bunpen: fix to allow binding files into the environment -- not just directories

2024-08-23 15:57:07 +00:00
parent ab4ebb012a
commit abb19b1fc9


@@ -24,8 +24,31 @@ fn access_fs_roughly_write() u64 = return
rtext::LANDLOCK_ACCESS_FS_TRUNCATE |
rtext::LANDLOCK_ACCESS_FS_IOCTL_DEV
;
fn access_fs_roughly_rw() u64 = return access_fs_roughly_read() | access_fs_roughly_write();
fn access_file() u64 = return
rtext::LANDLOCK_ACCESS_FS_EXECUTE |
rtext::LANDLOCK_ACCESS_FS_WRITE_FILE |
rtext::LANDLOCK_ACCESS_FS_READ_FILE |
rtext::LANDLOCK_ACCESS_FS_TRUNCATE |
rtext::LANDLOCK_ACCESS_FS_IOCTL_DEV
;
fn allow_path_fd(ruleset_fd: u64, path_fd: i32) (rt::errno | u64) = {
let access = access_fs_roughly_rw();
let statbuf = rt::st { ... };
rt::fstat(path_fd, &statbuf)?;
if (statbuf.mode & rt::S_IFDIR == 0) {
// not a directory: remove all access modes which are only sensible for
// directories, else landlock will fail.
access = access & access_file();
};
return rtext::landlock_add_rule(ruleset_fd, &rtext::landlock_path_beneath_attr {
allowed_access = access,
parent_fd = path_fd,
});
};
export fn landlock_restrict(what: *resources) void = {
let abi = rtext::landlock_create_ruleset(null, rtext::LANDLOCK_CREATE_RULESET_VERSION)!;
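Review bot: The directory test at `if (statbuf.mode & rt::S_IFDIR == 0)` in allow_path_fd examines one bit of the file-type field instead of the whole field, so any file type whose S_IFMT value happens to share that bit (on Linux, S_IFSOCK is numerically S_IFREG|S_IFDIR) is classified as a directory, keeps the directory-only access bits, and — as the comment on the preceding lines says — makes landlock reject the rule, which the `!` at the call site turns into an abort. Compare the masked type instead: `if ((statbuf.mode & rt::S_IFMT) != rt::S_IFDIR) {`. Worth a comment above access_file() as well: a bound file is granted EXECUTE, WRITE_FILE, TRUNCATE and IOCTL_DEV, so "binding a file" here means read-write-execute rather than read-only, and TRUNCATE/IOCTL_DEV only exist in newer landlock ABIs, so a rule built from these masks presumably has to be trimmed against the `abi` queried on the last line of the hunk on older kernels — whether that happens is outside this hunk. The tail of access_fs_roughly_write at the top of the hunk begins outside it.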
@@ -59,11 +82,10 @@ export fn landlock_restrict(what: *resources) void = {
for (let path .. what.paths) {
log::printfln("landlock: permit path: {}", path);
let path_fd = rt::open(path, rt::O_PATH | rt::O_CLOEXEC, 0)!; //< O_PATH allows for opening files which are `x` but not `r`
rtext::landlock_add_rule(ruleset_fd, &rtext::landlock_path_beneath_attr {
allowed_access = access_fs_roughly_rw(),
parent_fd = path_fd,
})!;
match (rt::open(path, rt::O_PATH | rt::O_CLOEXEC, 0)) { //< O_PATH allows for opening files which are `x` but not `r`
case rt::errno => log::printfln("omitting from sandbox (failed to `open`): {}", path);
case let path_fd: int => allow_path_fd(ruleset_fd, path_fd)!;
};
};
rtext::landlock_restrict_self(ruleset_fd)!;
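Review bot: The descriptor obtained by the new `rt::open` match is never closed after `case let path_fd: int => allow_path_fd(ruleset_fd, path_fd)!;`, yet landlock only needs it for the duration of landlock_add_rule; every permitted path therefore leaves one O_PATH descriptor open in the process until exec (O_CLOEXEC closes it there), which is an unneeded handle for the code that runs between this point and exec and a small leak if landlock_restrict is called more than once. Close it once the rule is installed: `case let path_fd: int => { allow_path_fd(ruleset_fd, path_fd)!; rt::close(path_fd)!; };`. The `omitting from sandbox` branch treats every errno alike, which is the fail-closed direction (the path ends up denied, not granted), but printing the errno next to the path would let a permission problem be told apart from a misspelled path. landlock_restrict begins before this hunk.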