From d315bc5663b04f2b6a3812b8d07d945323d72e85 Mon Sep 17 00:00:00 2001 From: atagen Date: Mon, 3 Nov 2025 15:16:44 +1100 Subject: [PATCH] expand permissions system, allow escapes --- src/main.rs | 60 +++++++++++++++++++++++++++++++++++----------------- src/parse.rs | 31 +++++++++++++++++++-------- src/types.rs | 19 +++++++++-------- 3 files changed, 73 insertions(+), 37 deletions(-) diff --git a/src/main.rs b/src/main.rs index f315ec4..cfcc4b3 100644 --- a/src/main.rs +++ b/src/main.rs @@ -9,8 +9,6 @@ use landlock::{ RulesetCreatedAttr, Scope, make_bitflags, path_beneath_rules, }; -use crate::types::BasePermission; - fn main() -> Result<()> { let opts = parse::parse_args()?; if opts.exec.is_empty() { @@ -43,13 +41,18 @@ rule types resolve process dependencies and add to sandbox: --ldd | -l + unsandbox: + --no-fs | -nf + --no-tcp | -nt + specifiers ------------ fs: - r - read (implies execute) - w - write (implies read+execute) - i - allow ioctls (implies nothing - may require read or write) + r - read + w - write + x - execute + i - ioctl tcp: i - in/bind @@ -76,16 +79,14 @@ examples .scope(Scope::AbstractUnixSocket) .context("scoping sockets")?; } - let is_fs = !opts.fs.is_empty(); - let is_tcp = !opts.tcp.is_empty(); - preempt = if is_fs { + preempt = if !opts.unsandbox.fs { preempt .handle_access(AccessFs::from_all(ABI::V6)) .context("handling fs access")? } else { preempt }; - preempt = if is_tcp { + preempt = if !opts.unsandbox.tcp { preempt .handle_access(AccessNet::BindTcp) .context("handling tcp bind access")? @@ -96,13 +97,32 @@ examples }; let mut ruleset = preempt.create().context("creating ruleset")?; for (perms, paths) in opts.fs { - let mut access = match perms.base { - BasePermission::Unset => BitFlags::empty(), - BasePermission::Read => AccessFs::from_read(ABI::V6), - BasePermission::Write => AccessFs::from_write(ABI::V6), - }; + let mut access = BitFlags::empty(); + if perms.read { + access.insert(make_bitflags!(AccessFs::{ReadFile | ReadDir})); + } + if perms.write { + access.insert(make_bitflags!( + AccessFs::{ WriteFile + | RemoveDir + | RemoveFile + | MakeChar + | MakeDir + | MakeReg + | MakeSock + | MakeFifo + | MakeBlock + | MakeSym + | Refer + | Truncate + } + )); + } + if perms.execute { + access.insert(AccessFs::Execute); + } if perms.ioctl { - access.insert(make_bitflags!(AccessFs::IoctlDev)); + access.insert(AccessFs::IoctlDev); } if access == BitFlags::empty() { return Err(anyhow!("invalid filesystem permissions requested")); @@ -126,10 +146,12 @@ examples } } let fullpath = which::which(&opts.exec[0]).context("finding executable")?; - ruleset = ruleset.add_rules(path_beneath_rules( - std::slice::from_ref(&fullpath), - AccessFs::from_read(ABI::V6), - ))?; + if !opts.unsandbox.fs { + ruleset = ruleset.add_rules(path_beneath_rules( + std::slice::from_ref(&fullpath), + AccessFs::from_read(ABI::V6), + ))?; + } if opts.ldd { let loader = DynamicLoader::options() .search_dirs(glibc::get_hard_coded_search_dirs(None)?) diff --git a/src/parse.rs b/src/parse.rs index 6e38e62..a369689 100644 --- a/src/parse.rs +++ b/src/parse.rs @@ -1,5 +1,5 @@ -use crate::types::{BasePermission, Direction, Permissions, Yoke}; -use anyhow::{Context, Result, anyhow}; +use crate::types::{Direction, Permissions, Yoke}; +use anyhow::{anyhow, Context, Result}; use std::{collections::HashMap, path::PathBuf, str::FromStr}; #[derive(PartialEq)] @@ -32,17 +32,18 @@ fn fs_parse(pairs: &[String]) -> Result>> { .ok_or(anyhow!("invalid filesystem pair"))?; let mut perms = Permissions::default(); - - use BasePermission::*; for c in s_perm.chars() { match c { - 'r' | 'R' if perms.base == Unset => { - perms.base = Read; + 'r' => { + perms.read = true; } - 'w' | 'W' => { - perms.base = Write; + 'w' => { + perms.write = true; } - 'i' | 'I' => { + 'x' => { + perms.execute = true; + } + 'i' => { perms.ioctl = true; } s => return Err(anyhow!("invalid access specifier {}", s)), @@ -150,6 +151,18 @@ pub fn parse_args() -> Result { cur_arg = Unset; yoke.ldd = true; } + "--no-fs" | "-nf" => { + collect_args(&mut yoke, &collector, &cur_arg)?; + collector.clear(); + cur_arg = Unset; + yoke.unsandbox.fs = true; + } + "--no-tcp" | "-nt" => { + collect_args(&mut yoke, &collector, &cur_arg)?; + collector.clear(); + cur_arg = Unset; + yoke.unsandbox.tcp = true; + } "--" => { collect_args(&mut yoke, &collector, &cur_arg)?; collector.clear(); diff --git a/src/types.rs b/src/types.rs index 50876bc..fffb4be 100644 --- a/src/types.rs +++ b/src/types.rs @@ -1,5 +1,11 @@ use std::{collections::HashMap, path::PathBuf}; +#[derive(Debug, Default)] +pub struct Unsandbox { + pub fs: bool, + pub tcp: bool, +} + #[derive(Debug, Default)] pub struct Yoke { pub fs: HashMap>, @@ -8,21 +14,16 @@ pub struct Yoke { pub retain_env: bool, pub signals: bool, pub sockets: bool, + pub unsandbox: Unsandbox, pub ldd: bool, pub exec: Vec, } -#[derive(Clone, Copy, Debug, Hash, PartialEq, Eq, Default)] -pub enum BasePermission { - #[default] - Unset, - Read, - Write, -} - #[derive(Clone, Copy, Debug, Hash, PartialEq, Eq, Default)] pub struct Permissions { - pub base: BasePermission, + pub read: bool, + pub write: bool, + pub execute: bool, pub ioctl: bool, }