summaryrefslogtreecommitdiffstats
path: root/man2/landlock_restrict_self.2
diff options
context:
space:
mode:
Diffstat (limited to 'man2/landlock_restrict_self.2')
-rw-r--r--man2/landlock_restrict_self.2116
1 files changed, 0 insertions, 116 deletions
diff --git a/man2/landlock_restrict_self.2 b/man2/landlock_restrict_self.2
deleted file mode 100644
index c82181b..0000000
--- a/man2/landlock_restrict_self.2
+++ /dev/null
@@ -1,116 +0,0 @@
-.\" Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
-.\" Copyright © 2019-2020 ANSSI
-.\" Copyright © 2021 Microsoft Corporation
-.\"
-.\" SPDX-License-Identifier: Linux-man-pages-copyleft
-.\"
-.TH landlock_restrict_self 2 2023-10-31 "Linux man-pages 6.7"
-.SH NAME
-landlock_restrict_self \- enforce a Landlock ruleset
-.SH LIBRARY
-Standard C library
-.RI ( libc ", " \-lc )
-.SH SYNOPSIS
-.nf
-.BR "#include <linux/landlock.h>" " /* Definition of " LANDLOCK_* " constants */"
-.BR "#include <sys/syscall.h>" " /* Definition of " SYS_* " constants */"
-.P
-.BI "int syscall(SYS_landlock_restrict_self, int " ruleset_fd ,
-.BI " uint32_t " flags );
-.SH DESCRIPTION
-Once a Landlock ruleset is populated with the desired rules, the
-.BR landlock_restrict_self ()
-system call enables enforcing this ruleset on the calling thread.
-See
-.BR landlock (7)
-for a global overview.
-.P
-A thread can be restricted with multiple rulesets that are then
-composed together to form the thread's Landlock domain.
-This can be seen as a stack of rulesets but
-it is implemented in a more efficient way.
-A domain can only be updated in such a way that
-the constraints of each past and future composed rulesets
-will restrict the thread and its future children for their entire life.
-It is then possible to gradually enforce tailored access control policies
-with multiple independent rulesets coming from different sources
-(e.g., init system configuration, user session policy,
-built-in application policy).
-However, most applications should only need one call to
-.BR landlock_restrict_self ()
-and they should avoid arbitrary numbers of such calls because of the
-composed rulesets limit.
-Instead, developers are encouraged to build a tailored ruleset thanks to
-multiple calls to
-.BR landlock_add_rule (2).
-.P
-In order to enforce a ruleset, either the caller must have the
-.B CAP_SYS_ADMIN
-capability in its user namespace, or the thread must already have the
-.I no_new_privs
-bit set.
-As for
-.BR seccomp (2),
-this avoids scenarios where unprivileged processes can affect
-the behavior of privileged children (e.g., because of set-user-ID binaries).
-If that bit was not already set by an ancestor of this thread,
-the thread must make the following call:
-.IP
-.EX
-prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
-.EE
-.P
-.I ruleset_fd
-is a Landlock ruleset file descriptor obtained with
-.BR landlock_create_ruleset (2)
-and fully populated with a set of calls to
-.BR landlock_add_rule (2).
-.P
-.I flags
-must be 0.
-.SH RETURN VALUE
-On success,
-.BR landlock_restrict_self ()
-returns 0.
-.SH ERRORS
-.BR landlock_restrict_self ()
-can fail for the following reasons:
-.TP
-.B EOPNOTSUPP
-Landlock is supported by the kernel but disabled at boot time.
-.TP
-.B EINVAL
-.I flags
-is not 0.
-.TP
-.B EBADF
-.I ruleset_fd
-is not a file descriptor for the current thread.
-.TP
-.B EBADFD
-.I ruleset_fd
-is not a ruleset file descriptor.
-.TP
-.B EPERM
-.I ruleset_fd
-has no read access to the underlying ruleset,
-or the calling thread is not running with
-.IR no_new_privs ,
-or it doesn't have the
-.B CAP_SYS_ADMIN
-in its user namespace.
-.TP
-.B E2BIG
-The maximum number of composed rulesets is reached for the calling thread.
-This limit is currently 64.
-.SH STANDARDS
-Linux.
-.SH HISTORY
-Linux 5.13.
-.SH EXAMPLES
-See
-.BR landlock (7).
-.SH SEE ALSO
-.BR landlock_create_ruleset (2),
-.BR landlock_add_rule (2),
-.BR landlock (7)