landlock 0.4.5

Landlock LSM helpers
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209

// SPDX-License-Identifier: Apache-2.0 OR MIT

//! Syscall flag types for `landlock_restrict_self()` and future syscall flags.
//!
//! This module provides a compatibility mechanism for individual syscall flags,
//! parallel to but simpler than the [`Access`](crate::Access) /
//! [`TryCompat`](crate::TryCompat) machinery.
//!
//! Key differences from the [`Access`](crate::Access) pattern:
//!
//! - Access types ([`AccessFs`](crate::AccessFs), [`AccessNet`](crate::AccessNet),
//!   [`Scope`](crate::Scope)) operate on **sets** of rights passed as
//!   [`BitFlags<T>`](enumflags2::BitFlags), where the compat result can be Full,
//!   Partial, or No depending on which bits are supported.  They use the
//!   [`TryCompat`](crate::TryCompat) trait and the full
//!   [`AccessError`](crate::AccessError) hierarchy.
//!
//! - Syscall flags are set **individually** through boolean setter methods
//!   (e.g., [`log_same_exec()`](crate::RulesetCreatedAttr::log_same_exec)), so
//!   the compat result is binary: supported or not.  There is no Partial case,
//!   no set-level validation, and no need for an
//!   [`AccessError`](crate::AccessError)-like hierarchy.  The
//!   [`try_compat()`](SyscallFlagExt::try_compat) default method on
//!   [`SyscallFlagExt`] handles the compat dispatch directly, using
//!   [`Compatibility::try_compat_binary()`](crate::compat::Compatibility::try_compat_binary)
//!   factored out from the No branch of
//!   [`TryCompat::try_compat()`](crate::TryCompat::try_compat).
//!
//! - Access types implement the [`Access`](crate::Access) trait (which requires
//!   [`BitFlag`](enumflags2::BitFlag)) and are used with
//!   [`BitFlags<T>`](enumflags2::BitFlags) throughout the builder.  Syscall
//!   flags are plain enums (no `#[bitflags]`); the raw UAPI bitmask is built
//!   internally by OR-ing the constants returned by
//!   [`raw_bit()`](SyscallFlagExt::raw_bit) into a `u32`.

use crate::compat::{Compatibility, ABI};
use crate::errors::SyscallFlagError;
use crate::private;
use crate::uapi;

/// Marker trait for syscall flag types used in compatibility checks.
///
/// This is the syscall-flag equivalent of the [`Access`](crate::Access) trait,
/// but without the [`BitFlag`](enumflags2::BitFlag) requirement since syscall
/// flags are set individually rather than as sets.
///
/// This trait is sealed and cannot be implemented outside of this crate.
pub trait SyscallFlag: Copy + core::fmt::Debug + private::Sealed {}

/// Internal extension providing compatibility logic for syscall flags.
///
/// This is the syscall-flag equivalent of [`TryCompat`](crate::TryCompat),
/// simplified for single-flag boolean setters where the compat result is
/// binary (supported or not) rather than Full/Partial/No.
///
/// Implementors provide [`default_value()`](Self::default_value),
/// [`raw_bit()`](Self::raw_bit), and [`since()`](Self::since); the
/// [`try_compat()`](Self::try_compat) default method handles the compat
/// state update and level dispatch.
pub(crate) trait SyscallFlagExt: SyscallFlag {
    /// Returns the kernel's default state for this flag.
    fn default_value(self) -> bool;

    /// Returns the raw UAPI constant for this flag.
    fn raw_bit(self) -> u32;

    /// Returns the minimum ABI version that supports this flag.
    fn since(self) -> ABI;

    /// Checks compatibility and returns whether the non-default bit should
    /// be applied.
    ///
    /// Returns `Ok(true)` if [`raw_bit()`](Self::raw_bit) should be set in
    /// the actual flags.  Returns `Ok(false)` if the flag should be cleared
    /// to its default state, either because `set == default_value()` or
    /// because the kernel does not support the flag and the compat level
    /// permits dropping it.  Returns `Err` if the flag is unsupported with
    /// [`CompatLevel::HardRequirement`](crate::CompatLevel::HardRequirement).
    ///
    /// Setting to the default value never requires a compat check.
    ///
    /// This mirrors the compat dispatch in
    /// [`TryCompat::try_compat()`](crate::TryCompat::try_compat) but without
    /// the Partial case (a single flag is either fully supported or not).
    fn try_compat(
        self,
        set: bool,
        compat: &mut Compatibility,
    ) -> Result<bool, SyscallFlagError<Self>> {
        if set == self.default_value() {
            // Setting to the default value is always safe; no compat check
            // needed and the caller should clear the bit.
            return Ok(false);
        }
        compat.try_compat_binary(compat.abi() >= self.since(), || {
            SyscallFlagError::NotSupported { flag: self, set }
        })
    }
}

/// Identifies a configuration flag for the `landlock_restrict_self()` syscall.
///
/// Unlike access rights ([`AccessFs`](crate::AccessFs), [`AccessNet`](crate::AccessNet))
/// and scopes ([`Scope`](crate::Scope)), these flags are not passed to
/// `landlock_create_ruleset()` but to `landlock_restrict_self()`.  They control
/// audit logging behavior rather than access restrictions.
///
/// Each flag is set through a dedicated boolean method on
/// [`RulesetCreatedAttr`](crate::RulesetCreatedAttr) or
/// [`RestrictSelfAttr`](crate::RestrictSelfAttr).  The polarity mapping
/// (e.g., `log_same_exec(false)` maps to `LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF`)
/// is handled internally.
#[derive(Copy, Clone, Debug, PartialEq, Eq)]
#[non_exhaustive]
// All variants intentionally share the "Log" prefix to match the kernel's
// LANDLOCK_RESTRICT_SELF_LOG_* naming convention.  Future non-logging flags
// (e.g., TSYNC) will break the shared prefix, removing the need for this allow.
#[allow(clippy::enum_variant_names)]
pub enum RestrictSelfFlag {
    /// Same-exec logging (see [`RulesetCreatedAttr::log_same_exec()`](crate::RulesetCreatedAttr::log_same_exec)).
    LogSameExec,
    /// New-exec logging (see [`RulesetCreatedAttr::log_new_exec()`](crate::RulesetCreatedAttr::log_new_exec)).
    LogNewExec,
    /// Subdomain logging (see [`RestrictSelfAttr::log_subdomains()`](crate::RestrictSelfAttr::log_subdomains)).
    LogSubdomains,
}

impl SyscallFlag for RestrictSelfFlag {}

impl RestrictSelfFlag {
    /// Returns the effective state of this flag given a raw bitmask of
    /// applied flags.
    pub(crate) fn is_set(self, raw_flags: u32) -> bool {
        // Each flag's raw_bit() returns either an OFF or ON UAPI constant
        // depending on the kernel's default for that flag.  When the bit
        // is set in raw_flags, the kernel applies the opposite of the
        // default; when unset, the default applies.
        if raw_flags & self.raw_bit() != 0 {
            !self.default_value()
        } else {
            self.default_value()
        }
    }
}

impl SyscallFlagExt for RestrictSelfFlag {
    fn default_value(self) -> bool {
        match self {
            // Same-exec logging is enabled by default.
            Self::LogSameExec => true,
            // New-exec logging is disabled by default.
            Self::LogNewExec => false,
            // Subdomain logging is enabled by default.
            Self::LogSubdomains => true,
        }
    }

    fn raw_bit(self) -> u32 {
        match self {
            Self::LogSameExec => uapi::LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF,
            Self::LogNewExec => uapi::LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON,
            Self::LogSubdomains => uapi::LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF,
        }
    }

    fn since(self) -> ABI {
        match self {
            Self::LogSameExec => ABI::V7,
            Self::LogNewExec => ABI::V7,
            Self::LogSubdomains => ABI::V7,
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::uapi;

    #[test]
    fn restrict_self_flag_raw_bit() {
        assert_eq!(
            RestrictSelfFlag::LogSameExec.raw_bit(),
            uapi::LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF,
        );
        assert_eq!(
            RestrictSelfFlag::LogNewExec.raw_bit(),
            uapi::LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON,
        );
        assert_eq!(
            RestrictSelfFlag::LogSubdomains.raw_bit(),
            uapi::LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF,
        );
    }

    #[test]
    fn restrict_self_flag_default_value() {
        assert!(RestrictSelfFlag::LogSameExec.default_value());
        assert!(!RestrictSelfFlag::LogNewExec.default_value());
        assert!(RestrictSelfFlag::LogSubdomains.default_value());
    }

    #[test]
    fn restrict_self_flag_since() {
        assert_eq!(RestrictSelfFlag::LogSameExec.since(), ABI::V7);
        assert_eq!(RestrictSelfFlag::LogNewExec.since(), ABI::V7);
        assert_eq!(RestrictSelfFlag::LogSubdomains.since(), ABI::V7);
    }
}