landlock 0.1.1 → 0.3

data/lib/landlock/execution.rb

@@ -0,0 +1,238 @@
+# frozen_string_literal: true
+
+require_relative "env"
+require_relative "native"
+require_relative "policy"
+require_relative "result"
+require_relative "rlimits"
+require_relative "runner"
+require_relative "validation"
+
+module Landlock
+  module Execution
+    module_function
+
+    def exec(
+      argv,
+      read: [],
+      write: [],
+      execute: [],
+      connect_tcp: [],
+      bind_tcp: [],
+      paths: [],
+      scope: [],
+      chdir: nil,
+      env: nil,
+      unsetenv_others: false,
+      close_others: true,
+      allow_all_known: false
+    )
+      pid =
+        spawn(
+          argv,
+          read:,
+          write:,
+          execute:,
+          connect_tcp:,
+          bind_tcp:,
+          paths:,
+          scope:,
+          chdir:,
+          env:,
+          unsetenv_others:,
+          close_others:,
+          allow_all_known:
+        )
+      _, status = ::Process.wait2(pid)
+      status
+    end
+
+    def spawn(
+      argv,
+      read: [],
+      write: [],
+      execute: [],
+      connect_tcp: [],
+      bind_tcp: [],
+      paths: [],
+      scope: [],
+      chdir: nil,
+      env: nil,
+      unsetenv_others: false,
+      close_others: true,
+      allow_all_known: false
+    )
+      argv = Validation.normalize_argv(argv).map(&:to_s)
+      ensure_landlock_supported!
+      env = Env.normalize(env)
+      policy =
+        prepare_policy(read:, write:, execute:, connect_tcp:, bind_tcp:, paths:, scope:, chdir:, allow_all_known:)
+      validate_landlock_restriction!(**policy)
+
+      spawn_with_runner(argv, **policy, chdir:, env:, unsetenv_others:, close_others:)
+    end
+
+    def capture(argv, **options)
+      capture_with(argv, raise_on_failure: false, **options)
+    end
+
+    def capture!(argv, **options)
+      capture_with(argv, raise_on_failure: true, **options)
+    end
+
+    def capture_with(
+      argv,
+      read: [],
+      write: [],
+      execute: [],
+      connect_tcp: [],
+      bind_tcp: [],
+      paths: [],
+      scope: [],
+      chdir: nil,
+      env: nil,
+      unsetenv_others: false,
+      close_others: true,
+      allow_all_known: false,
+      timeout: nil,
+      stdin: nil,
+      rlimits: {},
+      seccomp_deny_network: false,
+      max_output_bytes: nil,
+      truncate_output: false,
+      success_status_codes: [0],
+      failure_message: "",
+      raise_on_failure:
+    )
+      argv = Validation.normalize_argv(argv).map(&:to_s)
+      ensure_landlock_supported!
+      max_output_bytes = Validation.validate_output_limit!(max_output_bytes)
+      timeout = Validation.validate_timeout!(timeout)
+      normalized_rlimits = Rlimits.normalize(rlimits)
+      env = Env.normalize(env)
+      policy =
+        prepare_policy(read:, write:, execute:, connect_tcp:, bind_tcp:, paths:, scope:, chdir:, allow_all_known:)
+      validate_capture_restriction!(**policy, seccomp_deny_network:, rlimits: normalized_rlimits)
+
+      result =
+        call_with_runner(
+          argv,
+          **policy,
+          chdir:,
+          env:,
+          unsetenv_others:,
+          close_others:,
+          timeout:,
+          stdin:,
+          rlimits: normalized_rlimits,
+          seccomp_deny_network:,
+          max_output_bytes:,
+          truncate_output:
+        )
+
+      if raise_on_failure &&
+           (result.timed_out? || !result.status.exited? || !success_status_codes.include?(result.status.exitstatus))
+        message = [argv.join(" "), failure_message, result.stderr].filter { |part| part.to_s != "" }.join("\n")
+        raise CommandError.new(message, stdout: result.stdout, stderr: result.stderr, status: result.status, result:)
+      end
+
+      result
+    rescue OutputTooLargeError => e
+      message = [argv&.join(" "), failure_message, e.message].filter { |part| part.to_s != "" }.join("\n")
+      result = e.result
+      raise CommandError.new(
+              message,
+              stdout: result&.stdout.to_s,
+              stderr: result&.stderr.to_s,
+              status: result&.status,
+              result:
+            )
+    end
+
+    def spawn_with_runner(argv, **options)
+      if Runner::Native.available?
+        begin
+          return Runner::Native.spawn(argv, **options)
+        rescue Errno::E2BIG
+          return Runner::Fork.spawn(argv, **options)
+        end
+      end
+
+      Runner::Fork.spawn(argv, **options)
+    end
+
+    def call_with_runner(argv, **options)
+      if Runner::Native.available?
+        begin
+          return Runner::Native.call(argv, **options)
+        rescue Errno::E2BIG
+          return Runner::Fork.call(argv, **options)
+        end
+      end
+
+      Runner::Fork.call(argv, **options)
+    end
+
+    def ensure_landlock_supported!
+      raise UnsupportedError, "Linux Landlock is unavailable" unless Native.abi_version.positive?
+    end
+
+    def prepare_policy(read:, write:, execute:, connect_tcp:, bind_tcp:, paths:, scope:, chdir:, allow_all_known:)
+      connect_tcp = Validation.normalize_ports(connect_tcp, :connect_tcp)
+      bind_tcp = Validation.normalize_ports(bind_tcp, :bind_tcp)
+      read, write, execute, paths = validate_policy_paths!(read:, write:, execute:, paths:, chdir:)
+      { read:, write:, execute:, connect_tcp:, bind_tcp:, paths:, scope:, allow_all_known: }
+    end
+
+    def validate_landlock_restriction!(
+      read:,
+      write:,
+      execute:,
+      connect_tcp:,
+      bind_tcp:,
+      paths:,
+      scope:,
+      allow_all_known:
+    )
+      return if Policy.requested?(read:, write:, execute:, connect_tcp:, bind_tcp:, paths:, scope:, allow_all_known:)
+
+      raise ArgumentError, "empty Landlock policy: provide filesystem paths, TCP ports, or scopes"
+    end
+
+    def validate_capture_restriction!(
+      read:,
+      write:,
+      execute:,
+      connect_tcp:,
+      bind_tcp:,
+      paths:,
+      scope:,
+      allow_all_known:,
+      seccomp_deny_network:,
+      rlimits:
+    )
+      return if Policy.requested?(read:, write:, execute:, connect_tcp:, bind_tcp:, paths:, scope:, allow_all_known:)
+      return if seccomp_deny_network
+      return if Array(rlimits).any?
+
+      raise ArgumentError, "empty capture policy: provide Landlock rules, seccomp_deny_network, or rlimits"
+    end
+
+    def validate_policy_paths!(read:, write:, execute:, paths:, chdir:)
+      base = chdir ? File.expand_path(chdir) : Dir.pwd
+      abi = Native.abi_version
+      read = Validation.validate_existing_paths(read, :read, chdir:)
+      write = Validation.validate_existing_paths(write, :write, chdir:)
+      execute = Validation.validate_existing_paths(execute, :execute, chdir:)
+      paths =
+        Array(paths).map do |rule|
+          path, rights = Policy.normalize_path_rule(rule)
+          Validation.validate_existing_path!(path, :path, base)
+          Policy.path_rule_access_mask(File.expand_path(path, base), rights, abi)
+          { path: path.to_s, rights: }
+        end
+
+      [read, write, execute, paths]
+    end
+  end
+end

data/lib/landlock/native.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require_relative "errors"
+require_relative "landlock"
+
+module Landlock
+  module Native
+    module_function
+
+    def abi_version
+      Landlock.abi_version
+    end
+
+    def create_ruleset(fs_handled, net_handled, scoped)
+      Landlock.__send__(:_create_ruleset, fs_handled, net_handled, scoped)
+    end
+
+    def add_path_rule(fd, path, access_mask)
+      Landlock.__send__(:_add_path_rule, fd, path, access_mask)
+    end
+
+    def add_net_rule(fd, port, access_mask)
+      Landlock.__send__(:_add_net_rule, fd, port, access_mask)
+    end
+
+    def restrict_self(fd)
+      Landlock.__send__(:_restrict_self, fd)
+    end
+
+    def close_fd(fd)
+      Landlock.__send__(:_close_fd, fd)
+    end
+
+    def seccomp_deny_network!
+      Landlock.seccomp_deny_network!
+    end
+  end
+end

data/lib/landlock/policy.rb

@@ -0,0 +1,161 @@
+# frozen_string_literal: true
+
+require_relative "native"
+require_relative "rights"
+
+module Landlock
+  module Policy
+    module_function
+
+    def restrict!(
+      read: [],
+      write: [],
+      execute: [],
+      connect_tcp: [],
+      bind_tcp: [],
+      paths: [],
+      scope: [],
+      allow_all_known: false
+    )
+      abi = Native.abi_version
+      raise UnsupportedError, "Linux Landlock is unavailable" unless abi.positive?
+
+      fs_handled =
+        (
+          if allow_all_known
+            fs_rights_for_abi(abi)
+          else
+            handled_fs_for(read:, write:, execute:, paths:, abi:)
+          end
+        )
+      net_handled = handled_net_for(connect_tcp:, bind_tcp:, abi:)
+      scoped = scope_for(scope:, abi:)
+
+      if fs_handled.zero? && net_handled.zero? && scoped.zero?
+        raise ArgumentError, "empty Landlock policy: provide filesystem paths, TCP ports, or scopes"
+      end
+
+      fd = Native.create_ruleset(fs_handled, net_handled, scoped)
+      begin
+        add_path_rules(fd, read, READ_RIGHTS, abi)
+        add_path_rules(fd, execute, EXEC_RIGHTS, abi)
+        add_path_rules(fd, write, WRITE_RIGHTS, abi)
+
+        Array(paths).each do |rule|
+          path, rights = normalize_path_rule(rule)
+          expanded_path = File.expand_path(path)
+          access_mask = path_rule_access_mask(expanded_path, rights, abi)
+
+          Native.add_path_rule(fd, expanded_path, access_mask)
+        end
+
+        add_net_rules(fd, connect_tcp, [:connect_tcp], abi)
+        add_net_rules(fd, bind_tcp, [:bind_tcp], abi)
+
+        Native.restrict_self(fd)
+      ensure
+        Native.close_fd(fd) if fd && fd >= 0
+      end
+
+      true
+    end
+
+    def requested?(read:, write:, execute:, connect_tcp:, bind_tcp:, paths:, scope:, allow_all_known:)
+      allow_all_known || Array(read).any? || Array(write).any? || Array(execute).any? || Array(connect_tcp).any? ||
+        Array(bind_tcp).any? || Array(paths).any? || Array(scope).any?
+    end
+
+    def path_rights(path, rights)
+      File.directory?(path) ? rights : Array(rights) & FILE_PATH_RIGHTS
+    end
+
+    def path_rule_access_mask(path, rights, abi)
+      mask(path_rights(path, rights), FS_RIGHTS, abi).tap do |access_mask|
+        raise ArgumentError, "path rule has no effective rights: #{path}" if access_mask.zero?
+      end
+    end
+
+    def add_path_rules(fd, paths, rights, abi)
+      Array(paths).each do |path|
+        expanded_path = File.expand_path(path)
+        access_mask = mask(path_rights(expanded_path, rights), FS_RIGHTS, abi)
+        next if access_mask.zero?
+
+        Native.add_path_rule(fd, expanded_path, access_mask)
+      end
+    end
+
+    def add_net_rules(fd, ports, rights, abi)
+      ports = Array(ports)
+      return if ports.empty?
+      raise UnsupportedError, "Landlock network rules require ABI v4+; running ABI v#{abi}" if abi < 4
+
+      access_mask = mask(rights, NET_RIGHTS, abi)
+      return if access_mask.zero?
+
+      ports.each { |port| Native.add_net_rule(fd, Integer(port), access_mask) }
+    end
+
+    def normalize_path_rule(rule)
+      case rule
+      when Hash
+        [rule.fetch(:path), Array(rule.fetch(:rights))]
+      when Array
+        [rule.fetch(0), Array(rule.fetch(1))]
+      else
+        raise ArgumentError, "path rule must be {path:, rights:} or [path, rights]"
+      end
+    end
+
+    def mask(names, table, abi)
+      Array(names).reduce(0) do |bits, name|
+        bit = table.fetch(name.to_sym) { raise ArgumentError, "unknown Landlock right: #{name.inspect}" }
+        next bits if bit == ACCESS_FS_REFER && abi < 2
+        next bits if bit == ACCESS_FS_TRUNCATE && abi < 3
+        next bits if bit == ACCESS_FS_IOCTL_DEV && abi < 5
+
+        bits | bit
+      end
+    end
+
+    def fs_rights_for_abi(abi)
+      rights = FS_RIGHTS.values.reduce(0, :|)
+      rights &= ~ACCESS_FS_REFER if abi < 2
+      rights &= ~ACCESS_FS_TRUNCATE if abi < 3
+      rights &= ~ACCESS_FS_IOCTL_DEV if abi < 5
+      rights
+    end
+
+    def handled_fs_for(read:, write:, execute:, paths:, abi:)
+      bits = 0
+      bits |= mask(READ_RIGHTS, FS_RIGHTS, abi) unless Array(read).empty?
+      bits |= mask(EXEC_RIGHTS, FS_RIGHTS, abi) unless Array(execute).empty?
+      bits |= mask(WRITE_RIGHTS, FS_RIGHTS, abi) unless Array(write).empty?
+      Array(paths).each do |rule|
+        path, rights = normalize_path_rule(rule)
+        bits |= path_rule_access_mask(File.expand_path(path), rights, abi)
+      end
+      bits
+    end
+
+    def handled_net_for(connect_tcp:, bind_tcp:, abi:)
+      bits = 0
+      bits |= ACCESS_NET_CONNECT_TCP unless Array(connect_tcp).empty?
+      bits |= ACCESS_NET_BIND_TCP unless Array(bind_tcp).empty?
+      return 0 if bits.zero?
+
+      raise UnsupportedError, "Landlock network rules require ABI v4+; running ABI v#{abi}" if abi < 4
+
+      bits
+    end
+
+    def scope_for(scope:, abi:)
+      bits = mask(scope, SCOPE_FLAGS, abi)
+      return 0 if bits.zero?
+
+      raise UnsupportedError, "Landlock scopes require ABI v6+; running ABI v#{abi}" if abi < 6
+
+      bits
+    end
+  end
+end

data/lib/landlock/process_io.rb

@@ -0,0 +1,249 @@
+# frozen_string_literal: true
+
+require_relative "errors"
+require_relative "result"
+
+module Landlock
+  READ_CHUNK_BYTES = 16 * 1024
+  PROCESS_POLL_SECONDS = 0.1
+  STDIN_THREAD_JOIN_SECONDS = 0.1
+  POST_TIMEOUT_DRAIN_SECONDS = 0.05
+
+  module ProcessIO
+    module_function
+
+    def complete_pipe_capture(
+      pid,
+      stdout_reader,
+      stderr_reader,
+      stdin_writer,
+      stdin,
+      timeout,
+      max_output_bytes,
+      truncate_output
+    )
+      stdin_thread = write_input(stdin_writer, stdin)
+
+      stdout = +"".b
+      stderr = +"".b
+      state = { bytes: 0, truncated: false }
+      begin
+        status, timed_out =
+          read_and_wait(
+            pid,
+            { stdout_reader => stdout, stderr_reader => stderr },
+            timeout,
+            max_output_bytes,
+            truncate_output,
+            state
+          )
+      rescue OutputTooLargeError => error
+        status ||= wait_for_pid(pid)
+        error.result = capture_result(stdout, stderr, status, output_truncated: true, timed_out:)
+        raise
+      ensure
+        finish_input_thread(stdin_thread, stdin_writer)
+      end
+
+      capture_result(stdout, stderr, status, output_truncated: state[:truncated], timed_out:)
+    end
+
+    def capture_result(stdout, stderr, status, output_truncated:, timed_out:)
+      stdout.force_encoding(Encoding.default_external)
+      stderr.force_encoding(Encoding.default_external)
+      CaptureResult.new(stdout:, stderr:, status:, output_truncated:, timed_out:)
+    end
+
+    def write_input(io, input)
+      return io.close if input.nil?
+
+      Thread.new do
+        Thread.current.report_on_exception = false
+        begin
+          if input.respond_to?(:read)
+            while (chunk = input.read(READ_CHUNK_BYTES))
+              io.write(chunk)
+            end
+          else
+            io.write(input.to_s)
+          end
+        rescue Errno::EPIPE, IOError
+        ensure
+          io.close unless io.closed?
+        end
+      end
+    end
+
+    def finish_input_thread(thread, io)
+      close_stream(io)
+      return unless thread
+
+      if thread.join(STDIN_THREAD_JOIN_SECONDS)
+        thread.value
+      else
+        thread.kill
+        thread.join(STDIN_THREAD_JOIN_SECONDS)
+      end
+    end
+
+    def read_and_wait(pid, streams, timeout, max_output_bytes, truncate_output, state)
+      deadline = timeout ? ::Process.clock_gettime(::Process::CLOCK_MONOTONIC) + timeout : nil
+      timed_out = false
+      status = nil
+
+      until streams.empty? && status
+        if deadline
+          remaining = deadline - ::Process.clock_gettime(::Process::CLOCK_MONOTONIC)
+          if remaining <= 0
+            timed_out = true
+            terminate_process(pid)
+            status = wait_for_pid(pid)
+            drain_streams_until(
+              streams,
+              ::Process.clock_gettime(::Process::CLOCK_MONOTONIC) + POST_TIMEOUT_DRAIN_SECONDS,
+              max_output_bytes,
+              truncate_output,
+              state,
+              pid
+            )
+            close_streams(streams)
+            break
+          end
+        end
+
+        status ||= poll_pid(pid)
+
+        break if streams.empty? && status
+
+        wait =
+          (
+            if deadline
+              [deadline - ::Process.clock_gettime(::Process::CLOCK_MONOTONIC), PROCESS_POLL_SECONDS].min
+            else
+              PROCESS_POLL_SECONDS
+            end
+          )
+        wait = 0 if wait.negative?
+        if streams.empty?
+          sleep wait
+          next
+        end
+
+        readable, = IO.select(streams.keys, nil, nil, wait)
+        next unless readable
+
+        readable.each do |io|
+          begin
+            chunk = io.read_nonblock(READ_CHUNK_BYTES)
+            append_output_chunk(streams.fetch(io), chunk, state, max_output_bytes, truncate_output, pid)
+          rescue IO::WaitReadable
+            next
+          rescue EOFError
+            streams.delete(io)
+            io.close
+          end
+        end
+      end
+
+      status ||= wait_for_pid(pid)
+      [status, timed_out]
+    end
+
+    def poll_pid(pid)
+      result = ::Process.wait2(pid, ::Process::WNOHANG)
+      result&.last
+    rescue Errno::ECHILD
+      nil
+    end
+
+    def wait_for_pid(pid)
+      ::Process.wait2(pid).last
+    rescue Errno::ECHILD
+      nil
+    end
+
+    def close_stream(io)
+      io.close unless io.closed?
+    rescue IOError
+    end
+
+    def read_available_streams(streams, max_output_bytes, truncate_output, state, pid)
+      readable, = IO.select(streams.keys, nil, nil, 0)
+      return false unless readable
+
+      readable.each do |io|
+        begin
+          chunk = io.read_nonblock(READ_CHUNK_BYTES)
+          append_output_chunk(streams.fetch(io), chunk, state, max_output_bytes, truncate_output, pid)
+        rescue IO::WaitReadable
+          next
+        rescue EOFError
+          streams.delete(io)
+          io.close
+        end
+      end
+
+      true
+    end
+
+    def drain_streams_until(streams, drain_deadline, max_output_bytes, truncate_output, state, pid)
+      while streams.any? && ::Process.clock_gettime(::Process::CLOCK_MONOTONIC) < drain_deadline
+        break unless read_available_streams(streams, max_output_bytes, truncate_output, state, pid)
+      end
+    end
+
+    def close_streams(streams)
+      streams.keys.each do |io|
+        streams.delete(io)
+        io.close unless io.closed?
+      rescue IOError
+      end
+    end
+
+    def append_output_chunk(
+      buffer,
+      chunk,
+      state,
+      max_output_bytes,
+      truncate_output,
+      pid,
+      output_too_large_error: Landlock::OutputTooLargeError
+    )
+      return buffer << chunk if max_output_bytes.nil?
+
+      chunk_to_append = chunk
+      over_limit = false
+      remaining_bytes = max_output_bytes - state[:bytes]
+      if remaining_bytes <= 0
+        chunk_to_append = ""
+        over_limit = true
+      elsif chunk.bytesize > remaining_bytes
+        chunk_to_append = chunk.byteslice(0, remaining_bytes)
+        over_limit = true
+      end
+
+      state[:bytes] += chunk.bytesize
+      state[:truncated] = true if over_limit
+      buffer << chunk_to_append
+      return unless over_limit
+
+      terminate_process(pid)
+      raise output_too_large_error, "Process output exceeded #{max_output_bytes} bytes" unless truncate_output
+    end
+
+    def terminate_process(pid)
+      signal_process("TERM", pid)
+      sleep 0.5
+      signal_process("KILL", pid)
+    end
+
+    def signal_process(signal, pid)
+      ::Process.kill(signal, -pid)
+    rescue Errno::ESRCH, Errno::EPERM
+      begin
+        ::Process.kill(signal, pid)
+      rescue Errno::ESRCH, Errno::EPERM
+      end
+    end
+  end
+end