/src/crosvm/third_party/minijail/landlock_util.c

Source
/* Copyright 2022 The ChromiumOS Authors
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */

/* Define _GNU_SOURCE because we need O_PATH to resolve correctly. */
#define _GNU_SOURCE

#include "landlock_util.h"

#include <fcntl.h>
#include <sys/stat.h>

#include "util.h"

int landlock_create_ruleset(
    const struct minijail_landlock_ruleset_attr *const attr, const size_t size,
    const __u32 flags)
{
  return syscall(__NR_landlock_create_ruleset, attr, size, flags);
}

int landlock_add_rule(const int ruleset_fd,
          const enum minijail_landlock_rule_type rule_type,
          const void *const rule_attr, const __u32 flags)
{
  return syscall(__NR_landlock_add_rule, ruleset_fd, rule_type, rule_attr,
           flags);
}

int landlock_restrict_self(const int ruleset_fd, const __u32 flags)
{
  return syscall(__NR_landlock_restrict_self, ruleset_fd, flags);
}

bool populate_ruleset_internal(const char *const path, const int ruleset_fd,
             const uint64_t allowed_access)
{
  struct minijail_landlock_path_beneath_attr path_beneath = {
      .parent_fd = -1,
  };
  struct stat statbuf;
  attribute_cleanup_fd int parent_fd = open(path, O_PATH | O_CLOEXEC);
  path_beneath.parent_fd = parent_fd;
  if (path_beneath.parent_fd < 0) {
    pwarn("Failed to open \"%s\"", path);
    return false;
  }
  if (fstat(path_beneath.parent_fd, &statbuf)) {
    return false;
  }
  path_beneath.allowed_access = allowed_access;
  if (!S_ISDIR(statbuf.st_mode)) {
    path_beneath.allowed_access &= ACCESS_FILE;
  }
  if (landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
            &path_beneath, 0)) {
    pwarn("Failed to update ruleset \"%s\"", path);
    return false;
  }
  return true;
}

Line	Count	Source
1		/* Copyright 2022 The ChromiumOS Authors
2		* Use of this source code is governed by a BSD-style license that can be
3		* found in the LICENSE file.
4		*/
5
6		/* Define _GNU_SOURCE because we need O_PATH to resolve correctly. */
7		#define _GNU_SOURCE
8
9		#include "landlock_util.h"
10
11		#include <fcntl.h>
12		#include <sys/stat.h>
13
14		#include "util.h"
15
16		int landlock_create_ruleset(
17		const struct minijail_landlock_ruleset_attr *const attr, const size_t size,
18		const __u32 flags)
19	0	{
20	0	return syscall(__NR_landlock_create_ruleset, attr, size, flags);
21	0	}
22
23		int landlock_add_rule(const int ruleset_fd,
24		const enum minijail_landlock_rule_type rule_type,
25		const void *const rule_attr, const __u32 flags)
26	0	{
27	0	return syscall(__NR_landlock_add_rule, ruleset_fd, rule_type, rule_attr,
28	0	flags);
29	0	}
30
31		int landlock_restrict_self(const int ruleset_fd, const __u32 flags)
32	0	{
33	0	return syscall(__NR_landlock_restrict_self, ruleset_fd, flags);
34	0	}
35
36		bool populate_ruleset_internal(const char *const path, const int ruleset_fd,
37		const uint64_t allowed_access)
38	0	{
39	0	struct minijail_landlock_path_beneath_attr path_beneath = {
40	0	.parent_fd = -1,
41	0	};
42	0	struct stat statbuf;
43	0	attribute_cleanup_fd int parent_fd = open(path, O_PATH \| O_CLOEXEC);
44	0	path_beneath.parent_fd = parent_fd;
45	0	if (path_beneath.parent_fd < 0) {
46	0	pwarn("Failed to open \"%s\"", path);
47	0	return false;
48	0	}
49	0	if (fstat(path_beneath.parent_fd, &statbuf)) {
50	0	return false;
51	0	}
52	0	path_beneath.allowed_access = allowed_access;
53	0	if (!S_ISDIR(statbuf.st_mode)) {
54	0	path_beneath.allowed_access &= ACCESS_FILE;
55	0	}
56	0	if (landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
57	0	&path_beneath, 0)) {
58	0	pwarn("Failed to update ruleset \"%s\"", path);
59	0	return false;
60	0	}
61	0	return true;
62	0	}

Coverage Report

Created: 2026-05-16 06:08