landlock 0.2 → 0.3

data/lib/landlock/result.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module Landlock
+  module ResultBehavior
+    attr_reader :stdout, :stderr, :status
+
+    def success?
+      !timed_out? && status&.success?
+    end
+
+    def output_truncated?
+      @output_truncated
+    end
+
+    def timed_out?
+      @timed_out
+    end
+
+    def to_ary
+      [stdout, stderr, status]
+    end
+
+    def to_s
+      stdout.to_s
+    end
+
+    def inspect
+      "#<#{self.class} status=#{status.inspect} timed_out=#{timed_out?} output_truncated=#{output_truncated?} stdout=#{stdout.inspect} stderr=#{stderr.inspect}>"
+    end
+  end
+
+  class CaptureResult
+    include ResultBehavior
+
+    def initialize(stdout:, stderr:, status:, output_truncated: false, timed_out: false)
+      @stdout = stdout
+      @stderr = stderr
+      @status = status
+      @output_truncated = output_truncated
+      @timed_out = timed_out
+    end
+  end
+end

data/lib/landlock/rights.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require_relative "native"
+
+module Landlock
+  FS_RIGHTS = {
+    execute: ACCESS_FS_EXECUTE,
+    write_file: ACCESS_FS_WRITE_FILE,
+    read_file: ACCESS_FS_READ_FILE,
+    read_dir: ACCESS_FS_READ_DIR,
+    remove_dir: ACCESS_FS_REMOVE_DIR,
+    remove_file: ACCESS_FS_REMOVE_FILE,
+    make_char: ACCESS_FS_MAKE_CHAR,
+    make_dir: ACCESS_FS_MAKE_DIR,
+    make_reg: ACCESS_FS_MAKE_REG,
+    make_sock: ACCESS_FS_MAKE_SOCK,
+    make_fifo: ACCESS_FS_MAKE_FIFO,
+    make_block: ACCESS_FS_MAKE_BLOCK,
+    make_sym: ACCESS_FS_MAKE_SYM,
+    refer: ACCESS_FS_REFER,
+    truncate: ACCESS_FS_TRUNCATE,
+    ioctl_dev: ACCESS_FS_IOCTL_DEV
+  }.freeze
+
+  NET_RIGHTS = { bind_tcp: ACCESS_NET_BIND_TCP, connect_tcp: ACCESS_NET_CONNECT_TCP }.freeze
+
+  SCOPE_FLAGS = { abstract_unix_socket: SCOPE_ABSTRACT_UNIX_SOCKET, signal: SCOPE_SIGNAL }.freeze
+
+  READ_RIGHTS = %i[read_file read_dir].freeze
+  EXEC_RIGHTS = %i[execute read_file read_dir].freeze
+  WRITE_RIGHTS = %i[
+    read_file
+    read_dir
+    write_file
+    truncate
+    remove_dir
+    remove_file
+    make_char
+    make_dir
+    make_reg
+    make_sock
+    make_fifo
+    make_block
+    make_sym
+    refer
+  ].freeze
+  FILE_PATH_RIGHTS = %i[execute write_file read_file truncate ioctl_dev].freeze
+end

data/lib/landlock/rlimits.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module Landlock
+  module Rlimits
+    VALID_NAMES = %i[cpu_seconds memory_bytes file_size_bytes open_files processes].freeze
+
+    module_function
+
+    def normalize(rlimits)
+      Array(rlimits).filter_map do |name, value|
+        next if value.nil?
+
+        key = name.to_sym
+        raise ArgumentError, "Unknown rlimit: #{name}" if !VALID_NAMES.include?(key)
+
+        value = Integer(value)
+        raise ArgumentError, "rlimit #{name} must be non-negative" if value.negative?
+
+        [key, value]
+      end
+    end
+
+    def apply!(rlimits)
+      rlimits.each do |key, value|
+        case key
+        when :cpu_seconds
+          ::Process.setrlimit(:CPU, value, value)
+        when :memory_bytes
+          ::Process.setrlimit(:AS, value, value)
+        when :file_size_bytes
+          ::Process.setrlimit(:FSIZE, value, value)
+        when :open_files
+          ::Process.setrlimit(:NOFILE, value, value)
+        when :processes
+          ::Process.setrlimit(:NPROC, value, value)
+        end
+      end
+    end
+  end
+end

data/lib/landlock/runner/fork.rb

@@ -0,0 +1,171 @@
+# frozen_string_literal: true
+
+require_relative "../errors"
+require_relative "../native"
+require_relative "../policy"
+require_relative "../process_io"
+require_relative "../rlimits"
+
+module Landlock
+  module Runner
+    module Fork
+      module_function
+
+      def spawn(
+        argv,
+        read:,
+        write:,
+        execute:,
+        connect_tcp:,
+        bind_tcp:,
+        paths:,
+        scope:,
+        chdir:,
+        env:,
+        unsetenv_others:,
+        close_others:,
+        allow_all_known:
+      )
+        fork do
+          begin
+            setup_child!(
+              argv,
+              read:,
+              write:,
+              execute:,
+              connect_tcp:,
+              bind_tcp:,
+              paths:,
+              scope:,
+              chdir:,
+              env:,
+              unsetenv_others:,
+              close_others:,
+              allow_all_known:,
+              rlimits: [],
+              seccomp_deny_network: false
+            )
+          rescue Exception => error
+            Runner.exit_child!(error)
+          end
+        end
+      end
+
+      def call(
+        argv,
+        read:,
+        write:,
+        execute:,
+        connect_tcp:,
+        bind_tcp:,
+        paths:,
+        scope:,
+        chdir:,
+        env:,
+        unsetenv_others:,
+        close_others:,
+        allow_all_known:,
+        timeout:,
+        stdin:,
+        rlimits:,
+        seccomp_deny_network:,
+        max_output_bytes:,
+        truncate_output:
+      )
+        stdout_reader, stdout_writer = IO.pipe
+        stderr_reader, stderr_writer = IO.pipe
+        stdin_reader, stdin_writer = IO.pipe
+
+        pid =
+          fork do
+            begin
+              stdout_reader.close
+              stderr_reader.close
+              stdin_writer.close
+              ::Process.setpgrp
+              STDIN.reopen(stdin_reader)
+              STDOUT.reopen(stdout_writer)
+              STDERR.reopen(stderr_writer)
+              stdin_reader.close
+              stdout_writer.close
+              stderr_writer.close
+
+              setup_child!(
+                argv,
+                read:,
+                write:,
+                execute:,
+                connect_tcp:,
+                bind_tcp:,
+                paths:,
+                scope:,
+                chdir:,
+                env:,
+                unsetenv_others:,
+                close_others:,
+                allow_all_known:,
+                rlimits:,
+                seccomp_deny_network:
+              )
+            rescue Exception => error
+              Runner.exit_child!(error)
+            end
+          end
+
+        stdin_reader.close
+        stdout_writer.close
+        stderr_writer.close
+
+        ProcessIO.complete_pipe_capture(
+          pid,
+          stdout_reader,
+          stderr_reader,
+          stdin_writer,
+          stdin,
+          timeout,
+          max_output_bytes,
+          truncate_output
+        )
+      rescue OutputTooLargeError
+        raise
+      rescue Exception
+        if pid
+          ProcessIO.terminate_process(pid)
+          ProcessIO.wait_for_pid(pid)
+        end
+        raise
+      ensure
+        [stdin_reader, stdin_writer, stdout_reader, stdout_writer, stderr_reader, stderr_writer].each do |io|
+          io&.close unless io.closed?
+        rescue IOError
+        end
+      end
+
+      def setup_child!(
+        argv,
+        read:,
+        write:,
+        execute:,
+        connect_tcp:,
+        bind_tcp:,
+        paths:,
+        scope:,
+        chdir:,
+        env:,
+        unsetenv_others:,
+        close_others:,
+        allow_all_known:,
+        rlimits:,
+        seccomp_deny_network:
+      )
+        Dir.chdir(chdir) if chdir # rubocop:disable Discourse/NoChdir
+        if Policy.requested?(read:, write:, execute:, connect_tcp:, bind_tcp:, paths:, scope:, allow_all_known:)
+          Landlock.restrict!(read:, write:, execute:, connect_tcp:, bind_tcp:, paths:, scope:, allow_all_known:)
+        end
+        Landlock::Native.seccomp_deny_network! if seccomp_deny_network
+        Rlimits.apply!(rlimits)
+        Kernel.exec(*Runner.kernel_exec_args(argv, env, unsetenv_others:, close_others:))
+      end
+    end
+  end
+end

data/lib/landlock/runner/native.rb

@@ -0,0 +1,225 @@
+# frozen_string_literal: true
+
+require "rbconfig"
+require_relative "../errors"
+require_relative "../policy"
+require_relative "../process_io"
+
+module Landlock
+  module Runner
+    module Native
+      # Starts the native helper with the sandbox policy encoded as argv flags.
+      # The helper applies the policy, then execs the target command so the
+      # long-lived child is not a forked Ruby process.
+      module_function
+
+      def available?
+        File.executable?(helper_path)
+      end
+
+      def helper_path
+        candidates = [
+          File.expand_path("../landlock-safe-exec", __dir__),
+          File.expand_path(
+            "../../../tmp/#{RbConfig::CONFIG.fetch("arch")}/landlock/#{RUBY_VERSION}/landlock-safe-exec",
+            __dir__
+          ),
+          File.expand_path("../../../ext/landlock/landlock-safe-exec", __dir__)
+        ]
+        candidates.find { |path| File.executable?(path) } || candidates.first
+      end
+
+      def spawn(
+        argv,
+        read:,
+        write:,
+        execute:,
+        connect_tcp:,
+        bind_tcp:,
+        paths:,
+        scope:,
+        chdir:,
+        env:,
+        unsetenv_others:,
+        close_others:,
+        allow_all_known:
+      )
+        spawn_helper(
+          argv,
+          read:,
+          write:,
+          execute:,
+          connect_tcp:,
+          bind_tcp:,
+          paths:,
+          scope:,
+          chdir:,
+          env:,
+          unsetenv_others:,
+          close_others:,
+          allow_all_known:,
+          rlimits: [],
+          seccomp_deny_network: false
+        )
+      end
+
+      def call(
+        argv,
+        read:,
+        write:,
+        execute:,
+        connect_tcp:,
+        bind_tcp:,
+        paths:,
+        scope:,
+        chdir:,
+        env:,
+        unsetenv_others:,
+        close_others:,
+        allow_all_known:,
+        timeout:,
+        stdin:,
+        rlimits:,
+        seccomp_deny_network:,
+        max_output_bytes:,
+        truncate_output:
+      )
+        stdout_reader, stdout_writer = IO.pipe
+        stderr_reader, stderr_writer = IO.pipe
+        stdin_reader, stdin_writer = IO.pipe
+
+        pid =
+          spawn_helper(
+            argv,
+            read:,
+            write:,
+            execute:,
+            connect_tcp:,
+            bind_tcp:,
+            paths:,
+            scope:,
+            chdir:,
+            env:,
+            unsetenv_others:,
+            close_others:,
+            allow_all_known:,
+            rlimits:,
+            seccomp_deny_network:,
+            stdin_reader:,
+            stdout_writer:,
+            stderr_writer:,
+            pgroup: true
+          )
+
+        stdin_reader.close
+        stdout_writer.close
+        stderr_writer.close
+
+        ProcessIO.complete_pipe_capture(
+          pid,
+          stdout_reader,
+          stderr_reader,
+          stdin_writer,
+          stdin,
+          timeout,
+          max_output_bytes,
+          truncate_output
+        )
+      rescue OutputTooLargeError
+        raise
+      rescue Exception
+        if pid
+          ProcessIO.terminate_process(pid)
+          ProcessIO.wait_for_pid(pid)
+        end
+        raise
+      ensure
+        [stdin_reader, stdin_writer, stdout_reader, stdout_writer, stderr_reader, stderr_writer].each do |io|
+          io&.close unless io.closed?
+        rescue IOError
+        end
+      end
+
+      def spawn_helper(
+        argv,
+        read:,
+        write:,
+        execute:,
+        connect_tcp:,
+        bind_tcp:,
+        paths:,
+        scope:,
+        chdir:,
+        env:,
+        unsetenv_others:,
+        close_others:,
+        allow_all_known:,
+        rlimits:,
+        seccomp_deny_network:,
+        stdin_reader: nil,
+        stdout_writer: nil,
+        stderr_writer: nil,
+        pgroup: false
+      )
+        spawn_options = { close_others: }
+        spawn_options[:unsetenv_others] = true if unsetenv_others
+        spawn_options[:chdir] = chdir if chdir
+        spawn_options[:in] = stdin_reader if stdin_reader
+        spawn_options[:out] = stdout_writer if stdout_writer
+        spawn_options[:err] = stderr_writer if stderr_writer
+        spawn_options[:pgroup] = true if pgroup
+
+        spawn_args =
+          helper_argv(
+            argv,
+            read:,
+            write:,
+            execute:,
+            connect_tcp:,
+            bind_tcp:,
+            paths:,
+            scope:,
+            allow_all_known:,
+            rlimits:,
+            seccomp_deny_network:,
+            close_others:
+          )
+        env ? ::Process.spawn(env, *spawn_args, spawn_options) : ::Process.spawn(*spawn_args, spawn_options)
+      end
+
+      def helper_argv(
+        argv,
+        read:,
+        write:,
+        execute:,
+        connect_tcp:,
+        bind_tcp:,
+        paths:,
+        scope:,
+        allow_all_known:,
+        rlimits:,
+        seccomp_deny_network:,
+        close_others:
+      )
+        args = [helper_path]
+        Array(read).each { |path| args << "--read" << path.to_s }
+        Array(write).each { |path| args << "--write" << path.to_s }
+        Array(execute).each { |path| args << "--execute" << path.to_s }
+        Array(paths).each do |rule|
+          path, rights = Policy.normalize_path_rule(rule)
+          args << "--path" << path.to_s << Array(rights).map(&:to_s).join(",")
+        end
+        Array(connect_tcp).each { |port| args << "--connect-tcp" << port.to_s }
+        Array(bind_tcp).each { |port| args << "--bind-tcp" << port.to_s }
+        Array(scope).each { |name| args << "--scope" << name.to_s }
+        Array(rlimits).each { |key, value| args << "--rlimit" << "#{key}=#{value}" }
+        args << "--allow-all-known" if allow_all_known
+        args << "--seccomp-deny-network" if seccomp_deny_network
+        args << "--keep-fds" unless close_others
+        args << "--"
+        args.concat(argv.map(&:to_s))
+        args
+      end
+    end
+  end
+end

data/lib/landlock/runner.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Landlock
+  module Runner
+    module_function
+
+    def argv_for_exec(argv)
+      command = argv.fetch(0)
+      [[command, command], *argv.drop(1)]
+    end
+
+    def kernel_exec_args(argv, env, unsetenv_others:, close_others:)
+      exec_options = { close_others: }
+      exec_options[:unsetenv_others] = true if unsetenv_others
+
+      env ? [env, *argv_for_exec(argv), exec_options] : [*argv_for_exec(argv), exec_options]
+    end
+
+    def exit_child!(error)
+      warn "Landlock child failed before exec: #{error.class}: #{error.message}"
+    ensure
+      exit! 127
+    end
+  end
+end
+
+require_relative "runner/fork"
+require_relative "runner/native"

data/lib/landlock/validation.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+module Landlock
+  module Validation
+    module_function
+
+    def normalize_argv(argv)
+      raise ArgumentError, "argv must be an Array of command arguments" unless argv.is_a?(Array)
+      raise ArgumentError, "argv must not be empty" if argv.empty?
+
+      argv
+    end
+
+    def normalize_ports(ports, name)
+      Array(ports).map do |port|
+        integer = Integer(port)
+        raise ArgumentError, "#{name} port must be between 0 and 65535" if integer.negative? || integer > 65_535
+
+        integer
+      end
+    end
+
+    def validate_existing_paths(paths, name, chdir: nil)
+      base = chdir ? File.expand_path(chdir) : Dir.pwd
+      Array(paths)
+        .map do |path|
+          validate_existing_path!(path, name, base)
+          path.to_s
+        end
+        .uniq
+    end
+
+    def validate_existing_path!(path, name, base)
+      string = path.to_s
+      raise ArgumentError, "#{name} path must not be empty" if string.empty?
+
+      expanded = File.expand_path(string, base)
+      raise ArgumentError, "#{name} path does not exist: #{string}" if !File.exist?(expanded)
+    end
+
+    def validate_output_limit!(max_output_bytes)
+      return if max_output_bytes.nil?
+
+      Integer(max_output_bytes).tap do |value|
+        raise ArgumentError, "max_output_bytes must be non-negative" if value.negative?
+      end
+    end
+
+    def validate_timeout!(timeout)
+      return if timeout.nil?
+      raise ArgumentError, "timeout must be numeric" unless timeout.is_a?(Numeric)
+
+      Float(timeout).tap do |value|
+        raise ArgumentError, "timeout must be finite" unless value.finite?
+        raise ArgumentError, "timeout must be non-negative" if value.negative?
+      end
+    end
+  end
+end

data/lib/landlock/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Landlock
-  VERSION = "0.2"
+  VERSION = "0.3"
 end