path: root/run_landlock.1
Diffstat (limited to 'run_landlock.1')
-rw-r--r-- run_landlock.1 | 59
1 files changed, 59 insertions, 0 deletions
diff --git a/run_landlock.1 b/run_landlock.1
new file mode 100644
index 0000000..f5fd3ae
--- /dev/null
+++ b/run_landlock.1
@@ -0,0 +1,59 @@
+.TH run_landlock 1 run_landlock\-VERSION
+.SH NAME
+run_landlock \- Execute a command in Landlock
+.SH SYNOPSIS
+.B run_landlock
+.RB [ \-hv ]
+.RB [[ \-r
+.IR "type subject actions" "] ...]"
+.I command
+.RI [ arguments ...]
+.SH DESCRIPTION
+.B run_landlock
+executes the specified
+.I command
+inside a Landlock sandbox environment.
+.SH OPTIONS
+.TP
+.B \-h
+Prints a short help message to stdout, then exits.
+.TP
+.BI \-r " type subject actions"
+Authorizes a list of comma-separated
+.I actions
+on the given
+.IR subject .
+The
+.I type
+argument specifies the type of the subject (either 'path' or 'port'). This option
+can appear multiple times.
+.TP
+.B \-v
+Prints version information to stdout, then exits.
+.SH ACTIONS
+Actions can be referenced by their lower-case, snake-case names. For example, to reference the
+.B LANDLOCK_ACCESS_FS_REFER
+action, use 'fs_refer'. run_landlock also implements two special
+actions, 'fs_all' and 'net_all', which combine every action of a given type.
+.P
+run_landlock supports Landlock ABI version 5. To learn more about Landlock and Landlock actions, see
+.BR landlock (7).
+.SH EXAMPLE
+This example shows how to execute
+.BR ls (1)
+in the current directory using run_landlock. Since most systems are dynamically
+linked, it is often required grant read and execute access to the entire
+filesystem in order to call any executable at all.
+.P
+.in +4n
+.EX
+run_landlock
+ -r path . fs_read_dir
+ -r path / fs_read_file,fs_execute
+ ls
+.EE
+.in
+.SH AUTHOR
+B. Bergeron <[email protected]>
+.SH SEE ALSO
+.BR landlock "(7), " strace (1)
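Review bot: The EXAMPLE command is split over four lines inside .EX/.EE with no line continuations, so it renders as four separate lines and a shell treats each pasted line as its own command. End each continued line with "\e" (roff for a literal backslash) or put the command on one line, and write the options as "\-r" as SYNOPSIS and OPTIONS already do. In the same section, "it is often required grant" is missing "to", and it is executables rather than systems that are dynamically linked. Under ACTIONS, "supports Landlock ABI version 5" does not say what happens on a kernel with a lower ABI or without Landlock. The page should state whether run_landlock refuses to start the command or runs it with fewer or no restrictions, since that decides whether the sandbox can be relied on. An EXIT STATUS section would also help callers tell a sandbox setup failure from the command's own failure.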