RubyGems - landlock - Versions diffs - 0.1.0 - Mend

landlock 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml ADDED Viewed

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 6cf65089e4af85184c67c7a2e6c679932dd21c492882ccf9cf4612d5603cb7a4
+  data.tar.gz: a987aaefb3e9ec52f69087c533fed5e384157aa4e1caebbc56226030c84e1112
+SHA512:
+  metadata.gz: 6de7d6d837c0365fcf6d18e4cf3d41d291d6d043b71a3b05d1501e3c805faf7acd082865e67bad699814f0bdd342859f7790e80c3d58e510b83f8121e3445955
+  data.tar.gz: f87863bd3de8f8a8d5ce6ffd56382bafcf6cefc7ec74dca9ea9a7e6df7c5f759c556f51a2e687668d0fd30b809cf07a8136b73e26467dd069d021977a5abd4e2

data/LICENSE.txt ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2026 Sam Saffron
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md ADDED Viewed

@@ -0,0 +1,81 @@
+# landlock
+Ruby bindings for Linux [Landlock](https://docs.kernel.org/userspace-api/landlock.html): unprivileged, kernel-enforced sandboxing for the current process and its descendants.
+This gem includes a small native extension around the three Landlock syscalls and a Ruby API for safe subprocess execution.
+## Status
+Experimental. Filesystem support requires Landlock ABI v1+. TCP network rules require ABI v4+.
+```ruby
+require "landlock"
+puts Landlock.abi_version
+puts Landlock.supported?
+```
+## Safe subprocess execution
+Allow Ruby to execute and read its runtime, but only allow outbound TCP connections to port 443:
+```ruby
+status = Landlock.exec(
+  [RbConfig.ruby, "script.rb"],
+  read: ["/usr", "/lib", "/lib64", "/etc/ssl"],
+  execute: ["/usr", "/lib", "/lib64"],
+  connect_tcp: [443]
+)
+abort "failed" unless status.success?
+```
+Deny all outbound TCP except the listed ports:
+```ruby
+Landlock.exec(
+  ["curl", "https://example.com"],
+  read: ["/usr", "/lib", "/lib64", "/etc/ssl", "/etc/resolv.conf", "/etc/hosts"],
+  execute: ["/usr", "/lib", "/lib64"],
+  connect_tcp: [443]
+)
+```
+Allow binding a local TCP port:
+```ruby
+Landlock.exec(
+  [RbConfig.ruby, "server.rb"],
+  read: ["/usr", "/lib", "/lib64", Dir.pwd],
+  execute: ["/usr", "/lib", "/lib64"],
+  bind_tcp: [9292]
+)
+```
+## Restrict current process
+This is irreversible for the current thread/process. Use `Landlock.exec` or `Landlock.spawn` unless you really mean it.
+```ruby
+Landlock.restrict!(
+  read: ["/usr", "/app"],
+  write: ["/tmp/my-output"],
+  connect_tcp: [443]
+)
+```
+## Lower-level path rules
+```ruby
+Landlock.restrict!(
+  paths: [
+    { path: "/usr", rights: %i[read_file read_dir execute] },
+    { path: "/tmp/out", rights: %i[read_file read_dir write_file truncate make_reg remove_file] }
+  ],
+  connect_tcp: [443]
+)
+```
+## Caveats
+Landlock is not a complete container. It does not impose CPU/memory limits, hide already-open file descriptors, or replace seccomp/namespaces/cgroups. For serious untrusted execution, combine it with controlled environment, `close_others`, resource limits, and preferably process isolation.

data/ext/landlock/extconf.rb ADDED Viewed

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+require "mkmf"
+abort "missing ruby headers" unless have_header("ruby.h")
+have_header("linux/landlock.h")
+have_header("sys/prctl.h")
+have_header("sys/syscall.h")
+have_header("fcntl.h")
+create_makefile("landlock/landlock")

data/ext/landlock/landlock.c ADDED Viewed

@@ -0,0 +1,280 @@
+#include "ruby.h"
+#include <errno.h>
+#include <fcntl.h>
+#include <stdint.h>
+#include <stddef.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/prctl.h>
+#include <sys/syscall.h>
+#ifdef HAVE_LINUX_LANDLOCK_H
+#include <linux/landlock.h>
+#endif
+#ifndef SYS_landlock_create_ruleset
+# if defined(__x86_64__)
+#  define SYS_landlock_create_ruleset 444
+#  define SYS_landlock_add_rule 445
+#  define SYS_landlock_restrict_self 446
+# elif defined(__aarch64__)
+#  define SYS_landlock_create_ruleset 444
+#  define SYS_landlock_add_rule 445
+#  define SYS_landlock_restrict_self 446
+# elif defined(__i386__)
+#  define SYS_landlock_create_ruleset 451
+#  define SYS_landlock_add_rule 452
+#  define SYS_landlock_restrict_self 453
+# endif
+#endif
+#ifndef LANDLOCK_CREATE_RULESET_VERSION
+#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
+#endif
+#ifndef LANDLOCK_RULE_PATH_BENEATH
+#define LANDLOCK_RULE_PATH_BENEATH 1
+#endif
+#ifndef LANDLOCK_RULE_NET_PORT
+#define LANDLOCK_RULE_NET_PORT 2
+#endif
+#ifndef LANDLOCK_ACCESS_FS_EXECUTE
+#define LANDLOCK_ACCESS_FS_EXECUTE    (1ULL << 0)
+#endif
+#ifndef LANDLOCK_ACCESS_FS_WRITE_FILE
+#define LANDLOCK_ACCESS_FS_WRITE_FILE (1ULL << 1)
+#endif
+#ifndef LANDLOCK_ACCESS_FS_READ_FILE
+#define LANDLOCK_ACCESS_FS_READ_FILE  (1ULL << 2)
+#endif
+#ifndef LANDLOCK_ACCESS_FS_READ_DIR
+#define LANDLOCK_ACCESS_FS_READ_DIR   (1ULL << 3)
+#endif
+#ifndef LANDLOCK_ACCESS_FS_REMOVE_DIR
+#define LANDLOCK_ACCESS_FS_REMOVE_DIR (1ULL << 4)
+#endif
+#ifndef LANDLOCK_ACCESS_FS_REMOVE_FILE
+#define LANDLOCK_ACCESS_FS_REMOVE_FILE (1ULL << 5)
+#endif
+#ifndef LANDLOCK_ACCESS_FS_MAKE_CHAR
+#define LANDLOCK_ACCESS_FS_MAKE_CHAR  (1ULL << 6)
+#endif
+#ifndef LANDLOCK_ACCESS_FS_MAKE_DIR
+#define LANDLOCK_ACCESS_FS_MAKE_DIR   (1ULL << 7)
+#endif
+#ifndef LANDLOCK_ACCESS_FS_MAKE_REG
+#define LANDLOCK_ACCESS_FS_MAKE_REG   (1ULL << 8)
+#endif
+#ifndef LANDLOCK_ACCESS_FS_MAKE_SOCK
+#define LANDLOCK_ACCESS_FS_MAKE_SOCK  (1ULL << 9)
+#endif
+#ifndef LANDLOCK_ACCESS_FS_MAKE_FIFO
+#define LANDLOCK_ACCESS_FS_MAKE_FIFO  (1ULL << 10)
+#endif
+#ifndef LANDLOCK_ACCESS_FS_MAKE_BLOCK
+#define LANDLOCK_ACCESS_FS_MAKE_BLOCK (1ULL << 11)
+#endif
+#ifndef LANDLOCK_ACCESS_FS_MAKE_SYM
+#define LANDLOCK_ACCESS_FS_MAKE_SYM   (1ULL << 12)
+#endif
+#ifndef LANDLOCK_ACCESS_FS_REFER
+#define LANDLOCK_ACCESS_FS_REFER      (1ULL << 13)
+#endif
+#ifndef LANDLOCK_ACCESS_FS_TRUNCATE
+#define LANDLOCK_ACCESS_FS_TRUNCATE   (1ULL << 14)
+#endif
+#ifndef LANDLOCK_ACCESS_FS_IOCTL_DEV
+#define LANDLOCK_ACCESS_FS_IOCTL_DEV  (1ULL << 15)
+#endif
+#ifndef LANDLOCK_ACCESS_NET_BIND_TCP
+#define LANDLOCK_ACCESS_NET_BIND_TCP    (1ULL << 0)
+#endif
+#ifndef LANDLOCK_ACCESS_NET_CONNECT_TCP
+#define LANDLOCK_ACCESS_NET_CONNECT_TCP (1ULL << 1)
+#endif
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
+#ifndef O_CLOEXEC
+#define O_CLOEXEC 02000000
+#endif
+struct rb_landlock_ruleset_attr {
+  uint64_t handled_access_fs;
+  uint64_t handled_access_net;
+  uint64_t scoped;
+};
+struct rb_landlock_path_beneath_attr {
+  uint64_t allowed_access;
+  int32_t parent_fd;
+} __attribute__((packed));
+struct rb_landlock_net_port_attr {
+  uint64_t allowed_access;
+  uint64_t port;
+};
+static VALUE mLandlock;
+static VALUE eLandlockError;
+static VALUE eSyscallError;
+static long ll_create_ruleset(const void *attr, size_t size, uint32_t flags) {
+#ifdef SYS_landlock_create_ruleset
+  return syscall(SYS_landlock_create_ruleset, attr, size, flags);
+#else
+  errno = ENOSYS;
+  return -1;
+#endif
+}
+static long ll_add_rule(int ruleset_fd, int rule_type, const void *rule_attr, uint32_t flags) {
+#ifdef SYS_landlock_add_rule
+  return syscall(SYS_landlock_add_rule, ruleset_fd, rule_type, rule_attr, flags);
+#else
+  errno = ENOSYS;
+  return -1;
+#endif
+}
+static long ll_restrict_self(int ruleset_fd, uint32_t flags) {
+#ifdef SYS_landlock_restrict_self
+  return syscall(SYS_landlock_restrict_self, ruleset_fd, flags);
+#else
+  errno = ENOSYS;
+  return -1;
+#endif
+}
+static void raise_syscall_error(const char *syscall_name) {
+  int saved_errno = errno;
+  VALUE err = rb_funcall(eSyscallError, rb_intern("new"), 3,
+                         rb_str_new_cstr(syscall_name),
+                         INT2NUM(saved_errno),
+                         rb_sprintf("%s failed: %s", syscall_name, strerror(saved_errno)));
+  rb_exc_raise(err);
+}
+static VALUE rb_ll_abi_version(VALUE self) {
+  long abi = ll_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
+  if (abi < 0) {
+    if (errno == ENOSYS || errno == EOPNOTSUPP) return INT2FIX(0);
+    raise_syscall_error("landlock_create_ruleset");
+  }
+  return LONG2NUM(abi);
+}
+static VALUE rb_ll_create_ruleset(VALUE self, VALUE fs_bits, VALUE net_bits) {
+  struct rb_landlock_ruleset_attr attr;
+  uint64_t handled_access_net = NUM2ULL(net_bits);
+  size_t attr_size = handled_access_net == 0 ?
+                     offsetof(struct rb_landlock_ruleset_attr, handled_access_net) :
+                     offsetof(struct rb_landlock_ruleset_attr, scoped);
+  memset(&attr, 0, sizeof(attr));
+  attr.handled_access_fs = NUM2ULL(fs_bits);
+  attr.handled_access_net = handled_access_net;
+  long fd = ll_create_ruleset(&attr, attr_size, 0);
+  if (fd < 0) raise_syscall_error("landlock_create_ruleset");
+  return INT2NUM(fd);
+}
+static VALUE rb_ll_add_path_rule(VALUE self, VALUE ruleset_fd, VALUE path, VALUE access_bits) {
+  Check_Type(path, T_STRING);
+  const char *cpath = StringValueCStr(path);
+  int parent_fd = open(cpath, O_PATH | O_CLOEXEC);
+  if (parent_fd < 0) raise_syscall_error("open");
+  struct rb_landlock_path_beneath_attr rule;
+  memset(&rule, 0, sizeof(rule));
+  rule.allowed_access = NUM2ULL(access_bits);
+  rule.parent_fd = parent_fd;
+  long ret = ll_add_rule(NUM2INT(ruleset_fd), LANDLOCK_RULE_PATH_BENEATH, &rule, 0);
+  int saved_errno = errno;
+  close(parent_fd);
+  if (ret < 0) {
+    errno = saved_errno;
+    raise_syscall_error("landlock_add_rule(path_beneath)");
+  }
+  return Qtrue;
+}
+static VALUE rb_ll_add_net_rule(VALUE self, VALUE ruleset_fd, VALUE port, VALUE access_bits) {
+  unsigned long long p = NUM2ULL(port);
+  if (p > 65535ULL) rb_raise(rb_eArgError, "TCP port must be between 0 and 65535");
+  struct rb_landlock_net_port_attr rule;
+  memset(&rule, 0, sizeof(rule));
+  rule.allowed_access = NUM2ULL(access_bits);
+  rule.port = p;
+  long ret = ll_add_rule(NUM2INT(ruleset_fd), LANDLOCK_RULE_NET_PORT, &rule, 0);
+  if (ret < 0) raise_syscall_error("landlock_add_rule(net_port)");
+  return Qtrue;
+}
+static VALUE rb_ll_restrict_self(VALUE self, VALUE ruleset_fd) {
+  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
+    raise_syscall_error("prctl(PR_SET_NO_NEW_PRIVS)");
+  }
+  long ret = ll_restrict_self(NUM2INT(ruleset_fd), 0);
+  if (ret < 0) raise_syscall_error("landlock_restrict_self");
+  return Qtrue;
+}
+static VALUE rb_ll_close_fd(VALUE self, VALUE fd_value) {
+  int fd = NUM2INT(fd_value);
+  if (fd >= 0) close(fd);
+  return Qnil;
+}
+void Init_landlock(void) {
+  mLandlock = rb_define_module("Landlock");
+  if (rb_const_defined(mLandlock, rb_intern("Error"))) {
+    eLandlockError = rb_const_get(mLandlock, rb_intern("Error"));
+  } else {
+    eLandlockError = rb_define_class_under(mLandlock, "Error", rb_eStandardError);
+  }
+  if (rb_const_defined(mLandlock, rb_intern("SyscallError"))) {
+    eSyscallError = rb_const_get(mLandlock, rb_intern("SyscallError"));
+  } else {
+    eSyscallError = rb_define_class_under(mLandlock, "SyscallError", eLandlockError);
+  }
+  rb_define_singleton_method(mLandlock, "abi_version", rb_ll_abi_version, 0);
+  rb_define_singleton_method(mLandlock, "_create_ruleset", rb_ll_create_ruleset, 2);
+  rb_define_singleton_method(mLandlock, "_add_path_rule", rb_ll_add_path_rule, 3);
+  rb_define_singleton_method(mLandlock, "_add_net_rule", rb_ll_add_net_rule, 3);
+  rb_define_singleton_method(mLandlock, "_restrict_self", rb_ll_restrict_self, 1);
+  rb_define_singleton_method(mLandlock, "_close_fd", rb_ll_close_fd, 1);
+  rb_define_const(mLandlock, "ACCESS_FS_EXECUTE", ULL2NUM(LANDLOCK_ACCESS_FS_EXECUTE));
+  rb_define_const(mLandlock, "ACCESS_FS_WRITE_FILE", ULL2NUM(LANDLOCK_ACCESS_FS_WRITE_FILE));
+  rb_define_const(mLandlock, "ACCESS_FS_READ_FILE", ULL2NUM(LANDLOCK_ACCESS_FS_READ_FILE));
+  rb_define_const(mLandlock, "ACCESS_FS_READ_DIR", ULL2NUM(LANDLOCK_ACCESS_FS_READ_DIR));
+  rb_define_const(mLandlock, "ACCESS_FS_REMOVE_DIR", ULL2NUM(LANDLOCK_ACCESS_FS_REMOVE_DIR));
+  rb_define_const(mLandlock, "ACCESS_FS_REMOVE_FILE", ULL2NUM(LANDLOCK_ACCESS_FS_REMOVE_FILE));
+  rb_define_const(mLandlock, "ACCESS_FS_MAKE_CHAR", ULL2NUM(LANDLOCK_ACCESS_FS_MAKE_CHAR));
+  rb_define_const(mLandlock, "ACCESS_FS_MAKE_DIR", ULL2NUM(LANDLOCK_ACCESS_FS_MAKE_DIR));
+  rb_define_const(mLandlock, "ACCESS_FS_MAKE_REG", ULL2NUM(LANDLOCK_ACCESS_FS_MAKE_REG));
+  rb_define_const(mLandlock, "ACCESS_FS_MAKE_SOCK", ULL2NUM(LANDLOCK_ACCESS_FS_MAKE_SOCK));
+  rb_define_const(mLandlock, "ACCESS_FS_MAKE_FIFO", ULL2NUM(LANDLOCK_ACCESS_FS_MAKE_FIFO));
+  rb_define_const(mLandlock, "ACCESS_FS_MAKE_BLOCK", ULL2NUM(LANDLOCK_ACCESS_FS_MAKE_BLOCK));
+  rb_define_const(mLandlock, "ACCESS_FS_MAKE_SYM", ULL2NUM(LANDLOCK_ACCESS_FS_MAKE_SYM));
+  rb_define_const(mLandlock, "ACCESS_FS_REFER", ULL2NUM(LANDLOCK_ACCESS_FS_REFER));
+  rb_define_const(mLandlock, "ACCESS_FS_TRUNCATE", ULL2NUM(LANDLOCK_ACCESS_FS_TRUNCATE));
+  rb_define_const(mLandlock, "ACCESS_FS_IOCTL_DEV", ULL2NUM(LANDLOCK_ACCESS_FS_IOCTL_DEV));
+  rb_define_const(mLandlock, "ACCESS_NET_BIND_TCP", ULL2NUM(LANDLOCK_ACCESS_NET_BIND_TCP));
+  rb_define_const(mLandlock, "ACCESS_NET_CONNECT_TCP", ULL2NUM(LANDLOCK_ACCESS_NET_CONNECT_TCP));
+}

data/lib/landlock/version.rb ADDED Viewed

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+module Landlock
+  VERSION = "0.1.0"
+end

data/lib/landlock.rb ADDED Viewed

@@ -0,0 +1,195 @@
+# frozen_string_literal: true
+require_relative "landlock/version"
+require_relative "landlock/landlock"
+module Landlock
+  class Error < StandardError; end
+  class UnsupportedError < Error; end
+  class SyscallError < Error
+    attr_reader :errno, :syscall
+    def initialize(syscall, errno, message = nil)
+      @syscall = syscall
+      @errno = errno
+      super(message || "#{syscall} failed: #{errno}")
+    end
+  end
+  FS_RIGHTS = {
+    execute: ACCESS_FS_EXECUTE,
+    write_file: ACCESS_FS_WRITE_FILE,
+    read_file: ACCESS_FS_READ_FILE,
+    read_dir: ACCESS_FS_READ_DIR,
+    remove_dir: ACCESS_FS_REMOVE_DIR,
+    remove_file: ACCESS_FS_REMOVE_FILE,
+    make_char: ACCESS_FS_MAKE_CHAR,
+    make_dir: ACCESS_FS_MAKE_DIR,
+    make_reg: ACCESS_FS_MAKE_REG,
+    make_sock: ACCESS_FS_MAKE_SOCK,
+    make_fifo: ACCESS_FS_MAKE_FIFO,
+    make_block: ACCESS_FS_MAKE_BLOCK,
+    make_sym: ACCESS_FS_MAKE_SYM,
+    refer: ACCESS_FS_REFER,
+    truncate: ACCESS_FS_TRUNCATE,
+    ioctl_dev: ACCESS_FS_IOCTL_DEV
+  }.freeze
+  NET_RIGHTS = {
+    bind_tcp: ACCESS_NET_BIND_TCP,
+    connect_tcp: ACCESS_NET_CONNECT_TCP
+  }.freeze
+  READ_RIGHTS = %i[read_file read_dir].freeze
+  EXEC_RIGHTS = %i[execute read_file read_dir].freeze
+  WRITE_RIGHTS = %i[
+    read_file read_dir write_file truncate remove_dir remove_file make_char
+    make_dir make_reg make_sock make_fifo make_block make_sym refer
+  ].freeze
+  module_function
+  def supported?
+    abi_version.positive?
+  rescue Error
+    false
+  end
+  def restrict!(read: [], write: [], execute: [], connect_tcp: [], bind_tcp: [], paths: [], allow_all_known: false)
+    abi = abi_version
+    raise UnsupportedError, "Linux Landlock is unavailable" unless abi.positive?
+    fs_handled = allow_all_known ? _fs_rights_for_abi(abi) : _handled_fs_for(read:, write:, execute:, paths:, abi:)
+    net_handled = _handled_net_for(connect_tcp:, bind_tcp:, abi:)
+    if fs_handled.zero? && net_handled.zero?
+      raise ArgumentError, "empty Landlock policy: provide filesystem paths or TCP ports"
+    end
+    fd = _create_ruleset(fs_handled, net_handled)
+    begin
+      add_path_rules(fd, read, READ_RIGHTS, abi)
+      add_path_rules(fd, execute, EXEC_RIGHTS, abi)
+      add_path_rules(fd, write, WRITE_RIGHTS, abi)
+      paths.each do |rule|
+        path, rights = normalize_path_rule(rule)
+        _add_path_rule(fd, File.expand_path(path), mask(rights, FS_RIGHTS, abi))
+      end
+      add_net_rules(fd, connect_tcp, [:connect_tcp], abi)
+      add_net_rules(fd, bind_tcp, [:bind_tcp], abi)
+      _restrict_self(fd)
+    ensure
+      _close_fd(fd) if fd && fd >= 0
+    end
+    true
+  end
+  def exec(argv, read: [], write: [], execute: [], connect_tcp: [], bind_tcp: [], paths: [], chdir: nil, env: nil, unsetenv_others: false, close_others: true)
+    argv = Array(argv)
+    raise ArgumentError, "argv must not be empty" if argv.empty?
+    pid = fork do
+      # Safe after fork: this runs only in the child process before exec.
+      Dir.chdir(chdir) if chdir # rubocop:disable Discourse/NoChdir
+      restrict!(read:, write:, execute:, connect_tcp:, bind_tcp:, paths:)
+      if env
+        exec_env = unsetenv_others ? env : ENV.to_h.merge(env)
+        Kernel.exec(exec_env, *argv, close_others: close_others)
+      else
+        Kernel.exec(*argv, close_others: close_others)
+      end
+    end
+    _, status = Process.wait2(pid)
+    status
+  end
+  def spawn(argv, **opts)
+    argv = Array(argv)
+    raise ArgumentError, "argv must not be empty" if argv.empty?
+    fork do
+      # Safe after fork: this runs only in the child process before exec.
+      Dir.chdir(opts[:chdir]) if opts[:chdir] # rubocop:disable Discourse/NoChdir
+      restrict!(
+        read: opts.fetch(:read, []),
+        write: opts.fetch(:write, []),
+        execute: opts.fetch(:execute, []),
+        connect_tcp: opts.fetch(:connect_tcp, []),
+        bind_tcp: opts.fetch(:bind_tcp, []),
+        paths: opts.fetch(:paths, [])
+      )
+      Kernel.exec(*argv, close_others: opts.fetch(:close_others, true))
+    end
+  end
+  def add_path_rules(fd, paths, rights, abi)
+    Array(paths).each { |path| _add_path_rule(fd, File.expand_path(path), mask(rights, FS_RIGHTS, abi)) }
+  end
+  private_class_method :add_path_rules
+  def add_net_rules(fd, ports, rights, abi)
+    return if Array(ports).empty?
+    raise UnsupportedError, "Landlock network rules require ABI v4+; running ABI v#{abi}" if abi < 4
+    Array(ports).each { |port| _add_net_rule(fd, Integer(port), mask(rights, NET_RIGHTS, abi)) }
+  end
+  private_class_method :add_net_rules
+  def normalize_path_rule(rule)
+    case rule
+    when Hash
+      [rule.fetch(:path), Array(rule.fetch(:rights))]
+    when Array
+      [rule.fetch(0), Array(rule.fetch(1))]
+    else
+      raise ArgumentError, "path rule must be {path:, rights:} or [path, rights]"
+    end
+  end
+  private_class_method :normalize_path_rule
+  def mask(names, table, abi)
+    Array(names).reduce(0) do |bits, name|
+      bit = table.fetch(name.to_sym) { raise ArgumentError, "unknown Landlock right: #{name.inspect}" }
+      next bits if bit == ACCESS_FS_REFER && abi < 2
+      next bits if bit == ACCESS_FS_TRUNCATE && abi < 3
+      next bits if bit == ACCESS_FS_IOCTL_DEV && abi < 5
+      bits | bit
+    end
+  end
+  private_class_method :mask
+  def _fs_rights_for_abi(abi)
+    rights = FS_RIGHTS.values.reduce(0, :|)
+    rights &= ~ACCESS_FS_REFER if abi < 2
+    rights &= ~ACCESS_FS_TRUNCATE if abi < 3
+    rights &= ~ACCESS_FS_IOCTL_DEV if abi < 5
+    rights
+  end
+  def _handled_fs_for(read:, write:, execute:, paths:, abi:)
+    bits = 0
+    bits |= mask(READ_RIGHTS, FS_RIGHTS, abi) unless Array(read).empty?
+    bits |= mask(EXEC_RIGHTS, FS_RIGHTS, abi) unless Array(execute).empty?
+    bits |= mask(WRITE_RIGHTS, FS_RIGHTS, abi) unless Array(write).empty?
+    Array(paths).each { |rule| bits |= mask(normalize_path_rule(rule).last, FS_RIGHTS, abi) }
+    bits
+  end
+  private_class_method :_handled_fs_for
+  def _handled_net_for(connect_tcp:, bind_tcp:, abi:)
+    bits = 0
+    bits |= ACCESS_NET_CONNECT_TCP unless Array(connect_tcp).empty?
+    bits |= ACCESS_NET_BIND_TCP unless Array(bind_tcp).empty?
+    return 0 if bits.zero?
+    raise UnsupportedError, "Landlock network rules require ABI v4+; running ABI v#{abi}" if abi < 4
+    bits
+  end
+  private_class_method :_handled_net_for
+end

metadata ADDED Viewed

@@ -0,0 +1,107 @@
+--- !ruby/object:Gem::Specification
+name: landlock
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Sam Saffron
+bindir: bin
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: rake-compiler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: rubocop-discourse
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.9'
+description: Native Ruby wrappers for Linux Landlock with filesystem and TCP port
+  restrictions for safe subprocess execution.
+email:
+- sam.saffron@gmail.com
+executables: []
+extensions:
+- ext/landlock/extconf.rb
+extra_rdoc_files: []
+files:
+- LICENSE.txt
+- README.md
+- ext/landlock/extconf.rb
+- ext/landlock/landlock.c
+- lib/landlock.rb
+- lib/landlock/version.rb
+homepage: https://github.com/discourse/ruby-landlock
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/discourse/ruby-landlock
+  source_code_uri: https://github.com/discourse/ruby-landlock
+  rubygems_mfa_required: 'true'
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.3'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 4.0.6
+specification_version: 4
+summary: Ruby bindings for Linux Landlock sandboxing
+test_files: []