security/hakurei
security/hakurei
5
2
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases 4 Wiki Activity
hakurei/container/landlock.go
Clayton Gilmer 40028f3c03
All checks were successful
Test / Create distribution (push) Successful in 37s
Details
Test / Create distribution (pull_request) Successful in 33s
Details
Test / Sandbox (push) Successful in 2m13s
Details
Test / Sandbox (pull_request) Successful in 2m10s
Details
Test / Hpkg (pull_request) Successful in 4m2s
Details
Test / Hpkg (push) Successful in 4m11s
Details
Test / Sandbox (race detector) (pull_request) Successful in 4m15s
Details
Test / Sandbox (race detector) (push) Successful in 4m22s
Details
Test / Hakurei (pull_request) Successful in 4m39s
Details
Test / Hakurei (race detector) (push) Successful in 5m3s
Details
Test / Hakurei (race detector) (pull_request) Successful in 4m57s
Details
Test / Flake checks (pull_request) Successful in 1m25s
Details
Test / Hakurei (push) Successful in 38s
Details
Test / Flake checks (push) Successful in 1m23s
Details
container: optionally isolate host abstract UNIX domain sockets via landlock
2025-08-18 14:35:49 +09:00

60 lines
1.4 KiB
Go
Raw Blame History

package container
/*
#include <linux/landlock.h>
#include <sys/syscall.h>
*/
import "C"
import (
"syscall"
"unsafe"
"hakurei.app/container/seccomp"
)
const (
LANDLOCK_CREATE_RULESET_VERSION = C.LANDLOCK_CREATE_RULESET_VERSION
LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET = C.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
LANDLOCK_SCOPE_SIGNAL = C.LANDLOCK_SCOPE_SIGNAL
)
type RulesetAttr = C.struct_landlock_ruleset_attr
func NewRulesetAttr(scoped int) RulesetAttr { return RulesetAttr{scoped: C.__u64(scoped)} }
/* TODO: remove everything above this */
func LandlockCreateRuleset(rulesetAttr *RulesetAttr, flags uintptr) (fd int, err error) {
var pointer, size uintptr
// NULL needed for abi version
if rulesetAttr != nil {
pointer = uintptr(unsafe.Pointer(rulesetAttr))
size = unsafe.Sizeof(*rulesetAttr)
}
rulesetFd, _, errno := syscall.Syscall(seccomp.SYS_LANDLOCK_CREATE_RULESET, pointer, size, flags)
fd = int(rulesetFd)
err = errno
if fd < 0 {
return
}
if rulesetAttr != nil { // not a fd otherwise
syscall.CloseOnExec(fd)
}
return fd, nil
}
func LandlockGetABI() (int, error) {
return LandlockCreateRuleset(nil, LANDLOCK_CREATE_RULESET_VERSION)
}
func LandlockRestrictSelf(rulesetFd int, flags uintptr) error {
r, _, errno := syscall.Syscall(seccomp.SYS_LANDLOCK_RESTRICT_SELF, uintptr(rulesetFd), flags, 0)
if r != 0 {
return errno
}
return nil
}
Reference in New Issue View Git Blame Copy Permalink