3 files changed, 199 insertions, 130 deletions
diff --git a/Makefile b/Makefile
index 225031a..2b89cfa 100644
--- a/Makefile
+++ b/Makefile
@@ -37,7 +37,8 @@ activitypub.o: activitypub.c xs.h xs_json.h xs_curl.h xs_mime.h \
 xs_openssl.h xs_regex.h xs_time.h xs_set.h xs_match.h snac.h \
 http_codes.h
 sandbox.o: sandbox.c xs.h xs_hex.h xs_io.h xs_json.h xs_openssl.h \
- xs_glob.h xs_set.h xs_time.h xs_regex.h xs_match.h xs_unicode.h snac.h
+ xs_glob.h xs_set.h xs_time.h xs_regex.h xs_match.h xs_unicode.h \
+ landloc.h snac.h
 data.o: data.c xs.h xs_hex.h xs_io.h xs_json.h xs_openssl.h xs_glob.h \
 xs_set.h xs_time.h xs_regex.h xs_match.h xs_unicode.h xs_random.h snac.h \
 http_codes.h
diff --git a/landloc.h b/landloc.h
new file mode 100644
index 0000000..c5b849a
--- /dev/null
+++ b/landloc.h
@@ -0,0 +1,153 @@
+/**
+ *  Zero-Clause BSD
+ *  ===============
+ *
+ *  Copyright 2024 shtrophic <christoph@liebender.dev>
+ *
+ *  Permission to use, copy, modify, and/or distribute this software for
+ *  any purpose with or without fee is hereby granted.
+ *
+ *  THE SOFTWARE IS PROVIDED “AS IS” AND THE AUTHOR DISCLAIMS ALL
+ *  WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ *  OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE
+ *  FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY
+ *  DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
+ *  AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ *  OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ */
+/**
+ * Usage example:
+ *
+LL_BEGIN(my_sandbox_function, const char *rw_path) {
+    LL_PATH(rw_path, LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_EXECUTE);
+    LL_PORT(443, LANDLOCK_ACCESS_NET_CONNECT_TCP);
+} LL_END
+int main(void) {
+    int status = my_sandbox_function("some/path");
+    if (status != 0) {
+        // error
+    }
+}
+ */
+#ifndef __LANDLOC_H__
+#define __LANDLOC_H__
+#ifndef __linux__
+#error "no landlock without linux"
+#endif
+#include <unistd.h>
+#include <linux/landlock.h>
+#include <sys/syscall.h>
+#include <sys/prctl.h>
+#include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH          010000000
+#endif
+#ifndef LL_PRINTERR
+#define LL_PRINTERR(fmt, ...) (void)fmt;
+#else
+#include <string.h>
+#include <errno.h>
+#endif
+#define LL_FS_ALL                   (\
+    LANDLOCK_ACCESS_FS_EXECUTE      |\
+    LANDLOCK_ACCESS_FS_WRITE_FILE   |\
+    LANDLOCK_ACCESS_FS_READ_FILE    |\
+    LANDLOCK_ACCESS_FS_READ_DIR     |\
+    LANDLOCK_ACCESS_FS_REMOVE_DIR   |\
+    LANDLOCK_ACCESS_FS_REMOVE_FILE  |\
+    LANDLOCK_ACCESS_FS_MAKE_CHAR    |\
+    LANDLOCK_ACCESS_FS_MAKE_DIR     |\
+    LANDLOCK_ACCESS_FS_MAKE_REG     |\
+    LANDLOCK_ACCESS_FS_MAKE_SOCK    |\
+    LANDLOCK_ACCESS_FS_MAKE_FIFO    |\
+    LANDLOCK_ACCESS_FS_MAKE_BLOCK   |\
+    LANDLOCK_ACCESS_FS_MAKE_SYM     |\
+    LANDLOCK_ACCESS_FS_REFER        |\
+    LANDLOCK_ACCESS_FS_TRUNCATE     |\
+    LANDLOCK_ACCESS_FS_IOCTL_DEV    )
+#define LL_NET_ALL                  (\
+    LANDLOCK_ACCESS_NET_BIND_TCP    |\
+    LANDLOCK_ACCESS_NET_CONNECT_TCP )
+#define LL_BEGIN(function, ...) int function(__VA_ARGS__) {\
+    int ll_rule_fd, ll_abi;\
+    struct landlock_ruleset_attr      __rattr = {0};\
+    struct landlock_path_beneath_attr __pattr = {0};\
+    struct landlock_net_port_attr     __nattr = {0};\
+    int __err = 0;\
+    __rattr.handled_access_fs  = LL_FS_ALL;\
+    __rattr.handled_access_net = LL_NET_ALL;\
+    ll_abi = (int)syscall(SYS_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);\
+    switch (ll_abi) {\
+    case -1: return -1;\
+    case  1: __rattr.handled_access_fs  &= ~LANDLOCK_ACCESS_FS_REFER; __attribute__((fallthrough));\
+    case  2: __rattr.handled_access_fs  &= ~LANDLOCK_ACCESS_FS_TRUNCATE; __attribute__((fallthrough));\
+    case  3: __rattr.handled_access_net &= ~(LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP); __attribute__((fallthrough));\
+    case  4: __rattr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV;\
+    default: break;\
+    }\
+    ll_rule_fd = (int)syscall(SYS_landlock_create_ruleset, &__rattr, sizeof(struct landlock_ruleset_attr), 0);\
+    if (-1 == ll_rule_fd) {\
+        LL_PRINTERR("landlock_create_ruleset: %s", strerror(errno));\
+        return -1;\
+    }
+#define LL_END \
+    __err = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);\
+    if (-1 == __err) {\
+        LL_PRINTERR("set_no_new_privs: %s", strerror(errno));\
+        goto __close;\
+    }\
+    __err = (int)syscall(SYS_landlock_restrict_self, ll_rule_fd, 0);\
+    if (__err)\
+        LL_PRINTERR("landlock_restrict_self: %s", strerror(errno));\
+    __close: close(ll_rule_fd);\
+    return __err; }
+#define LL_PATH(p, rules) do {\
+    const char *__path = (p);\
+    __pattr.allowed_access = (rules) & __rattr.handled_access_fs;\
+    __pattr.parent_fd = open(__path, O_PATH | O_CLOEXEC);\
+    if (-1 == __pattr.parent_fd) {\
+        LL_PRINTERR("open(%s): %s", __path, strerror(errno));\
+        __err = -1;\
+        goto __close;\
+    }\
+    __err = (int)syscall(SYS_landlock_add_rule, ll_rule_fd, LANDLOCK_RULE_PATH_BENEATH, &__pattr, 0);\
+    if (__err) {\
+        LL_PRINTERR("landlock_add_rule(%s): %s", __path, strerror(errno));\
+        goto __close;\
+    }\
+    close(__pattr.parent_fd);\
+} while (0)
+#define LL_PORT(p, rules) do {\
+    if (ll_abi > 3) {\
+        unsigned short __port = (p);\
+        __nattr.allowed_access = (rules);\
+        __nattr.port = __port;\
+        __err = (int)syscall(SYS_landlock_add_rule, ll_rule_fd, LANDLOCK_RULE_NET_PORT, &__nattr, 0);\
+        if (__err) {\
+            LL_PRINTERR("landlock_add_rule(%u): %s", __port, strerror(errno));\
+            goto __close;\
+        }\
+    }\
+} while (0)
+#endif /* __LANDLOC_H__ */
diff --git a/sandbox.c b/sandbox.c
index 7f26d0a..6dd9360 100644
--- a/sandbox.c
+++ b/sandbox.c
@@ -5,12 +5,49 @@
 #include <unistd.h>
 #if defined (__linux__)
-#   define __USE_GNU
-#   include <linux/landlock.h>
+#define LL_PRINTERR(fmt, ...) srv_debug(0, xs_fmt(fmt, __VA_ARGS__))
-#   include <sys/syscall.h>
+#include "landloc.h"
-#   include <sys/prctl.h>
-#   include <stdint.h>
+#define LL_R LANDLOCK_ACCESS_FS_READ_FILE
-#   include <fcntl.h>
+#define LL_X LANDLOCK_ACCESS_FS_EXECUTE
+#define LL_RWCF (LL_R | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_TRUNCATE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REFER)
+#define LL_RWCD (LL_RWCF | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_REMOVE_DIR)
+#define LL_UNIX (LL_R | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_SOCK)
+#define LL_CONN LANDLOCK_ACCESS_NET_CONNECT_TCP
+#define LL_BIND LANDLOCK_ACCESS_NET_BIND_TCP
+static
+LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail) {
+    LL_PATH(basedir,                LL_RWCD);
+    LL_PATH("/tmp",                 LL_RWCD);
+#ifndef WITHOUT_SHM
+    LL_PATH("/dev/shm",             LL_RWCF);
+#endif
+    LL_PATH("/etc/resolv.conf",     LL_R  );
+    LL_PATH("/etc/hosts",           LL_R  );
+    LL_PATH("/etc/ssl/openssl.cnf", LL_R  );
+    LL_PATH("/etc/ssl/cert.pem",    LL_R  );
+    LL_PATH("/usr/share/zoneinfo",  LL_R  );
+    if (*address == '/')
+        LL_PATH(address, LL_UNIX);
+    if (smail)
+        LL_PATH("/usr/sbin/sendmail", LL_X);
+    if (*address != '/') {
+        LL_PORT(
+            (unsigned short)xs_number_get(xs_dict_get(srv_config, "port")), LL_BIND);
+    }
+    LL_PORT(80,  LL_CONN);
+    LL_PORT(443, LL_CONN);
+} LL_END
 #endif
 void sbox_enter(const char *basedir)
@@ -60,132 +97,10 @@ void sbox_enter(const char *basedir)
    xs_free(p);
 #elif defined (__linux__)
-    int error, ruleset_fd, abi;
-    struct landlock_ruleset_attr      rules = {0};
-    struct landlock_path_beneath_attr path  = {0};
-    struct landlock_net_port_attr     net   = {0};
-    rules.handled_access_fs =
-        LANDLOCK_ACCESS_FS_EXECUTE     |
-        LANDLOCK_ACCESS_FS_WRITE_FILE  |
-        LANDLOCK_ACCESS_FS_READ_FILE   |
-        LANDLOCK_ACCESS_FS_REMOVE_DIR  |
-        LANDLOCK_ACCESS_FS_REMOVE_FILE |
-        LANDLOCK_ACCESS_FS_MAKE_CHAR   |
-        LANDLOCK_ACCESS_FS_MAKE_DIR    |
-        LANDLOCK_ACCESS_FS_MAKE_REG    |
-        LANDLOCK_ACCESS_FS_MAKE_SOCK   |
-        LANDLOCK_ACCESS_FS_MAKE_FIFO   |
-        LANDLOCK_ACCESS_FS_MAKE_BLOCK  |
-        LANDLOCK_ACCESS_FS_MAKE_SYM    |
-        LANDLOCK_ACCESS_FS_REFER       |
-        LANDLOCK_ACCESS_FS_TRUNCATE    |
-        LANDLOCK_ACCESS_FS_IOCTL_DEV;
-    rules.handled_access_net =
-        LANDLOCK_ACCESS_NET_BIND_TCP |
-        LANDLOCK_ACCESS_NET_CONNECT_TCP;
-    abi = syscall(SYS_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
-    switch (abi) {
-    case -1:
-        srv_debug(0, xs_dup("Kernel without landlock support"));
-        return;
-    case 1:
-        rules.handled_access_fs  &= ~LANDLOCK_ACCESS_FS_REFER;
-        __attribute__((fallthrough));
-    case 2:
-        rules.handled_access_fs  &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
-        __attribute__((fallthrough));
-    case 3:
-        rules.handled_access_net &= ~(LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP);
-        __attribute__((fallthrough));
-    case 4:
-        rules.handled_access_fs  &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV;
-    }
-    srv_debug(1, xs_fmt("lanlock abi: %d", abi));
-    ruleset_fd = syscall(SYS_landlock_create_ruleset, &rules, sizeof(struct landlock_ruleset_attr), 0);
-    if (ruleset_fd == -1) {
-        srv_debug(0, xs_fmt("landlock_create_ruleset failed: %s", strerror(errno)));
-        return;
-    }
-#define LL_R LANDLOCK_ACCESS_FS_READ_FILE
-#define LL_X LANDLOCK_ACCESS_FS_EXECUTE
-#define LL_RWCF (LL_R | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_TRUNCATE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REFER)
-#define LL_RWCD (LL_RWCF | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_REMOVE_DIR)
-#define LL_UNIX (LL_R | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_SOCK)
-#define LL_CONN LANDLOCK_ACCESS_NET_CONNECT_TCP
-#define LL_BIND LANDLOCK_ACCESS_NET_BIND_TCP
-#define LANDLOCK_PATH(p, r) do {\
-    path.allowed_access = r;\
-    if (abi < 2)\
-        path.allowed_access &= ~LANDLOCK_ACCESS_FS_REFER;\
-    if (abi < 3)\
-        path.allowed_access &= ~LANDLOCK_ACCESS_FS_TRUNCATE;\
-    path.parent_fd = open(p, O_PATH | O_CLOEXEC);\
-    if (path.parent_fd == -1) {\
-        srv_debug(2, xs_fmt("open %s: %s", p, strerror(errno)));\
-        goto close;\
-    }\
-    error = syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &path, 0); \
-    if (error) {\
-        srv_debug(0, xs_fmt("LANDLOCK_PATH(%s): %s", p, strerror(errno)));\
-        goto close;\
-    }\
-} while (0)
-#define LANDLOCK_PORT(p, r) do {\
-    uint16_t _p = p;\
-    net.port = _p;\
-    net.allowed_access = r;\
-    error = syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_NET_PORT, &net, 0);\
-    if (error) {\
-        srv_debug(0, xs_fmt("LANDLOCK_PORT(%d): %s", _p, strerror(errno)));\
-        goto close;\
-    }\
-} while (0)
-    LANDLOCK_PATH(basedir,                LL_RWCD);
-    LANDLOCK_PATH("/tmp",                 LL_RWCD);
-#ifndef WITHOUT_SHM
-    LANDLOCK_PATH("/dev/shm",             LL_RWCF);
-#endif
-    LANDLOCK_PATH("/etc/resolv.conf",     LL_R  );
-    LANDLOCK_PATH("/etc/hosts",           LL_R  );
-    LANDLOCK_PATH("/etc/ssl/openssl.cnf", LL_R  );
-    LANDLOCK_PATH("/etc/ssl/cert.pem",    LL_R  );
-    LANDLOCK_PATH("/usr/share/zoneinfo",  LL_R  );
-    if (*address == '/')
-        LANDLOCK_PATH(address, LL_UNIX);
-    if (smail)
-        LANDLOCK_PATH("/usr/sbin/sendmail", LL_X);
-    if (abi > 3) {
-        if (*address != '/') {
-            LANDLOCK_PORT(
-                (uint16_t)xs_number_get(xs_dict_get(srv_config, "port")), LL_BIND);
-        }
-        LANDLOCK_PORT(80,  LL_CONN);
-        LANDLOCK_PORT(443, LL_CONN);
-    }
    
-    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+    sbox_enter_linux_(basedir, address, smail);
-        srv_debug(0, xs_fmt("prctl SET_NO_NEW_PRIVS: %s", strerror(errno)));
-        goto close;
-    }
-    if (syscall(SYS_landlock_restrict_self, ruleset_fd, 0))
-        srv_debug(0, xs_fmt("landlock_restrict_self: %s", strerror(errno)));
    srv_log(xs_dup("landlocked"));
-close:
-    close(ruleset_fd);
 #endif
 }

diff --git a/Makefile b/Makefile index 225031a..2b89cfa 100644 --- a/Makefile +++ b/Makefile
@@ -37,7 +37,8 @@ activitypub.o: activitypub.c xs.h xs_json.h xs_curl.h xs_mime.h \
37	xs_openssl.h xs_regex.h xs_time.h xs_set.h xs_match.h snac.h \	37	xs_openssl.h xs_regex.h xs_time.h xs_set.h xs_match.h snac.h \
38	http_codes.h	38	http_codes.h
39	sandbox.o: sandbox.c xs.h xs_hex.h xs_io.h xs_json.h xs_openssl.h \	39	sandbox.o: sandbox.c xs.h xs_hex.h xs_io.h xs_json.h xs_openssl.h \
40	xs_glob.h xs_set.h xs_time.h xs_regex.h xs_match.h xs_unicode.h snac.h	40	xs_glob.h xs_set.h xs_time.h xs_regex.h xs_match.h xs_unicode.h \
		41	landloc.h snac.h
41	data.o: data.c xs.h xs_hex.h xs_io.h xs_json.h xs_openssl.h xs_glob.h \	42	data.o: data.c xs.h xs_hex.h xs_io.h xs_json.h xs_openssl.h xs_glob.h \
42	xs_set.h xs_time.h xs_regex.h xs_match.h xs_unicode.h xs_random.h snac.h \	43	xs_set.h xs_time.h xs_regex.h xs_match.h xs_unicode.h xs_random.h snac.h \
43	http_codes.h	44	http_codes.h


diff --git a/landloc.h b/landloc.h new file mode 100644 index 0000000..c5b849a --- /dev/null +++ b/landloc.h
@@ -0,0 +1,153 @@
		1	/**
		2	* Zero-Clause BSD
		3	* ===============
		4	*
		5	* Copyright 2024 shtrophic <christoph@liebender.dev>
		6	*
		7	* Permission to use, copy, modify, and/or distribute this software for
		8	* any purpose with or without fee is hereby granted.
		9	*
		10	* THE SOFTWARE IS PROVIDED “AS IS” AND THE AUTHOR DISCLAIMS ALL
		11	* WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
		12	* OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE
		13	* FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY
		14	* DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
		15	* AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
		16	* OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
		17	*
		18	*/
		19
		20	/**
		21	* Usage example:
		22	*
		23
		24	LL_BEGIN(my_sandbox_function, const char *rw_path) {
		25
		26	LL_PATH(rw_path, LANDLOCK_ACCESS_FS_READ_FILE \| LANDLOCK_ACCESS_FS_READ_DIR \| LANDLOCK_ACCESS_FS_EXECUTE);
		27	LL_PORT(443, LANDLOCK_ACCESS_NET_CONNECT_TCP);
		28
		29	} LL_END
		30
		31	int main(void) {
		32
		33	int status = my_sandbox_function("some/path");
		34
		35	if (status != 0) {
		36	// error
		37	}
		38
		39	}
		40	*/
		41
		42	#ifndef __LANDLOC_H__
		43	#define __LANDLOC_H__
		44
		45	#ifndef __linux__
		46	#error "no landlock without linux"
		47	#endif
		48
		49	#include <unistd.h>
		50	#include <linux/landlock.h>
		51	#include <sys/syscall.h>
		52	#include <sys/prctl.h>
		53	#include <fcntl.h>
		54
		55	#ifndef O_PATH
		56	#define O_PATH 010000000
		57	#endif
		58
		59	#ifndef LL_PRINTERR
		60	#define LL_PRINTERR(fmt, ...) (void)fmt;
		61	#else
		62	#include <string.h>
		63	#include <errno.h>
		64	#endif
		65
		66	#define LL_FS_ALL (\
		67	LANDLOCK_ACCESS_FS_EXECUTE \|\
		68	LANDLOCK_ACCESS_FS_WRITE_FILE \|\
		69	LANDLOCK_ACCESS_FS_READ_FILE \|\
		70	LANDLOCK_ACCESS_FS_READ_DIR \|\
		71	LANDLOCK_ACCESS_FS_REMOVE_DIR \|\
		72	LANDLOCK_ACCESS_FS_REMOVE_FILE \|\
		73	LANDLOCK_ACCESS_FS_MAKE_CHAR \|\
		74	LANDLOCK_ACCESS_FS_MAKE_DIR \|\
		75	LANDLOCK_ACCESS_FS_MAKE_REG \|\
		76	LANDLOCK_ACCESS_FS_MAKE_SOCK \|\
		77	LANDLOCK_ACCESS_FS_MAKE_FIFO \|\
		78	LANDLOCK_ACCESS_FS_MAKE_BLOCK \|\
		79	LANDLOCK_ACCESS_FS_MAKE_SYM \|\
		80	LANDLOCK_ACCESS_FS_REFER \|\
		81	LANDLOCK_ACCESS_FS_TRUNCATE \|\
		82	LANDLOCK_ACCESS_FS_IOCTL_DEV )
		83
		84	#define LL_NET_ALL (\
		85	LANDLOCK_ACCESS_NET_BIND_TCP \|\
		86	LANDLOCK_ACCESS_NET_CONNECT_TCP )
		87
		88	#define LL_BEGIN(function, ...) int function(__VA_ARGS__) {\
		89	int ll_rule_fd, ll_abi;\
		90	struct landlock_ruleset_attr __rattr = {0};\
		91	struct landlock_path_beneath_attr __pattr = {0};\
		92	struct landlock_net_port_attr __nattr = {0};\
		93	int __err = 0;\
		94	__rattr.handled_access_fs = LL_FS_ALL;\
		95	__rattr.handled_access_net = LL_NET_ALL;\
		96	ll_abi = (int)syscall(SYS_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);\
		97	switch (ll_abi) {\
		98	case -1: return -1;\
		99	case 1: __rattr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER; __attribute__((fallthrough));\
		100	case 2: __rattr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE; __attribute__((fallthrough));\
		101	case 3: __rattr.handled_access_net &= ~(LANDLOCK_ACCESS_NET_BIND_TCP \| LANDLOCK_ACCESS_NET_CONNECT_TCP); __attribute__((fallthrough));\
		102	case 4: __rattr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV;\
		103	default: break;\
		104	}\
		105	ll_rule_fd = (int)syscall(SYS_landlock_create_ruleset, &__rattr, sizeof(struct landlock_ruleset_attr), 0);\
		106	if (-1 == ll_rule_fd) {\
		107	LL_PRINTERR("landlock_create_ruleset: %s", strerror(errno));\
		108	return -1;\
		109	}
		110
		111	#define LL_END \
		112	__err = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);\
		113	if (-1 == __err) {\
		114	LL_PRINTERR("set_no_new_privs: %s", strerror(errno));\
		115	goto __close;\
		116	}\
		117	__err = (int)syscall(SYS_landlock_restrict_self, ll_rule_fd, 0);\
		118	if (__err)\
		119	LL_PRINTERR("landlock_restrict_self: %s", strerror(errno));\
		120	__close: close(ll_rule_fd);\
		121	return __err; }
		122
		123	#define LL_PATH(p, rules) do {\
		124	const char *__path = (p);\
		125	__pattr.allowed_access = (rules) & __rattr.handled_access_fs;\
		126	__pattr.parent_fd = open(__path, O_PATH \| O_CLOEXEC);\
		127	if (-1 == __pattr.parent_fd) {\
		128	LL_PRINTERR("open(%s): %s", __path, strerror(errno));\
		129	__err = -1;\
		130	goto __close;\
		131	}\
		132	__err = (int)syscall(SYS_landlock_add_rule, ll_rule_fd, LANDLOCK_RULE_PATH_BENEATH, &__pattr, 0);\
		133	if (__err) {\
		134	LL_PRINTERR("landlock_add_rule(%s): %s", __path, strerror(errno));\
		135	goto __close;\
		136	}\
		137	close(__pattr.parent_fd);\
		138	} while (0)
		139
		140	#define LL_PORT(p, rules) do {\
		141	if (ll_abi > 3) {\
		142	unsigned short __port = (p);\
		143	__nattr.allowed_access = (rules);\
		144	__nattr.port = __port;\
		145	__err = (int)syscall(SYS_landlock_add_rule, ll_rule_fd, LANDLOCK_RULE_NET_PORT, &__nattr, 0);\
		146	if (__err) {\
		147	LL_PRINTERR("landlock_add_rule(%u): %s", __port, strerror(errno));\
		148	goto __close;\
		149	}\
		150	}\
		151	} while (0)
		152
		153	#endif /* __LANDLOC_H__ */


diff --git a/sandbox.c b/sandbox.c index 7f26d0a..6dd9360 100644 --- a/sandbox.c +++ b/sandbox.c
@@ -5,12 +5,49 @@
5	#include <unistd.h>	5	#include <unistd.h>
6		6
7	#if defined (__linux__)	7	#if defined (__linux__)
8	# define __USE_GNU	8
9	# include <linux/landlock.h>	9	#define LL_PRINTERR(fmt, ...) srv_debug(0, xs_fmt(fmt, __VA_ARGS__))
10	# include <sys/syscall.h>	10	#include "landloc.h"
11	# include <sys/prctl.h>	11
12	# include <stdint.h>	12	#define LL_R LANDLOCK_ACCESS_FS_READ_FILE
13	# include <fcntl.h>	13	#define LL_X LANDLOCK_ACCESS_FS_EXECUTE
		14	#define LL_RWCF (LL_R \| LANDLOCK_ACCESS_FS_WRITE_FILE \| LANDLOCK_ACCESS_FS_MAKE_REG \| LANDLOCK_ACCESS_FS_TRUNCATE \| LANDLOCK_ACCESS_FS_REMOVE_FILE \| LANDLOCK_ACCESS_FS_REFER)
		15	#define LL_RWCD (LL_RWCF \| LANDLOCK_ACCESS_FS_MAKE_DIR \| LANDLOCK_ACCESS_FS_REMOVE_DIR)
		16	#define LL_UNIX (LL_R \| LANDLOCK_ACCESS_FS_WRITE_FILE \| LANDLOCK_ACCESS_FS_MAKE_SOCK)
		17	#define LL_CONN LANDLOCK_ACCESS_NET_CONNECT_TCP
		18	#define LL_BIND LANDLOCK_ACCESS_NET_BIND_TCP
		19
		20	static
		21	LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail) {
		22
		23	LL_PATH(basedir, LL_RWCD);
		24	LL_PATH("/tmp", LL_RWCD);
		25	#ifndef WITHOUT_SHM
		26	LL_PATH("/dev/shm", LL_RWCF);
		27	#endif
		28	LL_PATH("/etc/resolv.conf", LL_R );
		29	LL_PATH("/etc/hosts", LL_R );
		30	LL_PATH("/etc/ssl/openssl.cnf", LL_R );
		31	LL_PATH("/etc/ssl/cert.pem", LL_R );
		32	LL_PATH("/usr/share/zoneinfo", LL_R );
		33
		34	if (*address == '/')
		35	LL_PATH(address, LL_UNIX);
		36
		37	if (smail)
		38	LL_PATH("/usr/sbin/sendmail", LL_X);
		39
		40
		41	if (*address != '/') {
		42	LL_PORT(
		43	(unsigned short)xs_number_get(xs_dict_get(srv_config, "port")), LL_BIND);
		44	}
		45
		46	LL_PORT(80, LL_CONN);
		47	LL_PORT(443, LL_CONN);
		48
		49	} LL_END
		50
14	#endif	51	#endif
15		52
16	void sbox_enter(const char *basedir)	53	void sbox_enter(const char *basedir)
@@ -60,132 +97,10 @@ void sbox_enter(const char *basedir)
60		97
61	xs_free(p);	98	xs_free(p);
62	#elif defined (__linux__)	99	#elif defined (__linux__)
63	int error, ruleset_fd, abi;
64	struct landlock_ruleset_attr rules = {0};
65	struct landlock_path_beneath_attr path = {0};
66	struct landlock_net_port_attr net = {0};
67
68	rules.handled_access_fs =
69	LANDLOCK_ACCESS_FS_EXECUTE \|
70	LANDLOCK_ACCESS_FS_WRITE_FILE \|
71	LANDLOCK_ACCESS_FS_READ_FILE \|
72	LANDLOCK_ACCESS_FS_REMOVE_DIR \|
73	LANDLOCK_ACCESS_FS_REMOVE_FILE \|
74	LANDLOCK_ACCESS_FS_MAKE_CHAR \|
75	LANDLOCK_ACCESS_FS_MAKE_DIR \|
76	LANDLOCK_ACCESS_FS_MAKE_REG \|
77	LANDLOCK_ACCESS_FS_MAKE_SOCK \|
78	LANDLOCK_ACCESS_FS_MAKE_FIFO \|
79	LANDLOCK_ACCESS_FS_MAKE_BLOCK \|
80	LANDLOCK_ACCESS_FS_MAKE_SYM \|
81	LANDLOCK_ACCESS_FS_REFER \|
82	LANDLOCK_ACCESS_FS_TRUNCATE \|
83	LANDLOCK_ACCESS_FS_IOCTL_DEV;
84	rules.handled_access_net =
85	LANDLOCK_ACCESS_NET_BIND_TCP \|
86	LANDLOCK_ACCESS_NET_CONNECT_TCP;
87
88	abi = syscall(SYS_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
89	switch (abi) {
90	case -1:
91	srv_debug(0, xs_dup("Kernel without landlock support"));
92	return;
93	case 1:
94	rules.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
95	__attribute__((fallthrough));
96	case 2:
97	rules.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
98	__attribute__((fallthrough));
99	case 3:
100	rules.handled_access_net &= ~(LANDLOCK_ACCESS_NET_BIND_TCP \| LANDLOCK_ACCESS_NET_CONNECT_TCP);
101	__attribute__((fallthrough));
102	case 4:
103	rules.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV;
104	}
105	srv_debug(1, xs_fmt("lanlock abi: %d", abi));
106
107	ruleset_fd = syscall(SYS_landlock_create_ruleset, &rules, sizeof(struct landlock_ruleset_attr), 0);
108	if (ruleset_fd == -1) {
109	srv_debug(0, xs_fmt("landlock_create_ruleset failed: %s", strerror(errno)));
110	return;
111	}
112
113	#define LL_R LANDLOCK_ACCESS_FS_READ_FILE
114	#define LL_X LANDLOCK_ACCESS_FS_EXECUTE
115	#define LL_RWCF (LL_R \| LANDLOCK_ACCESS_FS_WRITE_FILE \| LANDLOCK_ACCESS_FS_MAKE_REG \| LANDLOCK_ACCESS_FS_TRUNCATE \| LANDLOCK_ACCESS_FS_REMOVE_FILE \| LANDLOCK_ACCESS_FS_REFER)
116	#define LL_RWCD (LL_RWCF \| LANDLOCK_ACCESS_FS_MAKE_DIR \| LANDLOCK_ACCESS_FS_REMOVE_DIR)
117	#define LL_UNIX (LL_R \| LANDLOCK_ACCESS_FS_WRITE_FILE \| LANDLOCK_ACCESS_FS_MAKE_SOCK)
118	#define LL_CONN LANDLOCK_ACCESS_NET_CONNECT_TCP
119	#define LL_BIND LANDLOCK_ACCESS_NET_BIND_TCP
120
121	#define LANDLOCK_PATH(p, r) do {\
122	path.allowed_access = r;\
123	if (abi < 2)\
124	path.allowed_access &= ~LANDLOCK_ACCESS_FS_REFER;\
125	if (abi < 3)\
126	path.allowed_access &= ~LANDLOCK_ACCESS_FS_TRUNCATE;\
127	path.parent_fd = open(p, O_PATH \| O_CLOEXEC);\
128	if (path.parent_fd == -1) {\
129	srv_debug(2, xs_fmt("open %s: %s", p, strerror(errno)));\
130	goto close;\
131	}\
132	error = syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &path, 0); \
133	if (error) {\
134	srv_debug(0, xs_fmt("LANDLOCK_PATH(%s): %s", p, strerror(errno)));\
135	goto close;\
136	}\
137	} while (0)
138
139	#define LANDLOCK_PORT(p, r) do {\
140	uint16_t _p = p;\
141	net.port = _p;\
142	net.allowed_access = r;\
143	error = syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_NET_PORT, &net, 0);\
144	if (error) {\
145	srv_debug(0, xs_fmt("LANDLOCK_PORT(%d): %s", _p, strerror(errno)));\
146	goto close;\
147	}\
148	} while (0)
149
150	LANDLOCK_PATH(basedir, LL_RWCD);
151	LANDLOCK_PATH("/tmp", LL_RWCD);
152	#ifndef WITHOUT_SHM
153	LANDLOCK_PATH("/dev/shm", LL_RWCF);
154	#endif
155	LANDLOCK_PATH("/etc/resolv.conf", LL_R );
156	LANDLOCK_PATH("/etc/hosts", LL_R );
157	LANDLOCK_PATH("/etc/ssl/openssl.cnf", LL_R );
158	LANDLOCK_PATH("/etc/ssl/cert.pem", LL_R );
159	LANDLOCK_PATH("/usr/share/zoneinfo", LL_R );
160
161	if (*address == '/')
162	LANDLOCK_PATH(address, LL_UNIX);
163
164	if (smail)
165	LANDLOCK_PATH("/usr/sbin/sendmail", LL_X);
166
167	if (abi > 3) {
168	if (*address != '/') {
169	LANDLOCK_PORT(
170	(uint16_t)xs_number_get(xs_dict_get(srv_config, "port")), LL_BIND);
171	}
172
173	LANDLOCK_PORT(80, LL_CONN);
174	LANDLOCK_PORT(443, LL_CONN);
175	}
176		100
177	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {	101	sbox_enter_linux_(basedir, address, smail);
178	srv_debug(0, xs_fmt("prctl SET_NO_NEW_PRIVS: %s", strerror(errno)));
179	goto close;
180	}
181
182	if (syscall(SYS_landlock_restrict_self, ruleset_fd, 0))
183	srv_debug(0, xs_fmt("landlock_restrict_self: %s", strerror(errno)));
184		102
185	srv_log(xs_dup("landlocked"));	103	srv_log(xs_dup("landlocked"));
186		104
187	close:
188	close(ruleset_fd);
189
190	#endif	105	#endif
191	}	106	}