1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (C) 2024 SUSE LLC Andrea Cervesato <andrea.cervesato@suse.com>
4 */
5
6 #ifndef LAPI_LANDLOCK_H__
7 #define LAPI_LANDLOCK_H__
8
9 #include "config.h"
10 #include <stdint.h>
11
12 #ifdef HAVE_LINUX_LANDLOCK_H
13 # include <linux/landlock.h>
14 #endif
15
16 #include "lapi/syscalls.h"
17
18 struct tst_landlock_ruleset_attr_abi1
19 {
20 uint64_t handled_access_fs;
21 };
22
23 struct tst_landlock_ruleset_attr_abi4
24 {
25 uint64_t handled_access_fs;
26 uint64_t handled_access_net;
27 };
28
29 #ifndef HAVE_STRUCT_LANDLOCK_PATH_BENEATH_ATTR
30 struct landlock_path_beneath_attr
31 {
32 uint64_t allowed_access;
33 int32_t parent_fd;
34 } __attribute__((packed));
35 #endif
36
37 #if !HAVE_DECL_LANDLOCK_RULE_PATH_BENEATH
38 # define LANDLOCK_RULE_PATH_BENEATH 1
39 #endif
40
41 #if !HAVE_DECL_LANDLOCK_RULE_NET_PORT
42 # define LANDLOCK_RULE_NET_PORT 2
43 #endif
44
45 #ifndef HAVE_STRUCT_LANDLOCK_NET_PORT_ATTR
46 struct landlock_net_port_attr
47 {
48 uint64_t allowed_access;
49 uint64_t port;
50 };
51 #endif
52
53 #ifndef LANDLOCK_CREATE_RULESET_VERSION
54 # define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
55 #endif
56
57 #ifndef LANDLOCK_ACCESS_FS_EXECUTE
58 # define LANDLOCK_ACCESS_FS_EXECUTE (1ULL << 0)
59 #endif
60
61 #ifndef LANDLOCK_ACCESS_FS_WRITE_FILE
62 # define LANDLOCK_ACCESS_FS_WRITE_FILE (1ULL << 1)
63 #endif
64
65 #ifndef LANDLOCK_ACCESS_FS_READ_FILE
66 # define LANDLOCK_ACCESS_FS_READ_FILE (1ULL << 2)
67 #endif
68
69 #ifndef LANDLOCK_ACCESS_FS_READ_DIR
70 # define LANDLOCK_ACCESS_FS_READ_DIR (1ULL << 3)
71 #endif
72
73 #ifndef LANDLOCK_ACCESS_FS_REMOVE_DIR
74 # define LANDLOCK_ACCESS_FS_REMOVE_DIR (1ULL << 4)
75 #endif
76
77 #ifndef LANDLOCK_ACCESS_FS_REMOVE_FILE
78 # define LANDLOCK_ACCESS_FS_REMOVE_FILE (1ULL << 5)
79 #endif
80
81 #ifndef LANDLOCK_ACCESS_FS_MAKE_CHAR
82 # define LANDLOCK_ACCESS_FS_MAKE_CHAR (1ULL << 6)
83 #endif
84
85 #ifndef LANDLOCK_ACCESS_FS_MAKE_DIR
86 # define LANDLOCK_ACCESS_FS_MAKE_DIR (1ULL << 7)
87 #endif
88
89 #ifndef LANDLOCK_ACCESS_FS_MAKE_REG
90 # define LANDLOCK_ACCESS_FS_MAKE_REG (1ULL << 8)
91 #endif
92
93 #ifndef LANDLOCK_ACCESS_FS_MAKE_SOCK
94 # define LANDLOCK_ACCESS_FS_MAKE_SOCK (1ULL << 9)
95 #endif
96
97 #ifndef LANDLOCK_ACCESS_FS_MAKE_FIFO
98 # define LANDLOCK_ACCESS_FS_MAKE_FIFO (1ULL << 10)
99 #endif
100
101 #ifndef LANDLOCK_ACCESS_FS_MAKE_BLOCK
102 # define LANDLOCK_ACCESS_FS_MAKE_BLOCK (1ULL << 11)
103 #endif
104
105 #ifndef LANDLOCK_ACCESS_FS_MAKE_SYM
106 # define LANDLOCK_ACCESS_FS_MAKE_SYM (1ULL << 12)
107 #endif
108
109 #ifndef LANDLOCK_ACCESS_FS_REFER
110 # define LANDLOCK_ACCESS_FS_REFER (1ULL << 13)
111 #endif
112
113 #ifndef LANDLOCK_ACCESS_FS_TRUNCATE
114 # define LANDLOCK_ACCESS_FS_TRUNCATE (1ULL << 14)
115 #endif
116
117 #ifndef LANDLOCK_ACCESS_FS_IOCTL_DEV
118 # define LANDLOCK_ACCESS_FS_IOCTL_DEV (1ULL << 15)
119 #endif
120
121 #ifndef LANDLOCK_ACCESS_NET_BIND_TCP
122 # define LANDLOCK_ACCESS_NET_BIND_TCP (1ULL << 0)
123 #endif
124
125 #ifndef LANDLOCK_ACCESS_NET_CONNECT_TCP
126 # define LANDLOCK_ACCESS_NET_CONNECT_TCP (1ULL << 1)
127 #endif
128
safe_landlock_create_ruleset(const char * file,const int lineno,const void * attr,size_t size,uint32_t flags)129 static inline int safe_landlock_create_ruleset(const char *file, const int lineno,
130 const void *attr, size_t size , uint32_t flags)
131 {
132 int rval;
133
134 rval = tst_syscall(__NR_landlock_create_ruleset, attr, size, flags);
135 if (rval == -1) {
136 tst_brk_(file, lineno, TBROK | TERRNO,
137 "landlock_create_ruleset(%p, %zi, %u)",
138 attr, size, flags);
139 } else if (rval < 0) {
140 tst_brk_(file, lineno, TBROK | TERRNO,
141 "Invalid landlock_create_ruleset(%p, %lu, %u) return value %d",
142 attr, size, flags, rval);
143 }
144
145 return rval;
146 }
147
safe_landlock_add_rule(const char * file,const int lineno,int ruleset_fd,int rule_type,const void * rule_attr,uint32_t flags)148 static inline int safe_landlock_add_rule(const char *file, const int lineno,
149 int ruleset_fd, int rule_type, const void *rule_attr, uint32_t flags)
150 {
151 int rval;
152
153 rval = tst_syscall(__NR_landlock_add_rule,
154 ruleset_fd, rule_type, rule_attr, flags);
155
156 if (rval == -1) {
157 tst_brk_(file, lineno, TBROK | TERRNO,
158 "landlock_add_rule(%d, %d, %p, %u)",
159 ruleset_fd, rule_type, rule_attr, flags);
160 } else if (rval < 0) {
161 tst_brk_(file, lineno, TBROK | TERRNO,
162 "Invalid landlock_add_rule(%d, %d, %p, %u) return value %d",
163 ruleset_fd, rule_type, rule_attr, flags, rval);
164 }
165
166 return rval;
167 }
168
safe_landlock_restrict_self(const char * file,const int lineno,int ruleset_fd,int flags)169 static inline int safe_landlock_restrict_self(const char *file, const int lineno,
170 int ruleset_fd, int flags)
171 {
172 int rval;
173
174 rval = tst_syscall(__NR_landlock_restrict_self, ruleset_fd, flags);
175 if (rval == -1) {
176 tst_brk_(file, lineno, TBROK | TERRNO,
177 "landlock_restrict_self(%d, %u)",
178 ruleset_fd, flags);
179 } else if (rval < 0) {
180 tst_brk_(file, lineno, TBROK | TERRNO,
181 "Invalid landlock_restrict_self(%d, %u) return value %d",
182 ruleset_fd, flags, rval);
183 }
184
185 return rval;
186 }
187
188 #define SAFE_LANDLOCK_CREATE_RULESET(attr, size, flags) \
189 safe_landlock_create_ruleset(__FILE__, __LINE__, (attr), (size), (flags))
190
191 #define SAFE_LANDLOCK_ADD_RULE(ruleset_fd, rule_type, rule_attr, flags) \
192 safe_landlock_add_rule(__FILE__, __LINE__, \
193 (ruleset_fd), (rule_type), (rule_attr), (flags))
194
195 #define SAFE_LANDLOCK_RESTRICT_SELF(ruleset_fd, flags) \
196 safe_landlock_restrict_self(__FILE__, __LINE__, (ruleset_fd), (flags))
197
198 #endif
199