Diffstat (limited to 'sys/linux')
-rw-r--r--sys/linux/landlock.txt18
-rw-r--r--sys/linux/landlock.txt.const3
-rw-r--r--sys/linux/test/landlock_fs_accesses2
-rw-r--r--sys/linux/test/landlock_fs_forbidden2
-rw-r--r--sys/linux/test/landlock_fs_reparent2
-rw-r--r--sys/linux/test/landlock_fs_truncate2
-rw-r--r--sys/linux/test/landlock_layers4
-rw-r--r--sys/linux/test/landlock_ptrace4
-rw-r--r--sys/linux/test/landlock_sb_delete2
9 files changed, 27 insertions, 12 deletions
diff --git a/sys/linux/landlock.txt b/sys/linux/landlock.txt
index 6b225cf40..62980b764 100644
--- a/sys/linux/landlock.txt
+++ b/sys/linux/landlock.txt
@@ -6,16 +6,28 @@ include <uapi/linux/landlock.h>
resource fd_ruleset[fd]
landlock_create_ruleset(attr ptr[in, landlock_ruleset_attr], size bytesize[attr], flags const[0]) fd_ruleset
+
landlock_add_rule$LANDLOCK_RULE_PATH_BENEATH(ruleset_fd fd_ruleset, rule_type const[LANDLOCK_RULE_PATH_BENEATH], rule_attr ptr[in, landlock_path_beneath_attr], flags const[0])
+
+landlock_add_rule$LANDLOCK_RULE_NET_PORT(ruleset_fd fd_ruleset, rule_type const[LANDLOCK_RULE_NET_PORT], rule_attr ptr[in, landlock_net_port_attr], flags const[0])
+
landlock_restrict_self(ruleset_fd fd_ruleset, flags const[0])
landlock_ruleset_attr {
- handled_fs_access flags[landlock_access_flags, int64]
+ handled_access_fs flags[landlock_access_fs_flags, int64]
+ handled_access_net flags[landlock_access_net_flags, int64]
}
landlock_path_beneath_attr {
- allowed_access flags[landlock_access_flags, int64]
+ allowed_access flags[landlock_access_fs_flags, int64]
parent_fd fd
} [packed]
-landlock_access_flags = LANDLOCK_ACCESS_FS_EXECUTE, LANDLOCK_ACCESS_FS_MAKE_BLOCK, LANDLOCK_ACCESS_FS_MAKE_CHAR, LANDLOCK_ACCESS_FS_MAKE_DIR, LANDLOCK_ACCESS_FS_MAKE_FIFO, LANDLOCK_ACCESS_FS_MAKE_REG, LANDLOCK_ACCESS_FS_MAKE_SOCK, LANDLOCK_ACCESS_FS_MAKE_SYM, LANDLOCK_ACCESS_FS_READ_DIR, LANDLOCK_ACCESS_FS_READ_FILE, LANDLOCK_ACCESS_FS_REFER, LANDLOCK_ACCESS_FS_REMOVE_DIR, LANDLOCK_ACCESS_FS_REMOVE_FILE, LANDLOCK_ACCESS_FS_TRUNCATE, LANDLOCK_ACCESS_FS_WRITE_FILE
+landlock_net_port_attr {
+ allowed_access flags[landlock_access_net_flags, int64]
+ port int64
+}
+
+landlock_access_fs_flags = LANDLOCK_ACCESS_FS_EXECUTE, LANDLOCK_ACCESS_FS_MAKE_BLOCK, LANDLOCK_ACCESS_FS_MAKE_CHAR, LANDLOCK_ACCESS_FS_MAKE_DIR, LANDLOCK_ACCESS_FS_MAKE_FIFO, LANDLOCK_ACCESS_FS_MAKE_REG, LANDLOCK_ACCESS_FS_MAKE_SOCK, LANDLOCK_ACCESS_FS_MAKE_SYM, LANDLOCK_ACCESS_FS_READ_DIR, LANDLOCK_ACCESS_FS_READ_FILE, LANDLOCK_ACCESS_FS_REFER, LANDLOCK_ACCESS_FS_REMOVE_DIR, LANDLOCK_ACCESS_FS_REMOVE_FILE, LANDLOCK_ACCESS_FS_TRUNCATE, LANDLOCK_ACCESS_FS_WRITE_FILE
+
+landlock_access_net_flags = LANDLOCK_ACCESS_NET_BIND_TCP, LANDLOCK_ACCESS_NET_CONNECT_TCP
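Review bot: `port int64` in the new `landlock_net_port_attr` is unconstrained, so generated rules can carry a port the kernel refuses (as far as I know, landlock_add_rule returns EINVAL for a port above 65535) or one that no socket in the program ever binds or connects to. Consider `port int64[0:65535]`, or a range that overlaps the ports used by the socket descriptions, so that rules actually interact with bind/connect calls. The Landlock UAPI, as I understand it, takes this port in host byte order, so a comment such as `# Host byte order, unlike the big-endian port in sockaddr.` would keep that difference visible. The test hunks in this commit only append `0x0` for `handled_access_net`, so no program under sys/linux/test shown here exercises `landlock_add_rule$LANDLOCK_RULE_NET_PORT` or a non-zero `handled_access_net`. A small bind/connect test would cover the new enforcement path.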
diff --git a/sys/linux/landlock.txt.const b/sys/linux/landlock.txt.const
index b5fac871b..3c09a0589 100644
--- a/sys/linux/landlock.txt.const
+++ b/sys/linux/landlock.txt.const
@@ -15,6 +15,9 @@ LANDLOCK_ACCESS_FS_REMOVE_DIR = 16
LANDLOCK_ACCESS_FS_REMOVE_FILE = 32
LANDLOCK_ACCESS_FS_TRUNCATE = 16384
LANDLOCK_ACCESS_FS_WRITE_FILE = 2
+LANDLOCK_ACCESS_NET_BIND_TCP = 1
+LANDLOCK_ACCESS_NET_CONNECT_TCP = 2
+LANDLOCK_RULE_NET_PORT = 2
LANDLOCK_RULE_PATH_BENEATH = 1
__NR_landlock_add_rule = 445, mips64le:5445
__NR_landlock_create_ruleset = 444, mips64le:5444
diff --git a/sys/linux/test/landlock_fs_accesses b/sys/linux/test/landlock_fs_accesses
index c7d8fc486..18a8cb983 100644
--- a/sys/linux/test/landlock_fs_accesses
+++ b/sys/linux/test/landlock_fs_accesses
@@ -33,7 +33,7 @@ symlinkat(&AUTO='./file2\x00', 0xffffffffffffff9c, &AUTO='./file6\x00')
# Creates a ruleset to restrict all kind of file creation.
-r0 = landlock_create_ruleset(&AUTO={0x1fff}, AUTO, 0x0)
+r0 = landlock_create_ruleset(&AUTO={0x1fff, 0x0}, AUTO, 0x0)
prctl$PR_SET_NO_NEW_PRIVS(0x26, 0x1)
landlock_restrict_self(r0, 0x0)
diff --git a/sys/linux/test/landlock_fs_forbidden b/sys/linux/test/landlock_fs_forbidden
index 29f70e848..f45c34af3 100644
--- a/sys/linux/test/landlock_fs_forbidden
+++ b/sys/linux/test/landlock_fs_forbidden
@@ -14,7 +14,7 @@ mkdirat(0xffffffffffffff9c, &AUTO='./file0/file1\x00', 0x1c0)
# Creates a first ruleset to restrict execution.
-r0 = landlock_create_ruleset(&AUTO={0x1}, AUTO, 0x0)
+r0 = landlock_create_ruleset(&AUTO={0x1, 0x0}, AUTO, 0x0)
prctl$PR_SET_NO_NEW_PRIVS(0x26, 0x1)
landlock_restrict_self(r0, 0x0)
diff --git a/sys/linux/test/landlock_fs_reparent b/sys/linux/test/landlock_fs_reparent
index 08d78decb..20934003d 100644
--- a/sys/linux/test/landlock_fs_reparent
+++ b/sys/linux/test/landlock_fs_reparent
@@ -12,7 +12,7 @@ mkdirat(0xffffffffffffff9c, &AUTO='./file1/file4/file7\x00', 0x1c0)
# Creates a ruleset to restrict file linking/renaming and execution (to get an extra access right).
-r0 = landlock_create_ruleset(&AUTO={0x2001}, AUTO, 0x0)
+r0 = landlock_create_ruleset(&AUTO={0x2001, 0x0}, AUTO, 0x0)
# Allows link and rename from and to file1.
diff --git a/sys/linux/test/landlock_fs_truncate b/sys/linux/test/landlock_fs_truncate
index 1428bc03a..dd5986d0a 100644
--- a/sys/linux/test/landlock_fs_truncate
+++ b/sys/linux/test/landlock_fs_truncate
@@ -10,7 +10,7 @@ r1 = openat$dir(0xffffffffffffff9c, &AUTO='./file1\x00', 0x1, 0x0)
# Creates a ruleset to restrict file truncation: LANDLOCK_ACCESS_FS_TRUNCATE.
-r2 = landlock_create_ruleset(&AUTO={0x4000}, AUTO, 0x0)
+r2 = landlock_create_ruleset(&AUTO={0x4000, 0x0}, AUTO, 0x0)
# Allows truncation of file1.
diff --git a/sys/linux/test/landlock_layers b/sys/linux/test/landlock_layers
index fdc044963..166a4a930 100644
--- a/sys/linux/test/landlock_layers
+++ b/sys/linux/test/landlock_layers
@@ -5,7 +5,7 @@ mkdirat(0xffffffffffffff9c, &AUTO='./file0/file0\x00', 0x1c0)
# Creates a first ruleset to restrict file creation.
-r0 = landlock_create_ruleset(&AUTO={0x100}, AUTO, 0x0)
+r0 = landlock_create_ruleset(&AUTO={0x100, 0x0}, AUTO, 0x0)
r1 = openat$dir(0xffffffffffffff9c, &AUTO='./file0\x00', 0x200000, 0x0)
landlock_add_rule$LANDLOCK_RULE_PATH_BENEATH(r0, AUTO, &AUTO={0x100, r1}, 0x0)
@@ -27,7 +27,7 @@ mknodat(0xffffffffffffff9c, &AUTO='./file1\x00', 0x81c0, 0x0) # EACCES
# Creates a second ruleset to restrict file removal.
-r2 = landlock_create_ruleset(&AUTO={0x20}, AUTO, 0x0)
+r2 = landlock_create_ruleset(&AUTO={0x20, 0x0}, AUTO, 0x0)
r3 = openat$dir(0xffffffffffffff9c, &AUTO='./file0/file0\x00', 0x200000, 0x0)
landlock_add_rule$LANDLOCK_RULE_PATH_BENEATH(r2, AUTO, &AUTO={0x20, r3}, 0x0)
diff --git a/sys/linux/test/landlock_ptrace b/sys/linux/test/landlock_ptrace
index ad63f3e5c..aca5afa79 100644
--- a/sys/linux/test/landlock_ptrace
+++ b/sys/linux/test/landlock_ptrace
@@ -11,7 +11,7 @@ r0 = syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0)
ptrace(0x10, r0)
ptrace(0x11, r0)
-r1 = landlock_create_ruleset(&AUTO={0x100}, AUTO, 0x0)
+r1 = landlock_create_ruleset(&AUTO={0x100, 0x0}, AUTO, 0x0)
landlock_restrict_self(r1, 0x0)
r2 = syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0)
@@ -22,7 +22,7 @@ ptrace(0x11, r0)
ptrace(0x10, r2)
ptrace(0x11, r2)
-r3 = landlock_create_ruleset(&AUTO={0x100}, AUTO, 0x0)
+r3 = landlock_create_ruleset(&AUTO={0x100, 0x0}, AUTO, 0x0)
landlock_restrict_self(r3, 0x0)
ptrace(0x10, r0)
diff --git a/sys/linux/test/landlock_sb_delete b/sys/linux/test/landlock_sb_delete
index 88f05946a..f81ebeb9d 100644
--- a/sys/linux/test/landlock_sb_delete
+++ b/sys/linux/test/landlock_sb_delete
@@ -13,7 +13,7 @@ mkdirat(0xffffffffffffff9c, &AUTO='./file1\x00', 0x1c0)
# Creates a ruleset with a reference to this mount point.
-r0 = landlock_create_ruleset(&AUTO={0x100}, AUTO, 0x0)
+r0 = landlock_create_ruleset(&AUTO={0x100, 0x0}, AUTO, 0x0)
r1 = openat$dir(0xffffffffffffff9c, &AUTO='./file0\x00', 0x200000, 0x0)
landlock_add_rule$LANDLOCK_RULE_PATH_BENEATH(r0, AUTO, &AUTO={0x100, r1}, 0x0)