hakurei/container/landlock/landlock.go

package landlock

/*
#include <linux/landlock.h>
#include <sys/syscall.h>
*/
import "C"

import (
	"fmt"
	"syscall"
	"unsafe"
)

const (
	LANDLOCK_CREATE_RULESET_VERSION     = C.LANDLOCK_CREATE_RULESET_VERSION
	LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET = C.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET

	SYS_LANDLOCK_CREATE_RULESET = C.SYS_landlock_create_ruleset
	SYS_LANDLOCK_RESTRICT_SELF  = C.SYS_landlock_restrict_self
)

type LandlockRulesetAttr = C.struct_landlock_ruleset_attr

// ScopeAbstract calls landlock_restrict_self and must be called from a goroutine wired to an m
// with the process starting from the same goroutine.
func ScopeAbstract() error {
	abi, _, err := syscall.Syscall(SYS_LANDLOCK_CREATE_RULESET, 0, 0, LANDLOCK_CREATE_RULESET_VERSION)

	if err != 0 {
		return fmt.Errorf("could not fetch landlock ABI: errno %v", err)
	}

	if abi < 6 {
		return fmt.Errorf("landlock ABI must be >= 6, got %d", abi)
	}

	attrs := LandlockRulesetAttr{
		scoped: LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET,
	}

	fd, _, err := syscall.Syscall(SYS_LANDLOCK_CREATE_RULESET, uintptr(unsafe.Pointer(&attrs)), unsafe.Sizeof(attrs), 0)

	if err != 0 {
		return fmt.Errorf("could not create landlock ruleset: errno %v", err)
	}

	defer syscall.Close(int(fd))

	r, _, err := syscall.Syscall(SYS_LANDLOCK_RESTRICT_SELF, fd, 0, 0)
	if r != 0 {
		return fmt.Errorf("could not restrict self via landlock: errno %v", err)
	}
	return nil
}