landlock_restrict_self(2) — Linux manual page


landlock_restrict_self(2)      System Calls Manual      landlock_restrict_self(2)

NAME

       landlock_restrict_self - enforce a Landlock ruleset

LIBRARY

       Standard C library (libc, -lc)

SYNOPSIS

       #include <linux/landlock.h>  /* Definition of LANDLOCK_* constants */
       #include <sys/syscall.h>     /* Definition of SYS_* constants */

       int syscall(SYS_landlock_restrict_self, int ruleset_fd,
                   uint32_t flags);

DESCRIPTION

       Once a Landlock ruleset is populated with the desired rules, the
       landlock_restrict_self() system call enforces this ruleset on the
       calling thread.  See landlock(7) for a global overview.

       A thread can be restricted with multiple rulesets that are then
       composed together to form the thread's Landlock domain.  This can
       be seen as a stack of rulesets but it is implemented in a more
       efficient way.  A domain can only be updated in such a way that
       the constraints of each past and future composed rulesets will
       restrict the thread and its future children for their entire life.
       It is then possible to gradually enforce tailored access control
       policies with multiple independent rulesets coming from different
       sources (e.g., init system configuration, user session policy,
       built-in application policy).  However, most applications should
       only need one call to landlock_restrict_self() and they should
       avoid arbitrary numbers of such calls because of the composed
       rulesets limit.  Instead, developers are encouraged to build a
       single tailored ruleset with multiple calls to landlock_add_rule(2).

       In order to enforce a ruleset, either the caller must have the
       CAP_SYS_ADMIN capability in its user namespace, or the thread must
       already have the no_new_privs bit set.  As for seccomp(2), this
       avoids scenarios where unprivileged processes can affect the
       behavior of privileged children (e.g., because of set-user-ID
       binaries).  If that bit was not already set by an ancestor of this
       thread, the thread must make the following call:

              prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);

       ruleset_fd is a Landlock ruleset file descriptor obtained with
       landlock_create_ruleset(2) and fully populated with a set of calls
       to landlock_add_rule(2).

       flags must be 0.

RETURN VALUE

       On success, landlock_restrict_self() returns 0.  On error, -1 is
       returned and errno is set to indicate the error.

ERRORS

       landlock_restrict_self() can fail for the following reasons:

       EOPNOTSUPP
              Landlock is supported by the kernel but disabled at boot
              time.

       EINVAL flags is not 0.

       EBADF  ruleset_fd is not a file descriptor for the current thread.

       EBADFD ruleset_fd is not a ruleset file descriptor.

       EPERM  ruleset_fd has no read access to the underlying ruleset, or
              the calling thread is not running with no_new_privs, or it
              doesn't have the CAP_SYS_ADMIN in its user namespace.

       E2BIG  The maximum number of composed rulesets is reached for the
              calling thread.  This limit is currently 64.

STANDARDS

       Linux.

HISTORY

       Linux 5.13.

EXAMPLES

       See landlock(7).
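       The following program is an added example; it is not part of this
       manual page or of the landlock(7) example.  It shows the sequence
       DESCRIPTION prescribes (create a ruleset, add one rule, set
       no_new_privs if an ancestor has not, then call
       landlock_restrict_self() with flags 0) and decodes a failure into
       the meanings listed under ERRORS.  It assumes the Landlock UAPI of
       ABI version 1 and that the syscall numbers 444-446 are the same on
       every architecture; the fallback definitions are only used when
       the toolchain's headers predate Landlock.  The helper names
       (enforce_ruleset, landlock_restrict_strerror,
       landlock_restrict_self_raw) are this example's own.

```c
/* Added example (not from the man page): enforce a minimal Landlock
 * ruleset on the calling thread and decode landlock_restrict_self()
 * failures.  Assumes Linux >= 5.13 and the ABI v1 UAPI layout. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__has_include)
# if __has_include(<linux/landlock.h>)
#  include <linux/landlock.h>
# endif
#endif

/* Fallbacks for headers that predate Landlock (values from the UAPI, ABI v1). */
#ifndef LANDLOCK_CREATE_RULESET_VERSION
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#define LANDLOCK_ACCESS_FS_EXECUTE      (1ULL << 0)
#define LANDLOCK_ACCESS_FS_WRITE_FILE   (1ULL << 1)
#define LANDLOCK_ACCESS_FS_READ_FILE    (1ULL << 2)
#define LANDLOCK_ACCESS_FS_READ_DIR     (1ULL << 3)
#define LANDLOCK_RULE_PATH_BENEATH      1
struct landlock_ruleset_attr { uint64_t handled_access_fs; };
struct landlock_path_beneath_attr {
    uint64_t allowed_access;
    int32_t parent_fd;
} __attribute__((packed));
#endif
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif

/* Thin wrapper: returns 0 or -1 with errno set, like the raw syscall. */
static int landlock_restrict_self_raw(int ruleset_fd, uint32_t flags)
{
    return (int)syscall(__NR_landlock_restrict_self, ruleset_fd, flags);
}

/* Map an errno from landlock_restrict_self() to the meaning given in ERRORS. */
const char *landlock_restrict_strerror(int err)
{
    switch (err) {
    case ENOSYS:     return "kernel has no Landlock support";
    case EOPNOTSUPP: return "Landlock supported but disabled at boot";
    case EINVAL:     return "flags is not 0";
    case EBADF:      return "ruleset_fd is not a file descriptor of this thread";
    case EBADFD:     return "ruleset_fd is not a ruleset file descriptor";
    case EPERM:      return "no read access to ruleset, or no_new_privs/CAP_SYS_ADMIN missing";
    case E2BIG:      return "composed rulesets limit (64) reached";
    default:         return strerror(err);
    }
}

/* Set no_new_privs if no ancestor did, then enforce ruleset_fd with flags 0.
 * Returns 0 on success or -errno on failure. */
int enforce_ruleset(int ruleset_fd)
{
    int nnp = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
    if (nnp < 0)
        return -errno;
    if (nnp == 0 && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    if (landlock_restrict_self_raw(ruleset_fd, 0) != 0)
        return -errno;
    return 0;
}

int main(void)
{
    if (syscall(__NR_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION) < 0) {
        fprintf(stderr, "Landlock unavailable: %s\n", landlock_restrict_strerror(errno));
        return 1;
    }
    /* Handle read, write and execute; anything handled but not allowed is denied. */
    struct landlock_ruleset_attr attr = {
        .handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_WRITE_FILE |
                             LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR,
    };
    int ruleset_fd = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
    if (ruleset_fd < 0) { perror("landlock_create_ruleset"); return 1; }

    /* One rule: read and execute beneath /usr only. */
    struct landlock_path_beneath_attr rule = {
        .allowed_access = LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_READ_FILE |
                          LANDLOCK_ACCESS_FS_READ_DIR,
        .parent_fd = open("/usr", O_PATH | O_CLOEXEC),
    };
    if (rule.parent_fd < 0 ||
        syscall(__NR_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &rule, 0) != 0) {
        perror("landlock_add_rule"); return 1;
    }
    close(rule.parent_fd);

    int rc = enforce_ruleset(ruleset_fd);
    close(ruleset_fd);  /* the domain now lives in the thread; the fd is no longer needed */
    if (rc != 0) {
        fprintf(stderr, "landlock_restrict_self: %s\n", landlock_restrict_strerror(-rc));
        return 1;
    }
    /* The policy is live: /usr is readable, a file outside it is refused with EACCES. */
    int ok = open("/usr/bin/true", O_RDONLY | O_CLOEXEC);
    int ok_err = errno;
    int denied = open("/etc/hostname", O_RDONLY | O_CLOEXEC);
    int denied_err = errno;
    printf("open(/usr/bin/true): %s\n", ok >= 0 ? "allowed" : strerror(ok_err));
    printf("open(/etc/hostname): %s\n", denied >= 0 ? "allowed" : strerror(denied_err));
    return 0;
}
```

       Note that enforce_ruleset() is one-way: once it returns 0 the
       thread (and every child it creates) keeps the restriction for its
       whole life, which is why the ruleset is built completely before
       the single landlock_restrict_self() call.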

SEE ALSO

       landlock_create_ruleset(2), landlock_add_rule(2), landlock(7)

COLOPHON

       This page is part of the man-pages (Linux kernel and C library
       user-space interface documentation) project.  Information about
       the project can be found at
       ⟨https://www.kernel.org/doc/man-pages/⟩.  If you have a bug report
       for this manual page, see
       ⟨https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/tree/CONTRIBUTING⟩.
       This page was obtained from the tarball man-pages-6.15.tar.gz
       fetched from
       ⟨https://mirrors.edge.kernel.org/pub/linux/docs/man-pages/⟩ on
       2025-08-11.  If you discover any rendering problems in this HTML
       version of the page, or you believe there is a better or more up-
       to-date source for the page, or you have corrections or
       improvements to the information in this COLOPHON (which is not
       part of the original manual page), send a mail to
       man-pages@man7.org

Linux man-pages 6.15              2025-05-17      landlock_restrict_self(2)

HTML rendering created 2025-09-06 by Michael Kerrisk, author of The Linux Programming Interface.
