commit 97e0bb14629c0a7f6ff03062076b81f78a86ce0b Author: atagen Date: Fri Oct 31 14:37:46 2025 +1100 initial poc
diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..3550a30
--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+use flake
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..2d5df85
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+/target
+.direnv
diff --git a/Cargo.lock b/Cargo.lock
new file mode 100644
index 0000000..ff658e6
--- /dev/null
+++ b/Cargo.lock
@@ -0,0 +1,217 @@ +# This file is automatically @generated by Cargo. +# It is not intended for manual editing. +version = 4 + +[[package]] +name = "anyhow" +version = "1.0.100" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a23eb6b1614318a8071c9b2521f36b424b2c83db5eb3a0fead4a6c0809af6e61" + +[[package]] +name = "cc" +version = "1.2.43" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "739eb0f94557554b3ca9a86d2d37bebd49c5e6d0c1d2bda35ba5bdac830befc2" +dependencies = [ + "find-msvc-tools", + "shlex", +] + +[[package]] +name = "enumflags2" +version = "0.7.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1027f7680c853e056ebcec683615fb6fbbc07dbaa13b4d5d9442b146ded4ecef" +dependencies = [ + "enumflags2_derive", +] + +[[package]] +name = "enumflags2_derive" +version = "0.7.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "67c78a4d8fdf9953a5c9d458f9efe940fd97a0cab0941c075a813ac594733827" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.108", +] + +[[package]] +name = "errno" +version = "0.2.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f639046355ee4f37944e44f60642c6f3a7efa3cf6b78c78a0d989a8ce6c396a1" +dependencies = [ + "errno-dragonfly", + "libc", + "winapi", +] + +[[package]] +name = "errno-dragonfly" +version = "0.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "aa68f1b12764fab894d2755d2518754e71b4fd80ecfb822714a1206c2aab39bf" +dependencies = [ + "cc", + "libc", +] + +[[package]] +name = "exec" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "886b70328cba8871bfc025858e1de4be16b1d5088f2ba50b57816f4210672615" +dependencies = [ + "errno", + "libc", +] + +[[package]] +name = "find-msvc-tools" +version = "0.1.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = 
"52051878f80a721bb68ebfbc930e07b65ba72f2da88968ea5c06fd6ca3d3a127" + +[[package]] +name = "gumdrop" +version = "0.8.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5bc700f989d2f6f0248546222d9b4258f5b02a171a431f8285a81c08142629e3" +dependencies = [ + "gumdrop_derive", +] + +[[package]] +name = "gumdrop_derive" +version = "0.8.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "729f9bd3449d77e7831a18abfb7ba2f99ee813dfd15b8c2167c9a54ba20aa99d" +dependencies = [ + "proc-macro2", + "quote", + "syn 1.0.109", +] + +[[package]] +name = "landlock" +version = "0.4.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "affe8b77dce5b172f8e290bd801b12832a77cd1942d1ea98259916e89d5829d6" +dependencies = [ + "enumflags2", + "libc", + "thiserror", +] + +[[package]] +name = "libc" +version = "0.2.177" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2874a2af47a2325c2001a6e6fad9b16a53b802102b528163885171cf92b15976" + +[[package]] +name = "proc-macro2" +version = "1.0.103" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5ee95bc4ef87b8d5ba32e8b7714ccc834865276eab0aed5c9958d00ec45f49e8" +dependencies = [ + "unicode-ident", +] + +[[package]] +name = "quote" +version = "1.0.41" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ce25767e7b499d1b604768e7cde645d14cc8584231ea6b295e9c9eb22c02e1d1" +dependencies = [ + "proc-macro2", +] + +[[package]] +name = "shlex" +version = "1.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" + +[[package]] +name = "syn" +version = "1.0.109" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237" +dependencies = [ + "proc-macro2", + "quote", + "unicode-ident", +] + +[[package]] +name = "syn" 
+version = "2.0.108" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "da58917d35242480a05c2897064da0a80589a2a0476c9a3f2fdc83b53502e917" +dependencies = [ + "proc-macro2", + "quote", + "unicode-ident", +] + +[[package]] +name = "thiserror" +version = "2.0.17" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f63587ca0f12b72a0600bcba1d40081f830876000bb46dd2337a3051618f4fc8" +dependencies = [ + "thiserror-impl", +] + +[[package]] +name = "thiserror-impl" +version = "2.0.17" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3ff15c8ecd7de3849db632e14d18d2571fa09dfc5ed93479bc4485c7a517c913" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.108", +] + +[[package]] +name = "unicode-ident" +version = "1.0.20" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "462eeb75aeb73aea900253ce739c8e18a67423fadf006037cd3ff27e82748a06" + +[[package]] +name = "winapi" +version = "0.3.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419" +dependencies = [ + "winapi-i686-pc-windows-gnu", + "winapi-x86_64-pc-windows-gnu", +] + +[[package]] +name = "winapi-i686-pc-windows-gnu" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6" + +[[package]] +name = "winapi-x86_64-pc-windows-gnu" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" + +[[package]] +name = "yoke" +version = "0.1.0" +dependencies = [ + "anyhow", + "exec", + "gumdrop", + "landlock", +] diff --git a/Cargo.toml b/Cargo.toml new file mode 100644 index 0000000..adaf3cb --- /dev/null +++ b/Cargo.toml 
@@ -0,0 +1,10 @@
+[package]
+name = "yoke"
+version = "0.1.0"
+edition = "2024"
+
+[dependencies]
+anyhow = "1.0.100"
+exec = "0.3.1"
+gumdrop = "0.8.1"
+landlock = "0.4.3"
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..ec172cd
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,43 @@
+{
+ "nodes": {
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1761656231,
+ "narHash": "sha256-EiED5k6gXTWoAIS8yQqi5mAX6ojnzpHwAQTS3ykeYMg=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "e99366c665bdd53b7b500ccdc5226675cfc51f45",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": "nixpkgs",
+ "systems": "systems"
+ }
+ },
+ "systems": {
+ "locked": {
+ "lastModified": 1689347949,
+ "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
+ "owner": "nix-systems",
+ "repo": "default-linux",
+ "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default-linux",
+ "type": "github"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..9a852de
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,28 @@
+{
+ inputs.nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";
+ inputs.systems.url = "github:nix-systems/default-linux";
+
+ outputs =
+ {
+ self,
+ nixpkgs,
+ systems,
+ }:
+ let
+ forAllSystems =
+ func: nixpkgs.lib.genAttrs (import systems) (system: func (import nixpkgs { inherit system; }));
+ in
+ {
+ devShells = forAllSystems (pkgs: {
+ default = pkgs.mkShell {
+ packages = with pkgs; [
+ cargo
+ rustc
+ rust-analyzer
+ rustfmt
+ clippy
+ ];
+ };
+ });
+ };
+}
diff --git a/src/main.rs b/src/main.rs
new file mode 100644
index 0000000..86f606b
--- /dev/null
+++ b/src/main.rs
@@ -0,0 +1,213 @@
+use std::{collections::HashMap, path::PathBuf, str::FromStr};
+
+use anyhow::{Context, Result, anyhow};
+use gumdrop::Options;
+use landlock::{
+ ABI, Access, AccessFs, AccessNet, Compatible, NetPort, Ruleset, RulesetAttr,
+ RulesetCreatedAttr, Scope, path_beneath_rules,
+};
+
+#[derive(Clone, Copy, Debug, Hash, Eq, PartialEq)]
+enum Direction {
+ In,
+ Out,
+}
+
+#[derive(Debug, Options)]
+struct Chas {
+ #[options(no_multi, parse(try_from_str = "fs_parse"))]
+ fs: HashMap>,
+ #[options(no_multi, parse(try_from_str = "tcp_parse"))]
+ tcp: HashMap>,
+ #[options(no_multi, parse(try_from_str = "env_parse"))]
+ env: HashMap,
+ clear_env: bool,
+ #[options(free)]
+ exec: Vec,
+}
+
+#[derive(Clone, Copy, Debug, Hash, PartialEq, Eq)]
+enum Permissions {
+ Read,
+ Write,
+}
+
+fn env_parse(s: &str) -> Result> {
+ let pairs = s.split(',');
+ let mut envs = HashMap::new();
+ for pair in pairs {
+ let (k, v) = pair.split_once('=').ok_or(anyhow!("invalid env var"))?;
+ envs.entry(k.to_string())
+ .and_modify(|iv: &mut String| {
+ *iv = v.to_string();
+ })
+ .or_insert(v.to_string());
+ }
+ Ok(envs)
+}
+
+// TODO handle ioctl perms
+fn fs_parse(s: &str) -> Result>> {
+ let pairs = s.split(',');
+ let mut rules = HashMap::new();
+ for pair in pairs {
+ let (s_perm, s_path) = pair
+ .split_once('=')
+ .ok_or(anyhow!("invalid filesystem pair"))?;
+ if s_perm.len() > 1 {
+ return Err(anyhow!("permission specifier too long"));
+ }
+ let perm = unsafe {
+ match s_perm.get_unchecked(0..1) {
+ "r" | "R" => Permissions::Read,
+ "w" | "W" => Permissions::Write,
+ _ => {
+ return Err(anyhow!("invalid permission specifier"));
+ }
+ }
+ };
+ for sub in s_path.split(':') {
+ let path = PathBuf::from_str(sub).context("invalid path specifier")?;
+ rules
+ .entry(perm)
+ .and_modify(|v: &mut Vec| {
+ v.push(path.clone());
+ })
+ .or_insert(vec![path]);
+ }
+ }
+ Ok(rules)
+}
+
+fn tcp_parse(s: &str) -> Result>> {
+ let pairs = s.split(',');
+ let mut rules = HashMap::new();
+ for pair in pairs {
+ let (s_io, s_port) = pair.split_once('=').context("invalid tcp pair")?;
+ let dir = match s_io {
+ "i" => Direction::In,
+ "o" => Direction::Out,
+ _ => {
+ return Err(anyhow!("invalid tcp specifier"));
+ }
+ };
+ for sub in s_port.split(':') {
+ let port = sub.parse().context("invalid port")?;
+ rules
+ .entry(dir)
+ .and_modify(|v: &mut Vec| {
+ v.push(port);
+ })
+ .or_insert(vec![port]);
+ }
+ }
+ Ok(rules)
+}
+
+fn main() -> Result<()> {
+ let opts = Chas::parse_args_or_exit(gumdrop::ParsingStyle::StopAtFirstFree);
+ println!("{opts:?}");
+ let mut preempt = Ruleset::default();
+ preempt = preempt.set_compatibility(landlock::CompatLevel::HardRequirement);
+ preempt = preempt.scope(Scope::Signal).context("scoping signals")?;
+ preempt = preempt
+ .scope(Scope::AbstractUnixSocket)
+ .context("scoping sockets")?;
+ // let is_fs = !opts.fs.is_empty();
+ let is_fs = true;
+ let is_tcp = !opts.tcp.is_empty();
+ preempt = if is_fs {
+ preempt
+ .handle_access(AccessFs::from_all(ABI::V6))
+ .context("handling fs access")?
+ } else {
+ preempt
+ };
+ preempt = if is_tcp {
+ preempt
+ .handle_access(AccessNet::BindTcp)
+ .context("handling tcp bind access")?
+ .handle_access(AccessNet::ConnectTcp)
+ .context("handling tcp conn access")?
+ } else {
+ preempt
+ };
+ let mut ruleset = preempt.create().context("creating ruleset")?;
+ for (perms, paths) in opts.fs {
+ let access = match perms {
+ Permissions::Read => AccessFs::from_read(ABI::V6),
+ Permissions::Write => AccessFs::from_write(ABI::V6),
+ };
+ ruleset = ruleset
+ .add_rules(path_beneath_rules(paths, access))
+ .context("adding fs rule")?;
+ }
+ for (dir, ports) in opts.tcp {
+ let access = match dir {
+ Direction::In => AccessNet::BindTcp,
+ Direction::Out => AccessNet::ConnectTcp,
+ };
+ for port in ports {
+ ruleset = ruleset
+ .add_rule(NetPort::new(port, access))
+ .context("adding tcp rule")?;
+ }
+ }
+ ruleset.restrict_self().context("enforcing ruleset")?;
+ if !opts.exec.is_empty() {
+ let mut cmd = exec::Command::new(&opts.exec[0]);
+ if opts.exec.len() > 1 {
+ cmd.args(&opts.exec[1..]);
+ }
+ if opts.clear_env {
+ for (k, _) in std::env::vars() {
+ unsafe {
+ std::env::remove_var(k);
+ }
+ }
+ }
+ if !opts.env.is_empty() {
+ for (k, v) in opts.env {
+ unsafe {
+ std::env::set_var(k, v);
+ }
+ }
+ }
+ let err = cmd.exec();
+ eprintln!("failed to run process: {}", err);
+ } else {
+ eprintln!(
+ "
+ yoke -- simple command sandboxer
+
+ use: yoke [rules] [command]
+
+ rules:
+ --fs [access]=/path:/another/path,[access]=/more/path
+ filesystem rules
+
+ --tcp [access]=1234:5678,[access]=91011
+ tcp port rules
+
+ --env [key]=[value]
+ include env vars for process
+
+ --clear-env
+ clear all inherited env vars
+
+ access specifiers (only one may be used per entry):
+ fs:
+ r - read (implies execute)
+ w - write (implies read+execute)
+ tcp:
+ i - in/bind
+ o - out/connect
+
+ example:
+ yoke --fs r=$(which ls):/etc ls /etc
+ yoke --tcp i=80:443,o=80:443 --fs r=/srv/web --clear-env --env SERVE_FROM=/srv/web myhttpserver
+ "
+ );
+ }
+ Ok(())
+}
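Review bot: In fs_parse the `unsafe { s_perm.get_unchecked(0..1) }` is reached with an empty `s_perm` (an entry such as `=/etc`), because the guard before it only rejects `len() > 1`; slicing `0..1` out of an empty `&str` with get_unchecked is undefined behaviour, and the input is user-supplied. The block needs no unsafe at all: `let perm = match s_perm {` with the same `"r" | "R"` / `"w" | "W"` / `_` arms and a closing `};` matches the whole one-character specifier, rejects empty and longer strings through the `_` arm, and lets the separate length check be dropped. Separately, `let is_fs = true;` next to the commented-out `// let is_fs = !opts.fs.is_empty();` makes the policy asymmetric — filesystem access is always handled, so any path not listed is denied, while TCP bind/connect is only restricted when `--tcp` is given — and that deserves a comment, e.g. `// fs is always handled (deny-by-default); tcp is only restricted when rules are supplied`. The clear_env loop removes variables while iterating `std::env::vars()`; that appears to work because vars() snapshots the environment, but a one-line comment stating that assumption would save the next reader a check.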