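/* Copyright 2022 The ChromiumOS Authors
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */

/*
 * Landlock functions and constants.
 *
 * Declares thin wrappers for the three Landlock syscalls, fallback syscall
 * numbers for toolchains whose headers predate Landlock, and named groups of
 * LANDLOCK_ACCESS_FS_* rights used when building a filesystem ruleset.
 */

#ifndef _LANDLOCK_UTIL_H_
#define _LANDLOCK_UTIL_H_

#include <asm/unistd.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#include "landlock.h"

#ifdef __cplusplus
extern "C" {
#endif

/*
 * Fallback syscall numbers, used only when <asm/unistd.h> does not already
 * define them. A definition from the kernel headers always takes precedence.
 *
 * NOTE(review): the fallbacks are hard-coded and not architecture-specific;
 * confirm they match the syscall table of every architecture this is built
 * for. A kernel without Landlock fails these syscalls at run time, so
 * callers must treat a failure as "sandbox not applied".
 */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#endif

#ifndef __NR_landlock_add_rule
#define __NR_landlock_add_rule 445
#endif

#ifndef __NR_landlock_restrict_self
#define __NR_landlock_restrict_self 446
#endif

/* Read file contents and list directories; no execute, no modification. */
#define ACCESS_FS_ROUGHLY_READ (      \
	LANDLOCK_ACCESS_FS_READ_FILE | \
	LANDLOCK_ACCESS_FS_READ_DIR)

/* ACCESS_FS_ROUGHLY_READ plus the right to execute files. */
#define ACCESS_FS_ROUGHLY_READ_EXECUTE ( \
	LANDLOCK_ACCESS_FS_EXECUTE |      \
	LANDLOCK_ACCESS_FS_READ_FILE |    \
	LANDLOCK_ACCESS_FS_READ_DIR)

/*
 * ACCESS_FS_ROUGHLY_EDIT plus creation of directories and regular files.
 * Creation of device nodes, sockets, FIFOs and symlinks is not included.
 */
#define ACCESS_FS_ROUGHLY_BASIC_WRITE ( \
	LANDLOCK_ACCESS_FS_WRITE_FILE |  \
	LANDLOCK_ACCESS_FS_REMOVE_DIR |  \
	LANDLOCK_ACCESS_FS_REMOVE_FILE | \
	LANDLOCK_ACCESS_FS_MAKE_DIR |    \
	LANDLOCK_ACCESS_FS_MAKE_REG)

/*
 * Write to and remove existing files and directories. Contains no MAKE_*
 * right, so nothing new can be created under a path granted only this mask.
 */
#define ACCESS_FS_ROUGHLY_EDIT (        \
	LANDLOCK_ACCESS_FS_WRITE_FILE |  \
	LANDLOCK_ACCESS_FS_REMOVE_DIR |  \
	LANDLOCK_ACCESS_FS_REMOVE_FILE)

/*
 * Every write-side right used by this header: write, remove, and creation of
 * all node types (character and block devices, directories, regular files,
 * sockets, FIFOs, symlinks). Grant sparingly: it allows creating device
 * nodes and symlinks wherever the process otherwise has permission to.
 */
#define ACCESS_FS_ROUGHLY_FULL_WRITE (  \
	LANDLOCK_ACCESS_FS_WRITE_FILE |  \
	LANDLOCK_ACCESS_FS_REMOVE_DIR |  \
	LANDLOCK_ACCESS_FS_REMOVE_FILE | \
	LANDLOCK_ACCESS_FS_MAKE_CHAR |   \
	LANDLOCK_ACCESS_FS_MAKE_DIR |    \
	LANDLOCK_ACCESS_FS_MAKE_REG |    \
	LANDLOCK_ACCESS_FS_MAKE_SOCK |   \
	LANDLOCK_ACCESS_FS_MAKE_FIFO |   \
	LANDLOCK_ACCESS_FS_MAKE_BLOCK |  \
	LANDLOCK_ACCESS_FS_MAKE_SYM)

/*
 * The execute, write and read rights that act on a file itself.
 *
 * NOTE(review): presumably used to mask a requested access set when the rule
 * target is not a directory, since directory-only rights are not valid on a
 * file rule - confirm against the implementation.
 */
#define ACCESS_FILE (                  \
	LANDLOCK_ACCESS_FS_EXECUTE |    \
	LANDLOCK_ACCESS_FS_WRITE_FILE | \
	LANDLOCK_ACCESS_FS_READ_FILE)

/*
 * Union of the read/execute and full-write groups above: the 13 filesystem
 * rights named in this header.
 *
 * NOTE(review): presumably passed as the ruleset's handled access mask -
 * confirm at the call site. Landlock restricts only the rights a ruleset
 * declares as handled, so any right missing from this mask stays
 * unrestricted for the sandboxed process. Rights added by later Landlock
 * ABI versions (for example LANDLOCK_ACCESS_FS_TRUNCATE) are not listed
 * here; a path granted read-only access would therefore not be protected
 * from truncation by this ruleset. Revisit this mask whenever the bundled
 * landlock.h is updated.
 */
#define HANDLED_ACCESS_TYPES (ACCESS_FS_ROUGHLY_READ_EXECUTE | \
			      ACCESS_FS_ROUGHLY_FULL_WRITE)

/*
 * Performs Landlock create ruleset syscall.
 *
 * attr:  ruleset attributes describing the handled access rights.
 * size:  size of *attr in bytes.
 * flags: flags forwarded to the syscall.
 *
 * Returns the ruleset file descriptor on success, returns an error code
 * otherwise.
 *
 * NOTE(review): the exact failure convention (negative value vs. -1 with
 * errno set) is not visible from this header - confirm in the
 * implementation before testing the result with anything other than "< 0".
 * The returned descriptor presumably belongs to the caller, who should
 * close it once the ruleset has been enforced.
 */
extern int landlock_create_ruleset(
    const struct minijail_landlock_ruleset_attr *const attr, const size_t size,
    const __u32 flags);

/*
 * Performs Landlock add rule syscall.
 *
 * ruleset_fd: descriptor obtained from landlock_create_ruleset().
 * rule_type:  kind of rule that rule_attr describes.
 * rule_attr:  pointer to the attribute structure matching rule_type; it is
 *             untyped here, so a mismatch with rule_type is not caught at
 *             compile time.
 * flags:      flags forwarded to the syscall.
 *
 * Check the return value: a rule that failed to be added leaves the ruleset
 * without the intended allowance.
 */
extern int landlock_add_rule(const int ruleset_fd,
			     const enum minijail_landlock_rule_type rule_type,
			     const void *const rule_attr, const __u32 flags);

/*
 * Performs Landlock restrict self syscall.
 *
 * ruleset_fd: descriptor of the ruleset to enforce on the calling thread.
 * flags:      flags forwarded to the syscall.
 *
 * The kernel refuses this call unless the caller has set no_new_privs or
 * holds CAP_SYS_ADMIN in its user namespace. A failure means the process is
 * NOT sandboxed, so callers must not continue as if it were.
 */
extern int landlock_restrict_self(const int ruleset_fd, const __u32 flags);

/*
 * Populates the landlock ruleset for a path and any needed paths beneath.
 *
 * path:           filesystem path the rule applies to.
 * ruleset_fd:     descriptor of the ruleset to add the rule(s) to.
 * allowed_access: bitmask of LANDLOCK_ACCESS_FS_* rights to allow.
 *
 * NOTE(review): presumably returns true on success and false on failure -
 * confirm in the implementation. Callers should treat false as a failure to
 * set up the sandbox rather than ignoring it.
 */
extern bool populate_ruleset_internal(const char *const path,
				      const int ruleset_fd,
				      const uint64_t allowed_access);

#ifdef __cplusplus
} /* extern "C" */
#endif

#endif /* _LANDLOCK_UTIL_H_ */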