Landlock File Execution Problem
If a process grants the LANDLOCK_ACCESS_FS_EXECUTE right on a file path, this is often not enough to execute the file. The underlying reason is that many programs require more files than just the executable itself to run:
- Shared libraries are commonly loaded from locations such as
/liband/usr/lib. The exact resolution order is documented in ld.so(8). - Resources and configuration files are dependent on the program.
- On Unix, configuration files are traditionally stored in
/etcor as “dotfiles” in$HOME. More modern programs use the XDG Base Directory Specification – these config files will often be found in$HOME/.config.
- On Unix, configuration files are traditionally stored in
A good way to learn about the paths that a process is accessing during startup is the strace utility. Use the -f option to trace a process including its subprocesses.