landlock 0.1.1 → 0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 60ae145a444fb3dd4c072fe4e5c8bac7de1836325a6d84e10be894d5b2f9ed2c
-  data.tar.gz: 983b4da291286f4c903d12cb625508f1a569de918167a2c3f1fab450fcdeb866
+  metadata.gz: baea0cbd5b22406f288880dd5bcec85569c3134b256657d876a502f37e622364
+  data.tar.gz: a383e9cb807f51e2fd6e5d15a5d3d22c61d20a9ee2f9dffb046a1a97e24c2a6e
 SHA512:
-  metadata.gz: ff7628efa5a0f464788e1adfe215d457e77eef7d8c94d1c6ee17a61f651732e3012afe0a1ae04792709b7255e5e8196576f4b5b19a0f7351a719cdfa6e72b49b
-  data.tar.gz: 596b360c7dbcc2bd5079ea597df5b39d9d57c240ed6298d30ddeace1b955294e34bffe7f58353d3bcf01ae897bf2d738d5527c3cc25af1e485506de5f359d91e
+  metadata.gz: c385390bd6b239d5a7b495d74388ba9bb357787900ef73bfbd953d8353c49ce893117df8cc80fe95b0c9b2e8a6c836988a8540b2fbfdbce244ff76a6879d7067
+  data.tar.gz: b1d754bbfd7b60ec81cc4d036bc13ab627253fdf2fdb55a752477a43f917381d819f8fa20870abcad264e2a86d0c5635cb327799ccc614800e3adb1088b9dfec

data/CHANGELOG.md

@@ -2,6 +2,14 @@
 
 All notable changes to this project will be documented in this file.
 
+## Unreleased
+
+### [0.2] - 2026-04-30
+
+- Add `Landlock::SafeExec.capture`, backed by a compiled `landlock-safe-exec` helper, for subprocess capture with Landlock, optional seccomp network denial, resource limits, exact environment handling, stdin, timeout handling, process-group cleanup, result metadata, and output limits.
+- Share native Landlock syscall/constant definitions between the Ruby extension and helper binary.
+- Add non-Linux/pass-through SafeExec behavior so integration code can run on platforms without the Linux sandbox backend while warning that sandbox options are ignored.
+
 ## [0.1.1] - 2026-04-30
 
 ### Security

data/README.md

@@ -66,6 +66,78 @@ Landlock.exec(
 )
 ```
 
+## SafeExec helper
+
+`Landlock::SafeExec.capture` runs a command through the compiled `landlock-safe-exec` helper. The helper applies Landlock rules, resource limits, and an optional seccomp network-deny filter in the execing process before replacing itself with the target command. This keeps the privileged setup out of Ruby/FFI and avoids running Ruby code in a post-fork child. Use `capture!` when unsuccessful exit statuses should raise.
+
+For example, inspect an uploaded video with `ffprobe` while only allowing reads from the upload and system runtime paths, denying network access, and bounding CPU/output:
+
+```ruby
+result = Landlock::SafeExec.capture(
+  "ffprobe",
+  "-v", "error",
+  "-show_format",
+  "-show_streams",
+  "-of", "json",
+  upload_path,
+  read: [upload_path, *Landlock::SafeExec.default_read_paths],
+  execute: Landlock::SafeExec.default_execute_paths,
+  env: { "PATH" => ENV.fetch("PATH", "") },
+  rlimits: {
+    cpu_seconds: 5,
+    memory_bytes: 512 * 1024 * 1024,
+    file_size_bytes: 0,
+    open_files: 64,
+    processes: 0
+  },
+  seccomp_deny_network: true,
+  max_output_bytes: 256 * 1024,
+  truncate_output: false
+)
+
+metadata = JSON.parse(result.stdout) if result.success?
+```
+
+Pass `stdin:` when a tool should read from standard input instead of a file:
+
+```ruby
+stdout, stderr, status = Landlock::SafeExec.capture(
+  "tr", "a-z", "A-Z",
+  stdin: "hello",
+  env: { "PATH" => ENV.fetch("PATH", "") }
+)
+```
+
+`capture` returns a `Landlock::SafeExec::Result` with `stdout`, `stderr`, `status`, `success?`, `timed_out?`, and `output_truncated?`, including for unsuccessful exit statuses. It also supports array destructuring:
+
+```ruby
+stdout, stderr, status = Landlock::SafeExec.capture("tool", "arg")
+```
+
+`capture!` has the same return shape for successful commands, but raises `Landlock::SafeExec::CommandError` for unsuccessful statuses. The error also exposes `stdout`, `stderr`, `status`, and `result`.
+
+SafeExec options:
+
+- `read:`, `write:`, `execute:` — filesystem allowlists. Explicit paths must exist; missing paths raise `ArgumentError` instead of being silently ignored.
+- `connect_tcp:` — allowed outbound TCP ports. If omitted on Landlock ABI v4+, SafeExec denies outbound TCP by installing a dummy allow rule for port `0`. Pass `connect_tcp: []` to leave outbound TCP unrestricted.
+- `bind_tcp:` — allowed TCP bind ports. Binding is unrestricted unless this is provided.
+- `seccomp_deny_network:` — additionally deny common Linux network syscalls with seccomp. This is Linux-specific and intended as defense in depth.
+- `rlimits:` — resource limits. Supported keys are `:cpu_seconds`, `:memory_bytes`, `:file_size_bytes`, `:open_files`, and `:processes`. Values must be non-negative integers.
+- `timeout:` — wall-clock timeout in seconds. On timeout SafeExec terminates the process group and returns/raises with `result.timed_out?` true.
+- `max_output_bytes:` — combined stdout+stderr byte limit. With `truncate_output: false`, exceeding the limit raises. With `truncate_output: true`, output is truncated and `result.output_truncated?` is true.
+- `stdin:` — string or IO-like object to write to the child process stdin.
+- `chdir:` — working directory for the child.
+- `env:` — exact child environment by default.
+- `inherit_env:` — when true, inherit the parent environment and apply `env:` as overrides.
+- `success_status_codes:` — status codes considered successful by `capture!`; defaults to `[0]`.
+- `allow_all_known:` — when filesystem rules are present, handle all Landlock filesystem rights known to the running ABI so unlisted filesystem access is denied. Defaults to `true`.
+
+SafeExec uses an exact environment by default: `env:` is the full environment passed to the child, not additions to the parent environment. Use `inherit_env: true` when a command really needs the parent environment plus the supplied `env:` overrides.
+
+Use `Landlock::SafeExec.supported?` (or `sandboxing?`) to check whether the Linux helper and Landlock are available. When this is false, SafeExec still runs commands in pass-through mode but does not enforce Landlock/seccomp sandbox options.
+
+On non-Linux platforms, or when the compiled helper is unavailable, SafeExec runs as a pass-through compatibility wrapper. Process-management features such as capture, timeout, environment handling, `chdir:`, output limits, `stdin:`, and supported `rlimits:` still apply, but Landlock and seccomp options (`read:`, `write:`, `execute:`, `connect_tcp:`, `bind_tcp:`, `seccomp_deny_network:`) are ignored and a warning is emitted. This makes cross-platform integration easier while keeping the security guarantees explicit: sandboxing is Linux-only.
+
 ## Restrict current process
 
 This is irreversible for the current thread and its future children. Use `Landlock.exec` or `Landlock.spawn` unless you really mean it.

data/ext/landlock/bin/safe_exec_helper.c

@@ -0,0 +1,369 @@
+#include "../landlock_native.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <limits.h>
+#include <sys/resource.h>
+#include <sys/stat.h>
+
+#ifdef __linux__
+#include <linux/audit.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
+#endif
+
+#ifndef SECCOMP_RET_ALLOW
+#define SECCOMP_RET_ALLOW 0x7fff0000U
+#endif
+#ifndef SECCOMP_RET_ERRNO
+#define SECCOMP_RET_ERRNO 0x00050000U
+#endif
+#ifndef SECCOMP_SET_MODE_FILTER
+#define SECCOMP_SET_MODE_FILTER 1
+#endif
+
+typedef struct {
+  char **items;
+  size_t len;
+  size_t cap;
+} string_list;
+
+typedef struct {
+  unsigned long long *items;
+  size_t len;
+  size_t cap;
+} ull_list;
+
+static void die(const char *message) {
+  perror(message);
+  _exit(126);
+}
+
+static void die_msg(const char *message) {
+  fprintf(stderr, "landlock-safe-exec: %s\n", message);
+  _exit(126);
+}
+
+static void string_list_push(string_list *list, char *value) {
+  if (list->len == list->cap) {
+    size_t cap = list->cap ? list->cap * 2 : 8;
+    char **items = realloc(list->items, cap * sizeof(char *));
+    if (!items) die("realloc");
+    list->items = items;
+    list->cap = cap;
+  }
+  list->items[list->len++] = value;
+}
+
+static void ull_list_push(ull_list *list, unsigned long long value) {
+  if (list->len == list->cap) {
+    size_t cap = list->cap ? list->cap * 2 : 8;
+    unsigned long long *items = realloc(list->items, cap * sizeof(unsigned long long));
+    if (!items) die("realloc");
+    list->items = items;
+    list->cap = cap;
+  }
+  list->items[list->len++] = value;
+}
+
+static unsigned long long parse_ull(const char *value, const char *name) {
+  if (!value || value[0] == '\0' || value[0] == '-') die_msg(name);
+
+  errno = 0;
+  char *end = NULL;
+  unsigned long long parsed = strtoull(value, &end, 10);
+  if (errno == ERANGE || !end || *end != '\0') die_msg(name);
+
+  return parsed;
+}
+
+static unsigned long long parse_port(const char *value) {
+  unsigned long long port = parse_ull(value, "TCP port must be an integer between 0 and 65535");
+  if (port > 65535ULL) die_msg("TCP port must be between 0 and 65535");
+  return port;
+}
+
+static int abi_version(void) {
+  long abi = ll_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
+  if (abi < 0 && (errno == ENOSYS || errno == EOPNOTSUPP)) return 0;
+  if (abi < 0) die("landlock_create_ruleset(version)");
+  return (int)abi;
+}
+
+static uint64_t known_fs_rights_for_abi(int abi) {
+  uint64_t rights = LANDLOCK_ACCESS_FS_EXECUTE |
+                    LANDLOCK_ACCESS_FS_WRITE_FILE |
+                    LANDLOCK_ACCESS_FS_READ_FILE |
+                    LANDLOCK_ACCESS_FS_READ_DIR |
+                    LANDLOCK_ACCESS_FS_REMOVE_DIR |
+                    LANDLOCK_ACCESS_FS_REMOVE_FILE |
+                    LANDLOCK_ACCESS_FS_MAKE_CHAR |
+                    LANDLOCK_ACCESS_FS_MAKE_DIR |
+                    LANDLOCK_ACCESS_FS_MAKE_REG |
+                    LANDLOCK_ACCESS_FS_MAKE_SOCK |
+                    LANDLOCK_ACCESS_FS_MAKE_FIFO |
+                    LANDLOCK_ACCESS_FS_MAKE_BLOCK |
+                    LANDLOCK_ACCESS_FS_MAKE_SYM;
+  if (abi >= 2) rights |= LANDLOCK_ACCESS_FS_REFER;
+  if (abi >= 3) rights |= LANDLOCK_ACCESS_FS_TRUNCATE;
+  if (abi >= 5) rights |= LANDLOCK_ACCESS_FS_IOCTL_DEV;
+  return rights;
+}
+
+static uint64_t read_rights(void) {
+  return LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
+}
+
+static uint64_t execute_rights(void) {
+  return LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
+}
+
+static uint64_t write_rights(int abi) {
+  return known_fs_rights_for_abi(abi) & ~LANDLOCK_ACCESS_FS_EXECUTE;
+}
+
+static uint64_t file_path_rights(void) {
+  return LANDLOCK_ACCESS_FS_EXECUTE |
+         LANDLOCK_ACCESS_FS_WRITE_FILE |
+         LANDLOCK_ACCESS_FS_READ_FILE |
+         LANDLOCK_ACCESS_FS_TRUNCATE |
+         LANDLOCK_ACCESS_FS_IOCTL_DEV;
+}
+
+static void add_path_rule(int fd, const char *path, uint64_t rights) {
+  int parent_fd = open(path, O_PATH | O_CLOEXEC);
+  if (parent_fd < 0) die("open(path rule)");
+
+  struct stat st;
+  if (fstat(parent_fd, &st) != 0) die("fstat(path rule)");
+  if (!S_ISDIR(st.st_mode)) rights &= file_path_rights();
+
+  struct rb_landlock_path_beneath_attr rule;
+  memset(&rule, 0, sizeof(rule));
+  rule.allowed_access = rights;
+  rule.parent_fd = parent_fd;
+
+  long ret = ll_add_rule(fd, LANDLOCK_RULE_PATH_BENEATH, &rule, 0);
+  int saved_errno = errno;
+  close(parent_fd);
+  if (ret < 0) {
+    errno = saved_errno;
+    die("landlock_add_rule(path_beneath)");
+  }
+}
+
+static void add_net_rule(int fd, unsigned long long port, uint64_t rights) {
+  if (port > 65535ULL) die_msg("TCP port must be between 0 and 65535");
+  struct rb_landlock_net_port_attr rule;
+  memset(&rule, 0, sizeof(rule));
+  rule.allowed_access = rights;
+  rule.port = port;
+  if (ll_add_rule(fd, LANDLOCK_RULE_NET_PORT, &rule, 0) < 0) die("landlock_add_rule(net_port)");
+}
+
+static void apply_landlock(string_list *read_paths, string_list *write_paths, string_list *execute_paths,
+                           ull_list *connect_ports, ull_list *bind_ports, int allow_all_known) {
+  int need_fs = read_paths->len || write_paths->len || execute_paths->len || allow_all_known;
+  int need_net = connect_ports->len || bind_ports->len;
+  if (!need_fs && !need_net) return;
+
+  int abi = abi_version();
+  if (abi <= 0) die_msg("Linux Landlock is unavailable");
+  if (need_net && abi < 4) die_msg("Landlock network rules require ABI v4+");
+
+  uint64_t fs_handled = allow_all_known ? known_fs_rights_for_abi(abi) : 0;
+  if (!allow_all_known) {
+    if (read_paths->len) fs_handled |= read_rights();
+    if (execute_paths->len) fs_handled |= execute_rights();
+    if (write_paths->len) fs_handled |= write_rights(abi);
+  }
+  uint64_t net_handled = 0;
+  if (bind_ports->len) net_handled |= LANDLOCK_ACCESS_NET_BIND_TCP;
+  if (connect_ports->len) net_handled |= LANDLOCK_ACCESS_NET_CONNECT_TCP;
+
+  struct rb_landlock_ruleset_attr attr;
+  memset(&attr, 0, sizeof(attr));
+  attr.handled_access_fs = fs_handled;
+  attr.handled_access_net = net_handled;
+
+  size_t attr_size = net_handled ? offsetof(struct rb_landlock_ruleset_attr, scoped) : offsetof(struct rb_landlock_ruleset_attr, handled_access_net);
+  int fd = (int)ll_create_ruleset(&attr, attr_size, 0);
+  if (fd < 0) die("landlock_create_ruleset");
+
+  for (size_t i = 0; i < read_paths->len; i++) add_path_rule(fd, read_paths->items[i], read_rights());
+  for (size_t i = 0; i < execute_paths->len; i++) add_path_rule(fd, execute_paths->items[i], execute_rights());
+  for (size_t i = 0; i < write_paths->len; i++) add_path_rule(fd, write_paths->items[i], write_rights(abi));
+  for (size_t i = 0; i < connect_ports->len; i++) add_net_rule(fd, connect_ports->items[i], LANDLOCK_ACCESS_NET_CONNECT_TCP);
+  for (size_t i = 0; i < bind_ports->len; i++) add_net_rule(fd, bind_ports->items[i], LANDLOCK_ACCESS_NET_BIND_TCP);
+
+  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) die("prctl(PR_SET_NO_NEW_PRIVS)");
+  if (ll_restrict_self(fd, 0) < 0) die("landlock_restrict_self");
+  close(fd);
+}
+
+static void apply_rlimit(const char *spec) {
+  char *copy = strdup(spec);
+  if (!copy) die("strdup");
+  char *eq = strchr(copy, '=');
+  if (!eq) die_msg("rlimit must be name=value");
+  *eq = '\0';
+  unsigned long long value = parse_ull(eq + 1, "rlimit value must be a non-negative integer");
+  int resource = -1;
+
+  if (strcmp(copy, "cpu_seconds") == 0) resource = RLIMIT_CPU;
+#ifdef RLIMIT_AS
+  else if (strcmp(copy, "memory_bytes") == 0) resource = RLIMIT_AS;
+#endif
+  else if (strcmp(copy, "file_size_bytes") == 0) resource = RLIMIT_FSIZE;
+  else if (strcmp(copy, "open_files") == 0) resource = RLIMIT_NOFILE;
+#ifdef RLIMIT_NPROC
+  else if (strcmp(copy, "processes") == 0) resource = RLIMIT_NPROC;
+#endif
+  else die_msg("unknown rlimit");
+
+  struct rlimit limit;
+  limit.rlim_cur = (rlim_t)value;
+  limit.rlim_max = (rlim_t)value;
+  if (setrlimit(resource, &limit) != 0) die("setrlimit");
+  free(copy);
+}
+
+static int deny_syscalls[] = {
+#ifdef __NR_socket
+  __NR_socket,
+#endif
+#ifdef __NR_socketpair
+  __NR_socketpair,
+#endif
+#ifdef __NR_connect
+  __NR_connect,
+#endif
+#ifdef __NR_bind
+  __NR_bind,
+#endif
+#ifdef __NR_listen
+  __NR_listen,
+#endif
+#ifdef __NR_accept
+  __NR_accept,
+#endif
+#ifdef __NR_accept4
+  __NR_accept4,
+#endif
+#ifdef __NR_sendto
+  __NR_sendto,
+#endif
+#ifdef __NR_sendmsg
+  __NR_sendmsg,
+#endif
+#ifdef __NR_sendmmsg
+  __NR_sendmmsg,
+#endif
+#ifdef __NR_recvfrom
+  __NR_recvfrom,
+#endif
+#ifdef __NR_recvmsg
+  __NR_recvmsg,
+#endif
+#ifdef __NR_recvmmsg
+  __NR_recvmmsg,
+#endif
+#ifdef __NR_socketcall
+  __NR_socketcall,
+#endif
+};
+
+#if defined(__x86_64__) && defined(AUDIT_ARCH_X86_64)
+#define EXPECTED_AUDIT_ARCH AUDIT_ARCH_X86_64
+#elif defined(__aarch64__) && defined(AUDIT_ARCH_AARCH64)
+#define EXPECTED_AUDIT_ARCH AUDIT_ARCH_AARCH64
+#elif defined(__i386__) && defined(AUDIT_ARCH_I386)
+#define EXPECTED_AUDIT_ARCH AUDIT_ARCH_I386
+#endif
+
+#ifndef SECCOMP_RET_KILL_PROCESS
+#define SECCOMP_RET_KILL_PROCESS 0x80000000U
+#endif
+
+static void apply_seccomp_deny_network(void) {
+  size_t count = sizeof(deny_syscalls) / sizeof(deny_syscalls[0]);
+  if (count == 0) return;
+
+  size_t len = 1 + (2 * count) + 1;
+#ifdef EXPECTED_AUDIT_ARCH
+  len += 3;
+#endif
+  struct sock_filter *filter = calloc(len, sizeof(struct sock_filter));
+  if (!filter) die("calloc");
+
+  size_t pc = 0;
+#ifdef EXPECTED_AUDIT_ARCH
+  filter[pc++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
+  filter[pc++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXPECTED_AUDIT_ARCH, 1, 0);
+  filter[pc++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
+#endif
+  filter[pc++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
+  for (size_t i = 0; i < count; i++) {
+    filter[pc++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)deny_syscalls[i], 0, 1);
+    filter[pc++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
+  }
+  filter[pc++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
+
+  struct sock_fprog prog;
+  prog.len = (unsigned short)pc;
+  prog.filter = filter;
+
+  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) die("prctl(PR_SET_NO_NEW_PRIVS)");
+#ifdef SYS_seccomp
+  if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog) != 0)
+#endif
+  {
+    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) die("seccomp(SECCOMP_SET_MODE_FILTER)");
+  }
+  free(filter);
+}
+
+static char *require_arg(int argc, char **argv, int *i) {
+  if (*i + 1 >= argc) die_msg("missing option argument");
+  (*i)++;
+  return argv[*i];
+}
+
+int main(int argc, char **argv) {
+  string_list read_paths = {0}, write_paths = {0}, execute_paths = {0}, env_vars = {0};
+  ull_list connect_ports = {0}, bind_ports = {0};
+  int unsetenv_others = 0, seccomp_deny_network = 0, allow_all_known = 0;
+  char *chdir_path = NULL;
+  int command_index = -1;
+
+  for (int i = 1; i < argc; i++) {
+    if (strcmp(argv[i], "--") == 0) { command_index = i + 1; break; }
+    if (strcmp(argv[i], "--read") == 0) string_list_push(&read_paths, require_arg(argc, argv, &i));
+    else if (strcmp(argv[i], "--write") == 0) string_list_push(&write_paths, require_arg(argc, argv, &i));
+    else if (strcmp(argv[i], "--execute") == 0) string_list_push(&execute_paths, require_arg(argc, argv, &i));
+    else if (strcmp(argv[i], "--connect-tcp") == 0) ull_list_push(&connect_ports, parse_port(require_arg(argc, argv, &i)));
+    else if (strcmp(argv[i], "--bind-tcp") == 0) ull_list_push(&bind_ports, parse_port(require_arg(argc, argv, &i)));
+    else if (strcmp(argv[i], "--chdir") == 0) chdir_path = require_arg(argc, argv, &i);
+    else if (strcmp(argv[i], "--env") == 0) string_list_push(&env_vars, require_arg(argc, argv, &i));
+    else if (strcmp(argv[i], "--unsetenv-others") == 0) unsetenv_others = 1;
+    else if (strcmp(argv[i], "--rlimit") == 0) apply_rlimit(require_arg(argc, argv, &i));
+    else if (strcmp(argv[i], "--seccomp-deny-network") == 0) seccomp_deny_network = 1;
+    else if (strcmp(argv[i], "--allow-all-known") == 0) allow_all_known = 1;
+    else die_msg("unknown option");
+  }
+
+  if (command_index < 0 || command_index >= argc) die_msg("missing command after --");
+
+  if (chdir_path && chdir(chdir_path) != 0) die("chdir");
+  if (unsetenv_others && clearenv() != 0) die("clearenv");
+  for (size_t i = 0; i < env_vars.len; i++) {
+    if (putenv(env_vars.items[i]) != 0) die("putenv");
+  }
+
+  apply_landlock(&read_paths, &write_paths, &execute_paths, &connect_ports, &bind_ports, allow_all_known);
+  if (seccomp_deny_network) apply_seccomp_deny_network();
+
+  execvp(argv[command_index], &argv[command_index]);
+  die("execvp");
+}

data/ext/landlock/extconf.rb

@@ -5,8 +5,38 @@ require "mkmf"
 abort "missing ruby headers" unless have_header("ruby.h")
 
 have_header("linux/landlock.h")
+have_header("linux/seccomp.h")
+have_header("linux/filter.h")
 have_header("sys/prctl.h")
 have_header("sys/syscall.h")
+have_header("sys/resource.h")
 have_header("fcntl.h")
 
 create_makefile("landlock/landlock")
+
+if RUBY_PLATFORM.include?("linux")
+  helper = "landlock-safe-exec"
+  helper_src = "$(srcdir)/bin/safe_exec_helper.c"
+  helper_dest = "$(RUBYARCHDIR)/#{helper}"
+
+  File.open("Makefile", "a") do |makefile|
+    makefile.puts <<~MAKE
+
+      all: #{helper}
+
+      #{helper}: #{helper_src}
+      \t$(CC) $(INCFLAGS) $(CPPFLAGS) $(CFLAGS) #{helper_src} -o #{helper} $(LIBS)
+
+      install: install-#{helper}
+
+      install-#{helper}: #{helper}
+      \t$(MAKEDIRS) $(RUBYARCHDIR)
+      \t$(INSTALL_PROG) #{helper} #{helper_dest}
+
+      clean-local::
+      \t$(Q)$(RM) #{helper}
+
+      clean: clean-local
+    MAKE
+  end
+end