landlock 0.1.1 → 0.3

data/ext/landlock/landlock.c

@@ -1,179 +1,16 @@
 #include "ruby.h"
+#include "landlock_native.h"
+#include "seccomp_deny_network.h"
 
-#include <errno.h>
-#include <fcntl.h>
-#include <stdint.h>
-#include <stddef.h>
 #include <string.h>
-#include <unistd.h>
-#include <sys/prctl.h>
-#include <sys/syscall.h>
-
-#ifdef HAVE_LINUX_LANDLOCK_H
-#include <linux/landlock.h>
-#endif
-
-#ifndef SYS_landlock_create_ruleset
-# if defined(__NR_landlock_create_ruleset) && defined(__NR_landlock_add_rule) && defined(__NR_landlock_restrict_self)
-#  define SYS_landlock_create_ruleset __NR_landlock_create_ruleset
-#  define SYS_landlock_add_rule __NR_landlock_add_rule
-#  define SYS_landlock_restrict_self __NR_landlock_restrict_self
-# elif defined(__x86_64__) && defined(__ILP32__)
-#  ifndef __X32_SYSCALL_BIT
-#   define __X32_SYSCALL_BIT 0x40000000
-#  endif
-#  define SYS_landlock_create_ruleset (__X32_SYSCALL_BIT + 444)
-#  define SYS_landlock_add_rule (__X32_SYSCALL_BIT + 445)
-#  define SYS_landlock_restrict_self (__X32_SYSCALL_BIT + 446)
-# elif defined(__x86_64__)
-#  define SYS_landlock_create_ruleset 444
-#  define SYS_landlock_add_rule 445
-#  define SYS_landlock_restrict_self 446
-# elif defined(__aarch64__)
-#  define SYS_landlock_create_ruleset 444
-#  define SYS_landlock_add_rule 445
-#  define SYS_landlock_restrict_self 446
-# elif defined(__i386__)
-#  define SYS_landlock_create_ruleset 444
-#  define SYS_landlock_add_rule 445
-#  define SYS_landlock_restrict_self 446
-# endif
-#endif
-
-#ifndef LANDLOCK_CREATE_RULESET_VERSION
-#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
-#endif
-
-#ifndef LANDLOCK_RULE_PATH_BENEATH
-#define LANDLOCK_RULE_PATH_BENEATH 1
-#endif
-
-#ifndef LANDLOCK_RULE_NET_PORT
-#define LANDLOCK_RULE_NET_PORT 2
-#endif
-
-#ifndef LANDLOCK_ACCESS_FS_EXECUTE
-#define LANDLOCK_ACCESS_FS_EXECUTE    (1ULL << 0)
-#endif
-#ifndef LANDLOCK_ACCESS_FS_WRITE_FILE
-#define LANDLOCK_ACCESS_FS_WRITE_FILE (1ULL << 1)
-#endif
-#ifndef LANDLOCK_ACCESS_FS_READ_FILE
-#define LANDLOCK_ACCESS_FS_READ_FILE  (1ULL << 2)
-#endif
-#ifndef LANDLOCK_ACCESS_FS_READ_DIR
-#define LANDLOCK_ACCESS_FS_READ_DIR   (1ULL << 3)
-#endif
-#ifndef LANDLOCK_ACCESS_FS_REMOVE_DIR
-#define LANDLOCK_ACCESS_FS_REMOVE_DIR (1ULL << 4)
-#endif
-#ifndef LANDLOCK_ACCESS_FS_REMOVE_FILE
-#define LANDLOCK_ACCESS_FS_REMOVE_FILE (1ULL << 5)
-#endif
-#ifndef LANDLOCK_ACCESS_FS_MAKE_CHAR
-#define LANDLOCK_ACCESS_FS_MAKE_CHAR  (1ULL << 6)
-#endif
-#ifndef LANDLOCK_ACCESS_FS_MAKE_DIR
-#define LANDLOCK_ACCESS_FS_MAKE_DIR   (1ULL << 7)
-#endif
-#ifndef LANDLOCK_ACCESS_FS_MAKE_REG
-#define LANDLOCK_ACCESS_FS_MAKE_REG   (1ULL << 8)
-#endif
-#ifndef LANDLOCK_ACCESS_FS_MAKE_SOCK
-#define LANDLOCK_ACCESS_FS_MAKE_SOCK  (1ULL << 9)
-#endif
-#ifndef LANDLOCK_ACCESS_FS_MAKE_FIFO
-#define LANDLOCK_ACCESS_FS_MAKE_FIFO  (1ULL << 10)
-#endif
-#ifndef LANDLOCK_ACCESS_FS_MAKE_BLOCK
-#define LANDLOCK_ACCESS_FS_MAKE_BLOCK (1ULL << 11)
-#endif
-#ifndef LANDLOCK_ACCESS_FS_MAKE_SYM
-#define LANDLOCK_ACCESS_FS_MAKE_SYM   (1ULL << 12)
-#endif
-#ifndef LANDLOCK_ACCESS_FS_REFER
-#define LANDLOCK_ACCESS_FS_REFER      (1ULL << 13)
-#endif
-#ifndef LANDLOCK_ACCESS_FS_TRUNCATE
-#define LANDLOCK_ACCESS_FS_TRUNCATE   (1ULL << 14)
-#endif
-#ifndef LANDLOCK_ACCESS_FS_IOCTL_DEV
-#define LANDLOCK_ACCESS_FS_IOCTL_DEV  (1ULL << 15)
-#endif
-
-#ifndef LANDLOCK_ACCESS_NET_BIND_TCP
-#define LANDLOCK_ACCESS_NET_BIND_TCP    (1ULL << 0)
-#endif
-#ifndef LANDLOCK_ACCESS_NET_CONNECT_TCP
-#define LANDLOCK_ACCESS_NET_CONNECT_TCP (1ULL << 1)
-#endif
-
-#ifndef LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
-#define LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET (1ULL << 0)
-#endif
-#ifndef LANDLOCK_SCOPE_SIGNAL
-#define LANDLOCK_SCOPE_SIGNAL (1ULL << 1)
-#endif
-
-#ifndef O_PATH
-#define O_PATH 010000000
-#endif
-
-#ifndef O_CLOEXEC
-#define O_CLOEXEC 02000000
-#endif
-
-struct rb_landlock_ruleset_attr {
-  uint64_t handled_access_fs;
-  uint64_t handled_access_net;
-  uint64_t scoped;
-};
-
-struct rb_landlock_path_beneath_attr {
-  uint64_t allowed_access;
-  int32_t parent_fd;
-} __attribute__((packed));
-
-struct rb_landlock_net_port_attr {
-  uint64_t allowed_access;
-  uint64_t port;
-};
 
 static VALUE mLandlock;
 static VALUE eLandlockError;
 static VALUE eSyscallError;
 
-static long ll_create_ruleset(const void *attr, size_t size, uint32_t flags) {
-#ifdef SYS_landlock_create_ruleset
-  return syscall(SYS_landlock_create_ruleset, attr, size, flags);
-#else
-  errno = ENOSYS;
-  return -1;
-#endif
-}
-
-static long ll_add_rule(int ruleset_fd, int rule_type, const void *rule_attr, uint32_t flags) {
-#ifdef SYS_landlock_add_rule
-  return syscall(SYS_landlock_add_rule, ruleset_fd, rule_type, rule_attr, flags);
-#else
-  errno = ENOSYS;
-  return -1;
-#endif
-}
-
-static long ll_restrict_self(int ruleset_fd, uint32_t flags) {
-#ifdef SYS_landlock_restrict_self
-  return syscall(SYS_landlock_restrict_self, ruleset_fd, flags);
-#else
-  errno = ENOSYS;
-  return -1;
-#endif
-}
-
 static void raise_syscall_error(const char *syscall_name) {
   int saved_errno = errno;
-  VALUE err = rb_funcall(eSyscallError, rb_intern("new"), 3,
-                         rb_str_new_cstr(syscall_name),
+  VALUE err = rb_funcall(eSyscallError, rb_intern("new"), 3, rb_str_new_cstr(syscall_name),
                          INT2NUM(saved_errno),
                          rb_sprintf("%s failed: %s", syscall_name, strerror(saved_errno)));
   rb_exc_raise(err);
@@ -182,7 +19,9 @@ static void raise_syscall_error(const char *syscall_name) {
 static VALUE rb_ll_abi_version(VALUE self) {
   long abi = ll_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
   if (abi < 0) {
-    if (errno == ENOSYS || errno == EOPNOTSUPP) return INT2FIX(0);
+    if (errno == ENOSYS || errno == EOPNOTSUPP) {
+      return INT2FIX(0);
+    }
     raise_syscall_error("landlock_create_ruleset");
   }
   return LONG2NUM(abi);
@@ -208,7 +47,9 @@ static VALUE rb_ll_create_ruleset(int argc, VALUE *argv, VALUE self) {
   attr.scoped = scoped;
 
   long fd = ll_create_ruleset(&attr, attr_size, 0);
-  if (fd < 0) raise_syscall_error("landlock_create_ruleset");
+  if (fd < 0) {
+    raise_syscall_error("landlock_create_ruleset");
+  }
   return INT2NUM(fd);
 }
 
@@ -218,7 +59,9 @@ static VALUE rb_ll_add_path_rule(VALUE self, VALUE ruleset_fd, VALUE path, VALUE
   Check_Type(path, T_STRING);
   const char *cpath = StringValueCStr(path);
   int parent_fd = open(cpath, O_PATH | O_CLOEXEC);
-  if (parent_fd < 0) raise_syscall_error("open");
+  if (parent_fd < 0) {
+    raise_syscall_error("open");
+  }
 
   struct rb_landlock_path_beneath_attr rule;
   memset(&rule, 0, sizeof(rule));
@@ -237,7 +80,9 @@ static VALUE rb_ll_add_path_rule(VALUE self, VALUE ruleset_fd, VALUE path, VALUE
 
 static VALUE rb_ll_add_net_rule(VALUE self, VALUE ruleset_fd, VALUE port, VALUE access_bits) {
   unsigned long long p = NUM2ULL(port);
-  if (p > 65535ULL) rb_raise(rb_eArgError, "TCP port must be between 0 and 65535");
+  if (p > 65535ULL) {
+    rb_raise(rb_eArgError, "TCP port must be between 0 and 65535");
+  }
 
   struct rb_landlock_net_port_attr rule;
   memset(&rule, 0, sizeof(rule));
@@ -245,26 +90,45 @@ static VALUE rb_ll_add_net_rule(VALUE self, VALUE ruleset_fd, VALUE port, VALUE
   rule.port = p;
 
   long ret = ll_add_rule(NUM2INT(ruleset_fd), LANDLOCK_RULE_NET_PORT, &rule, 0);
-  if (ret < 0) raise_syscall_error("landlock_add_rule(net_port)");
+  if (ret < 0) {
+    raise_syscall_error("landlock_add_rule(net_port)");
+  }
   return Qtrue;
 }
 
 static VALUE rb_ll_restrict_self(VALUE self, VALUE ruleset_fd) {
+#ifdef __linux__
   if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
     raise_syscall_error("prctl(PR_SET_NO_NEW_PRIVS)");
   }
 
   long ret = ll_restrict_self(NUM2INT(ruleset_fd), 0);
-  if (ret < 0) raise_syscall_error("landlock_restrict_self");
+  if (ret < 0) {
+    raise_syscall_error("landlock_restrict_self");
+  }
   return Qtrue;
+#else
+  errno = ENOSYS;
+  raise_syscall_error("landlock_restrict_self");
+#endif
 }
 
 static VALUE rb_ll_close_fd(VALUE self, VALUE fd_value) {
   int fd = NUM2INT(fd_value);
-  if (fd >= 0) close(fd);
+  if (fd >= 0) {
+    close(fd);
+  }
   return Qnil;
 }
 
+static VALUE rb_ll_seccomp_deny_network(VALUE self) {
+  const char *error_message = "seccomp(SECCOMP_SET_MODE_FILTER)";
+  if (rb_landlock_seccomp_deny_network(&error_message) != 0) {
+    raise_syscall_error(error_message);
+  }
+  return Qtrue;
+}
+
 void Init_landlock(void) {
   mLandlock = rb_define_module("Landlock");
 
@@ -286,6 +150,7 @@ void Init_landlock(void) {
   rb_define_singleton_method(mLandlock, "_add_net_rule", rb_ll_add_net_rule, 3);
   rb_define_singleton_method(mLandlock, "_restrict_self", rb_ll_restrict_self, 1);
   rb_define_singleton_method(mLandlock, "_close_fd", rb_ll_close_fd, 1);
+  rb_define_singleton_method(mLandlock, "seccomp_deny_network!", rb_ll_seccomp_deny_network, 0);
 
   rb_define_const(mLandlock, "ACCESS_FS_EXECUTE", ULL2NUM(LANDLOCK_ACCESS_FS_EXECUTE));
   rb_define_const(mLandlock, "ACCESS_FS_WRITE_FILE", ULL2NUM(LANDLOCK_ACCESS_FS_WRITE_FILE));
@@ -305,6 +170,7 @@ void Init_landlock(void) {
   rb_define_const(mLandlock, "ACCESS_FS_IOCTL_DEV", ULL2NUM(LANDLOCK_ACCESS_FS_IOCTL_DEV));
   rb_define_const(mLandlock, "ACCESS_NET_BIND_TCP", ULL2NUM(LANDLOCK_ACCESS_NET_BIND_TCP));
   rb_define_const(mLandlock, "ACCESS_NET_CONNECT_TCP", ULL2NUM(LANDLOCK_ACCESS_NET_CONNECT_TCP));
-  rb_define_const(mLandlock, "SCOPE_ABSTRACT_UNIX_SOCKET", ULL2NUM(LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET));
+  rb_define_const(mLandlock, "SCOPE_ABSTRACT_UNIX_SOCKET",
+                  ULL2NUM(LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET));
   rb_define_const(mLandlock, "SCOPE_SIGNAL", ULL2NUM(LANDLOCK_SCOPE_SIGNAL));
 }

data/ext/landlock/landlock_native.h

@@ -0,0 +1,168 @@
+#ifndef RB_LANDLOCK_NATIVE_H
+#define RB_LANDLOCK_NATIVE_H
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <unistd.h>
+
+#ifdef __linux__
+#include <sys/prctl.h>
+#include <sys/syscall.h>
+#ifdef HAVE_LINUX_LANDLOCK_H
+#include <linux/landlock.h>
+#endif
+#endif
+
+#ifndef SYS_landlock_create_ruleset
+#if defined(__linux__) && defined(__NR_landlock_create_ruleset) &&                                 \
+    defined(__NR_landlock_add_rule) && defined(__NR_landlock_restrict_self)
+#define SYS_landlock_create_ruleset __NR_landlock_create_ruleset
+#define SYS_landlock_add_rule __NR_landlock_add_rule
+#define SYS_landlock_restrict_self __NR_landlock_restrict_self
+#elif defined(__linux__) && defined(__x86_64__) && defined(__ILP32__)
+#ifndef __X32_SYSCALL_BIT
+#define __X32_SYSCALL_BIT 0x40000000
+#endif
+#define SYS_landlock_create_ruleset (__X32_SYSCALL_BIT + 444)
+#define SYS_landlock_add_rule (__X32_SYSCALL_BIT + 445)
+#define SYS_landlock_restrict_self (__X32_SYSCALL_BIT + 446)
+#elif defined(__linux__) && (defined(__x86_64__) || defined(__aarch64__) || defined(__i386__))
+#define SYS_landlock_create_ruleset 444
+#define SYS_landlock_add_rule 445
+#define SYS_landlock_restrict_self 446
+#endif
+#endif
+
+#ifndef LANDLOCK_CREATE_RULESET_VERSION
+#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
+#endif
+
+#ifndef LANDLOCK_RULE_PATH_BENEATH
+#define LANDLOCK_RULE_PATH_BENEATH 1
+#endif
+
+#ifndef LANDLOCK_RULE_NET_PORT
+#define LANDLOCK_RULE_NET_PORT 2
+#endif
+
+#ifndef LANDLOCK_ACCESS_FS_EXECUTE
+#define LANDLOCK_ACCESS_FS_EXECUTE (1ULL << 0)
+#endif
+#ifndef LANDLOCK_ACCESS_FS_WRITE_FILE
+#define LANDLOCK_ACCESS_FS_WRITE_FILE (1ULL << 1)
+#endif
+#ifndef LANDLOCK_ACCESS_FS_READ_FILE
+#define LANDLOCK_ACCESS_FS_READ_FILE (1ULL << 2)
+#endif
+#ifndef LANDLOCK_ACCESS_FS_READ_DIR
+#define LANDLOCK_ACCESS_FS_READ_DIR (1ULL << 3)
+#endif
+#ifndef LANDLOCK_ACCESS_FS_REMOVE_DIR
+#define LANDLOCK_ACCESS_FS_REMOVE_DIR (1ULL << 4)
+#endif
+#ifndef LANDLOCK_ACCESS_FS_REMOVE_FILE
+#define LANDLOCK_ACCESS_FS_REMOVE_FILE (1ULL << 5)
+#endif
+#ifndef LANDLOCK_ACCESS_FS_MAKE_CHAR
+#define LANDLOCK_ACCESS_FS_MAKE_CHAR (1ULL << 6)
+#endif
+#ifndef LANDLOCK_ACCESS_FS_MAKE_DIR
+#define LANDLOCK_ACCESS_FS_MAKE_DIR (1ULL << 7)
+#endif
+#ifndef LANDLOCK_ACCESS_FS_MAKE_REG
+#define LANDLOCK_ACCESS_FS_MAKE_REG (1ULL << 8)
+#endif
+#ifndef LANDLOCK_ACCESS_FS_MAKE_SOCK
+#define LANDLOCK_ACCESS_FS_MAKE_SOCK (1ULL << 9)
+#endif
+#ifndef LANDLOCK_ACCESS_FS_MAKE_FIFO
+#define LANDLOCK_ACCESS_FS_MAKE_FIFO (1ULL << 10)
+#endif
+#ifndef LANDLOCK_ACCESS_FS_MAKE_BLOCK
+#define LANDLOCK_ACCESS_FS_MAKE_BLOCK (1ULL << 11)
+#endif
+#ifndef LANDLOCK_ACCESS_FS_MAKE_SYM
+#define LANDLOCK_ACCESS_FS_MAKE_SYM (1ULL << 12)
+#endif
+#ifndef LANDLOCK_ACCESS_FS_REFER
+#define LANDLOCK_ACCESS_FS_REFER (1ULL << 13)
+#endif
+#ifndef LANDLOCK_ACCESS_FS_TRUNCATE
+#define LANDLOCK_ACCESS_FS_TRUNCATE (1ULL << 14)
+#endif
+#ifndef LANDLOCK_ACCESS_FS_IOCTL_DEV
+#define LANDLOCK_ACCESS_FS_IOCTL_DEV (1ULL << 15)
+#endif
+
+#ifndef LANDLOCK_ACCESS_NET_BIND_TCP
+#define LANDLOCK_ACCESS_NET_BIND_TCP (1ULL << 0)
+#endif
+#ifndef LANDLOCK_ACCESS_NET_CONNECT_TCP
+#define LANDLOCK_ACCESS_NET_CONNECT_TCP (1ULL << 1)
+#endif
+
+#ifndef LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
+#define LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET (1ULL << 0)
+#endif
+#ifndef LANDLOCK_SCOPE_SIGNAL
+#define LANDLOCK_SCOPE_SIGNAL (1ULL << 1)
+#endif
+
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
+
+#ifndef O_CLOEXEC
+#define O_CLOEXEC 02000000
+#endif
+
+#ifndef PR_SET_NO_NEW_PRIVS
+#define PR_SET_NO_NEW_PRIVS 38
+#endif
+
+struct rb_landlock_ruleset_attr {
+  uint64_t handled_access_fs;
+  uint64_t handled_access_net;
+  uint64_t scoped;
+};
+
+struct rb_landlock_path_beneath_attr {
+  uint64_t allowed_access;
+  int32_t parent_fd;
+} __attribute__((packed));
+
+struct rb_landlock_net_port_attr {
+  uint64_t allowed_access;
+  uint64_t port;
+};
+
+static long ll_create_ruleset(const void *attr, size_t size, uint32_t flags) {
+#ifdef SYS_landlock_create_ruleset
+  return syscall(SYS_landlock_create_ruleset, attr, size, flags);
+#else
+  errno = ENOSYS;
+  return -1;
+#endif
+}
+
+static long ll_add_rule(int ruleset_fd, int rule_type, const void *rule_attr, uint32_t flags) {
+#ifdef SYS_landlock_add_rule
+  return syscall(SYS_landlock_add_rule, ruleset_fd, rule_type, rule_attr, flags);
+#else
+  errno = ENOSYS;
+  return -1;
+#endif
+}
+
+static long ll_restrict_self(int ruleset_fd, uint32_t flags) {
+#ifdef SYS_landlock_restrict_self
+  return syscall(SYS_landlock_restrict_self, ruleset_fd, flags);
+#else
+  errno = ENOSYS;
+  return -1;
+#endif
+}
+
+#endif

data/ext/landlock/seccomp_deny_network.h

@@ -0,0 +1,176 @@
+#ifndef RB_LANDLOCK_SECCOMP_DENY_NETWORK_H
+#define RB_LANDLOCK_SECCOMP_DENY_NETWORK_H
+
+#include <errno.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#ifdef __linux__
+#include <linux/audit.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
+#include <sys/prctl.h>
+#include <sys/syscall.h>
+#endif
+
+#ifndef SECCOMP_RET_ALLOW
+#define SECCOMP_RET_ALLOW 0x7fff0000U
+#endif
+#ifndef SECCOMP_RET_ERRNO
+#define SECCOMP_RET_ERRNO 0x00050000U
+#endif
+#ifndef SECCOMP_RET_KILL_PROCESS
+#define SECCOMP_RET_KILL_PROCESS 0x80000000U
+#endif
+#ifndef SECCOMP_SET_MODE_FILTER
+#define SECCOMP_SET_MODE_FILTER 1
+#endif
+
+#ifdef __linux__
+static int rb_landlock_deny_network_syscalls[] = {
+#ifdef __NR_socket
+    __NR_socket,
+#endif
+#ifdef __NR_socketpair
+    __NR_socketpair,
+#endif
+#ifdef __NR_connect
+    __NR_connect,
+#endif
+#ifdef __NR_bind
+    __NR_bind,
+#endif
+#ifdef __NR_listen
+    __NR_listen,
+#endif
+#ifdef __NR_accept
+    __NR_accept,
+#endif
+#ifdef __NR_accept4
+    __NR_accept4,
+#endif
+#ifdef __NR_sendto
+    __NR_sendto,
+#endif
+#ifdef __NR_sendmsg
+    __NR_sendmsg,
+#endif
+#ifdef __NR_sendmmsg
+    __NR_sendmmsg,
+#endif
+#ifdef __NR_recvfrom
+    __NR_recvfrom,
+#endif
+#ifdef __NR_recvmsg
+    __NR_recvmsg,
+#endif
+#ifdef __NR_recvmmsg
+    __NR_recvmmsg,
+#endif
+#ifdef __NR_socketcall
+    __NR_socketcall,
+#endif
+};
+
+#if defined(__x86_64__) && defined(AUDIT_ARCH_X86_64)
+#define RB_LANDLOCK_EXPECTED_AUDIT_ARCH AUDIT_ARCH_X86_64
+#elif defined(__aarch64__) && defined(AUDIT_ARCH_AARCH64)
+#define RB_LANDLOCK_EXPECTED_AUDIT_ARCH AUDIT_ARCH_AARCH64
+#elif defined(__i386__) && defined(AUDIT_ARCH_I386)
+#define RB_LANDLOCK_EXPECTED_AUDIT_ARCH AUDIT_ARCH_I386
+#endif
+
+#if defined(__x86_64__) && !defined(__ILP32__)
+#ifndef __X32_SYSCALL_BIT
+#define __X32_SYSCALL_BIT 0x40000000
+#endif
+#define RB_LANDLOCK_DENY_X32_SYSCALLS 1
+#endif
+#endif
+
+static int rb_landlock_seccomp_deny_network(const char **error_message) {
+#ifdef __linux__
+#ifndef RB_LANDLOCK_EXPECTED_AUDIT_ARCH
+  errno = ENOSYS;
+  if (error_message) {
+    *error_message = "seccomp unsupported architecture";
+  }
+  return -1;
+#else
+  size_t count =
+      sizeof(rb_landlock_deny_network_syscalls) / sizeof(rb_landlock_deny_network_syscalls[0]);
+  if (count == 0) {
+    return 0;
+  }
+
+  size_t len = 1 + (2 * count) + 1;
+  len += 3;
+#ifdef RB_LANDLOCK_DENY_X32_SYSCALLS
+  len += 2;
+#endif
+  struct sock_filter *filter = calloc(len, sizeof(struct sock_filter));
+  if (!filter) {
+    if (error_message) {
+      *error_message = "calloc";
+    }
+    return -1;
+  }
+
+  size_t pc = 0;
+  filter[pc++] =
+      (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
+  filter[pc++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
+                                              RB_LANDLOCK_EXPECTED_AUDIT_ARCH, 1, 0);
+  filter[pc++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
+  filter[pc++] =
+      (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
+#ifdef RB_LANDLOCK_DENY_X32_SYSCALLS
+  filter[pc++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, __X32_SYSCALL_BIT, 0, 1);
+  filter[pc++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
+#endif
+  for (size_t i = 0; i < count; i++) {
+    filter[pc++] = (struct sock_filter)BPF_JUMP(
+        BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)rb_landlock_deny_network_syscalls[i], 0, 1);
+    filter[pc++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
+  }
+  filter[pc++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
+
+  struct sock_fprog prog;
+  prog.len = (unsigned short)pc;
+  prog.filter = filter;
+
+  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
+    if (error_message) {
+      *error_message = "prctl(PR_SET_NO_NEW_PRIVS)";
+    }
+    free(filter);
+    return -1;
+  }
+#ifdef SYS_seccomp
+  if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog) == 0) {
+    free(filter);
+    return 0;
+  }
+#endif
+  if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) {
+    if (error_message) {
+      *error_message = "seccomp(SECCOMP_SET_MODE_FILTER)";
+    }
+    free(filter);
+    return -1;
+  }
+
+  free(filter);
+  return 0;
+#endif
+#else
+  errno = ENOSYS;
+  if (error_message) {
+    *error_message = "seccomp(SECCOMP_SET_MODE_FILTER)";
+  }
+  return -1;
+#endif
+}
+
+#endif

data/lib/landlock/env.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Landlock
+  module Env
+    module_function
+
+    def normalize(env)
+      return nil if env.nil?
+
+      raise ArgumentError, "env must be a Hash-compatible object" unless env.respond_to?(:each_pair)
+
+      normalized = {}
+      env.each_pair do |key, value|
+        key = key.to_s
+        raise ArgumentError, "env key must not be empty" if key.empty?
+        raise ArgumentError, "env key must not contain '='" if key.include?("=")
+        raise ArgumentError, "env key must not contain NUL" if key.include?("\0")
+
+        if value.nil?
+          normalized[key] = nil
+        else
+          value = value.to_s
+          raise ArgumentError, "env value must not contain NUL" if value.include?("\0")
+
+          normalized[key] = value
+        end
+      end
+      normalized
+    end
+  end
+end

data/lib/landlock/errors.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module Landlock
+  Error = Class.new(StandardError)
+  UnsupportedError = Class.new(Error)
+
+  class SyscallError < Error
+    attr_reader :errno, :syscall
+
+    def initialize(syscall, errno, message = nil)
+      @syscall = syscall
+      @errno = errno
+      super(message || "#{syscall} failed: #{errno}")
+    end
+  end
+
+  class CommandError < Error
+    attr_reader :stdout, :stderr, :status, :result
+
+    def initialize(message, stdout: "", stderr: "", status: nil, result: nil)
+      @stdout = stdout
+      @stderr = stderr
+      @status = status
+      @result = result
+      super(message)
+    end
+  end
+
+  class OutputTooLargeError < Error
+    attr_accessor :result
+  end
+end