Documentation
Overview
Package syscall provides a low-level interface to the Linux Landlock sandboxing feature.
The syscall package is a stopgap solution while there is no Landlock support in x/sys/unix. The syscall package is considered highly unstable and may change or disappear without warning.
The full documentation can be found at https://www.kernel.org/doc/html/latest/userspace-api/landlock.html.
Index
- Constants
- func AllThreadsLandlockRestrictSelf(rulesetFd int, flags int) (err error)
- func AllThreadsPrctl(option int, arg2 uintptr, arg3 uintptr, arg4 uintptr, arg5 uintptr) (err error)
- func LandlockAddPathBeneathRule(rulesetFd int, attr *PathBeneathAttr, flags int) error
- func LandlockAddRule(rulesetFd int, ruleType int, ruleAttr unsafe.Pointer, flags int) (err error)
- func LandlockCreateRuleset(attr *RulesetAttr, flags int) (fd int, err error)
- func LandlockGetABIVersion() (version int, err error)
- type PathBeneathAttr
- type RulesetAttr
Constants
const (
	SYS_LANDLOCK_CREATE_RULESET = 444
	SYS_LANDLOCK_ADD_RULE       = 445
	SYS_LANDLOCK_RESTRICT_SELF  = 446
)
Syscall numbers for Landlock syscalls.
Note: These syscall numbers will probably soon show up in the x/sys/unix package. Please do not depend on these variables to exist.
const (
	AccessFSExecute    = (1 << 0)
	AccessFSWriteFile  = (1 << 1)
	AccessFSReadFile   = (1 << 2)
	AccessFSReadDir    = (1 << 3)
	AccessFSRemoveDir  = (1 << 4)
	AccessFSRemoveFile = (1 << 5)
	AccessFSMakeChar   = (1 << 6)
	AccessFSMakeDir    = (1 << 7)
	AccessFSMakeReg    = (1 << 8)
	AccessFSMakeSock   = (1 << 9)
	AccessFSMakeFifo   = (1 << 10)
	AccessFSMakeBlock  = (1 << 11)
	AccessFSMakeSym    = (1 << 12)
)
Landlock access rights, for use in "access" bit fields.
Please see the full documentation at https://www.kernel.org/doc/html/latest/userspace-api/landlock.html#access-rights.
const RuleTypePathBeneath = 1
There is currently only one Landlock rule type.
Variables
This section is empty.
Functions
func AllThreadsLandlockRestrictSelf
AllThreadsLandlockRestrictSelf enforces the given ruleset on all OS threads managed by the Go runtime.
func AllThreadsPrctl
func AllThreadsPrctl(option int, arg2 uintptr, arg3 uintptr, arg4 uintptr, arg5 uintptr) (err error)
AllThreadsPrctl is like unix.Prctl, but gets applied on all OS threads at the same time.
func LandlockAddPathBeneathRule
func LandlockAddPathBeneathRule(rulesetFd int, attr *PathBeneathAttr, flags int) error
LandlockAddPathBeneathRule adds a rule of type "path beneath" to the given ruleset fd. attr defines the rule parameters. flags must currently be 0.
func LandlockAddRule
LandlockAddRule is the generic landlock_add_rule syscall.
func LandlockCreateRuleset
func LandlockCreateRuleset(attr *RulesetAttr, flags int) (fd int, err error)
LandlockCreateRuleset creates a ruleset file descriptor with the given attributes.
func LandlockGetABIVersion
LandlockGetABIVersion returns the supported Landlock ABI version (starting at 1).
Types
type PathBeneathAttr
type PathBeneathAttr struct {
	// AllowedAccess is a bitmask of allowed actions for this file
	// hierarchy (cf. "Filesystem flags"). The enabled bits must
	// be a subset of the bits defined in the ruleset.
	AllowedAccess uint64

	// ParentFd is a file descriptor, open with `O_PATH`, which identifies
	// the parent directory of a file hierarchy, or just a file.
	ParentFd int
}
PathBeneathAttr references a file hierarchy and defines the desired extent to which it should be usable when the rule is enforced.
type RulesetAttr
type RulesetAttr struct {
	HandledAccessFS uint64
}
RulesetAttr is the Landlock ruleset definition.
Argument of LandlockCreateRuleset(). This structure can grow in future versions of Landlock.
C version is in usr/include/linux/landlock.h
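The subset requirement stated in the PathBeneathAttr comment can be checked before a rule is passed to LandlockAddPathBeneathRule. The following is an added example and not part of this package: Describe and CheckRule are hypothetical helpers, the constants mirror the list on this page, and the errno values and the restriction to the execute, write-file and read-file rights when ParentFd refers to a file are taken from the kernel documentation linked above.

```go
package main

import "fmt"

// Access rights with the same values as this page's Constants section.
const (
	AccessFSExecute = 1 << iota
	AccessFSWriteFile
	AccessFSReadFile
	AccessFSReadDir
	AccessFSRemoveDir
	AccessFSRemoveFile
	AccessFSMakeChar
	AccessFSMakeDir
	AccessFSMakeReg
	AccessFSMakeSock
	AccessFSMakeFifo
	AccessFSMakeBlock
	AccessFSMakeSym
)

// names[i] labels bit i. fileRights: the rights accepted when ParentFd is a file.
var names = []string{"Execute", "WriteFile", "ReadFile", "ReadDir", "RemoveDir", "RemoveFile",
	"MakeChar", "MakeDir", "MakeReg", "MakeSock", "MakeFifo", "MakeBlock", "MakeSym"}
const fileRights uint64 = AccessFSExecute | AccessFSWriteFile | AccessFSReadFile

// Describe lists the rights set in mask (hypothetical helper).
func Describe(mask uint64) (out []string) {
	for i, n := range names {
		if mask&(1<<i) != 0 {
			out = append(out, n)
		}
	}
	return out
}

// CheckRule (hypothetical) predicts whether landlock_add_rule would reject the rule.
func CheckRule(handled, allowed uint64, isDir bool) error {
	switch {
	case allowed == 0:
		return fmt.Errorf("no rights granted (kernel returns ENOMSG)")
	case allowed&^handled != 0:
		return fmt.Errorf("not handled by the ruleset (EINVAL): %v", Describe(allowed&^handled))
	case !isDir && allowed&^fileRights != 0:
		return fmt.Errorf("directory-only rights on a file (EINVAL): %v", Describe(allowed&^fileRights))
	}
	return nil
}

func main() { fmt.Println(CheckRule(AccessFSReadFile|AccessFSReadDir, AccessFSReadFile|AccessFSMakeSym, true)) }
```

Here handled stands for RulesetAttr.HandledAccessFS and allowed for PathBeneathAttr.AllowedAccess; isDir is the caller's knowledge of what ParentFd refers to.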