commit 4c31de2915cd2ef3e7d5463bde48cf9064c89d20
from: Omar Polo
date: Sun Sep 19 17:08:12 2021 UTC
add configure check and shim for landlock
First move towards landlock support (#3). The shim is needed until libc provides the proper wrappers for the landlock APIs; I hope it doesn't take too long, but landlock was merged back in May and are still missing.
commit - fba809b5c775fd4d3c28a012259ee3b1908d4e40
commit + 4c31de2915cd2ef3e7d5463bde48cf9064c89d20
blob - 5283a56dc7002802c8437d506cd57e4ec006df69
blob + 3639700759b6ab3e32703a161876bc19b9d30149
--- configure
+++ configure
@@ -240,6 +240,7 @@ runtest getdtablecount GETDTABLECOUNT || true
 runtest getdtablesize GETDTABLESIZE || true
 runtest getprogname GETPROGNAME || true
 runtest imsg IMSG -lutil || true
+runtest landlock LANDLOCK || true
 runtest libevent LIBEVENT || true
 runtest libtls LIBTLS || true
 runtest openssl OPENSSL || true
blob - /dev/null
blob + 8be29bd370345824936362a9d053dd8ca210696c (mode 644)
--- /dev/null
+++ have/landlock.c
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2021 Omar Polo
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "../landlock_shim.h"
+
+int
+main(void)
+{
+ int rfd;
+ struct landlock_ruleset_attr rsattr = {
+ .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE |
+ LANDLOCK_ACCESS_FS_READ_DIR
+ };
+
+ rfd = landlock_create_ruleset(&rsattr, sizeof(rsattr), 0);
+ return rfd == -1;
+}
blob - /dev/null
blob + 1ffa6c2764786d3f41936778d4581e84b0b5d155 (mode 644)
--- /dev/null
+++ landlock_shim.h
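Review bot: `return rfd == -1;` makes the outcome of this probe depend on the kernel running on the build host rather than on whether the landlock headers and syscall numbers are available: `landlock_create_ruleset` really issues the syscall, which fails with ENOSYS on kernels before 5.13 and with EOPNOTSUPP where the LSM is built in but not enabled, so if runtest executes the probe (its definition is outside this diff) a build on such a host silently produces a binary without landlock support even when it is later deployed on a capable kernel. If this is meant as a build-time check, it is enough that the call compiles and links; if the runtime state is meant to be probed as well, treat those two errors as "API present" by querying the ABI instead, `rfd = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);` followed by `return rfd == -1 && errno != ENOSYS && errno != EOPNOTSUPP;` (which needs `<errno.h>`), and leave the decision of what to do without landlock to the daemon at runtime. The ruleset fd is never closed, which is harmless in a probe that exits immediately but worth not copying into the real code.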
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 2021 Omar Polo
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * What's the deal with landlock? While distro with linux >= 5.13
+ * have the struct declarations, it seems that the glibc (or whatever)
+ * wrappers are missing. The sample landlock code provided by the
+ * authors includes these "shims" for the landlock API until libc
+ * provides them.
+ *
+ * Linux is such a mess sometimes. /rant
+ */
+
+#ifndef LANDLOCK_SHIM_H
+#define LANDLOCK_SHIM_H
+
+#include
+#include
+
+#include
+#include
+#include
+
+#include
+
+#ifndef landlock_create_ruleset
+static inline int
+landlock_create_ruleset(const struct landlock_ruleset_attr *attr, size_t size,
+ __u32 flags)
+{
+ return syscall(__NR_landlock_create_ruleset, attr, size, flags);
+}
+#endif
+
+#ifndef landlock_add_rule
+static inline int
+landlock_add_rule(int ruleset_fd, enum landlock_rule_type type,
+ const void *attr, __u32 flags)
+{
+ return syscall(__NR_landlock_add_rule, ruleset_fd, type, attr, flags);
+}
+#endif
+
+#ifndef landlock_restrict_self
+static inline int
+landlock_restrict_self(int ruleset_fd, __u32 flags)
+{
+ return syscall(__NR_landlock_restrict_self, ruleset_fd, flags);
+}
+#endif
+
+#endif /* LANDLOCK_SHIM_H */
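Review bot: The `#ifndef landlock_create_ruleset` guard (and the two like it for `landlock_add_rule` and `landlock_restrict_self`) only detects a macro, not a prototype, so once a libc ships these wrappers as ordinary function declarations the `static inline` definitions here will conflict with the non-static declarations in the system header instead of quietly stepping aside. A feature macro set by configure (for instance from a second `have/` probe that compiles a call to the wrapper without this shim) is a more dependable guard than the symbol name; the three definitions could then sit under one `#ifndef HAVE_LANDLOCK_WRAPPERS` (constructed name) block. It would also help callers to document above `landlock_restrict_self` that the kernel refuses the call with EPERM unless the process has set `PR_SET_NO_NEW_PRIVS` through `prctl(2)` first (or holds CAP_SYS_ADMIN in its user namespace), and above `landlock_create_ruleset` that `handled_access_fs` may only name access rights the running kernel's ABI version supports, since each shim hands its arguments to `syscall(2)` unchanged and performs no validation of its own. The `#include` targets were stripped from this page, so I can't confirm which headers are relied on for `__NR_landlock_*` and the struct and enum definitions.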