# SOME DESCRIPTIVE TITLE # Copyright (C) YEAR Free Software Foundation, Inc. # This file is distributed under the same license as the PACKAGE package. # FIRST AUTHOR , YEAR. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "POT-Creation-Date: 2024-06-01 05:59+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. type: TH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Landlock" msgstr "" #. type: TH #: archlinux debian-unstable opensuse-tumbleweed #, no-wrap msgid "2024-05-02" msgstr "" #. type: TH #: archlinux debian-unstable #, no-wrap msgid "Linux man-pages 6.8" msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "NAME" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "Landlock - unprivileged access-control" msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "DESCRIPTION" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Landlock is an access-control system that enables any processes to securely " "restrict themselves and their future children. Because Landlock is a " "stackable Linux Security Module (LSM), it makes it possible to create safe " "security sandboxes as new security layers in addition to the existing system-" "wide access-controls. 
This kind of sandbox is expected to help mitigate the " "security impact of bugs, and unexpected or malicious behaviors in " "applications." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "A Landlock security policy is a set of access rights (e.g., open a file in " "read-only, make a directory, etc.) tied to a file hierarchy. Such policy " "can be configured and enforced by processes for themselves using three " "system calls:" msgstr "" #. type: IP #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "\\[bu]" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "B(2) creates a new ruleset;" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "B(2) adds a new rule to a ruleset;" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "B(2) enforces a ruleset on the calling thread." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "To be able to use these system calls, the running kernel must support " "Landlock and it must be enabled at boot time." msgstr "" #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Landlock rules" msgstr "" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "A Landlock rule describes an action on an object. An object is currently a " "file hierarchy, and the related filesystem actions are defined with access " "rights (see B(2)). A set of rules is aggregated in a " "ruleset, which can then restrict the thread enforcing it, and its future " "children." msgstr "" #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Filesystem actions" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "These flags enable to restrict a sandboxed process to a set of actions on " "files and directories. Files or directories opened before the sandboxing " "are not subject to these restrictions. See B(2) and " "B(2) for more context." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "A file can only receive these access rights:" msgstr "" #. type: TP #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "B" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "Execute a file." msgstr "" #. type: TP #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "B" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "Open a file with write access." msgstr "" #. 
type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed msgid "" "When opening files for writing, you will often additionally need the " "B right. In many cases, these system calls " "truncate existing files when overwriting them (e.g., B(2))." msgstr "" #. type: TP #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "B" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "Open a file with read access." msgstr "" #. type: TP #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "B" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Truncate a file with B(2), B(2), B(2), or " "B(2) with B. Whether an opened file can be truncated with " "B(2) is determined during B(2), in the same way as read " "and write permissions are checked during B(2) using " "B and B. This " "access right is available since the third version of the Landlock ABI." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "A directory can receive access rights related to files or directories. The " "following access right is applied to the directory itself, and the " "directories beneath it:" msgstr "" #. type: TP #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "B" msgstr "" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "Open a directory or list its content." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "However, the following access rights only apply to the content of a " "directory, not the directory itself:" msgstr "" #. type: TP #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "B" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "Remove an empty directory or rename one." msgstr "" #. type: TP #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "B" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "Unlink (or rename) a file." msgstr "" #. type: TP #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "B" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "Create (or rename or link) a character device." msgstr "" #. type: TP #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "B" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "Create (or rename) a directory." msgstr "" #. 
type: TP #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "B" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "Create (or rename or link) a regular file." msgstr "" #. type: TP #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "B" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "Create (or rename or link) a UNIX domain socket." msgstr "" #. type: TP #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "B" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "Create (or rename or link) a named pipe." msgstr "" #. type: TP #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "B" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "Create (or rename or link) a block device." msgstr "" #. type: TP #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "B" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "Create (or rename or link) a symbolic link." msgstr "" #. 
type: TP #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "B" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Link or rename a file from or to a different directory (i.e., reparent a " "file hierarchy)." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed msgid "" "This access right is available since the second version of the Landlock ABI." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed msgid "" "This is the only access right which is denied by default by any ruleset, " "even if the right is not specified as handled at ruleset creation time. The " "only way to make a ruleset grant this right is to explicitly allow it for a " "specific directory by adding a matching rule to the ruleset." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed msgid "" "In particular, when using the first Landlock ABI version, Landlock will " "always deny attempts to reparent files between different directories." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed msgid "" "In addition to the source and destination directories having the " "B access right, the attempted link or rename " "operation must meet the following constraints:" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The reparented file may not gain more access rights in the destination " "directory than it previously had in the source directory. 
If this is " "attempted, the operation results in an B error." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed msgid "" "When linking or renaming, the BI<*> right for the " "respective file type must be granted for the destination directory. " "Otherwise, the operation results in an B error." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed msgid "" "When renaming, the BI<*> right for the " "respective file type must be granted for the source directory. Otherwise, " "the operation results in an B error." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed msgid "" "If multiple requirements are not met, the B error code takes " "precedence over B." msgstr "" #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Layers of file path access rights" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Each time a thread enforces a ruleset on itself, it updates its Landlock " "domain with a new layer of policy. Indeed, this complementary policy is " "composed with the potentially other rulesets already restricting this " "thread. A sandboxed thread can then safely add more constraints to itself " "with a new enforced ruleset." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "One policy layer grants access to a file path if at least one of its rules " "encountered on the path grants the access. 
A sandboxed thread can only " "access a file path if all its enforced policy layers grant the access as " "well as all the other system access controls (e.g., filesystem DAC, other " "LSM policies, etc.)." msgstr "" #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Bind mounts and OverlayFS" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Landlock enables restricting access to file hierarchies, which means that " "these access rights can be propagated with bind mounts (cf. " "B(7)) but not with OverlayFS." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "A bind mount mirrors a source file hierarchy to a destination. The " "destination hierarchy is then composed of the exact same files, on which " "Landlock rules can be tied, either via the source or the destination path. " "These rules restrict access when they are encountered on a path, which means " "that they can restrict access to multiple file hierarchies at the same time, " "whether these hierarchies are the result of bind mounts or not." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "An OverlayFS mount point consists of upper and lower layers. These layers " "are combined in a merge directory, result of the mount point. This merge " "hierarchy may include files from the upper and lower layers, but " "modifications performed on the merge hierarchy only reflect on the upper " "layer. 
From a Landlock policy point of view, each of the OverlayFS layers " "and merge hierarchies is standalone and contains its own set of files and " "directories, which is different from a bind mount. A policy restricting an " "OverlayFS layer will not restrict the resulted merged hierarchy, and vice " "versa. Landlock users should then only think about file hierarchies they " "want to allow access to, regardless of the underlying filesystem." msgstr "" #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Inheritance" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Every new thread resulting from a B(2) inherits Landlock domain " "restrictions from its parent. This is similar to the B(2) " "inheritance or any other LSM dealing with tasks' B(7). For " "instance, one process's thread may apply Landlock rules to itself, but they " "will not be automatically applied to other sibling threads (unlike POSIX " "thread credential changes, cf. B(7))." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "When a thread sandboxes itself, we have the guarantee that the related " "security policy will stay enforced on all this thread's descendants. This " "allows creating standalone and modular security policies per application, " "which will automatically be composed between themselves according to their " "run-time parent policies." msgstr "" #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Ptrace restrictions" msgstr "" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "A sandboxed process has less privileges than a non-sandboxed process and " "must then be subject to additional restrictions when manipulating another " "process. To be allowed to use B(2) and related syscalls on a " "target process, a sandboxed process should have a subset of the target " "process rules, which means the tracee must be in a sub-domain of the tracer." msgstr "" #. type: SS #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Truncating files" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The operations covered by B and " "B both change the contents of a file and " "sometimes overlap in non-intuitive ways. It is recommended to always " "specify both of these together." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed msgid "" "A particularly surprising example is B(2). The name suggests that " "this system call requires the rights to create and write files. However, it " "also requires the truncate right if an existing file under the same name is " "already present." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed msgid "" "It should also be noted that truncating files does not require the " "B right. Apart from the B(2) " "system call, this can also be done through B(2) with the flags " "I." msgstr "" #. 
type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed msgid "" "When opening a file, the availability of the B " "right is associated with the newly created file descriptor and will be used " "for subsequent truncation attempts using B(2). The behavior is " "similar to opening a file for reading or writing, where permissions are " "checked during B(2), but not during the subsequent B(2) and " "B(2) calls." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed msgid "" "As a consequence, it is possible to have multiple open file descriptors for " "the same file, where one grants the right to truncate the file and the other " "does not. It is also possible to pass such file descriptors between " "processes, keeping their Landlock properties, even when these processes do " "not have an enforced Landlock ruleset." msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "VERSIONS" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed msgid "Landlock was introduced in Linux 5.13." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed msgid "" "To determine which Landlock features are available, users should query the " "Landlock ABI version:" msgstr "" #. type: tbl table #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "ABI" msgstr "" #. type: tbl table #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Kernel" msgstr "" #. 
type: tbl table #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Newly introduced access rights" msgstr "" #. type: tbl table #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "_" msgstr "" #. type: tbl table #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "1" msgstr "" #. type: tbl table #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "5.13" msgstr "" #. type: tbl table #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "LANDLOCK_ACCESS_FS_EXECUTE" msgstr "" #. type: tbl table #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "\\^" msgstr "" #. type: tbl table #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "LANDLOCK_ACCESS_FS_WRITE_FILE" msgstr "" #. type: tbl table #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "LANDLOCK_ACCESS_FS_READ_FILE" msgstr "" #. type: tbl table #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "LANDLOCK_ACCESS_FS_READ_DIR" msgstr "" #. type: tbl table #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "LANDLOCK_ACCESS_FS_REMOVE_DIR" msgstr "" #. type: tbl table #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "LANDLOCK_ACCESS_FS_REMOVE_FILE" msgstr "" #. 
type: tbl table #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "LANDLOCK_ACCESS_FS_MAKE_CHAR" msgstr "" #. type: tbl table #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "LANDLOCK_ACCESS_FS_MAKE_DIR" msgstr "" #. type: tbl table #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "LANDLOCK_ACCESS_FS_MAKE_REG" msgstr "" #. type: tbl table #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "LANDLOCK_ACCESS_FS_MAKE_SOCK" msgstr "" #. type: tbl table #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "LANDLOCK_ACCESS_FS_MAKE_FIFO" msgstr "" #. type: tbl table #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "LANDLOCK_ACCESS_FS_MAKE_BLOCK" msgstr "" #. type: tbl table #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "LANDLOCK_ACCESS_FS_MAKE_SYM" msgstr "" #. type: tbl table #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "2" msgstr "" #. type: tbl table #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "5.19" msgstr "" #. type: tbl table #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "LANDLOCK_ACCESS_FS_REFER" msgstr "" #. type: tbl table #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "3" msgstr "" #. 
type: tbl table #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "6.2" msgstr "" #. type: tbl table #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "LANDLOCK_ACCESS_FS_TRUNCATE" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Users should use the Landlock ABI version rather than the kernel version to " "determine which features are available. The mainline kernel versions listed " "here are only included for orientation. Kernels from other sources may " "contain backported features, and their version numbers may not match." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed msgid "" "To query the running kernel's Landlock ABI version, programs may pass the " "B flag to B(2)." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed msgid "" "When building fallback mechanisms for compatibility with older kernels, " "users are advised to consider the special semantics of the " "B access right: In ABI v1, linking and moving of " "files between different directories is always forbidden, so programs relying " "on such operations are only compatible with Landlock ABI v2 and higher." msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "NOTES" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Landlock is enabled by B. 
The I command line parameter controls the sequence of the initialization of " "Linux Security Modules. It must contain the string I to enable " "Landlock. If the command line parameter is not specified, the " "initialization falls back to the value of the deprecated I " "command line parameter and further to the value of B. We can " "check that Landlock is enabled by looking for I " "in kernel logs." msgstr "" #. type: SH #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "CAVEATS" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed msgid "" "It is currently not possible to restrict some file-related actions " "accessible through these system call families: B(2), B(2), " "B(2), B(2), B(2), B(2), B(2), " "B(2), B(2), B(2). Future Landlock evolutions will " "enable to restrict them." msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "EXAMPLES" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "We first need to create the ruleset that will contain our rules." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "For this example, the ruleset will contain rules that only allow read " "actions, but write actions will be denied. The ruleset then needs to handle " "both of these kinds of actions. See the B section for the " "description of filesystem actions." msgstr "" #. 
type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed #, no-wrap msgid "" "struct landlock_ruleset_attr attr = {0};\n" "int ruleset_fd;\n" "\\&\n" "attr.handled_access_fs =\n" " LANDLOCK_ACCESS_FS_EXECUTE |\n" " LANDLOCK_ACCESS_FS_WRITE_FILE |\n" " LANDLOCK_ACCESS_FS_READ_FILE |\n" " LANDLOCK_ACCESS_FS_READ_DIR |\n" " LANDLOCK_ACCESS_FS_REMOVE_DIR |\n" " LANDLOCK_ACCESS_FS_REMOVE_FILE |\n" " LANDLOCK_ACCESS_FS_MAKE_CHAR |\n" " LANDLOCK_ACCESS_FS_MAKE_DIR |\n" " LANDLOCK_ACCESS_FS_MAKE_REG |\n" " LANDLOCK_ACCESS_FS_MAKE_SOCK |\n" " LANDLOCK_ACCESS_FS_MAKE_FIFO |\n" " LANDLOCK_ACCESS_FS_MAKE_BLOCK |\n" " LANDLOCK_ACCESS_FS_MAKE_SYM |\n" " LANDLOCK_ACCESS_FS_REFER |\n" " LANDLOCK_ACCESS_FS_TRUNCATE;\n" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "To be compatible with older Linux versions, we detect the available Landlock " "ABI version, and only use the available subset of access rights:" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed #, no-wrap msgid "" "/*\n" " * Table of available file system access rights by ABI version,\n" " * numbers hardcoded to keep the example short.\n" " */\n" "__u64 landlock_fs_access_rights[] = {\n" " (LANDLOCK_ACCESS_FS_MAKE_SYM << 1) - 1, /* v1 */\n" " (LANDLOCK_ACCESS_FS_REFER << 1) - 1, /* v2: add \"refer\" */\n" " (LANDLOCK_ACCESS_FS_TRUNCATE << 1) - 1, /* v3: add \"truncate\" */\n" "};\n" "\\&\n" "int abi = landlock_create_ruleset(NULL, 0,\n" " LANDLOCK_CREATE_RULESET_VERSION);\n" "if (abi == -1) {\n" " /*\n" " * Kernel too old, not compiled with Landlock,\n" " * or Landlock was not enabled at boot time.\n" " */\n" " perror(\"Unable to use Landlock\");\n" " return; /* Graceful fallback: Do nothing. */\n" "}\n" "abi = MIN(abi, 3);\n" "\\&\n" "/* Only use the available rights in the ruleset. 
*/\n" "attr.handled_access_fs &= landlock_fs_access_rights[abi - 1];\n" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "The available access rights for each ABI version are listed in the " "B section." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "If our program needed to create hard links or rename files between different " "directories (B), we would require the following " "change to the backwards compatibility logic: Directory reparenting is not " "possible in a process restricted with Landlock ABI version 1. Therefore, if " "the program needed to do file reparenting, and if only Landlock ABI version " "1 was available, we could not restrict the process." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "Now that the ruleset attributes are determined, we create the Landlock " "ruleset and acquire a file descriptor as a handle to it, using " "B(2):" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "" "ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0);\n" "if (ruleset_fd == -1) {\n" " perror(\"Failed to create a ruleset\");\n" " exit(EXIT_FAILURE);\n" "}\n" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "We can now add a new rule to the ruleset through the ruleset's file " "descriptor. The requested access rights must be a subset of the access " "rights which were specified in I at ruleset creation " "time." msgstr "" #. 
type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "In this example, the rule will only allow reading the file hierarchy I. Without another rule, write actions would then be denied by the " "ruleset. To add I to the ruleset, we open it with the I flag " "and fill the I with this file descriptor." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed #, no-wrap msgid "" "struct landlock_path_beneath_attr path_beneath = {0};\n" "int err;\n" "\\&\n" "path_beneath.allowed_access =\n" " LANDLOCK_ACCESS_FS_EXECUTE |\n" " LANDLOCK_ACCESS_FS_READ_FILE |\n" " LANDLOCK_ACCESS_FS_READ_DIR;\n" "\\&\n" "path_beneath.parent_fd = open(\"/usr\", O_PATH | O_CLOEXEC);\n" "if (path_beneath.parent_fd == -1) {\n" " perror(\"Failed to open file\");\n" " close(ruleset_fd);\n" " exit(EXIT_FAILURE);\n" "}\n" "err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,\n" " &path_beneath, 0);\n" "close(path_beneath.parent_fd);\n" "if (err) {\n" " perror(\"Failed to update ruleset\");\n" " close(ruleset_fd);\n" " exit(EXIT_FAILURE);\n" "}\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "We now have a ruleset with one rule allowing read access to I while " "denying all other handled accesses for the filesystem. The next step is to " "restrict the current thread from gaining more privileges (e.g., thanks to a " "set-user-ID binary)." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "" "if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {\n" " perror(\"Failed to restrict privileges\");\n" " close(ruleset_fd);\n" " exit(EXIT_FAILURE);\n" "}\n" msgstr "" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "The current thread is now ready to sandbox itself with the ruleset." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "" "if (landlock_restrict_self(ruleset_fd, 0)) {\n" " perror(\"Failed to enforce ruleset\");\n" " close(ruleset_fd);\n" " exit(EXIT_FAILURE);\n" "}\n" "close(ruleset_fd);\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "If the B(2) system call succeeds, the current " "thread is now restricted and this policy will be enforced on all its " "subsequently created children as well. Once a thread is landlocked, there " "is no way to remove its security policy; only adding more restrictions is " "allowed. These threads are now in a new Landlock domain, merge of their " "parent one (if any) with the new ruleset." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Full working code can be found in E<.UR https://git.kernel.org/\\:pub/\\:scm/" "\\:linux/\\:kernel/\\:git/\\:stable/\\:linux.git/\\:tree/\\:samples/\\:" "landlock/\\:sandboxer.c> E<.UE>" msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "SEE ALSO" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "B(2), B(2), " "B(2)" msgstr "" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "E<.UR https://landlock.io/> E<.UE>" msgstr "" #. type: TH #: debian-bookworm #, no-wrap msgid "2023-02-05" msgstr "" #. type: TH #: debian-bookworm #, no-wrap msgid "Linux man-pages 6.03" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 msgid "" "When a thread sandboxes itself, we have the guarantee that the related " "security policy will stay enforced on all this thread's descendants. This " "allows creating standalone and modular security policies per application, " "which will automatically be composed between themselves according to their " "runtime parent policies." msgstr "" #. type: Plain text #: debian-bookworm msgid "Landlock was added in Linux 5.13." msgstr "" #. type: Plain text #: debian-bookworm msgid "" "It is currently not possible to restrict some file-related actions " "accessible through these system call families: B(2), B(2), " "B(2), B(2), B(2), B(2), B(2), " "B(2), B(2), B(2), B(2). Future Landlock " "evolutions will enable to restrict them." msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 msgid "" "We first need to create the ruleset that will contain our rules. For this " "example, the ruleset will contain rules that only allow read actions, but " "write actions will be denied. The ruleset then needs to handle both of " "these kinds of actions. See below for the description of filesystem actions." msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" "struct landlock_ruleset_attr attr = {0};\n" "int ruleset_fd;\n" msgstr "" #. 
type: Plain text #: debian-bookworm #, no-wrap msgid "" "attr.handled_access_fs =\n" " LANDLOCK_ACCESS_FS_EXECUTE |\n" " LANDLOCK_ACCESS_FS_WRITE_FILE |\n" " LANDLOCK_ACCESS_FS_READ_FILE |\n" " LANDLOCK_ACCESS_FS_READ_DIR |\n" " LANDLOCK_ACCESS_FS_REMOVE_DIR |\n" " LANDLOCK_ACCESS_FS_REMOVE_FILE |\n" " LANDLOCK_ACCESS_FS_MAKE_CHAR |\n" " LANDLOCK_ACCESS_FS_MAKE_DIR |\n" " LANDLOCK_ACCESS_FS_MAKE_REG |\n" " LANDLOCK_ACCESS_FS_MAKE_SOCK |\n" " LANDLOCK_ACCESS_FS_MAKE_FIFO |\n" " LANDLOCK_ACCESS_FS_MAKE_BLOCK |\n" " LANDLOCK_ACCESS_FS_MAKE_SYM;\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 msgid "" "We can now add a new rule to this ruleset thanks to the returned file " "descriptor referring to this ruleset. The rule will only allow reading the " "file hierarchy I. Without another rule, write actions would then be " "denied by the ruleset. To add I to the ruleset, we open it with the " "I flag and fill the I with this " "file descriptor." msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" "struct landlock_path_beneath_attr path_beneath = {0};\n" "int err;\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" "path_beneath.allowed_access =\n" " LANDLOCK_ACCESS_FS_EXECUTE |\n" " LANDLOCK_ACCESS_FS_READ_FILE |\n" " LANDLOCK_ACCESS_FS_READ_DIR;\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" "path_beneath.parent_fd = open(\"/usr\", O_PATH | O_CLOEXEC);\n" "if (path_beneath.parent_fd == -1) {\n" " perror(\"Failed to open file\");\n" " close(ruleset_fd);\n" " exit(EXIT_FAILURE);\n" "}\n" "err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,\n" " &path_beneath, 0);\n" "close(path_beneath.parent_fd);\n" "if (err) {\n" " perror(\"Failed to update ruleset\");\n" " close(ruleset_fd);\n" " exit(EXIT_FAILURE);\n" "}\n" msgstr "" #. type: TH #: fedora-40 fedora-rawhide mageia-cauldron #, no-wrap msgid "2023-10-31" msgstr "" #. 
type: TH #: fedora-40 mageia-cauldron #, no-wrap msgid "Linux man-pages 6.06" msgstr "" #. type: TH #: fedora-rawhide #, no-wrap msgid "Linux man-pages 6.7" msgstr "" #. type: TH #: opensuse-leap-15-6 #, no-wrap msgid "2023-04-02" msgstr "" #. type: TH #: opensuse-leap-15-6 #, no-wrap msgid "Linux man-pages 6.04" msgstr "" #. type: Plain text #: opensuse-leap-15-6 #, no-wrap msgid "" "attr.handled_access_fs =\n" " LANDLOCK_ACCESS_FS_EXECUTE |\n" " LANDLOCK_ACCESS_FS_WRITE_FILE |\n" " LANDLOCK_ACCESS_FS_READ_FILE |\n" " LANDLOCK_ACCESS_FS_READ_DIR |\n" " LANDLOCK_ACCESS_FS_REMOVE_DIR |\n" " LANDLOCK_ACCESS_FS_REMOVE_FILE |\n" " LANDLOCK_ACCESS_FS_MAKE_CHAR |\n" " LANDLOCK_ACCESS_FS_MAKE_DIR |\n" " LANDLOCK_ACCESS_FS_MAKE_REG |\n" " LANDLOCK_ACCESS_FS_MAKE_SOCK |\n" " LANDLOCK_ACCESS_FS_MAKE_FIFO |\n" " LANDLOCK_ACCESS_FS_MAKE_BLOCK |\n" " LANDLOCK_ACCESS_FS_MAKE_SYM |\n" " LANDLOCK_ACCESS_FS_REFER |\n" " LANDLOCK_ACCESS_FS_TRUNCATE;\n" msgstr "" #. type: TH #: opensuse-tumbleweed #, no-wrap msgid "Linux man-pages (unreleased)" msgstr ""