Lines Matching defs:ruleset
37 #include "ruleset.h"
125 struct landlock_ruleset *ruleset = filp->private_data;
127 landlock_put_ruleset(ruleset);
147 * A ruleset file descriptor enables to build a ruleset by adding (i.e.
149 * reentrant design is also used in a read way to enforce the ruleset on the
170 * sys_landlock_create_ruleset - Create a new ruleset
173 * the new ruleset.
181 * This system call enables to create a new Landlock ruleset, and returns the
203 struct landlock_ruleset *ruleset;
248 ruleset = landlock_create_ruleset(ruleset_attr.handled_access_fs,
251 if (IS_ERR(ruleset))
252 return PTR_ERR(ruleset);
254 /* Creates anonymous FD referring to the ruleset. */
255 ruleset_fd = anon_inode_getfd("[landlock-ruleset]", &ruleset_fops,
256 ruleset, O_RDWR | O_CLOEXEC);
258 landlock_put_ruleset(ruleset);
263 * Returns an owned ruleset from a FD. It is thus needed to call
270 struct landlock_ruleset *ruleset;
280 ruleset = fd_file(ruleset_f)->private_data;
281 if (WARN_ON_ONCE(ruleset->num_layers != 1))
283 landlock_get_ruleset(ruleset);
284 return ruleset;
302 * Forbids ruleset FDs, internal filesystems (e.g. nsfs), including
317 static int add_rule_path_beneath(struct landlock_ruleset *const ruleset,
338 /* Checks that allowed_access matches the @ruleset constraints. */
339 mask = ruleset->access_masks[0].fs;
349 err = landlock_append_fs_rule(ruleset, &path,
355 static int add_rule_net_port(struct landlock_ruleset *ruleset,
374 /* Checks that allowed_access matches the @ruleset constraints. */
375 mask = landlock_get_net_access_mask(ruleset, 0);
384 return landlock_append_net_rule(ruleset, net_port_attr.port,
389 * sys_landlock_add_rule - Add a new rule to a ruleset
391 * @ruleset_fd: File descriptor tied to the ruleset that should be extended
399 * ruleset.
409 * &landlock_net_port_attr.allowed_access is not a subset of the ruleset
416 * - %EBADFD: @ruleset_fd is not a ruleset file descriptor, or a member of
418 * - %EPERM: @ruleset_fd has no write access to the underlying ruleset;
425 struct landlock_ruleset *ruleset __free(landlock_put_ruleset) = NULL;
434 /* Gets and checks the ruleset. */
435 ruleset = get_ruleset_from_fd(ruleset_fd, FMODE_CAN_WRITE);
436 if (IS_ERR(ruleset))
437 return PTR_ERR(ruleset);
441 return add_rule_path_beneath(ruleset, rule_attr);
443 return add_rule_net_port(ruleset, rule_attr);
452 * sys_landlock_restrict_self - Enforce a ruleset on the calling thread
454 * @ruleset_fd: File descriptor tied to the ruleset to merge with the target.
462 * This system call enforces a Landlock ruleset on the current thread.
463 * Enforcing a ruleset requires that the task has %CAP_SYS_ADMIN in its
472 * - %EBADFD: @ruleset_fd is not a ruleset file descriptor;
473 * - %EPERM: @ruleset_fd has no read access to the underlying ruleset, or the
485 struct landlock_ruleset *ruleset __free(landlock_put_ruleset) = NULL;
519 /* Gets and checks the ruleset. */
520 ruleset = get_ruleset_from_fd(ruleset_fd, FMODE_CAN_READ);
521 if (IS_ERR(ruleset))
522 return PTR_ERR(ruleset);
539 * The only case when a ruleset may not be set is if
544 if (ruleset) {
551 landlock_merge_ruleset(new_llcred->domain, ruleset);