landlock_restrict_self(2) System Calls Manual landlock_restrict_self(2) NAME landlock_restrict_self - enforce a Landlock ruleset LIBRARY Standard C library (libc, -lc) SYNOPSIS #include <linux/landlock.h> /* Definition of LANDLOCK_* constants */ #include <sys/syscall.h> /* Definition of SYS_* constants */ int syscall(SYS_landlock_restrict_self, int ruleset_fd, uint32_t flags); DESCRIPTION Once a Landlock ruleset is populated with the desired rules, the land- lock_restrict_self() system call enables enforcing this ruleset on the calling thread. See landlock(7) for a global overview. A thread can be restricted with multiple rulesets that are then com- posed together to form the thread's Landlock domain. This can be seen as a stack of rulesets but it is implemented in a more efficient way. A domain can only be updated in such a way that the constraints of each past and future composed rulesets will restrict the thread and its fu- ture children for their entire life. It is then possible to gradually enforce tailored access control policies with multiple independent rulesets coming from different sources (e.g., init system configura- tion, user session policy, built-in application policy). However, most applications should only need one call to landlock_restrict_self() and they should avoid arbitrary numbers of such calls because of the com- posed rulesets limit. Instead, developers are encouraged to build a tailored ruleset thanks to multiple calls to landlock_add_rule(2). In order to enforce a ruleset, either the caller must have the CAP_SYS_ADMIN capability in its user namespace, or the thread must al- ready have the no_new_privs bit set. As for seccomp(2), this avoids scenarios where unprivileged processes can affect the behavior of priv- ileged children (e.g., because of set-user-ID binaries). If that bit was not already set by an ancestor of this thread, the thread must make the following call: prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); ruleset_fd is a Landlock ruleset file descriptor obtained with land- lock_create_ruleset(2) and fully populated with a set of calls to land- lock_add_rule(2). flags must be 0. RETURN VALUE On success, landlock_restrict_self() returns 0. ERRORS landlock_restrict_self() can fail for the following reasons: EOPNOTSUPP Landlock is supported by the kernel but disabled at boot time. EINVAL flags is not 0. EBADF ruleset_fd is not a file descriptor for the current thread. EBADFD ruleset_fd is not a ruleset file descriptor. EPERM ruleset_fd has no read access to the underlying ruleset, or the calling thread is not running with no_new_privs, or it doesn't have the CAP_SYS_ADMIN in its user namespace. E2BIG The maximum number of composed rulesets is reached for the call- ing thread. This limit is currently 64. VERSIONS Landlock was added in Linux 5.13. STANDARDS This system call is Linux-specific. EXAMPLES See landlock(7). SEE ALSO landlock_create_ruleset(2), landlock_add_rule(2), landlock(7) Linux man-pages 6.03 2022-10-30 landlock_restrict_self(2)
Generated by dwww version 1.15 on Tue Jun 18 10:34:21 CEST 2024.