Add initial bits for landlock.
Currently not working fully.
This commit is contained in:
parent
cdc7d03c41
commit
082fa5e918
5
go.mod
5
go.mod
@ -2,4 +2,7 @@ module suah.dev/protect
|
||||
|
||||
go 1.14
|
||||
|
||||
require golang.org/x/sys v0.4.0
|
||||
require (
|
||||
github.com/landlock-lsm/go-landlock v0.0.0-20230225094210-7a98d7db83f2
|
||||
golang.org/x/sys v0.6.0
|
||||
)
|
||||
|
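Review bot: The new go-landlock requirement is pinned to a pseudo-version (an untagged commit) rather than a tagged release, and this library becomes the sandboxing boundary of every consumer, so the pin deserves a comment or a follow-up to move to a tagged release once one exists. Until then, make sure `go mod verify` runs in CI so the go.sum lines added alongside this change are actually checked against the module cache, and keep the pseudo-version stable rather than letting `go get -u` float it.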
9
go.sum
9
go.sum
@ -1,2 +1,7 @@
|
||||
golang.org/x/sys v0.4.0 h1:Zr2JFtRQNX3BCZ8YtxRE9hNJYC8J6I1MVbMg6owUp18=
|
||||
golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
github.com/landlock-lsm/go-landlock v0.0.0-20230225094210-7a98d7db83f2 h1:kTSOM+yiVubrJQI/LJ67EGxYqrqC0C5VkfRurbFg7J4=
|
||||
github.com/landlock-lsm/go-landlock v0.0.0-20230225094210-7a98d7db83f2/go.mod h1:oCxtVqzP6dNPgAQK+4okeQk9BcxjkttF8MG4DmoT6Sk=
|
||||
golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
|
||||
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
kernel.org/pub/linux/libs/security/libcap/psx v1.2.66 h1:ikIhPzfkSSAEwBOU+2DWhoF+xnGUhvlMTfQjBVhvzQY=
|
||||
kernel.org/pub/linux/libs/security/libcap/psx v1.2.66/go.mod h1:+l6Ee2F59XiJ2I6WR5ObpC1utCQJZ/VLsEbQCD8RG24=
|
||||
|
@ -12,8 +12,8 @@ import (
|
||||
"strings"
|
||||
)
|
||||
|
||||
// Unveil is a wrapper for OpenBSD's unveil(2). unveil can be used to limit
|
||||
// a processes view of the filesystem.
|
||||
// Unveil is a wrapper for OpenBSD's unveil(2) and Linux's LandLock. Both of
|
||||
// which are used to limit a processes view of the filesystem.
|
||||
//
|
||||
// The first call to Unveil removes a processes visibility to everything
|
||||
// except 'path'. Any subsequent calls expand the view to contain those
|
||||
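Review bot: The rewritten doc comment still says the first call to Unveil removes visibility to everything except `path`, but the Linux implementation added in protect_linux.go only records paths in `landToLock` and applies nothing until UnveilBlock calls RestrictPaths, so on Linux that sentence describes behaviour the code does not have. Suggest adding directly after the Landlock sentence: `// On Linux, Unveil only records paths; nothing is enforced until UnveilBlock is called.` The same mismatch applies to the UnveilBlock comment in the next hunk, which should say that on Linux this is the call that enforces the recorded paths rather than merely locking them. The comment block continues past the end of this hunk and the enclosing file header is not visible here.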
@ -45,7 +45,7 @@ func UnveilSet(set map[string]string, block bool) error {
|
||||
// UnveilBlock locks the Unveil'd paths. Preventing further changes to a
|
||||
// processes filesystem view.
|
||||
//
|
||||
// On non-OpenBSD machines this call is a noop.
|
||||
// On non-OpenBSD,Linux machines this call is a noop.
|
||||
func UnveilBlock() error {
|
||||
return unveilBlock()
|
||||
}
|
||||
|
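--- /dev/null
+++ b/protect_linux.go
@@ -0,0 +1,76 @@
+//go:build linux
+// +build linux
+
+package protect
+
+import (
+"log"
+"os"
+
+"github.com/landlock-lsm/go-landlock/landlock"
+)
+
+type lands []landlock.PathOpt
+
+var landToLock lands
+
+func (l lands) landAdd(path, flags string) error {
+s, err := os.Stat(path)
+if err != nil {
+return err
+}
+
+switch mode := s.Mode(); {
+case mode.IsDir():
+log.Println("directory", path)
+switch flags {
+case "r":
+l = append(l, landlock.RODirs(path))
+case "w":
+l = append(l, landlock.RWDirs(path))
+case "rw":
+l = append(l, landlock.RWDirs(path))
+}
+default:
+log.Println("file", path)
+switch flags {
+case "r":
+log.Println("READ ONLY")
+l = append(l, landlock.ROFiles(path))
+case "w":
+log.Println("WRITE")
+l = append(l, landlock.RWFiles(path))
+case "rw":
+log.Println("WRITE")
+l = append(l, landlock.RWFiles(path))
+}
+}
+
+return nil
+}
+
+func (l *lands) landWalk() []landlock.PathOpt {
+return *l
+}
+
+func unveil(path string, flags string) error {
+if path == "" {
+err := landlock.V3.BestEffort().RestrictPaths()
+if err != nil {
+return landlock.V2.BestEffort().RestrictPaths()
+}
+}
+return landToLock.landAdd(path, flags)
+}
+
+func unveilBlock() error {
+err := landlock.V3.RestrictPaths(landToLock.landWalk()...)
+if err != nil {
+return landlock.V2.RestrictPaths(landToLock.landWalk()...)
+}
+return err
+}
+
+func pledge(promises string) error {
+return nil
+}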
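Review bot: landAdd takes `lands` by value, so every `l = append(l, …)` extends a local copy and the package-level `landToLock` never gains an entry; unveilBlock then calls RestrictPaths with no allowed paths, which leaves the process denied access to everything the ruleset covers instead of the paths that were unveiled — very likely the "not working fully" from the commit message. Change the receiver and the six appends to `func (l *lands) landAdd(path, flags string) error {` and `*l = append(*l, landlock.RODirs(path))` (same pattern for the other five). The `path == ""` branch in unveil restricts immediately and then still falls through to `landAdd("", flags)`, so `os.Stat("")` fails and the returned error hides the fact that the lockdown already took effect; return after the RestrictPaths call. Unknown `flags` values fall out of both inner switches without error, so a typo such as `"rx"` yields a path that is never allowed and is denied at block time — worth returning an error from the default case, and `"w"` maps to RWDirs/RWFiles so a write-only request also grants read, which deserves a comment. The `log.Println` debug output should not stay in a library code path.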
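--- /dev/null
+++ b/protect_linux_ro_dir_test.go
@@ -0,0 +1,53 @@
+package protect
+
+import (
+"os"
+"runtime"
+"testing"
+)
+
+/*
+FIXME
+func TestLandlockFileWrite(t *testing.T) {
+if runtime.GOOS != "linux" {
+t.Skip("Not running on Linux... skipping landlock test")
+}
+
+f, err := os.CreateTemp("", "landlockTest")
+if err != nil {
+t.Fatal(err)
+}
+defer os.Remove(f.Name())
+
+unveil("/tmp", "r")
+err = unveilBlock()
+if err != nil {
+t.Fatal(err)
+}
+
+if c, err := f.Write([]byte("badbeef")); err == nil {
+t.Fatalf("wrote %d bytes to %q when I shouldn't have been able too\n", c, f.Name())
+}
+
+if err := f.Close(); err != nil {
+t.Fatal(err)
+}
+}
+*/
+
+func TestLandlockRO(t *testing.T) {
+if runtime.GOOS != "linux" {
+t.Skip("Not running on Linux... skipping landlock test")
+}
+
+unveil("/tmp", "r")
+err := unveilBlock()
+if err != nil {
+t.Fatal(err)
+}
+
+f, err := os.CreateTemp("", "landlockTest")
+if err == nil {
+t.Fatalf("should not have been able to create %q, but was able to do so\n", f.Name())
+}
+}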
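Review bot: TestLandlockRO discards the error from `unveil("/tmp", "r")`, so a failed `os.Stat` surfaces only as a confusing failure (or a silently wider restriction) at unveilBlock; write `if err := unveil("/tmp", "r"); err != nil { t.Fatal(err) }`. A Landlock ruleset enforced through RestrictPaths cannot be lifted for the lifetime of the process, and Go runs all tests of a package in one binary, so this test permanently restricts every test that runs after it — run the restricted part in a re-executed child process (the test binary with an environment marker) or accept that it must be the only test in the package. If CreateTemp unexpectedly succeeds, the file is neither closed nor removed before Fatalf. The file name does not trigger Go's implicit `_linux` filename constraint because it ends in `_ro_dir` rather than a GOOS, which is presumably why the runtime.GOOS skip exists; a comment saying so would stop someone from "simplifying" it away.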
@ -1,5 +1,5 @@
|
||||
//go:build !openbsd
|
||||
// +build !openbsd
|
||||
//go:build !openbsd && !linux
|
||||
// +build !openbsd,!linux
|
||||
|
||||
package protect
|
||||
|
||||
|