Expose Config.HandledAccessFS. (#12)

landlock-lsm · Aug 28, 2021 · fd8c035 · fd8c035
1 parent 71e1285
commit fd8c035
Show file tree

Hide file tree

Showing 6 changed files with 75 additions and 34 deletions.
diff --git a/landlock/accessfs.go b/landlock/accessfs.go
@@ -1,6 +1,25 @@
 package landlock
 
-import "strings"
+import (
+ "fmt"
+ "strings"
+)
+
+var flagNames = []string{
+ "Execute",
+ "WriteFile",
+ "ReadFile",
+ "ReadDir",
+ "RemoveDir",
+ "RemoveFile",
+ "MakeChar",
+ "MakeDir",
+ "MakeReg",
+ "MakeSock",
+ "MakeFifo",
+ "MakeBlock",
+ "MakeSym",
+}
 
 // AccessFSSet is a set of Landlockable file system access operations.
 type AccessFSSet uint64
@@ -11,28 +30,18 @@ func (a AccessFSSet) String() string {
  }
  var b strings.Builder
  b.WriteByte('{')
- for i, n := range []string{
- "Execute",
- "WriteFile",
- "ReadFile",
- "ReadDir",
- "RemoveDir",
- "RemoveFile",
- "MakeChar",
- "MakeDir",
- "MakeReg",
- "MakeSock",
- "MakeFifo",
- "MakeBlock",
- "MakeSym",
- } {
+ for i := 0; i < 64; i++ {
  if a&(1<<i) == 0 {
  continue
  }
  if b.Len() > 1 {
  b.WriteByte(',')
  }
- b.WriteString(n)
+ if i < len(flagNames) {
+ b.WriteString(flagNames[i])
+ } else {
+ b.WriteString(fmt.Sprintf("1<<%v", i))
+ }
  }
  b.WriteByte('}')
  return b.String()

diff --git a/landlock/accessfs_test.go b/landlock/accessfs_test.go
@@ -46,6 +46,7 @@ func TestPrettyPrint(t *testing.T) {
  {a: ll.AccessFSMakeFifo, want: "{MakeFifo}"},
  {a: ll.AccessFSMakeBlock, want: "{MakeBlock}"},
  {a: ll.AccessFSMakeSym, want: "{MakeSym}"},
+ {a: ll.AccessFSReadFile | 1<<63, want: "{ReadFile,1<<63}"},
  } {
  got := tc.a.String()
  if got != tc.want {

diff --git a/landlock/config.go b/landlock/config.go
@@ -31,46 +31,61 @@ const (
 var (
  // Landlock V1 support (basic file operations).
  V1 = Config{
- handledAccessFS: abiInfos[1].supportedAccessFS,
+ HandledAccessFS: abiInfos[1].supportedAccessFS,
  }
 )
 
 // The Landlock configuration describes the desired set of
-// landlockable operations to be restricted.
+// landlockable operations to be restricted and the constraints on it
+// (e.g. best effort mode).
 type Config struct {
- handledAccessFS AccessFSSet
+ // File system operations to restrict when enabling Landlock.
+ // Needs to stay within the bounds of what go-landlock supports.
+ HandledAccessFS AccessFSSet
  bestEffort bool
 }
 
 // validate returns success when the given config is supported by
 // go-landlock. (It may still be unsupported by your kernel though.)
 func (c Config) validate() error {
  safs := highestKnownABIVersion.supportedAccessFS
- if !c.handledAccessFS.isSubset(safs) {
- return errors.New("unsupported handledAccessFS value")
+ if !c.HandledAccessFS.isSubset(safs) {
+ return errors.New("unsupported HandledAccessFS value")
  }
  return nil
 }
 
 // String builds a human-readable representation of the Config.
 func (c Config) String() string {
- var abi abiInfo
+ abi := abiInfo{version: -1} // invalid
  for _, a := range abiInfos {
- if c.handledAccessFS.isSubset(a.supportedAccessFS) {
+ if c.HandledAccessFS.isSubset(a.supportedAccessFS) {
  abi = a
  }
  }
 
- var desc = c.handledAccessFS.String()
- if abi.supportedAccessFS == c.handledAccessFS {
+ var desc = c.HandledAccessFS.String()
+ if abi.supportedAccessFS == c.HandledAccessFS {
  desc = "all"
  }
 
  var bestEffort = ""
  if c.bestEffort {
  bestEffort = " (best effort)"
  }
- return fmt.Sprintf("{Landlock V%v; HandledAccessFS: %v%v}", abi.version, desc, bestEffort)
+
+ var version string
+ if abi.version < 0 {
+ version = "V???"
+ } else {
+ version = fmt.Sprintf("V%v", abi.version)
+ }
+
+ errStr := ""
+ if err := c.validate(); err != nil {
+ errStr = fmt.Sprintf(" (%v)", err)
+ }
+ return fmt.Sprintf("{Landlock %v; HandledAccessFS: %v%v%v}", version, desc, bestEffort, errStr)
 }
 
 // BestEffort returns a config that will opportunistically enforce

diff --git a/landlock/config_test.go b/landlock/config_test.go
@@ -13,11 +13,11 @@ func TestConfigString(t *testing.T) {
  want string
  }{
  {
- cfg: Config{handledAccessFS: 0},
+ cfg: Config{HandledAccessFS: 0},
  want: fmt.Sprintf("{Landlock V1; HandledAccessFS: %v}", AccessFSSet(0)),
  },
  {
- cfg: Config{handledAccessFS: ll.AccessFSWriteFile},
+ cfg: Config{HandledAccessFS: ll.AccessFSWriteFile},
  want: "{Landlock V1; HandledAccessFS: {WriteFile}}",
  },
  {
@@ -28,6 +28,10 @@ func TestConfigString(t *testing.T) {
  cfg: V1.BestEffort(),
  want: "{Landlock V1; HandledAccessFS: all (best effort)}",
  },
+ {
+ cfg: Config{HandledAccessFS: 1<<63},
+ want: "{Landlock V???; HandledAccessFS: {1<<63} (unsupported HandledAccessFS value)}",
+ },
  } {
  got := tc.cfg.String()
  if got != tc.want {
@@ -39,8 +43,8 @@ func TestConfigString(t *testing.T) {
 func TestValidateSuccess(t *testing.T) {
  for _, c := range []Config{
  V1, V1.BestEffort(),
- Config{handledAccessFS: ll.AccessFSWriteFile},
- Config{handledAccessFS: 0},
+ Config{HandledAccessFS: ll.AccessFSWriteFile},
+ Config{HandledAccessFS: 0},
  } {
  err := c.validate()
  if err != nil {
@@ -51,8 +55,8 @@ func TestValidateSuccess(t *testing.T) {
 
 func TestValidateFailure(t *testing.T) {
  for _, c := range []Config{
- Config{handledAccessFS: 0xffffffffffffffff},
- Config{handledAccessFS: highestKnownABIVersion.supportedAccessFS + 1},
+ Config{HandledAccessFS: 0xffffffffffffffff},
+ Config{HandledAccessFS: highestKnownABIVersion.supportedAccessFS + 1},
  } {
  err := c.validate()
  if err == nil {

diff --git a/landlock/restrict.go b/landlock/restrict.go
@@ -15,7 +15,7 @@ func restrictPaths(c Config, opts ...PathOpt) error {
  if err != nil {
  return fmt.Errorf("unsupported Landlock config %v (upgrade go-landlock?): %v", c, err)
  }
- handledAccessFS := c.handledAccessFS
+ handledAccessFS := c.HandledAccessFS
  abi := getSupportedABIVersion()
  if c.bestEffort {
  handledAccessFS = handledAccessFS.intersect(abi.supportedAccessFS)

diff --git a/tests/failure/failure_test.go b/tests/failure/failure_test.go
@@ -47,3 +47,15 @@ func TestEmptyAccessRights(t *testing.T) {
  t.Errorf("expected error message with «empty access rights», got: %v", err)
  }
 }
+
+func TestSpecifiedTooManyFlags(t *testing.T) {
+ cfg := landlock.Config{HandledAccessFS: 1 << 13}
+ err := cfg.RestrictPaths()
+ if err == nil {
+ t.Errorf("%v.RestrictPaths(): expected error, got success", cfg)
+ }
+ want := "unsupported Landlock config"
+ if !strings.Contains(err.Error(), want) {
+ t.Errorf("%v.RestrictPaths(): expected error with %q, got %q", cfg, want, err.Error())
+ }
+}