bunpen: landlock: cleaner bindings

pkgs/additional/bunpen/src/kernel_bindings.ha

@@ -6,7 +6,7 @@ fn no_new_privs() void = {
 };
 
 ///// kernel consts. TODO: extract these from kernel headers, somehow.
-// landlock syscall ID
+// landlock syscall numbers
 const __NR_landlock_create_ruleset: u64 = 444;
 const __NR_landlock_add_rule: u64 = 445;
 // ---- landlock API constants ----
@@ -62,20 +62,23 @@ type landlock_rule_attr = union {
 
 
 // landlock_create_ruleset syscall
-fn landlock_create_ruleset(attr: nullable *landlock_ruleset_attr, flags: u64) u64 = {
+fn landlock_create_ruleset(attr: nullable *landlock_ruleset_attr, flags: u64) (rt::errno | u64) = {
   const size_: u64 = match (attr) {
     case null => yield 0;
     case => yield size(landlock_ruleset_attr);
   };
-  return syscall(__NR_landlock_create_ruleset, attr: uintptr, size_, flags)!;
+  return syscall(__NR_landlock_create_ruleset, attr: uintptr, size_, flags);
 };
 
 fn landlock_add_rule(
   ruleset_fd: i32,
-  rule_type: u64,  //< landlock_rule_type
-  rule_attr: *landlock_rule_attr,
+  rule_attr: (*landlock_path_beneath_attr | *landlock_net_port_attr),
   flags: u64,
 ) (rt::errno | u64) = {
+  const (rule_type, rule_attr) = match (rule_attr) {
+    case let p: *landlock_path_beneath_attr => yield (LANDLOCK_RULE_PATH_BENEATH, p: uintptr);
+    case let p: *landlock_net_port_attr => yield (LANDLOCK_RULE_NET_PORT, p: uintptr);
+  };
   return syscall(__NR_landlock_add_rule, ruleset_fd: u64, rule_type, rule_attr: uintptr, flags);
 };
 

pkgs/additional/bunpen/src/landlock.ha

@@ -24,7 +24,7 @@ fn access_fs_roughly_write() u64 = return
 ;
 
 fn landlock_restrict() void = {
-  let abi = landlock_create_ruleset(null, LANDLOCK_CREATE_RULESET_VERSION);
+  let abi = landlock_create_ruleset(null, LANDLOCK_CREATE_RULESET_VERSION)!;
   log::printfln("found landlock version {}", abi);
 
   // determine the access modes we can ask this kernel to restrict on:
@@ -44,7 +44,7 @@ fn landlock_restrict() void = {
   if (abi <= 4) {
     ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV;
   };
-  landlock_create_ruleset(&ruleset_attr, 0);
+  landlock_create_ruleset(&ruleset_attr, 0)!;
 
   // TODO: compute fs and net resource handles and call `landlock_add_rule`, `landlock_restrict_self`
   log::println("landlock_restrict: UNFINISHED");