3 Commits
master
...
add_landlo
Author | SHA1 | Date | |
---|---|---|---|
2b9c3db652 | |||
e433d9038e | |||
082fa5e918 |
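--- a/go.mod
+++ b/go.mod
@@ -2,4 +2,7 @@ module suah.dev/protect
 
 go 1.14
 
-require golang.org/x/sys v0.4.0
+require (
+github.com/landlock-lsm/go-landlock v0.0.0-20230225094210-7a98d7db83f2
+golang.org/x/sys v0.6.0
+)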
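Review bot: The new requirement `github.com/landlock-lsm/go-landlock v0.0.0-20230225094210-7a98d7db83f2` pins an untagged commit through a pseudo-version, so a reader cannot tell which upstream release, if any, it corresponds to, and `go get -u` will not follow tagged releases. If upstream publishes a tag that carries the `landlock.V3` / `RestrictPaths` API the new Linux file uses, pinning that tag would make the dependency auditable; if no such tag exists, a one-line comment next to the requirement saying why the commit pin is needed would record the decision for the next reviewer.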
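--- a/go.sum
+++ b/go.sum
@@ -1,2 +1,7 @@
-golang.org/x/sys v0.4.0 h1:Zr2JFtRQNX3BCZ8YtxRE9hNJYC8J6I1MVbMg6owUp18=
-golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+github.com/landlock-lsm/go-landlock v0.0.0-20230225094210-7a98d7db83f2 h1:kTSOM+yiVubrJQI/LJ67EGxYqrqC0C5VkfRurbFg7J4=
+github.com/landlock-lsm/go-landlock v0.0.0-20230225094210-7a98d7db83f2/go.mod h1:oCxtVqzP6dNPgAQK+4okeQk9BcxjkttF8MG4DmoT6Sk=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+kernel.org/pub/linux/libs/security/libcap/psx v1.2.66 h1:ikIhPzfkSSAEwBOU+2DWhoF+xnGUhvlMTfQjBVhvzQY=
+kernel.org/pub/linux/libs/security/libcap/psx v1.2.66/go.mod h1:+l6Ee2F59XiJ2I6WR5ObpC1utCQJZ/VLsEbQCD8RG24=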
@ -12,8 +12,8 @@ import (
|
|||||||
"strings"
|
"strings"
|
||||||
)
|
)
|
||||||
|
|
||||||
// Unveil is a wrapper for OpenBSD's unveil(2). unveil can be used to limit
|
// Unveil is a wrapper for OpenBSD's unveil(2) and Linux's LandLock. Both of
|
||||||
// a processes view of the filesystem.
|
// which are used to limit a processes view of the filesystem.
|
||||||
//
|
//
|
||||||
// The first call to Unveil removes a processes visibility to everything
|
// The first call to Unveil removes a processes visibility to everything
|
||||||
// except 'path'. Any subsequent calls expand the view to contain those
|
// except 'path'. Any subsequent calls expand the view to contain those
|
||||||
@ -45,7 +45,7 @@ func UnveilSet(set map[string]string, block bool) error {
|
|||||||
// UnveilBlock locks the Unveil'd paths. Preventing further changes to a
|
// UnveilBlock locks the Unveil'd paths. Preventing further changes to a
|
||||||
// processes filesystem view.
|
// processes filesystem view.
|
||||||
//
|
//
|
||||||
// On non-OpenBSD machines this call is a noop.
|
// On non-OpenBSD,Linux machines this call is a noop.
|
||||||
func UnveilBlock() error {
|
func UnveilBlock() error {
|
||||||
return unveilBlock()
|
return unveilBlock()
|
||||||
}
|
}
|
||||||
|
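Review bot: The rewritten line `// On non-OpenBSD,Linux machines this call is a noop.` reads as if Linux were listed by accident; `// On machines that are neither OpenBSD nor Linux this call is a noop.` states the intent unambiguously. The Unveil doc in the earlier hunk now says `// Unveil is a wrapper for OpenBSD's unveil(2) and Linux's LandLock.` but keeps the sentence about the first call removing visibility to everything except 'path', which, judging by the Linux implementation added in this commit, does not hold there: paths are only collected until UnveilBlock applies the ruleset. That difference is worth a sentence in the doc, for example `// On Linux the paths are only recorded; the restriction takes effect when UnveilBlock is called.`. The kernel feature is spelled "Landlock" in its own documentation, so `LandLock` should follow suit.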
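--- /dev/null
+++ b/protect_linux.go
@@ -0,0 +1,68 @@
+//go:build linux
+// +build linux
+
+package protect
+
+import (
+"os"
+
+"github.com/landlock-lsm/go-landlock/landlock"
+)
+
+type lands struct {
+paths []landlock.PathOpt
+}
+
+var landToLock lands
+
+func landAdd(path, flags string) error {
+s, err := os.Stat(path)
+if err != nil {
+return err
+}
+
+switch mode := s.Mode(); {
+case mode.IsDir():
+switch flags {
+case "r":
+landToLock.paths = append(landToLock.paths, landlock.RODirs(path))
+default:
+landToLock.paths = append(landToLock.paths, landlock.RWDirs(path))
+}
+default:
+switch flags {
+case "r":
+landToLock.paths = append(landToLock.paths, landlock.ROFiles(path))
+default:
+landToLock.paths = append(landToLock.paths, landlock.RWFiles(path))
+}
+}
+
+return nil
+}
+
+func (l lands) landWalk() []landlock.PathOpt {
+return l.paths
+}
+
+func unveil(path string, flags string) error {
+if path == "" {
+err := landlock.V3.BestEffort().RestrictPaths()
+if err != nil {
+return landlock.V2.BestEffort().RestrictPaths()
+}
+}
+return landAdd(path, flags)
+}
+
+func unveilBlock() error {
+err := landlock.V3.RestrictPaths(landToLock.landWalk()...)
+if err != nil {
+return landlock.V2.RestrictPaths(landToLock.landWalk()...)
+}
+return err
+}
+
+func pledge(promises string) error {
+return nil
+}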
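--- /dev/null
+++ b/protect_linux_ro_dir_test.go
@@ -0,0 +1,48 @@
+package protect
+
+import (
+"os"
+"path"
+"runtime"
+"testing"
+)
+
+func TestLandlockFileWrite(t *testing.T) {
+if runtime.GOOS != "linux" {
+t.Skip("Not running on Linux... skipping landlock test")
+}
+
+dir, err := os.MkdirTemp("", "landlock")
+if err != nil {
+t.Fatal(err)
+}
+defer os.RemoveAll(dir)
+
+unveil(dir, "r")
+err = unveilBlock()
+if err != nil {
+t.Fatal(err)
+}
+
+f, err := os.OpenFile(path.Join(dir, "deadbeef"), os.O_RDWR|os.O_CREATE, 0600)
+if err == nil {
+t.Fatalf("should not have been able to create %q, but was able to do so\n", f.Name())
+}
+}
+
+func TestLandlockRO(t *testing.T) {
+if runtime.GOOS != "linux" {
+t.Skip("Not running on Linux... skipping landlock test")
+}
+
+unveil("/tmp", "r")
+err := unveilBlock()
+if err != nil {
+t.Fatal(err)
+}
+
+f, err := os.CreateTemp("", "landlockTest")
+if err == nil {
+t.Fatalf("should not have been able to create %q, but was able to do so\n", f.Name())
+}
+}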
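Review bot: Both tests discard the error from `unveil(...)` (`unveil(dir, "r")` and `unveil("/tmp", "r")`), so if `landAdd` fails the ruleset stays empty, the following `unveilBlock()` restricts everything, and the "cannot create" assertion passes for the wrong reason; check it with `if err := unveil(dir, "r"); err != nil { t.Fatal(err) }`. Landlock rulesets stack for the life of the process and `landToLock` is package-global, so once TestLandlockFileWrite has confined the process to read-only `dir`, TestLandlockRO's `/tmp` rule cannot grant anything back and its assertion holds regardless of the rule it adds; the two cases only test what they claim to if each runs in its own process (for example via a subprocess helper). The deferred `os.RemoveAll(dir)` runs after the process has restricted itself to read-only access to `dir`, so the temporary directory is left behind and the error is silently dropped. Because `unveilBlock` uses `V3`/`V2` without `BestEffort()`, on a CI kernel lacking Landlock ABI v2 these tests presumably fail at `t.Fatal(err)` rather than skipping, which is worth handling explicitly.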
@ -1,5 +1,5 @@
|
|||||||
//go:build !openbsd
|
//go:build !openbsd && !linux
|
||||||
// +build !openbsd
|
// +build !openbsd,!linux
|
||||||
|
|
||||||
package protect
|
package protect
|
||||||
|
|
||||||
|