landlock 0.2 → 0.3

data/ext/landlock/extconf.rb

@@ -2,6 +2,8 @@
 
 require "mkmf"
 
+append_cppflags("-D_GNU_SOURCE")
+
 abort "missing ruby headers" unless have_header("ruby.h")
 
 have_header("linux/landlock.h")
@@ -17,6 +19,7 @@ create_makefile("landlock/landlock")
 if RUBY_PLATFORM.include?("linux")
   helper = "landlock-safe-exec"
   helper_src = "$(srcdir)/bin/safe_exec_helper.c"
+  helper_headers = "$(srcdir)/landlock_native.h $(srcdir)/seccomp_deny_network.h"
   helper_dest = "$(RUBYARCHDIR)/#{helper}"
 
   File.open("Makefile", "a") do |makefile|
@@ -25,7 +28,7 @@ if RUBY_PLATFORM.include?("linux")
       all: #{helper}
 
       #{helper}: #{helper_src}
-      \t$(CC) $(INCFLAGS) $(CPPFLAGS) $(CFLAGS) #{helper_src} -o #{helper} $(LIBS)
+      \t$(CC) $(INCFLAGS) $(CPPFLAGS) $(CFLAGS) #{helper_src} -o #{helper}
 
       install: install-#{helper}
 

data/ext/landlock/landlock.c

@@ -1,5 +1,6 @@
 #include "ruby.h"
 #include "landlock_native.h"
+#include "seccomp_deny_network.h"
 
 #include <string.h>
 
@@ -9,8 +10,7 @@ static VALUE eSyscallError;
 
 static void raise_syscall_error(const char *syscall_name) {
   int saved_errno = errno;
-  VALUE err = rb_funcall(eSyscallError, rb_intern("new"), 3,
-                         rb_str_new_cstr(syscall_name),
+  VALUE err = rb_funcall(eSyscallError, rb_intern("new"), 3, rb_str_new_cstr(syscall_name),
                          INT2NUM(saved_errno),
                          rb_sprintf("%s failed: %s", syscall_name, strerror(saved_errno)));
   rb_exc_raise(err);
@@ -19,7 +19,9 @@ static void raise_syscall_error(const char *syscall_name) {
 static VALUE rb_ll_abi_version(VALUE self) {
   long abi = ll_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
   if (abi < 0) {
-    if (errno == ENOSYS || errno == EOPNOTSUPP) return INT2FIX(0);
+    if (errno == ENOSYS || errno == EOPNOTSUPP) {
+      return INT2FIX(0);
+    }
     raise_syscall_error("landlock_create_ruleset");
   }
   return LONG2NUM(abi);
@@ -45,7 +47,9 @@ static VALUE rb_ll_create_ruleset(int argc, VALUE *argv, VALUE self) {
   attr.scoped = scoped;
 
   long fd = ll_create_ruleset(&attr, attr_size, 0);
-  if (fd < 0) raise_syscall_error("landlock_create_ruleset");
+  if (fd < 0) {
+    raise_syscall_error("landlock_create_ruleset");
+  }
   return INT2NUM(fd);
 }
 
@@ -55,7 +59,9 @@ static VALUE rb_ll_add_path_rule(VALUE self, VALUE ruleset_fd, VALUE path, VALUE
   Check_Type(path, T_STRING);
   const char *cpath = StringValueCStr(path);
   int parent_fd = open(cpath, O_PATH | O_CLOEXEC);
-  if (parent_fd < 0) raise_syscall_error("open");
+  if (parent_fd < 0) {
+    raise_syscall_error("open");
+  }
 
   struct rb_landlock_path_beneath_attr rule;
   memset(&rule, 0, sizeof(rule));
@@ -74,7 +80,9 @@ static VALUE rb_ll_add_path_rule(VALUE self, VALUE ruleset_fd, VALUE path, VALUE
 
 static VALUE rb_ll_add_net_rule(VALUE self, VALUE ruleset_fd, VALUE port, VALUE access_bits) {
   unsigned long long p = NUM2ULL(port);
-  if (p > 65535ULL) rb_raise(rb_eArgError, "TCP port must be between 0 and 65535");
+  if (p > 65535ULL) {
+    rb_raise(rb_eArgError, "TCP port must be between 0 and 65535");
+  }
 
   struct rb_landlock_net_port_attr rule;
   memset(&rule, 0, sizeof(rule));
@@ -82,7 +90,9 @@ static VALUE rb_ll_add_net_rule(VALUE self, VALUE ruleset_fd, VALUE port, VALUE
   rule.port = p;
 
   long ret = ll_add_rule(NUM2INT(ruleset_fd), LANDLOCK_RULE_NET_PORT, &rule, 0);
-  if (ret < 0) raise_syscall_error("landlock_add_rule(net_port)");
+  if (ret < 0) {
+    raise_syscall_error("landlock_add_rule(net_port)");
+  }
   return Qtrue;
 }
 
@@ -93,7 +103,9 @@ static VALUE rb_ll_restrict_self(VALUE self, VALUE ruleset_fd) {
   }
 
   long ret = ll_restrict_self(NUM2INT(ruleset_fd), 0);
-  if (ret < 0) raise_syscall_error("landlock_restrict_self");
+  if (ret < 0) {
+    raise_syscall_error("landlock_restrict_self");
+  }
   return Qtrue;
 #else
   errno = ENOSYS;
@@ -103,10 +115,20 @@ static VALUE rb_ll_restrict_self(VALUE self, VALUE ruleset_fd) {
 
 static VALUE rb_ll_close_fd(VALUE self, VALUE fd_value) {
   int fd = NUM2INT(fd_value);
-  if (fd >= 0) close(fd);
+  if (fd >= 0) {
+    close(fd);
+  }
   return Qnil;
 }
 
+static VALUE rb_ll_seccomp_deny_network(VALUE self) {
+  const char *error_message = "seccomp(SECCOMP_SET_MODE_FILTER)";
+  if (rb_landlock_seccomp_deny_network(&error_message) != 0) {
+    raise_syscall_error(error_message);
+  }
+  return Qtrue;
+}
+
 void Init_landlock(void) {
   mLandlock = rb_define_module("Landlock");
 
@@ -128,6 +150,7 @@ void Init_landlock(void) {
   rb_define_singleton_method(mLandlock, "_add_net_rule", rb_ll_add_net_rule, 3);
   rb_define_singleton_method(mLandlock, "_restrict_self", rb_ll_restrict_self, 1);
   rb_define_singleton_method(mLandlock, "_close_fd", rb_ll_close_fd, 1);
+  rb_define_singleton_method(mLandlock, "seccomp_deny_network!", rb_ll_seccomp_deny_network, 0);
 
   rb_define_const(mLandlock, "ACCESS_FS_EXECUTE", ULL2NUM(LANDLOCK_ACCESS_FS_EXECUTE));
   rb_define_const(mLandlock, "ACCESS_FS_WRITE_FILE", ULL2NUM(LANDLOCK_ACCESS_FS_WRITE_FILE));
@@ -147,6 +170,7 @@ void Init_landlock(void) {
   rb_define_const(mLandlock, "ACCESS_FS_IOCTL_DEV", ULL2NUM(LANDLOCK_ACCESS_FS_IOCTL_DEV));
   rb_define_const(mLandlock, "ACCESS_NET_BIND_TCP", ULL2NUM(LANDLOCK_ACCESS_NET_BIND_TCP));
   rb_define_const(mLandlock, "ACCESS_NET_CONNECT_TCP", ULL2NUM(LANDLOCK_ACCESS_NET_CONNECT_TCP));
-  rb_define_const(mLandlock, "SCOPE_ABSTRACT_UNIX_SOCKET", ULL2NUM(LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET));
+  rb_define_const(mLandlock, "SCOPE_ABSTRACT_UNIX_SOCKET",
+                  ULL2NUM(LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET));
   rb_define_const(mLandlock, "SCOPE_SIGNAL", ULL2NUM(LANDLOCK_SCOPE_SIGNAL));
 }

data/ext/landlock/landlock_native.h

@@ -16,22 +16,23 @@
 #endif
 
 #ifndef SYS_landlock_create_ruleset
-# if defined(__linux__) && defined(__NR_landlock_create_ruleset) && defined(__NR_landlock_add_rule) && defined(__NR_landlock_restrict_self)
-#  define SYS_landlock_create_ruleset __NR_landlock_create_ruleset
-#  define SYS_landlock_add_rule __NR_landlock_add_rule
-#  define SYS_landlock_restrict_self __NR_landlock_restrict_self
-# elif defined(__linux__) && defined(__x86_64__) && defined(__ILP32__)
-#  ifndef __X32_SYSCALL_BIT
-#   define __X32_SYSCALL_BIT 0x40000000
-#  endif
-#  define SYS_landlock_create_ruleset (__X32_SYSCALL_BIT + 444)
-#  define SYS_landlock_add_rule (__X32_SYSCALL_BIT + 445)
-#  define SYS_landlock_restrict_self (__X32_SYSCALL_BIT + 446)
-# elif defined(__linux__) && (defined(__x86_64__) || defined(__aarch64__) || defined(__i386__))
-#  define SYS_landlock_create_ruleset 444
-#  define SYS_landlock_add_rule 445
-#  define SYS_landlock_restrict_self 446
-# endif
+#if defined(__linux__) && defined(__NR_landlock_create_ruleset) &&                                 \
+    defined(__NR_landlock_add_rule) && defined(__NR_landlock_restrict_self)
+#define SYS_landlock_create_ruleset __NR_landlock_create_ruleset
+#define SYS_landlock_add_rule __NR_landlock_add_rule
+#define SYS_landlock_restrict_self __NR_landlock_restrict_self
+#elif defined(__linux__) && defined(__x86_64__) && defined(__ILP32__)
+#ifndef __X32_SYSCALL_BIT
+#define __X32_SYSCALL_BIT 0x40000000
+#endif
+#define SYS_landlock_create_ruleset (__X32_SYSCALL_BIT + 444)
+#define SYS_landlock_add_rule (__X32_SYSCALL_BIT + 445)
+#define SYS_landlock_restrict_self (__X32_SYSCALL_BIT + 446)
+#elif defined(__linux__) && (defined(__x86_64__) || defined(__aarch64__) || defined(__i386__))
+#define SYS_landlock_create_ruleset 444
+#define SYS_landlock_add_rule 445
+#define SYS_landlock_restrict_self 446
+#endif
 #endif
 
 #ifndef LANDLOCK_CREATE_RULESET_VERSION
@@ -47,16 +48,16 @@
 #endif
 
 #ifndef LANDLOCK_ACCESS_FS_EXECUTE
-#define LANDLOCK_ACCESS_FS_EXECUTE    (1ULL << 0)
+#define LANDLOCK_ACCESS_FS_EXECUTE (1ULL << 0)
 #endif
 #ifndef LANDLOCK_ACCESS_FS_WRITE_FILE
 #define LANDLOCK_ACCESS_FS_WRITE_FILE (1ULL << 1)
 #endif
 #ifndef LANDLOCK_ACCESS_FS_READ_FILE
-#define LANDLOCK_ACCESS_FS_READ_FILE  (1ULL << 2)
+#define LANDLOCK_ACCESS_FS_READ_FILE (1ULL << 2)
 #endif
 #ifndef LANDLOCK_ACCESS_FS_READ_DIR
-#define LANDLOCK_ACCESS_FS_READ_DIR   (1ULL << 3)
+#define LANDLOCK_ACCESS_FS_READ_DIR (1ULL << 3)
 #endif
 #ifndef LANDLOCK_ACCESS_FS_REMOVE_DIR
 #define LANDLOCK_ACCESS_FS_REMOVE_DIR (1ULL << 4)
@@ -65,38 +66,38 @@
 #define LANDLOCK_ACCESS_FS_REMOVE_FILE (1ULL << 5)
 #endif
 #ifndef LANDLOCK_ACCESS_FS_MAKE_CHAR
-#define LANDLOCK_ACCESS_FS_MAKE_CHAR  (1ULL << 6)
+#define LANDLOCK_ACCESS_FS_MAKE_CHAR (1ULL << 6)
 #endif
 #ifndef LANDLOCK_ACCESS_FS_MAKE_DIR
-#define LANDLOCK_ACCESS_FS_MAKE_DIR   (1ULL << 7)
+#define LANDLOCK_ACCESS_FS_MAKE_DIR (1ULL << 7)
 #endif
 #ifndef LANDLOCK_ACCESS_FS_MAKE_REG
-#define LANDLOCK_ACCESS_FS_MAKE_REG   (1ULL << 8)
+#define LANDLOCK_ACCESS_FS_MAKE_REG (1ULL << 8)
 #endif
 #ifndef LANDLOCK_ACCESS_FS_MAKE_SOCK
-#define LANDLOCK_ACCESS_FS_MAKE_SOCK  (1ULL << 9)
+#define LANDLOCK_ACCESS_FS_MAKE_SOCK (1ULL << 9)
 #endif
 #ifndef LANDLOCK_ACCESS_FS_MAKE_FIFO
-#define LANDLOCK_ACCESS_FS_MAKE_FIFO  (1ULL << 10)
+#define LANDLOCK_ACCESS_FS_MAKE_FIFO (1ULL << 10)
 #endif
 #ifndef LANDLOCK_ACCESS_FS_MAKE_BLOCK
 #define LANDLOCK_ACCESS_FS_MAKE_BLOCK (1ULL << 11)
 #endif
 #ifndef LANDLOCK_ACCESS_FS_MAKE_SYM
-#define LANDLOCK_ACCESS_FS_MAKE_SYM   (1ULL << 12)
+#define LANDLOCK_ACCESS_FS_MAKE_SYM (1ULL << 12)
 #endif
 #ifndef LANDLOCK_ACCESS_FS_REFER
-#define LANDLOCK_ACCESS_FS_REFER      (1ULL << 13)
+#define LANDLOCK_ACCESS_FS_REFER (1ULL << 13)
 #endif
 #ifndef LANDLOCK_ACCESS_FS_TRUNCATE
-#define LANDLOCK_ACCESS_FS_TRUNCATE   (1ULL << 14)
+#define LANDLOCK_ACCESS_FS_TRUNCATE (1ULL << 14)
 #endif
 #ifndef LANDLOCK_ACCESS_FS_IOCTL_DEV
-#define LANDLOCK_ACCESS_FS_IOCTL_DEV  (1ULL << 15)
+#define LANDLOCK_ACCESS_FS_IOCTL_DEV (1ULL << 15)
 #endif
 
 #ifndef LANDLOCK_ACCESS_NET_BIND_TCP
-#define LANDLOCK_ACCESS_NET_BIND_TCP    (1ULL << 0)
+#define LANDLOCK_ACCESS_NET_BIND_TCP (1ULL << 0)
 #endif
 #ifndef LANDLOCK_ACCESS_NET_CONNECT_TCP
 #define LANDLOCK_ACCESS_NET_CONNECT_TCP (1ULL << 1)

data/ext/landlock/seccomp_deny_network.h

@@ -0,0 +1,176 @@
+#ifndef RB_LANDLOCK_SECCOMP_DENY_NETWORK_H
+#define RB_LANDLOCK_SECCOMP_DENY_NETWORK_H
+
+#include <errno.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#ifdef __linux__
+#include <linux/audit.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
+#include <sys/prctl.h>
+#include <sys/syscall.h>
+#endif
+
+#ifndef SECCOMP_RET_ALLOW
+#define SECCOMP_RET_ALLOW 0x7fff0000U
+#endif
+#ifndef SECCOMP_RET_ERRNO
+#define SECCOMP_RET_ERRNO 0x00050000U
+#endif
+#ifndef SECCOMP_RET_KILL_PROCESS
+#define SECCOMP_RET_KILL_PROCESS 0x80000000U
+#endif
+#ifndef SECCOMP_SET_MODE_FILTER
+#define SECCOMP_SET_MODE_FILTER 1
+#endif
+
+#ifdef __linux__
+static int rb_landlock_deny_network_syscalls[] = {
+#ifdef __NR_socket
+    __NR_socket,
+#endif
+#ifdef __NR_socketpair
+    __NR_socketpair,
+#endif
+#ifdef __NR_connect
+    __NR_connect,
+#endif
+#ifdef __NR_bind
+    __NR_bind,
+#endif
+#ifdef __NR_listen
+    __NR_listen,
+#endif
+#ifdef __NR_accept
+    __NR_accept,
+#endif
+#ifdef __NR_accept4
+    __NR_accept4,
+#endif
+#ifdef __NR_sendto
+    __NR_sendto,
+#endif
+#ifdef __NR_sendmsg
+    __NR_sendmsg,
+#endif
+#ifdef __NR_sendmmsg
+    __NR_sendmmsg,
+#endif
+#ifdef __NR_recvfrom
+    __NR_recvfrom,
+#endif
+#ifdef __NR_recvmsg
+    __NR_recvmsg,
+#endif
+#ifdef __NR_recvmmsg
+    __NR_recvmmsg,
+#endif
+#ifdef __NR_socketcall
+    __NR_socketcall,
+#endif
+};
+
+#if defined(__x86_64__) && defined(AUDIT_ARCH_X86_64)
+#define RB_LANDLOCK_EXPECTED_AUDIT_ARCH AUDIT_ARCH_X86_64
+#elif defined(__aarch64__) && defined(AUDIT_ARCH_AARCH64)
+#define RB_LANDLOCK_EXPECTED_AUDIT_ARCH AUDIT_ARCH_AARCH64
+#elif defined(__i386__) && defined(AUDIT_ARCH_I386)
+#define RB_LANDLOCK_EXPECTED_AUDIT_ARCH AUDIT_ARCH_I386
+#endif
+
+#if defined(__x86_64__) && !defined(__ILP32__)
+#ifndef __X32_SYSCALL_BIT
+#define __X32_SYSCALL_BIT 0x40000000
+#endif
+#define RB_LANDLOCK_DENY_X32_SYSCALLS 1
+#endif
+#endif
+
+static int rb_landlock_seccomp_deny_network(const char **error_message) {
+#ifdef __linux__
+#ifndef RB_LANDLOCK_EXPECTED_AUDIT_ARCH
+  errno = ENOSYS;
+  if (error_message) {
+    *error_message = "seccomp unsupported architecture";
+  }
+  return -1;
+#else
+  size_t count =
+      sizeof(rb_landlock_deny_network_syscalls) / sizeof(rb_landlock_deny_network_syscalls[0]);
+  if (count == 0) {
+    return 0;
+  }
+
+  size_t len = 1 + (2 * count) + 1;
+  len += 3;
+#ifdef RB_LANDLOCK_DENY_X32_SYSCALLS
+  len += 2;
+#endif
+  struct sock_filter *filter = calloc(len, sizeof(struct sock_filter));
+  if (!filter) {
+    if (error_message) {
+      *error_message = "calloc";
+    }
+    return -1;
+  }
+
+  size_t pc = 0;
+  filter[pc++] =
+      (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
+  filter[pc++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
+                                              RB_LANDLOCK_EXPECTED_AUDIT_ARCH, 1, 0);
+  filter[pc++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
+  filter[pc++] =
+      (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
+#ifdef RB_LANDLOCK_DENY_X32_SYSCALLS
+  filter[pc++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, __X32_SYSCALL_BIT, 0, 1);
+  filter[pc++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
+#endif
+  for (size_t i = 0; i < count; i++) {
+    filter[pc++] = (struct sock_filter)BPF_JUMP(
+        BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)rb_landlock_deny_network_syscalls[i], 0, 1);
+    filter[pc++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
+  }
+  filter[pc++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
+
+  struct sock_fprog prog;
+  prog.len = (unsigned short)pc;
+  prog.filter = filter;
+
+  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
+    if (error_message) {
+      *error_message = "prctl(PR_SET_NO_NEW_PRIVS)";
+    }
+    free(filter);
+    return -1;
+  }
+#ifdef SYS_seccomp
+  if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog) == 0) {
+    free(filter);
+    return 0;
+  }
+#endif
+  if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) {
+    if (error_message) {
+      *error_message = "seccomp(SECCOMP_SET_MODE_FILTER)";
+    }
+    free(filter);
+    return -1;
+  }
+
+  free(filter);
+  return 0;
+#endif
+#else
+  errno = ENOSYS;
+  if (error_message) {
+    *error_message = "seccomp(SECCOMP_SET_MODE_FILTER)";
+  }
+  return -1;
+#endif
+}
+
+#endif

data/lib/landlock/env.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Landlock
+  module Env
+    module_function
+
+    def normalize(env)
+      return nil if env.nil?
+
+      raise ArgumentError, "env must be a Hash-compatible object" unless env.respond_to?(:each_pair)
+
+      normalized = {}
+      env.each_pair do |key, value|
+        key = key.to_s
+        raise ArgumentError, "env key must not be empty" if key.empty?
+        raise ArgumentError, "env key must not contain '='" if key.include?("=")
+        raise ArgumentError, "env key must not contain NUL" if key.include?("\0")
+
+        if value.nil?
+          normalized[key] = nil
+        else
+          value = value.to_s
+          raise ArgumentError, "env value must not contain NUL" if value.include?("\0")
+
+          normalized[key] = value
+        end
+      end
+      normalized
+    end
+  end
+end

data/lib/landlock/errors.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module Landlock
+  Error = Class.new(StandardError)
+  UnsupportedError = Class.new(Error)
+
+  class SyscallError < Error
+    attr_reader :errno, :syscall
+
+    def initialize(syscall, errno, message = nil)
+      @syscall = syscall
+      @errno = errno
+      super(message || "#{syscall} failed: #{errno}")
+    end
+  end
+
+  class CommandError < Error
+    attr_reader :stdout, :stderr, :status, :result
+
+    def initialize(message, stdout: "", stderr: "", status: nil, result: nil)
+      @stdout = stdout
+      @stderr = stderr
+      @status = status
+      @result = result
+      super(message)
+    end
+  end
+
+  class OutputTooLargeError < Error
+    attr_accessor :result
+  end
+end