From 10f8b1c2214bf75cc2d755956c57bac193fe6427 Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Tue, 7 Apr 2026 12:44:07 +0900
Subject: [PATCH] internal/pkg: optional landlock LSM

The alpine linux riscv64 kernel does not enable Landlock LSM, and kernel compilation is not yet feasible.

Signed-off-by: Ophestra
---
 internal/pkg/exec.go | 7 +++++--
 internal/pkg/pkg.go | 8 ++++++++
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/internal/pkg/exec.go b/internal/pkg/exec.go
index fcbf1245..4865c71a 100644
--- a/internal/pkg/exec.go
+++ b/internal/pkg/exec.go
@@ -397,6 +397,7 @@ const SeccompPresets = std.PresetStrict &
 func (a *execArtifact) makeContainer(
 ctx context.Context,
 msg message.Msg,
+ flags int,
 hostNet bool,
 temp, work *check.Absolute,
 getArtifact GetArtifactFunc,
@@ -423,7 +424,9 @@ func (a *execArtifact) makeContainer(
 z.SeccompFlags |= seccomp.AllowMultiarch
 z.ParentPerm = 0700
 z.HostNet = hostNet
+ z.HostAbstract = flags&CHostAbstract != 0
 z.Hostname = "cure"
+ z.SetScheduler = flags&CSchedIdle != 0
 z.SchedPolicy = ext.SCHED_IDLE
 if z.HostNet {
 z.Hostname = "cure-net"
@@ -559,6 +562,7 @@ func (c *Cache) EnterExec(
 var z *container.Container
 z, err = e.makeContainer(
 ctx, c.msg,
+ c.flags,
 hostNet,
 temp, work,
 func(a Artifact) (*check.Absolute, unique.Handle[Checksum]) {
@@ -598,14 +602,13 @@ func (a *execArtifact) cure(f *FContext, hostNet bool) (err error) {
 msg := f.GetMessage()
 var z *container.Container
 if z, err = a.makeContainer(
- ctx, msg, hostNet,
+ ctx, msg, f.cache.flags, hostNet,
 f.GetTempDir(), f.GetWorkDir(), f.GetArtifact, f.cache.Ident,
 ); err != nil {
 return
 }
- z.SetScheduler = f.cache.flags&CSchedIdle != 0
 var status io.Writer
 if status, err = f.GetStatusWriter(); err != nil {
diff --git a/internal/pkg/pkg.go b/internal/pkg/pkg.go
index ccb7541e..1ecd4b5c 100644
--- a/internal/pkg/pkg.go
+++ b/internal/pkg/pkg.go
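Review bot: In the second hunk, `z.HostAbstract = flags&CHostAbstract != 0` relaxes the abstract-socket restriction purely on the strength of a cache flag, with nothing in this hunk checking that the running kernel actually lacks Landlock and no diagnostic when the opt-out takes effect, so a stray CHostAbstract on a Landlock-capable kernel silently weakens every container built through makeContainer, including the hostNet "cure-net" one where host abstract sockets are presumably reachable. I would at least make the opt-out visible in the build output next to that line, e.g. `if z.HostAbstract { msg.Verbose("host abstract unix sockets reachable from container (CHostAbstract)") }`, assuming message.Msg exposes a verbose or warning method, and ideally have the container layer probe Landlock (landlock_create_ruleset with LANDLOCK_CREATE_RULESET_VERSION) and treat CHostAbstract as permission to fall back when the probe fails rather than as an unconditional opt-out. The same hunk moves `z.SetScheduler` into makeContainer, so every caller now inherits the CSchedIdle decision from flags. makeContainer's body continues outside this hunk.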
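Review bot: Passing `c.flags` into makeContainer in the third hunk means EnterExec's container now also gets `z.SetScheduler = flags&CSchedIdle != 0` applied inside makeContainer, whereas the only SetScheduler assignment this patch shows being removed is the one in cure, and the commit message mentions only Landlock. If EnterExec already set z.SetScheduler itself somewhere outside this hunk, that line is now redundant and should go; if it did not, running an EnterExec session (presumably interactive, given the name) under SCHED_IDLE is a behaviour change that deserves a sentence in the message or its own commit. The EnterExec body starts before and continues past this hunk.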
@@ -521,6 +521,14 @@ const (
 // was caused by an incorrect checksum accidentally left behind while
 // bumping a package. Only enable this if you are really sure you need it.
 CAssumeChecksum
+
+ // CHostAbstract disables restriction of sandboxed processes from connecting
+ // to an abstract UNIX socket created by a host process.
+ //
+ // This is considered less secure in some systems, but does not introduce
+ // impurity due to [KindExecNet] being [KnownChecksum]. This flag exists
+ // to support kernels without Landlock LSM enabled.
+ CHostAbstract
 )
 
 // Cache is a support layer that implementations of [Artifact] can use to store
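Review bot: The new CHostAbstract doc comment leaves the actual risk vague ("considered less secure in some systems") and does not tell the reader that the flag is a blanket opt-out rather than a capability fallback: nothing in the text ties it to Landlock being absent, so it reads as safe to leave on. I would state the threat concretely and mirror the CAssumeChecksum wording: `// With this flag a sandboxed process can connect to any abstract UNIX socket in its network namespace, including host listeners such as X11 or D-Bus where those use abstract addresses.` followed by `// It exists only for kernels without Landlock; only enable this if you are really sure you need it.` Abstract sockets are scoped to the network namespace, so the exposure is presumably confined to the host-network exec kind, which matches the [KindExecNet] remark but is worth saying outright. The const block starts before this hunk.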