xref: /kernel/linux/linux-6.6/security/landlock/syscalls.c

32 #include "ruleset.h"
111 	struct landlock_ruleset *ruleset = filp->private_data;
113 	landlock_put_ruleset(ruleset);
133  * A ruleset file descriptor enables to build a ruleset by adding (i.e.
135  * reentrant design is also used in a read way to enforce the ruleset on the
147  * sys_landlock_create_ruleset - Create a new ruleset
150  *        the new ruleset.
155  * This system call enables to create a new Landlock ruleset, and returns the
174 	struct landlock_ruleset *ruleset;
204 	ruleset = landlock_create_ruleset(ruleset_attr.handled_access_fs);
205 	if (IS_ERR(ruleset))
206 		return PTR_ERR(ruleset);
208 	/* Creates anonymous FD referring to the ruleset. */
209 	ruleset_fd = anon_inode_getfd("[landlock-ruleset]", &ruleset_fops,
210 				      ruleset, O_RDWR | O_CLOEXEC);
212 		landlock_put_ruleset(ruleset);
217  * Returns an owned ruleset from a FD. It is thus needed to call
224 	struct landlock_ruleset *ruleset;
232 		ruleset = ERR_PTR(-EBADFD);
236 		ruleset = ERR_PTR(-EPERM);
239 	ruleset = ruleset_f.file->private_data;
240 	if (WARN_ON_ONCE(ruleset->num_layers != 1)) {
241 		ruleset = ERR_PTR(-EINVAL);
244 	landlock_get_ruleset(ruleset);
248 	return ruleset;
269 	 * Forbids ruleset FDs, internal filesystems (e.g. nsfs), including
290  * sys_landlock_add_rule - Add a new rule to a ruleset
292  * @ruleset_fd: File descriptor tied to the ruleset that should be extended
301  * ruleset.
308  *   ruleset handled accesses);
312  * - %EBADFD: @ruleset_fd is not a ruleset file descriptor, or a member of
314  * - %EPERM: @ruleset_fd has no write access to the underlying ruleset;
323 	struct landlock_ruleset *ruleset;
333 	/* Gets and checks the ruleset. */
334 	ruleset = get_ruleset_from_fd(ruleset_fd, FMODE_CAN_WRITE);
335 	if (IS_ERR(ruleset))
336 		return PTR_ERR(ruleset);
360 	 * Checks that allowed_access matches the @ruleset constraints
361 	 * (ruleset->fs_access_masks[0] is automatically upgraded to 64-bits).
363 	if ((path_beneath_attr.allowed_access | ruleset->fs_access_masks[0]) !=
364 	    ruleset->fs_access_masks[0]) {
375 	err = landlock_append_fs_rule(ruleset, &path,
380 	landlock_put_ruleset(ruleset);
387  * sys_landlock_restrict_self - Enforce a ruleset on the calling thread
389  * @ruleset_fd: File descriptor tied to the ruleset to merge with the target.
392  * This system call enables to enforce a Landlock ruleset on the current
393  * thread.  Enforcing a ruleset requires that the task has %CAP_SYS_ADMIN in its
402  * - %EBADFD: @ruleset_fd is not a ruleset file descriptor;
403  * - %EPERM: @ruleset_fd has no read access to the underlying ruleset, or the
412 	struct landlock_ruleset *new_dom, *ruleset;
432 	/* Gets and checks the ruleset. */
433 	ruleset = get_ruleset_from_fd(ruleset_fd, FMODE_CAN_READ);
434 	if (IS_ERR(ruleset))
435 		return PTR_ERR(ruleset);
449 	new_dom = landlock_merge_ruleset(new_llcred->domain, ruleset);
459 	landlock_put_ruleset(ruleset);
466 	landlock_put_ruleset(ruleset);

Indexes created Thu Nov 07 10:32:03 CST 2024