Lines Matching +refs:is +refs:pre +refs:merge

13 The goal of Landlock is to enable restriction of ambient rights (e.g. global
15 is a stackable LSM, it makes it possible to create safe security sandboxes as
17 This kind of sandbox is expected to help mitigate the security impact of bugs or
21 We can quickly make sure that Landlock is enabled in the running system by
26 If Landlock is not currently supported, we need to
33 perform. A set of rules is aggregated in a ruleset, which can then restrict
39 For these rules, the object is a file hierarchy,
44 For these rules, the object is a TCP port,
56 The ruleset then needs to handle both these kinds of actions. This is
90 on, it is safer to follow a best-effort security approach. Indeed, we
103 /* Degrades gracefully if Landlock is not handled. */
178 ABI version. In this example, this is not required because all of the requested
194 The next step is to restrict the current thread from gaining more privileges
207 The current thread is now ready to sandbox itself with the ruleset.
218 If the ``landlock_restrict_self`` system call succeeds, the current thread is
220 children as well. Once a thread is landlocked, there is no way to remove its
221 security policy; only adding more restrictions is allowed. These threads are
222 now in a new Landlock domain, which is a merger of their parent one (if any)
230 It is recommended to set access rights to file hierarchy leaves as much as
231 possible. For instance, it is better to be able to have ``~/doc/`` as a
235 depend on their location (i.e. parent directories). This is particularly
254 with a new layer of policy. This complementary policy is stacked with any
273 hierarchy is then composed of the exact same files, on which Landlock rules can
280 combined in a merge directory, and that merged directory becomes available at
281 the mount point. This merge hierarchy may include files from the upper and
282 lower layers, but modifications performed on the merge hierarchy only reflect
284 and merge hierarchies are standalone and each contains their own set of files
285 and directories, which is different from bind mounts. A policy restricting an
294 restrictions from its parent. This is similar to seccomp inheritance (cf.
336 A :manpage:`sendto(2)` on a non-connected datagram socket is treated as if
344 If an operation is scoped within a domain, no rules can be added to allow access
352 overlap in non-intuitive ways. It is recommended to always specify both of
355 A particularly surprising example is :manpage:`creat(2)`. The name suggests
357 it also requires the truncate right if an existing file under the same name is
365 The truncate right is associated with the opened file (see below).
371 ``LANDLOCK_ACCESS_FS_IOCTL_DEV`` rights is associated with the newly created
373 using :manpage:`ftruncate(2)` and :manpage:`ioctl(2)`. The behavior is similar
378 As a consequence, it is possible that a process has multiple open file
382 both before and after the enforcement. It is also possible to pass such file
392 Landlock is designed to be compatible with past and future versions of the
393 kernel. This is achieved thanks to the system call attributes and the
396 contract with each other. This is required to make sure sandboxing will not
402 users, and because they may use different kernel versions, it is strongly
422 printf("Landlock is not supported by the current kernel.\n");
425 printf("Landlock is currently disabled.\n");
499 There is a limit of 16 layers of stacked rulesets. This can be an issue for a
501 rulesets. Once this limit is reached, sys_landlock_restrict_self() returns
502 E2BIG. It is then strongly suggested to carefully build rulesets once in the
510 Kernel memory allocated to create rulesets is accounted and can be restricted
518 means specifically that pre-existing file descriptors like stdin, stdout and
524 the behavior is configurable for ``TIOCSTI``.
526 On older systems, it is therefore recommended to close inherited TTY file
530 Landlock's IOCTL support is coarse-grained at the moment, but may become more
533 ``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right on files where it is really required.
551 Starting with the Landlock ABI version 2, it is now possible to securely
558 File truncation could not be denied before the third Landlock ABI, so it is
561 Starting with the Landlock ABI version 3, it is now possible to securely control
567 Starting with the Landlock ABI version 4, it is now possible to restrict TCP
576 :manpage:`ioctl(2)` is always allowed when using a kernel that only supports an
579 Starting with the Landlock ABI version 5, it is possible to restrict the use of
586 Starting with the Landlock ABI version 6, it is possible to restrict
593 Starting with the Landlock ABI version 6, it is possible to restrict
600 Starting with the Landlock ABI version 7, it is possible to control logging of
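The matching lines above touch the two practical points of the Landlock documentation: the best-effort approach (probe the ABI version, degrade gracefully when Landlock is unsupported or disabled) and the access rights that appeared in later ABI versions (refer in ABI 2, truncate in ABI 3, ioctl on devices in ABI 5), which an older kernel rejects with EINVAL if they are handled. The following program is an added example written for this page, not code from the kernel documentation or the Landlock project: it probes the ABI, trims the handled rights to what the running kernel knows, builds a ruleset that allows read-only access under one directory and read/write under another, sets no_new_privs and enforces the ruleset on the calling thread. The ``ll_*`` helper names, the ``/usr`` and ``/tmp`` directories and the error messages are this example's own choices; the numeric constants and struct layouts are copied from the Landlock UAPI so that the file builds without ``<linux/landlock.h>``.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Landlock UAPI values, copied so this builds without <linux/landlock.h>. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif
#ifndef O_PATH
#define O_PATH 010000000
#endif
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_PATH_BENEATH      1
#define LL_FS_EXECUTE     (1ULL << 0)
#define LL_FS_WRITE_FILE  (1ULL << 1)
#define LL_FS_READ_FILE   (1ULL << 2)
#define LL_FS_READ_DIR    (1ULL << 3)
#define LL_FS_REMOVE_FILE (1ULL << 5)
#define LL_FS_MAKE_REG    (1ULL << 8)
#define LL_FS_REFER       (1ULL << 13) /* since ABI 2 */
#define LL_FS_TRUNCATE    (1ULL << 14) /* since ABI 3 */
#define LL_FS_IOCTL_DEV   (1ULL << 15) /* since ABI 5 */
#define LL_FS_ALL         ((1ULL << 16) - 1) /* all 16 filesystem rights through ABI 5 */

/* Only handled_access_fs is declared: the kernel accepts this shorter struct,
 * so the call also works on ABI 1 kernels that predate the net/scope fields. */
struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr {
    uint64_t allowed_access;
    int32_t parent_fd;
} __attribute__((packed));

/* Returns the ABI version (>= 1), or 0 if Landlock cannot be used; `why`
 * (may be NULL) receives the reason, reusing the upstream wording. */
static int ll_abi_version(const char **why)
{
    long abi = syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
    const char *msg = abi >= 1 ? "ok"
        : errno == ENOSYS     ? "Landlock is not supported by the current kernel."
        : errno == EOPNOTSUPP ? "Landlock is currently disabled."
        : "landlock_create_ruleset(LANDLOCK_CREATE_RULESET_VERSION) failed";
    if (why) *why = msg;
    return abi >= 1 ? (int)abi : 0;
}

/* Best-effort degradation: drop rights the running ABI does not know about
 * (handling an unknown bit fails with EINVAL). Dropped rights are simply
 * not restricted on that kernel. */
static uint64_t ll_fs_rights_for_abi(int abi, uint64_t wanted)
{
    if (abi < 5) wanted &= ~LL_FS_IOCTL_DEV;
    if (abi < 3) wanted &= ~LL_FS_TRUNCATE;
    if (abi < 2) wanted &= ~LL_FS_REFER;
    return wanted;
}

/* Adds a path_beneath rule; `rights` must be a subset of the handled rights. */
static int ll_allow_path(int ruleset_fd, const char *path, uint64_t rights)
{
    struct ll_path_beneath_attr attr = { .allowed_access = rights };
    attr.parent_fd = open(path, O_PATH | O_CLOEXEC);
    if (attr.parent_fd < 0) return -errno;
    int err = syscall(__NR_landlock_add_rule, ruleset_fd, LL_RULE_PATH_BENEATH, &attr, 0) ? -errno : 0;
    close(attr.parent_fd);
    return err;
}

/* Confines the calling thread to read-only `ro_dir` plus read/write `rw_dir`.
 * Returns 1 when enforced, 0 when Landlock is unavailable (caller continues
 * unsandboxed, as the best-effort approach allows), or -errno on error. */
static int ll_sandbox(const char *ro_dir, const char *rw_dir)
{
    const char *why;
    int abi = ll_abi_version(&why);
    if (abi == 0) { fprintf(stderr, "%s\n", why); return 0; }
    struct ll_ruleset_attr rs = { .handled_access_fs = ll_fs_rights_for_abi(abi, LL_FS_ALL) };
    int ruleset_fd = (int)syscall(__NR_landlock_create_ruleset, &rs, sizeof(rs), 0);
    if (ruleset_fd < 0) return -errno;
    uint64_t ro = LL_FS_EXECUTE | LL_FS_READ_FILE | LL_FS_READ_DIR;
    uint64_t rw = ro | LL_FS_WRITE_FILE | LL_FS_MAKE_REG | LL_FS_REMOVE_FILE | LL_FS_TRUNCATE;
    int err = ll_allow_path(ruleset_fd, ro_dir, ll_fs_rights_for_abi(abi, ro));
    if (!err) err = ll_allow_path(ruleset_fd, rw_dir, ll_fs_rights_for_abi(abi, rw));
    /* Unprivileged callers must set no_new_privs before restrict_self. */
    if (!err && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) err = -errno;
    /* E2BIG here means the 16-layer stacking limit has been reached. */
    if (!err && syscall(__NR_landlock_restrict_self, ruleset_fd, 0)) err = -errno;
    close(ruleset_fd);
    return err ? err : 1;
}

int main(void)
{
    int ret = ll_sandbox("/usr", "/tmp");
    if (ret < 0) { fprintf(stderr, "sandboxing failed: %s\n", strerror(-ret)); return 1; }
    puts(ret ? "sandboxed; writes outside /tmp now fail with EACCES" : "not sandboxed; best effort");
    return 0;
}
```

Because ``ll_fs_rights_for_abi`` is applied to the handled set and to every rule, the program compiles once and runs on any kernel from ABI 1 onwards; on an ABI 1 or 2 kernel, truncation is simply not restricted, which is exactly the trade-off the documentation describes for a best-effort sandbox. Once ``landlock_restrict_self`` succeeds the policy cannot be lifted, so call ``ll_sandbox`` after all setup that needs wider access (configuration files, shared libraries) is done.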
618 default is set with ``CONFIG_LSM``. The kernel configuration should then
631 For example, if the current built-in configuration is:
650 After a reboot, we can check that Landlock is up and running by looking at
673 operation is already not possible.