66 lines
1.7 KiB
C
66 lines
1.7 KiB
C
/* Copyright 2022 The ChromiumOS Authors
|
|
* Use of this source code is governed by a BSD-style license that can be
|
|
* found in the LICENSE file.
|
|
*/
|
|
|
|
/* Define _GNU_SOURCE because we need O_PATH to resolve correctly. */
|
|
#define _GNU_SOURCE
|
|
|
|
#include "landlock_util.h"
|
|
|
|
#include <fcntl.h>
|
|
#include <sys/stat.h>
|
|
|
|
#include "util.h"
|
|
|
|
|
|
int landlock_create_ruleset(const struct
|
|
minijail_landlock_ruleset_attr *const attr,
|
|
const size_t size, const __u32 flags)
|
|
{
|
|
return syscall(__NR_landlock_create_ruleset, attr, size, flags);
|
|
}
|
|
|
|
int landlock_add_rule(const int ruleset_fd,
|
|
const enum minijail_landlock_rule_type rule_type,
|
|
const void *const rule_attr, const __u32 flags)
|
|
{
|
|
return syscall(__NR_landlock_add_rule, ruleset_fd, rule_type,
|
|
rule_attr, flags);
|
|
}
|
|
|
|
int landlock_restrict_self(const int ruleset_fd,
|
|
const __u32 flags)
|
|
{
|
|
return syscall(__NR_landlock_restrict_self, ruleset_fd, flags);
|
|
}
|
|
|
|
bool populate_ruleset_internal(const char *const path,
|
|
const int ruleset_fd,
|
|
const uint64_t allowed_access)
|
|
{
|
|
struct minijail_landlock_path_beneath_attr path_beneath = {
|
|
.parent_fd = -1,
|
|
};
|
|
struct stat statbuf;
|
|
attribute_cleanup_fd int parent_fd = open(path, O_PATH | O_CLOEXEC);
|
|
path_beneath.parent_fd = parent_fd;
|
|
if (path_beneath.parent_fd < 0) {
|
|
pwarn("Failed to open \"%s\"", path);
|
|
return false;
|
|
}
|
|
if (fstat(path_beneath.parent_fd, &statbuf)) {
|
|
return false;
|
|
}
|
|
path_beneath.allowed_access = allowed_access;
|
|
if (!S_ISDIR(statbuf.st_mode)) {
|
|
path_beneath.allowed_access &= ACCESS_FILE;
|
|
}
|
|
if (landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
|
|
&path_beneath, 0)) {
|
|
pwarn("Failed to update ruleset \"%s\"", path);
|
|
return false;
|
|
}
|
|
return true;
|
|
}
|