landlock_restrict_self - enforce a Landlock ruleset
Standard C library (
libc,
-lc)
#include <linux/landlock.h> /* Definition of LANDLOCK_* constants */
#include <sys/syscall.h> /* Definition of SYS_* constants */
int syscall(SYS_landlock_restrict_self, int ruleset_fd,
uint32_t flags);
Once a Landlock ruleset is populated with the desired rules, the
landlock_restrict_self() system call enables enforcing this ruleset on
the calling thread. See
landlock(7) for a global overview.
A thread can be restricted with multiple rulesets that are then composed
together to form the thread's Landlock domain. This can be seen as a stack of
rulesets but it is implemented in a more efficient way. A domain can only be
updated in such a way that the constraints of each past and future composed
rulesets will restrict the thread and its future children for their entire
life. It is then possible to gradually enforce tailored access control
policies with multiple independent rulesets coming from different sources
(e.g., init system configuration, user session policy, built-in application
policy). However, most applications should only need one call to
landlock_restrict_self() and they should avoid arbitrary numbers of
such calls because of the composed rulesets limit. Instead, developers are
encouraged to build a tailored ruleset thanks to multiple calls to
landlock_add_rule(2).
In order to enforce a ruleset, either the caller must have the
CAP_SYS_ADMIN capability in its user namespace, or the thread must
already have the
no_new_privs bit set. As for
seccomp(2), this
avoids scenarios where unprivileged processes can affect the behavior of
privileged children (e.g., because of set-user-ID binaries). If that bit was
not already set by an ancestor of this thread, the thread must make the
following call:
-
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
ruleset_fd is a Landlock ruleset file descriptor obtained with
landlock_create_ruleset(2) and fully populated with a set of calls to
landlock_add_rule(2).
flags must be 0.
On success,
landlock_restrict_self() returns 0.
landlock_restrict_self() can fail for the following reasons:
- EOPNOTSUPP
- Landlock is supported by the kernel but disabled at boot
time.
- EINVAL
-
flags is not 0.
- EBADF
-
ruleset_fd is not a file descriptor for the current
thread.
- EBADFD
-
ruleset_fd is not a ruleset file descriptor.
- EPERM
-
ruleset_fd has no read access to the underlying
ruleset, or the calling thread is not running with no_new_privs, or
it doesn't have the CAP_SYS_ADMIN in its user namespace.
- E2BIG
- The maximum number of composed rulesets is reached for the
calling thread. This limit is currently 64.
Landlock was added in Linux 5.13.
This system call is Linux-specific.
See
landlock(7).
landlock_create_ruleset(2),
landlock_add_rule(2),
landlock(7)