fix(landlock): landlock only after creating files

2023-04-13 12:31:26 +00:00 · 2023-04-13 12:31:26 +00:00 · 00ee8d21c6
--- a/main.go
+++ b/main.go
@ -131,23 +131,9 @@ var indexPage []byte
 func main() {
 	log.Logger = log.Output(zerolog.ConsoleWriter{Out: os.Stderr})

-	err := landlock.V2.BestEffort().RestrictPaths(
-		landlock.RWDirs("./data"),
-		landlock.RWFiles("filehole.db"),
-	)
+    var err error

-	if err != nil {
-		log.Warn().Err(err).Msg("Could not landlock")
-	}
-
-	_, err = os.Open("/etc/passwd")
-	if err == nil {
-		log.Warn().Msg("Landlock failed, could open /etc/passwd")
-	} else {
-		log.Info().Err(err).Msg("Landlocked")
-	}
-
-	db, err = bolt.Open("filehole.db", 0600, nil)
+    db, err = bolt.Open("filehole.db", 0600, nil)
 	if err != nil {
 		log.Fatal().Err(err).Msg("dangerous database activity")
 	}
@ -160,12 +146,32 @@ func main() {
 		return nil
 	})

-	r := mux.NewRouter()
+    // New single binary setup will have this user only reading from data
+    os.Mkdir("./data", 0600)

+    // We actually need to landlock after creating all the files we reference
+    // in the landlock or it will fail
+	err = landlock.V2.BestEffort().RestrictPaths(
+		landlock.RWDirs("./data"),
+		landlock.RWFiles("filehole.db"),
+	)
+	if err != nil {
+		log.Error().Err(err).Msg("Could not landlock")
+	}
+
+    // Test if landlock actually works on whatever fucked kernel you're
+    // probably using
+	_, err = os.Open("/etc/passwd")
+	if err == nil {
+		log.Error().Msg("Landlock failed, could open /etc/passwd")
+	} else {
+		log.Info().Err(err).Msg("Landlocked")
+	}
+
+	r := mux.NewRouter()
 	r.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
 		w.Write(indexPage)
 	}).Methods("GET")
-
 	r.HandleFunc("/", UploadHandler).Methods("POST")

 	http.Handle("/", r)