initial poc

2025-10-31 14:37:46 +11:00 · 2025-10-31 14:37:46 +11:00 · aae8e63107
commit aae8e63107
7 changed files with 513 additions and 0 deletions
--- a/.envrc
+++ b/.envrc
@ -0,0 +1 @@
+use flake
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,2 @@
+/target
+.direnv
--- a/Cargo.lock
+++ b/Cargo.lock
@ -0,0 +1,217 @@
+# This file is automatically @generated by Cargo.
+# It is not intended for manual editing.
+version = 4
+
+[[package]]
+name = "anyhow"
+version = "1.0.100"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a23eb6b1614318a8071c9b2521f36b424b2c83db5eb3a0fead4a6c0809af6e61"
+
+[[package]]
+name = "cc"
+version = "1.2.43"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "739eb0f94557554b3ca9a86d2d37bebd49c5e6d0c1d2bda35ba5bdac830befc2"
+dependencies = [
+ "find-msvc-tools",
+ "shlex",
+]
+
+[[package]]
+name = "enumflags2"
+version = "0.7.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1027f7680c853e056ebcec683615fb6fbbc07dbaa13b4d5d9442b146ded4ecef"
+dependencies = [
+ "enumflags2_derive",
+]
+
+[[package]]
+name = "enumflags2_derive"
+version = "0.7.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "67c78a4d8fdf9953a5c9d458f9efe940fd97a0cab0941c075a813ac594733827"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.108",
+]
+
+[[package]]
+name = "errno"
+version = "0.2.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f639046355ee4f37944e44f60642c6f3a7efa3cf6b78c78a0d989a8ce6c396a1"
+dependencies = [
+ "errno-dragonfly",
+ "libc",
+ "winapi",
+]
+
+[[package]]
+name = "errno-dragonfly"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "aa68f1b12764fab894d2755d2518754e71b4fd80ecfb822714a1206c2aab39bf"
+dependencies = [
+ "cc",
+ "libc",
+]
+
+[[package]]
+name = "exec"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "886b70328cba8871bfc025858e1de4be16b1d5088f2ba50b57816f4210672615"
+dependencies = [
+ "errno",
+ "libc",
+]
+
+[[package]]
+name = "find-msvc-tools"
+version = "0.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "52051878f80a721bb68ebfbc930e07b65ba72f2da88968ea5c06fd6ca3d3a127"
+
+[[package]]
+name = "gumdrop"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5bc700f989d2f6f0248546222d9b4258f5b02a171a431f8285a81c08142629e3"
+dependencies = [
+ "gumdrop_derive",
+]
+
+[[package]]
+name = "gumdrop_derive"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "729f9bd3449d77e7831a18abfb7ba2f99ee813dfd15b8c2167c9a54ba20aa99d"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 1.0.109",
+]
+
+[[package]]
+name = "landlock"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "affe8b77dce5b172f8e290bd801b12832a77cd1942d1ea98259916e89d5829d6"
+dependencies = [
+ "enumflags2",
+ "libc",
+ "thiserror",
+]
+
+[[package]]
+name = "libc"
+version = "0.2.177"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2874a2af47a2325c2001a6e6fad9b16a53b802102b528163885171cf92b15976"
+
+[[package]]
+name = "proc-macro2"
+version = "1.0.103"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5ee95bc4ef87b8d5ba32e8b7714ccc834865276eab0aed5c9958d00ec45f49e8"
+dependencies = [
+ "unicode-ident",
+]
+
+[[package]]
+name = "quote"
+version = "1.0.41"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ce25767e7b499d1b604768e7cde645d14cc8584231ea6b295e9c9eb22c02e1d1"
+dependencies = [
+ "proc-macro2",
+]
+
+[[package]]
+name = "shlex"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
+
+[[package]]
+name = "syn"
+version = "1.0.109"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "unicode-ident",
+]
+
+[[package]]
+name = "syn"
+version = "2.0.108"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "da58917d35242480a05c2897064da0a80589a2a0476c9a3f2fdc83b53502e917"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "unicode-ident",
+]
+
+[[package]]
+name = "thiserror"
+version = "2.0.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f63587ca0f12b72a0600bcba1d40081f830876000bb46dd2337a3051618f4fc8"
+dependencies = [
+ "thiserror-impl",
+]
+
+[[package]]
+name = "thiserror-impl"
+version = "2.0.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3ff15c8ecd7de3849db632e14d18d2571fa09dfc5ed93479bc4485c7a517c913"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.108",
+]
+
+[[package]]
+name = "unicode-ident"
+version = "1.0.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "462eeb75aeb73aea900253ce739c8e18a67423fadf006037cd3ff27e82748a06"
+
+[[package]]
+name = "winapi"
+version = "0.3.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
+dependencies = [
+ "winapi-i686-pc-windows-gnu",
+ "winapi-x86_64-pc-windows-gnu",
+]
+
+[[package]]
+name = "winapi-i686-pc-windows-gnu"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
+
+[[package]]
+name = "winapi-x86_64-pc-windows-gnu"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
+
+[[package]]
+name = "yoke"
+version = "0.1.0"
+dependencies = [
+ "anyhow",
+ "exec",
+ "gumdrop",
+ "landlock",
+]
--- a/Cargo.toml
+++ b/Cargo.toml
@ -0,0 +1,10 @@
+[package]
+name = "yoke"
+version = "0.1.0"
+edition = "2024"
+
+[dependencies]
+anyhow = "1.0.100"
+exec = "0.3.1"
+gumdrop = "0.8.1"
+landlock = "0.4.3"
--- a/flake.lock
+++ b/flake.lock
@ -0,0 +1,43 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1761656231,
+        "narHash": "sha256-EiED5k6gXTWoAIS8yQqi5mAX6ojnzpHwAQTS3ykeYMg=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "e99366c665bdd53b7b500ccdc5226675cfc51f45",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs",
+        "systems": "systems"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1689347949,
+        "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
+        "owner": "nix-systems",
+        "repo": "default-linux",
+        "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default-linux",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,28 @@
+{
+  inputs.nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";
+  inputs.systems.url = "github:nix-systems/default-linux";
+
+  outputs =
+    {
+      self,
+      nixpkgs,
+      systems,
+    }:
+    let
+      forAllSystems =
+        func: nixpkgs.lib.genAttrs (import systems) (system: func (import nixpkgs { inherit system; }));
+    in
+    {
+      devShells = forAllSystems (pkgs: {
+        default = pkgs.mkShell {
+          packages = with pkgs; [
+            cargo
+            rustc
+            rust-analyzer
+            rustfmt
+            clippy
+          ];
+        };
+      });
+    };
+}
--- a/src/main.rs
+++ b/src/main.rs
@ -0,0 +1,212 @@
+use std::{collections::HashMap, path::PathBuf, str::FromStr};
+
+use anyhow::{Context, Result, anyhow};
+use gumdrop::Options;
+use landlock::{
+    ABI, Access, AccessFs, AccessNet, Compatible, NetPort, Ruleset, RulesetAttr,
+    RulesetCreatedAttr, Scope, path_beneath_rules,
+};
+
+#[derive(Clone, Copy, Debug, Hash, Eq, PartialEq)]
+enum Direction {
+    In,
+    Out,
+}
+
+#[derive(Debug, Options)]
+struct Chas {
+    #[options(no_multi, parse(try_from_str = "fs_parse"))]
+    fs: HashMap<Permissions, Vec<PathBuf>>,
+    #[options(no_multi, parse(try_from_str = "tcp_parse"))]
+    tcp: HashMap<Direction, Vec<u16>>,
+    #[options(no_multi, parse(try_from_str = "env_parse"))]
+    env: HashMap<String, String>,
+    clear_env: bool,
+    #[options(free)]
+    exec: Vec<String>,
+}
+
+#[derive(Clone, Copy, Debug, Hash, PartialEq, Eq)]
+enum Permissions {
+    Read,
+    Write,
+}
+
+fn env_parse(s: &str) -> Result<HashMap<String, String>> {
+    let pairs = s.split(',');
+    let mut envs = HashMap::new();
+    for pair in pairs {
+        let (k, v) = pair.split_once('=').ok_or(anyhow!("invalid env var"))?;
+        envs.entry(k.to_string())
+            .and_modify(|iv: &mut String| {
+                *iv = v.to_string();
+            })
+            .or_insert(v.to_string());
+    }
+    Ok(envs)
+}
+
+// TODO handle ioctl perms
+fn fs_parse(s: &str) -> Result<HashMap<Permissions, Vec<PathBuf>>> {
+    let pairs = s.split(',');
+    let mut rules = HashMap::new();
+    for pair in pairs {
+        let (s_perm, s_path) = pair
+            .split_once('=')
+            .ok_or(anyhow!("invalid filesystem pair"))?;
+        if s_perm.len() > 1 {
+            return Err(anyhow!("permission specifier too long"));
+        }
+        let perm = unsafe {
+            match s_perm.get_unchecked(0..1) {
+                "r" | "R" => Permissions::Read,
+                "w" | "W" => Permissions::Write,
+                _ => {
+                    return Err(anyhow!("invalid permission specifier"));
+                }
+            }
+        };
+        for sub in s_path.split(':') {
+            let path = PathBuf::from_str(sub).context("invalid path specifier")?;
+            rules
+                .entry(perm)
+                .and_modify(|v: &mut Vec<PathBuf>| {
+                    v.push(path.clone());
+                })
+                .or_insert(vec![path]);
+        }
+    }
+    Ok(rules)
+}
+
+fn tcp_parse(s: &str) -> Result<HashMap<Direction, Vec<u16>>> {
+    let pairs = s.split(',');
+    let mut rules = HashMap::new();
+    for pair in pairs {
+        let (s_io, s_port) = pair.split_once('=').context("invalid tcp pair")?;
+        let dir = match s_io {
+            "i" => Direction::In,
+            "o" => Direction::Out,
+            _ => {
+                return Err(anyhow!("invalid tcp specifier"));
+            }
+        };
+        for sub in s_port.split(':') {
+            let port = sub.parse().context("invalid port")?;
+            rules
+                .entry(dir)
+                .and_modify(|v: &mut Vec<u16>| {
+                    v.push(port);
+                })
+                .or_insert(vec![port]);
+        }
+    }
+    Ok(rules)
+}
+
+fn main() -> Result<()> {
+    let opts = Chas::parse_args_or_exit(gumdrop::ParsingStyle::StopAtFirstFree);
+    println!("{opts:?}");
+    let mut preempt = Ruleset::default();
+    preempt = preempt.set_compatibility(landlock::CompatLevel::HardRequirement);
+    preempt = preempt.scope(Scope::Signal).context("scoping signals")?;
+    preempt = preempt
+        .scope(Scope::AbstractUnixSocket)
+        .context("scoping sockets")?;
+    // let is_fs = !opts.fs.is_empty();
+    let is_fs = true;
+    let is_tcp = !opts.tcp.is_empty();
+    preempt = if is_fs {
+        preempt
+            .handle_access(AccessFs::from_all(ABI::V6))
+            .context("handling fs access")?
+    } else {
+        preempt
+    };
+    preempt = if is_tcp {
+        preempt
+            .handle_access(AccessNet::BindTcp)
+            .context("handling tcp bind access")?
+            .handle_access(AccessNet::ConnectTcp)
+            .context("handling tcp conn access")?
+    } else {
+        preempt
+    };
+    let mut ruleset = preempt.create().context("creating ruleset")?;
+    for (perms, paths) in opts.fs {
+        let access = match perms {
+            Permissions::Read => AccessFs::from_read(ABI::V6),
+            Permissions::Write => AccessFs::from_write(ABI::V6),
+        };
+        ruleset = ruleset
+            .add_rules(path_beneath_rules(paths, access))
+            .context("adding fs rule")?;
+    }
+    for (dir, ports) in opts.tcp {
+        let access = match dir {
+            Direction::In => AccessNet::BindTcp,
+            Direction::Out => AccessNet::ConnectTcp,
+        };
+        for port in ports {
+            ruleset = ruleset
+                .add_rule(NetPort::new(port, access))
+                .context("adding tcp rule")?;
+        }
+    }
+    ruleset.restrict_self().context("enforcing ruleset")?;
+    if !opts.exec.is_empty() {
+        let mut cmd = exec::Command::new(&opts.exec[0]);
+        if opts.exec.len() > 1 {
+            cmd.args(&opts.exec[1..]);
+        }
+        if opts.clear_env {
+            for (k, _) in std::env::vars() {
+                unsafe {
+                    std::env::remove_var(k);
+                }
+            }
+        }
+        if !opts.env.is_empty() {
+            for (k, v) in opts.env {
+                unsafe {
+                    std::env::set_var(k, v);
+                }
+            }
+        }
+        let err = cmd.exec();
+        eprintln!("failed to run process: {}", err);
+    } else {
+        eprintln!(
+            "
+            yoke -- simple command sandboxer
+
+            use: yoke [rules] [command]
+
+            rules:
+                --fs [access]=/path:/another/path,[access]=/more/path
+                filesystem rules
+
+                --tcp [access]=1234:5678,[access]=91011
+                tcp port rules
+                
+                --env [key]=[value]
+                include env vars for process
+                
+                --clear-env
+                clear all inherited env vars
+
+            access specifiers (only one may be used per entry):
+                fs:
+                    r - read (implies execute)
+                    w - write (implies read+execute)
+                tcp:
+                    i - in/bind
+                    o - out/connect
+            example:
+                yoke --fs r=$(which ls):/etc ls /etc
+                yoke --tcp i=80:443,o=80:443 --fs r=/srv/web --clear-env --env SERVE_FROM=/srv/web myhttpserver
+            "
+        );
+    }
+    Ok(())
+}