package landlock
import (
"fmt"
"strings"
)
// accessFSNames holds the printable name of each file system access right.
// The slice index is the bit position of that right inside an AccessFSSet,
// so the order of the entries is significant and must not be changed.
// NOTE(review): the order presumably mirrors the kernel's
// LANDLOCK_ACCESS_FS_* flag bits — confirm against the Landlock UAPI header
// before adding or moving an entry.
var accessFSNames = []string{
	0:  "execute",
	1:  "write_file",
	2:  "read_file",
	3:  "read_dir",
	4:  "remove_dir",
	5:  "remove_file",
	6:  "make_char",
	7:  "make_dir",
	8:  "make_reg",
	9:  "make_sock",
	10: "make_fifo",
	11: "make_block",
	12: "make_sym",
	13: "refer",
	14: "truncate",
	15: "ioctl_dev",
}

// AccessFSSet is a set of Landlockable file system access operations.
// Each access right occupies one bit of the underlying uint64.
type AccessFSSet uint64

// supportedAccessFS has exactly the low len(accessFSNames) bits set, i.e.
// one bit for every named access right. Because it is derived from the
// length of accessFSNames, adding a name to that table also widens the set
// of bits that counts as supported.
var supportedAccessFS = AccessFSSet(1)<<len(accessFSNames) - 1
// accessSetString renders the bit set a as a human-readable string.
//
// The empty set is rendered as "∅". Otherwise the result is a
// comma-separated list in braces, ordered from the lowest set bit to the
// highest. Bit i is printed as names[i] when names has an entry for it and
// as "1<<i" otherwise, so bits without a known name stay visible in the
// output instead of being dropped.
func accessSetString(a uint64, names []string) string {
	if a == 0 {
		return "∅"
	}

	var parts []string
	for bit := 0; bit < 64; bit++ {
		if a&(uint64(1)<<bit) == 0 {
			continue
		}
		switch {
		case bit < len(names):
			parts = append(parts, names[bit])
		default:
			// No name is known for this bit; print its position instead.
			parts = append(parts, fmt.Sprintf("1<<%v", bit))
		}
	}
	return "{" + strings.Join(parts, ",") + "}"
}
// String returns a human-readable form of the set, naming each access right
// through accessFSNames. Bits that have no entry in that table are printed
// by position, as produced by accessSetString.
func (a AccessFSSet) String() string {
	bits := uint64(a)
	return accessSetString(bits, accessFSNames)
}
// isSubset reports whether every access right in a is also present in b.
// The empty set is a subset of every set.
func (a AccessFSSet) isSubset(b AccessFSSet) bool {
	// a&^b keeps the bits of a that are missing from b; none may remain.
	return a&^b == 0
}
// intersect returns the access rights that are present in both a and b.
func (a AccessFSSet) intersect(b AccessFSSet) AccessFSSet {
	common := a & b
	return common
}
// union returns the access rights that are present in a, in b, or in both.
func (a AccessFSSet) union(b AccessFSSet) AccessFSSet {
	combined := a | b
	return combined
}
// isEmpty reports whether the set contains no access rights at all.
func (a AccessFSSet) isEmpty() bool {
	return uint64(a) == 0
}
// valid reports whether a contains only access rights that this version of
// go-landlock supports, i.e. whether a is a subset of supportedAccessFS.
// A set with any bit outside supportedAccessFS is not valid.
func (a AccessFSSet) valid() bool {
	// Any bit left after masking out the supported rights is unknown here.
	return a&^supportedAccessFS == 0
}