-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathlibtinyll.c
148 lines (132 loc) · 5.97 KB
/
libtinyll.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
#define _GNU_SOURCE
#include <stdio.h>
#include <stddef.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/prctl.h>
#include <linux/prctl.h>
#include <linux/landlock.h>
int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags) {
return syscall(__NR_landlock_create_ruleset,rsattr,size,flags);
}
int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags) {
return syscall(__NR_landlock_add_rule,fd,t,attr,flags);
}
int landlock_restrict_self(int fd,__u32 flags) {
int result = syscall(__NR_landlock_restrict_self,fd,flags);
if (result!=0) return result;
else {
close(fd);
return 0;
}
}
int create_full_ruleset() {
struct landlock_ruleset_attr attr;
attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM | LANDLOCK_ACCESS_FS_EXECUTE;
return landlock_create_ruleset(&attr,sizeof(attr),0);
}
int add_read_access_rule(int rset_fd,int allowed_fd) {
int result;
struct landlock_path_beneath_attr target;
target.parent_fd = allowed_fd;
target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
return result;
}
int add_file_read_access_rule(int rset_fd,int allowed_fd) {
int result;
struct landlock_path_beneath_attr target;
target.parent_fd = allowed_fd;
target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE;
result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
return result;
}
int add_read_access_rule_by_path(int rset_fd,char *allowed_path) {
int result;
int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
struct landlock_path_beneath_attr target;
target.parent_fd = allowed_fd;
target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
close(allowed_fd);
return result;
}
int add_file_read_access_rule_by_path(int rset_fd,char *allowed_path) {
int result;
int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
struct landlock_path_beneath_attr target;
target.parent_fd = allowed_fd;
target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE;
result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
close(allowed_fd);
return result;
}
int add_write_access_rule(int rset_fd,int allowed_fd,int restricted) {
int result;
struct landlock_path_beneath_attr target;
target.parent_fd = allowed_fd;
if (restricted==0) target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM;
else if (restricted==1) target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SYM;
result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
return result;
}
int add_write_access_rule_by_path(int rset_fd,char *allowed_path,int restricted) {
int result;
int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
struct landlock_path_beneath_attr target;
target.parent_fd = allowed_fd;
if (restricted==0) target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM;
else if (restricted==1) target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SYM;
else {
close(allowed_fd);
return -1;
}
result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
close(allowed_fd);
return result;
}
int add_file_write_access_rule(int rset_fd,int allowed_fd) {
int result;
struct landlock_path_beneath_attr target;
target.parent_fd = allowed_fd;
target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE;
result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
return result;
}
int add__file_write_access_rule_by_path(int rset_fd,char *allowed_path) {
int result;
int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
struct landlock_path_beneath_attr target;
target.parent_fd = allowed_fd;
target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE;
result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
close(allowed_fd);
return result;
}
int add_execute_rule(int rset_fd,int allowed_fd) {
int result;
struct landlock_path_beneath_attr target;
target.parent_fd = allowed_fd;
target.allowed_access = LANDLOCK_ACCESS_FS_EXECUTE;
result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
return result;
}
int add_execute_rule_by_path(int rset_fd,char *allowed_path) {
int result;
int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
struct landlock_path_beneath_attr target;
target.parent_fd = allowed_fd;
target.allowed_access = LANDLOCK_ACCESS_FS_EXECUTE;
result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
close(allowed_fd);
return result;
}
int check_nnp() {
return prctl(PR_GET_NO_NEW_PRIVS,0,0,0,0);
}
int enable_nnp() {
return prctl(PR_SET_NO_NEW_PRIVS,1,0,0,0);
}