Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

samples/landlock: Add support for LANDLOCK_ACCESS_FS_IOCTL_DEV

Add IOCTL support to the Landlock sample tool.

The IOCTL right is grouped with the read-write rights in the sample
tool, as some IOCTL requests provide features that mutate state.

Signed-off-by: Günther Noack <gnoack@google.com>
Link: https://lore.kernel.org/r/20240419161122.2023765-9-gnoack@google.com
Signed-off-by: Mickaël Salaün <mic@digikod.net>

authored by Günther Noack and committed by Mickaël Salaün
cd13738d bce605e0

+10 -3
samples/landlock/sandboxer.c
··· 81 81 LANDLOCK_ACCESS_FS_EXECUTE | \ 82 82 LANDLOCK_ACCESS_FS_WRITE_FILE | \ 83 83 LANDLOCK_ACCESS_FS_READ_FILE | \ 84 - LANDLOCK_ACCESS_FS_TRUNCATE) 84 + LANDLOCK_ACCESS_FS_TRUNCATE | \ 85 + LANDLOCK_ACCESS_FS_IOCTL_DEV) 85 86 86 87 /* clang-format on */ 87 88 ··· 203 202 LANDLOCK_ACCESS_FS_MAKE_BLOCK | \ 204 203 LANDLOCK_ACCESS_FS_MAKE_SYM | \ 205 204 LANDLOCK_ACCESS_FS_REFER | \ 206 - LANDLOCK_ACCESS_FS_TRUNCATE) 205 + LANDLOCK_ACCESS_FS_TRUNCATE | \ 206 + LANDLOCK_ACCESS_FS_IOCTL_DEV) 207 207 208 208 /* clang-format on */ 209 209 210 - #define LANDLOCK_ABI_LAST 4 210 + #define LANDLOCK_ABI_LAST 5 211 211 212 212 int main(const int argc, char *const argv[], char *const *const envp) 213 213 { ··· 322 320 ruleset_attr.handled_access_net &= 323 321 ~(LANDLOCK_ACCESS_NET_BIND_TCP | 324 322 LANDLOCK_ACCESS_NET_CONNECT_TCP); 323 + __attribute__((fallthrough)); 324 + case 4: 325 + /* Removes LANDLOCK_ACCESS_FS_IOCTL_DEV for ABI < 5 */ 326 + ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV; 327 + 325 328 fprintf(stderr, 326 329 "Hint: You should update the running kernel " 327 330 "to leverage Landlock features "
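Review bot: the first hunk puts LANDLOCK_ACCESS_FS_IOCTL_DEV in the same group as READ_FILE, WRITE_FILE and TRUNCATE, which matches the commit message's rationale that some ioctl requests mutate state, but the macro gives no hint that this right only governs ioctl(2) on character and block device files; a one-line comment next to the new entry would stop readers of the sample from assuming it widens access to regular files.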
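Review bot: in the second hunk LANDLOCK_ABI_LAST goes from 4 to 5 and LANDLOCK_ACCESS_FS_IOCTL_DEV is used unconditionally in both access masks, so the sample now compiles only against a linux/landlock.h that already defines that flag; if the sample is meant to build with older UAPI headers, add a guarded fallback (`#ifndef LANDLOCK_ACCESS_FS_IOCTL_DEV` ... `#endif`) near the top of the file, otherwise state the header requirement in the commit message.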
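Review bot: in the third hunk the new `case 4:` is correct only because the preceding case ends in `__attribute__((fallthrough));` and the IOCTL_DEV mask-out runs before the shared `fprintf(stderr, "Hint: ...")`, so an ABI-3 kernel drops both the TCP rights and IOCTL_DEV while an ABI-4 kernel drops only IOCTL_DEV; add a short comment above the switch saying that each case removes the rights introduced by the next ABI and falls through, since that ordering dependency is easy to break when the ABI 6 case is added.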