landlock_restrict_self(2) — Linux manual page

landlock_restrict_self(2)  System Calls Manual landlock_restrict_self(2)

NAME         top

       landlock_restrict_self - enforce a Landlock ruleset

LIBRARY         top

       Standard C library (libc, -lc)

SYNOPSIS         top

       #include <linux/landlock.h>  /* Definition of LANDLOCK_* constants */
       #include <sys/syscall.h>     /* Definition of SYS_* constants */

       int syscall(SYS_landlock_restrict_self, int ruleset_fd,
                   uint32_t flags);

DESCRIPTION         top

       Once a Landlock ruleset is populated with the desired rules, the
       landlock_restrict_self() system call enables enforcing this
       ruleset on the calling thread.  See landlock(7) for a global
       overview.

       A thread can be restricted with multiple rulesets that are then
       composed together to form the thread's Landlock domain.  This can
       be seen as a stack of rulesets but it is implemented in a more
       efficient way.  A domain can only be updated in such a way that
       the constraints of each past and future composed rulesets will
       restrict the thread and its future children for their entire
       life.  It is then possible to gradually enforce tailored access
       control policies with multiple independent rulesets coming from
       different sources (e.g., init system configuration, user session
       policy, built-in application policy).  However, most applications
       should only need one call to landlock_restrict_self() and they
       should avoid arbitrary numbers of such calls because of the
       composed rulesets limit.  Instead, developers are encouraged to
       build a tailored ruleset thanks to multiple calls to
       landlock_add_rule(2).

       In order to enforce a ruleset, either the caller must have the
       CAP_SYS_ADMIN capability in its user namespace, or the thread
       must already have the no_new_privs bit set.  As for seccomp(2),
       this avoids scenarios where unprivileged processes can affect the
       behavior of privileged children (e.g., because of set-user-ID
       binaries).  If that bit was not already set by an ancestor of
       this thread, the thread must make the following call:

              prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);

       ruleset_fd is a Landlock ruleset file descriptor obtained with
       landlock_create_ruleset(2) and fully populated with a set of
       calls to landlock_add_rule(2).

       flags must be 0.

RETURN VALUE         top

       On success, landlock_restrict_self() returns 0.

ERRORS         top

       landlock_restrict_self() can fail for the following reasons:

       EOPNOTSUPP
              Landlock is supported by the kernel but disabled at boot
              time.

       EINVAL flags is not 0.

       EBADF  ruleset_fd is not a file descriptor for the current
              thread.

       EBADFD ruleset_fd is not a ruleset file descriptor.

       EPERM  ruleset_fd has no read access to the underlying ruleset,
              or the calling thread is not running with no_new_privs, or
              it doesn't have the CAP_SYS_ADMIN in its user namespace.

       E2BIG  The maximum number of composed rulesets is reached for the
              calling thread.  This limit is currently 64.

STANDARDS         top

       Linux.

HISTORY         top

       Linux 5.13.

EXAMPLES         top

       See landlock(7).

SEE ALSO         top

       landlock_create_ruleset(2), landlock_add_rule(2), landlock(7)

Linux man-pages (unreleased)     (date)        landlock_restrict_self(2)

Pages that refer to this page: landlock_add_rule(2),  landlock_create_ruleset(2),  syscalls(2),  landlock(7)

HTML rendering created 2023-12-22 by Michael Kerrisk, author of The Linux Programming Interface. For details of in-depth Linux/UNIX system programming training courses that I teach, look here. Hosting by jambit GmbH.