blob: f5fd3ae13c2f79527a046d67dcaea517c58026ba (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
|
.TH run_landlock 1 run_landlock\-VERSION
.SH NAME
run_landlock \- Execute a command in Landlock
.SH SYNOPSIS
.B run_landlock
.RB [ \-hv ]
.RB [[ \-r
.IR "type subject actions" "] ...]"
.I command
.RI [ arguments ...]
.SH DESCRIPTION
.B run_landlock
executes the specified
.I command
inside a Landlock sandbox environment.
.SH OPTIONS
.TP
.B \-h
Prints a short help message to stdout, then exits.
.TP
.BI \-r " type subject actions"
Authorizes a list of comma-separated
.I actions
on the given
.IR subject .
The
.I type
argument specifies the type of the subject (either 'path' or 'port'). This option
can appear multiple times.
.TP
.B \-v
Prints version information to stdout, then exits.
.SH ACTIONS
Actions can be referenced by their lower-case, snake-case names. For example, to reference the
.B LANDLOCK_ACCESS_FS_REFER
action, use 'fs_refer'. run_landlock also implements two special
actions, 'fs_all' and 'net_all', which combine every action of a given type.
.P
run_landlock supports Landlock ABI version 5. To learn more about Landlock and Landlock actions, see
.BR landlock (7).
.SH EXAMPLE
This example shows how to execute
.BR ls (1)
in the current directory using run_landlock. Since most systems are dynamically
linked, it is often required grant read and execute access to the entire
filesystem in order to call any executable at all.
.P
.in +4n
.EX
run_landlock
-r path . fs_read_dir
-r path / fs_read_file,fs_execute
ls
.EE
.in
.SH AUTHOR
B. Bergeron <[email protected]>
.SH SEE ALSO
.BR landlock "(7), " strace (1)
|
