From e457cf96aeddf1872d93c07a2d75dba30fe43802 Mon Sep 17 00:00:00 2001
From: Colin
Date: Fri, 23 Aug 2024 11:14:17 +0000
Subject: [PATCH] bunpen: break out a `resources` abstraction
---
 pkgs/additional/bunpen/main.ha | 8 +++++-
 pkgs/additional/bunpen/restrict/landlock.ha | 26 ++++++++++++++------
 pkgs/additional/bunpen/restrict/resources.ha | 8 ++++++
 3 files changed, 33 insertions(+), 9 deletions(-)
 create mode 100644 pkgs/additional/bunpen/restrict/resources.ha
diff --git a/pkgs/additional/bunpen/main.ha b/pkgs/additional/bunpen/main.ha
index 018d9983c..728a6e045 100644
--- a/pkgs/additional/bunpen/main.ha
+++ b/pkgs/additional/bunpen/main.ha
@@ -18,7 +18,13 @@ fn do_exec(args: []str) never = {
 export fn main() void = {
 let my_name = os::args[0];
 let exec_line = os::args[1..];
+
+ let what = restrict::resources {
+ paths = ["/"],
+ net = false,
+ };
+
 rtext::no_new_privs();
- restrict::landlock_restrict();
+ restrict::landlock_restrict(&what);
 do_exec(exec_line);
 };
diff --git a/pkgs/additional/bunpen/restrict/landlock.ha b/pkgs/additional/bunpen/restrict/landlock.ha
index 0750794ef..8d0bb9bd6 100644
--- a/pkgs/additional/bunpen/restrict/landlock.ha
+++ b/pkgs/additional/bunpen/restrict/landlock.ha
@@ -27,7 +27,7 @@ fn access_fs_roughly_write() u64 = return
 fn access_fs_roughly_rw() u64 = return
 access_fs_roughly_read() | access_fs_roughly_write();
-export fn landlock_restrict() void = {
+export fn landlock_restrict(what: *resources) void = {
 let abi = rtext::landlock_create_ruleset(null, rtext::LANDLOCK_CREATE_RULESET_VERSION)!;
 log::printfln("found landlock version {}", abi);
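Review bot: `paths = ["/"]` in the new `restrict::resources` literal hands the whole filesystem to the rule loop in landlock.ha, where every listed path is granted `access_fs_roughly_rw()`, so the ruleset built from this value confines nothing on the filesystem side and only `net = false` does any restricting. If this is a stand-in until the allow-list comes from the command line, say so where the value is declared, e.g. `// TODO: take the allow-list from argv; "/" means no filesystem confinement at all`. Keeping `rtext::no_new_privs()` ahead of the `landlock_restrict` call is correct: `landlock_restrict_self` needs no_new_privs set unless the caller has CAP_SYS_ADMIN, and a comment on that ordering would stop a later reshuffle from breaking it. The unused `my_name` predates this change.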
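Review bot: The new `landlock_restrict(what: *resources)` signature carries no doc comment, so a caller has to read the body to learn what `what` controls: each entry of `what.paths` is granted `access_fs_roughly_rw()`, `what.net` only lifts the TCP handling, and `landlock_restrict_self` presumably fails unless no_new_privs was set beforehand (main.ha does that just before the call). A comment above the export along the lines of `// Confine the calling process with Landlock: filesystem access is limited to \`what.paths\` (rw); TCP bind/connect is restricted unless \`what.net\`. Caller must have set no_new_privs.` would carry that contract. landlock_restrict's body continues past this hunk.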
@@ -48,15 +48,25 @@ export fn landlock_restrict() void = {
 if (abi <= 4) {
 ruleset_attr.handled_access_fs &= ~rtext::LANDLOCK_ACCESS_FS_IOCTL_DEV;
 };
+
+ if (what.net) {
+ // un-restrict net access
+ log::println("landlock: permit net");
+ ruleset_attr.handled_access_net = 0;
+ }; // XXX: `what.net` only affects TCP. UDP, and ICMP remain possible always
+
 let ruleset_fd = rtext::landlock_create_ruleset(&ruleset_attr)!;
- let root_fd = rt::open("/", rt::O_PATH | rt::O_CLOEXEC, 0)!; //< O_PATH allows for opening files which are `x` but not `r`
- rtext::landlock_add_rule(ruleset_fd, &rtext::landlock_path_beneath_attr {
- allowed_access = access_fs_roughly_rw(),
- parent_fd = root_fd,
- })!;
-
- log::println("landlock_restrict: TODO: populate net access (landlock_add_rule)");
+ for (let path .. what.paths) {
+ log::printfln("landlock: permit path: {}", path);
+ let path_fd = rt::open(path, rt::O_PATH | rt::O_CLOEXEC, 0)!; //< O_PATH allows for opening files which are `x` but not `r`
+ rtext::landlock_add_rule(ruleset_fd, &rtext::landlock_path_beneath_attr {
+ allowed_access = access_fs_roughly_rw(),
+ parent_fd = path_fd,
+ })!;
+ };
 rtext::landlock_restrict_self(ruleset_fd)!;
+
+ log::println("landlock restrictions activated");
 };
diff --git a/pkgs/additional/bunpen/restrict/resources.ha b/pkgs/additional/bunpen/restrict/resources.ha
new file mode 100644
index 000000000..611949e86
--- /dev/null
+++ b/pkgs/additional/bunpen/restrict/resources.ha
@@ -0,0 +1,8 @@
+export type resources = struct {
+ // paths to allow unrestricted access to (i.e. with whatever permissions the
+ // user has naturally.
+ paths: []str,
+ // true to allow unrestricted net access.
+ // false to maximally disable net access.
+ net: bool,
+};
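Review bot: `allowed_access = access_fs_roughly_rw()` inside the new path loop is passed to `landlock_add_rule` unmasked, while the ruleset above strips `LANDLOCK_ACCESS_FS_IOCTL_DEV` from `handled_access_fs` on abi <= 4; Landlock rejects a rule whose allowed accesses are not a subset of the handled ones, so if `access_fs_roughly_rw()` (defined outside this hunk) ever includes that bit, the `!` here aborts the program on older kernels. Masking at the rule keeps the two in step: `allowed_access = access_fs_roughly_rw() & ruleset_attr.handled_access_fs,`. The same applies to the one-line `log::println("landlock: permit net")` branch only indirectly, but the trailing `// XXX: \`what.net\` only affects TCP ...` is the most security-relevant fact in this function and would be better placed on the `if (what.net)` line, or at the `resources.net` field, than after the closing `};`. Neither `path_fd` nor `ruleset_fd` is closed after `landlock_restrict_self`; `path_fd` is opened `O_CLOEXEC`, and whether `ruleset_fd` is close-on-exec depends on the `rtext` wrapper I cannot see, so an explicit close of both before `do_exec` would make the exec'd child's fd table independent of that detail.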
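Review bot: The doc comment on `net` in the new `resources` struct, `// false to maximally disable net access.`, promises more than the consumer delivers: landlock.ha's own XXX note says `what.net` only affects TCP and that UDP and ICMP remain possible, so a caller reading only this struct would believe the sandbox has no network when it does. Stating the actual scope at the field, e.g. `// true to leave the network unrestricted. false only restricts TCP bind/connect via Landlock; UDP, ICMP and other socket types are unaffected.`, keeps the type's contract honest. The `paths` comment also has an unclosed parenthesis: `// paths to allow unrestricted access to (i.e. with whatever permissions the user has naturally).`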