Landlock LSM for unprivileged filesystem and network access control.
Landlock is a Linux Security Module (LSM) that lets a process restrict its own access to the filesystem and network, and that of every child it spawns. Unlike SELinux or AppArmor policy, which an administrator must load system-wide, a Landlock policy is built and enforced by the unprivileged process itself; it can only ever tighten what DAC and any system-wide MAC already permit, never widen it.
§ABI Versions
| ABI | Kernel | Features |
|---|---|---|
| 1 | 5.13 | Basic filesystem access (EXECUTE, READ/WRITE_FILE, READ_DIR, REMOVE_*, MAKE_*) |
| 2 | 5.19 | REFER (cross-directory rename/link) |
| 3 | 6.2 | TRUNCATE (file truncation) |
| 4 | 6.7 | NET_BIND_TCP, NET_CONNECT_TCP (TCP network access) |
| 5 | 6.10 | IOCTL_DEV (ioctl on character and block devices) |
| 6 | 6.12 | SCOPE_SIGNAL, SCOPE_ABSTRACT_UNIX_SOCKET |

A ruleset may only handle access rights the running kernel's ABI knows about; handling an unknown right makes ruleset creation fail with EINVAL, which is why the `*_for_abi` helpers exist. Check the ABI first and degrade gracefully on older kernels.
§Usage
```rust
// Query the kernel and only handle the access rights this ABI knows about.
let abi = landlock_abi_version()?;
let attr = LandlockRulesetAttr {
    handled_access_fs: fs_access_for_abi(abi),
    handled_access_net: net_access_for_abi(abi),
};
let ruleset_fd = landlock_create_ruleset(&attr)?;
// Add rules for allowed paths: `parent_fd` is an open descriptor of the directory
// the rule covers and `allowed_access` must be a subset of `handled_access_fs`.
let rule = LandlockPathBeneathAttr { allowed_access, parent_fd };
landlock_add_rule_path(&ruleset_fd, &rule)?;
// Restrict self - no going back after this!
landlock_restrict_self(&ruleset_fd)?;
```
§Important
- Once landlock_restrict_self is called, it cannot be undone; the restriction is inherited by child processes and survives execve.
- For every handled access right, access that is not explicitly allowed by a rule is denied. A right that is not handled stays unrestricted.
- landlock_restrict_self fails with EPERM unless the calling thread has no_new_privs set (prctl(PR_SET_NO_NEW_PRIVS, 1)) or holds CAP_SYS_ADMIN in its user namespace.
- Network blocking requires ABI 4+ (kernel 6.7+) and covers only TCP bind and connect.
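The steps above, carried through end to end as an added example that is not this crate's code: it talks to the kernel through libc's `syscall` declared directly, so it builds on Linux with only the standard library, and it uses its own constant and function names (`handled_for_abi`, `confine_read_only`, `ruleset_attr_size`) rather than the crate's. Values and struct layouts follow `<linux/landlock.h>`. It shows the best-effort ABI handling, the size of the attr struct that each ABI accepts, the no_new_privs prerequisite, and a probe that confirms the sandbox actually bites.

```rust
// Added example, not the crate's code: a read-only Landlock sandbox built with
// raw syscalls. Constants and struct layouts follow <linux/landlock.h>.
use std::ffi::{c_int, c_long, c_void};
use std::fs::File;
use std::io;
use std::os::fd::{AsRawFd, FromRawFd, OwnedFd};
use std::path::Path;
use std::ptr;

extern "C" {
    fn syscall(num: c_long, ...) -> c_long;
    fn prctl(option: c_int, ...) -> c_int;
}

// Landlock syscall numbers are identical on every architecture.
const SYS_LANDLOCK_CREATE_RULESET: c_long = 444;
const SYS_LANDLOCK_ADD_RULE: c_long = 445;
const SYS_LANDLOCK_RESTRICT_SELF: c_long = 446;
const PR_SET_NO_NEW_PRIVS: c_int = 38;
const LANDLOCK_CREATE_RULESET_VERSION: u32 = 1 << 0;
const LANDLOCK_RULE_PATH_BENEATH: c_int = 1;

// Access rights grouped by the ABI that introduced them.
pub const FS_ABI1: u64 = (1 << 13) - 1; // EXECUTE (bit 0) .. MAKE_SYM (bit 12)
pub const FS_REFER: u64 = 1 << 13; // ABI 2
pub const FS_TRUNCATE: u64 = 1 << 14; // ABI 3
pub const FS_IOCTL_DEV: u64 = 1 << 15; // ABI 5
pub const NET_BIND_TCP: u64 = 1 << 0; // ABI 4
pub const NET_CONNECT_TCP: u64 = 1 << 1; // ABI 4
pub const SCOPE_ABSTRACT_UNIX_SOCKET: u64 = 1 << 0; // ABI 6
pub const SCOPE_SIGNAL: u64 = 1 << 1; // ABI 6
const FS_EXECUTE: u64 = 1 << 0;
const FS_READ_FILE: u64 = 1 << 2;
const FS_READ_DIR: u64 = 1 << 3;

#[repr(C)]
struct RulesetAttr { handled_access_fs: u64, handled_access_net: u64, scoped: u64 }

#[repr(C, packed)]
struct PathBeneathAttr { allowed_access: u64, parent_fd: i32 }

/// Best-effort policy: handle every right the running kernel knows. Naming a right the
/// kernel does not know makes create_ruleset fail with EINVAL, while an unhandled right
/// stays unrestricted, so this is what keeps the sandbox as tight as the kernel allows.
pub fn handled_for_abi(abi: u32) -> (u64, u64, u64) {
    let mut fs = FS_ABI1;
    if abi >= 2 { fs |= FS_REFER; }
    if abi >= 3 { fs |= FS_TRUNCATE; }
    if abi >= 5 { fs |= FS_IOCTL_DEV; }
    let net = if abi >= 4 { NET_BIND_TCP | NET_CONNECT_TCP } else { 0 };
    let scoped = if abi >= 6 { SCOPE_ABSTRACT_UNIX_SOCKET | SCOPE_SIGNAL } else { 0 };
    (fs, net, scoped)
}

/// Pass only the attr fields this kernel has: net was added with ABI 4, scoped with ABI 6.
pub fn ruleset_attr_size(abi: u32) -> usize {
    match abi { 0..=3 => 8, 4 | 5 => 16, _ => 24 }
}

/// Asks the kernel for its Landlock ABI; Err means Landlock is absent or disabled.
pub fn abi_version() -> io::Result<u32> {
    let r = unsafe { syscall(SYS_LANDLOCK_CREATE_RULESET, ptr::null::<c_void>(), 0usize, LANDLOCK_CREATE_RULESET_VERSION) };
    if r < 0 { Err(io::Error::last_os_error()) } else { Ok(r as u32) }
}

fn check(r: c_long) -> io::Result<c_long> {
    if r < 0 { Err(io::Error::last_os_error()) } else { Ok(r) }
}

/// Confines the calling thread to read and execute beneath `dir`; every other handled
/// right (writes anywhere, TCP, cross-sandbox signals) is denied. Irreversible, and
/// inherited by children and across execve.
pub fn confine_read_only(dir: &Path) -> io::Result<()> {
    let abi = abi_version()?;
    let (fs, net, scoped) = handled_for_abi(abi);
    let attr = RulesetAttr { handled_access_fs: fs, handled_access_net: net, scoped };
    let fd = check(unsafe { syscall(SYS_LANDLOCK_CREATE_RULESET, &attr as *const RulesetAttr, ruleset_attr_size(abi), 0u32) })?;
    let ruleset = unsafe { OwnedFd::from_raw_fd(fd as i32) };

    // A rule grants rights beneath a directory fd; allowed_access must be a subset of handled_access_fs.
    let parent = File::open(dir)?;
    let rule = PathBeneathAttr { allowed_access: (FS_EXECUTE | FS_READ_FILE | FS_READ_DIR) & fs, parent_fd: parent.as_raw_fd() };
    check(unsafe { syscall(SYS_LANDLOCK_ADD_RULE, ruleset.as_raw_fd(), LANDLOCK_RULE_PATH_BENEATH, &rule as *const PathBeneathAttr, 0u32) })?;

    // restrict_self returns EPERM unless no_new_privs is set (or the caller has CAP_SYS_ADMIN).
    if unsafe { prctl(PR_SET_NO_NEW_PRIVS, 1usize, 0usize, 0usize, 0usize) } != 0 {
        return Err(io::Error::last_os_error());
    }
    check(unsafe { syscall(SYS_LANDLOCK_RESTRICT_SELF, ruleset.as_raw_fd(), 0u32) })?;
    Ok(())
}

fn main() -> io::Result<()> {
    // Constructed probe: a file outside the allowed tree, created before confinement.
    let outside = std::env::temp_dir().join("landlock-probe");
    std::fs::write(&outside, b"secret")?;
    confine_read_only(Path::new("/usr"))?;
    println!("list /usr succeeds: {}", std::fs::read_dir("/usr").is_ok());
    // Landlock reports a denied open as EACCES, which std maps to PermissionDenied.
    let denied = matches!(File::open(&outside), Err(e) if e.kind() == io::ErrorKind::PermissionDenied);
    println!("open outside the tree denied: {denied}");
    Ok(())
}
```

Run it as a normal user: the ABI probe fails with ENOSYS or EOPNOTSUPP where Landlock is compiled out or not in the `lsm=` boot list, and `confine_read_only` fails with EPERM if the `prctl` call is dropped, which is the usual first mistake. After confinement the process can still list `/usr` but can no longer open the probe file it wrote moments earlier.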
Structs§
- LandlockPathBeneathAttr
- LandlockRulesetAttr
Constants§
- LANDLOCK_ACCESS_FS_EXECUTE - Execute a file.
- LANDLOCK_ACCESS_FS_IOCTL_DEV - Invoke ioctl(2) commands on a character or block device (ABI 5+).
- LANDLOCK_ACCESS_FS_MAKE_BLOCK - Create, rename or link a block device.
- LANDLOCK_ACCESS_FS_MAKE_CHAR - Create, rename or link a character device.
- LANDLOCK_ACCESS_FS_MAKE_DIR - Create or rename a directory.
- LANDLOCK_ACCESS_FS_MAKE_FIFO - Create, rename or link a named pipe.
- LANDLOCK_ACCESS_FS_MAKE_REG - Create, rename or link a regular file.
- LANDLOCK_ACCESS_FS_MAKE_SOCK - Create, rename or link a UNIX domain socket.
- LANDLOCK_ACCESS_FS_MAKE_SYM - Create, rename or link a symbolic link.
- LANDLOCK_ACCESS_FS_READ_DIR - Open a directory or list its contents.
- LANDLOCK_ACCESS_FS_READ_FILE - Open a file with read access.
- LANDLOCK_ACCESS_FS_REFER - Link or rename a file from or to a different directory (ABI 2+).
- LANDLOCK_ACCESS_FS_REMOVE_DIR - Remove an empty directory or rename one.
- LANDLOCK_ACCESS_FS_REMOVE_FILE - Unlink or rename a file.
- LANDLOCK_ACCESS_FS_TRUNCATE - Truncate a file with truncate(2), ftruncate(2), creat(2) or open(2) with O_TRUNC (ABI 3+).
- LANDLOCK_ACCESS_FS_WRITE_FILE - Open a file with write access.
- LANDLOCK_ACCESS_NET_BIND_TCP - Bind a TCP socket to a local port (ABI 4+).
- LANDLOCK_ACCESS_NET_CONNECT_TCP - Connect a TCP socket to a remote port (ABI 4+).
- LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET - Block abstract unix socket connections outside the sandbox (ABI 6+).
- LANDLOCK_SCOPE_SIGNAL - Block signals to processes outside the sandbox (ABI 6+).
Functions§
- fs_access_for_abi - Returns the filesystem access flags for the given ABI version.
- landlock_abi_version - Returns the Landlock ABI version supported by the kernel (an error means Landlock is absent or disabled).
- landlock_add_rule_path - Adds a path-based rule to a Landlock ruleset; the allowed access must be a subset of the ruleset's handled access.
- landlock_create_ruleset - Creates a new Landlock ruleset.
- landlock_restrict_self - Restricts the calling thread to the given Landlock ruleset. Requires no_new_privs (or CAP_SYS_ADMIN); irreversible and inherited by children.
- net_access_for_abi - Returns the network access flags for the given ABI version.
- scope_for_abi - Returns the scoped restriction flags for the given ABI version.