.. SPDX-License-Identifier: GPL-2.0
.. Copyright © 2025 Microsoft Corporation

================================
Landlock: system-wide management
================================

:Author: Mickaël Salaün
:Date: January 2026

Landlock can leverage the audit framework to log events.

User space documentation can be found here:
Documentation/userspace-api/landlock.rst.

Audit
=====

Denied access requests are logged by default for a sandboxed program if `audit`
is enabled. This default behavior can be changed with the
sys_landlock_restrict_self() flags (cf.
Documentation/userspace-api/landlock.rst). Landlock logs can also be masked
thanks to audit rules. Landlock can generate 2 audit record types.

Record types
------------

AUDIT_LANDLOCK_ACCESS
  This record type identifies a denied access request to a kernel resource.
  The ``domain`` field indicates the ID of the domain that blocked the
  request. The ``blockers`` field indicates the cause(s) of this denial
  (separated by a comma), and the following fields identify the kernel object
  (similar to SELinux). There may be more than one of this record type per
  audit event.

  Example with a file link request generating two records in the same event::

    domain=195ba459b blockers=fs.refer path="/usr/bin" dev="vda2" ino=351
    domain=195ba459b blockers=fs.make_reg,fs.refer path="/usr/local" dev="vda2" ino=365

  The ``blockers`` field uses dot-separated prefixes to indicate the type of
  restriction that caused the denial:

  **fs.\*** - Filesystem access rights (ABI 1+):

  - fs.execute, fs.write_file, fs.read_file, fs.read_dir
  - fs.remove_dir, fs.remove_file
  - fs.make_char, fs.make_dir, fs.make_reg, fs.make_sock
  - fs.make_fifo, fs.make_block, fs.make_sym
  - fs.refer (ABI 2+)
  - fs.truncate (ABI 3+)
  - fs.ioctl_dev (ABI 5+)

  **net.\*** - Network access rights (ABI 4+):

  - net.bind_tcp - TCP port binding was denied
  - net.connect_tcp - TCP connection was denied

  **scope.\*** - IPC scoping restrictions (ABI 6+):

  - scope.abstract_unix_socket - Abstract UNIX socket connection denied
  - scope.signal - Signal sending denied

  Multiple blockers can appear in a single record (comma-separated) when
  multiple access rights are missing. For example, linking a regular file into
  a directory that lacks both ``make_reg`` and ``refer`` rights shows
  ``blockers=fs.make_reg,fs.refer``, as in the ``/usr/local`` record above.

  The object identification fields (``path``, ``dev``, ``ino`` for the
  filesystem; ``opid``, ``ocomm`` for signals) depend on the type of access
  being blocked and identify the resource involved in the denial.


AUDIT_LANDLOCK_DOMAIN
  This record type describes the status of a Landlock domain. The ``status``
  field can be either ``allocated`` or ``deallocated``.

  The ``allocated`` status is part of the same audit event and follows
  the first logged ``AUDIT_LANDLOCK_ACCESS`` record of a domain. It identifies
  Landlock domain information at the time of the sys_landlock_restrict_self()
  call with the following fields:

  - the ``domain`` ID
  - the enforcement ``mode``
  - the domain creator's ``pid``
  - the domain creator's ``uid``
  - the domain creator's executable path (``exe``)
  - the domain creator's command name (``comm``)

  Example::

    domain=195ba459b status=allocated mode=enforcing pid=300 uid=0 exe="/root/sandboxer" comm="sandboxer"

  The ``deallocated`` status is an event on its own and it identifies a
  Landlock domain release. After such an event, it is guaranteed that the
  related domain ID will never be reused during the lifetime of the system.
  The ``domain`` field indicates the ID of the domain which is released, and
  the ``denials`` field indicates the total number of denied access requests,
  some of which might not have been logged, according to the audit rules and
  sys_landlock_restrict_self()'s flags.

  Example::

    domain=195ba459b status=deallocated denials=3


Event samples
-------------

Here are two examples of log events (see serial numbers).

In this example a sandboxed program (``kill``) tries to send a signal to the
init process, which is denied because of the signal scoping restriction
(``LL_SCOPED=s``)::

  $ LL_FS_RO=/ LL_FS_RW=/ LL_SCOPED=s LL_FORCE_LOG=1 ./sandboxer kill 1

This command generates two events, each identified with a unique serial
number following a timestamp (``msg=audit(1729738800.268:30)``). The first
event (serial ``30``) contains 4 records. The first record
(``type=LANDLOCK_ACCESS``) shows an access denied by the domain `1a6fdc66f`.
The cause of this denial is the signal scoping restriction
(``blockers=scope.signal``). The process that would have received this signal
is the init process (``opid=1 ocomm="systemd"``).

The second record (``type=LANDLOCK_DOMAIN``) describes (``status=allocated``)
domain `1a6fdc66f`. This domain was created by process ``286`` executing the
``/root/sandboxer`` program launched by the root user.

The third record (``type=SYSCALL``) describes the syscall, its provided
arguments, its result (``success=no exit=-1``, i.e. ``EPERM``), and the
process that called it.

The fourth record (``type=PROCTITLE``) shows the command line as a
hexadecimal value, its arguments being separated by NUL bytes. This can be
translated with ``python -c 'print(bytes.fromhex("6B696C6C0031"))'``.

Finally, the last record (``type=LANDLOCK_DOMAIN``) is also the only one from
the second event (serial ``31``). It is not tied to a direct user space action
but to an asynchronous one that frees the resources tied to a Landlock domain
(``status=deallocated``). This can be useful to know that the following logs
will not concern the domain ``1a6fdc66f`` anymore. This record also summarizes
the number of requests this domain denied (``denials=1``), whether they were
logged or not.

.. code-block::

  type=LANDLOCK_ACCESS msg=audit(1729738800.268:30): domain=1a6fdc66f blockers=scope.signal opid=1 ocomm="systemd"
  type=LANDLOCK_DOMAIN msg=audit(1729738800.268:30): domain=1a6fdc66f status=allocated mode=enforcing pid=286 uid=0 exe="/root/sandboxer" comm="sandboxer"
  type=SYSCALL msg=audit(1729738800.268:30): arch=c000003e syscall=62 success=no exit=-1 [..] ppid=272 pid=286 auid=0 uid=0 gid=0 [...] comm="kill" [...]
  type=PROCTITLE msg=audit(1729738800.268:30): proctitle=6B696C6C0031
  type=LANDLOCK_DOMAIN msg=audit(1729738800.324:31): domain=1a6fdc66f status=deallocated denials=1

Here is another example showcasing filesystem access control::

  $ LL_FS_RO=/ LL_FS_RW=/tmp LL_FORCE_LOG=1 ./sandboxer sh -c "echo > /etc/passwd"

The related audit logs contain 8 records from 3 different events (serials 33,
34 and 35) created by the same domain `1a6fdc679`. Both denied ``openat``
calls (``syscall=257``) fail with ``exit=-13`` (``EACCES``), first for
``/dev/tty`` and then for ``/etc/passwd``, neither being under the only
writable hierarchy, ``/tmp``::

  type=LANDLOCK_ACCESS msg=audit(1729738800.221:33): domain=1a6fdc679 blockers=fs.write_file path="/dev/tty" dev="devtmpfs" ino=9
  type=LANDLOCK_DOMAIN msg=audit(1729738800.221:33): domain=1a6fdc679 status=allocated mode=enforcing pid=289 uid=0 exe="/root/sandboxer" comm="sandboxer"
  type=SYSCALL msg=audit(1729738800.221:33): arch=c000003e syscall=257 success=no exit=-13 [...] ppid=272 pid=289 auid=0 uid=0 gid=0 [...] comm="sh" [...]
  type=PROCTITLE msg=audit(1729738800.221:33): proctitle=7368002D63006563686F203E202F6574632F706173737764
  type=LANDLOCK_ACCESS msg=audit(1729738800.221:34): domain=1a6fdc679 blockers=fs.write_file path="/etc/passwd" dev="vda2" ino=143821
  type=SYSCALL msg=audit(1729738800.221:34): arch=c000003e syscall=257 success=no exit=-13 [...] ppid=272 pid=289 auid=0 uid=0 gid=0 [...] comm="sh" [...]
  type=PROCTITLE msg=audit(1729738800.221:34): proctitle=7368002D63006563686F203E202F6574632F706173737764
  type=LANDLOCK_DOMAIN msg=audit(1729738800.261:35): domain=1a6fdc679 status=deallocated denials=2


Event filtering
---------------

If you get spammed with audit logs related to Landlock, this is either an
attack attempt or a bug in the security policy. We can put in place some
filters to limit the noise in two complementary ways:

- with sys_landlock_restrict_self()'s flags if we can fix the sandboxed
  programs,
- or with audit rules (see :manpage:`auditctl(8)`).

Keep in mind that the ``denials`` field of the ``deallocated`` record still
counts the requests that such filters hid, so a gap between that counter and
the logged ``LANDLOCK_ACCESS`` records is expected once filtering is in place.

Additional documentation
========================

* `Linux Audit Documentation`_
* Documentation/userspace-api/landlock.rst
* Documentation/security/landlock.rst
* https://landlock.io

.. Links
.. _Linux Audit Documentation:
   https://github.com/linux-audit/audit-documentation/wiki
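The following script is an added example for this page; it is not part of the
kernel documentation nor of the Landlock project, and it only uses the Python
standard library. It parses raw audit record lines like those shown under
"Event samples" (copied here as constructed input, without the ``SYSCALL``
records and the fields the samples elide), groups them by serial number,
splits ``blockers`` into prefix and access right, decodes ``proctitle`` into
the command line, and compares the ``denials`` counter of each ``deallocated``
record with the ``LANDLOCK_ACCESS`` records actually seen for that domain.
That last check surfaces the caveat from the record description: a domain can
be released with more denials than were logged. The domain ``1a6fdc700`` in
the second sample is made up to exercise that case.

```python
"""Parse raw Landlock audit records and summarize them per domain.
Added example for this page, not code from the kernel docs or the Landlock project."""
import re
from collections import defaultdict

# Constructed input: records from the "Event samples" section above
# (SYSCALL records and the fields the samples elide are left out).
SAMPLE_LOG = """\
type=LANDLOCK_ACCESS msg=audit(1729738800.268:30): domain=1a6fdc66f blockers=scope.signal opid=1 ocomm="systemd"
type=LANDLOCK_DOMAIN msg=audit(1729738800.268:30): domain=1a6fdc66f status=allocated mode=enforcing pid=286 uid=0 exe="/root/sandboxer" comm="sandboxer"
type=PROCTITLE msg=audit(1729738800.268:30): proctitle=6B696C6C0031
type=LANDLOCK_DOMAIN msg=audit(1729738800.324:31): domain=1a6fdc66f status=deallocated denials=1
type=LANDLOCK_ACCESS msg=audit(1729738800.221:33): domain=1a6fdc679 blockers=fs.write_file path="/dev/tty" dev="devtmpfs" ino=9
type=LANDLOCK_DOMAIN msg=audit(1729738800.221:33): domain=1a6fdc679 status=allocated mode=enforcing pid=289 uid=0 exe="/root/sandboxer" comm="sandboxer"
type=PROCTITLE msg=audit(1729738800.221:33): proctitle=7368002D63006563686F203E202F6574632F706173737764
type=LANDLOCK_ACCESS msg=audit(1729738800.221:34): domain=1a6fdc679 blockers=fs.write_file path="/etc/passwd" dev="vda2" ino=143821
type=PROCTITLE msg=audit(1729738800.221:34): proctitle=7368002D63006563686F203E202F6574632F706173737764
type=LANDLOCK_DOMAIN msg=audit(1729738800.261:35): domain=1a6fdc679 status=deallocated denials=2
"""
# Constructed input with a made-up domain ID: one denial was logged but the
# release record counts three, so two were masked by audit rules or by the
# sys_landlock_restrict_self() log flags.
MASKED_LOG = """\
type=LANDLOCK_ACCESS msg=audit(1729738900.100:40): domain=1a6fdc700 blockers=fs.make_reg,fs.refer path="/usr/local" dev="vda2" ino=365
type=LANDLOCK_DOMAIN msg=audit(1729738900.100:40): domain=1a6fdc700 status=allocated mode=enforcing pid=300 uid=1000 exe="/root/sandboxer" comm="sandboxer"
type=LANDLOCK_DOMAIN msg=audit(1729738900.500:41): domain=1a6fdc700 status=deallocated denials=3
"""

RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value, quoted or bare


def parse_record(line):
    """Return {'type', 'serial', 'ts', 'fields'} or None for a non-audit line."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(m.group("body")):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # strip the quotes of path="..." and friends
        fields[key] = value
    return {"type": m.group("type"), "serial": int(m.group("serial")),
            "ts": float(m.group("ts")), "fields": fields}


def split_blockers(value):
    """'fs.make_reg,fs.refer' -> [('fs', 'make_reg'), ('fs', 'refer')]."""
    return [(b.partition(".")[0], b.partition(".")[2]) for b in value.split(",")]


def decode_proctitle(hexstr):
    """PROCTITLE is argv, hex-encoded, with NUL separators between arguments."""
    return bytes.fromhex(hexstr).decode("utf-8", "replace").split("\0")


def group_events(lines):
    """Group records by serial number: one audit event is one serial."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec["serial"]].append(rec)
    return dict(events)


TARGET_KEYS = ("path", "dev", "ino", "opid", "ocomm")  # object fields per access type


def summarize_domains(lines):
    """Per-domain view: creator (from 'allocated'), logged denials, release info."""
    domains = {}

    def domain(did):
        return domains.setdefault(did, {"creator": None, "logged": [],
                                        "released": False, "denials": None})

    for serial, records in sorted(group_events(lines).items()):
        argv = None
        for rec in records:  # PROCTITLE follows LANDLOCK_ACCESS, so scan it first
            if rec["type"] == "PROCTITLE":
                argv = decode_proctitle(rec["fields"]["proctitle"])
        for rec in records:
            f = rec["fields"]
            if rec["type"] == "LANDLOCK_ACCESS":
                domain(f["domain"])["logged"].append({
                    "serial": serial, "argv": argv,
                    "blockers": split_blockers(f["blockers"]),
                    "target": {k: f[k] for k in TARGET_KEYS if k in f}})
            elif rec["type"] == "LANDLOCK_DOMAIN":
                d = domain(f["domain"])
                if f["status"] == "allocated":
                    d["creator"] = {"pid": int(f["pid"]), "uid": int(f["uid"]),
                                    "exe": f["exe"], "comm": f["comm"], "mode": f["mode"]}
                elif f["status"] == "deallocated":
                    d["released"], d["denials"] = True, int(f["denials"])
    return domains


def unlogged_denials(domains):
    """Released domains whose 'denials' exceeds the LANDLOCK_ACCESS records seen.
    The gap is what audit rules or the log flags masked."""
    return {did: d["denials"] - len(d["logged"]) for did, d in domains.items()
            if d["released"] and d["denials"] > len(d["logged"])}
```

Feed it raw ``audit.log`` lines (or plain ``ausearch`` output), not
``ausearch -i`` output: the interpreted form rewrites values such as ``uid``,
``syscall`` and ``proctitle`` into names and decoded strings, which this parser
does not expect. Record order inside an event is relied upon only for
``proctitle``; everything else is keyed by the ``domain`` field.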