xref: /linux/Documentation/admin-guide/LSM/landlock.rst (revision bba2c3615bd6cfee7456d1130f2e6b01b3f4e9ba) 
1.. SPDX-License-Identifier: GPL-2.0
2.. Copyright © 2025 Microsoft Corporation
3
4================================
5Landlock: system-wide management
6================================
7
8:Author: Mickaël Salaün
9:Date: June 2026
10
11Landlock can leverage the audit framework to log events.
12
13User space documentation can be found here:
14Documentation/userspace-api/landlock.rst.
15
16Audit
17=====
18
19Denied access requests are logged by default for a sandboxed program if `audit`
20is enabled.  This default behavior can be changed with the
21sys_landlock_restrict_self() flags (cf.
22Documentation/userspace-api/landlock.rst), or suppressed on a per-object
23basis by using ``LANDLOCK_ADD_RULE_QUIET`` (ABI 10+).  Landlock logs can
24also be masked thanks to audit rules.  Landlock can generate 2 audit
25record types.
26
27Record types
28------------
29
30AUDIT_LANDLOCK_ACCESS
31    This record type identifies a denied access request to a kernel resource.
32    The ``domain`` field indicates the ID of the domain that blocked the
33    request.  The ``blockers`` field indicates the cause(s) of this denial
34    (separated by a comma), and the following fields identify the kernel object
35    (similar to SELinux).  There may be more than one of this record type per
36    audit event.
37
38    Example with a file link request generating two records in the same event::
39
40        domain=195ba459b blockers=fs.refer path="/usr/bin" dev="vda2" ino=351
41        domain=195ba459b blockers=fs.make_reg,fs.refer path="/usr/local" dev="vda2" ino=365
42
43
44    The ``blockers`` field uses dot-separated prefixes to indicate the type of
45    restriction that caused the denial:
46
47    **fs.*** - Filesystem access rights (ABI 1+):
48        - fs.execute, fs.write_file, fs.read_file, fs.read_dir
49        - fs.remove_dir, fs.remove_file
50        - fs.make_char, fs.make_dir, fs.make_reg, fs.make_sock
51        - fs.make_fifo, fs.make_block, fs.make_sym
52        - fs.refer (ABI 2+)
53        - fs.truncate (ABI 3+)
54        - fs.ioctl_dev (ABI 5+)
55
56    **net.*** - Network access rights (ABI 4+):
57        - net.bind_tcp - TCP port binding was denied
58        - net.connect_tcp - TCP connection was denied
59        - net.bind_udp - UDP port binding was denied
60        - net.connect_send_udp - UDP connection and send was denied
61
62    **scope.*** - IPC scoping restrictions (ABI 6+):
63        - scope.abstract_unix_socket - Abstract UNIX socket connection denied
64        - scope.signal - Signal sending denied
65
66    Multiple blockers can appear in a single event (comma-separated) when
67    multiple access rights are missing. For example, creating a regular file
68    in a directory that lacks both ``make_reg`` and ``refer`` rights would show
69    ``blockers=fs.make_reg,fs.refer``.
70
71    The object identification fields (path, dev, ino for filesystem; opid,
72    ocomm for signals) depend on the type of access being blocked and provide
73    context about what resource was involved in the denial.
74
75
76AUDIT_LANDLOCK_DOMAIN
77    This record type describes the status of a Landlock domain.  The ``status``
78    field can be either ``allocated`` or ``deallocated``.
79
80    The ``allocated`` status is part of the same audit event and follows
81    the first logged ``AUDIT_LANDLOCK_ACCESS`` record of a domain.  It identifies
82    Landlock domain information at the time of the sys_landlock_restrict_self()
83    call with the following fields:
84
85    - the ``domain`` ID
86    - the enforcement ``mode``
87    - the domain creator's ``pid``
88    - the domain creator's ``uid``
89    - the domain creator's executable path (``exe``)
90    - the domain creator's command line (``comm``)
91
92    Example::
93
94        domain=195ba459b status=allocated mode=enforcing pid=300 uid=0 exe="/root/sandboxer" comm="sandboxer"
95
96    The ``deallocated`` status is an event on its own and it identifies a
97    Landlock domain release.  After such event, it is guarantee that the
98    related domain ID will never be reused during the lifetime of the system.
99    The ``domain`` field indicates the ID of the domain which is released, and
100    the ``denials`` field indicates the total number of denied access request,
101    which might not have been logged according to the audit rules and
102    sys_landlock_restrict_self()'s flags.
103
104    Example::
105
106        domain=195ba459b status=deallocated denials=3
107
108
109Event samples
110--------------
111
112Here are two examples of log events (see serial numbers).
113
114In this example a sandboxed program (``kill``) tries to send a signal to the
115init process, which is denied because of the signal scoping restriction
116(``LL_SCOPED=s``)::
117
118  $ LL_FS_RO=/ LL_FS_RW=/ LL_SCOPED=s LL_FORCE_LOG=1 ./sandboxer kill 1
119
120This command generates two events, each identified with a unique serial
121number following a timestamp (``msg=audit(1729738800.268:30)``).  The first
122event (serial ``30``) contains 4 records.  The first record
123(``type=LANDLOCK_ACCESS``) shows an access denied by the domain `1a6fdc66f`.
124The cause of this denial is signal scoping restriction
125(``blockers=scope.signal``).  The process that would have receive this signal
126is the init process (``opid=1 ocomm="systemd"``).
127
128The second record (``type=LANDLOCK_DOMAIN``) describes (``status=allocated``)
129domain `1a6fdc66f`.  This domain was created by process ``286`` executing the
130``/root/sandboxer`` program launched by the root user.
131
132The third record (``type=SYSCALL``) describes the syscall, its provided
133arguments, its result (``success=no exit=-1``), and the process that called it.
134
135The fourth record (``type=PROCTITLE``) shows the command's name as an
136hexadecimal value.  This can be translated with ``python -c
137'print(bytes.fromhex("6B696C6C0031"))'``.
138
139Finally, the last record (``type=LANDLOCK_DOMAIN``) is also the only one from
140the second event (serial ``31``).  It is not tied to a direct user space action
141but an asynchronous one to free resources tied to a Landlock domain
142(``status=deallocated``).  This can be useful to know that the following logs
143will not concern the domain ``1a6fdc66f`` anymore.  This record also summarize
144the number of requests this domain denied (``denials=1``), whether they were
145logged or not.
146
147.. code-block::
148
149  type=LANDLOCK_ACCESS msg=audit(1729738800.268:30): domain=1a6fdc66f blockers=scope.signal opid=1 ocomm="systemd"
150  type=LANDLOCK_DOMAIN msg=audit(1729738800.268:30): domain=1a6fdc66f status=allocated mode=enforcing pid=286 uid=0 exe="/root/sandboxer" comm="sandboxer"
151  type=SYSCALL msg=audit(1729738800.268:30): arch=c000003e syscall=62 success=no exit=-1 [..] ppid=272 pid=286 auid=0 uid=0 gid=0 [...] comm="kill" [...]
152  type=PROCTITLE msg=audit(1729738800.268:30): proctitle=6B696C6C0031
153  type=LANDLOCK_DOMAIN msg=audit(1729738800.324:31): domain=1a6fdc66f status=deallocated denials=1
154
155Here is another example showcasing filesystem access control::
156
157  $ LL_FS_RO=/ LL_FS_RW=/tmp LL_FORCE_LOG=1 ./sandboxer sh -c "echo > /etc/passwd"
158
159The related audit logs contains 8 records from 3 different events (serials 33,
16034 and 35) created by the same domain `1a6fdc679`::
161
162  type=LANDLOCK_ACCESS msg=audit(1729738800.221:33): domain=1a6fdc679 blockers=fs.write_file path="/dev/tty" dev="devtmpfs" ino=9
163  type=LANDLOCK_DOMAIN msg=audit(1729738800.221:33): domain=1a6fdc679 status=allocated mode=enforcing pid=289 uid=0 exe="/root/sandboxer" comm="sandboxer"
164  type=SYSCALL msg=audit(1729738800.221:33): arch=c000003e syscall=257 success=no exit=-13 [...] ppid=272 pid=289 auid=0 uid=0 gid=0 [...] comm="sh" [...]
165  type=PROCTITLE msg=audit(1729738800.221:33): proctitle=7368002D63006563686F203E202F6574632F706173737764
166  type=LANDLOCK_ACCESS msg=audit(1729738800.221:34): domain=1a6fdc679 blockers=fs.write_file path="/etc/passwd" dev="vda2" ino=143821
167  type=SYSCALL msg=audit(1729738800.221:34): arch=c000003e syscall=257 success=no exit=-13 [...] ppid=272 pid=289 auid=0 uid=0 gid=0 [...] comm="sh" [...]
168  type=PROCTITLE msg=audit(1729738800.221:34): proctitle=7368002D63006563686F203E202F6574632F706173737764
169  type=LANDLOCK_DOMAIN msg=audit(1729738800.261:35): domain=1a6fdc679 status=deallocated denials=2
170
171
172Event filtering
173---------------
174
175If you get spammed with audit logs related to Landlock, this is either an
176attack attempt or a bug in the security policy.  We can put in place some
177filters to limit noise with two complementary ways:
178
179- with sys_landlock_restrict_self()'s flags, or
180  ``LANDLOCK_ADD_RULE_QUIET`` (ABI 10+) if we can fix the sandboxed
181  programs,
182- or with audit rules (see :manpage:`auditctl(8)`).
183
184Additional documentation
185========================
186
187* `Linux Audit Documentation`_
188* Documentation/userspace-api/landlock.rst
189* Documentation/security/landlock.rst
190* https://landlock.io
191
192.. Links
193.. _Linux Audit Documentation:
194   https://github.com/linux-audit/audit-documentation/wiki
195