Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 15 additions & 3 deletions sys/linux/landlock.txt
Original file line number Diff line number Diff line change
Expand Up @@ -6,16 +6,28 @@ include <uapi/linux/landlock.h>
resource fd_ruleset[fd]

landlock_create_ruleset(attr ptr[in, landlock_ruleset_attr], size bytesize[attr], flags const[0]) fd_ruleset

landlock_add_rule$LANDLOCK_RULE_PATH_BENEATH(ruleset_fd fd_ruleset, rule_type const[LANDLOCK_RULE_PATH_BENEATH], rule_attr ptr[in, landlock_path_beneath_attr], flags const[0])

landlock_add_rule$LANDLOCK_RULE_NET_PORT(ruleset_fd fd_ruleset, rule_type const[LANDLOCK_RULE_NET_PORT], rule_attr ptr[in, landlock_net_port_attr], flags const[0])

landlock_restrict_self(ruleset_fd fd_ruleset, flags const[0])

landlock_ruleset_attr {
handled_fs_access flags[landlock_access_flags, int64]
handled_access_fs flags[landlock_access_fs_flags, int64]
handled_access_net flags[landlock_access_net_flags, int64]
}

landlock_path_beneath_attr {
allowed_access flags[landlock_access_flags, int64]
allowed_access flags[landlock_access_fs_flags, int64]
parent_fd fd
} [packed]

landlock_access_flags = LANDLOCK_ACCESS_FS_EXECUTE, LANDLOCK_ACCESS_FS_MAKE_BLOCK, LANDLOCK_ACCESS_FS_MAKE_CHAR, LANDLOCK_ACCESS_FS_MAKE_DIR, LANDLOCK_ACCESS_FS_MAKE_FIFO, LANDLOCK_ACCESS_FS_MAKE_REG, LANDLOCK_ACCESS_FS_MAKE_SOCK, LANDLOCK_ACCESS_FS_MAKE_SYM, LANDLOCK_ACCESS_FS_READ_DIR, LANDLOCK_ACCESS_FS_READ_FILE, LANDLOCK_ACCESS_FS_REFER, LANDLOCK_ACCESS_FS_REMOVE_DIR, LANDLOCK_ACCESS_FS_REMOVE_FILE, LANDLOCK_ACCESS_FS_TRUNCATE, LANDLOCK_ACCESS_FS_WRITE_FILE
landlock_net_port_attr {
allowed_access flags[landlock_access_net_flags, int64]
port int64
}

landlock_access_fs_flags = LANDLOCK_ACCESS_FS_EXECUTE, LANDLOCK_ACCESS_FS_MAKE_BLOCK, LANDLOCK_ACCESS_FS_MAKE_CHAR, LANDLOCK_ACCESS_FS_MAKE_DIR, LANDLOCK_ACCESS_FS_MAKE_FIFO, LANDLOCK_ACCESS_FS_MAKE_REG, LANDLOCK_ACCESS_FS_MAKE_SOCK, LANDLOCK_ACCESS_FS_MAKE_SYM, LANDLOCK_ACCESS_FS_READ_DIR, LANDLOCK_ACCESS_FS_READ_FILE, LANDLOCK_ACCESS_FS_REFER, LANDLOCK_ACCESS_FS_REMOVE_DIR, LANDLOCK_ACCESS_FS_REMOVE_FILE, LANDLOCK_ACCESS_FS_TRUNCATE, LANDLOCK_ACCESS_FS_WRITE_FILE

landlock_access_net_flags = LANDLOCK_ACCESS_NET_BIND_TCP, LANDLOCK_ACCESS_NET_CONNECT_TCP
3 changes: 3 additions & 0 deletions sys/linux/landlock.txt.const
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,9 @@ LANDLOCK_ACCESS_FS_REMOVE_DIR = 16
LANDLOCK_ACCESS_FS_REMOVE_FILE = 32
LANDLOCK_ACCESS_FS_TRUNCATE = 16384
LANDLOCK_ACCESS_FS_WRITE_FILE = 2
LANDLOCK_ACCESS_NET_BIND_TCP = 1
LANDLOCK_ACCESS_NET_CONNECT_TCP = 2
LANDLOCK_RULE_NET_PORT = 2
LANDLOCK_RULE_PATH_BENEATH = 1
__NR_landlock_add_rule = 445, mips64le:5445
__NR_landlock_create_ruleset = 444, mips64le:5444
Expand Down
2 changes: 1 addition & 1 deletion sys/linux/test/landlock_fs_accesses
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ symlinkat(&AUTO='./file2\x00', 0xffffffffffffff9c, &AUTO='./file6\x00')

# Creates a ruleset to restrict all kind of file creation.

r0 = landlock_create_ruleset(&AUTO={0x1fff}, AUTO, 0x0)
r0 = landlock_create_ruleset(&AUTO={0x1fff, 0x0}, AUTO, 0x0)
prctl$PR_SET_NO_NEW_PRIVS(0x26, 0x1)
landlock_restrict_self(r0, 0x0)

Expand Down
2 changes: 1 addition & 1 deletion sys/linux/test/landlock_fs_forbidden
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ mkdirat(0xffffffffffffff9c, &AUTO='./file0/file1\x00', 0x1c0)

# Creates a first ruleset to restrict execution.

r0 = landlock_create_ruleset(&AUTO={0x1}, AUTO, 0x0)
r0 = landlock_create_ruleset(&AUTO={0x1, 0x0}, AUTO, 0x0)
prctl$PR_SET_NO_NEW_PRIVS(0x26, 0x1)
landlock_restrict_self(r0, 0x0)

Expand Down
2 changes: 1 addition & 1 deletion sys/linux/test/landlock_fs_reparent
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ mkdirat(0xffffffffffffff9c, &AUTO='./file1/file4/file7\x00', 0x1c0)

# Creates a ruleset to restrict file linking/renaming and execution (to get an extra access right).

r0 = landlock_create_ruleset(&AUTO={0x2001}, AUTO, 0x0)
r0 = landlock_create_ruleset(&AUTO={0x2001, 0x0}, AUTO, 0x0)

# Allows link and rename from and to file1.

Expand Down
2 changes: 1 addition & 1 deletion sys/linux/test/landlock_fs_truncate
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ r1 = openat$dir(0xffffffffffffff9c, &AUTO='./file1\x00', 0x1, 0x0)

# Creates a ruleset to restrict file truncation: LANDLOCK_ACCESS_FS_TRUNCATE.

r2 = landlock_create_ruleset(&AUTO={0x4000}, AUTO, 0x0)
r2 = landlock_create_ruleset(&AUTO={0x4000, 0x0}, AUTO, 0x0)

# Allows truncation of file1.

Expand Down
4 changes: 2 additions & 2 deletions sys/linux/test/landlock_layers
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ mkdirat(0xffffffffffffff9c, &AUTO='./file0/file0\x00', 0x1c0)

# Creates a first ruleset to restrict file creation.

r0 = landlock_create_ruleset(&AUTO={0x100}, AUTO, 0x0)
r0 = landlock_create_ruleset(&AUTO={0x100, 0x0}, AUTO, 0x0)
r1 = openat$dir(0xffffffffffffff9c, &AUTO='./file0\x00', 0x200000, 0x0)
landlock_add_rule$LANDLOCK_RULE_PATH_BENEATH(r0, AUTO, &AUTO={0x100, r1}, 0x0)

Expand All @@ -27,7 +27,7 @@ mknodat(0xffffffffffffff9c, &AUTO='./file1\x00', 0x81c0, 0x0) # EACCES

# Creates a second ruleset to restrict file removal.

r2 = landlock_create_ruleset(&AUTO={0x20}, AUTO, 0x0)
r2 = landlock_create_ruleset(&AUTO={0x20, 0x0}, AUTO, 0x0)
r3 = openat$dir(0xffffffffffffff9c, &AUTO='./file0/file0\x00', 0x200000, 0x0)
landlock_add_rule$LANDLOCK_RULE_PATH_BENEATH(r2, AUTO, &AUTO={0x20, r3}, 0x0)

Expand Down
4 changes: 2 additions & 2 deletions sys/linux/test/landlock_ptrace
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ r0 = syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0)
ptrace(0x10, r0)
ptrace(0x11, r0)

r1 = landlock_create_ruleset(&AUTO={0x100}, AUTO, 0x0)
r1 = landlock_create_ruleset(&AUTO={0x100, 0x0}, AUTO, 0x0)
landlock_restrict_self(r1, 0x0)

r2 = syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0)
Expand All @@ -22,7 +22,7 @@ ptrace(0x11, r0)
ptrace(0x10, r2)
ptrace(0x11, r2)

r3 = landlock_create_ruleset(&AUTO={0x100}, AUTO, 0x0)
r3 = landlock_create_ruleset(&AUTO={0x100, 0x0}, AUTO, 0x0)
landlock_restrict_self(r3, 0x0)

ptrace(0x10, r0)
Expand Down
2 changes: 1 addition & 1 deletion sys/linux/test/landlock_sb_delete
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ mkdirat(0xffffffffffffff9c, &AUTO='./file1\x00', 0x1c0)

# Creates a ruleset with a reference to this mount point.

r0 = landlock_create_ruleset(&AUTO={0x100}, AUTO, 0x0)
r0 = landlock_create_ruleset(&AUTO={0x100, 0x0}, AUTO, 0x0)
r1 = openat$dir(0xffffffffffffff9c, &AUTO='./file0\x00', 0x200000, 0x0)
landlock_add_rule$LANDLOCK_RULE_PATH_BENEATH(r0, AUTO, &AUTO={0x100, r1}, 0x0)

Expand Down