man7.org > Linux > man-pages

Linux/UNIX system programming training

landlock_add_rule(2) — Linux manual page

NAME | LIBRARY | SYNOPSIS | DESCRIPTION | RETURN VALUE | ERRORS | STANDARDS | HISTORY | EXAMPLES | SEE ALSO 

landlock_add_rule(2)       System Calls Manual      landlock_add_rule(2)

NAME         top

       landlock_add_rule - add a new Landlock rule to a ruleset

LIBRARY         top

       Standard C library (libc, -lc)

SYNOPSIS         top

       #include <linux/landlock.h>  /* Definition of LANDLOCK_* constants */
       #include <sys/syscall.h>     /* Definition of SYS_* constants */

       int syscall(SYS_landlock_add_rule, int ruleset_fd,
                   enum landlock_rule_type rule_type,
                   const void *rule_attr, uint32_t flags);

DESCRIPTION         top

       A Landlock rule describes an action on an object.  An object is
       currently a file hierarchy, and the related filesystem actions
       are defined with a set of access rights.  This
       landlock_add_rule() system call enables adding a new Landlock
       rule to an existing ruleset created with
       landlock_create_ruleset(2).  See landlock(7) for a global
       overview.

       ruleset_fd is a Landlock ruleset file descriptor obtained with
       landlock_create_ruleset(2).

       rule_type identifies the structure type pointed to by rule_attr.
       Currently, Linux supports the following rule_type value:

       LANDLOCK_RULE_PATH_BENEATH
              This defines the object type as a file hierarchy.  In this
              case, rule_attr points to the following structure:

                  struct landlock_path_beneath_attr {
                      __u64 allowed_access;
                      __s32 parent_fd;
                  } __attribute__((packed));

              allowed_access contains a bitmask of allowed filesystem
              actions for this file hierarchy (see Filesystem actions in
              landlock(7)).

              parent_fd is an opened file descriptor, preferably with
              the O_PATH flag, which identifies the parent directory of
              the file hierarchy or just a file.

       flags must be 0.

RETURN VALUE         top

       On success, landlock_add_rule() returns 0.

ERRORS         top

       landlock_add_rule() can fail for the following reasons:

       EOPNOTSUPP
              Landlock is supported by the kernel but disabled at boot
              time.

       EINVAL flags is not 0, or the rule accesses are inconsistent
              (i.e., rule_attr->allowed_access is not a subset of the
              ruleset handled accesses).

       ENOMSG Empty accesses (i.e., rule_attr->allowed_access is 0).

       EBADF  ruleset_fd is not a file descriptor for the current
              thread, or a member of rule_attr is not a file descriptor
              as expected.

       EBADFD ruleset_fd is not a ruleset file descriptor, or a member
              of rule_attr is not the expected file descriptor type.

       EPERM  ruleset_fd has no write access to the underlying ruleset.

       EFAULT rule_attr was not a valid address.

STANDARDS         top

       Linux.

HISTORY         top

       Linux 5.13.

EXAMPLES         top

       See landlock(7).

SEE ALSO         top

       landlock_create_ruleset(2), landlock_restrict_self(2),
       landlock(7)

Linux man-pages (unreleased)     (date)             landlock_add_rule(2)

Pages that refer to this page: landlock_create_ruleset(2)landlock_restrict_self(2)syscalls(2)landlock(7)

HTML rendering created 2023-12-22 by Michael Kerrisk, author of The Linux Programming Interface.

For details of in-depth Linux/UNIX system programming training courses that I teach, look here.

Hosting by jambit GmbH.

Cover of TLPI