landlock_create_ruleset(2) — Linux manual page
landlock_create_ruleset(2)    System Calls Manual    landlock_create_ruleset(2)
NAME
landlock_create_ruleset - create a new Landlock ruleset
LIBRARY
Standard C library (libc, -lc)
SYNOPSIS
#include <linux/landlock.h>  /* Definition of LANDLOCK_* constants */
#include <sys/syscall.h>     /* Definition of SYS_* constants */
#include <unistd.h>          /* Declaration of syscall() */

int syscall(SYS_landlock_create_ruleset,
            const struct landlock_ruleset_attr *attr,
            size_t size, uint32_t flags);
DESCRIPTION
A Landlock ruleset identifies a set of rules (i.e., actions on
objects). The landlock_create_ruleset() system call creates a new
file descriptor identifying a ruleset. This file descriptor can
then be used by landlock_add_rule(2) and
landlock_restrict_self(2). See landlock(7) for a global
overview.
attr specifies the properties of the new ruleset. It points to
the following structure:
struct landlock_ruleset_attr {
    __u64 handled_access_fs;
};
handled_access_fs is a bitmask of actions that are handled
by this ruleset and should then be forbidden unless a rule
explicitly allows them (see Filesystem actions in
landlock(7)). This enables simply restricting ambient
rights (e.g., global filesystem access) and is needed for
compatibility reasons.
size must be specified as sizeof(struct landlock_ruleset_attr)
for compatibility reasons.
flags must be 0 if attr is used. Otherwise, flags can be set to:
LANDLOCK_CREATE_RULESET_VERSION
If attr is NULL and size is 0, then the returned value is
the highest supported Landlock ABI version (starting at
1). This version can be used for a best-effort security
approach, which is encouraged when user space is not
pinned to a specific kernel version. All features
documented in these man pages are available with
version 1.
RETURN VALUE
On success, landlock_create_ruleset() returns a new Landlock
ruleset file descriptor, or a Landlock ABI version, according to
flags.
ERRORS
landlock_create_ruleset() can fail for the following reasons:
EOPNOTSUPP Landlock is supported by the kernel but disabled at boot time.
EINVAL Unknown flags, or unknown access, or too small size.
E2BIG size is too big.
EFAULT attr was not a valid address.
ENOMSG Empty accesses (i.e., attr->handled_access_fs is 0).
STANDARDS
Linux.
HISTORY
Linux 5.13.
EXAMPLES
See landlock(7).
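The two call forms described above (ABI version probe, then ruleset creation), as an added example that is not part of the original manual page. The helper names and the sample access mask are assumptions; the LANDLOCK_ACCESS_FS_* constants are those listed under Filesystem actions in landlock(7).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/landlock.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Constructed sample mask: a subset of the filesystem accesses in landlock(7). */
#define SAMPLE_ACCESS_FS \
    (LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_WRITE_FILE | \
     LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR)

/* Probe form: attr NULL, size 0. Returns ABI version (>= 1), or -1 with errno set. */
static int landlock_abi_version(void)
{
    return (int)syscall(SYS_landlock_create_ruleset, NULL, 0,
                        LANDLOCK_CREATE_RULESET_VERSION);
}

/* Ruleset form: attr is used, so flags must be 0. Returns an fd, or -1 with errno set. */
static int create_fs_ruleset(__u64 handled_access_fs)
{
    struct landlock_ruleset_attr attr;
    /* Zero the whole struct: newer kernel headers may define more fields. */
    memset(&attr, 0, sizeof(attr));
    attr.handled_access_fs = handled_access_fs;
    return (int)syscall(SYS_landlock_create_ruleset, &attr, sizeof(attr), 0);
}

/* Best effort: returns a ruleset fd, or -1 when Landlock cannot be used. */
static int setup_ruleset_best_effort(void)
{
    if (landlock_abi_version() < 0) {
        /* EOPNOTSUPP: disabled at boot. ENOSYS (not listed on this page, stated
         * here as known kernel behaviour): kernel built without Landlock. */
        fprintf(stderr, "Landlock unavailable: %s\n", strerror(errno));
        return -1;
    }
    int fd = create_fs_ruleset(SAMPLE_ACCESS_FS);
    if (fd < 0)
        fprintf(stderr, "landlock_create_ruleset: %s\n", strerror(errno));
    return fd;
}

int main(void)
{
    int fd = setup_ruleset_best_effort();
    if (fd >= 0)
        close(fd);
    return 0;
}
```

A caller that gets -1 from setup_ruleset_best_effort() is running without Landlock restrictions and should decide explicitly whether to continue or abort.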
SEE ALSO
landlock_add_rule(2), landlock_restrict_self(2), landlock(7)
COLOPHON
This page is part of the man-pages (Linux kernel and C library
user-space interface documentation) project. Information about
the project can be found at
⟨https://www.kernel.org/doc/man-pages/⟩. If you have a bug report
for this manual page, see
⟨https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/tree/CONTRIBUTING⟩.
This page was obtained from the tarball man-pages-6.9.1.tar.gz
fetched from
⟨https://mirrors.edge.kernel.org/pub/linux/docs/man-pages/⟩ on
2024-06-26. If you discover any rendering problems in this HTML
version of the page, or you believe there is a better or more up-
to-date source for the page, or you have corrections or
improvements to the information in this COLOPHON (which is not
part of the original manual page), send a mail to
man-pages@man7.org
Linux man-pages 6.9.1 2024-05-02 landlock_create_ruleset(2)