| SYD-LOCK(1) | General Commands Manual | SYD-LOCK(1) |
syd-lock - Run a program under landlock(7)
syd-lock [-bchrvwASUV] [-C level] [-E errata] [-F flag]... [-l category[,category...]{+|-}path|port[-port]]... {command [args...]}
syd-lock utility runs a program under landlock(7). The program is confined by the given landlock(7) categories. Supported categories are read, write, exec, ioctl, create, delete, rename, symlink, truncate, readdir, mkdir, rmdir, mkbdev, mkcdev, mkfifo, bind, and connect. Categories other than bind and connect must specify paths to be confined. Both absolute and relative paths are permitted. Categories bind and connect must specify a network port or closed port range separated by dash. Zero is a valid port number to confine binds and connects to ephemeral ports. bind category also supports absolute UNIX domain socket paths to confine their creation via mknod(2). For full details and specific behavior of each landlock(7) category, refer to the Sandboxing and Lock Sandboxing sections of the syd(7) manual page.
| -h | Display help. |
| -v | Be verbose. Print landlock(7) status to stderr(3) before running the program. |
| -V | Print landlock(7) ABI version on stdout(3). |
| -A | Print landlock(7) ABI version on stdout(3) and exit with it as exit code. Use for scripting. |
| -l cat[,cat...]{+|-}path|port[-port] | Add or remove a landlock(7) rule with categories and an associated resource (path or port), may be repeated. |
| Join categories and resource by either a "+" (plus) for add or a "-" (minus) for remove. | |
| Resource must be a path for all categories except bind and connect. | |
| Resource must be a port or a dash-delimited closed port range for bind and connect. | |
| Resource may also be a UNIX domain socket path for bind to confine mknod(2) with S_IFSOCK. | |
| Both absolute and relative paths are permitted for all categories except bind which requires an absolute path. | |
| Paths are stored as hash sets and ports as fixed bit sets to make stacking options simple and predictable. | |
| -C level | Set landlock(7) compatibility level. Must be one of hard-requirement, soft-requirement, and best-effort. |
| Default is hard-requirement to adhere to the principle of secure defaults. | |
| Level can be given shortly as hard (or h), soft (or s) and best (or b). | |
| -E errata | Query supported landlock(7) errata fixes. Use -E list to print list of known erratas. |
| The argument may be a name or number. Use a number to query undefined erratas. | |
| Multiple erratas may be specified split by commas. | |
| -F flags | Set landlock_restrict_self(2) flags. Use -F list to print a list of flags. |
| See the FLAGS section for information on flags and their functionality. | |
| -S | Enable scoped signals introduced with landlock(7) ABI 6. |
| -U | Enable scoped UNIX abstract sockets introduced with landlock(7) ABI 6. |
| -r path | Specify a read-only path, may be repeated. Equivalent to -l read,readdir,exec,ioctl+path. |
| -w path | Specify a read-write path, may be repeated. Equivalent to -l all+path. |
| -b port[-port] | Specify a port for bind(2), may be repeated. Equivalent to -l bind+port. |
| -c port[-port] | Specify a port for connect(2), may be repeated. Equivalent to -l connect+port. |
landlock(7) categories and their associated resources (paths or ports) are given with the -l option. This option accepts a comma separated list of categories, followed by either a "+" (plus) or a "-" (minus) symbol indicating to add or remove the given rule. Rulesets store paths as hash sets and ports as fixed bit sets to allow for simple and predictable stacking of multiple -l options. Use -V option to check for landlock(7) support in the Linux kernel. The specific support level may be determined by the exit code. Use -A option to check for landlock(7) ABI version.
landlock(7) ABI versioning makes it possible to adjust the security policy according to kernel capabilities. syd-lock has support for landlock(7) ABI 7 which is new in Linux-6.15. See the HISTORY section for information on when each landlock(7) ABI was introduced to the Linux kernel.
As of version 3.38.0, multiple categories may be specified split by commas and the following sets are defined to streamline sandbox profile composition. Names are intentionally chosen to be consistent with OpenBSD's pledge(2):
| all | All filesystem access rights |
| rpath | read, readdir |
| wpath | write, truncate |
| cpath | create, delete, rename |
| dpath | mkbdev, mkcdev |
| spath | mkfifo, symlink |
| tpath | mkdir, rmdir |
| inet | bind, connect |
As of version 3.35.0, landlock(7) compatibility level may be set using the -C option to one of the following levels: hard-requirement, or just hard or h, soft-requirement, or just short or s, and best-effort, or just best or b. Default is hard-requirement to adhere to the principle of secure defaults. In this level the requested landlock(7) restrictions are taken into account only if they are supported by the running system; if any requested feature is not supported, the operation returns a compatibility error and the sandbox is not entered. File open(2) errors during sandbox setup, including the ENOENT ("No such file or directory") errno(3), return a fatal error in this level. In soft-requirement level the requested restrictions are taken into account if they are supported by the running system, or the entire sandboxing request is silently ignored otherwise; no compatibility error is returned. In best-effort level the requested restrictions are taken into account if they are supported by the running system, and any unsupported restrictions are silently ignored; no compatibility error is returned. In soft-requirement and best-effort levels file open(2) errors with the ENOENT ("No such file or directory") errno(3) are silently ignored. Other file open(2) errors are fatal.
As of version 3.38.0, landlock(7) flags may be set using the -F option. Flags may be specified using their names or numerical values. Multiple flags may be set at once by specifying them as a comma-separated list. Flags are supported beginning with landlock(7) ABI 7 which is new in Linux-6.15. List of supported flags are given below. Setting a flag on an unsupported ABI is a NO-OP unless otherwise noted.
| log_same_exec_off | 1: Disables logging of denied accesses originating from the thread creating the landlock(7) domain, as well as its children, as long as they continue running the same executable code (i.e., without an intervening execve(2) call). This is intended for programs that execute unknown code without invoking execve(2), such as script interpreters. Programs that only sandbox themselves should not set this flag, so users can be notified of unauthorized access attempts via system logs. This flag requires landlock(7) ABI 7 support which is new in Linux-6.15. |
| log_new_exec_on | 2: Enables logging of denied accesses after an execve(2) call, providing visibility into unauthorized access attempts by newly executed programs within the created landlock(7) domain. This flag is recommended only when all potential executables in the domain are expected to comply with the access restrictions, as excessive audit log entries could make it more difficult to identify critical events. This flag requires landlock(7) ABI 7 support which is new in Linux-6.15. |
| log_subdomains_off | 4: Disables logging of denied accesses originating from nested landlock(7) domains created by the caller or its descendants. This flag should be set according to runtime configuration, not hardcoded, to avoid suppressing important security events. It is useful for container runtimes or sandboxing tools that may launch programs which themselves create landlock(7) domains and could otherwise generate excessive logs. Unlike log_same_exec_off, this flag only affects future nested domains, not the one being created. This flag requires landlock(7) ABI 7 support which is new in Linux-6.15. |
As of version 3.35.0, the default landlock(7) compatibility level has been changed from best-effort to hard-requirement, and ENOENT (No such file or directory) errors are made fatal unless level is set to best-effort. This adheres to the principle of secure defaults and above all avoids the silent and dangerous trap where a non-existing file or directory which had been denied access (and skipped) at startup is created after and landlock(7) ends up allowing access to the newly created file or directory. For more information, see: https://landlock.io/rust-landlock/landlock/trait.Compatible.html
Consider combining syd-lock(1) use with syd-mdwe(1) to get W^X memory protections. See syd-mdwe(1) manual page for more information.
Refer to the following links for more information:
syd-lock exits with the same code as the child process on clean exit. On unclean termination, exit code is set to 128 plus signal number. In case executing the child process fails syd-lock(1) exits with the errno(3) number. syd-lock -A exits with the landlock(7) ABI version as exit code.
syd-lock -E exits with one of the following exit codes:
| 0 | All erratas are available. |
| 1 | Some erratas are not available. |
| 2 | No erratas are available. |
syd-lock -V exits with one of the following exit codes based on support for the latest landlock(7) ABI:
| 0 | Fully enforced |
| 1 | Partially enforced |
| 2 | Not enforced |
| 127 | Not supported |
syd-lock exits with 22 (EINVAL) for invalid CLI arguments.
$ syd-lock wget -O/dev/null chesswob.org $ syd-lock -l read,exec+/ wget -O/dev/null chesswob.org /dev/null: Permission denied $ syd-lock -l read,exec+/ -l write+/dev/null wget -O/dev/null chesswob.org Prepended http:// to 'chesswob.org' --2025-04-30 16:24:35-- http://chesswob.org/ Resolving chesswob.org (chesswob.org)... 95.216.39.164, fe80::468a:5bff:fe88:2141 Connecting to chesswob.org (chesswob.org)|95.216.39.164|:80... failed: Permission denied. Connecting to chesswob.org (chesswob.org)|fe80::468a:5bff:fe88:2141|:80... failed: Permission denied. Retrying. ^C $ syd-lock -l read,exec+/ -l write+/dev/null -l connect+80 -l connect+443 wget -O/dev/null chesswob.org Prepended http:// to 'chesswob.org' --2025-04-30 16:25:59-- http://chesswob.org/ Resolving chesswob.org (chesswob.org)... 95.216.39.164, fe80::468a:5bff:fe88:2141 Connecting to chesswob.org (chesswob.org)|95.216.39.164|:80... connected. HTTP request sent, awaiting response... 302 Moved Temporarily Location: https://www.chesswob.org/ [following] --2025-04-30 16:25:59-- https://www.chesswob.org/ Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt' Resolving www.chesswob.org (www.chesswob.org)... 95.216.39.164, fe80::468a:5bff:fe88:2141 Connecting to www.chesswob.org (www.chesswob.org)|95.216.39.164|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 148827 (145K) [text/html] Saving to: ‘/dev/null’ /dev/null 100%[=============================================================>] 145.34K --.-KB/s in 0.01s 2025-04-30 16:25:59 (11.9 MB/s) - ‘/dev/null’ saved [148827/148827] $
landlock(7), syd(1), syd(2), syd(5), syd(7), syd-mdwe(1), syd-pds(1)
syd homepage: https://sydbox.exherbo.org/
Landlock homepage: https://landlock.io/
Landlock documentation: https://docs.kernel.org/userspace-api/landlock.html
Landlock admin guide: https://docs.kernel.org/admin-guide/LSM/landlock.html
Maintained by Ali Polatel. Up-to-date sources can be found at https://gitlab.exherbo.org/sydbox/sydbox.git and bugs/patches can be submitted to https://gitlab.exherbo.org/groups/sydbox/-/issues. Discuss in #sydbox on Libera Chat or in #sydbox:mailstation.de on Matrix.
| 2025-09-13 |