Landlock Class
Entry point for the binding. A Landlock instance represents a ruleset under
construction; the static members check kernel support and create rulesets, and
the instance members add rules and enforce the sandbox on the current thread.
Definition
Namespace: Sandbox
public class Landlock
A ruleset declares which access rights it handles — those rights become
denied by default. Rules added with AddPathBeneathRule
and AddPortRule re-grant access to specific resources, and
Enforce binds the ruleset to the current thread.
Remarks
The class mirrors the three Landlock syscalls in order:
landlock_create_ruleset → landlock_add_rule → landlock_restrict_self. An
instance is mutable while you add rules and becomes inert once enforced —
calling an Add* method after Enforce throws. The kernel ruleset
is a file descriptor; discarding the instance without enforcing releases it.
See API overview for the full lifecycle.
Methods
| Name | Description |
|---|---|
| IsSupported() | Returns whether Landlock is usable on the current OS, architecture, and kernel. |
| GetAbiVersion() | Returns the kernel's supported Landlock ABI version, or a negative value when unsupported. |
| CreateRuleset(...) | Builds a ruleset declaring which filesystem, network, and scope rights it handles. |
| AddPathBeneathRule(string, FileSystem[]) | Re-grants filesystem access for a directory tree. Returns this for chaining. |
| AddPortRule(int, Network[]) | Re-grants TCP access for a port. Returns this for chaining. |
| Enforce(...) | Applies the ruleset to the current thread. Irrevocable. |
IsSupported
public static bool IsSupported()
Returns true only when the host OS is Linux, the process architecture is
x86-64, and landlock_create_ruleset reports an ABI version ≥ 1. Safe to call
on any platform — non-Linux hosts return false. Gate every other call on this
result so your code stays portable.
Maps to landlock_create_ruleset (version query).
GetAbiVersion
public static int GetAbiVersion()
Returns the running kernel's supported Landlock ABI version (≥ 1), or a negative
value when Landlock is unavailable (kernel < 5.13, or Landlock excluded from
lsm=). It is a single syscall and safe to call repeatedly. Use it for feature
negotiation — see ABI versions.
Maps to landlock_create_ruleset (version query).
CreateRuleset
public static Landlock CreateRuleset(params Landlock.FileSystem[] fileSystem);
public static Landlock CreateRuleset(params Landlock.Network[] network);
public static Landlock CreateRuleset(
Landlock.FileSystem[] fileSystem,
Landlock.Network[] network,
Landlock.Scope[] scope = null);
Creates a new ruleset declaring which access rights it handles. Three overloads
match the three resource categories: filesystem only, network only, or all
three together. Pass null to a category to leave it untouched by the sandbox.
Flags newer than the running kernel's ABI are silently dropped.
- fileSystem — the FileSystem rights the ruleset handles.
- network — the Network rights the ruleset handles.
- scope — the Scope IPC isolation flags; optional.
Maps to landlock_create_ruleset.
AddPathBeneathRule
public Landlock AddPathBeneathRule(string parentPath, params Landlock.FileSystem[] allowedActions)
Re-grants the given filesystem rights for parentPath and everything beneath
it. parentPath must be an existing directory. The granted actions must be a
subset of the rights declared in CreateRuleset. Returns the
same instance for chaining. Throws if called after Enforce.
- parentPath — directory whose tree the rule applies to.
- allowedActions — the FileSystem rights to re-grant.
Maps to landlock_add_rule(..., PATH_BENEATH, ...). See the
filesystem rules guide.
AddPortRule
public Landlock AddPortRule(int port, params Landlock.Network[] allowedActions)
Re-grants TCP access for a single port number. The granted actions must be a
subset of the network rights declared in CreateRuleset.
Returns the same instance for chaining. Throws if called after
Enforce.
- port — the TCP port number the rule applies to.
- allowedActions — the Network rights to re-grant.
Maps to landlock_add_rule(..., NET_PORT, ...). See the
network rules guide.
Enforce
public void Enforce(
bool disableDenyLogging = false,
bool enableChildDenyLogging = false,
bool disabledNestedDomainsLogging = false)
Applies the ruleset to the current thread and its descendants. The call sets
PR_SET_NO_NEW_PRIVS, invokes landlock_restrict_self, and closes the ruleset
file descriptor. The restriction is irrevocable — there is no way to widen the
sandbox afterwards. Idempotent on the same instance; enforcing a different
instance layers additional restrictions on top.
The three optional flags map to ABI 7 (kernel 6.13) logging controls and are silently ignored on older kernels.
- disableDenyLogging — stop logging denials from this domain in the current execution (LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF).
- enableChildDenyLogging — log denials in child processes started by a new execve (LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON).
- disabledNestedDomainsLogging — stop logging denials from nested layered domains (LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF).
Maps to prctl(PR_SET_NO_NEW_PRIVS) + landlock_restrict_self. See the
enforcing and deny logging guides.
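The full lifecycle described above (support check, ABI negotiation, CreateRuleset, Add* rules, Enforce, and the post-Enforce throw) as an added example; it is not code from the binding's own documentation. The enum member names ReadFile, ReadDir and ConnectTcp are assumed, as is using ABI 4 (the kernel release that introduced TCP port rules) as the threshold for adding network rules.

```csharp
using System;
using System.IO;
using Sandbox;

// Enum member names (FileSystem.ReadFile, FileSystem.ReadDir, Network.ConnectTcp)
// are assumed; check them against the enums shipped in Sandbox.dll.
static class SandboxedWorker
{
    static void Main()
    {
        // Gate every Landlock call: non-Linux hosts and old kernels return false.
        if (!Landlock.IsSupported()) { Console.Error.WriteLine("Landlock unavailable"); Work(); return; }

        // Feature negotiation: TCP port rules exist from ABI 4 (Linux 6.7). On
        // older kernels leave the network category unhandled instead of declaring
        // rights the kernel would silently drop.
        bool hasNet = Landlock.GetAbiVersion() >= 4;
        Landlock ruleset = hasNet
            ? Landlock.CreateRuleset(
                new[] { Landlock.FileSystem.ReadFile, Landlock.FileSystem.ReadDir },
                new[] { Landlock.Network.ConnectTcp })
            : Landlock.CreateRuleset(Landlock.FileSystem.ReadFile, Landlock.FileSystem.ReadDir);

        // Declared rights are now denied by default; re-grant only what the
        // workload needs, using only rights declared above.
        ruleset.AddPathBeneathRule("/usr/share/zoneinfo",
            Landlock.FileSystem.ReadFile, Landlock.FileSystem.ReadDir);
        if (hasNet)
            ruleset.AddPortRule(443, Landlock.Network.ConnectTcp);

        // Irrevocable: sets PR_SET_NO_NEW_PRIVS, calls landlock_restrict_self and
        // closes the ruleset fd. Covers this thread and everything it spawns.
        ruleset.Enforce();

        // The instance is inert now: any further Add* call throws.
        try { ruleset.AddPathBeneathRule("/etc", Landlock.FileSystem.ReadFile); }
        catch (Exception e) { Console.Error.WriteLine($"late rule rejected: {e.GetType().Name}"); }
        Work();
    }

    static void Work()
    {
        // Inside the granted tree: succeeds. Outside it the kernel returns EACCES,
        // which .NET surfaces as UnauthorizedAccessException.
        Console.WriteLine(File.ReadAllBytes("/usr/share/zoneinfo/UTC").Length + " bytes of tzdata");
        try { File.ReadAllText("/etc/hostname"); }
        catch (UnauthorizedAccessException) { Console.WriteLine("/etc/hostname denied as intended"); }
    }
}
```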
Applies to
Sandbox.dll — Linux only (x86-64, kernel ≥ 5.13). See the guides.