import updated landloc.h

author: shtrophic 2024-12-26 15:22:39 +0100
committer: shtrophic 2024-12-26 15:22:39 +0100
commit: 1a44f56372ac4ae821016e32daa7b23fbd4a93d4 (patch)
tree: 00a313d1de5b6e1d11704bc10fa59e1e55034f8c /landloc.h
parent: Merge tag '2.67' (diff)
download: snac2-1a44f56372ac4ae821016e32daa7b23fbd4a93d4.tar.gz
snac2-1a44f56372ac4ae821016e32daa7b23fbd4a93d4.tar.xz
snac2-1a44f56372ac4ae821016e32daa7b23fbd4a93d4.zip
1 files changed, 82 insertions, 32 deletions
diff --git a/landloc.h b/landloc.h
index e1ade20..aaec29f 100644
--- a/landloc.h
+++ b/landloc.h
@@ -65,9 +65,13 @@ int main(void) {
 #define __LANDLOC_H__
 #ifndef __linux__
-#error "no landlock without linux"
+#   error "no landlock without linux"
 #endif
+#include <linux/version.h>
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 13, 0)
 #include <unistd.h>
 #include <linux/landlock.h>
 #include <sys/syscall.h>
@@ -75,53 +79,89 @@ int main(void) {
 #include <fcntl.h>
 #ifndef O_PATH
-#define O_PATH          010000000
+#   define O_PATH               010000000
 #endif
 #ifndef LL_PRINTERR
-#define LL_PRINTERR(fmt, ...) (void)fmt;
+#   define LL_PRINTERR(fmt, ...) (void)fmt;
 #else
-#include <string.h>
+#   include <string.h>
-#include <errno.h>
+#   include <errno.h>
 #endif
-#define LL_FS_ALL                   (\
+#ifdef LANDLOCK_ACCESS_FS_REFER
-    LANDLOCK_ACCESS_FS_EXECUTE      |\
+#   define __LL_FS_REFER_COMPAT LANDLOCK_ACCESS_FS_REFER
-    LANDLOCK_ACCESS_FS_WRITE_FILE   |\
+#   define __LL_SWITCH_FS_REFER __rattr.handled_access_fs &= ~__LL_FS_REFER_COMPAT
-    LANDLOCK_ACCESS_FS_READ_FILE    |\
+#else
-    LANDLOCK_ACCESS_FS_READ_DIR     |\
+#   define __LL_FS_REFER_COMPAT 0
-    LANDLOCK_ACCESS_FS_REMOVE_DIR   |\
+#   define __LL_SWITCH_FS_REFER (void)0
-    LANDLOCK_ACCESS_FS_REMOVE_FILE  |\
+#endif
-    LANDLOCK_ACCESS_FS_MAKE_CHAR    |\
-    LANDLOCK_ACCESS_FS_MAKE_DIR     |\
+#ifdef LANDLOCK_ACCESS_FS_TRUNCATE
-    LANDLOCK_ACCESS_FS_MAKE_REG     |\
+#   define __LL_FS_TRUNCATE_COMPAT LANDLOCK_ACCESS_FS_TRUNCATE
-    LANDLOCK_ACCESS_FS_MAKE_SOCK    |\
+#   define __LL_SWITCH_FS_TRUNCATE __rattr.handled_access_fs  &= ~__LL_FS_TRUNCATE_COMPAT
-    LANDLOCK_ACCESS_FS_MAKE_FIFO    |\
+#else
-    LANDLOCK_ACCESS_FS_MAKE_BLOCK   |\
+#   define __LL_FS_TRUNCATE_COMPAT 0
-    LANDLOCK_ACCESS_FS_MAKE_SYM     |\
+#   define __LL_SWITCH_FS_TRUNCATE (void)0
-    LANDLOCK_ACCESS_FS_REFER        |\
+#endif
-    LANDLOCK_ACCESS_FS_TRUNCATE     |\
-    LANDLOCK_ACCESS_FS_IOCTL_DEV    )
+#ifdef LANDLOCK_ACCESS_FS_IOCTL_DEV
+#   define __LL_FS_IOCTL_DEV_COMPAT LANDLOCK_ACCESS_FS_IOCTL_DEV
-#define LL_NET_ALL                  (\
+#   define __LL_SWITCH_FS_IOCTL_DEV __rattr.handled_access_fs &= ~__LL_FS_IOCTL_DEV_COMPAT
-    LANDLOCK_ACCESS_NET_BIND_TCP    |\
+#else
-    LANDLOCK_ACCESS_NET_CONNECT_TCP )
+#   define __LL_FS_IOCTL_DEV_COMPAT 0
+#   define __LL_SWITCH_FS_IOCTL_DEV (void)0
+#endif
+#define LL_FS_ALL                       (\
+    LANDLOCK_ACCESS_FS_EXECUTE          |\
+    LANDLOCK_ACCESS_FS_WRITE_FILE       |\
+    LANDLOCK_ACCESS_FS_READ_FILE        |\
+    LANDLOCK_ACCESS_FS_READ_DIR         |\
+    LANDLOCK_ACCESS_FS_REMOVE_DIR       |\
+    LANDLOCK_ACCESS_FS_REMOVE_FILE      |\
+    LANDLOCK_ACCESS_FS_MAKE_CHAR        |\
+    LANDLOCK_ACCESS_FS_MAKE_DIR         |\
+    LANDLOCK_ACCESS_FS_MAKE_REG         |\
+    LANDLOCK_ACCESS_FS_MAKE_SOCK        |\
+    LANDLOCK_ACCESS_FS_MAKE_FIFO        |\
+    LANDLOCK_ACCESS_FS_MAKE_BLOCK       |\
+    LANDLOCK_ACCESS_FS_MAKE_SYM         |\
+    __LL_FS_REFER_COMPAT                |\
+    __LL_FS_TRUNCATE_COMPAT             |\
+    __LL_FS_IOCTL_DEV_COMPAT            )
+#if defined(LANDLOCK_ACCESS_NET_BIND_TCP) && defined(LANDLOCK_ACCESS_NET_CONNECT_TCP)
+#   define __LL_HAVE_NET
+#endif
+#ifdef __LL_HAVE_NET
+#   define LL_NET_ALL (LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP)
+#   define __LL_DECLARE_NET struct landlock_net_port_attr __nattr = {0}
+#   define __LL_INIT_NET __rattr.handled_access_net = LL_NET_ALL
+#   define __LL_SWITCH_NET do { __rattr.handled_access_net &= ~(LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP); } while (0)
+#else
+#   define LL_NET_ALL 0
+#   define __LL_DECLARE_NET (void)0
+#   define __LL_INIT_NET (void)0
+#   define __LL_SWITCH_NET (void)0
+#endif
 #define LL_BEGIN(function, ...) int function(__VA_ARGS__) {\
    int ll_rule_fd, ll_abi;\
    struct landlock_ruleset_attr      __rattr = {0};\
    struct landlock_path_beneath_attr __pattr = {0};\
-    struct landlock_net_port_attr     __nattr = {0};\
+    __LL_DECLARE_NET;\
    int __err = 0;\
    __rattr.handled_access_fs  = LL_FS_ALL;\
-    __rattr.handled_access_net = LL_NET_ALL;\
+    __LL_INIT_NET;\
    ll_abi = (int)syscall(SYS_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);\
    switch (ll_abi) {\
    case -1: return -1;\
-    case  1: __rattr.handled_access_fs  &= ~LANDLOCK_ACCESS_FS_REFER; __attribute__((fallthrough));\
+    case  1: __LL_SWITCH_FS_REFER; __attribute__((fallthrough));\
-    case  2: __rattr.handled_access_fs  &= ~LANDLOCK_ACCESS_FS_TRUNCATE; __attribute__((fallthrough));\
+    case  2: __LL_SWITCH_FS_TRUNCATE; __attribute__((fallthrough));\
-    case  3: __rattr.handled_access_net &= ~(LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP); __attribute__((fallthrough));\
+    case  3: __LL_SWITCH_NET; __attribute__((fallthrough));\
-    case  4: __rattr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV;\
+    case  4: __LL_SWITCH_FS_IOCTL_DEV;\
    default: break;\
    }\
    ll_rule_fd = (int)syscall(SYS_landlock_create_ruleset, &__rattr, sizeof(struct landlock_ruleset_attr), 0);\
@@ -159,6 +199,8 @@ int main(void) {
    close(__pattr.parent_fd);\
 } while (0)
+#ifdef __LL_HAVE_NET
 #define LL_PORT(p, rules) do {\
    unsigned short __port = (p);\
    __nattr.allowed_access = (rules);\
@@ -172,4 +214,12 @@ int main(void) {
    }\
 } while (0)
+#else
+#define LL_PORT(p, rules) do { (void)p; (void)rules; } while (0)
+#endif /* __LL_HAVE_NET */
+#endif /* KERNEL_VERSION(5, 13, 0) */
 #endif /* __LANDLOC_H__ */
author	shtrophic	2024-12-26 15:22:39 +0100
committer	shtrophic	2024-12-26 15:22:39 +0100
commit	1a44f56372ac4ae821016e32daa7b23fbd4a93d4 (patch)
tree	00a313d1de5b6e1d11704bc10fa59e1e55034f8c /landloc.h
parent	Merge tag '2.67' (diff)
download	snac2-1a44f56372ac4ae821016e32daa7b23fbd4a93d4.tar.gz snac2-1a44f56372ac4ae821016e32daa7b23fbd4a93d4.tar.xz snac2-1a44f56372ac4ae821016e32daa7b23fbd4a93d4.zip

diff --git a/landloc.h b/landloc.h index e1ade20..aaec29f 100644 --- a/landloc.h +++ b/landloc.h
@@ -65,9 +65,13 @@ int main(void) {
65	#define __LANDLOC_H__	65	#define __LANDLOC_H__
66		66
67	#ifndef __linux__	67	#ifndef __linux__
68	#error "no landlock without linux"	68	# error "no landlock without linux"
69	#endif	69	#endif
70		70
		71	#include <linux/version.h>
		72
		73	#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 13, 0)
		74
71	#include <unistd.h>	75	#include <unistd.h>
72	#include <linux/landlock.h>	76	#include <linux/landlock.h>
73	#include <sys/syscall.h>	77	#include <sys/syscall.h>
@@ -75,53 +79,89 @@ int main(void) {
75	#include <fcntl.h>	79	#include <fcntl.h>
76		80
77	#ifndef O_PATH	81	#ifndef O_PATH
78	#define O_PATH 010000000	82	# define O_PATH 010000000
79	#endif	83	#endif
80		84
81	#ifndef LL_PRINTERR	85	#ifndef LL_PRINTERR
82	#define LL_PRINTERR(fmt, ...) (void)fmt;	86	# define LL_PRINTERR(fmt, ...) (void)fmt;
83	#else	87	#else
84	#include <string.h>	88	# include <string.h>
85	#include <errno.h>	89	# include <errno.h>
86	#endif	90	#endif
87		91
88	#define LL_FS_ALL (\	92	#ifdef LANDLOCK_ACCESS_FS_REFER
89	LANDLOCK_ACCESS_FS_EXECUTE \|\	93	# define __LL_FS_REFER_COMPAT LANDLOCK_ACCESS_FS_REFER
90	LANDLOCK_ACCESS_FS_WRITE_FILE \|\	94	# define __LL_SWITCH_FS_REFER __rattr.handled_access_fs &= ~__LL_FS_REFER_COMPAT
91	LANDLOCK_ACCESS_FS_READ_FILE \|\	95	#else
92	LANDLOCK_ACCESS_FS_READ_DIR \|\	96	# define __LL_FS_REFER_COMPAT 0
93	LANDLOCK_ACCESS_FS_REMOVE_DIR \|\	97	# define __LL_SWITCH_FS_REFER (void)0
94	LANDLOCK_ACCESS_FS_REMOVE_FILE \|\	98	#endif
95	LANDLOCK_ACCESS_FS_MAKE_CHAR \|\	99
96	LANDLOCK_ACCESS_FS_MAKE_DIR \|\	100	#ifdef LANDLOCK_ACCESS_FS_TRUNCATE
97	LANDLOCK_ACCESS_FS_MAKE_REG \|\	101	# define __LL_FS_TRUNCATE_COMPAT LANDLOCK_ACCESS_FS_TRUNCATE
98	LANDLOCK_ACCESS_FS_MAKE_SOCK \|\	102	# define __LL_SWITCH_FS_TRUNCATE __rattr.handled_access_fs &= ~__LL_FS_TRUNCATE_COMPAT
99	LANDLOCK_ACCESS_FS_MAKE_FIFO \|\	103	#else
100	LANDLOCK_ACCESS_FS_MAKE_BLOCK \|\	104	# define __LL_FS_TRUNCATE_COMPAT 0
101	LANDLOCK_ACCESS_FS_MAKE_SYM \|\	105	# define __LL_SWITCH_FS_TRUNCATE (void)0
102	LANDLOCK_ACCESS_FS_REFER \|\	106	#endif
103	LANDLOCK_ACCESS_FS_TRUNCATE \|\	107
104	LANDLOCK_ACCESS_FS_IOCTL_DEV )	108	#ifdef LANDLOCK_ACCESS_FS_IOCTL_DEV
105		109	# define __LL_FS_IOCTL_DEV_COMPAT LANDLOCK_ACCESS_FS_IOCTL_DEV
106	#define LL_NET_ALL (\	110	# define __LL_SWITCH_FS_IOCTL_DEV __rattr.handled_access_fs &= ~__LL_FS_IOCTL_DEV_COMPAT
107	LANDLOCK_ACCESS_NET_BIND_TCP \|\	111	#else
108	LANDLOCK_ACCESS_NET_CONNECT_TCP )	112	# define __LL_FS_IOCTL_DEV_COMPAT 0
		113	# define __LL_SWITCH_FS_IOCTL_DEV (void)0
		114	#endif
		115
		116	#define LL_FS_ALL (\
		117	LANDLOCK_ACCESS_FS_EXECUTE \|\
		118	LANDLOCK_ACCESS_FS_WRITE_FILE \|\
		119	LANDLOCK_ACCESS_FS_READ_FILE \|\
		120	LANDLOCK_ACCESS_FS_READ_DIR \|\
		121	LANDLOCK_ACCESS_FS_REMOVE_DIR \|\
		122	LANDLOCK_ACCESS_FS_REMOVE_FILE \|\
		123	LANDLOCK_ACCESS_FS_MAKE_CHAR \|\
		124	LANDLOCK_ACCESS_FS_MAKE_DIR \|\
		125	LANDLOCK_ACCESS_FS_MAKE_REG \|\
		126	LANDLOCK_ACCESS_FS_MAKE_SOCK \|\
		127	LANDLOCK_ACCESS_FS_MAKE_FIFO \|\
		128	LANDLOCK_ACCESS_FS_MAKE_BLOCK \|\
		129	LANDLOCK_ACCESS_FS_MAKE_SYM \|\
		130	__LL_FS_REFER_COMPAT \|\
		131	__LL_FS_TRUNCATE_COMPAT \|\
		132	__LL_FS_IOCTL_DEV_COMPAT )
		133
		134	#if defined(LANDLOCK_ACCESS_NET_BIND_TCP) && defined(LANDLOCK_ACCESS_NET_CONNECT_TCP)
		135	# define __LL_HAVE_NET
		136	#endif
		137
		138	#ifdef __LL_HAVE_NET
		139	# define LL_NET_ALL (LANDLOCK_ACCESS_NET_BIND_TCP \| LANDLOCK_ACCESS_NET_CONNECT_TCP)
		140	# define __LL_DECLARE_NET struct landlock_net_port_attr __nattr = {0}
		141	# define __LL_INIT_NET __rattr.handled_access_net = LL_NET_ALL
		142	# define __LL_SWITCH_NET do { __rattr.handled_access_net &= ~(LANDLOCK_ACCESS_NET_BIND_TCP \| LANDLOCK_ACCESS_NET_CONNECT_TCP); } while (0)
		143	#else
		144	# define LL_NET_ALL 0
		145	# define __LL_DECLARE_NET (void)0
		146	# define __LL_INIT_NET (void)0
		147	# define __LL_SWITCH_NET (void)0
		148	#endif
109		149
110	#define LL_BEGIN(function, ...) int function(__VA_ARGS__) {\	150	#define LL_BEGIN(function, ...) int function(__VA_ARGS__) {\
111	int ll_rule_fd, ll_abi;\	151	int ll_rule_fd, ll_abi;\
112	struct landlock_ruleset_attr __rattr = {0};\	152	struct landlock_ruleset_attr __rattr = {0};\
113	struct landlock_path_beneath_attr __pattr = {0};\	153	struct landlock_path_beneath_attr __pattr = {0};\
114	struct landlock_net_port_attr __nattr = {0};\	154	__LL_DECLARE_NET;\
115	int __err = 0;\	155	int __err = 0;\
116	__rattr.handled_access_fs = LL_FS_ALL;\	156	__rattr.handled_access_fs = LL_FS_ALL;\
117	__rattr.handled_access_net = LL_NET_ALL;\	157	__LL_INIT_NET;\
118	ll_abi = (int)syscall(SYS_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);\	158	ll_abi = (int)syscall(SYS_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);\
119	switch (ll_abi) {\	159	switch (ll_abi) {\
120	case -1: return -1;\	160	case -1: return -1;\
121	case 1: __rattr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER; __attribute__((fallthrough));\	161	case 1: __LL_SWITCH_FS_REFER; __attribute__((fallthrough));\
122	case 2: __rattr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE; __attribute__((fallthrough));\	162	case 2: __LL_SWITCH_FS_TRUNCATE; __attribute__((fallthrough));\
123	case 3: __rattr.handled_access_net &= ~(LANDLOCK_ACCESS_NET_BIND_TCP \| LANDLOCK_ACCESS_NET_CONNECT_TCP); __attribute__((fallthrough));\	163	case 3: __LL_SWITCH_NET; __attribute__((fallthrough));\
124	case 4: __rattr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV;\	164	case 4: __LL_SWITCH_FS_IOCTL_DEV;\
125	default: break;\	165	default: break;\
126	}\	166	}\
127	ll_rule_fd = (int)syscall(SYS_landlock_create_ruleset, &__rattr, sizeof(struct landlock_ruleset_attr), 0);\	167	ll_rule_fd = (int)syscall(SYS_landlock_create_ruleset, &__rattr, sizeof(struct landlock_ruleset_attr), 0);\
@@ -159,6 +199,8 @@ int main(void) {
159	close(__pattr.parent_fd);\	199	close(__pattr.parent_fd);\
160	} while (0)	200	} while (0)
161		201
		202	#ifdef __LL_HAVE_NET
		203
162	#define LL_PORT(p, rules) do {\	204	#define LL_PORT(p, rules) do {\
163	unsigned short __port = (p);\	205	unsigned short __port = (p);\
164	__nattr.allowed_access = (rules);\	206	__nattr.allowed_access = (rules);\
@@ -172,4 +214,12 @@ int main(void) {
172	}\	214	}\
173	} while (0)	215	} while (0)
174		216
		217	#else
		218
		219	#define LL_PORT(p, rules) do { (void)p; (void)rules; } while (0)
		220
		221	#endif /* __LL_HAVE_NET */
		222
		223	#endif /* KERNEL_VERSION(5, 13, 0) */
		224
175	#endif /* __LANDLOC_H__ */	225	#endif /* __LANDLOC_H__ */