bunpen: break out a resources abstraction

This commit is contained in:
2024-08-23 11:14:17 +00:00
parent f323c0f90d
commit e457cf96ae
3 changed files with 33 additions and 9 deletions


@@ -18,7 +18,13 @@ fn do_exec(args: []str) never = {
export fn main() void = {
let my_name = os::args[0];
let exec_line = os::args[1..];
let what = restrict::resources {
paths = ["/"],
net = false,
};
rtext::no_new_privs();
restrict::landlock_restrict();
restrict::landlock_restrict(&what);
do_exec(exec_line);
};
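Review bot: The defaults built in `main` (`paths = ["/"]`, `net = false`) deserve a comment, because with `landlock_restrict` granting `access_fs_roughly_rw()` to every listed path, a root entry of `"/"` means the filesystem part of the sandbox allows read/write to the whole tree, and the XXX in landlock_restrict says `net = false` only covers TCP. A reader of this block will otherwise assume the child is meaningfully confined. Suggested comment above `let what`: `// permissive default: "/" with rw covers the whole tree, and net=false only restricts TCP (see landlock_restrict)`. If the intent is for the exec'd command to be restricted, these values presumably need to come from the command line rather than be fixed here.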


@@ -27,7 +27,7 @@ fn access_fs_roughly_write() u64 = return
fn access_fs_roughly_rw() u64 = return access_fs_roughly_read() | access_fs_roughly_write();
export fn landlock_restrict() void = {
export fn landlock_restrict(what: *resources) void = {
let abi = rtext::landlock_create_ruleset(null, rtext::LANDLOCK_CREATE_RULESET_VERSION)!;
log::printfln("found landlock version {}", abi);
@@ -48,15 +48,25 @@ export fn landlock_restrict() void = {
if (abi <= 4) {
ruleset_attr.handled_access_fs &= ~rtext::LANDLOCK_ACCESS_FS_IOCTL_DEV;
};
if (what.net) {
// un-restrict net access
log::println("landlock: permit net");
ruleset_attr.handled_access_net = 0;
}; // XXX: `what.net` only affects TCP. UDP, and ICMP remain possible always
let ruleset_fd = rtext::landlock_create_ruleset(&ruleset_attr)!;
let root_fd = rt::open("/", rt::O_PATH | rt::O_CLOEXEC, 0)!; //< O_PATH allows for opening files which are `x` but not `r`
rtext::landlock_add_rule(ruleset_fd, &rtext::landlock_path_beneath_attr {
allowed_access = access_fs_roughly_rw(),
parent_fd = root_fd,
})!;
log::println("landlock_restrict: TODO: populate net access (landlock_add_rule)");
for (let path .. what.paths) {
log::printfln("landlock: permit path: {}", path);
let path_fd = rt::open(path, rt::O_PATH | rt::O_CLOEXEC, 0)!; //< O_PATH allows for opening files which are `x` but not `r`
rtext::landlock_add_rule(ruleset_fd, &rtext::landlock_path_beneath_attr {
allowed_access = access_fs_roughly_rw(),
parent_fd = path_fd,
})!;
};
rtext::landlock_restrict_self(ruleset_fd)!;
log::println("landlock restrictions activated");
};
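Review bot: Each iteration of the new `for (let path .. what.paths)` loop opens `path_fd` with `rt::open` and never closes it after `rtext::landlock_add_rule` returns, so one descriptor per entry stays open until the later exec (O_CLOEXEC releases them only then); the pre-existing `root_fd` had the same leak, but the loop multiplies it. Closing right after the rule is added, e.g. `rt::close(path_fd)!;` (assuming rt exposes `close` alongside the `open` used here), keeps the descriptor table clean and avoids running into the fd limit on long path lists. Separately, when `what.net` is false the value of `ruleset_attr.handled_access_net` comes from code above the hunk, so whether "maximally disable net access" actually holds cannot be confirmed from this hunk; a one-line comment on the `if (what.net)` branch stating what the false case relies on would help. `landlock_restrict` starts outside this hunk.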


@@ -0,0 +1,8 @@
export type resources = struct {
// paths to allow unrestricted access to (i.e. with whatever permissions the
// user has naturally.
paths: []str,
// true to allow unrestricted net access.
// false to maximally disable net access.
net: bool,
};
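Review bot: The doc comment on `net` promises "maximally disable net access", but `landlock_restrict` carries an XXX saying the flag only affects TCP and that UDP and ICMP remain possible; the type is the public surface callers read, so that caveat belongs here rather than only in the implementation. Suggested wording for the `net` field: `// true to allow unrestricted net access; false restricts what landlock can handle (currently TCP only — UDP and ICMP are unaffected).` The comment on `paths` also has an unclosed parenthesis ("(i.e. with whatever permissions the user has naturally." lacks its closing `)`), and it would be worth stating that each listed path is granted read/write beneath it, since that is what `landlock_restrict` does with the list.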