Landlock Socket Type Control

💾 Patch Set V4 (V3, V2) (Mikhail Ivanov) | 🐞 Bugtracker

Warning: The LandlockSocketTypeControl feature for restricting the use of socket(2) is not stable yet (as of November 2025).

This work-in-progress patch set restricts invocations of socket(2) to specific combinations of a socket’s protocol family and socket type.

API

struct landlock_ruleset_attr is extended by the new field:

__u64 handled_access_socket

with the possible access right:

LANDLOCK_ACCESS_SOCKET_CREATE

When this access right is set in handled_access_socket during ruleset creation, creating new sockets through socket(2) is denied by default once the ruleset is enforced.

To add an exception for a specific combination of a socket’s family, type and protocol, fill the struct:

struct landlock_socket_attr {
	__u64 allowed_access;
	__s32 family;
	__s32 type;
	__s32 protocol;
};

and add it as an exception to the ruleset using landlock_add_rule(2):

struct landlock_socket_attr attr = {
	.allowed_access = LANDLOCK_ACCESS_SOCKET_CREATE,
	.family         = AF_INET6,
	.type           = SOCK_STREAM,
	.protocol       = -1,  /* wildcard */
};
if (landlock_add_rule(ruleset_fd, LANDLOCK_RULE_SOCKET, &attr, 0) == -1)
	warn("landlock_add_rule (socket)");

To match any value of type or protocol in a rule, you can use the wildcard value -1.
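
The matching behaviour described above (default deny, exact family, -1 as wildcard for type or protocol), as an added example that is not code from the patch set or from this page: a user-space C model of the rule check, not a call into the kernel. The `model_*` names, the value of `MODEL_ACCESS_SOCKET_CREATE` and the two sample policies are constructed for illustration, and exact-value comparison of non-wildcard fields is an assumption (type flags and protocol 0 are not modelled).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Constructed stand-ins for this model; not values from the patch set. */
#define MODEL_ACCESS_SOCKET_CREATE 1ULL
#define MODEL_WILDCARD (-1)

/* Same fields as struct landlock_socket_attr shown on this page. */
struct model_socket_rule {
	uint64_t allowed_access;
	int32_t family;
	int32_t type;
	int32_t protocol;
};

/* Default deny: socket creation passes only if some rule matches. */
static bool model_socket_allowed(const struct model_socket_rule *rules,
				 size_t n, int family, int type, int protocol)
{
	for (size_t i = 0; i < n; i++) {
		const struct model_socket_rule *r = &rules[i];
		if ((r->allowed_access & MODEL_ACCESS_SOCKET_CREATE) &&
		    r->family == family && /* the page gives no wildcard for family */
		    (r->type == MODEL_WILDCARD || r->type == type) &&
		    (r->protocol == MODEL_WILDCARD || r->protocol == protocol))
			return true;
	}
	return false;
}

/* Constructed policies: the page's wildcard rule and a protocol-pinned one. */
static const struct model_socket_rule wildcard_policy[] = {
	{ MODEL_ACCESS_SOCKET_CREATE, AF_INET6, SOCK_STREAM, MODEL_WILDCARD },
};
static const struct model_socket_rule pinned_policy[] = {
	{ MODEL_ACCESS_SOCKET_CREATE, AF_INET6, SOCK_STREAM, IPPROTO_TCP },
};

int main(void)
{
	printf("SCTP stream: wildcard=%d pinned=%d\n",
	       model_socket_allowed(wildcard_policy, 1, AF_INET6, SOCK_STREAM, IPPROTO_SCTP),
	       model_socket_allowed(pinned_policy, 1, AF_INET6, SOCK_STREAM, IPPROTO_SCTP));
	return 0;
}
```

In this model the wildcard-protocol rule admits any protocol requested on an AF_INET6 stream socket, while the pinned rule admits only IPPROTO_TCP, so an allowlist meant to be tight would set protocol explicitly.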

Example

See LandlockTcpServerExample.