diff options
Diffstat (limited to 'man2/landlock_restrict_self.2')
| -rw-r--r-- | man2/landlock_restrict_self.2 | 116 |
1 files changed, 0 insertions, 116 deletions
diff --git a/man2/landlock_restrict_self.2 b/man2/landlock_restrict_self.2 deleted file mode 100644 index c82181b..0000000 --- a/man2/landlock_restrict_self.2 +++ /dev/null @@ -1,116 +0,0 @@ -.\" Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net> -.\" Copyright © 2019-2020 ANSSI -.\" Copyright © 2021 Microsoft Corporation -.\" -.\" SPDX-License-Identifier: Linux-man-pages-copyleft -.\" -.TH landlock_restrict_self 2 2023-10-31 "Linux man-pages 6.7" -.SH NAME -landlock_restrict_self \- enforce a Landlock ruleset -.SH LIBRARY -Standard C library -.RI ( libc ", " \-lc ) -.SH SYNOPSIS -.nf -.BR "#include <linux/landlock.h>" " /* Definition of " LANDLOCK_* " constants */" -.BR "#include <sys/syscall.h>" " /* Definition of " SYS_* " constants */" -.P -.BI "int syscall(SYS_landlock_restrict_self, int " ruleset_fd , -.BI " uint32_t " flags ); -.SH DESCRIPTION -Once a Landlock ruleset is populated with the desired rules, the -.BR landlock_restrict_self () -system call enables enforcing this ruleset on the calling thread. -See -.BR landlock (7) -for a global overview. -.P -A thread can be restricted with multiple rulesets that are then -composed together to form the thread's Landlock domain. -This can be seen as a stack of rulesets but -it is implemented in a more efficient way. -A domain can only be updated in such a way that -the constraints of each past and future composed rulesets -will restrict the thread and its future children for their entire life. -It is then possible to gradually enforce tailored access control policies -with multiple independent rulesets coming from different sources -(e.g., init system configuration, user session policy, -built-in application policy). -However, most applications should only need one call to -.BR landlock_restrict_self () -and they should avoid arbitrary numbers of such calls because of the -composed rulesets limit. -Instead, developers are encouraged to build a tailored ruleset thanks to -multiple calls to -.BR landlock_add_rule (2). -.P -In order to enforce a ruleset, either the caller must have the -.B CAP_SYS_ADMIN -capability in its user namespace, or the thread must already have the -.I no_new_privs -bit set. -As for -.BR seccomp (2), -this avoids scenarios where unprivileged processes can affect -the behavior of privileged children (e.g., because of set-user-ID binaries). -If that bit was not already set by an ancestor of this thread, -the thread must make the following call: -.IP -.EX -prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); -.EE -.P -.I ruleset_fd -is a Landlock ruleset file descriptor obtained with -.BR landlock_create_ruleset (2) -and fully populated with a set of calls to -.BR landlock_add_rule (2). -.P -.I flags -must be 0. -.SH RETURN VALUE -On success, -.BR landlock_restrict_self () -returns 0. -.SH ERRORS -.BR landlock_restrict_self () -can fail for the following reasons: -.TP -.B EOPNOTSUPP -Landlock is supported by the kernel but disabled at boot time. -.TP -.B EINVAL -.I flags -is not 0. -.TP -.B EBADF -.I ruleset_fd -is not a file descriptor for the current thread. -.TP -.B EBADFD -.I ruleset_fd -is not a ruleset file descriptor. -.TP -.B EPERM -.I ruleset_fd -has no read access to the underlying ruleset, -or the calling thread is not running with -.IR no_new_privs , -or it doesn't have the -.B CAP_SYS_ADMIN -in its user namespace. -.TP -.B E2BIG -The maximum number of composed rulesets is reached for the calling thread. -This limit is currently 64. -.SH STANDARDS -Linux. -.SH HISTORY -Linux 5.13. -.SH EXAMPLES -See -.BR landlock (7). -.SH SEE ALSO -.BR landlock_create_ruleset (2), -.BR landlock_add_rule (2), -.BR landlock (7) |