SYD-LOCK(1) | General Commands Manual | SYD-LOCK(1) |
syd-lock - Run a command under Landlock
syd-lock [-hvAV] [-l category[,category...]{+|-}path|port[-port]]... [-r path]... [-w path]... [-b port[-port]]... [-c port[-port]]... {command [args...]}
The syd-lock utility runs a command under Landlock, confined by the specified Landlock sandbox categories. Categories and their associated resources (paths or ports) are defined using the -l option. Each -l option requires at least one category, followed directly by either "+" (to explicitly grant) or "-" (to explicitly deny) and a resource (path or port range). Multiple categories can be combined, separated by commas, to apply permissions collectively to the specified resource. The -l option itself can be repeated. Use the -V option to check for Landlock support; the specific support level may be determined by the exit code. Use the -A option to check the Landlock ABI version.
Supported sandbox categories are read, write, exec, ioctl, create, delete, rename, symlink, truncate, readdir, mkdir, rmdir, mkdev, mkfifo, bind, connect, and all. Categories other than bind and connect must specify file or directory paths. Categories bind and connect must specify network ports or closed port ranges; the bind category also supports absolute UNIX domain socket paths. For full details and specific behavior of each sandbox category, refer to the "Sandboxing" and "Lock Sandboxing" sections of the syd(7) manual page.
As of version 3.35.0, Landlock compatibility level may be set using the -C option: hard stands for the Landlock compatibility level "hard-requirement", soft stands for "soft-requirement", best stands for "best-effort". Default is "hard-requirement". "ENOENT", aka "No such file or directory" errors are fatal unless compatibility level is set to "best-effort".
-h | Display help. |
-v | Be verbose. Print Landlock status to standard error before running the specified command. |
-A | Print ABI version on standard output and exit with ABI version as exit code, rather than running a command. Use for scripting. |
-V | Check if Landlock is supported and print ABI version, rather than running a command. |
-C level | Set Landlock compatibility level. Must be one of hard, soft, best, or the short forms h, s, b. Defaults to hard. |
-l cat[,cat...]{+|-}path|port[-port] | Specify sandbox categories and grant or deny them on the associated path, port or closed port range, may be repeated. |
-r path | Specify a read-only path, may be repeated. Equivalent to -l read,readdir,exec,ioctl+path. |
-w path | Specify a read-write path, may be repeated. Equivalent to -l all+path. |
-b port[-port] | Specify a port for bind(2), may be repeated. Equivalent to -l bind+port. |
-c port[-port] | Specify a port for connect(2), may be repeated. Equivalent to -l connect+port. |
When running a command, syd-lock exits with the same exit code as the command.
When running in check mode with -A, syd exits with ABI version as exit code.
When running in check mode with -V, syd may exit with the following exit codes:
0 | Fully enforced |
1 | Partially enforced |
2 | Not enforced |
127 | Not supported |
Landlock ABI versioning makes it possible to adjust the security policy according to the kernel capabilities.
Block device creation with the Landlock access right "LANDLOCK_ACCESS_FS_MAKE_BLOCK" is never allowed.
Scoped signals and UNIX abstract sockets which were introduced with Landlock ABI version 6 with Linux-6.12 are always enabled.
Consider prepending syd-lock(1) invocations with syd-mdwe(1) to get W^X memory protections. See syd-mdwe(1) manual page for more information.
As of version 3.35.0, the default Landlock compatibility level has been changed from "best-effort" to "hard-requirement", and "ENOENT", aka "No such file or directory", errors are made fatal unless the level is set to "best-effort". This adheres to the principle of secure defaults and, above all, avoids the silent and dangerous trap where a non-existing file or directory which had been denied access (and skipped) at startup is created afterwards and Landlock ends up allowing access to the newly created file or directory. For more information, see: https://landlock.io/rust-landlock/landlock/trait.Compatible.html
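The -l rule syntax from the description and the fatal ENOENT behaviour described above can both be checked before a policy is handed to syd-lock. The following is an added example, not part of syd: valid_ports and lint_rule are hypothetical helper names, the sample rules are constructed, and rejecting a port given to path categories is this example's own conservative reading of the manual text.

```shell
# Added example, not syd code: valid_ports and lint_rule are hypothetical helpers.
# Category names are copied from the manual text above.
FS_CATS="read write exec ioctl create delete rename symlink truncate readdir mkdir rmdir mkdev mkfifo all"

# valid_ports PORT[-PORT]: one port or a closed range within 0..65535.
valid_ports() {
    case $1 in ''|*[!0-9-]*|-*|*-|*-*-*) return 1 ;; esac
    lo=${1%-*} hi=${1#*-}
    [ "${#lo}" -le 5 ] && [ "${#hi}" -le 5 ] && [ "$lo" -le "$hi" ] && [ "$hi" -le 65535 ]
}

# lint_rule RULE: print a verdict; return 0 = usable, 1 = malformed, 2 = path missing.
lint_rule() {
    cats=${1%%[+-]*}    # categories end at the first '+' or '-'
    rest=${1#"$cats"}   # the sign followed by the resource
    res=${rest#?}
    [ -n "$cats" ] && [ -n "$res" ] || { echo "malformed rule"; return 1; }
    fs=0 net=0 connect=0
    old_ifs=$IFS; IFS=,; set -f
    set -- $cats        # split the category list on commas
    set +f; IFS=$old_ifs
    for c in "$@"; do
        case $c in
            ''|*[!a-z]*) echo "unknown category: $c"; return 1 ;;
            bind) net=1 ;;
            connect) net=1 connect=1 ;;
            *) case " $FS_CATS " in
                   *" $c "*) fs=1 ;;
                   *) echo "unknown category: $c"; return 1 ;;
               esac ;;
        esac
    done
    if [ "$net" -eq 1 ]; then
        if valid_ports "$res"; then
            [ "$fs" -eq 0 ] || { echo "path categories given a port"; return 1; }
        else    # only bind may name an absolute UNIX domain socket path
            case $res in /*) [ "$connect" -eq 0 ] ;; *) false ;; esac ||
                { echo "bad port or range: $res"; return 1; }
        fi
        echo ok; return 0
    fi
    # Path rule: a missing path is a fatal ENOENT unless -C best is given.
    [ -e "$res" ] || { echo "ENOENT: $res"; return 2; }
    echo ok
}
# Constructed sample rules in the syntax of the -l option.
for r in 'read,exec+/' 'connect+80' 'connect+443-80' 'read+/no/such/constructed/dir'; do
    printf '%-32s %s\n' "$r" "$(lint_rule "$r")"
done
```

Return code 2 separates a well-formed rule whose path is missing from a malformed one, so a wrapper can create the path first instead of relaxing the compatibility level.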
    $ syd-lock wget -O/dev/null chesswob.org
    $ syd-lock -l read,exec+/ wget -O/dev/null chesswob.org
    /dev/null: Permission denied
    $ syd-lock -l read,exec+/ -l write+/dev/null wget -O/dev/null chesswob.org
    Prepended http:// to 'chesswob.org'
    --2025-04-30 16:24:35-- http://chesswob.org/
    Resolving chesswob.org (chesswob.org)... 95.216.39.164, fe80::468a:5bff:fe88:2141
    Connecting to chesswob.org (chesswob.org)|95.216.39.164|:80... failed: Permission denied.
    Connecting to chesswob.org (chesswob.org)|fe80::468a:5bff:fe88:2141|:80... failed: Permission denied.
    Retrying.
    ^C
    $ syd-lock -l read,exec+/ -l write+/dev/null -l connect+80 -l connect+443 wget -O/dev/null chesswob.org
    Prepended http:// to 'chesswob.org'
    --2025-04-30 16:25:59-- http://chesswob.org/
    Resolving chesswob.org (chesswob.org)... 95.216.39.164, fe80::468a:5bff:fe88:2141
    Connecting to chesswob.org (chesswob.org)|95.216.39.164|:80... connected.
    HTTP request sent, awaiting response... 302 Moved Temporarily
    Location: https://www.chesswob.org/ [following]
    --2025-04-30 16:25:59-- https://www.chesswob.org/
    Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
    Resolving www.chesswob.org (www.chesswob.org)... 95.216.39.164, fe80::468a:5bff:fe88:2141
    Connecting to www.chesswob.org (www.chesswob.org)|95.216.39.164|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 148827 (145K) [text/html]
    Saving to: ‘/dev/null’
    /dev/null 100%[=============================================================>] 145.34K --.-KB/s in 0.01s
    2025-04-30 16:25:59 (11.9 MB/s) - ‘/dev/null’ saved [148827/148827]
    $
landlock(7), syd(1), syd(2), syd(5), syd(7), syd-mdwe(1), syd-pds(1)
syd homepage: https://sydbox.exherbo.org/
Landlock homepage: https://landlock.io/
Landlock documentation: https://docs.kernel.org/userspace-api/landlock.html
Landlock admin guide: https://docs.kernel.org/admin-guide/LSM/landlock.html
Maintained by Ali Polatel. Up-to-date sources can be found at https://gitlab.exherbo.org/sydbox/sydbox.git and bugs/patches can be submitted to https://gitlab.exherbo.org/groups/sydbox/-/issues. Discuss in #sydbox on Libera Chat or in #sydbox:mailstation.de on Matrix.
2025-06-23 |