1 /* Copyright 2022 The ChromiumOS Authors 2 * Use of this source code is governed by a BSD-style license that can be 3 * found in the LICENSE file. 4 */ 5 6 /* 7 * Landlock functions and constants. 8 */ 9 10 #ifndef _LANDLOCK_UTIL_H_ 11 #define _LANDLOCK_UTIL_H_ 12 13 #include <asm/unistd.h> 14 #include <stdbool.h> 15 #include <stddef.h> 16 #include <stdint.h> 17 18 #include "landlock.h" 19 20 #ifdef __cplusplus 21 extern "C" { 22 #endif 23 24 #ifndef __NR_landlock_create_ruleset 25 #define __NR_landlock_create_ruleset 444 26 #endif 27 28 #ifndef __NR_landlock_add_rule 29 #define __NR_landlock_add_rule 445 30 #endif 31 32 #ifndef __NR_landlock_restrict_self 33 #define __NR_landlock_restrict_self 446 34 #endif 35 36 #define ACCESS_FS_ROUGHLY_READ \ 37 (LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR) 38 39 #define ACCESS_FS_ROUGHLY_READ_EXECUTE \ 40 (LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_READ_FILE | \ 41 LANDLOCK_ACCESS_FS_READ_DIR) 42 43 #define ACCESS_FS_ROUGHLY_BASIC_WRITE \ 44 (LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | \ 45 LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_MAKE_DIR | \ 46 LANDLOCK_ACCESS_FS_MAKE_REG) 47 48 #define ACCESS_FS_ROUGHLY_EDIT \ 49 (LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | \ 50 LANDLOCK_ACCESS_FS_REMOVE_FILE) 51 52 #define ACCESS_FS_ROUGHLY_FULL_WRITE \ 53 (LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | \ 54 LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_MAKE_CHAR | \ 55 LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | \ 56 LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | \ 57 LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM) 58 59 #define ACCESS_FILE \ 60 (LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_WRITE_FILE | \ 61 LANDLOCK_ACCESS_FS_READ_FILE) 62 63 #define HANDLED_ACCESS_TYPES \ 64 (ACCESS_FS_ROUGHLY_READ_EXECUTE | ACCESS_FS_ROUGHLY_FULL_WRITE) 65 66 #define LANDLOCK_ABI_FS_REFER_SUPPORTED 2 67 68 /* 69 * Performs Landlock create ruleset syscall. 70 * 71 * Returns the ruleset file descriptor on success, returns an error code 72 * otherwise. 73 */ 74 extern int 75 landlock_create_ruleset(const struct minijail_landlock_ruleset_attr *const attr, 76 const size_t size, const __u32 flags); 77 78 /* Performs Landlock add rule syscall. */ 79 extern int landlock_add_rule(const int ruleset_fd, 80 const enum minijail_landlock_rule_type rule_type, 81 const void *const rule_attr, const __u32 flags); 82 83 /* Performs Landlock restrict self syscall. */ 84 extern int landlock_restrict_self(const int ruleset_fd, const __u32 flags); 85 86 /* Populates the landlock ruleset for a path and any needed paths beneath. */ 87 extern bool populate_ruleset_internal(const char *const path, 88 const int ruleset_fd, 89 const uint64_t allowed_access); 90 91 #ifdef __cplusplus 92 }; /* extern "C" */ 93 #endif 94 95 #endif /* _LANDLOCK_UTIL_H_ */ 96