sandboxing port to linux via landlock

author: shtrophic 2024-11-12 21:01:09 +0100
committer: shtrophic 2024-11-16 00:54:12 +0100
commit: 75f615905629f64f40363161281d640010153d64 (patch)
tree: afd40445102e4bac6da69e55ee96a0f97dcb3479
parent: Minor tweak to proxy code (some URLs were not correctly formed). (diff)
download: snac2-75f615905629f64f40363161281d640010153d64.tar.gz
snac2-75f615905629f64f40363161281d640010153d64.tar.xz
snac2-75f615905629f64f40363161281d640010153d64.zip
4 files changed, 190 insertions, 39 deletions
diff --git a/Makefile b/Makefile
index 600419d..225031a 100644
--- a/Makefile
+++ b/Makefile
@@ -4,7 +4,7 @@ CFLAGS?=-g -Wall -Wextra -pedantic
 all: snac
-snac: snac.o main.o data.o http.o httpd.o webfinger.o \
+snac: snac.o main.o sandbox.o data.o http.o httpd.o webfinger.o \
    activitypub.o html.o utils.o format.o upgrade.o mastoapi.o
        $(CC) $(CFLAGS) -L/usr/local/lib *.o -lcurl -lcrypto $(LDFLAGS) -pthread -o $@
@@ -36,6 +36,8 @@ uninstall:
 activitypub.o: activitypub.c xs.h xs_json.h xs_curl.h xs_mime.h \
 xs_openssl.h xs_regex.h xs_time.h xs_set.h xs_match.h snac.h \
 http_codes.h
+sandbox.o: sandbox.c xs.h xs_hex.h xs_io.h xs_json.h xs_openssl.h \
+ xs_glob.h xs_set.h xs_time.h xs_regex.h xs_match.h xs_unicode.h snac.h
 data.o: data.c xs.h xs_hex.h xs_io.h xs_json.h xs_openssl.h xs_glob.h \
 xs_set.h xs_time.h xs_regex.h xs_match.h xs_unicode.h xs_random.h snac.h \
 http_codes.h
diff --git a/data.c b/data.c
index 1cd69a5..54099db 100644
--- a/data.c
+++ b/data.c
@@ -115,44 +115,7 @@ int srv_open(const char *basedir, int auto_upgrade)
 #define st_mtim st_mtimespec
 #endif
-#ifdef __OpenBSD__
+    sbox_enter(srv_basedir);
-    if (xs_is_true(xs_dict_get(srv_config, "disable_openbsd_security"))) {
-        srv_debug(1, xs_dup("OpenBSD security disabled by admin"));
-    }
-    else {
-        int smail = !xs_is_true(xs_dict_get(srv_config, "disable_email_notifications"));
-        const char *address = xs_dict_get(srv_config, "address");
-        srv_debug(1, xs_fmt("Calling unveil()"));
-        unveil(basedir,                "rwc");
-        unveil("/tmp",                 "rwc");
-        unveil("/etc/resolv.conf",     "r");
-        unveil("/etc/hosts",           "r");
-        unveil("/etc/ssl/openssl.cnf", "r");
-        unveil("/etc/ssl/cert.pem",    "r");
-        unveil("/usr/share/zoneinfo",  "r");
-        if (smail)
-            unveil("/usr/sbin/sendmail",   "x");
-        if (*address == '/')
-            unveil(address, "rwc");
-        unveil(NULL,                   NULL);
-        srv_debug(1, xs_fmt("Calling pledge()"));
-        xs *p = xs_str_new("stdio rpath wpath cpath flock inet proc dns fattr");
-        if (smail)
-            p = xs_str_cat(p, " exec");
-        if (*address == '/')
-            p = xs_str_cat(p, " unix");
-        pledge(p, NULL);
-    }
-#endif /* __OpenBSD__ */
    /* read (and drop) emojis.json, possibly creating it */
    xs_free(emojis());
diff --git a/sandbox.c b/sandbox.c
new file mode 100644
index 0000000..f83a947
--- /dev/null
+++ b/sandbox.c
@@ -0,0 +1,184 @@
+#include "xs.h"
+#include "snac.h"
+#include <unistd.h>
+#if defined (__linux__)
+#   define __USE_GNU
+#   include <linux/landlock.h>
+#   include <linux/prctl.h>
+#   include <sys/syscall.h>
+#   include <sys/prctl.h>
+#   include <fcntl.h>
+#   include <arpa/inet.h>
+#endif
+void sbox_enter(const char *basedir)
+{
+    if (xs_is_true(xs_dict_get(srv_config, "disable_openbsd_security"))) {
+        srv_log(xs_dup("disable_openbsd_security is deprecated. Use disable_sandbox instead."));
+        return;
+    }
+    if (xs_is_true(xs_dict_get(srv_config, "disable_sandbox"))) {
+        srv_debug(0, xs_dup("Sandbox disabled by admin"));
+        return;
+    }
+    const char *address = xs_dict_get(srv_config, "address");
+#if defined (__OpenBSD__)
+    int smail = !xs_is_true(xs_dict_get(srv_config, "disable_email_notifications"));
+    srv_debug(1, xs_fmt("Calling unveil()"));
+    unveil(basedir,                "rwc");
+    unveil("/tmp",                 "rwc");
+    unveil("/etc/resolv.conf",     "r");
+    unveil("/etc/hosts",           "r");
+    unveil("/etc/ssl/openssl.cnf", "r");
+    unveil("/etc/ssl/cert.pem",    "r");
+    unveil("/usr/share/zoneinfo",  "r");
+    if (smail)
+        unveil("/usr/sbin/sendmail",   "x");
+    if (*address == '/')
+        unveil(address, "rwc");
+    unveil(NULL,                   NULL);
+    srv_debug(1, xs_fmt("Calling pledge()"));
+    xs *p = xs_str_new("stdio rpath wpath cpath flock inet proc dns fattr");
+    if (smail)
+        p = xs_str_cat(p, " exec");
+    if (*address == '/')
+        p = xs_str_cat(p, " unix");
+    pledge(p, NULL);
+    xs_free(p);
+#elif defined (__linux__)
+    int error, ruleset_fd, abi;
+    struct landlock_ruleset_attr      rules = {0};
+    struct landlock_path_beneath_attr path  = {0};
+    struct landlock_net_port_attr     net   = {0};
+    rules.handled_access_fs =
+        LANDLOCK_ACCESS_FS_EXECUTE     |
+        LANDLOCK_ACCESS_FS_WRITE_FILE  |
+        LANDLOCK_ACCESS_FS_READ_FILE   |
+        LANDLOCK_ACCESS_FS_REMOVE_DIR  |
+        LANDLOCK_ACCESS_FS_REMOVE_FILE |
+        LANDLOCK_ACCESS_FS_MAKE_CHAR   |
+        LANDLOCK_ACCESS_FS_MAKE_DIR    |
+        LANDLOCK_ACCESS_FS_MAKE_REG    |
+        LANDLOCK_ACCESS_FS_MAKE_SOCK   |
+        LANDLOCK_ACCESS_FS_MAKE_FIFO   |
+        LANDLOCK_ACCESS_FS_MAKE_BLOCK  |
+        LANDLOCK_ACCESS_FS_MAKE_SYM    |
+        LANDLOCK_ACCESS_FS_REFER       |
+        LANDLOCK_ACCESS_FS_TRUNCATE    |
+        LANDLOCK_ACCESS_FS_IOCTL_DEV;
+    rules.handled_access_net =
+        LANDLOCK_ACCESS_NET_BIND_TCP |
+        LANDLOCK_ACCESS_NET_CONNECT_TCP;
+    abi = syscall(SYS_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
+    switch (abi) {
+    case -1:
+        srv_debug(0, xs_dup("Kernel without landlock support"));
+        return;
+    case 1:
+        rules.handled_access_fs  &= ~LANDLOCK_ACCESS_FS_REFER;
+        __attribute__((fallthrough));
+    case 2:
+        rules.handled_access_fs  &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
+        __attribute__((fallthrough));
+    case 3:
+        rules.handled_access_net &= ~(LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP);
+        __attribute__((fallthrough));
+    case 4:
+        rules.handled_access_fs  &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV;
+    }
+    srv_debug(1, xs_fmt("lanlock abi: %d", abi));
+    ruleset_fd = syscall(SYS_landlock_create_ruleset, &rules, sizeof(struct landlock_ruleset_attr), 0);
+    if (ruleset_fd == -1) {
+        srv_debug(0, xs_fmt("landlock_create_ruleset failed: %s", strerror(errno)));
+        return;
+    }
+#define LL_R LANDLOCK_ACCESS_FS_READ_FILE
+#define LL_X LANDLOCK_ACCESS_FS_EXECUTE
+#define LL_RWC (LL_R | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_TRUNCATE)
+#define LL_UNX (LL_R | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_SOCK)
+#define LL_CON LANDLOCK_ACCESS_NET_CONNECT_TCP
+#define LL_BND LANDLOCK_ACCESS_NET_BIND_TCP
+#define LANDLOCK_PATH(p, r) do {\
+    path.allowed_access = r;\
+    if (abi < 3)\
+        path.allowed_access &= ~LANDLOCK_ACCESS_FS_TRUNCATE;\
+    path.parent_fd = open(p, O_PATH | O_CLOEXEC);\
+    if (path.parent_fd == -1) {\
+        srv_debug(2, xs_fmt("open %s: %s", p, strerror(errno)));\
+        goto close;\
+    }\
+    error = syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &path, 0); \
+    if (error) {\
+        srv_debug(0, xs_fmt("LANDLOCK_PATH(%s): %s", p, strerror(errno)));\
+        goto close;\
+    }\
+} while (0)
+#define LANDLOCK_PORT(p, r) do {\
+    uint16_t _p = p;\
+    net.port = _p;\
+    net.allowed_access = r;\
+    error = syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_NET_PORT, &net, 0);\
+    if (error) {\
+        srv_debug(0, xs_fmt("LANDLOCK_PORT(%d): %s", _p, strerror(errno)));\
+        goto close;\
+    }\
+} while (0)
+    LANDLOCK_PATH(basedir,                LL_RWC);
+    LANDLOCK_PATH("/tmp",                 LL_RWC);
+    LANDLOCK_PATH("/dev/shm",             LL_RWC);
+    LANDLOCK_PATH("/etc/resolv.conf",     LL_R  );
+    LANDLOCK_PATH("/etc/hosts",           LL_R  );
+    LANDLOCK_PATH("/etc/ssl/openssl.cnf", LL_R  );
+    LANDLOCK_PATH("/etc/ssl/cert.pem",    LL_R  );
+    LANDLOCK_PATH("/usr/share/zoneinfo",  LL_R  );
+    if (*address == '/')
+        LANDLOCK_PATH(address, LL_UNX);
+    if (abi > 3) {
+        if (*address != '/') {
+            LANDLOCK_PORT(
+                (uint16_t)xs_number_get(xs_dict_get(srv_config, "port")), LL_BND);
+        }
+        LANDLOCK_PORT(80,  LL_CON);
+        LANDLOCK_PORT(443, LL_CON);
+    }
+    
+    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+        srv_debug(0, xs_fmt("prctl SET_NO_NEW_PRIVS: %s", strerror(errno)));
+        goto close;
+    }
+    if (syscall(SYS_landlock_restrict_self, ruleset_fd, 0))
+        srv_debug(0, xs_fmt("landlock_restrict_self: %s", strerror(errno)));
+    srv_log(xs_dup("landlocked"));
+close:
+    close(ruleset_fd);
+#endif
+}
diff --git a/snac.h b/snac.h
index ad2793e..ba84420 100644
--- a/snac.h
+++ b/snac.h
@@ -75,6 +75,8 @@ void snac_log(snac *user, xs_str *str);
 int srv_open(const char *basedir, int auto_upgrade);
 void srv_free(void);
+void sbox_enter(const char *basedir);
 int user_open(snac *snac, const char *uid);
 void user_free(snac *snac);
 xs_list *user_list(void);
author	shtrophic	2024-11-12 21:01:09 +0100
committer	shtrophic	2024-11-16 00:54:12 +0100
commit	75f615905629f64f40363161281d640010153d64 (patch)
tree	afd40445102e4bac6da69e55ee96a0f97dcb3479
parent	Minor tweak to proxy code (some URLs were not correctly formed). (diff)
download	snac2-75f615905629f64f40363161281d640010153d64.tar.gz snac2-75f615905629f64f40363161281d640010153d64.tar.xz snac2-75f615905629f64f40363161281d640010153d64.zip

diff --git a/Makefile b/Makefile index 600419d..225031a 100644 --- a/Makefile +++ b/Makefile
@@ -4,7 +4,7 @@ CFLAGS?=-g -Wall -Wextra -pedantic
4		4
5	all: snac	5	all: snac
6		6
7	snac: snac.o main.o data.o http.o httpd.o webfinger.o \	7	snac: snac.o main.o sandbox.o data.o http.o httpd.o webfinger.o \
8	activitypub.o html.o utils.o format.o upgrade.o mastoapi.o	8	activitypub.o html.o utils.o format.o upgrade.o mastoapi.o
9	$(CC) $(CFLAGS) -L/usr/local/lib *.o -lcurl -lcrypto $(LDFLAGS) -pthread -o $@	9	$(CC) $(CFLAGS) -L/usr/local/lib *.o -lcurl -lcrypto $(LDFLAGS) -pthread -o $@
10		10
@@ -36,6 +36,8 @@ uninstall:
36	activitypub.o: activitypub.c xs.h xs_json.h xs_curl.h xs_mime.h \	36	activitypub.o: activitypub.c xs.h xs_json.h xs_curl.h xs_mime.h \
37	xs_openssl.h xs_regex.h xs_time.h xs_set.h xs_match.h snac.h \	37	xs_openssl.h xs_regex.h xs_time.h xs_set.h xs_match.h snac.h \
38	http_codes.h	38	http_codes.h
		39	sandbox.o: sandbox.c xs.h xs_hex.h xs_io.h xs_json.h xs_openssl.h \
		40	xs_glob.h xs_set.h xs_time.h xs_regex.h xs_match.h xs_unicode.h snac.h
39	data.o: data.c xs.h xs_hex.h xs_io.h xs_json.h xs_openssl.h xs_glob.h \	41	data.o: data.c xs.h xs_hex.h xs_io.h xs_json.h xs_openssl.h xs_glob.h \
40	xs_set.h xs_time.h xs_regex.h xs_match.h xs_unicode.h xs_random.h snac.h \	42	xs_set.h xs_time.h xs_regex.h xs_match.h xs_unicode.h xs_random.h snac.h \
41	http_codes.h	43	http_codes.h


diff --git a/data.c b/data.c index 1cd69a5..54099db 100644 --- a/data.c +++ b/data.c
@@ -115,44 +115,7 @@ int srv_open(const char *basedir, int auto_upgrade)
115	#define st_mtim st_mtimespec	115	#define st_mtim st_mtimespec
116	#endif	116	#endif
117		117
118	#ifdef __OpenBSD__	118	sbox_enter(srv_basedir);
119	if (xs_is_true(xs_dict_get(srv_config, "disable_openbsd_security"))) {
120	srv_debug(1, xs_dup("OpenBSD security disabled by admin"));
121	}
122	else {
123	int smail = !xs_is_true(xs_dict_get(srv_config, "disable_email_notifications"));
124	const char *address = xs_dict_get(srv_config, "address");
125
126	srv_debug(1, xs_fmt("Calling unveil()"));
127	unveil(basedir, "rwc");
128	unveil("/tmp", "rwc");
129	unveil("/etc/resolv.conf", "r");
130	unveil("/etc/hosts", "r");
131	unveil("/etc/ssl/openssl.cnf", "r");
132	unveil("/etc/ssl/cert.pem", "r");
133	unveil("/usr/share/zoneinfo", "r");
134
135	if (smail)
136	unveil("/usr/sbin/sendmail", "x");
137
138	if (*address == '/')
139	unveil(address, "rwc");
140
141	unveil(NULL, NULL);
142
143	srv_debug(1, xs_fmt("Calling pledge()"));
144
145	xs *p = xs_str_new("stdio rpath wpath cpath flock inet proc dns fattr");
146
147	if (smail)
148	p = xs_str_cat(p, " exec");
149
150	if (*address == '/')
151	p = xs_str_cat(p, " unix");
152
153	pledge(p, NULL);
154	}
155	#endif /* __OpenBSD__ */
156		119
157	/* read (and drop) emojis.json, possibly creating it */	120	/* read (and drop) emojis.json, possibly creating it */
158	xs_free(emojis());	121	xs_free(emojis());


diff --git a/sandbox.c b/sandbox.c new file mode 100644 index 0000000..f83a947 --- /dev/null +++ b/sandbox.c
@@ -0,0 +1,184 @@
		1	#include "xs.h"
		2
		3	#include "snac.h"
		4
		5	#include <unistd.h>
		6
		7	#if defined (__linux__)
		8	# define __USE_GNU
		9	# include <linux/landlock.h>
		10	# include <linux/prctl.h>
		11	# include <sys/syscall.h>
		12	# include <sys/prctl.h>
		13	# include <fcntl.h>
		14	# include <arpa/inet.h>
		15	#endif
		16
		17	void sbox_enter(const char *basedir)
		18	{
		19	if (xs_is_true(xs_dict_get(srv_config, "disable_openbsd_security"))) {
		20	srv_log(xs_dup("disable_openbsd_security is deprecated. Use disable_sandbox instead."));
		21	return;
		22	}
		23	if (xs_is_true(xs_dict_get(srv_config, "disable_sandbox"))) {
		24	srv_debug(0, xs_dup("Sandbox disabled by admin"));
		25	return;
		26	}
		27
		28	const char *address = xs_dict_get(srv_config, "address");
		29
		30	#if defined (__OpenBSD__)
		31	int smail = !xs_is_true(xs_dict_get(srv_config, "disable_email_notifications"));
		32
		33	srv_debug(1, xs_fmt("Calling unveil()"));
		34	unveil(basedir, "rwc");
		35	unveil("/tmp", "rwc");
		36	unveil("/etc/resolv.conf", "r");
		37	unveil("/etc/hosts", "r");
		38	unveil("/etc/ssl/openssl.cnf", "r");
		39	unveil("/etc/ssl/cert.pem", "r");
		40	unveil("/usr/share/zoneinfo", "r");
		41
		42	if (smail)
		43	unveil("/usr/sbin/sendmail", "x");
		44
		45	if (*address == '/')
		46	unveil(address, "rwc");
		47
		48	unveil(NULL, NULL);
		49
		50	srv_debug(1, xs_fmt("Calling pledge()"));
		51
		52	xs *p = xs_str_new("stdio rpath wpath cpath flock inet proc dns fattr");
		53
		54	if (smail)
		55	p = xs_str_cat(p, " exec");
		56
		57	if (*address == '/')
		58	p = xs_str_cat(p, " unix");
		59
		60	pledge(p, NULL);
		61
		62	xs_free(p);
		63	#elif defined (__linux__)
		64	int error, ruleset_fd, abi;
		65	struct landlock_ruleset_attr rules = {0};
		66	struct landlock_path_beneath_attr path = {0};
		67	struct landlock_net_port_attr net = {0};
		68
		69	rules.handled_access_fs =
		70	LANDLOCK_ACCESS_FS_EXECUTE \|
		71	LANDLOCK_ACCESS_FS_WRITE_FILE \|
		72	LANDLOCK_ACCESS_FS_READ_FILE \|
		73	LANDLOCK_ACCESS_FS_REMOVE_DIR \|
		74	LANDLOCK_ACCESS_FS_REMOVE_FILE \|
		75	LANDLOCK_ACCESS_FS_MAKE_CHAR \|
		76	LANDLOCK_ACCESS_FS_MAKE_DIR \|
		77	LANDLOCK_ACCESS_FS_MAKE_REG \|
		78	LANDLOCK_ACCESS_FS_MAKE_SOCK \|
		79	LANDLOCK_ACCESS_FS_MAKE_FIFO \|
		80	LANDLOCK_ACCESS_FS_MAKE_BLOCK \|
		81	LANDLOCK_ACCESS_FS_MAKE_SYM \|
		82	LANDLOCK_ACCESS_FS_REFER \|
		83	LANDLOCK_ACCESS_FS_TRUNCATE \|
		84	LANDLOCK_ACCESS_FS_IOCTL_DEV;
		85	rules.handled_access_net =
		86	LANDLOCK_ACCESS_NET_BIND_TCP \|
		87	LANDLOCK_ACCESS_NET_CONNECT_TCP;
		88
		89	abi = syscall(SYS_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
		90	switch (abi) {
		91	case -1:
		92	srv_debug(0, xs_dup("Kernel without landlock support"));
		93	return;
		94	case 1:
		95	rules.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
		96	__attribute__((fallthrough));
		97	case 2:
		98	rules.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
		99	__attribute__((fallthrough));
		100	case 3:
		101	rules.handled_access_net &= ~(LANDLOCK_ACCESS_NET_BIND_TCP \| LANDLOCK_ACCESS_NET_CONNECT_TCP);
		102	__attribute__((fallthrough));
		103	case 4:
		104	rules.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV;
		105	}
		106	srv_debug(1, xs_fmt("lanlock abi: %d", abi));
		107
		108	ruleset_fd = syscall(SYS_landlock_create_ruleset, &rules, sizeof(struct landlock_ruleset_attr), 0);
		109	if (ruleset_fd == -1) {
		110	srv_debug(0, xs_fmt("landlock_create_ruleset failed: %s", strerror(errno)));
		111	return;
		112	}
		113
		114	#define LL_R LANDLOCK_ACCESS_FS_READ_FILE
		115	#define LL_X LANDLOCK_ACCESS_FS_EXECUTE
		116	#define LL_RWC (LL_R \| LANDLOCK_ACCESS_FS_WRITE_FILE \| LANDLOCK_ACCESS_FS_MAKE_REG \| LANDLOCK_ACCESS_FS_TRUNCATE)
		117	#define LL_UNX (LL_R \| LANDLOCK_ACCESS_FS_WRITE_FILE \| LANDLOCK_ACCESS_FS_MAKE_SOCK)
		118	#define LL_CON LANDLOCK_ACCESS_NET_CONNECT_TCP
		119	#define LL_BND LANDLOCK_ACCESS_NET_BIND_TCP
		120
		121	#define LANDLOCK_PATH(p, r) do {\
		122	path.allowed_access = r;\
		123	if (abi < 3)\
		124	path.allowed_access &= ~LANDLOCK_ACCESS_FS_TRUNCATE;\
		125	path.parent_fd = open(p, O_PATH \| O_CLOEXEC);\
		126	if (path.parent_fd == -1) {\
		127	srv_debug(2, xs_fmt("open %s: %s", p, strerror(errno)));\
		128	goto close;\
		129	}\
		130	error = syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &path, 0); \
		131	if (error) {\
		132	srv_debug(0, xs_fmt("LANDLOCK_PATH(%s): %s", p, strerror(errno)));\
		133	goto close;\
		134	}\
		135	} while (0)
		136
		137	#define LANDLOCK_PORT(p, r) do {\
		138	uint16_t _p = p;\
		139	net.port = _p;\
		140	net.allowed_access = r;\
		141	error = syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_NET_PORT, &net, 0);\
		142	if (error) {\
		143	srv_debug(0, xs_fmt("LANDLOCK_PORT(%d): %s", _p, strerror(errno)));\
		144	goto close;\
		145	}\
		146	} while (0)
		147
		148	LANDLOCK_PATH(basedir, LL_RWC);
		149	LANDLOCK_PATH("/tmp", LL_RWC);
		150	LANDLOCK_PATH("/dev/shm", LL_RWC);
		151	LANDLOCK_PATH("/etc/resolv.conf", LL_R );
		152	LANDLOCK_PATH("/etc/hosts", LL_R );
		153	LANDLOCK_PATH("/etc/ssl/openssl.cnf", LL_R );
		154	LANDLOCK_PATH("/etc/ssl/cert.pem", LL_R );
		155	LANDLOCK_PATH("/usr/share/zoneinfo", LL_R );
		156
		157	if (*address == '/')
		158	LANDLOCK_PATH(address, LL_UNX);
		159
		160	if (abi > 3) {
		161	if (*address != '/') {
		162	LANDLOCK_PORT(
		163	(uint16_t)xs_number_get(xs_dict_get(srv_config, "port")), LL_BND);
		164	}
		165
		166	LANDLOCK_PORT(80, LL_CON);
		167	LANDLOCK_PORT(443, LL_CON);
		168	}
		169
		170	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
		171	srv_debug(0, xs_fmt("prctl SET_NO_NEW_PRIVS: %s", strerror(errno)));
		172	goto close;
		173	}
		174
		175	if (syscall(SYS_landlock_restrict_self, ruleset_fd, 0))
		176	srv_debug(0, xs_fmt("landlock_restrict_self: %s", strerror(errno)));
		177
		178	srv_log(xs_dup("landlocked"));
		179
		180	close:
		181	close(ruleset_fd);
		182
		183	#endif
		184	}


diff --git a/snac.h b/snac.h index ad2793e..ba84420 100644 --- a/snac.h +++ b/snac.h
@@ -75,6 +75,8 @@ void snac_log(snac user, xs_str str);
75	int srv_open(const char *basedir, int auto_upgrade);	75	int srv_open(const char *basedir, int auto_upgrade);
76	void srv_free(void);	76	void srv_free(void);
77		77
		78	void sbox_enter(const char *basedir);
		79
78	int user_open(snac snac, const char uid);	80	int user_open(snac snac, const char uid);
79	void user_free(snac *snac);	81	void user_free(snac *snac);
80	xs_list *user_list(void);	82	xs_list *user_list(void);