NAME

syd-lock - Run a command under Landlock

SYNOPSIS

syd-lock [-hvAV] [-r path]... [-w path]... [-b port]... [-c port]... {command [args...]}

DESCRIPTION

The syd-lock utility runs a command under Landlock. Read-only and read-write paths should be specified using the -r and -w parameters. Path arguments must be fully-qualified, relative paths are not permitted. bind(2) and connect(2) ports may be specified using the -b and -c parameters. Argument is either a single port or a closed range in format port1-port2. Use -V option to check for Landlock support. The specific support level may be determined by the exit code. Use -A option to check for Landlock ABI version.

OPTIONS

EXIT CODES

When running a command, syd-lock exits with the same exit code as the command.

When running in check mode with -A, syd exits with ABI version as exit code.

When running in check mode with -V, syd may exit with the following exit codes:

ABI

Landlock ABI versioning makes it possible to adjust the security policy according to the kernel capabilities.

HISTORY

1.

First Landlock ABI, introduced with Linux 5.13: https://git.kernel.org/stable/c/17ae69aba89dbfa2139b7f8024b757ab3cc42f59

2.

Second Landlock ABI, introduced with Linux 5.19: https://git.kernel.org/stable/c/cb44e4f061e16be65b8a16505e121490c66d30d0

3.

Third Landlock ABI, introduced with Linux 6.2: https://git.kernel.org/stable/c/299e2b1967578b1442128ba8b3e86ed3427d3651

4.

Fourth Landlock ABI, introduced with Linux 6.7: https://git.kernel.org/stable/c/136cc1e1f5be75f57f1e0404b94ee1c8792cb07d

5.

Fifth Landlock ABI, introduced with Linux 6.10: https://git.kernel.org/stable/c/2fc0e7892c10734c1b7c613ef04836d57d4676d5

6.

Sixth Landlock ABI, introduced with Linux 6.12.

EXAMPLE

alip@syd:~|⇒  syd-lock wget -O/dev/null chesswob.org
alip@syd:~|⇒  syd-lock -r/ wget -O/dev/null chesswob.org
/dev/null: Permission denied
alip@syd:~|⇒  syd-lock -r/ -w/dev/null wget -O/dev/null chesswob.org
--2024-11-30 16:52:51--  http://chesswob.org/
Resolving chesswob.org... 95.216.39.164, fe80::468a:5bff:fe88:2141
Connecting to chesswob.org|95.216.39.164|:80... failed: Permission denied.
Connecting to chesswob.org|fe80::468a:5bff:fe88:2141|:80... failed: Permission denied.
Retrying.
^C
alip@syd:~|⇒  syd-lock -r/ -w/dev/null -c80 -c443 wget -O/dev/null chesswob.org
--2024-11-30 16:53:00--  http://chesswob.org/
Resolving chesswob.org... 95.216.39.164, fe80::468a:5bff:fe88:2141
Connecting to chesswob.org|95.216.39.164|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://www.chesswob.org/ [following]
--2024-11-30 16:53:00--  https://www.chesswob.org/
Resolving www.chesswob.org... 95.216.39.164, fe80::468a:5bff:fe88:2141
Connecting to www.chesswob.org|95.216.39.164|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 148827 (145K) [text/html]
Saving to: ‘/dev/null’
/dev/null 100%[========================================================================================>] 145.34K  --.-KB/s    in 0.1s
2024-11-30 16:53:00 (1.04 MB/s) - ‘/dev/null’ saved [148827/148827]
alip@syd:~|⇒

SEE ALSO

syd(1), syd(2), syd(5), syd-pds(1)

syd homepage: https://sydbox.exherbolinux.org/

LandLock homepage: https://landlock.io/

AUTHORS

Maintained by Ali Polatel. Up-to-date sources can be found at https://gitlab.exherbo.org/sydbox/sydbox.git and bugs/patches can be submitted to https://gitlab.exherbo.org/groups/sydbox/-/issues. Discuss in #sydbox on Libera Chat.