| author | Mickaël Salaün <mic@linux.microsoft.com> | 2025-02-14 09:56:20 +0100 |
|---|---|---|
| committer | Aleksandr Nogikh <nogikh@google.com> | 2025-03-21 17:21:41 +0000 |
| commit | c6512ef73a66c56765fe73422ce54003ede8c0cd (patch) | |
| tree | 02bc314304f05749df7629fb93983aabb771f89e /sys/linux | |
| parent | 623305521a130ee29d32df86af67c671c60f61af (diff) | |
sys/linux: add Landlock syscall flags
Add the new LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF,
LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON, and
LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF flags for landlock_restrict_self(2)
from Linux 6.15 (audit support for Landlock).
Also add the LANDLOCK_CREATE_RULESET_VERSION and
LANDLOCK_CREATE_RULESET_ERRATA flags for landlock_create_ruleset(2).
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Diffstat (limited to 'sys/linux')
| -rw-r--r-- | sys/linux/landlock.txt | 8 | ||||
| -rw-r--r-- | sys/linux/landlock.txt.const | 5 |
2 files changed, 11 insertions, 2 deletions
diff --git a/sys/linux/landlock.txt b/sys/linux/landlock.txt
index 6a1500212..fb81d38db 100644
--- a/sys/linux/landlock.txt
+++ b/sys/linux/landlock.txt
@@ -5,13 +5,13 @@ include <uapi/linux/landlock.h>
 resource fd_ruleset[fd]
-landlock_create_ruleset(attr ptr[in, landlock_ruleset_attr], size bytesize[attr], flags const[0]) fd_ruleset
+landlock_create_ruleset(attr ptr[in, landlock_ruleset_attr], size bytesize[attr], flags flags[landlock_create_ruleset_flags]) fd_ruleset
 landlock_add_rule$LANDLOCK_RULE_PATH_BENEATH(ruleset_fd fd_ruleset, rule_type const[LANDLOCK_RULE_PATH_BENEATH], rule_attr ptr[in, landlock_path_beneath_attr], flags const[0])
 landlock_add_rule$LANDLOCK_RULE_NET_PORT(ruleset_fd fd_ruleset, rule_type const[LANDLOCK_RULE_NET_PORT], rule_attr ptr[in, landlock_net_port_attr], flags const[0])
-landlock_restrict_self(ruleset_fd fd_ruleset, flags const[0])
+landlock_restrict_self(ruleset_fd fd_ruleset, flags flags[landlock_restrict_self_flags])
 landlock_ruleset_attr {
 handled_access_fs flags[landlock_access_fs_flags, int64]
@@ -32,6 +32,10 @@ landlock_net_port_attr {
 # TODO(glider): remove this line once LANDLOCK_ACCESS_FS_IOCTL_DEV hits upstream.
 define LANDLOCK_ACCESS_FS_IOCTL_DEV (1ULL << 15)
+landlock_create_ruleset_flags = LANDLOCK_CREATE_RULESET_VERSION, LANDLOCK_CREATE_RULESET_ERRATA
+
+landlock_restrict_self_flags = LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF, LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON, LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF
+
 landlock_access_fs_flags = LANDLOCK_ACCESS_FS_EXECUTE, LANDLOCK_ACCESS_FS_WRITE_FILE, LANDLOCK_ACCESS_FS_READ_FILE, LANDLOCK_ACCESS_FS_READ_DIR, LANDLOCK_ACCESS_FS_REMOVE_DIR, LANDLOCK_ACCESS_FS_REMOVE_FILE, LANDLOCK_ACCESS_FS_MAKE_CHAR, LANDLOCK_ACCESS_FS_MAKE_DIR, LANDLOCK_ACCESS_FS_MAKE_REG, LANDLOCK_ACCESS_FS_MAKE_SOCK, LANDLOCK_ACCESS_FS_MAKE_FIFO, LANDLOCK_ACCESS_FS_MAKE_BLOCK, LANDLOCK_ACCESS_FS_MAKE_SYM, LANDLOCK_ACCESS_FS_REFER, LANDLOCK_ACCESS_FS_TRUNCATE, LANDLOCK_ACCESS_FS_IOCTL_DEV
 landlock_access_net_flags = LANDLOCK_ACCESS_NET_BIND_TCP, LANDLOCK_ACCESS_NET_CONNECT_TCP
diff --git a/sys/linux/landlock.txt.const b/sys/linux/landlock.txt.const
index 142c76bf1..23b776c46 100644
--- a/sys/linux/landlock.txt.const
+++ b/sys/linux/landlock.txt.const
@@ -18,6 +18,11 @@ LANDLOCK_ACCESS_FS_TRUNCATE = 16384
 LANDLOCK_ACCESS_FS_WRITE_FILE = 2
 LANDLOCK_ACCESS_NET_BIND_TCP = 1
 LANDLOCK_ACCESS_NET_CONNECT_TCP = 2
+LANDLOCK_CREATE_RULESET_ERRATA = 2
+LANDLOCK_CREATE_RULESET_VERSION = 1
+LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON = 2
+LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF = 1
+LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF = 4
 LANDLOCK_RULE_NET_PORT = 2
 LANDLOCK_RULE_PATH_BENEATH = 1
 LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET = 1 |
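Review bot: The new `landlock_create_ruleset_flags` set feeds the `flags flags[landlock_create_ruleset_flags]` argument of `landlock_create_ruleset` in the previous hunk, whose result is still typed `fd_ruleset`; as far as I recall the kernel treats LANDLOCK_CREATE_RULESET_VERSION and LANDLOCK_CREATE_RULESET_ERRATA as query modes that require a NULL attr and a zero size and return the ABI version or the errata mask rather than a file descriptor. With the description as written, most generated calls carrying either flag would fail with EINVAL, and when the fuzzer does emit a NULL attr the small integer result would be recorded as an `fd_ruleset` resource and reused as a ruleset fd by later calls. A cleaner shape keeps the resource-returning form at `flags const[0]` and adds query variants with no return resource, e.g. `landlock_create_ruleset$LANDLOCK_CREATE_RULESET_VERSION(attr const[0], size const[0], flags const[LANDLOCK_CREATE_RULESET_VERSION])` plus the ERRATA counterpart. The `landlock_restrict_self_flags` set is consistent with the values added to landlock.txt.const in the next hunk and needs no change.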
