syscall

package

v0.0.0-...-efb6622 Latest Latest Go to latest Published: Feb 16, 2024 License: MIT Imports: 4 Imported by: 4

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/landlock-lsm/go-landlock

Links

Open Source Insights

Documentation ¶

Rendered for

Overview ¶

Package syscall provides a low-level interface to the Linux Landlock sandboxing feature.

The package contains constants and syscall wrappers. The syscall wrappers whose names start with AllThreads will execute the syscall on all OS threads belonging to the current process, as long as these threads have been started implicitly by the Go runtime or using `pthread_create`.

This package package is a stopgap solution while there is no Landlock support in x/sys/unix. The syscall package is considered highly unstable and may change or disappear without warning.

The full documentation can be found at https://www.kernel.org/doc/html/latest/userspace-api/landlock.html.

Index ¶

Constants
func AllThreadsLandlockRestrictSelf(rulesetFd int, flags int) (err error)
func AllThreadsPrctl(option int, arg2, arg3, arg4, arg5 uintptr) (err error)
func LandlockAddNetServiceRule(rulesetFD int, attr *NetServiceAttr, flags int) error
func LandlockAddPathBeneathRule(rulesetFd int, attr *PathBeneathAttr, flags int) error
func LandlockAddRule(rulesetFd int, ruleType int, ruleAttr unsafe.Pointer, flags int) (err error)
func LandlockCreateRuleset(attr *RulesetAttr, flags int) (fd int, err error)
func LandlockGetABIVersion() (version int, err error)
type NetServiceAttr
type PathBeneathAttr
type RulesetAttr

Constants ¶

View Source

const (
	AccessFSExecute = 1 << iota
	AccessFSWriteFile
	AccessFSReadFile
	AccessFSReadDir
	AccessFSRemoveDir
	AccessFSRemoveFile
	AccessFSMakeChar
	AccessFSMakeDir
	AccessFSMakeReg
	AccessFSMakeSock
	AccessFSMakeFifo
	AccessFSMakeBlock
	AccessFSMakeSym
	AccessFSRefer
	AccessFSTruncate
)

Landlock file system access rights.

Please see the full documentation at https://www.kernel.org/doc/html/latest/userspace-api/landlock.html#filesystem-flags.

View Source

const (
	// TODO: Use these from sys/unix when available.
	AccessNetBindTCP    = 1 << 0
	AccessNetConnectTCP = 1 << 1
)

Landlock network access rights.

Please see the full documentation at https://www.kernel.org/doc/html/latest/userspace-api/landlock.html#network-flags.

View Source

const (
	RuleTypePathBeneath = unix.LANDLOCK_RULE_PATH_BENEATH
	RuleTypeNetService  = 2 // TODO: Use it from sys/unix when available.
)

Landlock rule types.

Variables ¶

This section is empty.

Functions ¶

func AllThreadsLandlockRestrictSelf ¶

func AllThreadsLandlockRestrictSelf(rulesetFd int, flags int) (err error)

AllThreadsLandlockRestrictSelf enforces the given ruleset on all OS threads belonging to the current process.

func AllThreadsPrctl ¶

func AllThreadsPrctl(option int, arg2, arg3, arg4, arg5 uintptr) (err error)

AllThreadsPrctl is like unix.Prctl, but gets applied on all OS threads at the same time.

func LandlockAddNetServiceRule ¶

func LandlockAddNetServiceRule(rulesetFD int, attr *NetServiceAttr, flags int) error

LandlockAddNetServiceRule adds a rule of type "net service" to the given ruleset FD. attr defines the rule parameters. flags must currently be 0.

func LandlockAddPathBeneathRule ¶

func LandlockAddPathBeneathRule(rulesetFd int, attr *PathBeneathAttr, flags int) error

LandlockAddPathBeneathRule adds a rule of type "path beneath" to the given ruleset fd. attr defines the rule parameters. flags must currently be 0.

func LandlockAddRule ¶

func LandlockAddRule(rulesetFd int, ruleType int, ruleAttr unsafe.Pointer, flags int) (err error)

LandlockAddRule is the generic landlock_add_rule syscall.

func LandlockCreateRuleset ¶

func LandlockCreateRuleset(attr *RulesetAttr, flags int) (fd int, err error)

LandlockCreateRuleset creates a ruleset file descriptor with the given attributes.

func LandlockGetABIVersion ¶

func LandlockGetABIVersion() (version int, err error)

LandlockGetABIVersion returns the supported Landlock ABI version (starting at 1).

Types ¶

type NetServiceAttr ¶

type NetServiceAttr struct {
	AllowedAccess uint64
	Port          uint16
}

NetServiceAttr specifies which ports can be used for what.

type PathBeneathAttr ¶

type PathBeneathAttr struct {
	// AllowedAccess is a bitmask of allowed actions for this file
	// hierarchy (cf. "Filesystem flags"). The enabled bits must
	// be a subset of the bits defined in the ruleset.
	AllowedAccess uint64

	// ParentFd is a file descriptor, opened with `O_PATH`, which identifies
	// the parent directory of a file hierarchy, or just a file.
	ParentFd int
}

PathBeneathAttr references a file hierarchy and defines the desired extent to which it should be usable when the rule is enforced.

type RulesetAttr ¶

type RulesetAttr struct {
	HandledAccessFS  uint64
	HandledAccessNet uint64
}

RulesetAttr is the Landlock ruleset definition.

Argument of LandlockCreateRuleset(). This structure can grow in future versions of Landlock.

C version is in usr/include/linux/landlock.h

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL