Add landlock api

sunfishcode · Sep 24, 2024 · 7ac6852 · 7ac6852
1 parent 4f90f6a
commit 7ac6852
Show file tree

Hide file tree

Showing 19 changed files with 793 additions and 0 deletions.
diff --git a/gen/modules/general.h b/gen/modules/general.h
@@ -14,6 +14,7 @@
 #include <linux/fs.h>
 #include <linux/futex.h>
 #include <linux/inotify.h>
+#include <linux/landlock.h>
 #include <linux/limits.h>
 #include <linux/magic.h>
 #include <linux/mman.h>

diff --git a/src/aarch64/general.rs b/src/aarch64/general.rs
@@ -426,6 +426,24 @@ pub name: __IncompleteArrayField<crate::ctypes::c_char>,
 }
 #[repr(C)]
 #[derive(Debug, Copy, Clone)]
+pub struct landlock_ruleset_attr {
+pub handled_access_fs: __u64,
+pub handled_access_net: __u64,
+}
+#[repr(C, packed)]
+#[derive(Debug, Copy, Clone)]
+pub struct landlock_path_beneath_attr {
+pub allowed_access: __u64,
+pub parent_fd: __s32,
+}
+#[repr(C)]
+#[derive(Debug, Copy, Clone)]
+pub struct landlock_net_port_attr {
+pub allowed_access: __u64,
+pub port: __u64,
+}
+#[repr(C)]
+#[derive(Debug, Copy, Clone)]
 pub struct cachestat_range {
 pub off: __u64,
 pub len: __u64,
@@ -1551,6 +1569,25 @@ pub const IN_ONESHOT: u32 = 2147483648;
 pub const IN_ALL_EVENTS: u32 = 4095;
 pub const IN_CLOEXEC: u32 = 524288;
 pub const IN_NONBLOCK: u32 = 2048;
+pub const LANDLOCK_CREATE_RULESET_VERSION: u32 = 1;
+pub const LANDLOCK_ACCESS_FS_EXECUTE: u32 = 1;
+pub const LANDLOCK_ACCESS_FS_WRITE_FILE: u32 = 2;
+pub const LANDLOCK_ACCESS_FS_READ_FILE: u32 = 4;
+pub const LANDLOCK_ACCESS_FS_READ_DIR: u32 = 8;
+pub const LANDLOCK_ACCESS_FS_REMOVE_DIR: u32 = 16;
+pub const LANDLOCK_ACCESS_FS_REMOVE_FILE: u32 = 32;
+pub const LANDLOCK_ACCESS_FS_MAKE_CHAR: u32 = 64;
+pub const LANDLOCK_ACCESS_FS_MAKE_DIR: u32 = 128;
+pub const LANDLOCK_ACCESS_FS_MAKE_REG: u32 = 256;
+pub const LANDLOCK_ACCESS_FS_MAKE_SOCK: u32 = 512;
+pub const LANDLOCK_ACCESS_FS_MAKE_FIFO: u32 = 1024;
+pub const LANDLOCK_ACCESS_FS_MAKE_BLOCK: u32 = 2048;
+pub const LANDLOCK_ACCESS_FS_MAKE_SYM: u32 = 4096;
+pub const LANDLOCK_ACCESS_FS_REFER: u32 = 8192;
+pub const LANDLOCK_ACCESS_FS_TRUNCATE: u32 = 16384;
+pub const LANDLOCK_ACCESS_FS_IOCTL_DEV: u32 = 32768;
+pub const LANDLOCK_ACCESS_NET_BIND_TCP: u32 = 1;
+pub const LANDLOCK_ACCESS_NET_CONNECT_TCP: u32 = 2;
 pub const ADFS_SUPER_MAGIC: u32 = 44533;
 pub const AFFS_SUPER_MAGIC: u32 = 44543;
 pub const AFS_SUPER_MAGIC: u32 = 1397113167;
@@ -2749,6 +2786,13 @@ PROCMAP_QUERY_FILE_BACKED_VMA = 32,
 #[repr(u32)]
 #[non_exhaustive]
 #[derive(Debug, Copy, Clone, Hash, PartialEq, Eq)]
+pub enum landlock_rule_type {
+LANDLOCK_RULE_PATH_BENEATH = 1,
+LANDLOCK_RULE_NET_PORT = 2,
+}
+#[repr(u32)]
+#[non_exhaustive]
+#[derive(Debug, Copy, Clone, Hash, PartialEq, Eq)]
 pub enum membarrier_cmd {
 MEMBARRIER_CMD_QUERY = 0,
 MEMBARRIER_CMD_GLOBAL = 1,

diff --git a/src/arm/general.rs b/src/arm/general.rs
@@ -424,6 +424,24 @@ pub name: __IncompleteArrayField<crate::ctypes::c_char>,
 }
 #[repr(C)]
 #[derive(Debug, Copy, Clone)]
+pub struct landlock_ruleset_attr {
+pub handled_access_fs: __u64,
+pub handled_access_net: __u64,
+}
+#[repr(C, packed)]
+#[derive(Debug, Copy, Clone)]
+pub struct landlock_path_beneath_attr {
+pub allowed_access: __u64,
+pub parent_fd: __s32,
+}
+#[repr(C)]
+#[derive(Debug, Copy, Clone)]
+pub struct landlock_net_port_attr {
+pub allowed_access: __u64,
+pub port: __u64,
+}
+#[repr(C)]
+#[derive(Debug, Copy, Clone)]
 pub struct cachestat_range {
 pub off: __u64,
 pub len: __u64,
@@ -1582,6 +1600,25 @@ pub const IN_ONESHOT: u32 = 2147483648;
 pub const IN_ALL_EVENTS: u32 = 4095;
 pub const IN_CLOEXEC: u32 = 524288;
 pub const IN_NONBLOCK: u32 = 2048;
+pub const LANDLOCK_CREATE_RULESET_VERSION: u32 = 1;
+pub const LANDLOCK_ACCESS_FS_EXECUTE: u32 = 1;
+pub const LANDLOCK_ACCESS_FS_WRITE_FILE: u32 = 2;
+pub const LANDLOCK_ACCESS_FS_READ_FILE: u32 = 4;
+pub const LANDLOCK_ACCESS_FS_READ_DIR: u32 = 8;
+pub const LANDLOCK_ACCESS_FS_REMOVE_DIR: u32 = 16;
+pub const LANDLOCK_ACCESS_FS_REMOVE_FILE: u32 = 32;
+pub const LANDLOCK_ACCESS_FS_MAKE_CHAR: u32 = 64;
+pub const LANDLOCK_ACCESS_FS_MAKE_DIR: u32 = 128;
+pub const LANDLOCK_ACCESS_FS_MAKE_REG: u32 = 256;
+pub const LANDLOCK_ACCESS_FS_MAKE_SOCK: u32 = 512;
+pub const LANDLOCK_ACCESS_FS_MAKE_FIFO: u32 = 1024;
+pub const LANDLOCK_ACCESS_FS_MAKE_BLOCK: u32 = 2048;
+pub const LANDLOCK_ACCESS_FS_MAKE_SYM: u32 = 4096;
+pub const LANDLOCK_ACCESS_FS_REFER: u32 = 8192;
+pub const LANDLOCK_ACCESS_FS_TRUNCATE: u32 = 16384;
+pub const LANDLOCK_ACCESS_FS_IOCTL_DEV: u32 = 32768;
+pub const LANDLOCK_ACCESS_NET_BIND_TCP: u32 = 1;
+pub const LANDLOCK_ACCESS_NET_CONNECT_TCP: u32 = 2;
 pub const ADFS_SUPER_MAGIC: u32 = 44533;
 pub const AFFS_SUPER_MAGIC: u32 = 44543;
 pub const AFS_SUPER_MAGIC: u32 = 1397113167;
@@ -2886,6 +2923,13 @@ PROCMAP_QUERY_FILE_BACKED_VMA = 32,
 #[repr(u32)]
 #[non_exhaustive]
 #[derive(Debug, Copy, Clone, Hash, PartialEq, Eq)]
+pub enum landlock_rule_type {
+LANDLOCK_RULE_PATH_BENEATH = 1,
+LANDLOCK_RULE_NET_PORT = 2,
+}
+#[repr(u32)]
+#[non_exhaustive]
+#[derive(Debug, Copy, Clone, Hash, PartialEq, Eq)]
 pub enum membarrier_cmd {
 MEMBARRIER_CMD_QUERY = 0,
 MEMBARRIER_CMD_GLOBAL = 1,

diff --git a/src/csky/general.rs b/src/csky/general.rs
@@ -424,6 +424,24 @@ pub name: __IncompleteArrayField<crate::ctypes::c_char>,
 }
 #[repr(C)]
 #[derive(Debug, Copy, Clone)]
+pub struct landlock_ruleset_attr {
+pub handled_access_fs: __u64,
+pub handled_access_net: __u64,
+}
+#[repr(C, packed)]
+#[derive(Debug, Copy, Clone)]
+pub struct landlock_path_beneath_attr {
+pub allowed_access: __u64,
+pub parent_fd: __s32,
+}
+#[repr(C)]
+#[derive(Debug, Copy, Clone)]
+pub struct landlock_net_port_attr {
+pub allowed_access: __u64,
+pub port: __u64,
+}
+#[repr(C)]
+#[derive(Debug, Copy, Clone)]
 pub struct cachestat_range {
 pub off: __u64,
 pub len: __u64,
@@ -1573,6 +1591,25 @@ pub const IN_ONESHOT: u32 = 2147483648;
 pub const IN_ALL_EVENTS: u32 = 4095;
 pub const IN_CLOEXEC: u32 = 524288;
 pub const IN_NONBLOCK: u32 = 2048;
+pub const LANDLOCK_CREATE_RULESET_VERSION: u32 = 1;
+pub const LANDLOCK_ACCESS_FS_EXECUTE: u32 = 1;
+pub const LANDLOCK_ACCESS_FS_WRITE_FILE: u32 = 2;
+pub const LANDLOCK_ACCESS_FS_READ_FILE: u32 = 4;
+pub const LANDLOCK_ACCESS_FS_READ_DIR: u32 = 8;
+pub const LANDLOCK_ACCESS_FS_REMOVE_DIR: u32 = 16;
+pub const LANDLOCK_ACCESS_FS_REMOVE_FILE: u32 = 32;
+pub const LANDLOCK_ACCESS_FS_MAKE_CHAR: u32 = 64;
+pub const LANDLOCK_ACCESS_FS_MAKE_DIR: u32 = 128;
+pub const LANDLOCK_ACCESS_FS_MAKE_REG: u32 = 256;
+pub const LANDLOCK_ACCESS_FS_MAKE_SOCK: u32 = 512;
+pub const LANDLOCK_ACCESS_FS_MAKE_FIFO: u32 = 1024;
+pub const LANDLOCK_ACCESS_FS_MAKE_BLOCK: u32 = 2048;
+pub const LANDLOCK_ACCESS_FS_MAKE_SYM: u32 = 4096;
+pub const LANDLOCK_ACCESS_FS_REFER: u32 = 8192;
+pub const LANDLOCK_ACCESS_FS_TRUNCATE: u32 = 16384;
+pub const LANDLOCK_ACCESS_FS_IOCTL_DEV: u32 = 32768;
+pub const LANDLOCK_ACCESS_NET_BIND_TCP: u32 = 1;
+pub const LANDLOCK_ACCESS_NET_CONNECT_TCP: u32 = 2;
 pub const ADFS_SUPER_MAGIC: u32 = 44533;
 pub const AFFS_SUPER_MAGIC: u32 = 44543;
 pub const AFS_SUPER_MAGIC: u32 = 1397113167;
@@ -2787,6 +2824,13 @@ PROCMAP_QUERY_FILE_BACKED_VMA = 32,
 #[repr(u32)]
 #[non_exhaustive]
 #[derive(Debug, Copy, Clone, Hash, PartialEq, Eq)]
+pub enum landlock_rule_type {
+LANDLOCK_RULE_PATH_BENEATH = 1,
+LANDLOCK_RULE_NET_PORT = 2,
+}
+#[repr(u32)]
+#[non_exhaustive]
+#[derive(Debug, Copy, Clone, Hash, PartialEq, Eq)]
 pub enum membarrier_cmd {
 MEMBARRIER_CMD_QUERY = 0,
 MEMBARRIER_CMD_GLOBAL = 1,

diff --git a/src/loongarch64/general.rs b/src/loongarch64/general.rs
@@ -426,6 +426,24 @@ pub name: __IncompleteArrayField<crate::ctypes::c_char>,
 }
 #[repr(C)]
 #[derive(Debug, Copy, Clone)]
+pub struct landlock_ruleset_attr {
+pub handled_access_fs: __u64,
+pub handled_access_net: __u64,
+}
+#[repr(C, packed)]
+#[derive(Debug, Copy, Clone)]
+pub struct landlock_path_beneath_attr {
+pub allowed_access: __u64,
+pub parent_fd: __s32,
+}
+#[repr(C)]
+#[derive(Debug, Copy, Clone)]
+pub struct landlock_net_port_attr {
+pub allowed_access: __u64,
+pub port: __u64,
+}
+#[repr(C)]
+#[derive(Debug, Copy, Clone)]
 pub struct cachestat_range {
 pub off: __u64,
 pub len: __u64,
@@ -1549,6 +1567,25 @@ pub const IN_ONESHOT: u32 = 2147483648;
 pub const IN_ALL_EVENTS: u32 = 4095;
 pub const IN_CLOEXEC: u32 = 524288;
 pub const IN_NONBLOCK: u32 = 2048;
+pub const LANDLOCK_CREATE_RULESET_VERSION: u32 = 1;
+pub const LANDLOCK_ACCESS_FS_EXECUTE: u32 = 1;
+pub const LANDLOCK_ACCESS_FS_WRITE_FILE: u32 = 2;
+pub const LANDLOCK_ACCESS_FS_READ_FILE: u32 = 4;
+pub const LANDLOCK_ACCESS_FS_READ_DIR: u32 = 8;
+pub const LANDLOCK_ACCESS_FS_REMOVE_DIR: u32 = 16;
+pub const LANDLOCK_ACCESS_FS_REMOVE_FILE: u32 = 32;
+pub const LANDLOCK_ACCESS_FS_MAKE_CHAR: u32 = 64;
+pub const LANDLOCK_ACCESS_FS_MAKE_DIR: u32 = 128;
+pub const LANDLOCK_ACCESS_FS_MAKE_REG: u32 = 256;
+pub const LANDLOCK_ACCESS_FS_MAKE_SOCK: u32 = 512;
+pub const LANDLOCK_ACCESS_FS_MAKE_FIFO: u32 = 1024;
+pub const LANDLOCK_ACCESS_FS_MAKE_BLOCK: u32 = 2048;
+pub const LANDLOCK_ACCESS_FS_MAKE_SYM: u32 = 4096;
+pub const LANDLOCK_ACCESS_FS_REFER: u32 = 8192;
+pub const LANDLOCK_ACCESS_FS_TRUNCATE: u32 = 16384;
+pub const LANDLOCK_ACCESS_FS_IOCTL_DEV: u32 = 32768;
+pub const LANDLOCK_ACCESS_NET_BIND_TCP: u32 = 1;
+pub const LANDLOCK_ACCESS_NET_CONNECT_TCP: u32 = 2;
 pub const ADFS_SUPER_MAGIC: u32 = 44533;
 pub const AFFS_SUPER_MAGIC: u32 = 44543;
 pub const AFS_SUPER_MAGIC: u32 = 1397113167;
@@ -2738,6 +2775,13 @@ PROCMAP_QUERY_FILE_BACKED_VMA = 32,
 #[repr(u32)]
 #[non_exhaustive]
 #[derive(Debug, Copy, Clone, Hash, PartialEq, Eq)]
+pub enum landlock_rule_type {
+LANDLOCK_RULE_PATH_BENEATH = 1,
+LANDLOCK_RULE_NET_PORT = 2,
+}
+#[repr(u32)]
+#[non_exhaustive]
+#[derive(Debug, Copy, Clone, Hash, PartialEq, Eq)]
 pub enum membarrier_cmd {
 MEMBARRIER_CMD_QUERY = 0,
 MEMBARRIER_CMD_GLOBAL = 1,

diff --git a/src/mips/general.rs b/src/mips/general.rs
@@ -427,6 +427,24 @@ pub name: __IncompleteArrayField<crate::ctypes::c_char>,
 }
 #[repr(C)]
 #[derive(Debug, Copy, Clone)]
+pub struct landlock_ruleset_attr {
+pub handled_access_fs: __u64,
+pub handled_access_net: __u64,
+}
+#[repr(C, packed)]
+#[derive(Debug, Copy, Clone)]
+pub struct landlock_path_beneath_attr {
+pub allowed_access: __u64,
+pub parent_fd: __s32,
+}
+#[repr(C)]
+#[derive(Debug, Copy, Clone)]
+pub struct landlock_net_port_attr {
+pub allowed_access: __u64,
+pub port: __u64,
+}
+#[repr(C)]
+#[derive(Debug, Copy, Clone)]
 pub struct cachestat_range {
 pub off: __u64,
 pub len: __u64,
@@ -1600,6 +1618,25 @@ pub const IN_ONESHOT: u32 = 2147483648;
 pub const IN_ALL_EVENTS: u32 = 4095;
 pub const IN_CLOEXEC: u32 = 524288;
 pub const IN_NONBLOCK: u32 = 128;
+pub const LANDLOCK_CREATE_RULESET_VERSION: u32 = 1;
+pub const LANDLOCK_ACCESS_FS_EXECUTE: u32 = 1;
+pub const LANDLOCK_ACCESS_FS_WRITE_FILE: u32 = 2;
+pub const LANDLOCK_ACCESS_FS_READ_FILE: u32 = 4;
+pub const LANDLOCK_ACCESS_FS_READ_DIR: u32 = 8;
+pub const LANDLOCK_ACCESS_FS_REMOVE_DIR: u32 = 16;
+pub const LANDLOCK_ACCESS_FS_REMOVE_FILE: u32 = 32;
+pub const LANDLOCK_ACCESS_FS_MAKE_CHAR: u32 = 64;
+pub const LANDLOCK_ACCESS_FS_MAKE_DIR: u32 = 128;
+pub const LANDLOCK_ACCESS_FS_MAKE_REG: u32 = 256;
+pub const LANDLOCK_ACCESS_FS_MAKE_SOCK: u32 = 512;
+pub const LANDLOCK_ACCESS_FS_MAKE_FIFO: u32 = 1024;
+pub const LANDLOCK_ACCESS_FS_MAKE_BLOCK: u32 = 2048;
+pub const LANDLOCK_ACCESS_FS_MAKE_SYM: u32 = 4096;
+pub const LANDLOCK_ACCESS_FS_REFER: u32 = 8192;
+pub const LANDLOCK_ACCESS_FS_TRUNCATE: u32 = 16384;
+pub const LANDLOCK_ACCESS_FS_IOCTL_DEV: u32 = 32768;
+pub const LANDLOCK_ACCESS_NET_BIND_TCP: u32 = 1;
+pub const LANDLOCK_ACCESS_NET_CONNECT_TCP: u32 = 2;
 pub const ADFS_SUPER_MAGIC: u32 = 44533;
 pub const AFFS_SUPER_MAGIC: u32 = 44543;
 pub const AFS_SUPER_MAGIC: u32 = 1397113167;
@@ -3055,6 +3092,13 @@ PROCMAP_QUERY_FILE_BACKED_VMA = 32,
 #[repr(u32)]
 #[non_exhaustive]
 #[derive(Debug, Copy, Clone, Hash, PartialEq, Eq)]
+pub enum landlock_rule_type {
+LANDLOCK_RULE_PATH_BENEATH = 1,
+LANDLOCK_RULE_NET_PORT = 2,
+}
+#[repr(u32)]
+#[non_exhaustive]
+#[derive(Debug, Copy, Clone, Hash, PartialEq, Eq)]
 pub enum membarrier_cmd {
 MEMBARRIER_CMD_QUERY = 0,
 MEMBARRIER_CMD_GLOBAL = 1,

diff --git a/src/mips32r6/general.rs b/src/mips32r6/general.rs
@@ -427,6 +427,24 @@ pub name: __IncompleteArrayField<crate::ctypes::c_char>,
 }
 #[repr(C)]
 #[derive(Debug, Copy, Clone)]
+pub struct landlock_ruleset_attr {
+pub handled_access_fs: __u64,
+pub handled_access_net: __u64,
+}
+#[repr(C, packed)]
+#[derive(Debug, Copy, Clone)]
+pub struct landlock_path_beneath_attr {
+pub allowed_access: __u64,
+pub parent_fd: __s32,
+}
+#[repr(C)]
+#[derive(Debug, Copy, Clone)]
+pub struct landlock_net_port_attr {
+pub allowed_access: __u64,
+pub port: __u64,
+}
+#[repr(C)]
+#[derive(Debug, Copy, Clone)]
 pub struct cachestat_range {
 pub off: __u64,
 pub len: __u64,
@@ -1600,6 +1618,25 @@ pub const IN_ONESHOT: u32 = 2147483648;
 pub const IN_ALL_EVENTS: u32 = 4095;
 pub const IN_CLOEXEC: u32 = 524288;
 pub const IN_NONBLOCK: u32 = 128;
+pub const LANDLOCK_CREATE_RULESET_VERSION: u32 = 1;
+pub const LANDLOCK_ACCESS_FS_EXECUTE: u32 = 1;
+pub const LANDLOCK_ACCESS_FS_WRITE_FILE: u32 = 2;
+pub const LANDLOCK_ACCESS_FS_READ_FILE: u32 = 4;
+pub const LANDLOCK_ACCESS_FS_READ_DIR: u32 = 8;
+pub const LANDLOCK_ACCESS_FS_REMOVE_DIR: u32 = 16;
+pub const LANDLOCK_ACCESS_FS_REMOVE_FILE: u32 = 32;
+pub const LANDLOCK_ACCESS_FS_MAKE_CHAR: u32 = 64;
+pub const LANDLOCK_ACCESS_FS_MAKE_DIR: u32 = 128;
+pub const LANDLOCK_ACCESS_FS_MAKE_REG: u32 = 256;
+pub const LANDLOCK_ACCESS_FS_MAKE_SOCK: u32 = 512;
+pub const LANDLOCK_ACCESS_FS_MAKE_FIFO: u32 = 1024;
+pub const LANDLOCK_ACCESS_FS_MAKE_BLOCK: u32 = 2048;
+pub const LANDLOCK_ACCESS_FS_MAKE_SYM: u32 = 4096;
+pub const LANDLOCK_ACCESS_FS_REFER: u32 = 8192;
+pub const LANDLOCK_ACCESS_FS_TRUNCATE: u32 = 16384;
+pub const LANDLOCK_ACCESS_FS_IOCTL_DEV: u32 = 32768;
+pub const LANDLOCK_ACCESS_NET_BIND_TCP: u32 = 1;
+pub const LANDLOCK_ACCESS_NET_CONNECT_TCP: u32 = 2;
 pub const ADFS_SUPER_MAGIC: u32 = 44533;
 pub const AFFS_SUPER_MAGIC: u32 = 44543;
 pub const AFS_SUPER_MAGIC: u32 = 1397113167;
@@ -3055,6 +3092,13 @@ PROCMAP_QUERY_FILE_BACKED_VMA = 32,
 #[repr(u32)]
 #[non_exhaustive]
 #[derive(Debug, Copy, Clone, Hash, PartialEq, Eq)]
+pub enum landlock_rule_type {
+LANDLOCK_RULE_PATH_BENEATH = 1,
+LANDLOCK_RULE_NET_PORT = 2,
+}
+#[repr(u32)]
+#[non_exhaustive]
+#[derive(Debug, Copy, Clone, Hash, PartialEq, Eq)]
 pub enum membarrier_cmd {
 MEMBARRIER_CMD_QUERY = 0,
 MEMBARRIER_CMD_GLOBAL = 1,