1 /* Copyright 2022 The ChromiumOS Authors
2  * Use of this source code is governed by a BSD-style license that can be
3  * found in the LICENSE file.
4  */
5 
6 /*
7  * Landlock functions and constants.
8  */
9 
10 #ifndef _LANDLOCK_UTIL_H_
11 #define _LANDLOCK_UTIL_H_
12 
13 #include <asm/unistd.h>
14 #include <stdbool.h>
15 #include <stddef.h>
16 #include <stdint.h>
17 
18 #include "landlock.h"
19 
20 
21 #ifdef __cplusplus
22 extern "C" {
23 #endif
24 
/*
 * Fallback numbers for the three Landlock syscalls. Each one is defined
 * only when nothing included earlier (normally <asm/unistd.h>) already
 * provides it.
 *
 * NOTE(review): 444-446 match the kernel's common syscall numbering. On an
 * architecture that numbers its syscalls differently, these fallbacks would
 * make the wrappers invoke some other syscall -- confirm for every
 * supported target.
 */
#if !defined(__NR_landlock_create_ruleset)
#define __NR_landlock_create_ruleset 444
#endif

#if !defined(__NR_landlock_add_rule)
#define __NR_landlock_add_rule 445
#endif

#if !defined(__NR_landlock_restrict_self)
#define __NR_landlock_restrict_self 446
#endif
36 
/*
 * Groups of Landlock filesystem access rights. Every mask is a bitwise OR
 * of LANDLOCK_ACCESS_FS_* flags; the larger masks are expressed in terms of
 * the smaller ones so that the relationship between them stays visible.
 */

/* Read file contents and list directories. */
#define ACCESS_FS_ROUGHLY_READ \
	(LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR)

/* ACCESS_FS_ROUGHLY_READ plus the right to execute files. */
#define ACCESS_FS_ROUGHLY_READ_EXECUTE \
	(LANDLOCK_ACCESS_FS_EXECUTE | ACCESS_FS_ROUGHLY_READ)

/* Write to files and remove files or directories; holds no MAKE_* right. */
#define ACCESS_FS_ROUGHLY_EDIT \
	(LANDLOCK_ACCESS_FS_WRITE_FILE | \
	 LANDLOCK_ACCESS_FS_REMOVE_DIR | \
	 LANDLOCK_ACCESS_FS_REMOVE_FILE)

/* ACCESS_FS_ROUGHLY_EDIT plus creating directories and regular files. */
#define ACCESS_FS_ROUGHLY_BASIC_WRITE \
	(ACCESS_FS_ROUGHLY_EDIT | \
	 LANDLOCK_ACCESS_FS_MAKE_DIR | \
	 LANDLOCK_ACCESS_FS_MAKE_REG)

/*
 * ACCESS_FS_ROUGHLY_BASIC_WRITE plus creating character devices, sockets,
 * FIFOs, block devices and symbolic links.
 */
#define ACCESS_FS_ROUGHLY_FULL_WRITE \
	(ACCESS_FS_ROUGHLY_BASIC_WRITE | \
	 LANDLOCK_ACCESS_FS_MAKE_CHAR | \
	 LANDLOCK_ACCESS_FS_MAKE_SOCK | \
	 LANDLOCK_ACCESS_FS_MAKE_FIFO | \
	 LANDLOCK_ACCESS_FS_MAKE_BLOCK | \
	 LANDLOCK_ACCESS_FS_MAKE_SYM)

/*
 * Execute, write and read: the rights in this header that do not name a
 * directory operation.
 * NOTE(review): presumably used to trim a rule when the path is a file
 * rather than a directory -- confirm in the implementation.
 */
#define ACCESS_FILE \
	(LANDLOCK_ACCESS_FS_EXECUTE | \
	 LANDLOCK_ACCESS_FS_WRITE_FILE | \
	 LANDLOCK_ACCESS_FS_READ_FILE)

/*
 * Union of the read/execute and full-write groups, i.e. every right named
 * in this header.
 * NOTE(review): presumably the handled-access mask given to
 * landlock_create_ruleset() -- confirm at the call site. Landlock only
 * enforces rights that a ruleset declares as handled, so a right missing
 * from this mask is outside that ruleset's control; revisit the mask when
 * adopting rights from newer Landlock ABI versions.
 */
#define HANDLED_ACCESS_TYPES \
	(ACCESS_FS_ROUGHLY_READ_EXECUTE | ACCESS_FS_ROUGHLY_FULL_WRITE)
77 
/*
 * Wrapper for the landlock_create_ruleset syscall.
 *
 * Returns the file descriptor of the new ruleset on success and an error
 * code otherwise.
 * NOTE(review): this header does not say whether failure is -1 with errno
 * set or a negative error code -- confirm in the implementation, and check
 * the result before using it as a descriptor.
 */
int landlock_create_ruleset(
	const struct minijail_landlock_ruleset_attr *const attr,
	const size_t size, const __u32 flags);
87 
/*
 * Wrapper for the landlock_add_rule syscall: adds one rule, given by
 * rule_attr and interpreted according to rule_type, to the ruleset behind
 * ruleset_fd.
 * NOTE(review): the return convention is not documented in this header;
 * presumably a negative value signals failure -- confirm in the
 * implementation.
 */
int landlock_add_rule(
	const int ruleset_fd,
	const enum minijail_landlock_rule_type rule_type,
	const void *const rule_attr, const __u32 flags);
92 
/*
 * Wrapper for the landlock_restrict_self syscall, which applies the ruleset
 * behind ruleset_fd to the calling thread.
 *
 * The underlying syscall requires the calling thread to have no_new_privs
 * set or to hold CAP_SYS_ADMIN in its user namespace.
 * NOTE(review): whether this wrapper or its caller arranges that is not
 * visible here, and the return convention is undocumented -- confirm both
 * in the implementation.
 */
int landlock_restrict_self(const int ruleset_fd, const __u32 flags);
96 
/*
 * Fills the Landlock ruleset behind ruleset_fd with rules granting
 * allowed_access on path and on any paths beneath it that need a rule.
 * NOTE(review): the meaning of the bool result is not documented in this
 * header; presumably true means every rule was added -- confirm in the
 * implementation and check it at each call site.
 */
bool populate_ruleset_internal(
	const char *const path,
	const int ruleset_fd,
	const uint64_t allowed_access);
101 
102 #ifdef __cplusplus
103 }; /* extern "C" */
104 #endif
105 
106 #endif /* _LANDLOCK_UTIL_H_ */
107