# Creates one file of each type, enforces a Landlock ruleset that contains no
# rules, then checks that every handled filesystem access fails with EACCES.
# 0xffffffffffffff9c is AT_FDCWD (-100), so all paths are relative to the
# current working directory. Mode 0x1c0 is 0700.
# Makes a character device with the device number of /dev/null (0x103: major 1, minor 3).
# NOTE(review): creating device nodes presumably needs CAP_MKNOD; confirm the test runs with it.
mknodat(0xffffffffffffff9c, &AUTO='./file0\x00', 0x21c0, 0x103)
# Makes a directory.
mkdirat(0xffffffffffffff9c, &AUTO='./file1\x00', 0x1c0)
# Makes a regular file (S_IFREG | 0700).
mknodat(0xffffffffffffff9c, &AUTO='./file2\x00', 0x81c0, 0x0)
# Makes a socket (S_IFSOCK | 0700).
mknodat(0xffffffffffffff9c, &AUTO='./file3\x00', 0xc1c0, 0x0)
# Makes a fifo (S_IFIFO | 0700).
mknodat(0xffffffffffffff9c, &AUTO='./file4\x00', 0x11c0, 0x0)
# Makes a block device with the device number of /dev/loop0 (0x700: major 7, minor 0).
mknodat(0xffffffffffffff9c, &AUTO='./file5\x00', 0x61c0, 0x700)
# Makes a symlink pointing at the regular file.
symlinkat(&AUTO='./file2\x00', 0xffffffffffffff9c, &AUTO='./file6\x00')
# Creates a ruleset that handles the 13 access rights checked below
# (0x1fff sets bits 0-12), not only file creation. No landlock_add_rule call
# follows, so nothing is allowed back and every handled access is denied.
r0 = landlock_create_ruleset(&AUTO={0x1fff, 0x0, 0x0}, AUTO, 0x0)
# Sets no_new_privs (0x26 is PR_SET_NO_NEW_PRIVS), which landlock_restrict_self
# requires from a caller that lacks CAP_SYS_ADMIN in its user namespace.
prctl$PR_SET_NO_NEW_PRIVS(0x26, 0x1)
# Enforces the ruleset on the calling thread; every call after this line runs
# sandboxed and the restriction cannot be lifted.
landlock_restrict_self(r0, 0x0)
# No need to close this FD for this test.
# Checks LANDLOCK_ACCESS_FS_EXECUTE.
execveat(0xffffffffffffff9c, &AUTO='./file2\x00', 0x0, 0x0, 0x0) # EACCES
# Checks LANDLOCK_ACCESS_FS_WRITE_FILE (flags 0x1 is O_WRONLY).
openat$dir(0xffffffffffffff9c, &AUTO='./file2\x00', 0x1, 0x0) # EACCES
# Checks LANDLOCK_ACCESS_FS_READ_FILE (flags 0x0 is O_RDONLY).
openat$dir(0xffffffffffffff9c, &AUTO='./file2\x00', 0x0, 0x0) # EACCES
# Checks LANDLOCK_ACCESS_FS_READ_DIR (file1 is the directory).
openat$dir(0xffffffffffffff9c, &AUTO='./file1\x00', 0x0, 0x0) # EACCES
# Checks LANDLOCK_ACCESS_FS_REMOVE_DIR (flag 0x200 is AT_REMOVEDIR).
unlinkat(0xffffffffffffff9c, &AUTO='./file1\x00', 0x200) # EACCES
# Checks LANDLOCK_ACCESS_FS_REMOVE_FILE.
unlinkat(0xffffffffffffff9c, &AUTO='./file2\x00', 0x0) # EACCES
# Each MAKE_* check below tries three ways of adding an entry of the given type
# at ./file7: direct creation, rename of the existing file, and hard link to it.
# NOTE(review): each rename presumably also needs the REMOVE_* right on its
# source, so the renameat2 lines may not isolate MAKE_* on their own; confirm.
# Checks LANDLOCK_ACCESS_FS_MAKE_CHAR.
mknodat(0xffffffffffffff9c, &AUTO='./file7\x00', 0x21c0, 0x103) # EACCES
renameat2(0xffffffffffffff9c, &AUTO='./file0\x00', 0xffffffffffffff9c, &AUTO='./file7\x00', 0x0) # EACCES
linkat(0xffffffffffffff9c, &AUTO='./file0\x00', 0xffffffffffffff9c, &AUTO='./file7\x00', 0x0) # EACCES
# Checks LANDLOCK_ACCESS_FS_MAKE_DIR. There is no linkat here: directories
# cannot be hard-linked.
mkdirat(0xffffffffffffff9c, &AUTO='./file7\x00', 0x1c0) # EACCES
renameat2(0xffffffffffffff9c, &AUTO='./file1\x00', 0xffffffffffffff9c, &AUTO='./file7\x00', 0x0) # EACCES
# Checks LANDLOCK_ACCESS_FS_MAKE_REG.
mknodat(0xffffffffffffff9c, &AUTO='./file7\x00', 0x81c0, 0x0) # EACCES
renameat2(0xffffffffffffff9c, &AUTO='./file2\x00', 0xffffffffffffff9c, &AUTO='./file7\x00', 0x0) # EACCES
linkat(0xffffffffffffff9c, &AUTO='./file2\x00', 0xffffffffffffff9c, &AUTO='./file7\x00', 0x0) # EACCES
# Checks LANDLOCK_ACCESS_FS_MAKE_SOCK.
mknodat(0xffffffffffffff9c, &AUTO='./file7\x00', 0xc1c0, 0x0) # EACCES
renameat2(0xffffffffffffff9c, &AUTO='./file3\x00', 0xffffffffffffff9c, &AUTO='./file7\x00', 0x0) # EACCES
linkat(0xffffffffffffff9c, &AUTO='./file3\x00', 0xffffffffffffff9c, &AUTO='./file7\x00', 0x0) # EACCES
# Checks LANDLOCK_ACCESS_FS_MAKE_FIFO.
mknodat(0xffffffffffffff9c, &AUTO='./file7\x00', 0x11c0, 0x0) # EACCES
renameat2(0xffffffffffffff9c, &AUTO='./file4\x00', 0xffffffffffffff9c, &AUTO='./file7\x00', 0x0) # EACCES
linkat(0xffffffffffffff9c, &AUTO='./file4\x00', 0xffffffffffffff9c, &AUTO='./file7\x00', 0x0) # EACCES
# Checks LANDLOCK_ACCESS_FS_MAKE_BLOCK.
mknodat(0xffffffffffffff9c, &AUTO='./file7\x00', 0x61c0, 0x700) # EACCES
renameat2(0xffffffffffffff9c, &AUTO='./file5\x00', 0xffffffffffffff9c, &AUTO='./file7\x00', 0x0) # EACCES
linkat(0xffffffffffffff9c, &AUTO='./file5\x00', 0xffffffffffffff9c, &AUTO='./file7\x00', 0x0) # EACCES
# Checks LANDLOCK_ACCESS_FS_MAKE_SYM. The linkat passes flags 0x0 (no
# AT_SYMLINK_FOLLOW), so it links the symlink ./file6 itself, not its target.
symlinkat(&AUTO='./file2\x00', 0xffffffffffffff9c, &AUTO='./file7\x00') # EACCES
renameat2(0xffffffffffffff9c, &AUTO='./file6\x00', 0xffffffffffffff9c, &AUTO='./file7\x00', 0x0) # EACCES
linkat(0xffffffffffffff9c, &AUTO='./file6\x00', 0xffffffffffffff9c, &AUTO='./file7\x00', 0x0) # EACCES