diff options
| author | Mickaël Salaün <mic@linux.microsoft.com> | 2023-10-10 18:28:59 +0200 |
|---|---|---|
| committer | Aleksandr Nogikh <nogikh@google.com> | 2023-10-13 13:15:32 +0000 |
| commit | 2f3c16ff202947ee7671f5b36c2cd294449ff26f (patch) | |
| tree | 34284618dc5d7d58c946c2eae031cb80f3766651 /sys/linux/landlock.txt | |
| parent | 6388bc36373b7e4e4dbac9101b34007e839a74bd (diff) | |
sys/linux: add the Landlock network rule type and access rights
Add the new lanlock_net_port_attr struct and related
LANDLOCK_ACCESS_NET_{BIND,CONNECT}_TCP flags for TCP access control.
Add landlock_ruleset_attr's handled_access_net field and fix
handled_access_fs name.
Update tests with the new landlock_ruleset_attr's handled_access_net
field.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Diffstat (limited to 'sys/linux/landlock.txt')
| -rw-r--r-- | sys/linux/landlock.txt | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/sys/linux/landlock.txt b/sys/linux/landlock.txt index 6b225cf40..62980b764 100644 --- a/sys/linux/landlock.txt +++ b/sys/linux/landlock.txt @@ -6,16 +6,28 @@ include <uapi/linux/landlock.h> resource fd_ruleset[fd] landlock_create_ruleset(attr ptr[in, landlock_ruleset_attr], size bytesize[attr], flags const[0]) fd_ruleset + landlock_add_rule$LANDLOCK_RULE_PATH_BENEATH(ruleset_fd fd_ruleset, rule_type const[LANDLOCK_RULE_PATH_BENEATH], rule_attr ptr[in, landlock_path_beneath_attr], flags const[0]) + +landlock_add_rule$LANDLOCK_RULE_NET_PORT(ruleset_fd fd_ruleset, rule_type const[LANDLOCK_RULE_NET_PORT], rule_attr ptr[in, landlock_net_port_attr], flags const[0]) + landlock_restrict_self(ruleset_fd fd_ruleset, flags const[0]) landlock_ruleset_attr { - handled_fs_access flags[landlock_access_flags, int64] + handled_access_fs flags[landlock_access_fs_flags, int64] + handled_access_net flags[landlock_access_net_flags, int64] } landlock_path_beneath_attr { - allowed_access flags[landlock_access_flags, int64] + allowed_access flags[landlock_access_fs_flags, int64] parent_fd fd } [packed] -landlock_access_flags = LANDLOCK_ACCESS_FS_EXECUTE, LANDLOCK_ACCESS_FS_MAKE_BLOCK, LANDLOCK_ACCESS_FS_MAKE_CHAR, LANDLOCK_ACCESS_FS_MAKE_DIR, LANDLOCK_ACCESS_FS_MAKE_FIFO, LANDLOCK_ACCESS_FS_MAKE_REG, LANDLOCK_ACCESS_FS_MAKE_SOCK, LANDLOCK_ACCESS_FS_MAKE_SYM, LANDLOCK_ACCESS_FS_READ_DIR, LANDLOCK_ACCESS_FS_READ_FILE, LANDLOCK_ACCESS_FS_REFER, LANDLOCK_ACCESS_FS_REMOVE_DIR, LANDLOCK_ACCESS_FS_REMOVE_FILE, LANDLOCK_ACCESS_FS_TRUNCATE, LANDLOCK_ACCESS_FS_WRITE_FILE +landlock_net_port_attr { + allowed_access flags[landlock_access_net_flags, int64] + port int64 +} + +landlock_access_fs_flags = LANDLOCK_ACCESS_FS_EXECUTE, LANDLOCK_ACCESS_FS_MAKE_BLOCK, LANDLOCK_ACCESS_FS_MAKE_CHAR, LANDLOCK_ACCESS_FS_MAKE_DIR, LANDLOCK_ACCESS_FS_MAKE_FIFO, LANDLOCK_ACCESS_FS_MAKE_REG, LANDLOCK_ACCESS_FS_MAKE_SOCK, LANDLOCK_ACCESS_FS_MAKE_SYM, LANDLOCK_ACCESS_FS_READ_DIR, LANDLOCK_ACCESS_FS_READ_FILE, LANDLOCK_ACCESS_FS_REFER, LANDLOCK_ACCESS_FS_REMOVE_DIR, LANDLOCK_ACCESS_FS_REMOVE_FILE, LANDLOCK_ACCESS_FS_TRUNCATE, LANDLOCK_ACCESS_FS_WRITE_FILE + +landlock_access_net_flags = LANDLOCK_ACCESS_NET_BIND_TCP, LANDLOCK_ACCESS_NET_CONNECT_TCP |