1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
|
.\" Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
.\" Copyright © 2019-2020 ANSSI
.\" Copyright © 2021 Microsoft Corporation
.\"
.\" SPDX-License-Identifier: Linux-man-pages-copyleft
.\"
.TH landlock_add_rule 2 2023-10-31 "Linux man-pages 6.7"
.SH NAME
landlock_add_rule \- add a new Landlock rule to a ruleset
.SH LIBRARY
Standard C library
.RI ( libc ", " \-lc )
.SH SYNOPSIS
.nf
.BR "#include <linux/landlock.h>" " /* Definition of " LANDLOCK_* " constants */"
.BR "#include <sys/syscall.h>" " /* Definition of " SYS_* " constants */"
.P
.BI "int syscall(SYS_landlock_add_rule, int " ruleset_fd ,
.BI " enum landlock_rule_type " rule_type ,
.BI " const void *" rule_attr ", uint32_t " flags );
.fi
.SH DESCRIPTION
A Landlock rule describes an action on an object.
An object is currently a file hierarchy,
and the related filesystem actions
are defined with a set of access rights.
This
.BR landlock_add_rule ()
system call enables adding a new Landlock rule to an existing ruleset
created with
.BR landlock_create_ruleset (2).
See
.BR landlock (7)
for a global overview.
.P
.I ruleset_fd
is a Landlock ruleset file descriptor obtained with
.BR landlock_create_ruleset (2).
.P
.I rule_type
identifies the structure type pointed to by
.IR rule_attr .
Currently, Linux supports the following
.I rule_type
value:
.TP
.B LANDLOCK_RULE_PATH_BENEATH
This defines the object type as a file hierarchy.
In this case,
.I rule_attr
points to the following structure:
.IP
.in +4n
.EX
struct landlock_path_beneath_attr {
__u64 allowed_access;
__s32 parent_fd;
} __attribute__((packed));
.EE
.in
.IP
.I allowed_access
contains a bitmask of allowed filesystem actions for this file hierarchy
(see
.B Filesystem actions
in
.BR landlock (7)).
.IP
.I parent_fd
is an opened file descriptor, preferably with the
.I O_PATH
flag,
which identifies the parent directory of the file hierarchy or
just a file.
.P
.I flags
must be 0.
.SH RETURN VALUE
On success,
.BR landlock_add_rule ()
returns 0.
.SH ERRORS
.BR landlock_add_rule ()
can fail for the following reasons:
.TP
.B EOPNOTSUPP
Landlock is supported by the kernel but disabled at boot time.
.TP
.B EINVAL
.I flags
is not 0, or the rule accesses are inconsistent (i.e.,
.I rule_attr\->allowed_access
is not a subset of the ruleset handled accesses).
.TP
.B ENOMSG
Empty accesses (i.e.,
.I rule_attr\->allowed_access
is 0).
.TP
.B EBADF
.I ruleset_fd
is not a file descriptor for the current thread,
or a member of
.I rule_attr
is not a file descriptor as expected.
.TP
.B EBADFD
.I ruleset_fd
is not a ruleset file descriptor,
or a member of
.I rule_attr
is not the expected file descriptor type.
.TP
.B EPERM
.I ruleset_fd
has no write access to the underlying ruleset.
.TP
.B EFAULT
.I rule_attr
was not a valid address.
.SH STANDARDS
Linux.
.SH HISTORY
Linux 5.13.
.SH EXAMPLES
See
.BR landlock (7).
.SH SEE ALSO
.BR landlock_create_ruleset (2),
.BR landlock_restrict_self (2),
.BR landlock (7)
|
