forked from google/minijail
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathlandlock_util.c
62 lines (54 loc) · 1.69 KB
/
landlock_util.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
/* Copyright 2022 The ChromiumOS Authors
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
/* Define _GNU_SOURCE because we need O_PATH to resolve correctly. */
#define _GNU_SOURCE
#include "landlock_util.h"
#include <fcntl.h>
#include <sys/stat.h>
#include "util.h"
int landlock_create_ruleset(
const struct minijail_landlock_ruleset_attr *const attr, const size_t size,
const __u32 flags)
{
return syscall(__NR_landlock_create_ruleset, attr, size, flags);
}
int landlock_add_rule(const int ruleset_fd,
const enum minijail_landlock_rule_type rule_type,
const void *const rule_attr, const __u32 flags)
{
return syscall(__NR_landlock_add_rule, ruleset_fd, rule_type, rule_attr,
flags);
}
int landlock_restrict_self(const int ruleset_fd, const __u32 flags)
{
return syscall(__NR_landlock_restrict_self, ruleset_fd, flags);
}
bool populate_ruleset_internal(const char *const path, const int ruleset_fd,
const uint64_t allowed_access)
{
struct minijail_landlock_path_beneath_attr path_beneath = {
.parent_fd = -1,
};
struct stat statbuf;
attribute_cleanup_fd int parent_fd = open(path, O_PATH | O_CLOEXEC);
path_beneath.parent_fd = parent_fd;
if (path_beneath.parent_fd < 0) {
pwarn("Failed to open \"%s\"", path);
return false;
}
if (fstat(path_beneath.parent_fd, &statbuf)) {
return false;
}
path_beneath.allowed_access = allowed_access;
if (!S_ISDIR(statbuf.st_mode)) {
path_beneath.allowed_access &= ACCESS_FILE;
}
if (landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
&path_beneath, 0)) {
pwarn("Failed to update ruleset \"%s\"", path);
return false;
}
return true;
}