Skip to content



landlock_add_rule - adds a security rule to the specified ruleset


landlock_add_rule is a system call used to add a security rule to a particular ruleset. The ruleset is specified by an ruleset_fd of type int, which identifies a particular rule set. The security rule itself is identified by the rule_type of type landlock_rule_type which specifies the type of rule being added. The rule_attr is of type void and is a pointer to a buffer that holds the attributes of the rule. The flags argument is of type u32 and it is used to control the behavior of the call.

This system call can be used to add a security rule to a particular ruleset which is useful to control the behavior of applications and resources. However, it is important to note that this system call should be used with caution as incorrect rules may create a vulnerability that could be exploited.


  • ruleset_fd:int[K] - file descriptor of the ruleset.
  • rule_type:landlock_rule_type[K] - type of security rule being added.
  • rule_attr:void*[K] - pointer to a buffer containing the attributes of the rule.
  • flags:u32[K] - flags to control the behavior of the call.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)




Kprobe + Kretprobe


Monitoring of the syscall being executed.

Example Use Case

landlock_add_rule could be used to limit access to a file by a particular user or group. The ruleset could be configured to deny any access from particular users or groups. This could be used to implement a more granular access control policy.


There are no known issues related to this system call.

  • landlock_remove_rule - removes a security rule from the specified ruleset.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.