1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
|
.\" Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
.\" Copyright © 2019-2020 ANSSI
.\" Copyright © 2021 Microsoft Corporation
.\"
.\" SPDX-License-Identifier: Linux-man-pages-copyleft
.\"
.TH landlock_restrict_self 2 (date) "Linux man-pages (unreleased)"
.SH NAME
landlock_restrict_self \- enforce a Landlock ruleset
.SH LIBRARY
Standard C library
.RI ( libc ", " \-lc )
.SH SYNOPSIS
.nf
.BR "#include <linux/landlock.h>" " /* Definition of " LANDLOCK_* " constants */"
.BR "#include <sys/syscall.h>" " /* Definition of " SYS_* " constants */"
.P
.BI "int syscall(SYS_landlock_restrict_self, int " ruleset_fd ,
.BI " uint32_t " flags );
.SH DESCRIPTION
Once a Landlock ruleset is populated with the desired rules, the
.BR landlock_restrict_self ()
system call enables enforcing this ruleset on the calling thread.
See
.BR landlock (7)
for a global overview.
.P
A thread can be restricted with multiple rulesets that are then
composed together to form the thread's Landlock domain.
This can be seen as a stack of rulesets but
it is implemented in a more efficient way.
A domain can only be updated in such a way that
the constraints of each past and future composed rulesets
will restrict the thread and its future children for their entire life.
It is then possible to gradually enforce tailored access control policies
with multiple independent rulesets coming from different sources
(e.g., init system configuration, user session policy,
built-in application policy).
However, most applications should only need one call to
.BR landlock_restrict_self ()
and they should avoid arbitrary numbers of such calls because of the
composed rulesets limit.
Instead, developers are encouraged to build a tailored ruleset thanks to
multiple calls to
.BR landlock_add_rule (2).
.P
In order to enforce a ruleset, either the caller must have the
.B CAP_SYS_ADMIN
capability in its user namespace, or the thread must already have the
.I no_new_privs
bit set.
As for
.BR seccomp (2),
this avoids scenarios where unprivileged processes can affect
the behavior of privileged children (e.g., because of set-user-ID binaries).
If that bit was not already set by an ancestor of this thread,
the thread must make the following call:
.IP
.EX
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
.EE
.P
.I ruleset_fd
is a Landlock ruleset file descriptor obtained with
.BR landlock_create_ruleset (2)
and fully populated with a set of calls to
.BR landlock_add_rule (2).
.P
.I flags
must be 0.
.SH RETURN VALUE
On success,
.BR landlock_restrict_self ()
returns 0.
.SH ERRORS
.BR landlock_restrict_self ()
can fail for the following reasons:
.TP
.B EOPNOTSUPP
Landlock is supported by the kernel but disabled at boot time.
.TP
.B EINVAL
.I flags
is not 0.
.TP
.B EBADF
.I ruleset_fd
is not a file descriptor for the current thread.
.TP
.B EBADFD
.I ruleset_fd
is not a ruleset file descriptor.
.TP
.B EPERM
.I ruleset_fd
has no read access to the underlying ruleset,
or the calling thread is not running with
.IR no_new_privs ,
or it doesn't have the
.B CAP_SYS_ADMIN
in its user namespace.
.TP
.B E2BIG
The maximum number of composed rulesets is reached for the calling thread.
This limit is currently 64.
.SH STANDARDS
Linux.
.SH HISTORY
Linux 5.13.
.SH EXAMPLES
See
.BR landlock (7).
.SH SEE ALSO
.BR landlock_create_ruleset (2),
.BR landlock_add_rule (2),
.BR landlock (7)
|
