Landlock.FileSystem Enum

Filesystem access rights handled by a Landlock ruleset. Each value maps to a LANDLOCK_ACCESS_FS_* flag in the kernel header. Pass these to CreateRuleset to declare which rights the sandbox handles, and to AddPathBeneathRule to re-grant them for a directory tree.

Definition

Namespace: Sandbox

public enum FileSystem

Remarks

Each right is gated on a minimum kernel ABI version. The binding silently drops flags newer than the running kernel, so the same code keeps working everywhere — see ABI versions. CORE is a convenience that expands to every filesystem right available on the current kernel except IOCTL_DEV. For the semantics of each right, see the "Filesystem flags" section of landlock(7).

Fields

Value	Description
`CORE`	Convenience value — expands to every filesystem right available on the current kernel except `IOCTL_DEV`. Min ABI 1.
`EXECUTE`	Execute a file (`LANDLOCK_ACCESS_FS_EXECUTE`). Min ABI 1.
`WRITE_FILE`	Write to a file (`LANDLOCK_ACCESS_FS_WRITE_FILE`). Min ABI 1.
`READ_FILE`	Read a file (`LANDLOCK_ACCESS_FS_READ_FILE`). Min ABI 1.
`READ_DIR`	List a directory's contents (`LANDLOCK_ACCESS_FS_READ_DIR`). Min ABI 1.
`REMOVE_DIR`	Remove a directory (`LANDLOCK_ACCESS_FS_REMOVE_DIR`). Min ABI 1.
`REMOVE_FILE`	Remove a file (`LANDLOCK_ACCESS_FS_REMOVE_FILE`). Min ABI 1.
`MAKE_CHAR`	Create a character device (`LANDLOCK_ACCESS_FS_MAKE_CHAR`). Min ABI 1.
`MAKE_DIR`	Create a directory (`LANDLOCK_ACCESS_FS_MAKE_DIR`). Min ABI 1.
`MAKE_REG`	Create a regular file (`LANDLOCK_ACCESS_FS_MAKE_REG`). Min ABI 1.
`MAKE_SOCK`	Create a UNIX domain socket (`LANDLOCK_ACCESS_FS_MAKE_SOCK`). Min ABI 1.
`MAKE_FIFO`	Create a named pipe (`LANDLOCK_ACCESS_FS_MAKE_FIFO`). Min ABI 1.
`MAKE_BLOCK`	Create a block device (`LANDLOCK_ACCESS_FS_MAKE_BLOCK`). Min ABI 1.
`MAKE_SYM`	Create a symbolic link (`LANDLOCK_ACCESS_FS_MAKE_SYM`). Min ABI 1.
`REFER`	Cross-directory rename/link (`LANDLOCK_ACCESS_FS_REFER`). Min ABI 2 (kernel 5.19).
`TRUNCATE`	Truncate a file (`LANDLOCK_ACCESS_FS_TRUNCATE`). Min ABI 3 (kernel 6.2).
`IOCTL_DEV`	`ioctl` on a device file (`LANDLOCK_ACCESS_FS_IOCTL_DEV`). Min ABI 5 (kernel 6.10). Not included in `CORE`.

Applies to

Sandbox.dll — Linux only (x86-64, kernel ≥ 5.13). See the filesystem rules guide.