Provided by: manpages-dev_6.03-1_all bug


       landlock_add_rule - add a new Landlock rule to a ruleset


       Standard C library (libc, -lc)


       #include <linux/landlock.h>  /* Definition of LANDLOCK_* constants */
       #include <sys/syscall.h>     /* Definition of SYS_* constants */

       int syscall(SYS_landlock_add_rule, int ruleset_fd,
                   enum landlock_rule_type rule_type,
                   const void *rule_attr, uint32_t flags);


       A  Landlock  rule  describes  an  action  on  an  object.   An  object is currently a file
       hierarchy, and the related filesystem actions are defined with a  set  of  access  rights.
       This  landlock_add_rule()  system  call  enables adding a new Landlock rule to an existing
       ruleset created with landlock_create_ruleset(2).  See landlock(7) for a global overview.

       ruleset_fd is a Landlock ruleset file descriptor obtained with landlock_create_ruleset(2).

       rule_type identifies the  structure  type  pointed  to  by  rule_attr.   Currently,  Linux
       supports the following rule_type value:

              This  defines  the object type as a file hierarchy.  In this case, rule_attr points
              to the following structure:

                  struct landlock_path_beneath_attr {
                      __u64 allowed_access;
                      __s32 parent_fd;
                  } __attribute__((packed));

              allowed_access contains a bitmask of  allowed  filesystem  actions  for  this  file
              hierarchy (see Filesystem actions in landlock(7)).

              parent_fd  is  an  opened  file  descriptor, preferably with the O_PATH flag, which
              identifies the parent directory of the file hierarchy or just a file.

       flags must be 0.


       On success, landlock_add_rule() returns 0.


       landlock_add_rule() can failed for the following reasons:

              Landlock is supported by the kernel but disabled at boot time.

       EINVAL flags   is   not   0,   or   the   rule   accesses    are    inconsistent    (i.e.,
              rule_attr->allowed_access is not a subset of the ruleset handled accesses).

       ENOMSG Empty accesses (i.e., rule_attr->allowed_access is 0).

       EBADF  ruleset_fd  is  not  a  file  descriptor  for  the  current  thread, or a member of
              rule_attr is not a file descriptor as expected.

       EBADFD ruleset_fd is not a ruleset file descriptor, or a member of rule_attr  is  not  the
              expected file descriptor type.

       EPERM  ruleset_fd has no write access to the underlying ruleset.

       EFAULT rule_attr was not a valid address.


       Landlock was added in Linux 5.13.


       This system call is Linux-specific.


       See landlock(7).


       landlock_create_ruleset(2), landlock_restrict_self(2), landlock(7)