landlock_restrict_self(2) — Linux manual page
landlock_restrict_self(2) System Calls Manual landlock_restrict_self(2)
NAME
landlock_restrict_self - enforce a Landlock ruleset
LIBRARY
Standard C library (libc, -lc)
SYNOPSIS
#include <linux/landlock.h> /* Definition of LANDLOCK_* constants */
#include <sys/syscall.h> /* Definition of SYS_* constants */
int syscall(SYS_landlock_restrict_self, int ruleset_fd,
uint32_t flags);
DESCRIPTION
Once a Landlock ruleset is populated with the desired rules, the
landlock_restrict_self() system call enables enforcing this
ruleset on the calling thread. See landlock(7) for a global
overview.
A thread can be restricted with multiple rulesets that are then
composed together to form the thread's Landlock domain. This can
be seen as a stack of rulesets but it is implemented in a more
efficient way. A domain can only be updated in such a way that
the constraints of each past and future composed rulesets will
restrict the thread and its future children for their entire
life. It is then possible to gradually enforce tailored access
control policies with multiple independent rulesets coming from
different sources (e.g., init system configuration, user session
policy, built-in application policy). However, most applications
should only need one call to landlock_restrict_self() and they
should avoid arbitrary numbers of such calls because of the
composed rulesets limit. Instead, developers are encouraged to
build a tailored ruleset thanks to multiple calls to
landlock_add_rule(2).
In order to enforce a ruleset, either the caller must have the
CAP_SYS_ADMIN capability in its user namespace, or the thread
must already have the no_new_privs bit set. As for seccomp(2),
this avoids scenarios where unprivileged processes can affect the
behavior of privileged children (e.g., because of set-user-ID
binaries). If that bit was not already set by an ancestor of
this thread, the thread must make the following call:
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
ruleset_fd is a Landlock ruleset file descriptor obtained with
landlock_create_ruleset(2) and fully populated with a set of
calls to landlock_add_rule(2).
flags must be 0.
RETURN VALUE
On success, landlock_restrict_self() returns 0.
ERRORS
landlock_restrict_self() can fail for the following reasons:
EOPNOTSUPP
Landlock is supported by the kernel but disabled at boot
time.
EINVAL flags is not 0.
EBADF ruleset_fd is not a file descriptor for the current
thread.
EBADFD ruleset_fd is not a ruleset file descriptor.
EPERM ruleset_fd has no read access to the underlying ruleset,
or the calling thread is not running with no_new_privs, or
it doesn't have the CAP_SYS_ADMIN in its user namespace.
E2BIG The maximum number of composed rulesets is reached for the
calling thread. This limit is currently 64.
STANDARDS
Linux.
HISTORY
Linux 5.13.
EXAMPLES
See landlock(7).
SEE ALSO
landlock_create_ruleset(2), landlock_add_rule(2), landlock(7)
COLOPHON
This page is part of the man-pages (Linux kernel and C library
user-space interface documentation) project. Information about
the project can be found at
⟨https://www.kernel.org/doc/man-pages/⟩. If you have a bug report
for this manual page, see
⟨https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/tree/CONTRIBUTING⟩.
This page was obtained from the tarball man-pages-6.9.1.tar.gz
fetched from
⟨https://mirrors.edge.kernel.org/pub/linux/docs/man-pages/⟩ on
2024-06-26. If you discover any rendering problems in this HTML
version of the page, or you believe there is a better or more up-
to-date source for the page, or you have corrections or
improvements to the information in this COLOPHON (which is not
part of the original manual page), send a mail to
man-pages@man7.org
Linux man-pages 6.9.1 2024-05-02 landlock_restrict_self(2)
Pages that refer to this page: landlock_add_rule(2), landlock_create_ruleset(2), syscalls(2), landlock(7)