diff options
Diffstat (limited to 'src/firejail/landlock.c')
-rw-r--r-- | src/firejail/landlock.c | 79 |
1 files changed, 0 insertions, 79 deletions
diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c deleted file mode 100644 index 67e2b2cfc..000000000 --- a/src/firejail/landlock.c +++ /dev/null | |||
@@ -1,79 +0,0 @@ | |||
1 | #define _GNU_SOURCE | ||
2 | #include <stdio.h> | ||
3 | #include <stddef.h> | ||
4 | #include <stdlib.h> | ||
5 | #include <unistd.h> | ||
6 | #include <fcntl.h> | ||
7 | #include <sys/syscall.h> | ||
8 | #include <sys/types.h> | ||
9 | #include <sys/prctl.h> | ||
10 | #include <linux/prctl.h> | ||
11 | #include <linux/landlock.h> | ||
12 | |||
13 | int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags) { | ||
14 | return syscall(__NR_landlock_create_ruleset,rsattr,size,flags); | ||
15 | } | ||
16 | |||
17 | int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags) { | ||
18 | return syscall(__NR_landlock_add_rule,fd,t,attr,flags); | ||
19 | } | ||
20 | |||
21 | int landlock_restrict_self(int fd,__u32 flags) { | ||
22 | prctl(PR_SET_NO_NEW_PRIVS,1,0,0,0); | ||
23 | int result = syscall(__NR_landlock_restrict_self,fd,flags); | ||
24 | if (result!=0) return result; | ||
25 | else { | ||
26 | close(fd); | ||
27 | return 0; | ||
28 | } | ||
29 | } | ||
30 | |||
31 | int create_full_ruleset() { | ||
32 | struct landlock_ruleset_attr attr; | ||
33 | attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM | LANDLOCK_ACCESS_FS_EXECUTE; | ||
34 | return landlock_create_ruleset(&attr,sizeof(attr),0); | ||
35 | } | ||
36 | |||
37 | int add_read_access_rule_by_path(int rset_fd,char *allowed_path) { | ||
38 | int result; | ||
39 | int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC); | ||
40 | struct landlock_path_beneath_attr target; | ||
41 | target.parent_fd = allowed_fd; | ||
42 | target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR; | ||
43 | result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0); | ||
44 | close(allowed_fd); | ||
45 | return result; | ||
46 | } | ||
47 | |||
48 | int add_write_access_rule_by_path(int rset_fd,char *allowed_path) { | ||
49 | int result; | ||
50 | int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC); | ||
51 | struct landlock_path_beneath_attr target; | ||
52 | target.parent_fd = allowed_fd; | ||
53 | target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SYM; | ||
54 | result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0); | ||
55 | close(allowed_fd); | ||
56 | return result; | ||
57 | } | ||
58 | |||
59 | int add_create_special_rule_by_path(int rset_fd,char *allowed_path) { | ||
60 | int result; | ||
61 | int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC); | ||
62 | struct landlock_path_beneath_attr target; | ||
63 | target.parent_fd = allowed_fd; | ||
64 | target.allowed_access = LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK; | ||
65 | result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0); | ||
66 | close(allowed_fd); | ||
67 | return result; | ||
68 | } | ||
69 | |||
70 | int add_execute_rule_by_path(int rset_fd,char *allowed_path) { | ||
71 | int result; | ||
72 | int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC); | ||
73 | struct landlock_path_beneath_attr target; | ||
74 | target.parent_fd = allowed_fd; | ||
75 | target.allowed_access = LANDLOCK_ACCESS_FS_EXECUTE; | ||
76 | result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0); | ||
77 | close(allowed_fd); | ||
78 | return result; | ||
79 | } | ||