Landlock File System Control

This Landlock feature restricts a process's access to the file system.

API

The corresponding field in struct landlock_ruleset_attr is:

__u64 handled_access_fs

It is a bit mask of LANDLOCK_ACCESS_FS_* access rights; the full list is documented in the kernel documentation.

See LandlockAbiVersioning for the availability of these rights per Landlock ABI version.

When these access rights are passed during ruleset creation, the corresponding file system actions will be forbidden by default when the ruleset is enforced.

⚠️ The LANDLOCK_ACCESS_FS_REFER right has special semantics and is always forbidden by default.

This means that the associated file system actions cannot be performed with Landlock ABI v1, where LANDLOCK_ACCESS_FS_REFER is not known yet. See LandlockBestEffortMode for recommendations about how to handle that.

To add an exception for a specific file or directory hierarchy in the file system, fill the struct landlock_path_beneath_attr:

struct landlock_path_beneath_attr {
    __u64 allowed_access;
    __s32 parent_fd;
};

and add it as an exception to the ruleset using landlock_add_rule(2):

landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &attr, 0);

During this call, parent_fd must be an open file descriptor for the file or directory in question, preferably opened with open(2)'s O_PATH flag.
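An added example in C that puts the steps above together (it is not code from this page or from the kernel's own samples): query the ABI version, handle every ABI v1 file system right plus LANDLOCK_ACCESS_FS_REFER only when the running kernel knows it, re-allow read-only access beneath one directory through an O_PATH descriptor, and enforce the ruleset. The helper names (handled_fs_for_abi, sandbox_read_only) and the FS_V1_ALL / FS_RO masks are this example's own.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/landlock.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef LANDLOCK_ACCESS_FS_REFER      /* only defined by ABI v2+ headers */
#define LANDLOCK_ACCESS_FS_REFER (1ULL << 13)
#endif

/* All file system access rights known to Landlock ABI v1 (example's own mask). */
#define FS_V1_ALL (LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_READ_FILE | \
    LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_REMOVE_FILE | \
    LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | \
    LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM)
/* Rights re-granted beneath the read-only directory (example's own mask). */
#define FS_RO (LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR)

/* Rights to handle for a given ABI version: REFER is only requested when the
 * running kernel knows it (ABI v2+); on ABI v1 requesting it would make
 * ruleset creation fail, so the best-effort mask leaves it out. */
static __u64 handled_fs_for_abi(int abi)
{
    __u64 mask = FS_V1_ALL;
    if (abi >= 2)
        mask |= LANDLOCK_ACCESS_FS_REFER;
    return mask;
}

/* Deny every handled FS action, then re-allow read-only use of ro_dir.
 * Returns 0 on success, -1 if Landlock is unavailable or a step fails. */
static int sandbox_read_only(const char *ro_dir)
{
    int abi = syscall(SYS_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
    if (abi < 0)
        return -1;   /* Landlock unsupported or disabled on this kernel */
    struct landlock_ruleset_attr rs = { .handled_access_fs = handled_fs_for_abi(abi) };
    int ruleset_fd = syscall(SYS_landlock_create_ruleset, &rs, sizeof(rs), 0);
    if (ruleset_fd < 0)
        return -1;
    struct landlock_path_beneath_attr pb = { .allowed_access = FS_RO };
    pb.parent_fd = open(ro_dir, O_PATH | O_CLOEXEC);   /* O_PATH: no read access needed */
    int err = pb.parent_fd < 0 ||
              syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &pb, 0) ||
              prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||   /* required before restrict_self */
              syscall(SYS_landlock_restrict_self, ruleset_fd, 0);
    close(pb.parent_fd);
    close(ruleset_fd);
    return err ? -1 : 0;
}
```

After sandbox_read_only("/usr") returns 0, the calling thread (and its future children) can read and execute beneath /usr but every other handled file system action, anywhere, fails with EACCES.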

A mathematical description of how file system access rights interact across the file system hierarchy and in the presence of nested rulesets can be found at LandlockFileSystemCompositionModel.