Documentation/admin-guide/LSM/landlock.rst

Source file repositories/reference/linux-study-clean/Documentation/admin-guide/LSM/landlock.rst

File Facts

System
Linux kernel
Corpus path
Documentation/admin-guide/LSM/landlock.rst
Extension
.rst
Size
8720 bytes
Lines
195
Domain
Support Tooling And Documentation
Bucket
Documentation
Inferred role
Support Tooling And Documentation: documentation
Status
atlas-only

Why This File Exists

Repository support layer: documentation, build tooling, samples, user-space helper tools, generated initramfs support, licenses, and validation utilities.

Dependency Surface

Detected Declarations

Annotated Snippet

.. SPDX-License-Identifier: GPL-2.0
.. Copyright © 2025 Microsoft Corporation

================================
Landlock: system-wide management
================================

:Author: Mickaël Salaün
:Date: June 2026

Landlock can leverage the audit framework to log events.

User space documentation can be found here:
Documentation/userspace-api/landlock.rst.

Audit
=====

Denied access requests are logged by default for a sandboxed program if `audit`
is enabled.  This default behavior can be changed with the
sys_landlock_restrict_self() flags (cf.
Documentation/userspace-api/landlock.rst), or suppressed on a per-object
basis by using ``LANDLOCK_ADD_RULE_QUIET`` (ABI 10+).  Landlock logs can
also be masked thanks to audit rules.  Landlock can generate 2 audit
record types.

Record types
------------

AUDIT_LANDLOCK_ACCESS
    This record type identifies a denied access request to a kernel resource.
    The ``domain`` field indicates the ID of the domain that blocked the
    request.  The ``blockers`` field indicates the cause(s) of this denial
    (separated by a comma), and the following fields identify the kernel object
    (similar to SELinux).  There may be more than one of this record type per
    audit event.

    Example with a file link request generating two records in the same event::

        domain=195ba459b blockers=fs.refer path="/usr/bin" dev="vda2" ino=351
        domain=195ba459b blockers=fs.make_reg,fs.refer path="/usr/local" dev="vda2" ino=365


    The ``blockers`` field uses dot-separated prefixes to indicate the type of
    restriction that caused the denial:

    **fs.*** - Filesystem access rights (ABI 1+):
        - fs.execute, fs.write_file, fs.read_file, fs.read_dir
        - fs.remove_dir, fs.remove_file
        - fs.make_char, fs.make_dir, fs.make_reg, fs.make_sock
        - fs.make_fifo, fs.make_block, fs.make_sym
        - fs.refer (ABI 2+)
        - fs.truncate (ABI 3+)
        - fs.ioctl_dev (ABI 5+)

    **net.*** - Network access rights (ABI 4+):
        - net.bind_tcp - TCP port binding was denied
        - net.connect_tcp - TCP connection was denied
        - net.bind_udp - UDP port binding was denied
        - net.connect_send_udp - UDP connection and send was denied

    **scope.*** - IPC scoping restrictions (ABI 6+):
        - scope.abstract_unix_socket - Abstract UNIX socket connection denied
        - scope.signal - Signal sending denied

    Multiple blockers can appear in a single event (comma-separated) when
    multiple access rights are missing. For example, creating a regular file
    in a directory that lacks both ``make_reg`` and ``refer`` rights would show
    ``blockers=fs.make_reg,fs.refer``.

Annotation

Implementation Notes