From 3cab160feb5eab6bf8d1d786d30f0f1e8299f705 Mon Sep 17 00:00:00 2001
From: hgc
Date: Thu, 20 Oct 2022 14:56:59 +1100
Subject: [PATCH] add landlock support
---
 go.mod | 4 +++-
 go.sum | 7 ++++++-
 main.go | 18 +++++++++++++++++-
 3 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 8cabda9..c3437af 100644
--- a/go.mod
+++ b/go.mod
@@ -6,6 +6,7 @@ require (
github.com/boltdb/bolt v1.3.1
github.com/gabriel-vasile/mimetype v1.4.1
github.com/gorilla/mux v1.8.0
+ github.com/landlock-lsm/go-landlock v0.0.0-20221004190946-f5b03a1c9b89
github.com/rs/zerolog v1.28.0
)
@@ -13,5 +14,6 @@ require (
github.com/mattn/go-colorable v0.1.12 // indirect
github.com/mattn/go-isatty v0.0.14 // indirect
golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e // indirect
- golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a // indirect
+ golang.org/x/sys v0.0.0-20220817070843-5a390386f1f2 // indirect
+ kernel.org/pub/linux/libs/security/libcap/psx v1.2.65 // indirect
)
diff --git a/go.sum b/go.sum
index 6f809d5..56a0277 100644
--- a/go.sum
+++ b/go.sum
@@ -6,6 +6,8 @@ github.com/gabriel-vasile/mimetype v1.4.1/go.mod h1:05Vi0w3Y9c/lNvJOdmIwvrrAhX3r
github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
+github.com/landlock-lsm/go-landlock v0.0.0-20221004190946-f5b03a1c9b89 h1:FIk3JFmJ1zKLLqEzMWFWl0hs1eR4WQUWDMOCDsJqDVU=
+github.com/landlock-lsm/go-landlock v0.0.0-20221004190946-f5b03a1c9b89/go.mod h1:pvQOStHTxYHPZVAXTNqWH8TgE76OUMfKhbJP2RRovog=
github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40=
github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y=
@@ -19,8 +21,11 @@ golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a h1:dGzPydgVsqGcTRVwiLJ1jVbufYwmzD3LfVPLKsKg+0k=
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220817070843-5a390386f1f2 h1:fqTvyMIIj+HRzMmnzr9NtpHP6uVpvB5fkHcgPDC4nu8=
+golang.org/x/sys v0.0.0-20220817070843-5a390386f1f2/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+kernel.org/pub/linux/libs/security/libcap/psx v1.2.65 h1:v2G3aCgEMr8qh4GpOGMukkv92EE7jtY+Uh9mB7cAACk=
+kernel.org/pub/linux/libs/security/libcap/psx v1.2.65/go.mod h1:+l6Ee2F59XiJ2I6WR5ObpC1utCQJZ/VLsEbQCD8RG24=
diff --git a/main.go b/main.go
index 2a4ac03..1bdc5a4 100644
--- a/main.go
+++ b/main.go
@@ -10,6 +10,7 @@ import (
"github.com/gabriel-vasile/mimetype"
"github.com/gorilla/mux"
+ "github.com/landlock-lsm/go-landlock/landlock"
"github.com/rs/zerolog"
"github.com/rs/zerolog/log"
@@ -125,7 +126,22 @@ func ExpiryDoer() {
func main() {
log.Logger = log.Output(zerolog.ConsoleWriter{Out: os.Stderr})
- var err error
+ err := landlock.V2.BestEffort().RestrictPaths(
+ landlock.RWDirs("./data"),
+ landlock.RWFiles("filehole.db"),
+ )
+
+ if err != nil {
+ log.Warn().Err(err).Msg("Could not landlock")
+ }
+
+ _, err = os.Open("/etc/passwd")
+ if err == nil {
+ log.Warn().Msg("Landlock failed, could open /etc/passwd")
+ } else {
+ log.Info().Err(err).Msg("Landlocked")
+ }
+
db, err = bolt.Open("filehole.db", 0600, nil)
if err != nil {
log.Fatal().Err(err).Msg("dangerous database activity")
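Review bot: Both new failure paths are warn-and-continue, so a host where `RestrictPaths` returns an error (no Landlock support, or — if I read go-landlock's path handling correctly — `filehole.db` not yet existing on a first run, since the rule set is built from paths that must resolve at that point) keeps serving with no sandbox at all while only emitting `log.Warn().Err(err).Msg("Could not landlock")`; whether fail-open is acceptable is a deployment decision, but it should be an explicit one (a flag, or `log.Fatal()` in that branch). The `/etc/passwd` probe has two smaller defects: the `*os.File` returned by a successful `os.Open` is discarded without `Close`, and the `else` branch reports "Landlocked" for any error whatsoever (a missing `/etc/passwd` in a minimal container image would be logged as success), so it should test `errors.Is(err, os.ErrPermission)` specifically, which is what a Landlock denial surfaces as. A rewritten probe follows; it needs `errors` imported if it is not already (the import hunk only shows the third-party group), and main's body continues past the end of this hunk.
```go
// … unchanged: RestrictPaths call and its "Could not landlock" warning …
f, err := os.Open("/etc/passwd")
switch {
case err == nil:
	f.Close() // the probe handle was previously never released
	log.Warn().Msg("Landlock failed, could open /etc/passwd")
case errors.Is(err, os.ErrPermission):
	log.Info().Err(err).Msg("Landlocked")
default:
	log.Warn().Err(err).Msg("Landlock probe inconclusive")
}
// … unchanged: bolt.Open and the rest of main …
```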