landlock 0.2 → 0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: baea0cbd5b22406f288880dd5bcec85569c3134b256657d876a502f37e622364
-  data.tar.gz: a383e9cb807f51e2fd6e5d15a5d3d22c61d20a9ee2f9dffb046a1a97e24c2a6e
+  metadata.gz: 0d4dc223f9ec0de53ff3ac2db1547a2bb21cee7fe670106795384c2d508395fd
+  data.tar.gz: 81db633dd067c82e68746b5bffb7db1b4a46a85984aededc03607a49f1ec5bd1
 SHA512:
-  metadata.gz: c385390bd6b239d5a7b495d74388ba9bb357787900ef73bfbd953d8353c49ce893117df8cc80fe95b0c9b2e8a6c836988a8540b2fbfdbce244ff76a6879d7067
-  data.tar.gz: b1d754bbfd7b60ec81cc4d036bc13ab627253fdf2fdb55a752477a43f917381d819f8fa20870abcad264e2a86d0c5635cb327799ccc614800e3adb1088b9dfec
+  metadata.gz: bcf9b3f9a3b369aca990a9ead22bdee7e5414baee0c73762504a10eb15fa87e56d75253f58802885621000b8e84f70d7ec5ee81b835ac1209b41476727079b81
+  data.tar.gz: 24f8ee88a25a18f5049b957878969cdb890a12f93e900bdda1402cbd1bf0ea33ec8841c96a3f6391bc216cea0730d361d4be24dac7ae19caf572f372c8c818c2

data/CHANGELOG.md

@@ -4,7 +4,39 @@ All notable changes to this project will be documented in this file.
 
 ## Unreleased
 
-### [0.2] - 2026-04-30
+## [0.3] - 2026-06-17
+
+### Added
+
+- Add top-level `Landlock.capture` and `Landlock.capture!`, direct Landlock/`exec` capture APIs with stdout/stderr capture, stdin, wall-clock timeout with process-group cleanup, output byte limits, `rlimits:`, controlled environments, `chdir:`, TCP/scoped Landlock rules, `allow_all_known:`, and optional `seccomp_deny_network:`.
+- Expose `Landlock.seccomp_deny_network!` from the native extension so capture children can install the same deny-network seccomp filter used by the helper binary.
+
+### Changed
+
+- Remove the legacy `Landlock::SafeExec` Ruby facade. Use `Landlock.capture`/`capture!` with argv arrays for captured subprocesses and `Landlock.exec`/`spawn` for non-capturing subprocesses.
+- `Landlock.exec`, `Landlock.spawn`, and `Landlock.capture` now use the packaged native `landlock-safe-exec` helper when available, passing sandbox policy as helper arguments to avoid forking a large Ruby process for child setup and falling back to the Ruby fork runner if the helper argv exceeds `ARG_MAX`.
+- Split subprocess running internals into `Landlock::Runner::Native` and `Landlock::Runner::Fork` backends, with shared validation, process I/O, rlimit, environment, and policy helpers.
+- Normalize subprocess `env:` keys and values in Ruby before spawning and keep environment values out of native-helper argv.
+- Require non-empty `Landlock.exec`/`spawn` policies instead of launching an unsandboxed command when no Landlock rules are provided.
+
+### Fixed
+
+- Treat timeouts as failures for `capture!` even when a command handles termination and exits with an otherwise successful status.
+- Bound post-timeout pipe draining so escaped descendants that keep stdout/stderr open cannot hang capture past the requested timeout.
+- Harden `landlock-safe-exec` by closing inherited file descriptors, applying rlimits after sandbox setup, matching Ruby `write:` rights, tightening CLI parsing, and making the shared seccomp network-deny filter reject x32 syscall-number bypasses.
+- Validate `Landlock.capture` filesystem policy paths before forking so missing paths raise `ArgumentError`.
+- Reject empty `Landlock.capture` policies unless another restriction such as seccomp or rlimits is provided.
+- Filter directory-only custom path-rule rights for file paths in `Landlock.restrict!`, matching helper behavior.
+
+### Documentation
+
+- Document `Landlock.capture`, its result/error types, capture options, and subprocess sandboxing guidance.
+
+### [0.2.1] - 2026-06-16
+
+- Build `landlock-safe-exec` without Ruby extension `$(LIBS)` to avoid unnecessary runtime library dependencies and improve SafeExec helper startup time.
+
+## [0.2] - 2026-04-30
 
 - Add `Landlock::SafeExec.capture`, backed by a compiled `landlock-safe-exec` helper, for subprocess capture with Landlock, optional seccomp network denial, resource limits, exact environment handling, stdin, timeout handling, process-group cleanup, result metadata, and output limits.
 - Share native Landlock syscall/constant definitions between the Ruby extension and helper binary.

data/README.md

@@ -19,7 +19,7 @@ See [CHANGELOG.md](CHANGELOG.md) for release notes.
 
 ## Safe subprocess execution
 
-Pass commands as an argument array. `Landlock.exec` and `Landlock.spawn` do not invoke a shell implicitly; use an explicit shell in the array if that is really required. Both helpers accept `env:` and `unsetenv_others:` and pass them through to `Kernel.exec` so subprocesses can run with a controlled environment.
+Pass commands as an argument array. `Landlock.exec` and `Landlock.spawn` do not invoke a shell implicitly; use an explicit shell in the array if that is really required. Both helpers require a non-empty Landlock policy, accept `env:`/`unsetenv_others:` for controlled environments, and use the packaged native helper when available so the long-lived child is not a forked Ruby process.
 
 Allow Ruby to execute and read its runtime, but only allow outbound TCP connections to port 443:
 
@@ -66,23 +66,17 @@ Landlock.exec(
 )
 ```
 
-## SafeExec helper
+## Capturing subprocess output
 
-`Landlock::SafeExec.capture` runs a command through the compiled `landlock-safe-exec` helper. The helper applies Landlock rules, resource limits, and an optional seccomp network-deny filter in the execing process before replacing itself with the target command. This keeps the privileged setup out of Ruby/FFI and avoids running Ruby code in a post-fork child. Use `capture!` when unsuccessful exit statuses should raise.
-
-For example, inspect an uploaded video with `ffprobe` while only allowing reads from the upload and system runtime paths, denying network access, and bounding CPU/output:
+`Landlock.capture` is the stdout/stderr-capturing sibling of `Landlock.exec`: it launches a child process, applies Landlock rules, resource limits, and the optional seccomp network-deny filter before the target command starts, then execs that command directly. When the packaged `landlock-safe-exec` helper is available, `exec`, `spawn`, and `capture` all spawn that small native helper with policy arguments so the parent does not need to fork a bloated Ruby process; they fall back to the Ruby fork path when the helper cannot be used or when an unusually large helper argv would exceed the platform `ARG_MAX`. Environment changes are applied by Ruby when spawning the helper rather than encoded in helper argv. Use `capture!` when unsuccessful exit statuses should raise.
 
 ```ruby
-result = Landlock::SafeExec.capture(
-  "ffprobe",
-  "-v", "error",
-  "-show_format",
-  "-show_streams",
-  "-of", "json",
-  upload_path,
-  read: [upload_path, *Landlock::SafeExec.default_read_paths],
-  execute: Landlock::SafeExec.default_execute_paths,
+result = Landlock.capture(
+  ["ffprobe", "-v", "error", "-show_format", "-of", "json", upload_path],
+  read: [upload_path, "/usr", "/lib", "/lib64", "/etc"].select { |path| File.exist?(path) },
+  execute: ["/usr", "/lib", "/lib64"].select { |path| File.exist?(path) },
   env: { "PATH" => ENV.fetch("PATH", "") },
+  unsetenv_others: true,
   rlimits: {
     cpu_seconds: 5,
     memory_bytes: 512 * 1024 * 1024,
@@ -98,45 +92,46 @@ result = Landlock::SafeExec.capture(
 metadata = JSON.parse(result.stdout) if result.success?
 ```
 
-Pass `stdin:` when a tool should read from standard input instead of a file:
+`Landlock.capture` takes the command as a single argv array, like `Landlock.exec`. It returns a `Landlock::CaptureResult` with `stdout`, `stderr`, `status`, `success?`, `timed_out?`, and `output_truncated?`, including for unsuccessful exit statuses. It also supports array destructuring:
 
 ```ruby
-stdout, stderr, status = Landlock::SafeExec.capture(
-  "tr", "a-z", "A-Z",
-  stdin: "hello",
-  env: { "PATH" => ENV.fetch("PATH", "") }
+stdout, stderr, status = Landlock.capture(
+  ["tool", "arg"],
+  read: ["/usr", "/lib", "/lib64", "/etc"].select { |path| File.exist?(path) },
+  execute: ["/usr", "/lib", "/lib64"].select { |path| File.exist?(path) }
 )
 ```
 
-`capture` returns a `Landlock::SafeExec::Result` with `stdout`, `stderr`, `status`, `success?`, `timed_out?`, and `output_truncated?`, including for unsuccessful exit statuses. It also supports array destructuring:
+`Landlock.capture!` has the same return shape for successful commands, but raises `Landlock::CommandError` for unsuccessful statuses. The error also exposes `stdout`, `stderr`, `status`, and `result`.
+
+`Landlock.capture` requires an actual restriction: provide Landlock rules, `seccomp_deny_network: true`, or `rlimits:`. This avoids accidentally running a command completely unsandboxed when a dynamically built policy is empty. It also requires Linux Landlock support and raises `Landlock::UnsupportedError` when unavailable; it does not fall back to running the command unsandboxed.
+
+Pass `stdin:` when a tool should read from standard input instead of a file:
 
 ```ruby
-stdout, stderr, status = Landlock::SafeExec.capture("tool", "arg")
+stdout, stderr, status = Landlock.capture(
+  ["tr", "a-z", "A-Z"],
+  stdin: "hello",
+  rlimits: { open_files: 64 }
+)
 ```
 
-`capture!` has the same return shape for successful commands, but raises `Landlock::SafeExec::CommandError` for unsuccessful statuses. The error also exposes `stdout`, `stderr`, `status`, and `result`.
-
-SafeExec options:
+Capture options:
 
 - `read:`, `write:`, `execute:` — filesystem allowlists. Explicit paths must exist; missing paths raise `ArgumentError` instead of being silently ignored.
-- `connect_tcp:` — allowed outbound TCP ports. If omitted on Landlock ABI v4+, SafeExec denies outbound TCP by installing a dummy allow rule for port `0`. Pass `connect_tcp: []` to leave outbound TCP unrestricted.
-- `bind_tcp:` — allowed TCP bind ports. Binding is unrestricted unless this is provided.
+- `paths:` — exact path rules with explicit Landlock rights, e.g. `{ path:, rights: %i[read_file] }`.
+- `connect_tcp:` and `bind_tcp:` — allowed TCP ports. TCP access is unrestricted unless a network rule is provided.
+- `scope:` — Landlock ABI v6+ scopes such as `:signal` and `:abstract_unix_socket`.
 - `seccomp_deny_network:` — additionally deny common Linux network syscalls with seccomp. This is Linux-specific and intended as defense in depth.
 - `rlimits:` — resource limits. Supported keys are `:cpu_seconds`, `:memory_bytes`, `:file_size_bytes`, `:open_files`, and `:processes`. Values must be non-negative integers.
-- `timeout:` — wall-clock timeout in seconds. On timeout SafeExec terminates the process group and returns/raises with `result.timed_out?` true.
-- `max_output_bytes:` — combined stdout+stderr byte limit. With `truncate_output: false`, exceeding the limit raises. With `truncate_output: true`, output is truncated and `result.output_truncated?` is true.
+- `timeout:` — wall-clock timeout in seconds. On timeout capture terminates the process group and returns/raises with `result.timed_out?` true.
+- `max_output_bytes:` — combined stdout+stderr byte limit. With `truncate_output: false`, exceeding the limit raises `Landlock::CommandError` with the partial output captured before termination. With `truncate_output: true`, output is truncated and `result.output_truncated?` is true.
 - `stdin:` — string or IO-like object to write to the child process stdin.
 - `chdir:` — working directory for the child.
-- `env:` — exact child environment by default.
-- `inherit_env:` — when true, inherit the parent environment and apply `env:` as overrides.
-- `success_status_codes:` — status codes considered successful by `capture!`; defaults to `[0]`.
-- `allow_all_known:` — when filesystem rules are present, handle all Landlock filesystem rights known to the running ABI so unlisted filesystem access is denied. Defaults to `true`.
-
-SafeExec uses an exact environment by default: `env:` is the full environment passed to the child, not additions to the parent environment. Use `inherit_env: true` when a command really needs the parent environment plus the supplied `env:` overrides.
-
-Use `Landlock::SafeExec.supported?` (or `sandboxing?`) to check whether the Linux helper and Landlock are available. When this is false, SafeExec still runs commands in pass-through mode but does not enforce Landlock/seccomp sandbox options.
-
-On non-Linux platforms, or when the compiled helper is unavailable, SafeExec runs as a pass-through compatibility wrapper. Process-management features such as capture, timeout, environment handling, `chdir:`, output limits, `stdin:`, and supported `rlimits:` still apply, but Landlock and seccomp options (`read:`, `write:`, `execute:`, `connect_tcp:`, `bind_tcp:`, `seccomp_deny_network:`) are ignored and a warning is emitted. This makes cross-platform integration easier while keeping the security guarantees explicit: sandboxing is Linux-only.
+- `env:` — environment entries for the child.
+- `unsetenv_others:` — clear the parent environment before applying `env:`.
+- `success_status_codes:` and `failure_message:` — `capture!` failure handling options.
+- `allow_all_known:` — when filesystem rules are present, handle all Landlock filesystem rights known to the running ABI so unlisted filesystem access is denied.
 
 ## Restrict current process
 
@@ -202,12 +197,16 @@ Treat small positive or negative deltas as noise and benchmark on the kernel, fi
 
 ## Caveats
 
-Landlock is not a complete container. It does not impose CPU/memory limits, hide already-open file descriptors, or replace seccomp/namespaces/cgroups. For serious untrusted execution, combine it with a controlled environment, `close_others`, resource limits, and preferably process isolation.
+Landlock is not a complete container. It restricts selected kernel-mediated actions for the current thread and its future descendants, but it does not create namespaces, hide process IDs, virtualize the filesystem, or isolate the process from every kernel interface. For serious untrusted execution, combine Landlock with a controlled environment, resource limits, seccomp, and process isolation appropriate to your threat model.
+
+`Landlock.restrict!` only installs a Landlock ruleset. It does not close already-open file descriptors, impose resource limits, clean the environment, or kill subprocess trees. The subprocess helpers add practical hardening around this: `exec`/`spawn` add controlled environments and `close_others`, while `capture` also adds optional `rlimits:`, optional `seccomp_deny_network:`, output limits, timeout handling, and process-group termination. This is still not a VM/container boundary. By default, subprocess helpers close inherited file descriptors numbered 3 and higher before installing the sandbox; pass `close_others: false` only when the child intentionally needs inherited descriptors. Direct `landlock-safe-exec` use also closes inherited descriptors by default.
+
+When the native helper is used, sandbox policy details such as allowed paths, TCP ports, scopes, rights, and rlimits are passed as helper argv. They may be visible to same-user processes through tools such as `ps` or `/proc/<pid>/cmdline` until the helper execs the target command. Environment values passed with `env:` are not encoded in helper argv, but do not put secrets in policy path names or other policy arguments.
 
-If a child fails during sandbox setup or `exec`, the helpers print a diagnostic and the child exits 127. That code can collide with a command that legitimately exits 127; unsupported kernels are checked before forking so they raise `Landlock::UnsupportedError` synchronously instead.
+If `Landlock.exec`, `Landlock.spawn`, or `Landlock.capture` child setup fails before `exec`, the child prints a diagnostic and exits 127. `landlock-safe-exec` setup/argument failures exit 126. These codes can collide with commands that legitimately exit with the same status, so inspect stderr when debugging failures.
 
-Path rules follow the kernel's normal path resolution when the rule is installed. Because paths are opened without `O_NOFOLLOW`, a symlink rule applies to the symlink target's inode, not to the symlink path itself.
+Path rules follow the kernel's normal path resolution when the rule is installed. Because paths are opened without `O_NOFOLLOW`, a symlink rule applies to the symlink target's inode, not to the symlink path itself. Capture APIs validate explicit `read:`, `write:`, and `execute:` paths before launching so typos fail closed instead of silently weakening a policy.
 
-Landlock only restricts access rights included in a ruleset's handled set: omitted categories remain allowed. Use `allow_all_known: true` when you want unlisted filesystem actions denied. The high-level helpers handle the categories you pass (`read`, `write`, `execute`, `connect_tcp`, `bind_tcp`, `scope`). Landlock's TCP rules do not cover UDP or pathname Unix-domain sockets; ABI v6+ scopes can restrict signals and abstract Unix-domain sockets.
+Landlock only restricts access rights included in a ruleset's handled set: omitted categories remain allowed. Use `allow_all_known: true` when you want unlisted filesystem actions denied. Landlock TCP rules do not cover UDP or pathname Unix-domain sockets; ABI v6+ scopes can restrict signals and abstract Unix-domain sockets. `seccomp_deny_network:` is Linux-specific defense in depth for common network syscalls, not a general-purpose seccomp policy language.
 
-`Landlock.restrict!` applies to the calling thread and its future children; already-running sibling threads are not retroactively sandboxed. Prefer `Landlock.exec` or `Landlock.spawn` for subprocess sandboxing from a larger Ruby application.
+`Landlock.restrict!` applies to the calling thread and its future children; already-running sibling threads are not retroactively sandboxed. Prefer `Landlock.capture`, `Landlock.exec`, or `Landlock.spawn` for subprocess sandboxing from a larger Ruby application.

data/benchmark/landlock_overhead.rb

@@ -71,9 +71,7 @@ module LandlockBench
 
   def run_child(payload)
     stdout, stderr, status = Open3.capture3(*child_command(payload), chdir: ROOT)
-    unless status.success?
-      abort "bench child failed (#{status.exitstatus})\nSTDOUT:\n#{stdout}\nSTDERR:\n#{stderr}"
-    end
+    abort "bench child failed (#{status.exitstatus})\nSTDOUT:\n#{stdout}\nSTDERR:\n#{stderr}" unless status.success?
 
     JSON.parse(stdout)
   end
@@ -91,8 +89,8 @@ module LandlockBench
         mode: "workloads",
         iterations: DEFAULT_ITERATIONS,
         dir_iterations: DIR_ITERATIONS,
-        read_paths: read_paths,
-        workspace: workspace
+        read_paths:,
+        workspace:
       }
 
       baseline = collect_samples(DEFAULT_SAMPLES) { run_child(common.merge(sandbox: false)) }
@@ -104,9 +102,7 @@ module LandlockBench
       end
 
       sandbox = collect_samples(DEFAULT_SAMPLES) { run_child(common.merge(sandbox: true)) }
-      setup = collect_samples(SETUP_SAMPLES) do
-        run_child(mode: "setup", read_paths: read_paths).fetch("setup_ns")
-      end
+      setup = collect_samples(SETUP_SAMPLES) { run_child(mode: "setup", read_paths:).fetch("setup_ns") }
 
       print_workload_table(baseline, sandbox)
       puts
@@ -132,14 +128,7 @@ module LandlockBench
         locked = median(sandbox.map { |sample| sample.fetch(name) })
         delta = locked - base
         pct = base.positive? ? (delta.to_f / base * 100.0) : 0.0
-        puts format(
-          "%-12s %14s %14s %12s %9.2f%%",
-          name,
-          format_ms(base),
-          format_ms(locked),
-          format_ms(delta),
-          pct
-        )
+        puts format("%-12s %14s %14s %12s %9.2f%%", name, format_ms(base), format_ms(locked), format_ms(delta), pct)
       else
         puts format("%-12s %14s %14s %12s %10s", name, format_ms(base), "n/a", "n/a", "n/a")
       end
@@ -185,20 +174,10 @@ module LandlockBench
 
     GC.disable
     {
-      "cpu_loop" => measure do
-        iterations.times { |index| sink ^= ((index * 31) & 0xffff) }
-      end,
-      "file_stat" => measure do
-        iterations.times { sink ^= File.stat(file).size }
-      end,
-      "file_read" => measure do
-        iterations.times { sink ^= File.binread(file).bytesize }
-      end,
-      "dir_scan" => measure do
-        dir_iterations.times do
-          Dir.foreach(entries) { |entry| sink ^= entry.bytesize }
-        end
-      end
+      "cpu_loop" => measure { iterations.times { |index| sink ^= ((index * 31) & 0xffff) } },
+      "file_stat" => measure { iterations.times { sink ^= File.stat(file).size } },
+      "file_read" => measure { iterations.times { sink ^= File.binread(file).bytesize } },
+      "dir_scan" => measure { dir_iterations.times { Dir.foreach(entries) { |entry| sink ^= entry.bytesize } } }
     }.merge("sink" => sink)
   ensure
     GC.enable