landlock_restrict_self - Online Linux Manual PageSection : 2
Updated : 2022-10-30
Source : Linux man-pages 6.03

NAMElandlock_restrict_self − enforce a Landlock ruleset

LIBRARYStandard C library (libc, −lc)

SYNOPSIS#include <linux/landlock.h> /* Definition of LANDLOCK_* constants */ #include <sys/syscall.h> /* Definition of SYS_* constants */int syscall(SYS_landlock_restrict_self, int ruleset_fd, uint32_t flags);

DESCRIPTION Once a Landlock ruleset is populated with the desired rules, the landlock_restrict_self() system call enables enforcing this ruleset on the calling thread. See landlock(7) for a global overview. A thread can be restricted with multiple rulesets that are then composed together to form the thread's Landlock domain. This can be seen as a stack of rulesets but it is implemented in a more efficient way. A domain can only be updated in such a way that the constraints of each past and future composed rulesets will restrict the thread and its future children for their entire life. It is then possible to gradually enforce tailored access control policies with multiple independent rulesets coming from different sources (e.g., init system configuration, user session policy, built-in application policy). However, most applications should only need one call to landlock_restrict_self() and they should avoid arbitrary numbers of such calls because of the composed rulesets limit. Instead, developers are encouraged to build a tailored ruleset thanks to multiple calls to landlock_add_rule(2). In order to enforce a ruleset, either the caller must have the CAP_SYS_ADMIN capability in its user namespace, or the thread must already have the no_new_privs bit set. As for seccomp(2), this avoids scenarios where unprivileged processes can affect the behavior of privileged children (e.g., because of set-user-ID binaries). If that bit was not already set by an ancestor of this thread, the thread must make the following call: prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);ruleset_fd is a Landlock ruleset file descriptor obtained with landlock_create_ruleset(2) and fully populated with a set of calls to landlock_add_rule(2). flags must be 0.

RETURN VALUEOn success, landlock_restrict_self() returns 0.

ERRORSlandlock_restrict_self() can fail for the following reasons: EOPNOTSUPP  Landlock is supported by the kernel but disabled at boot time. EINVAL  flags is not 0. EBADF  ruleset_fd is not a file descriptor for the current thread. EBADFD  ruleset_fd is not a ruleset file descriptor. EPERM  ruleset_fd has no read access to the underlying ruleset, or the calling thread is not running with no_new_privs, or it doesn't have the CAP_SYS_ADMIN in its user namespace. E2BIG  The maximum number of composed rulesets is reached for the calling thread. This limit is currently 64.

VERSIONSLandlock was added in Linux 5.13.

STANDARDSThis system call is Linux-specific.

EXAMPLESSee landlock(7).

SEE ALSOlandlock_create_ruleset(2), landlock_add_rule(2), landlock(7)
0
Johanes Gumabo
Data Size   :   10,310 byte
man-landlock_restrict_self.2Build   :   2024-12-05, 20:55   :  
Visitor Screen   :   x
Visitor Counter ( page / site )   :   2 / 197,911
Visitor ID   :     :  
Visitor IP   :   3.144.91.130   :  
Visitor Provider   :   AMAZON-02   :  
Provider Position ( lat x lon )   :   39.962500 x -83.006100   :   x
Provider Accuracy Radius ( km )   :   1000   :  
Provider City   :   Columbus   :  
Provider Province   :   Ohio ,   :   ,
Provider Country   :   United States   :  
Provider Continent   :   North America   :  
Visitor Recorder   :   Version   :  
Visitor Recorder   :   Library   :  
Online Linux Manual Page   :   Version   :   Online Linux Manual Page - Fedora.40 - march=x86-64 - mtune=generic - 24.12.05
Online Linux Manual Page   :   Library   :   lib_c - 24.10.03 - march=x86-64 - mtune=generic - Fedora.40
Online Linux Manual Page   :   Library   :   lib_m - 24.10.03 - march=x86-64 - mtune=generic - Fedora.40
Data Base   :   Version   :   Online Linux Manual Page Database - 24.04.13 - march=x86-64 - mtune=generic - fedora-38
Data Base   :   Library   :   lib_c - 23.02.07 - march=x86-64 - mtune=generic - fedora.36

Very long time ago, I have the best tutor, Wenzel Svojanovsky . If someone knows the email address of Wenzel Svojanovsky , please send an email to johanes_gumabo@yahoo.co.id .
If error, please print screen and send to johanes_gumabo@yahoo.co.id
Under development. Support me via PayPal.