From bbd4e0a400943c9e45e1249ace6c202162a23bae Mon Sep 17 00:00:00 2001 From: Mickaël Salaün Date: Mon, 30 Sep 2024 10:36:22 +0200 Subject: sys/linux: add Landlock scopes for Linux 6.12 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add new the landlock_ruleset_attr's "scoped" field and related flags for Linux 6.12: LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET and LANDLOCK_SCOPE_SIGNAL. Update tests with the new landlock_ruleset_attr's field. Signed-off-by: Mickaël Salaün --- sys/linux/landlock.txt | 3 +++ sys/linux/landlock.txt.const | 2 ++ sys/linux/test/landlock_fs_accesses | 2 +- sys/linux/test/landlock_fs_forbidden | 2 +- sys/linux/test/landlock_fs_ioctl | 2 +- sys/linux/test/landlock_fs_reparent | 2 +- sys/linux/test/landlock_fs_truncate | 2 +- sys/linux/test/landlock_layers | 4 ++-- sys/linux/test/landlock_ptrace | 4 ++-- sys/linux/test/landlock_sb_delete | 2 +- 10 files changed, 15 insertions(+), 10 deletions(-) (limited to 'sys/linux') diff --git a/sys/linux/landlock.txt b/sys/linux/landlock.txt index 7452275f9..6a1500212 100644 --- a/sys/linux/landlock.txt +++ b/sys/linux/landlock.txt @@ -16,6 +16,7 @@ landlock_restrict_self(ruleset_fd fd_ruleset, flags const[0]) landlock_ruleset_attr { handled_access_fs flags[landlock_access_fs_flags, int64] handled_access_net flags[landlock_access_net_flags, int64] + scoped flags[landlock_scope_flags, int64] } landlock_path_beneath_attr { 
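Review bot: The new `scoped` member of `landlock_ruleset_attr` in the first landlock.txt hunk has no comment stating its kernel requirement, although the commit message ties it to Linux 6.12. The field enlarges the struct, so generated landlock_create_ruleset calls will presumably pass the longer attribute, and kernels older than 6.12 are expected to reject a call whose extra bytes are non-zero. This is inferred, because the size argument is defined outside this hunk. I would add a line above the struct such as `# scoped: since Linux 6.12; older kernels are expected to reject a non-zero value.` so that someone triaging failed landlock_create_ruleset calls on a stable tree knows why.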
@@ -34,3 +35,5 @@ define LANDLOCK_ACCESS_FS_IOCTL_DEV (1ULL << 15) landlock_access_fs_flags = LANDLOCK_ACCESS_FS_EXECUTE, LANDLOCK_ACCESS_FS_WRITE_FILE, LANDLOCK_ACCESS_FS_READ_FILE, LANDLOCK_ACCESS_FS_READ_DIR, LANDLOCK_ACCESS_FS_REMOVE_DIR, LANDLOCK_ACCESS_FS_REMOVE_FILE, LANDLOCK_ACCESS_FS_MAKE_CHAR, LANDLOCK_ACCESS_FS_MAKE_DIR, LANDLOCK_ACCESS_FS_MAKE_REG, LANDLOCK_ACCESS_FS_MAKE_SOCK, LANDLOCK_ACCESS_FS_MAKE_FIFO, LANDLOCK_ACCESS_FS_MAKE_BLOCK, LANDLOCK_ACCESS_FS_MAKE_SYM, LANDLOCK_ACCESS_FS_REFER, LANDLOCK_ACCESS_FS_TRUNCATE, LANDLOCK_ACCESS_FS_IOCTL_DEV landlock_access_net_flags = LANDLOCK_ACCESS_NET_BIND_TCP, LANDLOCK_ACCESS_NET_CONNECT_TCP + +landlock_scope_flags = LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET, LANDLOCK_SCOPE_SIGNAL diff --git a/sys/linux/landlock.txt.const b/sys/linux/landlock.txt.const index 1fce9aa48..142c76bf1 100644 --- a/sys/linux/landlock.txt.const +++ b/sys/linux/landlock.txt.const @@ -20,6 +20,8 @@ LANDLOCK_ACCESS_NET_BIND_TCP = 1 LANDLOCK_ACCESS_NET_CONNECT_TCP = 2 LANDLOCK_RULE_NET_PORT = 2 LANDLOCK_RULE_PATH_BENEATH = 1 +LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET = 1 +LANDLOCK_SCOPE_SIGNAL = 2 __NR_landlock_add_rule = 445, mips64le:5445 __NR_landlock_create_ruleset = 444, mips64le:5444 __NR_landlock_restrict_self = 446, mips64le:5446 diff --git a/sys/linux/test/landlock_fs_accesses b/sys/linux/test/landlock_fs_accesses index 18a8cb983..933ba5667 100644 --- a/sys/linux/test/landlock_fs_accesses +++ b/sys/linux/test/landlock_fs_accesses @@ -33,7 +33,7 @@ symlinkat(&AUTO='./file2\x00', 0xffffffffffffff9c, &AUTO='./file6\x00') # Creates a ruleset to restrict all kind of file creation. -r0 = landlock_create_ruleset(&AUTO={0x1fff, 0x0}, AUTO, 0x0) +r0 = landlock_create_ruleset(&AUTO={0x1fff, 0x0, 0x0}, AUTO, 0x0) prctl$PR_SET_NO_NEW_PRIVS(0x26, 0x1) landlock_restrict_self(r0, 0x0) diff --git a/sys/linux/test/landlock_fs_forbidden b/sys/linux/test/landlock_fs_forbidden index f45c34af3..26c272ab9 100644 --- a/sys/linux/test/landlock_fs_forbidden 
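Review bot: The updated landlock_create_ruleset call in landlock_fs_accesses passes 0x0 as the new third member, so it never enables LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET or LANDLOCK_SCOPE_SIGNAL. The same holds for the hunks in landlock_fs_forbidden, landlock_fs_ioctl, landlock_fs_reparent, landlock_fs_truncate, landlock_layers, landlock_ptrace and landlock_sb_delete. A mistake in how the description encodes the field (offset, width or flag values) would therefore not be caught by any of these programs. I would add a small program under sys/linux/test that creates a scoped ruleset, for example `r0 = landlock_create_ruleset(&AUTO={0x0, 0x0, 0x3}, AUTO, 0x0)`, restricts itself and then checks that the scoped operation is denied. Whether the kernel accepts a ruleset with only scope bits set should be confirmed on 6.12, and the test programs continue outside these hunks.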
+++ b/sys/linux/test/landlock_fs_forbidden @@ -14,7 +14,7 @@ mkdirat(0xffffffffffffff9c, &AUTO='./file0/file1\x00', 0x1c0) # Creates a first ruleset to restrict execution. -r0 = landlock_create_ruleset(&AUTO={0x1, 0x0}, AUTO, 0x0) +r0 = landlock_create_ruleset(&AUTO={0x1, 0x0, 0x0}, AUTO, 0x0) prctl$PR_SET_NO_NEW_PRIVS(0x26, 0x1) landlock_restrict_self(r0, 0x0) diff --git a/sys/linux/test/landlock_fs_ioctl b/sys/linux/test/landlock_fs_ioctl index 35c16ef0e..2c2549347 100644 --- a/sys/linux/test/landlock_fs_ioctl +++ b/sys/linux/test/landlock_fs_ioctl @@ -4,7 +4,7 @@ mknodat(0xffffffffffffff9c, &AUTO='./file0\x00', 0x81c0, 0x0) # Creates a ruleset to restrict most filesystem IOCTLs: LANDLOCK_ACCESS_FS_IOCTL_DEV. -r0 = landlock_create_ruleset(&AUTO={0x8000, 0x0}, AUTO, 0x0) +r0 = landlock_create_ruleset(&AUTO={0x8000, 0x0, 0x0}, AUTO, 0x0) # No need to close FDs for this test. diff --git a/sys/linux/test/landlock_fs_reparent b/sys/linux/test/landlock_fs_reparent index 20934003d..b6498edab 100644 --- a/sys/linux/test/landlock_fs_reparent +++ b/sys/linux/test/landlock_fs_reparent @@ -12,7 +12,7 @@ mkdirat(0xffffffffffffff9c, &AUTO='./file1/file4/file7\x00', 0x1c0) # Creates a ruleset to restrict file linking/renaming and execution (to get an extra access right). -r0 = landlock_create_ruleset(&AUTO={0x2001, 0x0}, AUTO, 0x0) +r0 = landlock_create_ruleset(&AUTO={0x2001, 0x0, 0x0}, AUTO, 0x0) # Allows link and rename from and to file1. diff --git a/sys/linux/test/landlock_fs_truncate b/sys/linux/test/landlock_fs_truncate index dd5986d0a..7429d74b3 100644 --- a/sys/linux/test/landlock_fs_truncate +++ b/sys/linux/test/landlock_fs_truncate @@ -10,7 +10,7 @@ r1 = openat$dir(0xffffffffffffff9c, &AUTO='./file1\x00', 0x1, 0x0) # Creates a ruleset to restrict file truncation: LANDLOCK_ACCESS_FS_TRUNCATE. -r2 = landlock_create_ruleset(&AUTO={0x4000, 0x0}, AUTO, 0x0) +r2 = landlock_create_ruleset(&AUTO={0x4000, 0x0, 0x0}, AUTO, 0x0) # Allows truncation of file1. 
diff --git a/sys/linux/test/landlock_layers b/sys/linux/test/landlock_layers index 166a4a930..ddd09bc4f 100644 --- a/sys/linux/test/landlock_layers +++ b/sys/linux/test/landlock_layers @@ -5,7 +5,7 @@ mkdirat(0xffffffffffffff9c, &AUTO='./file0/file0\x00', 0x1c0) # Creates a first ruleset to restrict file creation. -r0 = landlock_create_ruleset(&AUTO={0x100, 0x0}, AUTO, 0x0) +r0 = landlock_create_ruleset(&AUTO={0x100, 0x0, 0x0}, AUTO, 0x0) r1 = openat$dir(0xffffffffffffff9c, &AUTO='./file0\x00', 0x200000, 0x0) landlock_add_rule$LANDLOCK_RULE_PATH_BENEATH(r0, AUTO, &AUTO={0x100, r1}, 0x0) @@ -27,7 +27,7 @@ mknodat(0xffffffffffffff9c, &AUTO='./file1\x00', 0x81c0, 0x0) # EACCES # Creates a second ruleset to restrict file removal. -r2 = landlock_create_ruleset(&AUTO={0x20, 0x0}, AUTO, 0x0) +r2 = landlock_create_ruleset(&AUTO={0x20, 0x0, 0x0}, AUTO, 0x0) r3 = openat$dir(0xffffffffffffff9c, &AUTO='./file0/file0\x00', 0x200000, 0x0) landlock_add_rule$LANDLOCK_RULE_PATH_BENEATH(r2, AUTO, &AUTO={0x20, r3}, 0x0) diff --git a/sys/linux/test/landlock_ptrace b/sys/linux/test/landlock_ptrace index aca5afa79..e401b6344 100644 --- a/sys/linux/test/landlock_ptrace +++ b/sys/linux/test/landlock_ptrace @@ -11,7 +11,7 @@ r0 = syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0) ptrace(0x10, r0) ptrace(0x11, r0) -r1 = landlock_create_ruleset(&AUTO={0x100, 0x0}, AUTO, 0x0) +r1 = landlock_create_ruleset(&AUTO={0x100, 0x0, 0x0}, AUTO, 0x0) landlock_restrict_self(r1, 0x0) r2 = syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0) @@ -22,7 +22,7 @@ ptrace(0x11, r0) ptrace(0x10, r2) ptrace(0x11, r2) -r3 = landlock_create_ruleset(&AUTO={0x100, 0x0}, AUTO, 0x0) +r3 = landlock_create_ruleset(&AUTO={0x100, 0x0, 0x0}, AUTO, 0x0) landlock_restrict_self(r3, 0x0) ptrace(0x10, r0) diff --git a/sys/linux/test/landlock_sb_delete b/sys/linux/test/landlock_sb_delete index f81ebeb9d..a45042b8a 100644 --- a/sys/linux/test/landlock_sb_delete +++ b/sys/linux/test/landlock_sb_delete 
@@ -13,7 +13,7 @@ mkdirat(0xffffffffffffff9c, &AUTO='./file1\x00', 0x1c0) # Creates a ruleset with a reference to this mount point. -r0 = landlock_create_ruleset(&AUTO={0x100, 0x0}, AUTO, 0x0) +r0 = landlock_create_ruleset(&AUTO={0x100, 0x0, 0x0}, AUTO, 0x0) r1 = openat$dir(0xffffffffffffff9c, &AUTO='./file0\x00', 0x200000, 0x0) landlock_add_rule$LANDLOCK_RULE_PATH_BENEATH(r0, AUTO, &AUTO={0x100, r1}, 0x0) -- cgit mrf-deployment