From 8d3c068404dea6efff80876f06a05e0878c0b548 Mon Sep 17 00:00:00 2001
From: Seth Hoenig
Date: Sat, 4 Nov 2023 14:08:20 +0000
Subject: [PATCH] agent: build without landlock support
---
 agent/config.go | 2 +
 agent/lockdown.go | 35 -----------------
 agent/lockdown_default.go | 9 -----
 agent/lockdown_linux.go | 9 -----
 agent/lockdown_test.go | 82 ---------------------------------------
 main.go | 3 --
 6 files changed, 2 insertions(+), 138 deletions(-)
 delete mode 100644 agent/lockdown.go
 delete mode 100644 agent/lockdown_default.go
 delete mode 100644 agent/lockdown_linux.go
 delete mode 100644 agent/lockdown_test.go
diff --git a/agent/config.go b/agent/config.go
index b691a22..e3625ae 100644
--- a/agent/config.go
+++ b/agent/config.go
@@ -37,6 +37,7 @@ type CoreConfig struct {
 SuffixDir string
 NoDefaults bool
 Forward *Forward
+ NoLandlock bool
 }
 
 // Generate a CoreDNS (Caddy) style configuration block as a string.
@@ -82,6 +83,7 @@ func ConfigFromEnv(e env.Environment) *CoreConfig {
 "DONUT_DNS_UPSTREAM_1": env.String(&upstream1, false),
 "DONUT_DNS_UPSTREAM_2": env.String(&upstream2, false),
 "DONUT_DNS_UPSTREAM_NAME": env.String(&cc.Forward.ServerName, false),
+ "DONUT_DNS_NO_LANDLOCK": env.Bool(&cc.NoLandlock, false),
 }); err != nil {
 panic(err)
 }
diff --git a/agent/lockdown.go b/agent/lockdown.go
deleted file mode 100644
index 2c9706c..0000000
--- a/agent/lockdown.go
+++ /dev/null
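Review bot: The `NoLandlock` field added to CoreConfig and its `DONUT_DNS_NO_LANDLOCK` binding in ConfigFromEnv have no consumer anywhere in this patch: the same commit deletes `Lockdown` and its call in main.go, so setting the variable changes nothing while its name implies the filesystem sandbox is still present and merely switched off (the second hunk in this file carries the same issue). Unless something outside this patch reads the field, either drop both added lines or document the field as inert so operators do not rely on a no-op, e.g. `// NoLandlock is accepted for compatibility only; landlock sandboxing was removed and this flag currently has no effect.` If the intent is to reintroduce the sandbox behind a build tag later, say so in that comment rather than leaving an undocumented knob.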
@@ -1,35 +0,0 @@
-package agent
-
-import (
- "strings"
-
- "github.com/shoenig/go-landlock"
-)
-
-func Lockdown(cc *CoreConfig) error {
- paths := make([]*landlock.Path, 0, 4)
- paths = append(paths, sysPaths...)
- paths = append(paths, readable(cc)...)
- locker := landlock.New(paths...)
- return locker.Lock(landlock.OnlySupported)
-}
-
-func readable(cc *CoreConfig) []*landlock.Path {
- var paths []*landlock.Path
- add := func(path string, f func(string, string) *landlock.Path) {
- if nonempty(path) {
- paths = append(paths, f(path, "r"))
- }
- }
- add(cc.AllowFile, landlock.File)
- add(cc.BlockFile, landlock.File)
- add(cc.SuffixFile, landlock.File)
- add(cc.AllowDir, landlock.Dir)
- add(cc.BlockDir, landlock.Dir)
- add(cc.SuffixDir, landlock.Dir)
- return paths
-}
-
-func nonempty(s string) bool {
- return strings.TrimSpace(s) != ""
-}
diff --git a/agent/lockdown_default.go b/agent/lockdown_default.go
deleted file mode 100644
index 1feb33d..0000000
--- a/agent/lockdown_default.go
+++ /dev/null
@@ -1,9 +0,0 @@
-//go:build !linux
-
-package agent
-
-import (
- "github.com/shoenig/go-landlock"
-)
-
-var sysPaths []*landlock.Path
diff --git a/agent/lockdown_linux.go b/agent/lockdown_linux.go
deleted file mode 100644
index 60ac7eb..0000000
--- a/agent/lockdown_linux.go
+++ /dev/null
@@ -1,9 +0,0 @@
-//go:build linux
-
-package agent
-
-import (
- "github.com/shoenig/go-landlock"
-)
-
-var sysPaths = []*landlock.Path{landlock.Certs()}
diff --git a/agent/lockdown_test.go b/agent/lockdown_test.go
deleted file mode 100644
index ce5857f..0000000
--- a/agent/lockdown_test.go
+++ /dev/null
@@ -1,82 +0,0 @@
-//go:build linux
-
-package agent
-
-import (
- "testing"
-
- "github.com/shoenig/go-landlock"
- "github.com/shoenig/test/must"
-)
-
-func Test_readable(t *testing.T) {
- cases := []struct {
- name string
- cc *CoreConfig
- exp []*landlock.Path
- }{
- {
- name: "none",
- cc: new(CoreConfig),
- exp: nil,
- },
- {
- name: "partial",
- cc: &CoreConfig{BlockFile: "/opt/blocks.txt"},
- exp: []*landlock.Path{landlock.File("/opt/blocks.txt", "r")},
- },
- {
- name: "mix",
- cc: &CoreConfig{
- AllowFile: "/opt/allows.txt",
- BlockDir: "/opt/blocks",
- SuffixFile: "/opt/suffix.txt",
- },
- exp: []*landlock.Path{
- landlock.Dir("/opt/blocks", "r"),
- landlock.File("/opt/allows.txt", "r"),
- landlock.File("/opt/suffix.txt", "r"),
- },
- },
- {
- name: "all",
- cc: &CoreConfig{
- AllowFile: "/opt/allows.txt",
- BlockFile: "/opt/block.txt",
- SuffixFile: "/opt/suffix.txt",
- AllowDir: "/opt/allow",
- BlockDir: "/opt/blocks",
- SuffixDir: "/opt/suffix",
- },
- exp: []*landlock.Path{
- landlock.File("/opt/block.txt", "r"),
- landlock.File("/opt/allows.txt", "r"),
- landlock.File("/opt/suffix.txt", "r"),
- landlock.Dir("/opt/blocks", "r"),
- landlock.Dir("/opt/allow", "r"),
- landlock.Dir("/opt/suffix", "r"),
- },
- },
- }
-
- for _, tc := range cases {
- result := readable(tc.cc)
- must.SliceContainsAll(t, tc.exp, result)
- }
-}
-
-func Test_Lockdown(t *testing.T) {
- t.Run("ok", func(t *testing.T) {
- err := Lockdown(&CoreConfig{
- BlockFile: "../hack/example.txt",
- })
- must.NoError(t, err)
- })
-
- t.Run("does not exist", func(t *testing.T) {
- err := Lockdown(&CoreConfig{
- BlockFile: "/does/not/exist",
- })
- must.ErrorContains(t, err, "no such file")
- })
-}
diff --git a/main.go b/main.go
index 72b3a4c..a5e06e8 100644
--- a/main.go
+++ b/main.go
@@ -48,9 +48,6 @@ func setupCC() {
 // get core config from environment
 cc := getCC()
 
- // sandbox donutdns from filesystem (Linux landlock)
- _ = agent.Lockdown(cc)
-
 // set plugin core config
 dnsserver.Port = strconv.Itoa(cc.Port)
 dnsserver.Directives = directives