Documentation ¶
Overview ¶
Package syscall provides a low-level interface to the Linux Landlock sandboxing feature.
The package contains constants and syscall wrappers. The syscall wrappers whose names start with AllThreads will execute the syscall on all OS threads belonging to the current process, as long as these threads have been started implicitly by the Go runtime or using `pthread_create`.
This package package is a stopgap solution while there is no Landlock support in x/sys/unix. The syscall package is considered highly unstable and may change or disappear without warning.
The full documentation can be found at https://www.kernel.org/doc/html/latest/userspace-api/landlock.html.
Index ¶
- Constants
- func AllThreadsLandlockRestrictSelf(rulesetFd int, flags int) (err error)
- func AllThreadsPrctl(option int, arg2, arg3, arg4, arg5 uintptr) (err error)
- func LandlockAddNetPortRule(rulesetFD int, attr *NetPortAttr, flags int) error
- func LandlockAddPathBeneathRule(rulesetFd int, attr *PathBeneathAttr, flags int) error
- func LandlockAddRule(rulesetFd int, ruleType int, ruleAttr unsafe.Pointer, flags int) (err error)
- func LandlockCreateRuleset(attr *RulesetAttr, flags int) (fd int, err error)
- func LandlockGetABIVersion() (version int, err error)
- type NetPortAttr
- type PathBeneathAttr
- type RulesetAttr
Constants ¶
const ( AccessFSExecute = 1 << iota AccessFSWriteFile AccessFSReadFile AccessFSReadDir AccessFSRemoveDir AccessFSRemoveFile AccessFSMakeChar AccessFSMakeDir AccessFSMakeReg AccessFSMakeSock AccessFSMakeFifo AccessFSMakeBlock AccessFSMakeSym AccessFSRefer AccessFSTruncate AccessFSIoctlDev )
Landlock file system access rights.
Please see the full documentation at https://www.kernel.org/doc/html/latest/userspace-api/landlock.html#filesystem-flags.
const ( AccessNetBindTCP = 1 << iota AccessNetConnectTCP )
Landlock network access rights.
Please see the full documentation at https://www.kernel.org/doc/html/latest/userspace-api/landlock.html#network-flags.
const ( RuleTypePathBeneath = unix.LANDLOCK_RULE_PATH_BENEATH RuleTypeNetPort = 2 // TODO: Use it from sys/unix when available. )
Landlock rule types.
Variables ¶
This section is empty.
Functions ¶
func AllThreadsLandlockRestrictSelf ¶
AllThreadsLandlockRestrictSelf enforces the given ruleset on all OS threads belonging to the current process.
func AllThreadsPrctl ¶
AllThreadsPrctl is like unix.Prctl, but gets applied on all OS threads at the same time.
func LandlockAddNetPortRule ¶
func LandlockAddNetPortRule(rulesetFD int, attr *NetPortAttr, flags int) error
LandlockAddNetPortRule adds a rule of type "net port" to the given ruleset FD. attr defines the rule parameters. flags must currently be 0.
func LandlockAddPathBeneathRule ¶
func LandlockAddPathBeneathRule(rulesetFd int, attr *PathBeneathAttr, flags int) error
LandlockAddPathBeneathRule adds a rule of type "path beneath" to the given ruleset fd. attr defines the rule parameters. flags must currently be 0.
func LandlockAddRule ¶
LandlockAddRule is the generic landlock_add_rule syscall.
func LandlockCreateRuleset ¶
func LandlockCreateRuleset(attr *RulesetAttr, flags int) (fd int, err error)
LandlockCreateRuleset creates a ruleset file descriptor with the given attributes.
func LandlockGetABIVersion ¶
LandlockGetABIVersion returns the supported Landlock ABI version (starting at 1).
Types ¶
type NetPortAttr ¶
NetPortAttr specifies which ports can be used for what.
type PathBeneathAttr ¶
type PathBeneathAttr struct { // AllowedAccess is a bitmask of allowed actions for this file // hierarchy (cf. "Filesystem flags"). The enabled bits must // be a subset of the bits defined in the ruleset. AllowedAccess uint64 // ParentFd is a file descriptor, opened with `O_PATH`, which identifies // the parent directory of a file hierarchy, or just a file. ParentFd int }
PathBeneathAttr references a file hierarchy and defines the desired extent to which it should be usable when the rule is enforced.
type RulesetAttr ¶
RulesetAttr is the Landlock ruleset definition.
Argument of LandlockCreateRuleset(). This structure can grow in future versions of Landlock.
C version is in usr/include/linux/landlock.h