man7.org > Linux > man-pages

Linux/UNIX system programming training

landlock_create_ruleset(2) — Linux manual page

NAME | LIBRARY | SYNOPSIS | DESCRIPTION | RETURN VALUE | ERRORS | STANDARDS | HISTORY | EXAMPLES | SEE ALSO 

landlock_create_ruleset(2) System Calls Manuallandlock_create_ruleset(2)

NAME         top

       landlock_create_ruleset - create a new Landlock ruleset

LIBRARY         top

       Standard C library (libc, -lc)

SYNOPSIS         top

       #include <linux/landlock.h>  /* Definition of LANDLOCK_* constants */
       #include <sys/syscall.h>     /* Definition of SYS_* constants */

       int syscall(SYS_landlock_create_ruleset,
                   const struct landlock_ruleset_attr *attr,
                   size_t size , uint32_t flags);

DESCRIPTION         top

       A Landlock ruleset identifies a set of rules (i.e., actions on
       objects).  This landlock_create_ruleset() system call enables
       creating a new file descriptor identifying a ruleset.  This file
       descriptor can then be used by landlock_add_rule(2) and
       landlock_restrict_self(2).  See landlock(7) for a global
       overview.

       attr specifies the properties of the new ruleset.  It points to
       the following structure:

                  struct landlock_ruleset_attr {
                      __u64 handled_access_fs;
                  };

              handled_access_fs is a bitmask of actions that is handled
              by this ruleset and should then be forbidden if no rule
              explicitly allows them (see Filesystem actions in
              landlock(7)).  This enables simply restricting ambient
              rights (e.g., global filesystem access) and is needed for
              compatibility reasons.

       size must be specified as sizeof(struct landlock_ruleset_attr)
       for compatibility reasons.

       flags must be 0 if attr is used.  Otherwise, flags can be set to:

       LANDLOCK_CREATE_RULESET_VERSION
              If attr is NULL and size is 0, then the returned value is
              the highest supported Landlock ABI version (starting at
              1).  This version can be used for a best-effort security
              approach, which is encouraged when user space is not
              pinned to a specific kernel version.  All features
              documented in these man pages are available with the
              version 1.

RETURN VALUE         top

       On success, landlock_create_ruleset() returns a new Landlock
       ruleset file descriptor, or a Landlock ABI version, according to
       flags.

ERRORS         top

       landlock_create_ruleset() can fail for the following reasons:

       EOPNOTSUPP
              Landlock is supported by the kernel but disabled at boot
              time.

       EINVAL Unknown flags, or unknown access, or too small size.

       E2BIG  size is too big.

       EFAULT attr was not a valid address.

       ENOMSG Empty accesses (i.e., attr->handled_access_fs is 0).

STANDARDS         top

       Linux.

HISTORY         top

       Linux 5.13.

EXAMPLES         top

       See landlock(7).

SEE ALSO         top

       landlock_add_rule(2), landlock_restrict_self(2), landlock(7)

Linux man-pages (unreleased)     (date)       landlock_create_ruleset(2)

Pages that refer to this page: landlock_add_rule(2)landlock_restrict_self(2)syscalls(2)landlock(7)

HTML rendering created 2023-12-22 by Michael Kerrisk, author of The Linux Programming Interface.

For details of in-depth Linux/UNIX system programming training courses that I teach, look here.

Hosting by jambit GmbH.

Cover of TLPI