bunpen: add minimal landlock API

pkgs/additional/bunpen/src/landlock.ha

@@ -0,0 +1,36 @@
+// vim: set shiftwidth=2 :
+use log;
+use rt;
+
+// kernel consts. TODO: extract these from kernel headers, somehow.
+const __NR_landlock_create_ruleset = 444u64;
+const LANDLOCK_CREATE_RULESET_VERSION = 1u64;
+
+fn landlock_restrict() void = {
+  let abi = landlock_create_ruleset();
+  log::printfln("found landlock version {}", abi);
+  // TODO: restrict net, paths, etc
+};
+
+// checks the return value from a Linux syscall and, if found to be in error,
+// returns the appropriate error. otherwise, returns the original value.
+// borrowed from non-public hare internals: rt/+linux/errno.ha
+fn wrap_return(r: u64) (rt::errno | u64) = {
+  if (r > -4096: u64) {
+    return (-(r: i64)): rt::errno;
+  };
+  return r;
+};
+
+// like `rt::syscall`, but maps negative return values to `errno`
+fn syscall(num: u64, args: u64...) (rt::errno | u64) = {
+  return wrap_return(rt::syscall(num, args...));
+};
+
+// landlock_create_ruleset syscall
+fn landlock_create_ruleset() u64 = {
+  const landlock_ruleset_attr_ptr = 0u64;
+  const size_ = 0u64;
+  return syscall(__NR_landlock_create_ruleset, landlock_ruleset_attr_ptr, size_, LANDLOCK_CREATE_RULESET_VERSION)!;
+};
+

pkgs/additional/bunpen/src/main.ha

@@ -22,5 +22,6 @@ export fn main() void = {
   let my_name = os::args[0];
   let exec_line = os::args[1..];
   no_new_privs();
+  landlock_restrict();
   do_exec(exec_line);
 };