landlock_create_ruleset - create a new Landlock ruleset
Standard C library (
libc,
-lc)
#include <linux/landlock.h> /* Definition of LANDLOCK_* constants */
#include <sys/syscall.h> /* Definition of SYS_* constants */
int syscall(SYS_landlock_create_ruleset,
const struct landlock_ruleset_attr *attr,
size_t size , uint32_t flags);
A Landlock ruleset identifies a set of rules (i.e., actions on objects). This
landlock_create_ruleset() system call enables creating a new file
descriptor identifying a ruleset. This file descriptor can then be used by
landlock_add_rule(2) and
landlock_restrict_self(2). See
landlock(7) for a global overview.
attr specifies the properties of the new ruleset. It points to the
following structure:
-
struct landlock_ruleset_attr {
__u64 handled_access_fs;
};
-
handled_access_fs is a bitmask of actions that is
handled by this ruleset and should then be forbidden if no rule explicitly
allows them (see Filesystem actions in landlock(7)). This
enables simply restricting ambient rights (e.g., global filesystem access)
and is needed for compatibility reasons.
size must be specified as
sizeof(struct landlock_ruleset_attr) for
compatibility reasons.
flags must be 0 if
attr is used. Otherwise,
flags can be
set to:
- LANDLOCK_CREATE_RULESET_VERSION
- If attr is NULL and size is 0, then the
returned value is the highest supported Landlock ABI version (starting at
1). This version can be used for a best-effort security approach, which is
encouraged when user space is not pinned to a specific kernel version. All
features documented in these man pages are available with the version
1.
On success,
landlock_create_ruleset() returns a new Landlock ruleset file
descriptor, or a Landlock ABI version, according to
flags.
landlock_create_ruleset() can fail for the following reasons:
- EOPNOTSUPP
- Landlock is supported by the kernel but disabled at boot
time.
- EINVAL
- Unknown flags, or unknown access, or too small
size.
- E2BIG
-
size is too big.
- EFAULT
-
attr was not a valid address.
- ENOMSG
- Empty accesses (i.e., attr->handled_access_fs is
0).
Landlock was added in Linux 5.13.
This system call is Linux-specific.
See
landlock(7).
landlock_add_rule(2),
landlock_restrict_self(2),
landlock(7)