colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

bunpen: break out a resources abstraction

Browse Source
This commit is contained in:
Colin
2024-08-23 11:14:17 +00:00
parent f323c0f90d
commit e457cf96ae
3 changed files with 33 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
pkgs/additional/bunpen/main.ha
View File

@@ -18,7 +18,13 @@ fn do_exec(args: []str) never = {
export fn main() void = { export fn main() void = {
let my_name = os::args[0]; let my_name = os::args[0];
let exec_line = os::args[1..]; let exec_line = os::args[1..];
let what = restrict::resources {
paths = ["/"],
net = false,
};
rtext::no_new_privs(); rtext::no_new_privs();
restrict::landlock_restrict(); restrict::landlock_restrict(&what);
do_exec(exec_line); do_exec(exec_line);
}; };

26
pkgs/additional/bunpen/restrict/landlock.ha
View File

@@ -27,7 +27,7 @@ fn access_fs_roughly_write() u64 = return
fn access_fs_roughly_rw() u64 = return access_fs_roughly_read() | access_fs_roughly_write(); fn access_fs_roughly_rw() u64 = return access_fs_roughly_read() | access_fs_roughly_write();
export fn landlock_restrict() void = { export fn landlock_restrict(what: *resources) void = {
let abi = rtext::landlock_create_ruleset(null, rtext::LANDLOCK_CREATE_RULESET_VERSION)!; let abi = rtext::landlock_create_ruleset(null, rtext::LANDLOCK_CREATE_RULESET_VERSION)!;
log::printfln("found landlock version {}", abi); log::printfln("found landlock version {}", abi);
@@ -48,15 +48,25 @@ export fn landlock_restrict() void = {
if (abi <= 4) { if (abi <= 4) {
ruleset_attr.handled_access_fs &= ~rtext::LANDLOCK_ACCESS_FS_IOCTL_DEV; ruleset_attr.handled_access_fs &= ~rtext::LANDLOCK_ACCESS_FS_IOCTL_DEV;
}; };
if (what.net) {
// un-restrict net access
log::println("landlock: permit net");
ruleset_attr.handled_access_net = 0;
}; // XXX: `what.net` only affects TCP. UDP, and ICMP remain possible always
let ruleset_fd = rtext::landlock_create_ruleset(&ruleset_attr)!; let ruleset_fd = rtext::landlock_create_ruleset(&ruleset_attr)!;
let root_fd = rt::open("/", rt::O_PATH | rt::O_CLOEXEC, 0)!; //< O_PATH allows for opening files which are `x` but not `r` for (let path .. what.paths) {
rtext::landlock_add_rule(ruleset_fd, &rtext::landlock_path_beneath_attr { log::printfln("landlock: permit path: {}", path);
allowed_access = access_fs_roughly_rw(), let path_fd = rt::open(path, rt::O_PATH | rt::O_CLOEXEC, 0)!; //< O_PATH allows for opening files which are `x` but not `r`
parent_fd = root_fd, rtext::landlock_add_rule(ruleset_fd, &rtext::landlock_path_beneath_attr {
})!; allowed_access = access_fs_roughly_rw(),
parent_fd = path_fd,
log::println("landlock_restrict: TODO: populate net access (landlock_add_rule)"); })!;
};
rtext::landlock_restrict_self(ruleset_fd)!; rtext::landlock_restrict_self(ruleset_fd)!;
log::println("landlock restrictions activated");
}; };

8
pkgs/additional/bunpen/restrict/resources.ha Normal file
View File

@@ -0,0 +1,8 @@
export type resources = struct {
// paths to allow unrestricted access to (i.e. with whatever permissions the
// user has naturally.
paths: []str,
// true to allow unrestricted net access.
// false to maximally disable net access.
net: bool,
};