landlock_restrict_self¶
Intro¶
landlock_restrict_self - restrict the current process from creating new objects
Description¶
This system call creates the specified restrictions on the current process. Specifically, it prevents the process from creating any new objects or changing the labels or container of existing objects. This is useful when a process needs to be restricted from unintended activities, such as creating new executable files, opening a socket, or executing code. The restrictions are enforced on the entire process and cannot be circumvented by the process itself.
The system call takes two parameters: a file descriptor, ruleset_fd, to a ruleset object that defines the restrictions, and flags that control the behavior of the system call. The ruleset file descriptor can point to either a ruleset object or a filesystem object.
The flags parameter can be used to control how the new restriction is applied. For example, setting the PARSE_ARGUMENT flag will cause the system call to parse the arguments before applying the new restriction. This can help prevent undesired system call behaviors.
Arguments¶
- ruleset_fd:int[U] - a file descriptor pointing to a ruleset object or a filesystem object.
- flags:u32[U] - a bitmask of flags that control the behavior of the system call.
Available Tags¶
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
Hooks¶
sys_landlock_restrict_self¶
Type¶
Kprobe
Purpose¶
This system call is hooked to restrict the current process from creating new objects or changing the labels or container of existing objects.
Example Use Case¶
landlock_restrict_self can be used to limit the capabilities of an untrusted process, such as one downloaded from an unverified source on the internet. By setting the appropriate restrictions on the file descriptor supplied as an argument, it is possible to limit the actions taken by a potentially malicious process.
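A sketch of the call sequence that produces this event, added here as an example and not taken from Tracee's code: a forked child builds a ruleset, calls landlock_restrict_self with that ruleset_fd and flags set to 0, and then confirms that a file it could write before is now denied. The function names and the file path are hypothetical, and the Landlock constants and syscall numbers (444 and 446, the values on x86-64 and arm64) are defined inline as an assumption so the file builds without `<linux/landlock.h>`.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Landlock UAPI values, copied inline (assumed x86-64/arm64 syscall numbers). */
#define NR_LANDLOCK_CREATE_RULESET 444
#define NR_LANDLOCK_RESTRICT_SELF  446
#define ACCESS_FS_WRITE_FILE (1ULL << 1)
#define ACCESS_FS_MAKE_REG   (1ULL << 8)
struct ruleset_attr { uint64_t handled_access_fs; }; /* ABI v1 layout */

/* Child body: 0 = write denied after restricting, 1 = still allowed, 2 = demo not possible. */
static int child_restrict_and_write(const char *path)
{
    struct ruleset_attr attr = { ACCESS_FS_WRITE_FILE | ACCESS_FS_MAKE_REG };
    int rc = 2;
    int fd = open(path, O_WRONLY | O_CREAT, 0600); /* baseline: writable before restriction */
    if (fd < 0)
        return 2;
    close(fd);
    /* Handled rights with no allow rules are denied everywhere once enforced. */
    int ruleset_fd = (int)syscall(NR_LANDLOCK_CREATE_RULESET, &attr, sizeof(attr), 0);
    /* An unprivileged caller must set no_new_privs, or restrict_self fails with EPERM. */
    if (ruleset_fd >= 0 && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 &&
        syscall(NR_LANDLOCK_RESTRICT_SELF, ruleset_fd, 0) == 0) { /* the traced call */
        fd = open(path, O_WRONLY);
        rc = fd >= 0 ? 1 : 0;
        if (fd >= 0)
            close(fd);
    }
    unlink(path); /* still permitted: the ruleset does not handle file removal */
    return rc;
}

/* Runs the demo in a fork so the caller stays unrestricted.
 * Returns 1 = write blocked, 0 = not blocked, -1 = Landlock unavailable. */
int landlock_blocks_write(const char *path)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(child_restrict_and_write(path));
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    int code = WEXITSTATUS(status);
    return code == 0 ? 1 : (code == 1 ? 0 : -1);
}

int main(void) { printf("result: %d\n", landlock_blocks_write("/tmp/landlock_demo.tmp")); return 0; }
```

A result of -1 covers kernels without Landlock and sandboxes whose seccomp policy filters the Landlock syscalls.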
Issues¶
The flags argument is optional, which can create issues where certain side effects of the system call are not taken into consideration.
Related Events¶
- landlock_unrestrict_self: remove the previously set restrictions imposed by landlock_restrict_self
- landlock_get_restrictions: retrieve the restrictions previously set by landlock_restrict_self
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.