Provided by: manpages-dev_6.8-2_all bug

NAME

       landlock_restrict_self - enforce a Landlock ruleset

LIBRARY

       Standard C library (libc, -lc)

SYNOPSIS

       #include <linux/landlock.h>  /* Definition of LANDLOCK_* constants */
       #include <sys/syscall.h>     /* Definition of SYS_* constants */

       int syscall(SYS_landlock_restrict_self, int ruleset_fd,
                   uint32_t flags);

DESCRIPTION

       Once  a Landlock ruleset is populated with the desired rules, the landlock_restrict_self()
       system call enables enforcing this ruleset on the calling thread.  See landlock(7)  for  a
       global overview.

       A  thread can be restricted with multiple rulesets that are then composed together to form
       the thread's Landlock domain.  This can  be  seen  as  a  stack  of  rulesets  but  it  is
       implemented  in a more efficient way.  A domain can only be updated in such a way that the
       constraints of each past and future composed rulesets will restrict  the  thread  and  its
       future  children for their entire life.  It is then possible to gradually enforce tailored
       access control policies with multiple independent rulesets coming from  different  sources
       (e.g.,  init  system  configuration,  user  session  policy, built-in application policy).
       However, most applications should only need one call to landlock_restrict_self() and  they
       should  avoid  arbitrary  numbers  of  such  calls because of the composed rulesets limit.
       Instead, developers are encouraged to build a tailored ruleset thanks to multiple calls to
       landlock_add_rule(2).

       In order to enforce a ruleset, either the caller must have the CAP_SYS_ADMIN capability in
       its user namespace, or the thread must already have the  no_new_privs  bit  set.   As  for
       seccomp(2),  this avoids scenarios where unprivileged processes can affect the behavior of
       privileged children (e.g., because of set-user-ID binaries).  If that bit was not  already
       set by an ancestor of this thread, the thread must make the following call:

              prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);

       ruleset_fd  is a Landlock ruleset file descriptor obtained with landlock_create_ruleset(2)
       and fully populated with a set of calls to landlock_add_rule(2).

       flags must be 0.

RETURN VALUE

       On success, landlock_restrict_self() returns 0.

ERRORS

       landlock_restrict_self() can fail for the following reasons:

       EOPNOTSUPP
              Landlock is supported by the kernel but disabled at boot time.

       EINVAL flags is not 0.

       EBADF  ruleset_fd is not a file descriptor for the current thread.

       EBADFD ruleset_fd is not a ruleset file descriptor.

       EPERM  ruleset_fd has no read access to the underlying ruleset, or the calling  thread  is
              not  running  with  no_new_privs,  or it doesn't have the CAP_SYS_ADMIN in its user
              namespace.

       E2BIG  The maximum number of composed rulesets is reached for the  calling  thread.   This
              limit is currently 64.

STANDARDS

       Linux.

HISTORY

       Linux 5.13.

EXAMPLES

       See landlock(7).

SEE ALSO

       landlock_create_ruleset(2), landlock_add_rule(2), landlock(7)