hakurei/container/landlock/landlock.go

package landlock

/*
#cgo linux pkg-config: --static libpsx

#include <linux/landlock.h>
#include <sys/syscall.h>

#include "landlock-helper.h"
*/
import "C"

import (
	"fmt"
	"syscall"
	"unsafe"
)

const (
	LANDLOCK_CREATE_RULESET_VERSION     = C.LANDLOCK_CREATE_RULESET_VERSION
	LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET = C.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET

	SYS_LANDLOCK_CREATE_RULESET = C.SYS_landlock_create_ruleset
)

type LandlockRulesetAttr = C.struct_landlock_ruleset_attr

func ScopeAbstract() error {
	abi, _, err := syscall.Syscall(SYS_LANDLOCK_CREATE_RULESET, 0, 0, LANDLOCK_CREATE_RULESET_VERSION)

	if err != 0 {
		return fmt.Errorf("could not fetch landlock ABI: errno %v", err)
	}

	if abi < 6 {
		return fmt.Errorf("landlock ABI must be >= 6, got %d", abi)
	}

	attrs := LandlockRulesetAttr{
		scoped: LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET,
	}

	fd, _, err := syscall.Syscall(SYS_LANDLOCK_CREATE_RULESET, uintptr(unsafe.Pointer(&attrs)), unsafe.Sizeof(attrs), 0)

	if err != 0 {
		return fmt.Errorf("could not create landlock ruleset: errno %v", err)
	}

	defer syscall.Close(int(fd))

	var errno C.int
	if rv := C.hakurei_scope_abstract_unix_sockets(&errno, C.int(fd)); rv != 0 {
		return fmt.Errorf("could not restrict self via landlock: errno %v", errno)
	}

	return nil
}