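/* Copyright 2022 The ChromiumOS Authors
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */

/*
 * Landlock functions and constants.
 *
 * Declares thin wrappers around the three Landlock syscalls, plus named
 * groups of LANDLOCK_ACCESS_FS_* rights that callers combine when building
 * a filesystem ruleset.
 */

#ifndef _LANDLOCK_UTIL_H_
#define _LANDLOCK_UTIL_H_

#include <asm/unistd.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#include "landlock.h"

#ifdef __cplusplus
extern "C" {
#endif

/*
 * Fallback syscall numbers, used only when <asm/unistd.h> does not already
 * define them (i.e. when building against kernel headers that predate
 * Landlock).
 *
 * NOTE(review): 444-446 match the unified syscall table; confirm them for any
 * target architecture that keeps its own numbering, since a wrong fallback
 * would issue a different syscall instead of failing cleanly.
 */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#endif

#ifndef __NR_landlock_add_rule
#define __NR_landlock_add_rule 445
#endif

#ifndef __NR_landlock_restrict_self
#define __NR_landlock_restrict_self 446
#endif

/* Read-only access: read files and list directories. */
#define ACCESS_FS_ROUGHLY_READ (		\
	LANDLOCK_ACCESS_FS_READ_FILE |		\
	LANDLOCK_ACCESS_FS_READ_DIR)

/* ACCESS_FS_ROUGHLY_READ plus the right to execute files. */
#define ACCESS_FS_ROUGHLY_READ_EXECUTE (	\
	LANDLOCK_ACCESS_FS_EXECUTE |		\
	LANDLOCK_ACCESS_FS_READ_FILE |		\
	LANDLOCK_ACCESS_FS_READ_DIR)

/*
 * ACCESS_FS_ROUGHLY_EDIT plus creation of directories and regular files.
 * Does not include creation of special files (devices, sockets, FIFOs,
 * symlinks).
 */
#define ACCESS_FS_ROUGHLY_BASIC_WRITE (		\
	LANDLOCK_ACCESS_FS_WRITE_FILE |		\
	LANDLOCK_ACCESS_FS_REMOVE_DIR |		\
	LANDLOCK_ACCESS_FS_REMOVE_FILE |	\
	LANDLOCK_ACCESS_FS_MAKE_DIR |		\
	LANDLOCK_ACCESS_FS_MAKE_REG)

/* Modify and remove existing entries; carries no MAKE_* creation rights. */
#define ACCESS_FS_ROUGHLY_EDIT (		\
	LANDLOCK_ACCESS_FS_WRITE_FILE |		\
	LANDLOCK_ACCESS_FS_REMOVE_DIR |		\
	LANDLOCK_ACCESS_FS_REMOVE_FILE)

/*
 * Every write-side right listed in this header, including creation of
 * character/block device nodes, sockets, FIFOs and symlinks. This is the
 * broadest write group; prefer ACCESS_FS_ROUGHLY_BASIC_WRITE or
 * ACCESS_FS_ROUGHLY_EDIT when special files are not needed.
 */
#define ACCESS_FS_ROUGHLY_FULL_WRITE (		\
	LANDLOCK_ACCESS_FS_WRITE_FILE |		\
	LANDLOCK_ACCESS_FS_REMOVE_DIR |		\
	LANDLOCK_ACCESS_FS_REMOVE_FILE |	\
	LANDLOCK_ACCESS_FS_MAKE_CHAR |		\
	LANDLOCK_ACCESS_FS_MAKE_DIR |		\
	LANDLOCK_ACCESS_FS_MAKE_REG |		\
	LANDLOCK_ACCESS_FS_MAKE_SOCK |		\
	LANDLOCK_ACCESS_FS_MAKE_FIFO |		\
	LANDLOCK_ACCESS_FS_MAKE_BLOCK |		\
	LANDLOCK_ACCESS_FS_MAKE_SYM)

/*
 * Execute, write and read rights on a file.
 *
 * NOTE(review): presumably used to mask a requested access set down to the
 * rights that are valid when the rule target is a file rather than a
 * directory - confirm against the callers.
 */
#define ACCESS_FILE (				\
	LANDLOCK_ACCESS_FS_EXECUTE |		\
	LANDLOCK_ACCESS_FS_WRITE_FILE |		\
	LANDLOCK_ACCESS_FS_READ_FILE)

/*
 * Union of ACCESS_FS_ROUGHLY_READ_EXECUTE and ACCESS_FS_ROUGHLY_FULL_WRITE.
 *
 * NOTE(review): presumably passed as the ruleset's handled access set. In
 * Landlock, an access type that a ruleset does not handle is not restricted
 * by that ruleset, so any LANDLOCK_ACCESS_FS_* right absent from this mask
 * (for instance rights introduced by later Landlock ABI versions, if
 * landlock.h defines them) stays allowed after the sandbox is applied.
 * Extending the mask needs an ABI-version check, because older kernels are
 * expected to reject unknown bits - confirm against the implementation.
 */
#define HANDLED_ACCESS_TYPES (ACCESS_FS_ROUGHLY_READ_EXECUTE |	\
			      ACCESS_FS_ROUGHLY_FULL_WRITE)

/*
 * Performs Landlock create ruleset syscall.
 *
 * attr:  ruleset attributes.
 * size:  size of the structure pointed to by attr.
 * flags: flags forwarded to the syscall.
 *
 * Returns the ruleset file descriptor on success, returns an error code
 * otherwise.
 *
 * NOTE(review): whether failure is reported as -1 with errno set or as a
 * negative errno value is not visible in this header; callers should treat
 * any negative result as failure and must not use it as a descriptor.
 */
extern int landlock_create_ruleset(const struct
				   minijail_landlock_ruleset_attr *const attr,
				   const size_t size, const __u32 flags);

/*
 * Performs Landlock add rule syscall.
 *
 * ruleset_fd: ruleset file descriptor to add the rule to.
 * rule_type:  kind of rule being added.
 * rule_attr:  type-erased pointer to the rule attributes; presumably it must
 *             point to the structure that matches rule_type - confirm
 *             against the implementation.
 * flags:      flags forwarded to the syscall.
 */
extern int landlock_add_rule(const int ruleset_fd,
			     const enum minijail_landlock_rule_type rule_type,
			     const void *const rule_attr, const __u32 flags);

/*
 * Performs Landlock restrict self syscall.
 *
 * NOTE(review): the underlying syscall is refused unless the calling thread
 * has no_new_privs set or holds CAP_SYS_ADMIN in its user namespace. The
 * return value must be checked: if it is ignored, a failed call leaves the
 * process running unrestricted.
 */
extern int landlock_restrict_self(const int ruleset_fd,
				  const __u32 flags);

/*
 * Populates the landlock ruleset for a path and any needed paths beneath.
 *
 * path:           filesystem path the rule applies to.
 * ruleset_fd:     ruleset file descriptor to populate.
 * allowed_access: bitmask of LANDLOCK_ACCESS_FS_* rights to allow.
 *
 * NOTE(review): the meaning of the bool result (presumably true on success)
 * is not visible in this header - confirm against the implementation.
 */
extern bool populate_ruleset_internal(const char *const path,
				      const int ruleset_fd,
				      const uint64_t allowed_access);

#ifdef __cplusplus
} /* extern "C" */
#endif

#endif /* _LANDLOCK_UTIL_H_ */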