src: Handle Landlock ABI v5

Add the AccessFs::IoctlDev right. Signed-off-by: Mickaël Salaün <[email protected]>
landlock-lsm · Sep 9, 2024 · 4946424 · 4946424
1 parent 0b5d60f
commit 4946424
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 7 deletions.
diff --git a/examples/sandboxer.rs b/examples/sandboxer.rs
@@ -111,7 +111,7 @@ fn main() -> anyhow::Result<()> {
         anyhow!("Missing command")
     })?;
 
-    let abi = ABI::V4;
+    let abi = ABI::V5;
     let mut ruleset = Ruleset::default().handle_access(AccessFs::from_all(abi))?;
     let ruleset_ref = &mut ruleset;
 

diff --git a/src/compat.rs b/src/compat.rs
@@ -61,6 +61,9 @@ pub enum ABI {
     /// Fourth Landlock ABI, introduced with
     /// [Linux 6.7](https://git.kernel.org/stable/c/136cc1e1f5be75f57f1e0404b94ee1c8792cb07d).
     V4 = 4,
+    /// Fifth Landlock ABI, introduced with
+    /// [Linux 6.10](https://git.kernel.org/stable/c/2fc0e7892c10734c1b7c613ef04836d57d4676d5).
+    V5 = 5,
 }
 
 impl ABI {
@@ -87,8 +90,9 @@ impl ABI {
             1 => ABI::V1,
             2 => ABI::V2,
             3 => ABI::V3,
+            4 => ABI::V4,
             // Returns the greatest known ABI.
-            _ => ABI::V4,
+            _ => ABI::V5,
         }
     }
 
@@ -385,7 +389,7 @@ pub trait Compatible: Sized + private::OptionCompatLevelMut {
     ///         // However, this ruleset may also handle other (future) access rights
     ///         // if they are supported by the running kernel.
     ///         .set_compatibility(CompatLevel::BestEffort)
-    ///         .handle_access(AccessFs::from_all(ABI::V4))?
+    ///         .handle_access(AccessFs::from_all(ABI::V5))?
     ///         .create()?)
     /// }
     /// ```
@@ -414,7 +418,7 @@ pub trait Compatible: Sized + private::OptionCompatLevelMut {
     ///         // if they are supported by the running kernel,
     ///         // but without returning any error otherwise.
     ///         .set_compatibility(CompatLevel::BestEffort)
-    ///         .handle_access(AccessFs::from_all(ABI::V2))?
+    ///         .handle_access(AccessFs::from_all(ABI::V5))?
     ///         .create()?)
     /// }
     /// ```

diff --git a/src/fs.rs b/src/fs.rs
@@ -84,6 +84,8 @@ pub enum AccessFs {
     Refer = uapi::LANDLOCK_ACCESS_FS_REFER as u64,
     /// Truncate a file with `truncate(2)`, `ftruncate(2)`, `creat(2)`, or `open(2)` with `O_TRUNC`.
     Truncate = uapi::LANDLOCK_ACCESS_FS_TRUNCATE as u64,
+    /// Send IOCL commands to a device file.
+    IoctlDev = uapi::LANDLOCK_ACCESS_FS_IOCTL_DEV as u64,
 }
 
 impl Access for AccessFs {
@@ -104,7 +106,7 @@ impl AccessFs {
     pub fn from_read(abi: ABI) -> BitFlags<Self> {
         match abi {
             ABI::Unsupported => BitFlags::EMPTY,
-            ABI::V1 | ABI::V2 | ABI::V3 | ABI::V4 => make_bitflags!(AccessFs::{
+            ABI::V1 | ABI::V2 | ABI::V3 | ABI::V4 | ABI::V5 => make_bitflags!(AccessFs::{
                 Execute
                 | ReadFile
                 | ReadDir
@@ -132,6 +134,7 @@ impl AccessFs {
             }),
             ABI::V2 => Self::from_write(ABI::V1) | AccessFs::Refer,
             ABI::V3 | ABI::V4 => Self::from_write(ABI::V2) | AccessFs::Truncate,
+            ABI::V5 => Self::from_write(ABI::V4) | AccessFs::IoctlDev,
         }
     }
 
@@ -185,7 +188,7 @@ impl PrivateAccess for AccessFs {
 // TODO: Make ACCESS_FILE a property of AccessFs.
 // TODO: Add tests for ACCESS_FILE.
 const ACCESS_FILE: BitFlags<AccessFs> = make_bitflags!(AccessFs::{
-    ReadFile | WriteFile | Execute | Truncate
+    ReadFile | WriteFile | Execute | Truncate | IoctlDev
 });
 
 // XXX: What should we do when a stat call failed?

diff --git a/src/lib.rs b/src/lib.rs
@@ -385,4 +385,21 @@ mod tests {
             false,
         );
     }
+
+    #[test]
+    fn abi_v5_ioctl_dev() {
+        check_ruleset_support(
+            ABI::V4,
+            Some(ABI::V5),
+            move |ruleset: Ruleset| -> _ {
+                Ok(ruleset
+                    .handle_access(AccessNet::BindTcp)?
+                    .handle_access(AccessFs::IoctlDev)?
+                    .create()?
+                    .add_rule(PathBeneath::new(PathFd::new("/")?, AccessFs::IoctlDev))?
+                    .restrict_self()?)
+            },
+            false,
+        );
+    }
 }
diff --git a/src/net.rs b/src/net.rs
@@ -55,7 +55,7 @@ impl Access for AccessNet {
     fn from_all(abi: ABI) -> BitFlags<Self> {
         match abi {
             ABI::Unsupported | ABI::V1 | ABI::V2 | ABI::V3 => BitFlags::EMPTY,
-            ABI::V4 => AccessNet::BindTcp | AccessNet::ConnectTcp,
+            ABI::V4 | ABI::V5 => AccessNet::BindTcp | AccessNet::ConnectTcp,
         }
     }
 }

diff --git a/src/uapi/mod.rs b/src/uapi/mod.rs
@@ -27,6 +27,7 @@ pub use self::landlock::{
     LANDLOCK_ACCESS_FS_MAKE_SYM,
     LANDLOCK_ACCESS_FS_REFER,
     LANDLOCK_ACCESS_FS_TRUNCATE,
+    LANDLOCK_ACCESS_FS_IOCTL_DEV,
     LANDLOCK_ACCESS_NET_BIND_TCP,
     LANDLOCK_ACCESS_NET_CONNECT_TCP,
     LANDLOCK_CREATE_RULESET_VERSION,