landlock_add_rule(2) System Calls Manual landlock_add_rule(2)
NAME
    landlock_add_rule - add a new Landlock rule to a ruleset
LIBRARY
    Standard C library (libc, -lc)
SYNOPSIS
    #include <linux/landlock.h>  /* Definition of LANDLOCK_* constants */
    #include <sys/syscall.h>     /* Definition of SYS_* constants */

    int syscall(SYS_landlock_add_rule, int ruleset_fd,
                enum landlock_rule_type rule_type,
                const void *rule_attr, uint32_t flags);
DESCRIPTION
    A Landlock rule describes an action on an object. An object is
    currently a file hierarchy, and the related filesystem actions are
    defined with a set of access rights. This landlock_add_rule() system
    call enables adding a new Landlock rule to an existing ruleset created
    with landlock_create_ruleset(2). See landlock(7) for a global overview.

    ruleset_fd is a Landlock ruleset file descriptor obtained with
    landlock_create_ruleset(2).

    rule_type identifies the structure type pointed to by rule_attr.
    Currently, Linux supports the following rule_type value:

    LANDLOCK_RULE_PATH_BENEATH
        This defines the object type as a file hierarchy. In this case,
        rule_attr points to the following structure:

            struct landlock_path_beneath_attr {
                __u64 allowed_access;
                __s32 parent_fd;
            } __attribute__((packed));

        allowed_access contains a bitmask of allowed filesystem actions
        for this file hierarchy (see Filesystem actions in landlock(7)).

        parent_fd is an opened file descriptor, preferably with the O_PATH
        flag, which identifies the parent directory of the file hierarchy
        or just a file.

    flags must be 0.
RETURN VALUE
    On success, landlock_add_rule() returns 0.
ERRORS
    landlock_add_rule() can fail for the following reasons:

    EOPNOTSUPP
        Landlock is supported by the kernel but disabled at boot time.

    EINVAL
        flags is not 0, or the rule accesses are inconsistent (i.e.,
        rule_attr->allowed_access is not a subset of the ruleset handled
        accesses).

    ENOMSG
        Empty accesses (i.e., rule_attr->allowed_access is 0).

    EBADF
        ruleset_fd is not a file descriptor for the current thread, or a
        member of rule_attr is not a file descriptor as expected.

    EBADFD
        ruleset_fd is not a ruleset file descriptor, or a member of
        rule_attr is not the expected file descriptor type.

    EPERM
        ruleset_fd has no write access to the underlying ruleset.

    EFAULT
        rule_attr was not a valid address.
STANDARDS
    Linux.
HISTORY
    Linux 5.13.
EXAMPLES
    See landlock(7).
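The following is an added example, not code from the man-pages project, showing how a program fills in struct landlock_path_beneath_attr and calls landlock_add_rule() for a directory, and how the EINVAL and ENOMSG conditions listed under ERRORS can be checked client-side before the call. The names rule_fits_ruleset() and add_path_beneath_rule() are chosen here; the ruleset is assumed to have been created beforehand with landlock_create_ruleset(2) handling the accesses passed as handled_access, and on hosts without <linux/landlock.h> the constants are copied from the UAPI header as a fallback.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/syscall.h>
#if __has_include(<linux/landlock.h>)
#include <linux/landlock.h>
#else /* Fallback for hosts without the UAPI header: values copied from it (ABI v1). */
#define LANDLOCK_RULE_PATH_BENEATH 1
#define LANDLOCK_ACCESS_FS_WRITE_FILE (1ULL << 1)
#define LANDLOCK_ACCESS_FS_READ_FILE (1ULL << 2)
#define LANDLOCK_ACCESS_FS_READ_DIR (1ULL << 3)
struct landlock_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));
#endif
#ifndef SYS_landlock_add_rule
#define SYS_landlock_add_rule 445 /* Assumed: the syscall number is the same on every Linux arch. */
#endif
#ifndef O_PATH
#define O_PATH 010000000 /* Assumed x86/arm64 value; only used if fcntl.h does not define it. */
#endif
extern long syscall(long number, ...);

/* Client-side form of the EINVAL/ENOMSG conditions under ERRORS: a rule must
 * grant at least one access, and only accesses that the ruleset handles. */
int rule_fits_ruleset(uint64_t handled_access, uint64_t allowed_access)
{
    return allowed_access != 0 && (allowed_access & ~handled_access) == 0;
}

/* Adds a LANDLOCK_RULE_PATH_BENEATH rule for `path` to `ruleset_fd`, a ruleset
 * created with landlock_create_ruleset(2) that handles `handled_access`.
 * Returns 0 on success, otherwise -errno (-ENOENT if `path` cannot be opened,
 * -EBADF/-EINVAL/... for the kernel-side failures listed under ERRORS). */
int add_path_beneath_rule(int ruleset_fd, uint64_t handled_access,
                          const char *path, uint64_t allowed_access)
{
    if (!rule_fits_ruleset(handled_access, allowed_access))
        return allowed_access ? -EINVAL : -ENOMSG;
    /* O_PATH: a handle that names the hierarchy without requiring read permission on it. */
    int parent_fd = open(path, O_PATH | O_CLOEXEC);
    if (parent_fd < 0)
        return -errno;
    struct landlock_path_beneath_attr attr = { .allowed_access = allowed_access, .parent_fd = parent_fd };
    long ret = syscall(SYS_landlock_add_rule, ruleset_fd,
                       LANDLOCK_RULE_PATH_BENEATH, &attr, 0); /* flags must be 0 */
    int result = ret < 0 ? -errno : 0;
    close(parent_fd); /* The kernel holds its own reference to the directory once the rule is added. */
    return result;
}
```

A typical caller adds one such rule per directory (for example read-only access to /usr and read/write access to a working directory) and then calls landlock_restrict_self(2) on the ruleset.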
SEE ALSO
    landlock_create_ruleset(2), landlock_restrict_self(2), landlock(7)
COLOPHON
    This page is part of the man-pages (Linux kernel and C library
    user-space interface documentation) project. Information about the
    project can be found at ⟨https://www.kernel.org/doc/man-pages/⟩. If
    you have a bug report for this manual page, see
    ⟨https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/tree/CONTRIBUTING⟩.

    This page was obtained from the tarball man-pages-6.9.1.tar.gz fetched
    from ⟨https://mirrors.edge.kernel.org/pub/linux/docs/man-pages/⟩ on
    2024-06-26. If you discover any rendering problems in this HTML version
    of the page, or you believe there is a better or more up-to-date source
    for the page, or you have corrections or improvements to the
    information in this COLOPHON (which is not part of the original manual
    page), send a mail to man-pages@man7.org
Linux man-pages 6.9.1 2024-05-02 landlock_add_rule(2)