sys/linux: add Landlock syscall flags

l0kod · a-nogikh · commit c6512ef73a66 · 2025-03-21T17:21:41.000Z
Add the new LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF,
LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON, and
LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_ON flags for landlock_restrict_self(2)
from Linux 6.15 (audit support for Landlock).

Also add the LANDLOCK_CREATE_RULESET_VERSION and
LANDLOCK_CREATE_RULESET_ERRATA flags for landlock_create_ruleset(2).

Signed-off-by: Mickaël Salaün &lt;mic@linux.microsoft.com&gt;
diff --git a/sys/linux/landlock.txt b/sys/linux/landlock.txt
@@ -5,13 +5,13 @@ include <uapi/linux/landlock.h>
 
 resource fd_ruleset[fd]
 
-landlock_create_ruleset(attr ptr[in, landlock_ruleset_attr], size bytesize[attr], flags const[0]) fd_ruleset
+landlock_create_ruleset(attr ptr[in, landlock_ruleset_attr], size bytesize[attr], flags flags[landlock_create_ruleset_flags]) fd_ruleset
 
 landlock_add_rule$LANDLOCK_RULE_PATH_BENEATH(ruleset_fd fd_ruleset, rule_type const[LANDLOCK_RULE_PATH_BENEATH], rule_attr ptr[in, landlock_path_beneath_attr], flags const[0])
 
 landlock_add_rule$LANDLOCK_RULE_NET_PORT(ruleset_fd fd_ruleset, rule_type const[LANDLOCK_RULE_NET_PORT], rule_attr ptr[in, landlock_net_port_attr], flags const[0])
 
-landlock_restrict_self(ruleset_fd fd_ruleset, flags const[0])
+landlock_restrict_self(ruleset_fd fd_ruleset, flags flags[landlock_restrict_self_flags])
 
 landlock_ruleset_attr {
 	handled_access_fs	flags[landlock_access_fs_flags, int64]
@@ -32,6 +32,10 @@ landlock_net_port_attr {
 # TODO(glider): remove this line once LANDLOCK_ACCESS_FS_IOCTL_DEV hits upstream.
 define LANDLOCK_ACCESS_FS_IOCTL_DEV	(1ULL << 15)
 
+landlock_create_ruleset_flags = LANDLOCK_CREATE_RULESET_VERSION, LANDLOCK_CREATE_RULESET_ERRATA
+
+landlock_restrict_self_flags = LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF, LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON, LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF
+
 landlock_access_fs_flags = LANDLOCK_ACCESS_FS_EXECUTE, LANDLOCK_ACCESS_FS_WRITE_FILE, LANDLOCK_ACCESS_FS_READ_FILE, LANDLOCK_ACCESS_FS_READ_DIR, LANDLOCK_ACCESS_FS_REMOVE_DIR, LANDLOCK_ACCESS_FS_REMOVE_FILE, LANDLOCK_ACCESS_FS_MAKE_CHAR, LANDLOCK_ACCESS_FS_MAKE_DIR, LANDLOCK_ACCESS_FS_MAKE_REG, LANDLOCK_ACCESS_FS_MAKE_SOCK, LANDLOCK_ACCESS_FS_MAKE_FIFO, LANDLOCK_ACCESS_FS_MAKE_BLOCK, LANDLOCK_ACCESS_FS_MAKE_SYM, LANDLOCK_ACCESS_FS_REFER, LANDLOCK_ACCESS_FS_TRUNCATE, LANDLOCK_ACCESS_FS_IOCTL_DEV
 
 landlock_access_net_flags = LANDLOCK_ACCESS_NET_BIND_TCP, LANDLOCK_ACCESS_NET_CONNECT_TCP
diff --git a/sys/linux/landlock.txt.const b/sys/linux/landlock.txt.const
@@ -18,6 +18,11 @@ LANDLOCK_ACCESS_FS_TRUNCATE = 16384
 LANDLOCK_ACCESS_FS_WRITE_FILE = 2
 LANDLOCK_ACCESS_NET_BIND_TCP = 1
 LANDLOCK_ACCESS_NET_CONNECT_TCP = 2
+LANDLOCK_CREATE_RULESET_ERRATA = 2
+LANDLOCK_CREATE_RULESET_VERSION = 1
+LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON = 2
+LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF = 1
+LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF = 4
 LANDLOCK_RULE_NET_PORT = 2
 LANDLOCK_RULE_PATH_BENEATH = 1
 LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET = 1
