-
Notifications
You must be signed in to change notification settings - Fork 8
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fixes issue #25
- Loading branch information
Showing
2 changed files
with
81 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| package landlock | ||
|
|
||
| type compositeRule struct { | ||
| rules []Rule | ||
| } | ||
|
|
||
| func (c *compositeRule) compatibleWithConfig(cfg Config) bool { | ||
| for _, r := range c.rules { | ||
| if !r.compatibleWithConfig(cfg) { | ||
| return false | ||
| } | ||
| } | ||
| return true | ||
| } | ||
|
|
||
| func (c *compositeRule) downgrade(cfg Config) (out Rule, ok bool) { | ||
| cr := new(compositeRule) | ||
| for _, r := range c.rules { | ||
| r, ok := r.downgrade(cfg) | ||
| if !ok { | ||
| return nil, false | ||
| } | ||
| cr.rules = append(cr.rules, r) | ||
| } | ||
| return cr, true | ||
| } | ||
|
|
||
| func (c *compositeRule) addToRuleset(rulesetFD int, cfg Config) error { | ||
| for _, r := range c.rules { | ||
| err := r.addToRuleset(rulesetFD, cfg) | ||
| if err != nil { | ||
| return err | ||
| } | ||
| } | ||
| return nil | ||
| } | ||
|
|
||
| // CompositeRule returns a rule composed of sub-rules. | ||
| // | ||
| // A composite rule passed to [Restrict] behaves the same as passing | ||
| // all sub-rules individually. Composite rules are not strictly | ||
| // necessary in Go-Landlock, but useful for building libraries of | ||
| // re-usable Landlock rules. | ||
| func CompositeRule(rules ...Rule) Rule { | ||
| return &compositeRule{rules: rules} | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| // Package llrules experimentally implements commonly used groups of | ||
| // Landlock rules. | ||
| package llrules | ||
|
|
||
| import "github.com/landlock-lsm/go-landlock/landlock" | ||
|
|
||
| func DNSOverTCP() landlock.Rule { | ||
| return landlock.CompositeRule(landlock.ConnectTCP(53), dnsFiles()) | ||
| } | ||
|
|
||
| func DNSOverUDP() landlock.Rule { | ||
| // UDP is not restrictable yet, but it can be added here once | ||
| // Landlock can do that. | ||
| return dnsFiles() | ||
| } | ||
|
|
||
| func dnsFiles() landlock.Rule { | ||
| return landlock.ROFiles( | ||
| "/etc/hosts", | ||
| "/etc/resolv.conf", | ||
| ).IgnoreIfMissing() | ||
| } | ||
|
|
||
| func SharedLibraries() landlock.Rule { | ||
| // XXX: How does the linker look up this list of paths? | ||
| // XXX: Use more specific rulesets. | ||
| return landlock.RODirs( | ||
| "/lib", | ||
| "/lib32", | ||
| "/lib64", | ||
| "/usr/lib", | ||
| "/usr/lib32", | ||
| "/usr/lib64", | ||
| ).IgnoreIfMissing() | ||
| } |