Lines Matching refs:ruleset
33 perform. A set of rules is aggregated in a ruleset, which can then restrict
50 We first need to define the ruleset that will contain our rules.
52 For this example, the ruleset will contain rules that only allow filesystem
56 The ruleset then needs to handle both these kinds of actions. This is
132 This enables the creation of an inclusive ruleset that will contain our rules.
140 perror("Failed to create a ruleset");
144 We can now add a new rule to this ruleset thanks to the returned file
145 descriptor referring to this ruleset. The rule will only allow reading the
147 denied by the ruleset. To add ``/usr`` to the ruleset, we open it with the
171 perror("Failed to update ruleset");
177 for the ruleset creation, by filtering access rights according to the Landlock
195 (e.g. through a SUID binary). We now have a ruleset with the first rule
207 The current thread is now ready to sandbox itself with the ruleset.
212 perror("Failed to enforce ruleset");
223 with the new ruleset.
253 Each time a thread enforces a ruleset on itself, it updates its Landlock domain
256 can then safely add more constraints to itself with a new enforced ruleset.
321 for a set of actions by specifying it on a ruleset. For example, if a
382 ruleset gets enforced and the process keeps file descriptors which were opened
385 of the involved processes do not have an enforced Landlock ruleset.
395 associated bitflags, particularly the ruleset's ``handled_access_fs``. Making
448 Creating a new ruleset
457 Extending a ruleset
467 Enforcing a ruleset
487 according to the handled accesses of a ruleset. However, files that do not
495 restrict such paths with dedicated ruleset flags.
501 task willing to enforce a new ruleset in complement to its 16 inherited
545 restrict access to files, also implies inheritance of the ruleset restrictions
589 ``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET`` to the ``scoped`` ruleset attribute.
596 ``scoped`` ruleset attribute.