Diffstat (limited to '')
-rw-r--r-- | templates/man7/landlock.7.pot | 1333 |
1 files changed, 1333 insertions, 0 deletions
diff --git a/templates/man7/landlock.7.pot b/templates/man7/landlock.7.pot
new file mode 100644
index 00000000..d826272a
--- /dev/null
+++ b/templates/man7/landlock.7.pot
@@ -0,0 +1,1333 @@ +# SOME DESCRIPTIVE TITLE +# Copyright (C) YEAR Free Software Foundation, Inc. +# This file is distributed under the same license as the PACKAGE package. +# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR. +# +#, fuzzy +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2024-03-01 17:00+0100\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" +"Language-Team: LANGUAGE <LL@li.org>\n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. type: TH +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "Landlock" +msgstr "" + +#. type: TH +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "2023-10-31" +msgstr "" + +#. type: TH +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "Linux man-pages 6.06" +msgstr "" + +#. type: SH +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "NAME" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "Landlock - unprivileged access-control" +msgstr "" + +#. type: SH +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "DESCRIPTION" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Landlock is an access-control system that enables any processes to securely " +"restrict themselves and their future children. 
Because Landlock is a " +"stackable Linux Security Module (LSM), it makes it possible to create safe " +"security sandboxes as new security layers in addition to the existing system-" +"wide access-controls. This kind of sandbox is expected to help mitigate the " +"security impact of bugs, and unexpected or malicious behaviors in " +"applications." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"A Landlock security policy is a set of access rights (e.g., open a file in " +"read-only, make a directory, etc.) tied to a file hierarchy. Such policy " +"can be configured and enforced by processes for themselves using three " +"system calls:" +msgstr "" + +#. type: IP +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "\\[bu]" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "B<landlock_create_ruleset>(2) creates a new ruleset;" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "B<landlock_add_rule>(2) adds a new rule to a ruleset;" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "B<landlock_restrict_self>(2) enforces a ruleset on the calling thread." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"To be able to use these system calls, the running kernel must support " +"Landlock and it must be enabled at boot time." +msgstr "" + +#. 
type: SS +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "Landlock rules" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"A Landlock rule describes an action on an object. An object is currently a " +"file hierarchy, and the related filesystem actions are defined with access " +"rights (see B<landlock_add_rule>(2)). A set of rules is aggregated in a " +"ruleset, which can then restrict the thread enforcing it, and its future " +"children." +msgstr "" + +#. type: SS +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "Filesystem actions" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"These flags enable to restrict a sandboxed process to a set of actions on " +"files and directories. Files or directories opened before the sandboxing " +"are not subject to these restrictions. See B<landlock_add_rule>(2) and " +"B<landlock_create_ruleset>(2) for more context." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "A file can only receive these access rights:" +msgstr "" + +#. type: TP +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "B<LANDLOCK_ACCESS_FS_EXECUTE>" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "Execute a file." +msgstr "" + +#. 
type: TP +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "B<LANDLOCK_ACCESS_FS_WRITE_FILE>" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "Open a file with write access." +msgstr "" + +#. type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"When opening files for writing, you will often additionally need the " +"B<LANDLOCK_ACCESS_FS_TRUNCATE> right. In many cases, these system calls " +"truncate existing files when overwriting them (e.g., B<creat>(2))." +msgstr "" + +#. type: TP +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "B<LANDLOCK_ACCESS_FS_READ_FILE>" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "Open a file with read access." +msgstr "" + +#. type: TP +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "B<LANDLOCK_ACCESS_FS_TRUNCATE>" +msgstr "" + +#. type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Truncate a file with B<truncate>(2), B<ftruncate>(2), B<creat>(2), or " +"B<open>(2) with B<O_TRUNC>. Whether an opened file can be truncated with " +"B<ftruncate>(2) is determined during B<open>(2), in the same way as read " +"and write permissions are checked during B<open>(2) using " +"B<LANDLOCK_ACCESS_FS_READ_FILE> and B<LANDLOCK_ACCESS_FS_WRITE_FILE>. This " +"access right is available since the third version of the Landlock ABI." +msgstr "" + +#. 
type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"A directory can receive access rights related to files or directories. The " +"following access right is applied to the directory itself, and the " +"directories beneath it:" +msgstr "" + +#. type: TP +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "B<LANDLOCK_ACCESS_FS_READ_DIR>" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "Open a directory or list its content." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"However, the following access rights only apply to the content of a " +"directory, not the directory itself:" +msgstr "" + +#. type: TP +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "B<LANDLOCK_ACCESS_FS_REMOVE_DIR>" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "Remove an empty directory or rename one." +msgstr "" + +#. type: TP +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "B<LANDLOCK_ACCESS_FS_REMOVE_FILE>" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "Unlink (or rename) a file." +msgstr "" + +#. 
type: TP +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "B<LANDLOCK_ACCESS_FS_MAKE_CHAR>" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "Create (or rename or link) a character device." +msgstr "" + +#. type: TP +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "B<LANDLOCK_ACCESS_FS_MAKE_DIR>" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "Create (or rename) a directory." +msgstr "" + +#. type: TP +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "B<LANDLOCK_ACCESS_FS_MAKE_REG>" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "Create (or rename or link) a regular file." +msgstr "" + +#. type: TP +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "B<LANDLOCK_ACCESS_FS_MAKE_SOCK>" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "Create (or rename or link) a UNIX domain socket." +msgstr "" + +#. type: TP +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "B<LANDLOCK_ACCESS_FS_MAKE_FIFO>" +msgstr "" + +#. 
type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "Create (or rename or link) a named pipe." +msgstr "" + +#. type: TP +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "B<LANDLOCK_ACCESS_FS_MAKE_BLOCK>" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "Create (or rename or link) a block device." +msgstr "" + +#. type: TP +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "B<LANDLOCK_ACCESS_FS_MAKE_SYM>" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "Create (or rename or link) a symbolic link." +msgstr "" + +#. type: TP +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "B<LANDLOCK_ACCESS_FS_REFER>" +msgstr "" + +#. type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Link or rename a file from or to a different directory (i.e., reparent a " +"file hierarchy)." +msgstr "" + +#. type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"This access right is available since the second version of the Landlock ABI." +msgstr "" + +#. 
type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"This is the only access right which is denied by default by any ruleset, " +"even if the right is not specified as handled at ruleset creation time. The " +"only way to make a ruleset grant this right is to explicitly allow it for a " +"specific directory by adding a matching rule to the ruleset." +msgstr "" + +#. type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"In particular, when using the first Landlock ABI version, Landlock will " +"always deny attempts to reparent files between different directories." +msgstr "" + +#. type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"In addition to the source and destination directories having the " +"B<LANDLOCK_ACCESS_FS_REFER> access right, the attempted link or rename " +"operation must meet the following constraints:" +msgstr "" + +#. type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The reparented file may not gain more access rights in the destination " +"directory than it previously had in the source directory. If this is " +"attempted, the operation results in an B<EXDEV> error." +msgstr "" + +#. type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"When linking or renaming, the B<LANDLOCK_ACCESS_FS_MAKE_>I<*> right for the " +"respective file type must be granted for the destination directory. " +"Otherwise, the operation results in an B<EACCES> error." +msgstr "" + +#. 
type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"When renaming, the B<LANDLOCK_ACCESS_FS_REMOVE_>I<*> right for the " +"respective file type must be granted for the source directory. Otherwise, " +"the operation results in an B<EACCES> error." +msgstr "" + +#. type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"If multiple requirements are not met, the B<EACCES> error code takes " +"precedence over B<EXDEV>." +msgstr "" + +#. type: SS +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "Layers of file path access rights" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Each time a thread enforces a ruleset on itself, it updates its Landlock " +"domain with a new layer of policy. Indeed, this complementary policy is " +"composed with the potentially other rulesets already restricting this " +"thread. A sandboxed thread can then safely add more constraints to itself " +"with a new enforced ruleset." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"One policy layer grants access to a file path if at least one of its rules " +"encountered on the path grants the access. A sandboxed thread can only " +"access a file path if all its enforced policy layers grant the access as " +"well as all the other system access controls (e.g., filesystem DAC, other " +"LSM policies, etc.)." +msgstr "" + +#. 
type: SS +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "Bind mounts and OverlayFS" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Landlock enables restricting access to file hierarchies, which means that " +"these access rights can be propagated with bind mounts (cf. " +"B<mount_namespaces>(7)) but not with OverlayFS." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"A bind mount mirrors a source file hierarchy to a destination. The " +"destination hierarchy is then composed of the exact same files, on which " +"Landlock rules can be tied, either via the source or the destination path. " +"These rules restrict access when they are encountered on a path, which means " +"that they can restrict access to multiple file hierarchies at the same time, " +"whether these hierarchies are the result of bind mounts or not." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"An OverlayFS mount point consists of upper and lower layers. These layers " +"are combined in a merge directory, result of the mount point. This merge " +"hierarchy may include files from the upper and lower layers, but " +"modifications performed on the merge hierarchy only reflect on the upper " +"layer. From a Landlock policy point of view, each of the OverlayFS layers " +"and merge hierarchies is standalone and contains its own set of files and " +"directories, which is different from a bind mount. A policy restricting an " +"OverlayFS layer will not restrict the resulted merged hierarchy, and vice " +"versa. 
Landlock users should then only think about file hierarchies they " +"want to allow access to, regardless of the underlying filesystem." +msgstr "" + +#. type: SS +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "Inheritance" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Every new thread resulting from a B<clone>(2) inherits Landlock domain " +"restrictions from its parent. This is similar to the B<seccomp>(2) " +"inheritance or any other LSM dealing with tasks' B<credentials>(7). For " +"instance, one process's thread may apply Landlock rules to itself, but they " +"will not be automatically applied to other sibling threads (unlike POSIX " +"thread credential changes, cf. B<nptl>(7))." +msgstr "" + +#. type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-tumbleweed +msgid "" +"When a thread sandboxes itself, we have the guarantee that the related " +"security policy will stay enforced on all this thread's descendants. This " +"allows creating standalone and modular security policies per application, " +"which will automatically be composed between themselves according to their " +"run-time parent policies." +msgstr "" + +#. type: SS +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "Ptrace restrictions" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"A sandboxed process has less privileges than a non-sandboxed process and " +"must then be subject to additional restrictions when manipulating another " +"process. 
To be allowed to use B<ptrace>(2) and related syscalls on a " +"target process, a sandboxed process should have a subset of the target " +"process rules, which means the tracee must be in a sub-domain of the tracer." +msgstr "" + +#. type: SS +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "Truncating files" +msgstr "" + +#. type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The operations covered by B<LANDLOCK_ACCESS_FS_WRITE_FILE> and " +"B<LANDLOCK_ACCESS_FS_TRUNCATE> both change the contents of a file and " +"sometimes overlap in non-intuitive ways. It is recommended to always " +"specify both of these together." +msgstr "" + +#. type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"A particularly surprising example is B<creat>(2). The name suggests that " +"this system call requires the rights to create and write files. However, it " +"also requires the truncate right if an existing file under the same name is " +"already present." +msgstr "" + +#. type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"It should also be noted that truncating files does not require the " +"B<LANDLOCK_ACCESS_FS_WRITE_FILE> right. Apart from the B<truncate>(2) " +"system call, this can also be done through B<open>(2) with the flags " +"I<O_RDONLY\\ |\\ O_TRUNC>." +msgstr "" + +#. 
type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"When opening a file, the availability of the B<LANDLOCK_ACCESS_FS_TRUNCATE> " +"right is associated with the newly created file descriptor and will be used " +"for subsequent truncation attempts using B<ftruncate>(2). The behavior is " +"similar to opening a file for reading or writing, where permissions are " +"checked during B<open>(2), but not during the subsequent B<read>(2) and " +"B<write>(2) calls." +msgstr "" + +#. type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"As a consequence, it is possible to have multiple open file descriptors for " +"the same file, where one grants the right to truncate the file and the other " +"does not. It is also possible to pass such file descriptors between " +"processes, keeping their Landlock properties, even when these processes do " +"not have an enforced Landlock ruleset." +msgstr "" + +#. type: SH +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "VERSIONS" +msgstr "" + +#. type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +msgid "Landlock was introduced in Linux 5.13." +msgstr "" + +#. type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"To determine which Landlock features are available, users should query the " +"Landlock ABI version:" +msgstr "" + +#. type: tbl table +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "ABI" +msgstr "" + +#. 
type: tbl table +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "Kernel" +msgstr "" + +#. type: tbl table +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "Newly introduced access rights" +msgstr "" + +#. type: tbl table +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "_" +msgstr "" + +#. type: tbl table +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "1" +msgstr "" + +#. type: tbl table +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "5.13" +msgstr "" + +#. type: tbl table +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "LANDLOCK_ACCESS_FS_EXECUTE" +msgstr "" + +#. type: tbl table +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "\\^" +msgstr "" + +#. type: tbl table +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "LANDLOCK_ACCESS_FS_WRITE_FILE" +msgstr "" + +#. type: tbl table +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "LANDLOCK_ACCESS_FS_READ_FILE" +msgstr "" + +#. type: tbl table +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "LANDLOCK_ACCESS_FS_READ_DIR" +msgstr "" + +#. 
type: tbl table +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "LANDLOCK_ACCESS_FS_REMOVE_DIR" +msgstr "" + +#. type: tbl table +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "LANDLOCK_ACCESS_FS_REMOVE_FILE" +msgstr "" + +#. type: tbl table +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "LANDLOCK_ACCESS_FS_MAKE_CHAR" +msgstr "" + +#. type: tbl table +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "LANDLOCK_ACCESS_FS_MAKE_DIR" +msgstr "" + +#. type: tbl table +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "LANDLOCK_ACCESS_FS_MAKE_REG" +msgstr "" + +#. type: tbl table +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "LANDLOCK_ACCESS_FS_MAKE_SOCK" +msgstr "" + +#. type: tbl table +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "LANDLOCK_ACCESS_FS_MAKE_FIFO" +msgstr "" + +#. type: tbl table +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "LANDLOCK_ACCESS_FS_MAKE_BLOCK" +msgstr "" + +#. type: tbl table +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "LANDLOCK_ACCESS_FS_MAKE_SYM" +msgstr "" + +#. type: tbl table +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "2" +msgstr "" + +#. 
type: tbl table +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "5.19" +msgstr "" + +#. type: tbl table +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "LANDLOCK_ACCESS_FS_REFER" +msgstr "" + +#. type: tbl table +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "3" +msgstr "" + +#. type: tbl table +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "6.2" +msgstr "" + +#. type: tbl table +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "LANDLOCK_ACCESS_FS_TRUNCATE" +msgstr "" + +#. type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Users should use the Landlock ABI version rather than the kernel version to " +"determine which features are available. The mainline kernel versions listed " +"here are only included for orientation. Kernels from other sources may " +"contain backported features, and their version numbers may not match." +msgstr "" + +#. type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"To query the running kernel's Landlock ABI version, programs may pass the " +"B<LANDLOCK_CREATE_RULESET_VERSION> flag to B<landlock_create_ruleset>(2)." +msgstr "" + +#. 
type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"When building fallback mechanisms for compatibility with older kernels, " +"users are advised to consider the special semantics of the " +"B<LANDLOCK_ACCESS_FS_REFER> access right: In ABI v1, linking and moving of " +"files between different directories is always forbidden, so programs relying " +"on such operations are only compatible with Landlock ABI v2 and higher." +msgstr "" + +#. type: SH +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "NOTES" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Landlock is enabled by B<CONFIG_SECURITY_LANDLOCK>. The I<lsm=lsm1,...," +"lsmN> command line parameter controls the sequence of the initialization of " +"Linux Security Modules. It must contain the string I<landlock> to enable " +"Landlock. If the command line parameter is not specified, the " +"initialization falls back to the value of the deprecated I<security=> " +"command line parameter and further to the value of B<CONFIG_LSM>. We can " +"check that Landlock is enabled by looking for I<landlock: Up and running.> " +"in kernel logs." +msgstr "" + +#. type: SH +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "CAVEATS" +msgstr "" + +#. 
type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"It is currently not possible to restrict some file-related actions " +"accessible through these system call families: B<chdir>(2), B<stat>(2), " +"B<flock>(2), B<chmod>(2), B<chown>(2), B<setxattr>(2), B<utime>(2), " +"B<ioctl>(2), B<fcntl>(2), B<access>(2). Future Landlock evolutions will " +"enable to restrict them." +msgstr "" + +#. type: SH +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "EXAMPLES" +msgstr "" + +#. type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-tumbleweed +msgid "We first need to create the ruleset that will contain our rules." +msgstr "" + +#. type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-tumbleweed +msgid "" +"For this example, the ruleset will contain rules that only allow read " +"actions, but write actions will be denied. The ruleset then needs to handle " +"both of these kinds of actions. See the B<DESCRIPTION> section for the " +"description of filesystem actions." +msgstr "" + +#. 
type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-tumbleweed +#, no-wrap +msgid "" +"struct landlock_ruleset_attr attr = {0};\n" +"int ruleset_fd;\n" +"\\&\n" +"attr.handled_access_fs =\n" +" LANDLOCK_ACCESS_FS_EXECUTE |\n" +" LANDLOCK_ACCESS_FS_WRITE_FILE |\n" +" LANDLOCK_ACCESS_FS_READ_FILE |\n" +" LANDLOCK_ACCESS_FS_READ_DIR |\n" +" LANDLOCK_ACCESS_FS_REMOVE_DIR |\n" +" LANDLOCK_ACCESS_FS_REMOVE_FILE |\n" +" LANDLOCK_ACCESS_FS_MAKE_CHAR |\n" +" LANDLOCK_ACCESS_FS_MAKE_DIR |\n" +" LANDLOCK_ACCESS_FS_MAKE_REG |\n" +" LANDLOCK_ACCESS_FS_MAKE_SOCK |\n" +" LANDLOCK_ACCESS_FS_MAKE_FIFO |\n" +" LANDLOCK_ACCESS_FS_MAKE_BLOCK |\n" +" LANDLOCK_ACCESS_FS_MAKE_SYM |\n" +" LANDLOCK_ACCESS_FS_REFER |\n" +" LANDLOCK_ACCESS_FS_TRUNCATE;\n" +msgstr "" + +#. type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-tumbleweed +msgid "" +"To be compatible with older Linux versions, we detect the available Landlock " +"ABI version, and only use the available subset of access rights:" +msgstr "" + +#. type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-tumbleweed +#, no-wrap +msgid "" +"/*\n" +" * Table of available file system access rights by ABI version,\n" +" * numbers hardcoded to keep the example short.\n" +" */\n" +"__u64 landlock_fs_access_rights[] = {\n" +" (LANDLOCK_ACCESS_FS_MAKE_SYM E<lt>E<lt> 1) - 1, /* v1 */\n" +" (LANDLOCK_ACCESS_FS_REFER E<lt>E<lt> 1) - 1, /* v2: add \"refer\" */\n" +" (LANDLOCK_ACCESS_FS_TRUNCATE E<lt>E<lt> 1) - 1, /* v3: add \"truncate\" */\n" +"};\n" +"\\&\n" +"int abi = landlock_create_ruleset(NULL, 0,\n" +" LANDLOCK_CREATE_RULESET_VERSION);\n" +"if (abi == -1) {\n" +" /*\n" +" * Kernel too old, not compiled with Landlock,\n" +" * or Landlock was not enabled at boot time.\n" +" */\n" +" perror(\"Unable to use Landlock\");\n" +" return; /* Graceful fallback: Do nothing. 
*/\n" +"}\n" +"abi = MIN(abi, 3);\n" +"\\&\n" +"/* Only use the available rights in the ruleset. */\n" +"attr.handled_access_fs &= landlock_fs_access_rights[abi - 1];\n" +msgstr "" + +#. type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-tumbleweed +msgid "" +"The available access rights for each ABI version are listed in the " +"B<VERSIONS> section." +msgstr "" + +#. type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-tumbleweed +msgid "" +"If our program needed to create hard links or rename files between different " +"directories (B<LANDLOCK_ACCESS_FS_REFER>), we would require the following " +"change to the backwards compatibility logic: Directory reparenting is not " +"possible in a process restricted with Landlock ABI version 1. Therefore, if " +"the program needed to do file reparenting, and if only Landlock ABI version " +"1 was available, we could not restrict the process." +msgstr "" + +#. type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-tumbleweed +msgid "" +"Now that the ruleset attributes are determined, we create the Landlock " +"ruleset and acquire a file descriptor as a handle to it, using " +"B<landlock_create_ruleset>(2):" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "" +"ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0);\n" +"if (ruleset_fd == -1) {\n" +" perror(\"Failed to create a ruleset\");\n" +" exit(EXIT_FAILURE);\n" +"}\n" +msgstr "" + +#. type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-tumbleweed +msgid "" +"We can now add a new rule to the ruleset through the ruleset's file " +"descriptor. 
The requested access rights must be a subset of the access " +"rights which were specified in I<attr.handled_access_fs> at ruleset creation " +"time." +msgstr "" + +#. type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-tumbleweed +msgid "" +"In this example, the rule will only allow reading the file hierarchy I</" +"usr>. Without another rule, write actions would then be denied by the " +"ruleset. To add I</usr> to the ruleset, we open it with the I<O_PATH> flag " +"and fill the I<struct landlock_path_beneath_attr> with this file descriptor." +msgstr "" + +#. type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-tumbleweed +#, no-wrap +msgid "" +"struct landlock_path_beneath_attr path_beneath = {0};\n" +"int err;\n" +"\\&\n" +"path_beneath.allowed_access =\n" +" LANDLOCK_ACCESS_FS_EXECUTE |\n" +" LANDLOCK_ACCESS_FS_READ_FILE |\n" +" LANDLOCK_ACCESS_FS_READ_DIR;\n" +"\\&\n" +"path_beneath.parent_fd = open(\"/usr\", O_PATH | O_CLOEXEC);\n" +"if (path_beneath.parent_fd == -1) {\n" +" perror(\"Failed to open file\");\n" +" close(ruleset_fd);\n" +" exit(EXIT_FAILURE);\n" +"}\n" +"err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,\n" +" &path_beneath, 0);\n" +"close(path_beneath.parent_fd);\n" +"if (err) {\n" +" perror(\"Failed to update ruleset\");\n" +" close(ruleset_fd);\n" +" exit(EXIT_FAILURE);\n" +"}\n" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"We now have a ruleset with one rule allowing read access to I</usr> while " +"denying all other handled accesses for the filesystem. The next step is to " +"restrict the current thread from gaining more privileges (e.g., thanks to a " +"set-user-ID binary)." +msgstr "" + +#. 
type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "" +"if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {\n" +" perror(\"Failed to restrict privileges\");\n" +" close(ruleset_fd);\n" +" exit(EXIT_FAILURE);\n" +"}\n" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "The current thread is now ready to sandbox itself with the ruleset." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "" +"if (landlock_restrict_self(ruleset_fd, 0)) {\n" +" perror(\"Failed to enforce ruleset\");\n" +" close(ruleset_fd);\n" +" exit(EXIT_FAILURE);\n" +"}\n" +"close(ruleset_fd);\n" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"If the B<landlock_restrict_self>(2) system call succeeds, the current " +"thread is now restricted and this policy will be enforced on all its " +"subsequently created children as well. Once a thread is landlocked, there " +"is no way to remove its security policy; only adding more restrictions is " +"allowed. These threads are now in a new Landlock domain, merge of their " +"parent one (if any) with the new ruleset." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Full working code can be found in E<.UR https://git.kernel.org/\\:pub/\\:scm/" +"\\:linux/\\:kernel/\\:git/\\:stable/\\:linux.git/\\:tree/\\:samples/\\:" +"landlock/\\:sandboxer.c> E<.UE>" +msgstr "" + +#. 
type: SH +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "SEE ALSO" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"B<landlock_create_ruleset>(2), B<landlock_add_rule>(2), " +"B<landlock_restrict_self>(2)" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "E<.UR https://landlock.io/> E<.UE>" +msgstr "" + +#. type: TH +#: debian-bookworm +#, no-wrap +msgid "2023-02-05" +msgstr "" + +#. type: TH +#: debian-bookworm +#, no-wrap +msgid "Linux man-pages 6.03" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +msgid "" +"When a thread sandboxes itself, we have the guarantee that the related " +"security policy will stay enforced on all this thread's descendants. This " +"allows creating standalone and modular security policies per application, " +"which will automatically be composed between themselves according to their " +"runtime parent policies." +msgstr "" + +#. type: Plain text +#: debian-bookworm +msgid "Landlock was added in Linux 5.13." +msgstr "" + +#. type: Plain text +#: debian-bookworm +msgid "" +"It is currently not possible to restrict some file-related actions " +"accessible through these system call families: B<chdir>(2), B<truncate>(2), " +"B<stat>(2), B<flock>(2), B<chmod>(2), B<chown>(2), B<setxattr>(2), " +"B<utime>(2), B<ioctl>(2), B<fcntl>(2), B<access>(2). Future Landlock " +"evolutions will enable to restrict them." +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +msgid "" +"We first need to create the ruleset that will contain our rules. 
For this " +"example, the ruleset will contain rules that only allow read actions, but " +"write actions will be denied. The ruleset then needs to handle both of " +"these kinds of actions. See below for the description of filesystem actions." +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +"struct landlock_ruleset_attr attr = {0};\n" +"int ruleset_fd;\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm +#, no-wrap +msgid "" +"attr.handled_access_fs =\n" +" LANDLOCK_ACCESS_FS_EXECUTE |\n" +" LANDLOCK_ACCESS_FS_WRITE_FILE |\n" +" LANDLOCK_ACCESS_FS_READ_FILE |\n" +" LANDLOCK_ACCESS_FS_READ_DIR |\n" +" LANDLOCK_ACCESS_FS_REMOVE_DIR |\n" +" LANDLOCK_ACCESS_FS_REMOVE_FILE |\n" +" LANDLOCK_ACCESS_FS_MAKE_CHAR |\n" +" LANDLOCK_ACCESS_FS_MAKE_DIR |\n" +" LANDLOCK_ACCESS_FS_MAKE_REG |\n" +" LANDLOCK_ACCESS_FS_MAKE_SOCK |\n" +" LANDLOCK_ACCESS_FS_MAKE_FIFO |\n" +" LANDLOCK_ACCESS_FS_MAKE_BLOCK |\n" +" LANDLOCK_ACCESS_FS_MAKE_SYM;\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +msgid "" +"We can now add a new rule to this ruleset thanks to the returned file " +"descriptor referring to this ruleset. The rule will only allow reading the " +"file hierarchy I</usr>. Without another rule, write actions would then be " +"denied by the ruleset. To add I</usr> to the ruleset, we open it with the " +"I<O_PATH> flag and fill the I<struct landlock_path_beneath_attr> with this " +"file descriptor." +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +"struct landlock_path_beneath_attr path_beneath = {0};\n" +"int err;\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +"path_beneath.allowed_access =\n" +" LANDLOCK_ACCESS_FS_EXECUTE |\n" +" LANDLOCK_ACCESS_FS_READ_FILE |\n" +" LANDLOCK_ACCESS_FS_READ_DIR;\n" +msgstr "" + +#. 
type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +"path_beneath.parent_fd = open(\"/usr\", O_PATH | O_CLOEXEC);\n" +"if (path_beneath.parent_fd == -1) {\n" +" perror(\"Failed to open file\");\n" +" close(ruleset_fd);\n" +" exit(EXIT_FAILURE);\n" +"}\n" +"err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,\n" +" &path_beneath, 0);\n" +"close(path_beneath.parent_fd);\n" +"if (err) {\n" +" perror(\"Failed to update ruleset\");\n" +" close(ruleset_fd);\n" +" exit(EXIT_FAILURE);\n" +"}\n" +msgstr "" + +#. type: TH +#: debian-unstable opensuse-tumbleweed +#, no-wrap +msgid "2023-05-03" +msgstr "" + +#. type: TH +#: debian-unstable opensuse-tumbleweed +#, no-wrap +msgid "Linux man-pages 6.05.01" +msgstr "" + +#. type: TH +#: opensuse-leap-15-6 +#, no-wrap +msgid "2023-04-02" +msgstr "" + +#. type: TH +#: opensuse-leap-15-6 +#, no-wrap +msgid "Linux man-pages 6.04" +msgstr "" + +#. type: Plain text +#: opensuse-leap-15-6 +#, no-wrap +msgid "" +"attr.handled_access_fs =\n" +" LANDLOCK_ACCESS_FS_EXECUTE |\n" +" LANDLOCK_ACCESS_FS_WRITE_FILE |\n" +" LANDLOCK_ACCESS_FS_READ_FILE |\n" +" LANDLOCK_ACCESS_FS_READ_DIR |\n" +" LANDLOCK_ACCESS_FS_REMOVE_DIR |\n" +" LANDLOCK_ACCESS_FS_REMOVE_FILE |\n" +" LANDLOCK_ACCESS_FS_MAKE_CHAR |\n" +" LANDLOCK_ACCESS_FS_MAKE_DIR |\n" +" LANDLOCK_ACCESS_FS_MAKE_REG |\n" +" LANDLOCK_ACCESS_FS_MAKE_SOCK |\n" +" LANDLOCK_ACCESS_FS_MAKE_FIFO |\n" +" LANDLOCK_ACCESS_FS_MAKE_BLOCK |\n" +" LANDLOCK_ACCESS_FS_MAKE_SYM |\n" +" LANDLOCK_ACCESS_FS_REFER |\n" +" LANDLOCK_ACCESS_FS_TRUNCATE;\n" +msgstr "" |