Landlock Abi Versioning
Descriptions of Landlock ABI levels
| ABI | Landlock News | Stable kernel | Features |
|---|---|---|---|
| V1 | LLN1 | v5.13 | Landlock, file system access rights |
| V2 | LLN2 | v5.19 | “Refer” access right |
| V3 | LLN3 | v6.2 | File Truncation access right |
| V4 | LLN4 | v6.7 | TCP connect/bind access rights |
| V5 | LLN4 | v6.10 | Device IOCTL access right |
| V6 | LLN5 | v6.12 | “Scoped” access rights: Abstract Unix Sockets, Signals |
| V7 | LLN5 | v6.15 | Audit logging |
⚠️ The Linux version serves as orientation. To test for feature availability, always use landlock_create_ruleset(2).
See LandlockRulesetEnforcement for details.
📚 Canonical description of Landlock ABI levels in the kernel documentation
In tabular form
File system access rights
| Access right | Value | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
|---|---|---|---|---|---|---|---|---|
LANDLOCK_ACCESS_FS_EXECUTE |
(1ULL << 0) |
✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
LANDLOCK_ACCESS_FS_WRITE_FILE |
(1ULL << 1) |
✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
LANDLOCK_ACCESS_FS_READ_FILE |
(1ULL << 2) |
✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
LANDLOCK_ACCESS_FS_READ_DIR |
(1ULL << 3) |
✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
LANDLOCK_ACCESS_FS_REMOVE_DIR |
(1ULL << 4) |
✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
LANDLOCK_ACCESS_FS_REMOVE_FILE |
(1ULL << 5) |
✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
LANDLOCK_ACCESS_FS_MAKE_CHAR |
(1ULL << 6) |
✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
LANDLOCK_ACCESS_FS_MAKE_DIR |
(1ULL << 7) |
✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
LANDLOCK_ACCESS_FS_MAKE_REG |
(1ULL << 8) |
✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
LANDLOCK_ACCESS_FS_MAKE_SOCK |
(1ULL << 9) |
✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
LANDLOCK_ACCESS_FS_MAKE_FIFO |
(1ULL << 10) |
✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
LANDLOCK_ACCESS_FS_MAKE_BLOCK |
(1ULL << 11) |
✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
LANDLOCK_ACCESS_FS_MAKE_SYM |
(1ULL << 12) |
✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
LANDLOCK_ACCESS_FS_REFER |
(1ULL << 13) |
❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
LANDLOCK_ACCESS_FS_TRUNCATE |
(1ULL << 14) |
❌ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ |
LANDLOCK_ACCESS_FS_IOCTL_DEV |
(1ULL << 15) |
❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ |
Network access rights
| Access right | Value | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
|---|---|---|---|---|---|---|---|---|
LANDLOCK_ACCESS_NET_BIND_TCP |
(1ULL << 0) |
❌ | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
LANDLOCK_ACCESS_NET_CONNECT_TCP |
(1ULL << 1) |
❌ | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
Scoped restrictions
| Scoped restriction | Value | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
|---|---|---|---|---|---|---|---|---|
LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET |
(1ULL << 0) |
❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ |
LANDLOCK_SCOPED_SIGNAL |
(1ULL << 1) |
❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ |
Features which are not access rights
Audit logging is available since Landlock ABI v7.
| Feature | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
|---|---|---|---|---|---|---|---|
| Audit logging | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |