
landlock_restrict_self

Intro

landlock_restrict_self - restrict the current process from creating new objects

Description

This system call creates the specified restrictions on the current process. Specifically, it prevents the process from creating any new objects or changing the labels or container of existing objects. This is useful when a process needs to be restricted from unintended activities, such as creating new executable files, opening a socket, or executing code. The restrictions are enforced on the entire process and cannot be circumvented by the process itself.

The system call takes two parameters: ruleset_fd, a file descriptor referring to a ruleset object that defines the restrictions, and flags, which control the behavior of the system call. The ruleset file descriptor can point to either a ruleset object or a filesystem object.

The flags parameter can be used to control how the new restriction is applied. For example, setting the PARSE_ARGUMENT flag will cause the system call to parse the arguments before applying the new restriction. This can help prevent undesired system call behaviors.

Arguments

  • ruleset_fd: int[U] - a file descriptor pointing to a ruleset object or a filesystem object.
  • flags: u32[U] - a bitmask of flags that control the behavior of the system call.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

sys_landlock_restrict_self

Type

Kprobe

Purpose

This system call is hooked to restrict the current process from creating new objects or changing the labels or container of existing objects.

Example Use Case

landlock_restrict_self can be used to limit the capabilities of an untrusted process, such as one downloaded from an unverified source on the internet. By setting the appropriate restrictions on the file descriptor supplied as an argument, it is possible to limit the actions taken by a potentially malicious process.

Issues

The flags argument is optional, which can create issues where certain side effects of the system call are not taken into consideration.
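Because this event is produced from a kprobe on sys_landlock_restrict_self and carries only the two arguments listed above, the practical consumer-side check is to inspect each event for a usable ruleset_fd and a flags value that the monitored workload is expected to pass. The following Python script is an added example, not part of the Tracee documentation or the Tracee code base: it reads Tracee-style JSON event lines and reports calls whose ruleset_fd is missing or negative, whose flags argument is absent (the OPT case described in Issues), or whose flags value is outside an allowlist. The event field names (eventName, processId, processName, and an args list of name/type/value objects), the EXPECTED_FLAGS allowlist and the sample lines are assumptions constructed for the example; the argument names ruleset_fd and flags come from the Arguments section of this page.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Event name as documented on this page.
EVENT_NAME = "landlock_restrict_self"

# Assumption: flag values the monitored workload is expected to pass. The page
# documents flags only as a u32 bitmask, so this allowlist must be tuned per
# deployment; anything outside it is reported for review.
EXPECTED_FLAGS = {0}


@dataclass
class Finding:
    pid: int
    comm: str
    ruleset_fd: Optional[int]
    flags: Optional[int]
    reason: str


def _arg(event: dict, name: str):
    """Return the value of the named argument, or None if it is absent."""
    for arg in event.get("args", []):
        if arg.get("name") == name:
            return arg.get("value")
    return None


def inspect_event(event: dict) -> Optional[Finding]:
    """Return a Finding for a suspicious landlock_restrict_self event, else None."""
    if event.get("eventName") != EVENT_NAME:
        return None  # not the event this check is about
    pid = event.get("processId", -1)
    comm = event.get("processName", "?")
    fd = _arg(event, "ruleset_fd")
    flags = _arg(event, "flags")
    if fd is None or fd < 0:
        return Finding(pid, comm, fd, flags, "missing or invalid ruleset_fd")
    if flags is None:
        # OPT tag: the argument may be absent, so its side effects cannot be judged.
        return Finding(pid, comm, fd, flags, "flags argument absent")
    if flags not in EXPECTED_FLAGS:
        return Finding(pid, comm, fd, flags, f"unexpected flags value 0x{flags:x}")
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Parse newline-delimited JSON events and collect findings in input order."""
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise in the stream
        finding = inspect_event(event)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events in the assumed Tracee-style JSON layout.
SAMPLE_EVENTS = [
    '{"eventName":"landlock_restrict_self","processId":4242,"processName":"sandboxed",'
    '"args":[{"name":"ruleset_fd","type":"int","value":3},{"name":"flags","type":"u32","value":0}]}',
    '{"eventName":"landlock_restrict_self","processId":4243,"processName":"updater",'
    '"args":[{"name":"ruleset_fd","type":"int","value":5},{"name":"flags","type":"u32","value":128}]}',
    '{"eventName":"landlock_restrict_self","processId":4244,"processName":"worker",'
    '"args":[{"name":"ruleset_fd","type":"int","value":3}]}',
    '{"eventName":"landlock_restrict_self","processId":4245,"processName":"broken",'
    '"args":[{"name":"ruleset_fd","type":"int","value":-1},{"name":"flags","type":"u32","value":0}]}',
    '{"eventName":"openat","processId":4246,"processName":"cat","args":[]}',
    "not json at all",
]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid={f.pid} comm={f.comm} ruleset_fd={f.ruleset_fd} "
              f"flags={f.flags}: {f.reason}")
```

Run against the constructed sample, the script reports three of the four landlock_restrict_self events (the non-zero flags value, the absent flags argument, and the negative ruleset_fd) and ignores the unrelated openat event and the malformed line.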

Related Events

  • landlock_unrestrict_self: remove the previously set restrictions imposed by landlock_restrict_self
  • landlock_get_restrictions: retrieve the restrictions previously set by landlock_restrict_self

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user read the "events.go" source file to understand the events and their arguments better.