-
Notifications
You must be signed in to change notification settings - Fork 8
/
Copy pathlandlock.go
79 lines (72 loc) · 2.38 KB
/
landlock.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
// Package syscall provides a low-level interface to the Linux Landlock sandboxing feature.
//
// The package contains constants and syscall wrappers. The syscall
// wrappers whose names start with AllThreads will execute the syscall
// on all OS threads belonging to the current process, as long as
// these threads have been started implicitly by the Go runtime or
// using `pthread_create`.
//
// This package package is a stopgap solution while there is no
// Landlock support in x/sys/unix. The syscall package is considered
// highly unstable and may change or disappear without warning.
//
// The full documentation can be found at
// https://www.kernel.org/doc/html/latest/userspace-api/landlock.html.
package syscall
// Landlock file system access rights.
//
// Please see the full documentation at
// https://www.kernel.org/doc/html/latest/userspace-api/landlock.html#filesystem-flags.
const (
AccessFSExecute = 1 << iota
AccessFSWriteFile
AccessFSReadFile
AccessFSReadDir
AccessFSRemoveDir
AccessFSRemoveFile
AccessFSMakeChar
AccessFSMakeDir
AccessFSMakeReg
AccessFSMakeSock
AccessFSMakeFifo
AccessFSMakeBlock
AccessFSMakeSym
AccessFSRefer
AccessFSTruncate
AccessFSIoctlDev
)
// Landlock network access rights.
//
// Please see the full documentation at
// https://www.kernel.org/doc/html/latest/userspace-api/landlock.html#network-flags.
const (
AccessNetBindTCP = 1 << iota
AccessNetConnectTCP
)
// RulesetAttr is the Landlock ruleset definition.
//
// Argument of LandlockCreateRuleset(). This structure can grow in future versions of Landlock.
//
// C version is in usr/include/linux/landlock.h
type RulesetAttr struct {
HandledAccessFS uint64
HandledAccessNet uint64
}
// The size of the RulesetAttr struct in bytes.
const rulesetAttrSize = 16
// PathBeneathAttr references a file hierarchy and defines the desired
// extent to which it should be usable when the rule is enforced.
type PathBeneathAttr struct {
// AllowedAccess is a bitmask of allowed actions for this file
// hierarchy (cf. "Filesystem flags"). The enabled bits must
// be a subset of the bits defined in the ruleset.
AllowedAccess uint64
// ParentFd is a file descriptor, opened with `O_PATH`, which identifies
// the parent directory of a file hierarchy, or just a file.
ParentFd int
}
// NetPortAttr specifies which ports can be used for what.
type NetPortAttr struct {
AllowedAccess uint64
Port uint64
}