# Source: github.com/google/syzkaller@v0.0.0-20240517125934-c0f1611a36d6/sys/linux/landlock.txt
# Copyright 2021 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

# syzkaller description of the Landlock system calls declared below:
# landlock_create_ruleset, landlock_add_rule and landlock_restrict_self.
# Constant names (LANDLOCK_*) are resolved from the included UAPI header,
# except for the one defined locally near the end of this file.

include <uapi/linux/landlock.h>

# File-descriptor resource for a Landlock ruleset. In this file it is produced
# only by landlock_create_ruleset and consumed by both landlock_add_rule
# variants and by landlock_restrict_self.
resource fd_ruleset[fd]

# Creates a ruleset and returns its descriptor.
#   attr  - input pointer to a landlock_ruleset_attr.
#   size  - byte size of the attr argument (computed by syzkaller).
#   flags - pinned to 0, so this description never generates a non-zero flag.
# NOTE(review): the UAPI header defines LANDLOCK_CREATE_RULESET_VERSION as a
# flag for this call; that mode is outside the coverage of this description.
# Confirm whether a separate variant is wanted.
landlock_create_ruleset(attr ptr[in, landlock_ruleset_attr], size bytesize[attr], flags const[0]) fd_ruleset

# Adds a filesystem rule to a ruleset. rule_type is pinned to
# LANDLOCK_RULE_PATH_BENEATH so that rule_attr is always a
# landlock_path_beneath_attr; flags is pinned to 0.
landlock_add_rule$LANDLOCK_RULE_PATH_BENEATH(ruleset_fd fd_ruleset, rule_type const[LANDLOCK_RULE_PATH_BENEATH], rule_attr ptr[in, landlock_path_beneath_attr], flags const[0])

# Adds a network-port rule to a ruleset. rule_type is pinned to
# LANDLOCK_RULE_NET_PORT so that rule_attr is always a
# landlock_net_port_attr; flags is pinned to 0.
landlock_add_rule$LANDLOCK_RULE_NET_PORT(ruleset_fd fd_ruleset, rule_type const[LANDLOCK_RULE_NET_PORT], rule_attr ptr[in, landlock_net_port_attr], flags const[0])

# Applies the given ruleset to the caller; flags is pinned to 0.
# NOTE(review): presumably the kernel refuses this call unless the caller has
# set no_new_privs or holds CAP_SYS_ADMIN, and the restriction cannot be lifted
# afterwards. If so, generated programs lacking that setup only reach the
# error path, and successful calls constrain the rest of the program.
# Confirm against the kernel documentation.
landlock_restrict_self(ruleset_fd fd_ruleset, flags const[0])

# Argument of landlock_create_ruleset: two 64-bit bitmasks naming the
# filesystem and network access rights the ruleset handles.
# NOTE(review): the field list must mirror struct landlock_ruleset_attr in the
# included header; fields added by newer kernels are not described here.
landlock_ruleset_attr {
	handled_access_fs	flags[landlock_access_fs_flags, int64]
	handled_access_net	flags[landlock_access_net_flags, int64]
}

# Argument of the LANDLOCK_RULE_PATH_BENEATH variant: a 64-bit bitmask of
# filesystem rights followed by a file descriptor. [packed] removes padding,
# so no bytes follow parent_fd. parent_fd is a generic fd, so any descriptor
# kind known to syzkaller may be supplied, not only directories.
landlock_path_beneath_attr {
	allowed_access	flags[landlock_access_fs_flags, int64]
	parent_fd	fd
} [packed]

# Argument of the LANDLOCK_RULE_NET_PORT variant: a 64-bit bitmask of network
# rights followed by a 64-bit port. port is an unconstrained int64, so values
# that do not fit a 16-bit port number are generated as well.
# NOTE(review): presumably the kernel rejects those - confirm.
landlock_net_port_attr {
	allowed_access	flags[landlock_access_net_flags, int64]
	port		int64
}

# Local definition of a constant that, per the TODO below, was not yet in the
# upstream header when this was written. The value must stay equal to the one
# the header eventually assigns; a mismatch would make the fuzzer set a
# different bit than intended.
# TODO(glider): remove this line once LANDLOCK_ACCESS_FS_IOCTL_DEV hits upstream.
define LANDLOCK_ACCESS_FS_IOCTL_DEV	(1ULL << 15)

# Filesystem access-right bits used for handled_access_fs and for
# allowed_access in landlock_path_beneath_attr.
landlock_access_fs_flags = LANDLOCK_ACCESS_FS_EXECUTE, LANDLOCK_ACCESS_FS_WRITE_FILE, LANDLOCK_ACCESS_FS_READ_FILE, LANDLOCK_ACCESS_FS_READ_DIR, LANDLOCK_ACCESS_FS_REMOVE_DIR, LANDLOCK_ACCESS_FS_REMOVE_FILE, LANDLOCK_ACCESS_FS_MAKE_CHAR, LANDLOCK_ACCESS_FS_MAKE_DIR, LANDLOCK_ACCESS_FS_MAKE_REG, LANDLOCK_ACCESS_FS_MAKE_SOCK, LANDLOCK_ACCESS_FS_MAKE_FIFO, LANDLOCK_ACCESS_FS_MAKE_BLOCK, LANDLOCK_ACCESS_FS_MAKE_SYM, LANDLOCK_ACCESS_FS_REFER, LANDLOCK_ACCESS_FS_TRUNCATE, LANDLOCK_ACCESS_FS_IOCTL_DEV

# Network access-right bits used for handled_access_net and for
# allowed_access in landlock_net_port_attr.
landlock_access_net_flags = LANDLOCK_ACCESS_NET_BIND_TCP, LANDLOCK_ACCESS_NET_CONNECT_TCP