-rw-r--r-- | src/include/landlock.h | 70 | ||||
-rw-r--r-- | src/lib/libtinyll.c | 108 |
2 files changed, 0 insertions, 178 deletions
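--- a/src/include/landlock.h
+++ /dev/null
@@ -1,70 +0,0 @@
-#define _GNU_SOURCE
-#include <stdio.h>
-#include <stddef.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <sys/syscall.h>
-#include <sys/types.h>
-#include <linux/landlock.h>
-
-int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags) {
-return syscall(__NR_landlock_create_ruleset,rsattr,size,flags);
-}
-
-int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags) {
-return syscall(__NR_landlock_add_rule,fd,t,attr,flags);
-}
-
-int landlock_restrict_self(int fd,__u32 flags) {
-int result = syscall(__NR_landlock_restrict_self,fd,flags);
-if (result!=0) return result;
-else {
-close(fd);
-return 0;
-}
-}
-
-int create_full_ruleset() {
-struct landlock_ruleset_attr attr;
-attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM | LANDLOCK_ACCESS_FS_EXECUTE;
-return landlock_create_ruleset(&attr,sizeof(attr),0);
-}
-
-int add_read_access_rule_by_path(int rset_fd,char *allowed_path) {
-int result;
-int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
-struct landlock_path_beneath_attr target;
-target.parent_fd = allowed_fd;
-target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
-result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
-close(allowed_fd);
-return result;
-}
-
-int add_write_access_rule_by_path(int rset_fd,char *allowed_path,int restricted) {
-int result;
-int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
-struct landlock_path_beneath_attr target;
-target.parent_fd = allowed_fd;
-if (restricted==0) target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM;
-else if (restricted==1) target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SYM;
-else {
-close(allowed_fd);
-return -1;
-}
-result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
-close(allowed_fd);
-return result;
-}
-
-int add_execute_rule_by_path(int rset_fd,char *allowed_path) {
-int result;
-int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
-struct landlock_path_beneath_attr target;
-target.parent_fd = allowed_fd;
-target.allowed_access = LANDLOCK_ACCESS_FS_EXECUTE;
-result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
-close(allowed_fd);
-return result;
-}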
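--- a/src/lib/libtinyll.c
+++ /dev/null
@@ -1,108 +0,0 @@
-#define _GNU_SOURCE
-#include <stdio.h>
-#include <stddef.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <sys/syscall.h>
-#include <sys/types.h>
-#include <sys/prctl.h>
-#include <linux/prctl.h>
-#include <linux/landlock.h>
-
-int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags) {
-return syscall(__NR_landlock_create_ruleset,rsattr,size,flags);
-}
-
-int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags) {
-return syscall(__NR_landlock_add_rule,fd,t,attr,flags);
-}
-
-int landlock_restrict_self(int fd,__u32 flags) {
-int result = syscall(__NR_landlock_restrict_self,fd,flags);
-if (result!=0) return result;
-else {
-close(fd);
-return 0;
-}
-}
-
-int create_full_ruleset() {
-struct landlock_ruleset_attr attr;
-attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM | LANDLOCK_ACCESS_FS_EXECUTE;
-return landlock_create_ruleset(&attr,sizeof(attr),0);
-}
-
-int add_read_access_rule(int rset_fd,int allowed_fd) {
-int result;
-struct landlock_path_beneath_attr target;
-target.parent_fd = allowed_fd;
-target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
-result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
-return result;
-}
-
-int add_read_access_rule_by_path(int rset_fd,char *allowed_path) {
-int result;
-int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
-struct landlock_path_beneath_attr target;
-target.parent_fd = allowed_fd;
-target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
-result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
-close(allowed_fd);
-return result;
-}
-
-int add_write_access_rule(int rset_fd,int allowed_fd,int restricted) {
-int result;
-struct landlock_path_beneath_attr target;
-target.parent_fd = allowed_fd;
-if (restricted==0) target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM;
-else if (restricted==1) target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SYM;
-result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
-return result;
-}
-
-int add_write_access_rule_by_path(int rset_fd,char *allowed_path,int restricted) {
-int result;
-int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
-struct landlock_path_beneath_attr target;
-target.parent_fd = allowed_fd;
-if (restricted==0) target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM;
-else if (restricted==1) target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SYM;
-else {
-close(allowed_fd);
-return -1;
-}
-result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
-close(allowed_fd);
-return result;
-}
-
-int add_execute_rule(int rset_fd,int allowed_fd) {
-int result;
-struct landlock_path_beneath_attr target;
-target.parent_fd = allowed_fd;
-target.allowed_access = LANDLOCK_ACCESS_FS_EXECUTE;
-result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
-return result;
-}
-
-int add_execute_rule_by_path(int rset_fd,char *allowed_path) {
-int result;
-int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
-struct landlock_path_beneath_attr target;
-target.parent_fd = allowed_fd;
-target.allowed_access = LANDLOCK_ACCESS_FS_EXECUTE;
-result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
-close(allowed_fd);
-return result;
-}
-
-int check_nnp() {
-return prctl(PR_GET_NO_NEW_PRIVS,0,0,0,0);
-}
-
-int enable_nnp() {
-return prctl(PR_SET_NO_NEW_PRIVS,1,0,0,0);
-}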