2 files changed, 55 insertions, 47 deletions
diff --git a/landloc.h b/landloc.h
index aaec29f..8995871 100644
--- a/landloc.h
+++ b/landloc.h
@@ -90,57 +90,63 @@ int main(void) {
 #endif
 #ifdef LANDLOCK_ACCESS_FS_REFER
-#   define __LL_FS_REFER_COMPAT LANDLOCK_ACCESS_FS_REFER
+#   define LANDLOCK_ACCESS_FS_REFER_COMPAT LANDLOCK_ACCESS_FS_REFER
-#   define __LL_SWITCH_FS_REFER __rattr.handled_access_fs &= ~__LL_FS_REFER_COMPAT
+#   define __LL_SWITCH_FS_REFER __rattr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER_COMPAT
 #else
-#   define __LL_FS_REFER_COMPAT 0
+#   define LANDLOCK_ACCESS_FS_REFER_COMPAT 0
 #   define __LL_SWITCH_FS_REFER (void)0
 #endif
 #ifdef LANDLOCK_ACCESS_FS_TRUNCATE
-#   define __LL_FS_TRUNCATE_COMPAT LANDLOCK_ACCESS_FS_TRUNCATE
+#   define LANDLOCK_ACCESS_FS_TRUNCATE_COMPAT LANDLOCK_ACCESS_FS_TRUNCATE
-#   define __LL_SWITCH_FS_TRUNCATE __rattr.handled_access_fs  &= ~__LL_FS_TRUNCATE_COMPAT
+#   define __LL_SWITCH_FS_TRUNCATE __rattr.handled_access_fs  &= ~LANDLOCK_ACCESS_FS_TRUNCATE_COMPAT
 #else
-#   define __LL_FS_TRUNCATE_COMPAT 0
+#   define LANDLOCK_ACCESS_FS_TRUNCATE_COMPAT 0
 #   define __LL_SWITCH_FS_TRUNCATE (void)0
 #endif
 #ifdef LANDLOCK_ACCESS_FS_IOCTL_DEV
-#   define __LL_FS_IOCTL_DEV_COMPAT LANDLOCK_ACCESS_FS_IOCTL_DEV
+#   define LANDLOCK_ACCESS_FS_IOCTL_DEV_COMPAT LANDLOCK_ACCESS_FS_IOCTL_DEV
-#   define __LL_SWITCH_FS_IOCTL_DEV __rattr.handled_access_fs &= ~__LL_FS_IOCTL_DEV_COMPAT
+#   define __LL_SWITCH_FS_IOCTL_DEV __rattr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV_COMPAT
 #else
-#   define __LL_FS_IOCTL_DEV_COMPAT 0
+#   define LANDLOCK_ACCESS_FS_IOCTL_DEV_COMPAT 0
 #   define __LL_SWITCH_FS_IOCTL_DEV (void)0
 #endif
-#define LL_FS_ALL                       (\
+#define LL_FS_ALL                           (\
-    LANDLOCK_ACCESS_FS_EXECUTE          |\
+    LANDLOCK_ACCESS_FS_EXECUTE              |\
-    LANDLOCK_ACCESS_FS_WRITE_FILE       |\
+    LANDLOCK_ACCESS_FS_WRITE_FILE           |\
-    LANDLOCK_ACCESS_FS_READ_FILE        |\
+    LANDLOCK_ACCESS_FS_READ_FILE            |\
-    LANDLOCK_ACCESS_FS_READ_DIR         |\
+    LANDLOCK_ACCESS_FS_READ_DIR             |\
-    LANDLOCK_ACCESS_FS_REMOVE_DIR       |\
+    LANDLOCK_ACCESS_FS_REMOVE_DIR           |\
-    LANDLOCK_ACCESS_FS_REMOVE_FILE      |\
+    LANDLOCK_ACCESS_FS_REMOVE_FILE          |\
-    LANDLOCK_ACCESS_FS_MAKE_CHAR        |\
+    LANDLOCK_ACCESS_FS_MAKE_CHAR            |\
-    LANDLOCK_ACCESS_FS_MAKE_DIR         |\
+    LANDLOCK_ACCESS_FS_MAKE_DIR             |\
-    LANDLOCK_ACCESS_FS_MAKE_REG         |\
+    LANDLOCK_ACCESS_FS_MAKE_REG             |\
-    LANDLOCK_ACCESS_FS_MAKE_SOCK        |\
+    LANDLOCK_ACCESS_FS_MAKE_SOCK            |\
-    LANDLOCK_ACCESS_FS_MAKE_FIFO        |\
+    LANDLOCK_ACCESS_FS_MAKE_FIFO            |\
-    LANDLOCK_ACCESS_FS_MAKE_BLOCK       |\
+    LANDLOCK_ACCESS_FS_MAKE_BLOCK           |\
-    LANDLOCK_ACCESS_FS_MAKE_SYM         |\
+    LANDLOCK_ACCESS_FS_MAKE_SYM             |\
-    __LL_FS_REFER_COMPAT                |\
+    LANDLOCK_ACCESS_FS_REFER_COMPAT         |\
-    __LL_FS_TRUNCATE_COMPAT             |\
+    LANDLOCK_ACCESS_FS_TRUNCATE_COMPAT      |\
-    __LL_FS_IOCTL_DEV_COMPAT            )
+    LANDLOCK_ACCESS_FS_IOCTL_DEV_COMPAT     )
 #if defined(LANDLOCK_ACCESS_NET_BIND_TCP) && defined(LANDLOCK_ACCESS_NET_CONNECT_TCP)
-#   define __LL_HAVE_NET
+#   define LL_HAVE_NET 1
-#endif
+#   define LANDLOCK_ACCESS_NET_BIND_TCP_COMPAT LANDLOCK_ACCESS_NET_BIND_TCP
+#   define LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT LANDLOCK_ACCESS_NET_CONNECT_TCP
-#ifdef __LL_HAVE_NET
+#   define LL_NET_ALL (LANDLOCK_ACCESS_NET_BIND_TCP_COMPAT | LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT)
-#   define LL_NET_ALL (LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP)
 #   define __LL_DECLARE_NET struct landlock_net_port_attr __nattr = {0}
 #   define __LL_INIT_NET __rattr.handled_access_net = LL_NET_ALL
 #   define __LL_SWITCH_NET do { __rattr.handled_access_net &= ~(LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP); } while (0)
 #else
+#   define LL_HAVE_NET 0
+#   define LANDLOCK_ACCESS_NET_BIND_TCP_COMPAT 0
+#   define LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT 0
 #   define LL_NET_ALL 0
 #   define __LL_DECLARE_NET (void)0
 #   define __LL_INIT_NET (void)0
@@ -185,26 +191,28 @@ int main(void) {
 #define LL_PATH(p, rules) do {\
    const char *__path = (p);\
    __pattr.allowed_access = (rules) & __rattr.handled_access_fs;\
-    __pattr.parent_fd = open(__path, O_PATH | O_CLOEXEC);\
+    if (__pattr.allowed_access != 0) {\
-    if (-1 == __pattr.parent_fd) {\
+        __pattr.parent_fd = open(__path, O_PATH | O_CLOEXEC);\
-        LL_PRINTERR("open(%s): %s", __path, strerror(errno));\
+        if (-1 == __pattr.parent_fd) {\
-        __err = -1;\
+            LL_PRINTERR("open(%s): %s", __path, strerror(errno));\
-        goto __close;\
+            __err = -1;\
-    }\
+            goto __close;\
-    __err = (int)syscall(SYS_landlock_add_rule, ll_rule_fd, LANDLOCK_RULE_PATH_BENEATH, &__pattr, 0);\
+        }\
-    if (__err) {\
+        __err = (int)syscall(SYS_landlock_add_rule, ll_rule_fd, LANDLOCK_RULE_PATH_BENEATH, &__pattr, 0);\
-        LL_PRINTERR("landlock_add_rule(%s): %s", __path, strerror(errno));\
+        if (__err) {\
-        goto __close;\
+            LL_PRINTERR("landlock_add_rule(%s): %s", __path, strerror(errno));\
+            goto __close;\
+        }\
+        close(__pattr.parent_fd);\
    }\
-    close(__pattr.parent_fd);\
 } while (0)
-#ifdef __LL_HAVE_NET
+#if LL_HAVE_NET
 #define LL_PORT(p, rules) do {\
    unsigned short __port = (p);\
    __nattr.allowed_access = (rules);\
-    if (ll_abi > 3) {\
+    if (ll_abi > 3 && __nattr.allowed_access != 0) {\
        __nattr.port = __port;\
        __err = (int)syscall(SYS_landlock_add_rule, ll_rule_fd, LANDLOCK_RULE_NET_PORT, &__nattr, 0);\
        if (__err) {\
@@ -218,7 +226,7 @@ int main(void) {
 #define LL_PORT(p, rules) do { (void)p; (void)rules; } while (0)
-#endif /* __LL_HAVE_NET */
+#endif /* LL_HAVE_NET */
 #endif /* KERNEL_VERSION(5, 13, 0) */
diff --git a/sandbox.c b/sandbox.c
index 6eafc43..b7c602e 100644
--- a/sandbox.c
+++ b/sandbox.c
@@ -46,11 +46,11 @@ LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail)
    if (*address != '/') {
        unsigned short listen_port = xs_number_get(xs_dict_get(srv_config, "port"));
-        LL_PORT(listen_port, LANDLOCK_ACCESS_NET_BIND_TCP);
+        LL_PORT(listen_port, LANDLOCK_ACCESS_NET_BIND_TCP_COMPAT);
    }
-    LL_PORT(80,  LANDLOCK_ACCESS_NET_CONNECT_TCP);
+    LL_PORT(80,  LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT);
-    LL_PORT(443, LANDLOCK_ACCESS_NET_CONNECT_TCP);
+    LL_PORT(443, LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT);
 } LL_END

diff --git a/landloc.h b/landloc.h index aaec29f..8995871 100644 --- a/landloc.h +++ b/landloc.h
@@ -90,57 +90,63 @@ int main(void) {
90	#endif	90	#endif
91		91
92	#ifdef LANDLOCK_ACCESS_FS_REFER	92	#ifdef LANDLOCK_ACCESS_FS_REFER
93	# define __LL_FS_REFER_COMPAT LANDLOCK_ACCESS_FS_REFER	93	# define LANDLOCK_ACCESS_FS_REFER_COMPAT LANDLOCK_ACCESS_FS_REFER
94	# define __LL_SWITCH_FS_REFER __rattr.handled_access_fs &= ~__LL_FS_REFER_COMPAT	94	# define __LL_SWITCH_FS_REFER __rattr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER_COMPAT
95	#else	95	#else
96	# define __LL_FS_REFER_COMPAT 0	96	# define LANDLOCK_ACCESS_FS_REFER_COMPAT 0
97	# define __LL_SWITCH_FS_REFER (void)0	97	# define __LL_SWITCH_FS_REFER (void)0
98	#endif	98	#endif
99		99
100	#ifdef LANDLOCK_ACCESS_FS_TRUNCATE	100	#ifdef LANDLOCK_ACCESS_FS_TRUNCATE
101	# define __LL_FS_TRUNCATE_COMPAT LANDLOCK_ACCESS_FS_TRUNCATE	101	# define LANDLOCK_ACCESS_FS_TRUNCATE_COMPAT LANDLOCK_ACCESS_FS_TRUNCATE
102	# define __LL_SWITCH_FS_TRUNCATE __rattr.handled_access_fs &= ~__LL_FS_TRUNCATE_COMPAT	102	# define __LL_SWITCH_FS_TRUNCATE __rattr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE_COMPAT
103	#else	103	#else
104	# define __LL_FS_TRUNCATE_COMPAT 0	104	# define LANDLOCK_ACCESS_FS_TRUNCATE_COMPAT 0
105	# define __LL_SWITCH_FS_TRUNCATE (void)0	105	# define __LL_SWITCH_FS_TRUNCATE (void)0
106	#endif	106	#endif
107		107
108	#ifdef LANDLOCK_ACCESS_FS_IOCTL_DEV	108	#ifdef LANDLOCK_ACCESS_FS_IOCTL_DEV
109	# define __LL_FS_IOCTL_DEV_COMPAT LANDLOCK_ACCESS_FS_IOCTL_DEV	109	# define LANDLOCK_ACCESS_FS_IOCTL_DEV_COMPAT LANDLOCK_ACCESS_FS_IOCTL_DEV
110	# define __LL_SWITCH_FS_IOCTL_DEV __rattr.handled_access_fs &= ~__LL_FS_IOCTL_DEV_COMPAT	110	# define __LL_SWITCH_FS_IOCTL_DEV __rattr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV_COMPAT
111	#else	111	#else
112	# define __LL_FS_IOCTL_DEV_COMPAT 0	112	# define LANDLOCK_ACCESS_FS_IOCTL_DEV_COMPAT 0
113	# define __LL_SWITCH_FS_IOCTL_DEV (void)0	113	# define __LL_SWITCH_FS_IOCTL_DEV (void)0
114	#endif	114	#endif
115		115
116	#define LL_FS_ALL (\	116	#define LL_FS_ALL (\
117	LANDLOCK_ACCESS_FS_EXECUTE \|\	117	LANDLOCK_ACCESS_FS_EXECUTE \|\
118	LANDLOCK_ACCESS_FS_WRITE_FILE \|\	118	LANDLOCK_ACCESS_FS_WRITE_FILE \|\
119	LANDLOCK_ACCESS_FS_READ_FILE \|\	119	LANDLOCK_ACCESS_FS_READ_FILE \|\
120	LANDLOCK_ACCESS_FS_READ_DIR \|\	120	LANDLOCK_ACCESS_FS_READ_DIR \|\
121	LANDLOCK_ACCESS_FS_REMOVE_DIR \|\	121	LANDLOCK_ACCESS_FS_REMOVE_DIR \|\
122	LANDLOCK_ACCESS_FS_REMOVE_FILE \|\	122	LANDLOCK_ACCESS_FS_REMOVE_FILE \|\
123	LANDLOCK_ACCESS_FS_MAKE_CHAR \|\	123	LANDLOCK_ACCESS_FS_MAKE_CHAR \|\
124	LANDLOCK_ACCESS_FS_MAKE_DIR \|\	124	LANDLOCK_ACCESS_FS_MAKE_DIR \|\
125	LANDLOCK_ACCESS_FS_MAKE_REG \|\	125	LANDLOCK_ACCESS_FS_MAKE_REG \|\
126	LANDLOCK_ACCESS_FS_MAKE_SOCK \|\	126	LANDLOCK_ACCESS_FS_MAKE_SOCK \|\
127	LANDLOCK_ACCESS_FS_MAKE_FIFO \|\	127	LANDLOCK_ACCESS_FS_MAKE_FIFO \|\
128	LANDLOCK_ACCESS_FS_MAKE_BLOCK \|\	128	LANDLOCK_ACCESS_FS_MAKE_BLOCK \|\
129	LANDLOCK_ACCESS_FS_MAKE_SYM \|\	129	LANDLOCK_ACCESS_FS_MAKE_SYM \|\
130	__LL_FS_REFER_COMPAT \|\	130	LANDLOCK_ACCESS_FS_REFER_COMPAT \|\
131	__LL_FS_TRUNCATE_COMPAT \|\	131	LANDLOCK_ACCESS_FS_TRUNCATE_COMPAT \|\
132	__LL_FS_IOCTL_DEV_COMPAT )	132	LANDLOCK_ACCESS_FS_IOCTL_DEV_COMPAT )
133		133
134	#if defined(LANDLOCK_ACCESS_NET_BIND_TCP) && defined(LANDLOCK_ACCESS_NET_CONNECT_TCP)	134	#if defined(LANDLOCK_ACCESS_NET_BIND_TCP) && defined(LANDLOCK_ACCESS_NET_CONNECT_TCP)
135	# define __LL_HAVE_NET	135	# define LL_HAVE_NET 1
136	#endif	136
		137	# define LANDLOCK_ACCESS_NET_BIND_TCP_COMPAT LANDLOCK_ACCESS_NET_BIND_TCP
		138	# define LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT LANDLOCK_ACCESS_NET_CONNECT_TCP
137		139
138	#ifdef __LL_HAVE_NET	140	# define LL_NET_ALL (LANDLOCK_ACCESS_NET_BIND_TCP_COMPAT \| LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT)
139	# define LL_NET_ALL (LANDLOCK_ACCESS_NET_BIND_TCP \| LANDLOCK_ACCESS_NET_CONNECT_TCP)
140	# define __LL_DECLARE_NET struct landlock_net_port_attr __nattr = {0}	141	# define __LL_DECLARE_NET struct landlock_net_port_attr __nattr = {0}
141	# define __LL_INIT_NET __rattr.handled_access_net = LL_NET_ALL	142	# define __LL_INIT_NET __rattr.handled_access_net = LL_NET_ALL
142	# define __LL_SWITCH_NET do { __rattr.handled_access_net &= ~(LANDLOCK_ACCESS_NET_BIND_TCP \| LANDLOCK_ACCESS_NET_CONNECT_TCP); } while (0)	143	# define __LL_SWITCH_NET do { __rattr.handled_access_net &= ~(LANDLOCK_ACCESS_NET_BIND_TCP \| LANDLOCK_ACCESS_NET_CONNECT_TCP); } while (0)
143	#else	144	#else
		145	# define LL_HAVE_NET 0
		146
		147	# define LANDLOCK_ACCESS_NET_BIND_TCP_COMPAT 0
		148	# define LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT 0
		149
144	# define LL_NET_ALL 0	150	# define LL_NET_ALL 0
145	# define __LL_DECLARE_NET (void)0	151	# define __LL_DECLARE_NET (void)0
146	# define __LL_INIT_NET (void)0	152	# define __LL_INIT_NET (void)0
@@ -185,26 +191,28 @@ int main(void) {
185	#define LL_PATH(p, rules) do {\	191	#define LL_PATH(p, rules) do {\
186	const char *__path = (p);\	192	const char *__path = (p);\
187	__pattr.allowed_access = (rules) & __rattr.handled_access_fs;\	193	__pattr.allowed_access = (rules) & __rattr.handled_access_fs;\
188	__pattr.parent_fd = open(__path, O_PATH \| O_CLOEXEC);\	194	if (__pattr.allowed_access != 0) {\
189	if (-1 == __pattr.parent_fd) {\	195	__pattr.parent_fd = open(__path, O_PATH \| O_CLOEXEC);\
190	LL_PRINTERR("open(%s): %s", __path, strerror(errno));\	196	if (-1 == __pattr.parent_fd) {\
191	__err = -1;\	197	LL_PRINTERR("open(%s): %s", __path, strerror(errno));\
192	goto __close;\	198	__err = -1;\
193	}\	199	goto __close;\
194	__err = (int)syscall(SYS_landlock_add_rule, ll_rule_fd, LANDLOCK_RULE_PATH_BENEATH, &__pattr, 0);\	200	}\
195	if (__err) {\	201	__err = (int)syscall(SYS_landlock_add_rule, ll_rule_fd, LANDLOCK_RULE_PATH_BENEATH, &__pattr, 0);\
196	LL_PRINTERR("landlock_add_rule(%s): %s", __path, strerror(errno));\	202	if (__err) {\
197	goto __close;\	203	LL_PRINTERR("landlock_add_rule(%s): %s", __path, strerror(errno));\
		204	goto __close;\
		205	}\
		206	close(__pattr.parent_fd);\
198	}\	207	}\
199	close(__pattr.parent_fd);\
200	} while (0)	208	} while (0)
201		209
202	#ifdef __LL_HAVE_NET	210	#if LL_HAVE_NET
203		211
204	#define LL_PORT(p, rules) do {\	212	#define LL_PORT(p, rules) do {\
205	unsigned short __port = (p);\	213	unsigned short __port = (p);\
206	__nattr.allowed_access = (rules);\	214	__nattr.allowed_access = (rules);\
207	if (ll_abi > 3) {\	215	if (ll_abi > 3 && __nattr.allowed_access != 0) {\
208	__nattr.port = __port;\	216	__nattr.port = __port;\
209	__err = (int)syscall(SYS_landlock_add_rule, ll_rule_fd, LANDLOCK_RULE_NET_PORT, &__nattr, 0);\	217	__err = (int)syscall(SYS_landlock_add_rule, ll_rule_fd, LANDLOCK_RULE_NET_PORT, &__nattr, 0);\
210	if (__err) {\	218	if (__err) {\
@@ -218,7 +226,7 @@ int main(void) {
218		226
219	#define LL_PORT(p, rules) do { (void)p; (void)rules; } while (0)	227	#define LL_PORT(p, rules) do { (void)p; (void)rules; } while (0)
220		228
221	#endif /* __LL_HAVE_NET */	229	#endif /* LL_HAVE_NET */
222		230
223	#endif /* KERNEL_VERSION(5, 13, 0) */	231	#endif /* KERNEL_VERSION(5, 13, 0) */
224		232


diff --git a/sandbox.c b/sandbox.c index 6eafc43..b7c602e 100644 --- a/sandbox.c +++ b/sandbox.c
@@ -46,11 +46,11 @@ LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail)
46		46
47	if (*address != '/') {	47	if (*address != '/') {
48	unsigned short listen_port = xs_number_get(xs_dict_get(srv_config, "port"));	48	unsigned short listen_port = xs_number_get(xs_dict_get(srv_config, "port"));
49	LL_PORT(listen_port, LANDLOCK_ACCESS_NET_BIND_TCP);	49	LL_PORT(listen_port, LANDLOCK_ACCESS_NET_BIND_TCP_COMPAT);
50	}	50	}
51		51
52	LL_PORT(80, LANDLOCK_ACCESS_NET_CONNECT_TCP);	52	LL_PORT(80, LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT);
53	LL_PORT(443, LANDLOCK_ACCESS_NET_CONNECT_TCP);	53	LL_PORT(443, LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT);
54		54
55	} LL_END	55	} LL_END
56		56