h]h ]jah"]h$]h&]hhj fcntl(2)jfcntljjuh1jhjubh, }hjsbj)}(h:manpage:`access(2)`h]h access(2)}(hjzhhhNhNubah}(h]h ]jah"]h$]h&]hhj  access(2)jaccessjjuh1jhjubh:. 
Future Landlock evolutions will enable to restrict them.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhM6hjubah}(h]h ]h"]h$]h&]uh1j hj ubeh}(h]filesystem-flagsah ]h"]filesystem flagsah$]h&]uh1hhj hhhNhNjKubh)}(hhh](h)}(h Network flagsh]h Network flags}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhNhNubj)}(hOThese flags enable to restrict a sandboxed process to a set of network actions.h]hOThese flags enable to restrict a sandboxed process to a set of network actions.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhMVhjubj)}(h6The following access rights apply to TCP port numbers:h]h6The following access rights apply to TCP port numbers:}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhMYhjubjE )}(hhh](jJ )}(ht``LANDLOCK_ACCESS_NET_BIND_TCP``: Bind TCP sockets to the given local port. Support added in Landlock ABI version 4.h]j)}(ht``LANDLOCK_ACCESS_NET_BIND_TCP``: Bind TCP sockets to the given local port. Support added in Landlock ABI version 4.h](jz)}(h ``LANDLOCK_ACCESS_NET_BIND_TCP``h]hLANDLOCK_ACCESS_NET_BIND_TCP}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubhT: Bind TCP sockets to the given local port. Support added in Landlock ABI version 4.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhM[hjubah}(h]h ]h"]h$]h&]uh1jI hjubjJ )}(h}``LANDLOCK_ACCESS_NET_CONNECT_TCP``: Connect TCP sockets to the given remote port. Support added in Landlock ABI version 4. h]j)}(h{``LANDLOCK_ACCESS_NET_CONNECT_TCP``: Connect TCP sockets to the given remote port. 
Support added in Landlock ABI version 4.h](jz)}(h#``LANDLOCK_ACCESS_NET_CONNECT_TCP``h]hLANDLOCK_ACCESS_NET_CONNECT_TCP}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubhX: Connect TCP sockets to the given remote port. Support added in Landlock ABI version 4.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhM]hjubah}(h]h ]h"]h$]h&]uh1jI hjubeh}(h]h ]h"]h$]h&]j*jGuh1jD hjhM[hjubeh}(h] network-flagsah ]h"] network flagsah$]h&]uh1hhj hhhNhNjKubh)}(hhh](h)}(h Scope flagsh]h Scope flags}(hj4hhhNhNubah}(h]h ]h"]h$]h&]uh1hhj1hNhNubj)}(hThese flags enable to isolate a sandboxed process from a set of IPC actions. Setting a flag for a ruleset will isolate the Landlock domain to forbid connections to resources outside the domain.h]hThese flags enable to isolate a sandboxed process from a set of IPC actions. Setting a flag for a ruleset will isolate the Landlock domain to forbid connections to resources outside the domain.}(hjBhhhNhNubah}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhMkhj1ubj)}(h/This is supported since Landlock ABI version 6.h]h/This is supported since Landlock ABI version 6.}(hjQhhhNhNubah}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhMohj1ubj)}(hScopes:h]hScopes:}(hj`hhhNhNubah}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhMqhj1ubjE )}(hhh](jJ )}(h``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET``: Restrict a sandboxed process from connecting to an abstract UNIX socket created by a process outside the related Landlock domain (e.g., a parent domain or a non-sandboxed process).h]j)}(h``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET``: Restrict a sandboxed process from connecting to an abstract UNIX socket created by a process outside the related Landlock domain (e.g., a parent 
domain or a non-sandboxed process).h](jz)}(h'``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET``h]h#LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET}(hjzhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjvubh: Restrict a sandboxed process from connecting to an abstract UNIX socket created by a process outside the related Landlock domain (e.g., a parent domain or a non-sandboxed process).}(hjvhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhMshjrubah}(h]h ]h"]h$]h&]uh1jI hjoubjJ )}(hv``LANDLOCK_SCOPE_SIGNAL``: Restrict a sandboxed process from sending a signal to another process outside the domain. h]j)}(ht``LANDLOCK_SCOPE_SIGNAL``: Restrict a sandboxed process from sending a signal to another process outside the domain.h](jz)}(h``LANDLOCK_SCOPE_SIGNAL``h]hLANDLOCK_SCOPE_SIGNAL}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjubh[: Restrict a sandboxed process from sending a signal to another process outside the domain.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhe/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:517: ./include/uapi/linux/landlock.hhMvhjubah}(h]h ]h"]h$]h&]uh1jI hjoubeh}(h]h ]h"]h$]h&]j*jGuh1jD hjhMshj1ubeh}(h] scope-flagsah ]h"] scope flagsah$]h&]uh1hhj hhhNhNjKubeh}(h] access-rightsah ]h"] access rightsah$]h&]uh1hhj hhhhhMubh)}(hhh](h)}(hCreating a new ruleseth]hCreating a new ruleset}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhM ubhindex)}(hhh]h}(h]h ]h"]h$]h&]entries](single(sys_landlock_create_ruleset (C function)c.sys_landlock_create_rulesethNtauh1jhjhhhNhNubhdesc)}(hhh](hdesc_signature)}(h~long sys_landlock_create_ruleset (const struct landlock_ruleset_attr __user *const attr, const size_t size, const __u32 flags)h]hdesc_signature_line)}(h}long sys_landlock_create_ruleset(const struct landlock_ruleset_attr __user *const attr, const size_t size, const __u32 flags)h](hdesc_sig_keyword_type)}(hlongh]hlong}(hj hhhNhNubah}(h]h ]ktah"]h$]h&]uh1j 
hjhhhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:523: ./security/landlock/syscalls.chKubhdesc_sig_space)}(h h]h }(hjhhhNhNubah}(h]h ]wah"]h$]h&]uh1jhjhhhjhKubh desc_name)}(hsys_landlock_create_ruleseth]h desc_sig_name)}(hsys_landlock_create_ruleseth]hsys_landlock_create_ruleset}(hj4hhhNhNubah}(h]h ]nah"]h$]h&]uh1j2hj.ubah}(h]h ](sig-namedescnameeh"]h$]h&]hhuh1j,hjhhhjhKubhdesc_parameterlist)}(h](const struct landlock_ruleset_attr __user *const attr, const size_t size, const __u32 flags)h](hdesc_parameter)}(h5const struct landlock_ruleset_attr __user *const attrh](hdesc_sig_keyword)}(hconsth]hconst}(hjYhhhNhNubah}(h]h ]kah"]h$]h&]uh1jWhjSubj)}(h h]h }(hjhhhhNhNubah}(h]h ]j(ah"]h$]h&]uh1jhjSubjX)}(hstructh]hstruct}(hjvhhhNhNubah}(h]h ]jdah"]h$]h&]uh1jWhjSubj)}(h h]h }(hjhhhNhNubah}(h]h ]j(ah"]h$]h&]uh1jhjSubh)}(hhh]j3)}(hlandlock_ruleset_attrh]hlandlock_ruleset_attr}(hjhhhNhNubah}(h]h ]j?ah"]h$]h&]uh1j2hjubah}(h]h ]h"]h$]h&] refdomainjreftype identifier reftargetjmodnameN classnameN c:parent_keysphinx.domains.c LookupKey)}data]j ASTIdentifier)}jj6sbc.sys_landlock_create_rulesetasbuh1hhjSubj)}(h h]h }(hjhhhNhNubah}(h]h ]j(ah"]h$]h&]uh1jhjSubh__user}(hjShhhNhNubj)}(h h]h }(hjhhhNhNubah}(h]h ]j(ah"]h$]h&]uh1jhjSubhdesc_sig_punctuation)}(hj+h]h*}(hjhhhNhNubah}(h]h ]pah"]h$]h&]uh1jhjSubjX)}(hj[h]hconst}(hjhhhNhNubah}(h]h ]jdah"]h$]h&]uh1jWhjSubj)}(h h]h }(hjhhhNhNubah}(h]h ]j(ah"]h$]h&]uh1jhjSubj3)}(hattrh]hattr}(hjhhhNhNubah}(h]h ]j?ah"]h$]h&]uh1j2hjSubeh}(h]h ]h"]h$]h&]noemphhhuh1jQhjMubjR)}(hconst size_t sizeh](jX)}(hj[h]hconst}(hj!hhhNhNubah}(h]h ]jdah"]h$]h&]uh1jWhjubj)}(h h]h }(hj.hhhNhNubah}(h]h ]j(ah"]h$]h&]uh1jhjubh)}(hhh]j3)}(hsize_th]hsize_t}(hj?hhhNhNubah}(h]h ]j?ah"]h$]h&]uh1j2hj<ubah}(h]h ]h"]h$]h&] refdomainjreftypej reftargetjAmodnameN classnameNjj)}j]jc.sys_landlock_create_rulesetasbuh1hhjubj)}(h h]h }(hj]hhhNhNubah}(h]h ]j(ah"]h$]h&]uh1jhjubj3)}(hsizeh]hsize}(hjkhhhNhNubah}(h]h ]j?ah"]h$]h&]uh1j2hjubeh}(h]h 
``long sys_landlock_create_ruleset(const struct landlock_ruleset_attr __user *const attr, const size_t size, const __u32 flags)``

Create a new ruleset

**Parameters**

``const struct landlock_ruleset_attr __user *const attr``
  Pointer to a ``struct landlock_ruleset_attr`` identifying the scope of the new ruleset.

``const size_t size``
  Size of the pointed ``struct landlock_ruleset_attr`` (needed for backward and forward compatibility).

``const __u32 flags``
  Supported values:

  - ``LANDLOCK_CREATE_RULESET_VERSION``
  - ``LANDLOCK_CREATE_RULESET_ERRATA``

**Description**

This system call creates a new Landlock ruleset and returns the related file descriptor on success.

If ``LANDLOCK_CREATE_RULESET_VERSION`` or ``LANDLOCK_CREATE_RULESET_ERRATA`` is set, then **attr** must be NULL and **size** must be 0.

Possible returned errors are:

- ``EOPNOTSUPP``: Landlock is supported by the kernel but disabled at boot time;
- ``EINVAL``: unknown **flags**, or unknown access, or unknown scope, or too small **size**;
- ``E2BIG``: **attr** or **size** inconsistencies;
- ``EFAULT``: **attr** or **size** inconsistencies;
- ``ENOMSG``: empty ``landlock_ruleset_attr.handled_access_fs``.

**Flags**

``LANDLOCK_CREATE_RULESET_VERSION``
  Get the highest supported Landlock ABI version (starting at 1).
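The following is an added example, not code from the kernel documentation or from the Landlock project. It shows the two uses of ``sys_landlock_create_ruleset`` described above: probing the ABI version with ``LANDLOCK_CREATE_RULESET_VERSION`` (``attr`` NULL, ``size`` 0), then creating a ruleset whose handled accesses and ``size`` are trimmed to what the running kernel knows, which is how a program avoids ``EINVAL`` on older kernels. The constants, the ``ll_ruleset_attr`` layout and the syscall number are copied from ``include/uapi/linux/landlock.h`` and the syscall table rather than included, so the file builds with older headers; the ``ll_`` names and the ``trim_to_abi``/``attr_size_for_abi`` helpers are the example's own.

```c
#define _GNU_SOURCE
#ifndef __linux__
#error "Landlock is a Linux-only LSM"
#endif
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Values mirror include/uapi/linux/landlock.h (added example, not kernel
 * code); the syscall number is the same on every architecture. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#endif
#ifndef LANDLOCK_CREATE_RULESET_VERSION
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#endif

/* Access rights grouped by the ABI version that introduced them. */
#define LL_FS_ABI1      ((1ULL << 13) - 1)          /* EXECUTE .. MAKE_SYM, bits 0-12 */
#define LL_FS_REFER     (1ULL << 13)                /* ABI 2 */
#define LL_FS_TRUNCATE  (1ULL << 14)                /* ABI 3 */
#define LL_FS_IOCTL_DEV (1ULL << 15)                /* ABI 5 */
#define LL_NET_ABI4     ((1ULL << 0) | (1ULL << 1)) /* BIND_TCP, CONNECT_TCP */
#define LL_SCOPE_ABI6   ((1ULL << 0) | (1ULL << 1)) /* ABSTRACT_UNIX_SOCKET, SIGNAL */

/* Same layout as struct landlock_ruleset_attr: fields were appended over
 * time, and the size argument tells the kernel how many the caller knows. */
struct ll_ruleset_attr {
	uint64_t handled_access_fs;
	uint64_t handled_access_net; /* ABI 4 */
	uint64_t scoped;             /* ABI 6 */
};

/* Highest ABI version the kernel supports, or -errno. ENOSYS: kernel built
 * without Landlock; EOPNOTSUPP: built with it but disabled at boot. */
static int landlock_abi_version(void)
{
	long r = syscall(__NR_landlock_create_ruleset, NULL, 0,
			 LANDLOCK_CREATE_RULESET_VERSION);
	return r < 0 ? -errno : (int)r;
}

/* Drop every access right this ABI does not know: an unknown bit makes
 * create_ruleset fail with EINVAL. Callers must still check that something
 * is left, since handling nothing at all fails with ENOMSG. */
static struct ll_ruleset_attr trim_to_abi(struct ll_ruleset_attr want, int abi)
{
	uint64_t fs = LL_FS_ABI1;

	if (abi >= 2) fs |= LL_FS_REFER;
	if (abi >= 3) fs |= LL_FS_TRUNCATE;
	if (abi >= 5) fs |= LL_FS_IOCTL_DEV;
	want.handled_access_fs &= fs;
	want.handled_access_net &= (abi >= 4) ? LL_NET_ABI4 : 0;
	want.scoped &= (abi >= 6) ? LL_SCOPE_ABI6 : 0;
	return want;
}

/* Pass only the prefix of the struct that this ABI defines. */
static size_t attr_size_for_abi(int abi)
{
	if (abi >= 6) return sizeof(struct ll_ruleset_attr);
	if (abi >= 4) return offsetof(struct ll_ruleset_attr, scoped);
	return offsetof(struct ll_ruleset_attr, handled_access_net);
}

/* New ruleset file descriptor, or -errno. */
static int create_ruleset(const struct ll_ruleset_attr *attr, size_t size)
{
	long fd = syscall(__NR_landlock_create_ruleset, attr, size, 0);
	return fd < 0 ? -errno : (int)fd;
}

int main(void)
{
	int abi = landlock_abi_version();
	if (abi < 0) {
		fprintf(stderr, "Landlock unavailable: %s\n", strerror(-abi));
		return 1;
	}
	/* Ask for everything we know about; trim_to_abi keeps what the kernel accepts. */
	struct ll_ruleset_attr want = {
		.handled_access_fs = LL_FS_ABI1 | LL_FS_REFER | LL_FS_TRUNCATE | LL_FS_IOCTL_DEV,
		.handled_access_net = LL_NET_ABI4,
		.scoped = LL_SCOPE_ABI6,
	};
	struct ll_ruleset_attr attr = trim_to_abi(want, abi);
	int fd = create_ruleset(&attr, attr_size_for_abi(abi));

	if (fd < 0) {
		fprintf(stderr, "landlock_create_ruleset: %s\n", strerror(-fd));
		return 1;
	}
	printf("ABI %d: ruleset fd %d handles fs=%#llx net=%#llx scoped=%#llx\n", abi, fd,
	       (unsigned long long)attr.handled_access_fs,
	       (unsigned long long)attr.handled_access_net,
	       (unsigned long long)attr.scoped);
	close(fd);
	return 0;
}
```

Trimming the handled set is a best-effort choice: a right the kernel cannot handle is simply not restricted, so the program should log the resulting ABI level rather than assume the sandbox is as tight as on a current kernel.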
Extending a ruleset
-------------------

``long sys_landlock_add_rule(const int ruleset_fd, const enum landlock_rule_type rule_type, const void __user *const rule_attr, const __u32 flags)``

**Parameters**

``const int ruleset_fd``
  File descriptor tied to the ruleset that should be extended with the new rule.

``const enum landlock_rule_type rule_type``
  Identify the structure type pointed to by **rule_attr**: ``LANDLOCK_RULE_PATH_BENEATH`` or ``LANDLOCK_RULE_NET_PORT``.

``const void __user *const rule_attr``
  Pointer to a rule (matching the **rule_type**).

``const __u32 flags``
  Must be 0.

**Description**

This system call defines a new rule and adds it to an existing ruleset.

Possible returned errors are:

- ``EOPNOTSUPP``: Landlock is supported by the kernel but disabled at boot time;
- ``EAFNOSUPPORT``: **rule_type** is ``LANDLOCK_RULE_NET_PORT`` but TCP/IP is not supported by the running kernel;
- ``EINVAL``: **flags** is not 0;
- ``EINVAL``: the rule accesses are inconsistent (i.e. ``landlock_path_beneath_attr.allowed_access`` or ``landlock_net_port_attr.allowed_access`` is not a subset of the ruleset handled accesses);
- ``EINVAL``: ``landlock_net_port_attr.port`` is greater than 65535;
- ``ENOMSG``: empty accesses (e.g. ``landlock_path_beneath_attr.allowed_access`` is 0);
- ``EBADF``: **ruleset_fd** is not a file descriptor for the current thread, or a member of **rule_attr** is not a file descriptor as expected;
- ``EBADFD``: **ruleset_fd** is not a ruleset file descriptor, or a member of **rule_attr** is not the expected file descriptor type;
- ``EPERM``: **ruleset_fd** has no write access to the underlying ruleset;
- ``EFAULT``: **rule_attr** was not a valid address.

``enum landlock_rule_type``

Landlock rule type

**Constants**

``LANDLOCK_RULE_PATH_BENEATH``
  Type of a ``struct landlock_path_beneath_attr``.

``LANDLOCK_RULE_NET_PORT``
  Type of a ``struct landlock_net_port_attr``.
**Description**

Argument of sys_landlock_add_rule().

``struct landlock_path_beneath_attr``

Path hierarchy definition

**Definition**::

  struct landlock_path_beneath_attr {
      __u64 allowed_access;
      __s32 parent_fd;
  };

**Members**

``allowed_access``
  Bitmask of allowed actions for this file hierarchy (cf. `Filesystem flags`_).

``parent_fd``
  File descriptor, preferably opened with ``O_PATH``, which identifies the parent directory of a file hierarchy, or just a file.

**Description**

Argument of sys_landlock_add_rule().
``struct landlock_net_port_attr``

Network port definition

**Definition**::

  struct landlock_net_port_attr {
      __u64 allowed_access;
      __u64 port;
  };

**Members**

``allowed_access``
  Bitmask of allowed network actions for a port (cf. `Network flags`_).

``port``
  Network port in host endianness.

  It should be noted that port 0 passed to :manpage:`bind(2)` will bind to an available port from the ephemeral port range. This can be configured with the ``/proc/sys/net/ipv4/ip_local_port_range`` sysctl (also used for IPv6), and within that range, on a per-socket basis with ``setsockopt(IP_LOCAL_PORT_RANGE)``.

  A Landlock rule with port 0 and the ``LANDLOCK_ACCESS_NET_BIND_TCP`` right means that requesting to bind on port 0 is allowed and it will automatically translate to binding on a kernel-assigned ephemeral port.

**Description**

Argument of sys_landlock_add_rule().

Enforcing a ruleset
-------------------
]h"]h$]h&]entries](j'sys_landlock_restrict_self (C function)c.sys_landlock_restrict_selfhNtauh1jhjI*hhhNhNubj)}(hhh](j)}(hIlong sys_landlock_restrict_self (const int ruleset_fd, const __u32 flags)h]j)}(hHlong sys_landlock_restrict_self(const int ruleset_fd, const __u32 flags)h](j )}(hlongh]hlong}(hjs*hhhNhNubah}(h]h ]jah"]h$]h&]uh1j hjo*hhhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:542: ./security/landlock/syscalls.chMubj)}(h h]h }(hj*hhhNhNubah}(h]h ]j(ah"]h$]h&]uh1jhjo*hhhj*hMubj-)}(hsys_landlock_restrict_selfh]j3)}(hsys_landlock_restrict_selfh]hsys_landlock_restrict_self}(hj*hhhNhNubah}(h]h ]j?ah"]h$]h&]uh1j2hj*ubah}(h]h ](jFjGeh"]h$]h&]hhuh1j,hjo*hhhj*hMubjL)}(h)(const int ruleset_fd, const __u32 flags)h](jR)}(hconst int ruleset_fdh](jX)}(hj[h]hconst}(hj*hhhNhNubah}(h]h ]jdah"]h$]h&]uh1jWhj*ubj)}(h h]h }(hj*hhhNhNubah}(h]h ]j(ah"]h$]h&]uh1jhj*ubj )}(hinth]hint}(hj*hhhNhNubah}(h]h ]jah"]h$]h&]uh1j hj*ubj)}(h h]h }(hj*hhhNhNubah}(h]h ]j(ah"]h$]h&]uh1jhj*ubj3)}(h ruleset_fdh]h ruleset_fd}(hj*hhhNhNubah}(h]h ]j?ah"]h$]h&]uh1j2hj*ubeh}(h]h ]h"]h$]h&]noemphhhuh1jQhj*ubjR)}(hconst __u32 flagsh](jX)}(hj[h]hconst}(hj+hhhNhNubah}(h]h ]jdah"]h$]h&]uh1jWhj*ubj)}(h h]h }(hj +hhhNhNubah}(h]h ]j(ah"]h$]h&]uh1jhj*ubh)}(hhh]j3)}(h__u32h]h__u32}(hj+hhhNhNubah}(h]h ]j?ah"]h$]h&]uh1j2hj+ubah}(h]h ]h"]h$]h&] refdomainjreftypej reftargetj +modnameN classnameNjj)}j]j)}jj*sbc.sys_landlock_restrict_selfasbuh1hhj*ubj)}(h h]h }(hj>+hhhNhNubah}(h]h ]j(ah"]h$]h&]uh1jhj*ubj3)}(hflagsh]hflags}(hjL+hhhNhNubah}(h]h ]j?ah"]h$]h&]uh1j2hj*ubeh}(h]h ]h"]h$]h&]noemphhhuh1jQhj*ubeh}(h]h ]h"]h$]h&]hhuh1jKhjo*hhhj*hMubeh}(h]h ]h"]h$]h&]hhjuh1jjjhjk*hhhj*hMubah}(h]jf*ah ](jjeh"]h$]h&]jj)jhuh1jhj*hMhjh*hhubj)}(hhh]j)}(h'Enforce a ruleset on the calling threadh]h'Enforce a ruleset on the calling thread}(hjv+hhhNhNubah}(h]h ]h"]h$]h&]uh1jhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:542: ./security/landlock/syscalls.chMhjs+hhubah}(h]h 
]h"]h$]h&]uh1jhjh*hhhj*hMubeh}(h]h ](jfunctioneh"]h$]h&]jjjj+j j+j!j"j#uh1jhhhjI*hNhNubj%)}(hX.**Parameters** ``const int ruleset_fd`` File descriptor tied to the ruleset to merge with the target. ``const __u32 flags`` Supported values: **Description** - ``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF`` - ``LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON`` - ``LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF`` - ``LANDLOCK_RESTRICT_SELF_TSYNC`` This system call enforces a Landlock ruleset on the current thread. Enforcing a ruleset requires that the task has ``CAP_SYS_ADMIN`` in its namespace or is running with no_new_privs. This avoids scenarios where unprivileged tasks can affect the behavior of privileged children. Possible returned errors are: - ``EOPNOTSUPP``: Landlock is supported by the kernel but disabled at boot time; - ``EINVAL``: **flags** contains an unknown bit. - ``EBADF``: **ruleset_fd** is not a file descriptor for the current thread; - ``EBADFD``: **ruleset_fd** is not a ruleset file descriptor; - ``EPERM``: **ruleset_fd** has no read access to the underlying ruleset, or the current thread is not running with no_new_privs, or it doesn't have ``CAP_SYS_ADMIN`` in its namespace. - ``E2BIG``: The maximum number of stacked rulesets is reached for the current thread. .. kernel-doc:: include/uapi/linux/landlock.h :identifiers: landlock_restrict_self_flagsh](j)}(h**Parameters**h]j )}(hj+h]h Parameters}(hj+hhhNhNubah}(h]h ]h"]h$]h&]uh1j hj+ubah}(h]h ]h"]h$]h&]uh1jhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:542: ./security/landlock/syscalls.chMhj+ubj)}(hhh](j)}(hW``const int ruleset_fd`` File descriptor tied to the ruleset to merge with the target. 
h](j)}(h``const int ruleset_fd``h]jz)}(hj+h]hconst int ruleset_fd}(hj+hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhj+ubah}(h]h ]h"]h$]h&]uh1jhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:542: ./security/landlock/syscalls.chMhj+ubj))}(hhh]j)}(h=File descriptor tied to the ruleset to merge with the target.h]h=File descriptor tied to the ruleset to merge with the target.}(hj+hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj+hMhj+ubah}(h]h ]h"]h$]h&]uh1j(hj+ubeh}(h]h ]h"]h$]h&]uh1jhj+hMhj+ubj)}(h(``const __u32 flags`` Supported values: h](j)}(h``const __u32 flags``h]jz)}(hj+h]hconst __u32 flags}(hj+hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhj+ubah}(h]h ]h"]h$]h&]uh1jhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:542: ./security/landlock/syscalls.chMhj+ubj))}(hhh]j)}(hSupported values:h]hSupported values:}(hj ,hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj,hMhj,ubah}(h]h ]h"]h$]h&]uh1j(hj+ubeh}(h]h ]h"]h$]h&]uh1jhj,hMhj+ubeh}(h]h ]h"]h$]h&]uh1j hj+ubj)}(h**Description**h]j )}(hj+,h]h Description}(hj-,hhhNhNubah}(h]h ]h"]h$]h&]uh1j hj),ubah}(h]h ]h"]h$]h&]uh1jhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:542: ./security/landlock/syscalls.chMhj+ubjZ)}(h- ``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF`` - ``LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON`` - ``LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF`` - ``LANDLOCK_RESTRICT_SELF_TSYNC`` h]jE )}(hhh](jJ )}(h,``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``h]j)}(hjJ,h]jz)}(hjJ,h]h(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF}(hjO,hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjL,ubah}(h]h ]h"]h$]h&]uh1jhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:542: ./security/landlock/syscalls.chMhjH,ubah}(h]h ]h"]h$]h&]uh1jI hjE,ubjJ )}(h*``LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON``h]j)}(hjk,h]jz)}(hjk,h]h&LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON}(hjp,hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjm,ubah}(h]h ]h"]h$]h&]uh1jhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:542: ./security/landlock/syscalls.chMhji,ubah}(h]h ]h"]h$]h&]uh1jI 
hjE,ubjJ )}(h-``LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF``h]j)}(hj,h]jz)}(hj,h]h)LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF}(hj,hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhj,ubah}(h]h ]h"]h$]h&]uh1jhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:542: ./security/landlock/syscalls.chMhj,ubah}(h]h ]h"]h$]h&]uh1jI hjE,ubjJ )}(h!``LANDLOCK_RESTRICT_SELF_TSYNC`` h]j)}(h ``LANDLOCK_RESTRICT_SELF_TSYNC``h]jz)}(hj,h]hLANDLOCK_RESTRICT_SELF_TSYNC}(hj,hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhj,ubah}(h]h ]h"]h$]h&]uh1jhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:542: ./security/landlock/syscalls.chMhj,ubah}(h]h ]h"]h$]h&]uh1jI hjE,ubeh}(h]h ]h"]h$]h&]j*jGuh1jD hjb,hMhjA,ubah}(h]h ]h"]h$]h&]uh1jYhjb,hMhj+ubj)}(hXThis system call enforces a Landlock ruleset on the current thread. Enforcing a ruleset requires that the task has ``CAP_SYS_ADMIN`` in its namespace or is running with no_new_privs. This avoids scenarios where unprivileged tasks can affect the behavior of privileged children.h](hsThis system call enforces a Landlock ruleset on the current thread. Enforcing a ruleset requires that the task has }(hj,hhhNhNubjz)}(h``CAP_SYS_ADMIN``h]h CAP_SYS_ADMIN}(hj,hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhj,ubh in its namespace or is running with no_new_privs. 
This avoids scenarios where unprivileged tasks can affect the behavior of privileged children.}(hj,hhhNhNubeh}(h]h ]h"]h$]h&]uh1jhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:542: ./security/landlock/syscalls.chMhj+ubj)}(hPossible returned errors are:h]hPossible returned errors are:}(hj,hhhNhNubah}(h]h ]h"]h$]h&]uh1jhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:542: ./security/landlock/syscalls.chMhj+ubjE )}(hhh](jJ )}(hN``EOPNOTSUPP``: Landlock is supported by the kernel but disabled at boot time;h]j)}(hj-h](jz)}(h``EOPNOTSUPP``h]h EOPNOTSUPP}(hj-hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhj-ubh@: Landlock is supported by the kernel but disabled at boot time;}(hj-hhhNhNubeh}(h]h ]h"]h$]h&]uh1jhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:542: ./security/landlock/syscalls.chMhj -ubah}(h]h ]h"]h$]h&]uh1jI hj -ubjJ )}(h.``EINVAL``: **flags** contains an unknown bit.h]j)}(hj4-h](jz)}(h ``EINVAL``h]hEINVAL}(hj9-hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhj6-ubh: }(hj6-hhhNhNubj )}(h **flags**h]hflags}(hjK-hhhNhNubah}(h]h ]h"]h$]h&]uh1j hj6-ubh contains an unknown bit.}(hj6-hhhNhNubeh}(h]h ]h"]h$]h&]uh1jhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:542: ./security/landlock/syscalls.chMhj2-ubah}(h]h ]h"]h$]h&]uh1jI hj -ubjJ )}(hJ``EBADF``: **ruleset_fd** is not a file descriptor for the current thread;h]j)}(hjl-h](jz)}(h ``EBADF``h]hEBADF}(hjq-hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjn-ubh: }(hjn-hhhNhNubj )}(hN**ruleset_fd**h]h ruleset_fd}(hj-hhhNhNubah}(h]h ]h"]h$]h&]uh1j hjn-ubh1 is not a file descriptor for the current thread;}(hjn-hhhNhNubeh}(h]h ]h"]h$]h&]uh1jhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:542: ./security/landlock/syscalls.chMhjj-ubah}(h]h ]h"]h$]h&]uh1jI hj -ubjJ )}(h<``EBADFD``: **ruleset_fd** is not a ruleset file descriptor;h]j)}(hj-h](jz)}(h ``EBADFD``h]hEBADFD}(hj-hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhj-ubh: }(hj-hhhNhNubj )}(h**ruleset_fd**h]h ruleset_fd}(hj-hhhNhNubah}(h]h 
]h"]h$]h&]uh1j hj-ubh" is not a ruleset file descriptor;}(hj-hhhNhNubeh}(h]h ]h"]h$]h&]uh1jhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:542: ./security/landlock/syscalls.chMhj-ubah}(h]h ]h"]h$]h&]uh1jI hj -ubjJ )}(h``EPERM``: **ruleset_fd** has no read access to the underlying ruleset, or the current thread is not running with no_new_privs, or it doesn't have ``CAP_SYS_ADMIN`` in its namespace.h]j)}(h``EPERM``: **ruleset_fd** has no read access to the underlying ruleset, or the current thread is not running with no_new_privs, or it doesn't have ``CAP_SYS_ADMIN`` in its namespace.h](jz)}(h ``EPERM``h]hEPERM}(hj-hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhj-ubh: }(hj-hhhNhNubj )}(h**ruleset_fd**h]h ruleset_fd}(hj-hhhNhNubah}(h]h ]h"]h$]h&]uh1j hj-ubh| has no read access to the underlying ruleset, or the current thread is not running with no_new_privs, or it doesn’t have }(hj-hhhNhNubjz)}(h``CAP_SYS_ADMIN``h]h CAP_SYS_ADMIN}(hj.hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhj-ubh in its namespace.}(hj-hhhNhNubeh}(h]h ]h"]h$]h&]uh1jhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:542: ./security/landlock/syscalls.chMhj-ubah}(h]h ]h"]h$]h&]uh1jI hj -ubjJ )}(hU``E2BIG``: The maximum number of stacked rulesets is reached for the current thread. 
h]j)}(hT``E2BIG``: The maximum number of stacked rulesets is reached for the current thread.h](jz)}(h ``E2BIG``h]hE2BIG}(hj-.hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhj).ubhK: The maximum number of stacked rulesets is reached for the current thread.}(hj).hhhNhNubeh}(h]h ]h"]h$]h&]uh1jhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:542: ./security/landlock/syscalls.chMhj%.ubah}(h]h ]h"]h$]h&]uh1jI hj -ubeh}(h]h ]h"]h$]h&]j*jGuh1jD hj+-hMhj+ubj)}(h **Flags**h]j )}(hjT.h]hFlags}(hjV.hhhNhNubah}(h]h ]h"]h$]h&]uh1j hjR.ubah}(h]h ]h"]h$]h&]uh1jhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:39: ./include/uapi/linux/landlock.hhKIhj+ubj)}(hXBy default, denied accesses originating from programs that sandbox themselves are logged via the audit subsystem. Such events typically indicate unexpected behavior, such as bugs or exploitation attempts. However, to avoid excessive logging, access requests denied by a domain not created by the originating program are not logged by default. The rationale is that programs should know their own behavior, but not necessarily the behavior of other programs. This default configuration is suitable for most programs that sandbox themselves. For specific use cases, the following flags allow programs to modify this default logging behavior.h]hXBy default, denied accesses originating from programs that sandbox themselves are logged via the audit subsystem. Such events typically indicate unexpected behavior, such as bugs or exploitation attempts. However, to avoid excessive logging, access requests denied by a domain not created by the originating program are not logged by default. The rationale is that programs should know their own behavior, but not necessarily the behavior of other programs. This default configuration is suitable for most programs that sandbox themselves. 
For specific use cases, the following flags allow programs to modify this default logging behavior.}(hjj.hhhNhNubah}(h]h ]h"]h$]h&]uh1jhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:39: ./include/uapi/linux/landlock.hhKKhj+ubj)}(hThe ``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF`` and ``LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON`` flags apply to the newly created Landlock domain.h](hThe }(hjy.hhhNhNubjz)}(h,``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``h]h(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF}(hj.hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjy.ubh and }(hjy.hhhNhNubjz)}(h*``LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON``h]h&LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON}(hj.hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjy.ubh2 flags apply to the newly created Landlock domain.}(hjy.hhhNhNubeh}(h]h ]h"]h$]h&]uh1jhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:39: ./include/uapi/linux/landlock.hhKUhj+ubj)}(hhh](j)}(hX``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF`` Disables logging of denied accesses originating from the thread creating the Landlock domain, as well as its children, as long as they continue running the same executable code (i.e., without an intervening :manpage:`execve(2)` call). This is intended for programs that execute unknown code without invoking :manpage:`execve(2)`, such as script interpreters. Programs that only sandbox themselves should not set this flag, so users can be notified of unauthorized access attempts via system logs. h](j)}(h,``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``h]jz)}(hj.h]h(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF}(hj.hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhj.ubah}(h]h ]h"]h$]h&]uh1jhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:39: ./include/uapi/linux/landlock.hhKahj.ubj))}(hhh]j)}(hXDisables logging of denied accesses originating from the thread creating the Landlock domain, as well as its children, as long as they continue running the same executable code (i.e., without an intervening :manpage:`execve(2)` call). 
This is intended for programs that execute unknown code without invoking :manpage:`execve(2)`, such as script interpreters. Programs that only sandbox themselves should not set this flag, so users can be notified of unauthorized access attempts via system logs.h](hDisables logging of denied accesses originating from the thread creating the Landlock domain, as well as its children, as long as they continue running the same executable code (i.e., without an intervening }(hj.hhhNhNubj)}(h:manpage:`execve(2)`h]h execve(2)}(hj.hhhNhNubah}(h]h ]jah"]h$]h&]hhj  execve(2)jexecvejjuh1jhj.ubhQ call). This is intended for programs that execute unknown code without invoking }(hj.hhhNhNubj)}(h:manpage:`execve(2)`h]h execve(2)}(hj.hhhNhNubah}(h]h ]jah"]h$]h&]hhj  execve(2)jexecvejjuh1jhj.ubh, such as script interpreters. Programs that only sandbox themselves should not set this flag, so users can be notified of unauthorized access attempts via system logs.}(hj.hhhNhNubeh}(h]h ]h"]h$]h&]uh1jhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:39: ./include/uapi/linux/landlock.hhKZhj.ubah}(h]h ]h"]h$]h&]uh1j(hj.ubeh}(h]h ]h"]h$]h&]uh1jhj.hKahj.ubj)}(hX``LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON`` Enables logging of denied accesses after an :manpage:`execve(2)` call, providing visibility into unauthorized access attempts by newly executed programs within the created Landlock domain. This flag is recommended only when all potential executables in the domain are expected to comply with the access restrictions, as excessive audit log entries could make it more difficult to identify critical events. 
h](j)}(h*``LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON``h]jz)}(hj/h]h&LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON}(hj/hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhj/ubah}(h]h ]h"]h$]h&]uh1jhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:39: ./include/uapi/linux/landlock.hhKihj/ubj))}(hhh]j)}(hXEnables logging of denied accesses after an :manpage:`execve(2)` call, providing visibility into unauthorized access attempts by newly executed programs within the created Landlock domain. This flag is recommended only when all potential executables in the domain are expected to comply with the access restrictions, as excessive audit log entries could make it more difficult to identify critical events.h](h,Enables logging of denied accesses after an }(hj0/hhhNhNubj)}(h:manpage:`execve(2)`h]h execve(2)}(hj8/hhhNhNubah}(h]h ]jah"]h$]h&]hhj  execve(2)jexecvejjuh1jhj0/ubhXU call, providing visibility into unauthorized access attempts by newly executed programs within the created Landlock domain. This flag is recommended only when all potential executables in the domain are expected to comply with the access restrictions, as excessive audit log entries could make it more difficult to identify critical events.}(hj0/hhhNhNubeh}(h]h ]h"]h$]h&]uh1jhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:39: ./include/uapi/linux/landlock.hhKdhj-/ubah}(h]h ]h"]h$]h&]uh1j(hj/ubeh}(h]h ]h"]h$]h&]uh1jhj,/hKihj.ubj)}(hX``LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF`` Disables logging of denied accesses originating from nested Landlock domains created by the caller or its descendants. This flag should be set according to runtime configuration, not hardcoded, to avoid suppressing important security events. It is useful for container runtimes or sandboxing tools that may launch programs which themselves create Landlock domains and could otherwise generate excessive logs. 
Unlike ``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``, this flag only affects future nested domains, not the one being created. It can also be used with a **ruleset_fd** value of -1 to mute subdomain logs without creating a domain. h](j)}(h-``LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF``h]jz)}(hje/h]h)LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF}(hjg/hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhjc/ubah}(h]h ]h"]h$]h&]uh1jhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:39: ./include/uapi/linux/landlock.hhKuhj_/ubj))}(hhh]j)}(hX~Disables logging of denied accesses originating from nested Landlock domains created by the caller or its descendants. This flag should be set according to runtime configuration, not hardcoded, to avoid suppressing important security events. It is useful for container runtimes or sandboxing tools that may launch programs which themselves create Landlock domains and could otherwise generate excessive logs. Unlike ``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``, this flag only affects future nested domains, not the one being created. It can also be used with a **ruleset_fd** value of -1 to mute subdomain logs without creating a domain.h](hXDisables logging of denied accesses originating from nested Landlock domains created by the caller or its descendants. This flag should be set according to runtime configuration, not hardcoded, to avoid suppressing important security events. It is useful for container runtimes or sandboxing tools that may launch programs which themselves create Landlock domains and could otherwise generate excessive logs. Unlike }(hj~/hhhNhNubjz)}(h,``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``h]h(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF}(hj/hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhj~/ubhf, this flag only affects future nested domains, not the one being created. 
It can also be used with a }(hj~/hhhNhNubj )}(h**ruleset_fd**h]h ruleset_fd}(hj/hhhNhNubah}(h]h ]h"]h$]h&]uh1j hj~/ubh> value of -1 to mute subdomain logs without creating a domain.}(hj~/hhhNhNubeh}(h]h ]h"]h$]h&]uh1jhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:39: ./include/uapi/linux/landlock.hhKlhj{/ubah}(h]h ]h"]h$]h&]uh1j(hj_/ubeh}(h]h ]h"]h$]h&]uh1jhjz/hKuhj.ubeh}(h]h ]h"]h$]h&]uh1j hj+ubj)}(hJThe following flag supports policy enforcement in multithreaded processes:h]hJThe following flag supports policy enforcement in multithreaded processes:}(hj/hhhNhNubah}(h]h ]h"]h$]h&]uh1jhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:39: ./include/uapi/linux/landlock.hhKwhj+ubj)}(hhh]j)}(hX``LANDLOCK_RESTRICT_SELF_TSYNC`` Applies the new Landlock configuration atomically to all threads of the current process, including the Landlock domain and logging configuration. This overrides the Landlock configuration of sibling threads, irrespective of previously established Landlock domains and logging configurations on these threads. If the calling thread is running with no_new_privs, this operation enables no_new_privs on the sibling threads as well. h](j)}(h ``LANDLOCK_RESTRICT_SELF_TSYNC``h]jz)}(hj/h]hLANDLOCK_RESTRICT_SELF_TSYNC}(hj/hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhj/ubah}(h]h ]h"]h$]h&]uh1jhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:39: ./include/uapi/linux/landlock.hhKhj/ubj))}(hhh](j)}(hX4Applies the new Landlock configuration atomically to all threads of the current process, including the Landlock domain and logging configuration. This overrides the Landlock configuration of sibling threads, irrespective of previously established Landlock domains and logging configurations on these threads.h]hX4Applies the new Landlock configuration atomically to all threads of the current process, including the Landlock domain and logging configuration. 
This overrides the Landlock configuration of sibling threads, irrespective of previously established Landlock domains and logging configurations on these threads.}(hj/hhhNhNubah}(h]h ]h"]h$]h&]uh1jhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:39: ./include/uapi/linux/landlock.hhKzhj/ubj)}(hwIf the calling thread is running with no_new_privs, this operation enables no_new_privs on the sibling threads as well.h]hwIf the calling thread is running with no_new_privs, this operation enables no_new_privs on the sibling threads as well.}(hj0hhhNhNubah}(h]h ]h"]h$]h&]uh1jhd/var/lib/git/docbuild/linux/Documentation/userspace-api/landlock:39: ./include/uapi/linux/landlock.hhKhj/ubeh}(h]h ]h"]h$]h&]uh1j(hj/ubeh}(h]h ]h"]h$]h&]uh1jhj/hKhj/ubah}(h]h ]h"]h$]h&]uh1j hj+ubeh}(h]h ] kernelindentah"]h$]h&]uh1j$hjI*hhhNhNubeh}(h]enforcing-a-rulesetah ]h"]enforcing a rulesetah$]h&]uh1hhj hhhhhMubeh}(h]kernel-interfaceah ]h"]kernel interfaceah$]h&]uh1hhhhhhhhMubh)}(hhh](h)}(hCurrent limitationsh]hCurrent limitations}(hj>0hhhNhNubah}(h]h ]h"]h$]h&]uh1hhj;0hhhhhM"ubh)}(hhh](h)}(h Filesystem topology modificationh]h Filesystem topology modification}(hjO0hhhNhNubah}(h]h ]h"]h$]h&]uh1hhjL0hhhhhM%ubj)}(hThreads sandboxed with filesystem restrictions cannot modify filesystem topology, whether via :manpage:`mount(2)` or :manpage:`pivot_root(2)`. However, :manpage:`chroot(2)` calls are not denied.h](h^Threads sandboxed with filesystem restrictions cannot modify filesystem topology, whether via }(hj]0hhhNhNubj)}(h:manpage:`mount(2)`h]hmount(2)}(hje0hhhNhNubah}(h]h ]jah"]h$]h&]hhj mount(2)jmountjjuh1jhj]0ubh or }(hj]0hhhNhNubj)}(h:manpage:`pivot_root(2)`h]h pivot_root(2)}(hjy0hhhNhNubah}(h]h ]jah"]h$]h&]hhj  pivot_root(2)j pivot_rootjjuh1jhj]0ubh . 
However, }(hj]0hhhNhNubj)}(h:manpage:`chroot(2)`h]h chroot(2)}(hj0hhhNhNubah}(h]h ]jah"]h$]h&]hhj  chroot(2)jchrootjjuh1jhj]0ubh calls are not denied.}(hj]0hhhNhNubeh}(h]h ]h"]h$]h&]uh1jhhhM'hjL0hhubeh}(h] filesystem-topology-modificationah ]h"] filesystem topology modificationah$]h&]uh1hhj;0hhhhhM%ubh)}(hhh](h)}(hSpecial filesystemsh]hSpecial filesystems}(hj0hhhNhNubah}(h]h ]h"]h$]h&]uh1hhj0hhhhhM,ubj)}(hXAccess to regular files and directories can be restricted by Landlock, according to the handled accesses of a ruleset. However, files that do not come from a user-visible filesystem (e.g. pipe, socket), but can still be accessed through ``/proc//fd/*``, cannot currently be explicitly restricted. Likewise, some special kernel filesystems such as nsfs, which can be accessed through ``/proc//ns/*``, cannot currently be explicitly restricted. However, thanks to the `ptrace restrictions`_, access to such sensitive ``/proc`` files are automatically restricted according to domain hierarchies. Future Landlock evolutions could still enable to explicitly restrict such paths with dedicated ruleset flags.h](hAccess to regular files and directories can be restricted by Landlock, according to the handled accesses of a ruleset. However, files that do not come from a user-visible filesystem (e.g. pipe, socket), but can still be accessed through }(hj0hhhNhNubjz)}(h``/proc//fd/*``h]h/proc//fd/*}(hj0hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhj0ubh, cannot currently be explicitly restricted. Likewise, some special kernel filesystems such as nsfs, which can be accessed through }(hj0hhhNhNubjz)}(h``/proc//ns/*``h]h/proc//ns/*}(hj0hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhj0ubhE, cannot currently be explicitly restricted. 
However, thanks to the }(hj0hhhNhNubj)}(h`ptrace restrictions`_h]hptrace restrictions}(hj0hhhNhNubah}(h]h ]h"]h$]h&]nameptrace restrictionsjjuh1jhj0jKubh, access to such sensitive }(hj0hhhNhNubjz)}(h ``/proc``h]h/proc}(hj1hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhj0ubh files are automatically restricted according to domain hierarchies. Future Landlock evolutions could still enable to explicitly restrict such paths with dedicated ruleset flags.}(hj0hhhNhNubeh}(h]h ]h"]h$]h&]uh1jhhhM.hj0hhubeh}(h]special-filesystemsah ]h"]special filesystemsah$]h&]uh1hhj;0hhhhhM,ubh)}(hhh](h)}(hRuleset layersh]hRuleset layers}(hj#1hhhNhNubah}(h]h ]h"]h$]h&]uh1hhj 1hhhhhM:ubj)}(hXThere is a limit of 16 layers of stacked rulesets. This can be an issue for a task willing to enforce a new ruleset in complement to its 16 inherited rulesets. Once this limit is reached, sys_landlock_restrict_self() returns E2BIG. It is then strongly suggested to carefully build rulesets once in the life of a thread, especially for applications able to launch other applications that may also want to sandbox themselves (e.g. shells, container managers, etc.).h]hXThere is a limit of 16 layers of stacked rulesets. This can be an issue for a task willing to enforce a new ruleset in complement to its 16 inherited rulesets. Once this limit is reached, sys_landlock_restrict_self() returns E2BIG. It is then strongly suggested to carefully build rulesets once in the life of a thread, especially for applications able to launch other applications that may also want to sandbox themselves (e.g. 
shells, container managers, etc.).}(hj11hhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhM<hj 1hhubeh}(h]ruleset-layersah ]h"]ruleset layersah$]h&]uh1hhj;0hhhhhM:ubh)}(hhh](h)}(h Memory usageh]h Memory usage}(hjJ1hhhNhNubah}(h]h ]h"]h$]h&]uh1hhjG1hhhhhMEubj)}(hKernel memory allocated to create rulesets is accounted and can be restricted by the Documentation/admin-guide/cgroup-v1/memory.rst.h]hKernel memory allocated to create rulesets is accounted and can be restricted by the Documentation/admin-guide/cgroup-v1/memory.rst.}(hjX1hhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhMGhjG1hhubeh}(h] memory-usageah ]h"] memory usageah$]h&]uh1hhj;0hhhhhMEubh)}(hhh](h)}(h IOCTL supporth]h IOCTL support}(hjq1hhhNhNubah}(h]h ]h"]h$]h&]uh1hhjn1hhhhhMKubj)}(hThe ``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right restricts the use of :manpage:`ioctl(2)`, but it only applies to *newly opened* device files. This means specifically that pre-existing file descriptors like stdin, stdout and stderr are unaffected.h](hThe }(hj1hhhNhNubjz)}(h ``LANDLOCK_ACCESS_FS_IOCTL_DEV``h]hLANDLOCK_ACCESS_FS_IOCTL_DEV}(hj1hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhj1ubh right restricts the use of }(hj1hhhNhNubj)}(h:manpage:`ioctl(2)`h]hioctl(2)}(hj1hhhNhNubah}(h]h ]jah"]h$]h&]hhj ioctl(2)jioctljjuh1jhj1ubh, but it only applies to }(hj1hhhNhNubj)}(h*newly opened*h]h newly opened}(hj1hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj1ubhx device files. This means specifically that pre-existing file descriptors like stdin, stdout and stderr are unaffected.}(hj1hhhNhNubeh}(h]h ]h"]h$]h&]uh1jhhhMMhjn1hhubj)}(hXUsers should be aware that TTY devices have traditionally permitted to control other processes on the same TTY through the ``TIOCSTI`` and ``TIOCLINUX`` IOCTL commands. 
Both of these require ``CAP_SYS_ADMIN`` on modern Linux systems, but the behavior is configurable for ``TIOCSTI``.h](h{Users should be aware that TTY devices have traditionally permitted to control other processes on the same TTY through the }(hj1hhhNhNubjz)}(h ``TIOCSTI``h]hTIOCSTI}(hj1hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhj1ubh and }(hj1hhhNhNubjz)}(h ``TIOCLINUX``h]h TIOCLINUX}(hj1hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhj1ubh( IOCTL commands. Both of these require }(hj1hhhNhNubjz)}(h``CAP_SYS_ADMIN``h]h CAP_SYS_ADMIN}(hj1hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhj1ubh? on modern Linux systems, but the behavior is configurable for }(hj1hhhNhNubjz)}(h ``TIOCSTI``h]hTIOCSTI}(hj2hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhj1ubh.}(hj1hhhNhNubeh}(h]h ]h"]h$]h&]uh1jhhhMRhjn1hhubj)}(hOn older systems, it is therefore recommended to close inherited TTY file descriptors, or to reopen them from ``/proc/self/fd/*`` without the ``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right, if possible.h](hnOn older systems, it is therefore recommended to close inherited TTY file descriptors, or to reopen them from }(hj2hhhNhNubjz)}(h``/proc/self/fd/*``h]h/proc/self/fd/*}(hj#2hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhj2ubh without the }(hj2hhhNhNubjz)}(h ``LANDLOCK_ACCESS_FS_IOCTL_DEV``h]hLANDLOCK_ACCESS_FS_IOCTL_DEV}(hj52hhhNhNubah}(h]h ]h"]h$]h&]uh1jyhj2ubh right, if possible.}(hj2hhhNhNubeh}(h]h ]h"]h$]h&]uh1jhhhMWhjn1hhubj)}(hX1Landlock's IOCTL support is coarse-grained at the moment, but may become more fine-grained in the future. Until then, users are advised to establish the guarantees that they need through the file hierarchy, by only allowing the ``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right on files where it is really required.h](hLandlock’s IOCTL support is coarse-grained at the moment, but may become more fine-grained in the future. 
Until then, users are advised to establish the guarantees that they need through
the file hierarchy, by only allowing the ``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right
on files where it is really required.

Previous limitations
====================

File renaming and linking (ABI < 2)
-----------------------------------

Because Landlock targets unprivileged access controls, it needs to properly
handle composition of rules.  This property also implies rule nesting.
Properly handling multiple layers of rulesets, each one of them able to
restrict access to files, also implies inheritance of the ruleset restrictions
from a parent to its hierarchy.  Because files are identified and restricted by
their hierarchy, moving or linking a file from one directory to another implies
propagation of the hierarchy constraints, or restriction of these actions
according to the potentially lost constraints.  To protect against privilege
escalations through renaming or linking, and for the sake of simplicity,
Landlock previously limited linking and renaming to the same directory.
Starting with the Landlock ABI version 2, it is now possible to securely control
renaming and linking thanks to the new ``LANDLOCK_ACCESS_FS_REFER`` access
right.

File truncation (ABI < 3)
-------------------------

File truncation could not be denied before the third Landlock ABI, so it is
always allowed when using a kernel that only supports the first or second ABI.

Starting with the Landlock ABI version 3, it is now possible to securely control
truncation thanks to the new ``LANDLOCK_ACCESS_FS_TRUNCATE`` access right.

TCP bind and connect (ABI < 4)
------------------------------

Starting with the Landlock ABI version 4, it is now possible to restrict TCP
bind and connect actions to only a set of allowed ports thanks to the new
``LANDLOCK_ACCESS_NET_BIND_TCP`` and ``LANDLOCK_ACCESS_NET_CONNECT_TCP`` access
rights.

Device IOCTL (ABI < 5)
----------------------

IOCTL operations could not be denied before the fifth Landlock ABI, so
:manpage:`ioctl(2)` is always allowed when using a kernel that only supports an
earlier ABI.

Starting with the Landlock ABI version 5, it is possible to restrict the use of
:manpage:`ioctl(2)` on character and block devices using the new
``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right.

Abstract UNIX socket (ABI < 6)
------------------------------

Starting with the Landlock ABI version 6, it is possible to restrict connections
to an abstract :manpage:`unix(7)` socket by setting
``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET`` to the ``scoped`` ruleset attribute.

Signal (ABI < 6)
----------------

Starting with the Landlock ABI version 6, it is possible to restrict
:manpage:`signal(7)` sending by setting ``LANDLOCK_SCOPE_SIGNAL`` to the
``scoped`` ruleset attribute.

Logging (ABI < 7)
-----------------

Starting with the Landlock ABI version 7, it is possible to control logging of
Landlock audit events with the ``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``,
``LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON``, and
``LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF`` flags passed to
sys_landlock_restrict_self().  See Documentation/admin-guide/LSM/landlock.rst
for more details on audit.

Thread synchronization (ABI < 8)
--------------------------------

Starting with the Landlock ABI version 8, it is now possible to enforce Landlock
rulesets across all threads of the calling process using the
``LANDLOCK_RESTRICT_SELF_TSYNC`` flag passed to sys_landlock_restrict_self().

.. _kernel_support:

Kernel support
==============

Build time configuration
------------------------

Landlock was first introduced in Linux 5.13 but it must be configured at build
time with ``CONFIG_SECURITY_LANDLOCK=y``.  Landlock must also be enabled at boot
time like other security modules.  The list of security modules enabled by
default is set with ``CONFIG_LSM``.  The kernel configuration should then
contain ``CONFIG_LSM=landlock,[...]`` with ``[...]`` as the list of other
potentially useful security modules for the running system (see the
``CONFIG_LSM`` help).

Boot time configuration
-----------------------

If the running kernel does not have ``landlock`` in ``CONFIG_LSM``, then we can
enable Landlock by adding ``lsm=landlock,[...]`` to
Documentation/admin-guide/kernel-parameters.rst in the boot loader
configuration.

For example, if the current built-in configuration is:

.. code-block:: console

    $ zgrep -h "^CONFIG_LSM=" "/boot/config-$(uname -r)" /proc/config.gz 2>/dev/null
    CONFIG_LSM="lockdown,yama,integrity,apparmor"

...and if the cmdline doesn't contain ``landlock`` either:

.. code-block:: console

    $ sed -n 's/.*\(\

The kernel may be configured at build time to always load the ``lockdown`` and
``capability`` LSMs.  In that case, these LSMs will appear at the beginning of
the ``LSM: initializing`` log line as well, even if they are not configured in
the boot loader.

Network support
---------------

To be able to explicitly allow TCP operations (e.g., adding a network rule with
``LANDLOCK_ACCESS_NET_BIND_TCP``), the kernel must support TCP
(``CONFIG_INET=y``).  Otherwise, sys_landlock_add_rule() returns an
``EAFNOSUPPORT`` error, which can safely be ignored because this kind of TCP
operation is already not possible.

Questions and answers
=====================

What about user space sandbox managers?
---------------------------------------

Using user space processes to enforce restrictions on kernel resources can lead
to race conditions or inconsistent evaluations (i.e. `Incorrect mirroring of
the OS code and state
<https://www.ndss-symposium.org/ndss2003/traps-and-pitfalls-practical-problems-system-call-interposition-based-security-tools/>`_).

What about namespaces and containers?
-------------------------------------

Namespaces can help create sandboxes but they are not designed for access
control and therefore lack useful features for such a use case (e.g. no
fine-grained restrictions).  Moreover, their complexity can lead to security
issues, especially when untrusted processes can manipulate them (cf.
`Controlling access to user namespaces <https://lwn.net/Articles/673597/>`_).

How to disable Landlock audit records?
--------------------------------------

You might want to put in place filters as explained here:
Documentation/admin-guide/LSM/landlock.rst

Additional documentation
========================

* Documentation/admin-guide/LSM/landlock.rst
* Documentation/security/landlock.rst
* https://landlock.io

.. Links
.. _samples/landlock/sandboxer.c:
   https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/samples/landlock/sandboxer.c
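Added here as an example (it is not code from the kernel documentation or from samples/landlock/sandboxer.c): the compatibility cascade that the "ABI < N" sections under Previous limitations describe, from probing the running ABI version as Kernel support explains down to dropping every right or flag that a given ABI does not know, so a sandbox keeps what it can enforce rather than failing on an older kernel. The names ``struct compat_plan``, ``landlock_abi_version()`` and ``landlock_downgrade()`` are chosen here, and the fallback constant values assume they match the uapi header.

```c
#include <stdint.h>
#include <sys/syscall.h>
#include <unistd.h>
#if __has_include(<linux/landlock.h>)
#include <linux/landlock.h>
#else
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#endif
/* Fallbacks for uapi headers that predate a right (the approach taken by
 * samples/landlock/sandboxer.c); values assumed to mirror include/uapi/linux/landlock.h. */
#ifndef LANDLOCK_ACCESS_FS_IOCTL_DEV
#define LANDLOCK_ACCESS_FS_REFER (1ULL << 13)
#define LANDLOCK_ACCESS_FS_TRUNCATE (1ULL << 14)
#define LANDLOCK_ACCESS_FS_IOCTL_DEV (1ULL << 15)
#endif
#ifndef LANDLOCK_ACCESS_NET_BIND_TCP
#define LANDLOCK_ACCESS_NET_BIND_TCP (1ULL << 0)
#define LANDLOCK_ACCESS_NET_CONNECT_TCP (1ULL << 1)
#endif
#ifndef LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
#define LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET (1ULL << 0)
#define LANDLOCK_SCOPE_SIGNAL (1ULL << 1)
#endif
#ifndef LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF
#define LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF (1U << 0)
#define LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON (1U << 1)
#define LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF (1U << 2)
#endif
#define LANDLOCK_LOG_FLAGS (LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF | \
	LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON | LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF)

/* What a sandbox wants on an up-to-date kernel (hypothetical helper type). */
struct compat_plan {
	uint64_t handled_fs, handled_net, scoped; /* struct landlock_ruleset_attr fields */
	uint32_t restrict_flags;                  /* landlock_restrict_self() flags */
};

/* Probe the running ABI version via landlock_create_ruleset(2); 0 means no Landlock. */
int landlock_abi_version(void)
{
#ifdef __NR_landlock_create_ruleset
	long v = syscall(__NR_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
	return v < 0 ? 0 : (int)v;
#endif
	return 0;
}

/* Return the plan minus everything the given ABI does not know; each fall-through
 * mirrors one "ABI < N" section, and a newer ABI than 8 keeps the plan unchanged. */
struct compat_plan landlock_downgrade(struct compat_plan p, int abi)
{
	switch (abi < 1 ? 0 : abi) {
	case 0: p.handled_fs = 0; p.restrict_flags = 0;         /* no Landlock at all */
	case 1: p.handled_fs &= ~LANDLOCK_ACCESS_FS_REFER;      /* fall through */
	case 2: p.handled_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE;   /* fall through */
	case 3: p.handled_net = 0;                              /* fall through */
	case 4: p.handled_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV;  /* fall through */
	case 5: p.scoped = 0;                                   /* fall through */
	case 6: p.restrict_flags &= ~LANDLOCK_LOG_FLAGS;        /* fall through */
	case 7:
#ifdef LANDLOCK_RESTRICT_SELF_TSYNC /* ABI 8 flag, only when the header has it */
		p.restrict_flags &= ~LANDLOCK_RESTRICT_SELF_TSYNC;
#endif
		break;
	}
	return p;
}
```

The caller fills ``struct landlock_ruleset_attr`` from the downgraded plan and, when ``landlock_abi_version()`` returns 0, skips Landlock entirely since nothing can be enforced.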