/* Copyright 2022 The ChromiumOS Authors
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */
5*4b9c6d91SCole Faust
/* Define _GNU_SOURCE because we need O_PATH to resolve correctly. */
7*4b9c6d91SCole Faust #define _GNU_SOURCE
8*4b9c6d91SCole Faust
9*4b9c6d91SCole Faust #include "landlock_util.h"
10*4b9c6d91SCole Faust
11*4b9c6d91SCole Faust #include <fcntl.h>
12*4b9c6d91SCole Faust #include <sys/stat.h>
13*4b9c6d91SCole Faust
14*4b9c6d91SCole Faust #include "util.h"
15*4b9c6d91SCole Faust
16*4b9c6d91SCole Faust
/*
 * Thin wrapper that issues the landlock_create_ruleset system call.
 *
 * @attr:  ruleset attributes, handed to the kernel unchanged.
 * @size:  size argument for @attr, handed to the kernel unchanged.
 * @flags: syscall flags, handed to the kernel unchanged.
 *
 * Returns the syscall() result narrowed to int. Per the kernel's Landlock
 * documentation this is a new ruleset file descriptor on success and -1 with
 * errno set on failure. No validation happens here: callers must check for a
 * negative result before using the value as a ruleset fd, and they own the
 * returned descriptor.
 */
int landlock_create_ruleset(const struct minijail_landlock_ruleset_attr *const attr,
			    const size_t size, const __u32 flags)
{
	const long ret =
	    syscall(__NR_landlock_create_ruleset, attr, size, flags);

	return (int)ret;
}
23*4b9c6d91SCole Faust
/*
 * Thin wrapper that issues the landlock_add_rule system call.
 *
 * @ruleset_fd: ruleset descriptor the rule is added to.
 * @rule_type:  kind of rule that @rule_attr describes.
 * @rule_attr:  rule description, handed to the kernel unchanged.
 * @flags:      syscall flags, handed to the kernel unchanged.
 *
 * Returns the syscall() result narrowed to int (per the kernel's Landlock
 * documentation: 0 on success, -1 with errno set on failure). A failure here
 * means the rule is NOT part of the ruleset, so callers must not ignore it.
 */
int landlock_add_rule(const int ruleset_fd,
		      const enum minijail_landlock_rule_type rule_type,
		      const void *const rule_attr, const __u32 flags)
{
	const long ret = syscall(__NR_landlock_add_rule, ruleset_fd,
				 rule_type, rule_attr, flags);

	return (int)ret;
}
31*4b9c6d91SCole Faust
/*
 * Thin wrapper that issues the landlock_restrict_self system call.
 *
 * @ruleset_fd: ruleset descriptor to enforce on the calling thread.
 * @flags:      syscall flags, handed to the kernel unchanged.
 *
 * Returns the syscall() result narrowed to int (per the kernel's Landlock
 * documentation: 0 on success, -1 with errno set on failure).
 *
 * NOTE(review): the kernel documents that this call is refused unless the
 * caller has no_new_privs set or holds CAP_SYS_ADMIN in its user namespace.
 * This wrapper does not arrange either, so that is the caller's job. A
 * non-zero return means the sandbox is not in effect and should be treated
 * as fatal by sandboxing code.
 */
int landlock_restrict_self(const int ruleset_fd,
			   const __u32 flags)
{
	const long ret =
	    syscall(__NR_landlock_restrict_self, ruleset_fd, flags);

	return (int)ret;
}
37*4b9c6d91SCole Faust
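/*
 * Adds a "path beneath" rule for @path to the Landlock ruleset @ruleset_fd.
 *
 * @path:           filesystem path the rule is anchored at.
 * @ruleset_fd:     ruleset descriptor to add the rule to.
 * @allowed_access: access rights to grant beneath @path. For a non-directory
 *                  the mask is reduced to the bits in ACCESS_FILE.
 *
 * Returns true when the rule was added. Returns false, after logging a
 * warning, when @path cannot be opened, cannot be stat'ed, or the kernel
 * rejects the rule. A false return means @path is NOT covered by the
 * ruleset, so callers should not silently continue.
 *
 * NOTE(review): @path is opened without O_NOFOLLOW, so a symlink in the final
 * component is followed and the rule attaches to the link target. Callers
 * that take @path from less-trusted configuration should keep that in mind.
 */
bool populate_ruleset_internal(const char *const path,
			       const int ruleset_fd,
			       const uint64_t allowed_access)
{
	struct minijail_landlock_path_beneath_attr path_beneath = {
		.parent_fd = -1,
	};
	struct stat statbuf;
	/*
	 * O_PATH yields a handle that only names the object, which is all the
	 * rule needs. attribute_cleanup_fd comes from util.h; presumably it
	 * closes parent_fd on every return path (confirm against util.h).
	 */
	attribute_cleanup_fd int parent_fd = open(path, O_PATH | O_CLOEXEC);

	if (parent_fd < 0) {
		pwarn("Failed to open \"%s\"", path);
		return false;
	}
	path_beneath.parent_fd = parent_fd;

	/*
	 * Stat the descriptor rather than the path, so the file-type check
	 * below describes the very object the rule will be attached to, even
	 * if the path is swapped out in the meantime.
	 */
	if (fstat(parent_fd, &statbuf)) {
		/* Previously this path failed without any diagnostic. */
		pwarn("Failed to stat \"%s\"", path);
		return false;
	}

	path_beneath.allowed_access = allowed_access;
	if (!S_ISDIR(statbuf.st_mode)) {
		/*
		 * Keep only the rights in ACCESS_FILE for a non-directory;
		 * presumably the kernel rejects directory-only rights on a
		 * file (confirm against landlock_util.h / kernel docs).
		 */
		path_beneath.allowed_access &= ACCESS_FILE;
	}

	if (landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
			      &path_beneath, 0)) {
		pwarn("Failed to update ruleset \"%s\"", path);
		return false;
	}
	return true;
}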