setpriv on Linux supports Landlock.
Another example:
$ setpriv \
--landlock-access fs \
--landlock-rule path-beneath:execute,read-file:/bin/ls-static \
--landlock-rule path-beneath:read-dir:/tmp \
/bin/ls-static /tmp/tmp/xorg.atom
The first argument --landlock-access fs says that nothing is allowed.
--landlock-rule path-beneath:execute,read-file:/bin/ls-static says that reading and executing that file is allowed. It’s a statically linked ls program (not GNU ls).
--landlock-rule path-beneath:read-dir:/tmp says that reading the /tmp directory and everything below it is allowed.
The output of the ls-static program is this line:
─rw─r──r────x 3000 200 07-12 09:19 22'491 │ /tmp/tmp/xorg.atom
It was able to read the directory, see the file, do stat() on it and everything, the little x indicates that getting xattrs also worked.
3000 and 200 are user name and group name – they are shown as numeric, because the program does not have access to /etc/passwd and /etc/group.
Adding --landlock-rule path-beneath:read-file:/etc/passwd, for example, allows resolving users and yields this:
─rw─r──r────x cathy 200 07-12 09:19 22'491 │ /tmp/tmp/xorg.atom