xref: /external/minijail/landlock_util.c

/* Copyright 2022 The ChromiumOS Authors
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */

/* Define _GNU_SOURCE because we need O_PATH to resolve correctly. */
#define _GNU_SOURCE

#include "landlock_util.h"

#include <fcntl.h>
#include <sys/stat.h>

#include "util.h"

int landlock_create_ruleset(
    const struct minijail_landlock_ruleset_attr *const attr, const size_t size,
    const __u32 flags)
{
	return syscall(__NR_landlock_create_ruleset, attr, size, flags);
}

int landlock_add_rule(const int ruleset_fd,
		      const enum minijail_landlock_rule_type rule_type,
		      const void *const rule_attr, const __u32 flags)
{
	return syscall(__NR_landlock_add_rule, ruleset_fd, rule_type, rule_attr,
		       flags);
}

int landlock_restrict_self(const int ruleset_fd, const __u32 flags)
{
	return syscall(__NR_landlock_restrict_self, ruleset_fd, flags);
}

bool populate_ruleset_internal(const char *const path, const int ruleset_fd,
			       const uint64_t allowed_access)
{
	struct minijail_landlock_path_beneath_attr path_beneath = {
	    .parent_fd = -1,
	};
	struct stat statbuf;
	attribute_cleanup_fd int parent_fd = open(path, O_PATH | O_CLOEXEC);
	path_beneath.parent_fd = parent_fd;
	if (path_beneath.parent_fd < 0) {
		pwarn("Failed to open \"%s\"", path);
		return false;
	}
	if (fstat(path_beneath.parent_fd, &statbuf)) {
		return false;
	}
	path_beneath.allowed_access = allowed_access;
	if (!S_ISDIR(statbuf.st_mode)) {
		path_beneath.allowed_access &= ACCESS_FILE;
	}
	if (landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
			      &path_beneath, 0)) {
		pwarn("Failed to update ruleset \"%s\"", path);
		return false;
	}
	return true;
}