1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
|
# Copyright 2021 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
include <uapi/linux/landlock.h>
resource fd_ruleset[fd]
landlock_create_ruleset(attr ptr[in, landlock_ruleset_attr], size bytesize[attr], flags flags[landlock_create_ruleset_flags]) fd_ruleset
landlock_add_rule$LANDLOCK_RULE_PATH_BENEATH(ruleset_fd fd_ruleset, rule_type const[LANDLOCK_RULE_PATH_BENEATH], rule_attr ptr[in, landlock_path_beneath_attr], flags const[0])
landlock_add_rule$LANDLOCK_RULE_NET_PORT(ruleset_fd fd_ruleset, rule_type const[LANDLOCK_RULE_NET_PORT], rule_attr ptr[in, landlock_net_port_attr], flags const[0])
landlock_restrict_self(ruleset_fd fd_ruleset, flags flags[landlock_restrict_self_flags])
landlock_ruleset_attr {
handled_access_fs flags[landlock_access_fs_flags, int64]
handled_access_net flags[landlock_access_net_flags, int64]
scoped flags[landlock_scope_flags, int64]
}
landlock_path_beneath_attr {
allowed_access flags[landlock_access_fs_flags, int64]
parent_fd fd
} [packed]
landlock_net_port_attr {
allowed_access flags[landlock_access_net_flags, int64]
port int64
}
# TODO(glider): remove this line once LANDLOCK_ACCESS_FS_IOCTL_DEV hits upstream.
define LANDLOCK_ACCESS_FS_IOCTL_DEV (1ULL << 15)
landlock_create_ruleset_flags = LANDLOCK_CREATE_RULESET_VERSION, LANDLOCK_CREATE_RULESET_ERRATA
landlock_restrict_self_flags = LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF, LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON, LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF
landlock_access_fs_flags = LANDLOCK_ACCESS_FS_EXECUTE, LANDLOCK_ACCESS_FS_WRITE_FILE, LANDLOCK_ACCESS_FS_READ_FILE, LANDLOCK_ACCESS_FS_READ_DIR, LANDLOCK_ACCESS_FS_REMOVE_DIR, LANDLOCK_ACCESS_FS_REMOVE_FILE, LANDLOCK_ACCESS_FS_MAKE_CHAR, LANDLOCK_ACCESS_FS_MAKE_DIR, LANDLOCK_ACCESS_FS_MAKE_REG, LANDLOCK_ACCESS_FS_MAKE_SOCK, LANDLOCK_ACCESS_FS_MAKE_FIFO, LANDLOCK_ACCESS_FS_MAKE_BLOCK, LANDLOCK_ACCESS_FS_MAKE_SYM, LANDLOCK_ACCESS_FS_REFER, LANDLOCK_ACCESS_FS_TRUNCATE, LANDLOCK_ACCESS_FS_IOCTL_DEV
landlock_access_net_flags = LANDLOCK_ACCESS_NET_BIND_TCP, LANDLOCK_ACCESS_NET_CONNECT_TCP
landlock_scope_flags = LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET, LANDLOCK_SCOPE_SIGNAL
|
