.\" Generated by scdoc 1.11.3
.\" Complete documentation for this program is not available as a GNU info page
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.nh
.ad l
.\" Begin generated content:
.TH "SYD-LOCK" "1" "2025-02-14"
.PP
.SH NAME
.PP
syd-lock - Run a command under Landlock
.PP
.SH SYNOPSIS
.PP
\fBsyd-lock\fR \fI[-hvAV]\fR \fI[-r path].\&.\&.\&\fR \fI[-w path].\&.\&.\&\fR \fI[-b port].\&.\&.\&\fR \fI[-c port].\&.\&.\&\fR \fI{command [args.\&.\&.\&]}\fR
.PP
.SH DESCRIPTION
.PP
The \fBsyd-lock\fR utility runs a command under Landlock.\&
Read-only and read-write paths should be specified using the \fI-r\fR and \fI-w\fR parameters.\&
Path arguments must be fully-qualified, relative paths are not permitted.\&
\fIbind\fR(2) and \fIconnect\fR(2) ports may be specified using the \fI-b\fR and \fI-c\fR parameters.\&
Argument is either a single port or a closed range in format \fBport1-port2\fR.\&
Use \fI-V\fR option to check for Landlock support.\&
The specific support level may be determined by the exit code.\&
Use \fI-A\fR option to check for Landlock ABI version.\&
.PP
.SH OPTIONS
.PP
.TS
l lx
l lx
l lx
l lx
l lx
l lx
l lx
l lx.
T{
\fB-h\fR
T}	T{
Display help.\&
T}
T{
\fB-v\fR
T}	T{
Be verbose.\& Print Landlock status to standard error before running the specified command.\&
T}
T{
\fB-A\fR
T}	T{
Print ABI version on standard output and exit with ABI version as exit code, rather than running a command.\& Use for scripting.\&
T}
T{
\fB-V\fR
T}	T{
Check if Landlock is supported and print ABI version, rather than running a command.\&
T}
T{
\fB-r\fR \fIpath\fR
T}	T{
Specify a read-only path, may be repeated.\& In this context, read-only includes execute operations.\&
T}
T{
\fB-w\fR \fIpath\fR
T}	T{
Specify a read-write path, may be repeated.\& In this context, read-write includes execute and \fIioctl\fR(2) operations.\&
T}
T{
\fB-b\fR \fIport\fR
T}	T{
Specify a port for \fIbind\fR(2), may be repeated.\& Argument is either a single port or a closed range in format \fBport1-port2\fR.\&
T}
T{
\fB-c\fR \fIport\fR
T}	T{
Specify a port for \fIconnect\fR(2), may be repeated.\& Argument is either a single port or a closed range in format \fBport1-port2\fR.\&
T}
.TE
.sp 1
.SH EXIT CODES
.PP
When running a command, \fBsyd-lock\fR exits with the same exit code as the command.\&
.PP
When running in check mode with \fI-A\fR, syd exits with ABI version as exit code.\&
.PP
When running in check mode with \fI-V\fR, syd may exit with the following exit codes:
.PP
.TS
l lx
l lx
l lx
l lx.
T{
\fB0\fR
T}	T{
Fully enforced
T}
T{
\fB1\fR
T}	T{
Partially enforced
T}
T{
\fB2\fR
T}	T{
Not enforced
T}
T{
\fB127\fR
T}	T{
Not supported
T}
.TE
.sp 1
.SH ABI
.PP
Landlock ABI versioning makes it possible to adjust the security policy according to the kernel capabilities.\&
.PP
.SH HISTORY
.PP
.PD 0
.IP 1. 4
First Landlock ABI, introduced with Linux 5.\&13: https://git.\&kernel.\&org/stable/c/17ae69aba89dbfa2139b7f8024b757ab3cc42f59
.IP 2. 4
Second Landlock ABI, introduced with Linux 5.\&19: https://git.\&kernel.\&org/stable/c/cb44e4f061e16be65b8a16505e121490c66d30d0
.IP 3. 4
Third Landlock ABI, introduced with Linux 6.\&2: https://git.\&kernel.\&org/stable/c/299e2b1967578b1442128ba8b3e86ed3427d3651
.IP 4. 4
Fourth Landlock ABI, introduced with Linux 6.\&7: https://git.\&kernel.\&org/stable/c/136cc1e1f5be75f57f1e0404b94ee1c8792cb07d
.IP 5. 4
Fifth Landlock ABI, introduced with Linux 6.\&10: https://git.\&kernel.\&org/stable/c/2fc0e7892c10734c1b7c613ef04836d57d4676d5
.IP 6. 4
Sixth Landlock ABI, introduced with Linux 6.\&12.\&
.PD
.PP
.SH EXAMPLE
.PP
.nf
.RS 4
alip@syd:~|⇒ syd-lock wget -O/dev/null chesswob\&.org
alip@syd:~|⇒ syd-lock -r/ wget -O/dev/null chesswob\&.org
/dev/null: Permission denied
alip@syd:~|⇒ syd-lock -r/ -w/dev/null wget -O/dev/null chesswob\&.org
--2024-11-30 16:52:51-- http://chesswob\&.org/
Resolving chesswob\&.org\&.\&.\&. 95\&.216\&.39\&.164, fe80::468a:5bff:fe88:2141
Connecting to chesswob\&.org|95\&.216\&.39\&.164|:80\&.\&.\&. failed: Permission denied\&.
Connecting to chesswob\&.org|fe80::468a:5bff:fe88:2141|:80\&.\&.\&. failed: Permission denied\&.
Retrying\&.
^C
alip@syd:~|⇒ syd-lock -r/ -w/dev/null -c80 -c443 wget -O/dev/null chesswob\&.org
--2024-11-30 16:53:00-- http://chesswob\&.org/
Resolving chesswob\&.org\&.\&.\&. 95\&.216\&.39\&.164, fe80::468a:5bff:fe88:2141
Connecting to chesswob\&.org|95\&.216\&.39\&.164|:80\&.\&.\&. connected\&.
HTTP request sent, awaiting response\&.\&.\&. 302 Moved Temporarily
Location: https://www\&.chesswob\&.org/ [following]
--2024-11-30 16:53:00-- https://www\&.chesswob\&.org/
Resolving www\&.chesswob\&.org\&.\&.\&. 95\&.216\&.39\&.164, fe80::468a:5bff:fe88:2141
Connecting to www\&.chesswob\&.org|95\&.216\&.39\&.164|:443\&.\&.\&. connected\&.
HTTP request sent, awaiting response\&.\&.\&. 200 OK
Length: 148827 (145K) [text/html]
Saving to: ‘/dev/null’
/dev/null 100%[========================================================================================>] 145\&.34K --\&.-KB/s in 0\&.1s
2024-11-30 16:53:00 (1\&.04 MB/s) - ‘/dev/null’ saved [148827/148827]
alip@syd:~|⇒
.fi
.RE
.PP
.SH SEE ALSO
.PP
\fIsyd\fR(1), \fIsyd\fR(2), \fIsyd\fR(5), \fIsyd-pds\fR(1)
.PP
\fBsyd\fR homepage: https://sydbox.\&exherbolinux.\&org/
.PP
\fBLandLock\fR homepage: https://landlock.\&io/
.PP
.SH AUTHORS
.PP
Maintained by Ali Polatel.\&
Up-to-date sources can be found at https://gitlab.\&exherbo.\&org/sydbox/sydbox.\&git and bugs/patches can be submitted to https://gitlab.\&exherbo.\&org/groups/sydbox/-/issues.\&
Discuss in #sydbox on Libera Chat.\&
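.PP
The scripting use of -A and -V described under OPTIONS and EXIT CODES, as an added example that is not part of syd or of the original manual: a wrapper that validates the -r/-w/-b/-c arguments and refuses to run when the kernel cannot enforce them. The function names, the script name lock-checked.sh and the 0-65535 port bounds are assumptions; that Landlock TCP bind/connect rules arrived with ABI 4 is a kernel fact, not something syd-lock documents here.

```shell
#!/bin/sh
# Added example (not part of syd): pre-flight checks for syd-lock options.

# Accept "port" or "port1-port2". The 0..65535 bound and port1 <= port2
# are assumptions; the manual only gives the format.
valid_port_spec() {
    case $1 in
        ''|*[!0-9-]*|-*|*-|*-*-*) return 1 ;;
    esac
    lo=${1%-*} hi=${1#*-}
    [ "${#lo}" -le 5 ] && [ "${#hi}" -le 5 ] &&
        [ "$lo" -le "$hi" ] && [ "$hi" -le 65535 ]
}

# preflight ABI [options...]: print a reason and return 1 if an option is
# malformed or the given Landlock ABI cannot enforce it.
preflight() {
    abi=$1; shift
    OPTIND=1
    while getopts ":r:w:b:c:" opt; do
        case $opt in
            r|w)
                case $OPTARG in
                    /*) ;;
                    *) echo "not fully-qualified: $OPTARG"; return 1 ;;
                esac ;;
            b|c)
                valid_port_spec "$OPTARG" ||
                    { echo "bad port spec: $OPTARG"; return 1; }
                # Landlock gained TCP bind/connect rules in ABI 4.
                [ "$abi" -ge 4 ] ||
                    { echo "ABI $abi cannot enforce -$opt"; return 1; }
                ;;
            *) echo "unsupported option: -$OPTARG"; return 1 ;;
        esac
    done
}

# Run only when called with arguments and syd-lock is installed, e.g.
#   ./lock-checked.sh -r/ -w/dev/null -c80 -c443 wget -O/dev/null chesswob.org
if [ "$#" -gt 0 ] && command -v syd-lock >/dev/null 2>&1; then
    syd-lock -A >/dev/null 2>&1; abi=$?   # exit code is the ABI version
    preflight "$abi" "$@" >&2 || exit 2
    syd-lock -V >/dev/null 2>&1 ||        # 0 means fully enforced
        { echo "Landlock not fully enforced" >&2; exit 2; }
    exec syd-lock "$@"
fi
```

Option parsing stops at the first non-option word, so the sandboxed command's own flags are not inspected.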