commit 1a44f56372ac4ae821016e32daa7b23fbd4a93d4
parent a7ca4007f2a55a8becab1e4595d2696dd6e7bfd1
Author: shtrophic <christoph@liebender.dev>
Date: Thu, 26 Dec 2024 15:22:39 +0100
import updated landloc.h
Diffstat:
| M | landloc.h | | | 114 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++---------------------- |
1 file changed, 82 insertions(+), 32 deletions(-)
diff --git a/landloc.h b/landloc.h
@@ -65,9 +65,13 @@ int main(void) {
#define __LANDLOC_H__
#ifndef __linux__
-#error "no landlock without linux"
+# error "no landlock without linux"
#endif
+#include <linux/version.h>
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 13, 0)
+
#include <unistd.h>
#include <linux/landlock.h>
#include <sys/syscall.h>
@@ -75,53 +79,89 @@ int main(void) {
#include <fcntl.h>
#ifndef O_PATH
-#define O_PATH 010000000
+# define O_PATH 010000000
#endif
#ifndef LL_PRINTERR
-#define LL_PRINTERR(fmt, ...) (void)fmt;
+# define LL_PRINTERR(fmt, ...) (void)fmt;
#else
-#include <string.h>
-#include <errno.h>
+# include <string.h>
+# include <errno.h>
#endif
-#define LL_FS_ALL (\
- LANDLOCK_ACCESS_FS_EXECUTE |\
- LANDLOCK_ACCESS_FS_WRITE_FILE |\
- LANDLOCK_ACCESS_FS_READ_FILE |\
- LANDLOCK_ACCESS_FS_READ_DIR |\
- LANDLOCK_ACCESS_FS_REMOVE_DIR |\
- LANDLOCK_ACCESS_FS_REMOVE_FILE |\
- LANDLOCK_ACCESS_FS_MAKE_CHAR |\
- LANDLOCK_ACCESS_FS_MAKE_DIR |\
- LANDLOCK_ACCESS_FS_MAKE_REG |\
- LANDLOCK_ACCESS_FS_MAKE_SOCK |\
- LANDLOCK_ACCESS_FS_MAKE_FIFO |\
- LANDLOCK_ACCESS_FS_MAKE_BLOCK |\
- LANDLOCK_ACCESS_FS_MAKE_SYM |\
- LANDLOCK_ACCESS_FS_REFER |\
- LANDLOCK_ACCESS_FS_TRUNCATE |\
- LANDLOCK_ACCESS_FS_IOCTL_DEV )
-
-#define LL_NET_ALL (\
- LANDLOCK_ACCESS_NET_BIND_TCP |\
- LANDLOCK_ACCESS_NET_CONNECT_TCP )
+#ifdef LANDLOCK_ACCESS_FS_REFER
+# define __LL_FS_REFER_COMPAT LANDLOCK_ACCESS_FS_REFER
+# define __LL_SWITCH_FS_REFER __rattr.handled_access_fs &= ~__LL_FS_REFER_COMPAT
+#else
+# define __LL_FS_REFER_COMPAT 0
+# define __LL_SWITCH_FS_REFER (void)0
+#endif
+
+#ifdef LANDLOCK_ACCESS_FS_TRUNCATE
+# define __LL_FS_TRUNCATE_COMPAT LANDLOCK_ACCESS_FS_TRUNCATE
+# define __LL_SWITCH_FS_TRUNCATE __rattr.handled_access_fs &= ~__LL_FS_TRUNCATE_COMPAT
+#else
+# define __LL_FS_TRUNCATE_COMPAT 0
+# define __LL_SWITCH_FS_TRUNCATE (void)0
+#endif
+
+#ifdef LANDLOCK_ACCESS_FS_IOCTL_DEV
+# define __LL_FS_IOCTL_DEV_COMPAT LANDLOCK_ACCESS_FS_IOCTL_DEV
+# define __LL_SWITCH_FS_IOCTL_DEV __rattr.handled_access_fs &= ~__LL_FS_IOCTL_DEV_COMPAT
+#else
+# define __LL_FS_IOCTL_DEV_COMPAT 0
+# define __LL_SWITCH_FS_IOCTL_DEV (void)0
+#endif
+
+#define LL_FS_ALL (\
+ LANDLOCK_ACCESS_FS_EXECUTE |\
+ LANDLOCK_ACCESS_FS_WRITE_FILE |\
+ LANDLOCK_ACCESS_FS_READ_FILE |\
+ LANDLOCK_ACCESS_FS_READ_DIR |\
+ LANDLOCK_ACCESS_FS_REMOVE_DIR |\
+ LANDLOCK_ACCESS_FS_REMOVE_FILE |\
+ LANDLOCK_ACCESS_FS_MAKE_CHAR |\
+ LANDLOCK_ACCESS_FS_MAKE_DIR |\
+ LANDLOCK_ACCESS_FS_MAKE_REG |\
+ LANDLOCK_ACCESS_FS_MAKE_SOCK |\
+ LANDLOCK_ACCESS_FS_MAKE_FIFO |\
+ LANDLOCK_ACCESS_FS_MAKE_BLOCK |\
+ LANDLOCK_ACCESS_FS_MAKE_SYM |\
+ __LL_FS_REFER_COMPAT |\
+ __LL_FS_TRUNCATE_COMPAT |\
+ __LL_FS_IOCTL_DEV_COMPAT )
+
+#if defined(LANDLOCK_ACCESS_NET_BIND_TCP) && defined(LANDLOCK_ACCESS_NET_CONNECT_TCP)
+# define __LL_HAVE_NET
+#endif
+
+#ifdef __LL_HAVE_NET
+# define LL_NET_ALL (LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP)
+# define __LL_DECLARE_NET struct landlock_net_port_attr __nattr = {0}
+# define __LL_INIT_NET __rattr.handled_access_net = LL_NET_ALL
+# define __LL_SWITCH_NET do { __rattr.handled_access_net &= ~(LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP); } while (0)
+#else
+# define LL_NET_ALL 0
+# define __LL_DECLARE_NET (void)0
+# define __LL_INIT_NET (void)0
+# define __LL_SWITCH_NET (void)0
+#endif
#define LL_BEGIN(function, ...) int function(__VA_ARGS__) {\
int ll_rule_fd, ll_abi;\
struct landlock_ruleset_attr __rattr = {0};\
struct landlock_path_beneath_attr __pattr = {0};\
- struct landlock_net_port_attr __nattr = {0};\
+ __LL_DECLARE_NET;\
int __err = 0;\
__rattr.handled_access_fs = LL_FS_ALL;\
- __rattr.handled_access_net = LL_NET_ALL;\
+ __LL_INIT_NET;\
ll_abi = (int)syscall(SYS_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);\
switch (ll_abi) {\
case -1: return -1;\
- case 1: __rattr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER; __attribute__((fallthrough));\
- case 2: __rattr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE; __attribute__((fallthrough));\
- case 3: __rattr.handled_access_net &= ~(LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP); __attribute__((fallthrough));\
- case 4: __rattr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV;\
+ case 1: __LL_SWITCH_FS_REFER; __attribute__((fallthrough));\
+ case 2: __LL_SWITCH_FS_TRUNCATE; __attribute__((fallthrough));\
+ case 3: __LL_SWITCH_NET; __attribute__((fallthrough));\
+ case 4: __LL_SWITCH_FS_IOCTL_DEV;\
default: break;\
}\
ll_rule_fd = (int)syscall(SYS_landlock_create_ruleset, &__rattr, sizeof(struct landlock_ruleset_attr), 0);\
@@ -159,6 +199,8 @@ int main(void) {
close(__pattr.parent_fd);\
} while (0)
+#ifdef __LL_HAVE_NET
+
#define LL_PORT(p, rules) do {\
unsigned short __port = (p);\
__nattr.allowed_access = (rules);\
@@ -172,4 +214,12 @@ int main(void) {
}\
} while (0)
+#else
+
+#define LL_PORT(p, rules) do { (void)p; (void)rules; } while (0)
+
+#endif /* __LL_HAVE_NET */
+
+#endif /* KERNEL_VERSION(5, 13, 0) */
+
#endif /* __LANDLOC_H__ */
