Validate Landlock config when calling RestrictPath().

This checks that the provided set of handledAccessFS permissions is within the set known to go-landlock. (see #12)
landlock-lsm · Aug 28, 2021 · 71e1285 · 71e1285
1 parent 0a9e761
commit 71e1285
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 0 deletions.
diff --git a/landlock/abi_versions.go b/landlock/abi_versions.go
@@ -18,6 +18,8 @@ var abiInfos = []abiInfo{
  },
 }
 
+var highestKnownABIVersion = abiInfos[len(abiInfos)-1]
+
 // getSupportedABIVersion returns the kernel-supported ABI version.
 //
 // If the ABI version supported by the kernel is higher than the

diff --git a/landlock/config.go b/landlock/config.go
@@ -1,6 +1,7 @@
 package landlock
 
 import (
+ "errors"
  "fmt"
 
  ll "github.com/landlock-lsm/go-landlock/landlock/syscall"
@@ -41,6 +42,17 @@ type Config struct {
  bestEffort bool
 }
 
+// validate returns success when the given config is supported by
+// go-landlock. (It may still be unsupported by your kernel though.)
+func (c Config) validate() error {
+ safs := highestKnownABIVersion.supportedAccessFS
+ if !c.handledAccessFS.isSubset(safs) {
+ return errors.New("unsupported handledAccessFS value")
+ }
+ return nil
+}
+
+// String builds a human-readable representation of the Config.
 func (c Config) String() string {
  var abi abiInfo
  for _, a := range abiInfos {

diff --git a/landlock/config_test.go b/landlock/config_test.go
@@ -35,3 +35,28 @@ func TestConfigString(t *testing.T) {
  }
  }
 }
+
+func TestValidateSuccess(t *testing.T) {
+ for _, c := range []Config{
+ V1, V1.BestEffort(),
+ Config{handledAccessFS: ll.AccessFSWriteFile},
+ Config{handledAccessFS: 0},
+ } {
+ err := c.validate()
+ if err != nil {
+ t.Errorf("%v.validate(): expected success, got %v", c, err)
+ }
+ }
+}
+
+func TestValidateFailure(t *testing.T) {
+ for _, c := range []Config{
+ Config{handledAccessFS: 0xffffffffffffffff},
+ Config{handledAccessFS: highestKnownABIVersion.supportedAccessFS + 1},
+ } {
+ err := c.validate()
+ if err == nil {
+ t.Errorf("%v.validate(): expected error, got success", c)
+ }
+ }
+}
diff --git a/landlock/restrict.go b/landlock/restrict.go
@@ -11,6 +11,10 @@ import (
 
 // The actual restrictPaths implementation.
 func restrictPaths(c Config, opts ...PathOpt) error {
+ err := c.validate()
+ if err != nil {
+ return fmt.Errorf("unsupported Landlock config %v (upgrade go-landlock?): %v", c, err)
+ }
  handledAccessFS := c.handledAccessFS
  abi := getSupportedABIVersion()
  if c.bestEffort {