1 files changed, 108 insertions, 0 deletions
diff --git a/src/lib/libtinyll.c b/src/lib/libtinyll.c
new file mode 100644
index 000000000..9db6f75d7
--- /dev/null
+++ b/src/lib/libtinyll.c
@@ -0,0 +1,108 @@
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/prctl.h>
+#include <linux/prctl.h>
+#include <linux/landlock.h>
+int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags) {
+        return syscall(__NR_landlock_create_ruleset,rsattr,size,flags);
+}
+int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags) {
+        return syscall(__NR_landlock_add_rule,fd,t,attr,flags);
+}
+int landlock_restrict_self(int fd,__u32 flags) {
+        int result = syscall(__NR_landlock_restrict_self,fd,flags);
+        if (result!=0) return result;
+        else {
+                close(fd);
+                return 0;
+        }
+}
+int create_full_ruleset() {
+        struct landlock_ruleset_attr attr;
+        attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM | LANDLOCK_ACCESS_FS_EXECUTE;
+        return landlock_create_ruleset(&attr,sizeof(attr),0);
+}
+int add_read_access_rule(int rset_fd,int allowed_fd) {
+        int result;
+        struct landlock_path_beneath_attr target;
+        target.parent_fd = allowed_fd;
+        target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
+        result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
+        return result;
+}
+int add_read_access_rule_by_path(int rset_fd,char *allowed_path) {
+        int result;
+        int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
+        struct landlock_path_beneath_attr target;
+        target.parent_fd = allowed_fd;
+        target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
+        result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
+        close(allowed_fd);
+        return result;
+}
+int add_write_access_rule(int rset_fd,int allowed_fd,int restricted) {
+        int result;
+        struct landlock_path_beneath_attr target;
+        target.parent_fd = allowed_fd;
+        if (restricted==0) target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM;
+        else if (restricted==1) target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SYM;
+        result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
+        return result;
+}
+int add_write_access_rule_by_path(int rset_fd,char *allowed_path,int restricted) {
+        int result;
+        int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
+        struct landlock_path_beneath_attr target;
+        target.parent_fd = allowed_fd;
+        if (restricted==0) target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM;
+        else if (restricted==1) target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SYM;
+        else {
+                close(allowed_fd);
+                return -1;
+        }
+        result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
+        close(allowed_fd);
+        return result;
+}
+int add_execute_rule(int rset_fd,int allowed_fd) {
+        int result;
+        struct landlock_path_beneath_attr target;
+        target.parent_fd = allowed_fd;
+        target.allowed_access = LANDLOCK_ACCESS_FS_EXECUTE;
+        result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
+        return result;
+}
+int add_execute_rule_by_path(int rset_fd,char *allowed_path) {
+        int result;
+        int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
+        struct landlock_path_beneath_attr target;
+        target.parent_fd = allowed_fd;
+        target.allowed_access = LANDLOCK_ACCESS_FS_EXECUTE;
+        result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
+        close(allowed_fd);
+        return result;
+}
+int check_nnp() {
+        return prctl(PR_GET_NO_NEW_PRIVS,0,0,0,0);
+}
+int enable_nnp() {
+        return prctl(PR_SET_NO_NEW_PRIVS,1,0,0,0);
+}

diff --git a/src/lib/libtinyll.c b/src/lib/libtinyll.c new file mode 100644 index 000000000..9db6f75d7 --- /dev/null +++ b/src/lib/libtinyll.c
@@ -0,0 +1,108 @@
	1	#define _GNU_SOURCE
	2	#include <stdio.h>
	3	#include <stddef.h>
	4	#include <stdlib.h>
	5	#include <unistd.h>
	6	#include <fcntl.h>
	7	#include <sys/syscall.h>
	8	#include <sys/types.h>
	9	#include <sys/prctl.h>
	10	#include <linux/prctl.h>
	11	#include <linux/landlock.h>
	12
	13	int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags) {
	14	return syscall(__NR_landlock_create_ruleset,rsattr,size,flags);
	15	}
	16
	17	int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags) {
	18	return syscall(__NR_landlock_add_rule,fd,t,attr,flags);
	19	}
	20
	21	int landlock_restrict_self(int fd,__u32 flags) {
	22	int result = syscall(__NR_landlock_restrict_self,fd,flags);
	23	if (result!=0) return result;
	24	else {
	25	close(fd);
	26	return 0;
	27	}
	28	}
	29
	30	int create_full_ruleset() {
	31	struct landlock_ruleset_attr attr;
	32	attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE \| LANDLOCK_ACCESS_FS_READ_DIR \| LANDLOCK_ACCESS_FS_WRITE_FILE \| LANDLOCK_ACCESS_FS_REMOVE_FILE \| LANDLOCK_ACCESS_FS_REMOVE_DIR \| LANDLOCK_ACCESS_FS_MAKE_CHAR \| LANDLOCK_ACCESS_FS_MAKE_DIR \| LANDLOCK_ACCESS_FS_MAKE_REG \| LANDLOCK_ACCESS_FS_MAKE_SOCK \| LANDLOCK_ACCESS_FS_MAKE_FIFO \| LANDLOCK_ACCESS_FS_MAKE_BLOCK \| LANDLOCK_ACCESS_FS_MAKE_SYM \| LANDLOCK_ACCESS_FS_EXECUTE;
	33	return landlock_create_ruleset(&attr,sizeof(attr),0);
	34	}
	35
	36	int add_read_access_rule(int rset_fd,int allowed_fd) {
	37	int result;
	38	struct landlock_path_beneath_attr target;
	39	target.parent_fd = allowed_fd;
	40	target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE \| LANDLOCK_ACCESS_FS_READ_DIR;
	41	result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
	42	return result;
	43	}
	44
	45	int add_read_access_rule_by_path(int rset_fd,char *allowed_path) {
	46	int result;
	47	int allowed_fd = open(allowed_path,O_PATH \| O_CLOEXEC);
	48	struct landlock_path_beneath_attr target;
	49	target.parent_fd = allowed_fd;
	50	target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE \| LANDLOCK_ACCESS_FS_READ_DIR;
	51	result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
	52	close(allowed_fd);
	53	return result;
	54	}
	55
	56	int add_write_access_rule(int rset_fd,int allowed_fd,int restricted) {
	57	int result;
	58	struct landlock_path_beneath_attr target;
	59	target.parent_fd = allowed_fd;
	60	if (restricted==0) target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE \| LANDLOCK_ACCESS_FS_REMOVE_FILE \| LANDLOCK_ACCESS_FS_REMOVE_DIR \| LANDLOCK_ACCESS_FS_MAKE_CHAR \| LANDLOCK_ACCESS_FS_MAKE_DIR \| LANDLOCK_ACCESS_FS_MAKE_REG \| LANDLOCK_ACCESS_FS_MAKE_SOCK \| LANDLOCK_ACCESS_FS_MAKE_FIFO \| LANDLOCK_ACCESS_FS_MAKE_BLOCK \| LANDLOCK_ACCESS_FS_MAKE_SYM;
	61	else if (restricted==1) target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE \| LANDLOCK_ACCESS_FS_REMOVE_FILE \| LANDLOCK_ACCESS_FS_REMOVE_DIR \| LANDLOCK_ACCESS_FS_MAKE_CHAR \| LANDLOCK_ACCESS_FS_MAKE_DIR \| LANDLOCK_ACCESS_FS_MAKE_REG \| LANDLOCK_ACCESS_FS_MAKE_SYM;
	62	result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
	63	return result;
	64	}
	65
	66	int add_write_access_rule_by_path(int rset_fd,char *allowed_path,int restricted) {
	67	int result;
	68	int allowed_fd = open(allowed_path,O_PATH \| O_CLOEXEC);
	69	struct landlock_path_beneath_attr target;
	70	target.parent_fd = allowed_fd;
	71	if (restricted==0) target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE \| LANDLOCK_ACCESS_FS_REMOVE_FILE \| LANDLOCK_ACCESS_FS_REMOVE_DIR \| LANDLOCK_ACCESS_FS_MAKE_CHAR \| LANDLOCK_ACCESS_FS_MAKE_DIR \| LANDLOCK_ACCESS_FS_MAKE_REG \| LANDLOCK_ACCESS_FS_MAKE_SOCK \| LANDLOCK_ACCESS_FS_MAKE_FIFO \| LANDLOCK_ACCESS_FS_MAKE_BLOCK \| LANDLOCK_ACCESS_FS_MAKE_SYM;
	72	else if (restricted==1) target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE \| LANDLOCK_ACCESS_FS_REMOVE_FILE \| LANDLOCK_ACCESS_FS_REMOVE_DIR \| LANDLOCK_ACCESS_FS_MAKE_CHAR \| LANDLOCK_ACCESS_FS_MAKE_DIR \| LANDLOCK_ACCESS_FS_MAKE_REG \| LANDLOCK_ACCESS_FS_MAKE_SYM;
	73	else {
	74	close(allowed_fd);
	75	return -1;
	76	}
	77	result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
	78	close(allowed_fd);
	79	return result;
	80	}
	81
	82	int add_execute_rule(int rset_fd,int allowed_fd) {
	83	int result;
	84	struct landlock_path_beneath_attr target;
	85	target.parent_fd = allowed_fd;
	86	target.allowed_access = LANDLOCK_ACCESS_FS_EXECUTE;
	87	result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
	88	return result;
	89	}
	90
	91	int add_execute_rule_by_path(int rset_fd,char *allowed_path) {
	92	int result;
	93	int allowed_fd = open(allowed_path,O_PATH \| O_CLOEXEC);
	94	struct landlock_path_beneath_attr target;
	95	target.parent_fd = allowed_fd;
	96	target.allowed_access = LANDLOCK_ACCESS_FS_EXECUTE;
	97	result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
	98	close(allowed_fd);
	99	return result;
	100	}
	101
	102	int check_nnp() {
	103	return prctl(PR_GET_NO_NEW_PRIVS,0,0,0,0);
	104	}
	105
	106	int enable_nnp() {
	107	return prctl(PR_SET_NO_NEW_PRIVS,1,0,0,0);
	108	}