Sandbox: Add a linux landlock implementation

Michael du Breuil · Michael du Breuil · commit 3c5259ee94c1 · 2025-06-14T11:48:06.000-06:00
diff --git a/cmd/gonic/gonic.go b/cmd/gonic/gonic.go
@@ -52,7 +52,7 @@ import (
 )
 
 func main() {
-	sandbox.Init()
+	sandbox := sandbox.Init()
 	confListenAddr := flag.String("listen-addr", "0.0.0.0:4747", "listen address (optional)")
 
 	confTLSCert := flag.String("tls-cert", "", "path to TLS certificate (optional)")
@@ -102,7 +102,7 @@ func main() {
 	flagconf.ParseEnv()
 
 	if *confConfigPath != "" {
-		sandbox.ReadOnlyPath(*confConfigPath)
+		sandbox.ReadOnlyFile(*confConfigPath)
 		flagconf.ParseConfig(*confConfigPath)
 	}
 
@@ -121,21 +121,21 @@ func main() {
 
 	var err error
 	for i, confMusicPath := range confMusicPaths {
-		sandbox.ReadOnlyPath(confMusicPath.path)
+		sandbox.ReadOnlyDir(confMusicPath.path)
 		if confMusicPaths[i].path, err = validatePath(confMusicPath.path); err != nil {
 			log.Fatalf("checking music dir %q: %v", confMusicPath.path, err)
 		}
 	}
 
-	sandbox.ReadWriteCreatePath(*confPodcastPath)
+	sandbox.ReadWriteCreateDir(*confPodcastPath)
 	if *confPodcastPath, err = validatePath(*confPodcastPath); err != nil {
 		log.Fatalf("checking podcast directory: %v", err)
 	}
-	sandbox.ReadWriteCreatePath(*confCachePath)
+	sandbox.ReadWriteCreateDir(*confCachePath)
 	if *confCachePath, err = validatePath(*confCachePath); err != nil {
 		log.Fatalf("checking cache directory: %v", err)
 	}
-	sandbox.ReadWriteCreatePath(*confPlaylistsPath)
+	sandbox.ReadWriteCreateDir(*confPlaylistsPath)
 	if *confPlaylistsPath, err = validatePath(*confPlaylistsPath); err != nil {
 		log.Fatalf("checking playlist directory: %v", err)
 	}
@@ -149,7 +149,7 @@ func main() {
 		log.Fatalf("couldn't create covers cache path: %v\n", err)
 	}
 
-	dbc, err := db.New(*confDBPath, db.DefaultOptions())
+	dbc, err := db.New(*confDBPath, sandbox, db.DefaultOptions())
 	if err != nil {
 		log.Fatalf("error opening database: %v\n", err)
 	}
@@ -161,14 +161,15 @@ func main() {
 		OriginalMusicPath: confMusicPaths[0].path,
 		PlaylistsPath:     *confPlaylistsPath,
 		PodcastsPath:      *confPodcastPath,
+		Sandbox:           sandbox,
 	})
 	if err != nil {
 		log.Panicf("error migrating database: %v\n", err)
 	}
 
 	if *confTLSCert != "" && *confTLSKey != "" {
-		sandbox.ReadOnlyPath(*confTLSCert)
-		sandbox.ReadOnlyPath(*confTLSKey)
+		sandbox.ReadOnlyFile(*confTLSCert)
+		sandbox.ReadOnlyFile(*confTLSKey)
 	}
 
 	sandbox.AllPathsAdded()
diff --git a/db/db.go b/db/db.go
@@ -44,16 +44,16 @@ type DB struct {
 	*gorm.DB
 }
 
-func New(path string, options url.Values) (*DB, error) {
+func New(path string, sandbox sandbox.Sandbox, options url.Values) (*DB, error) {
 	// https://github.com/mattn/go-sqlite3#connection-string
 	url := url.URL{
 		Scheme: "file",
 		Opaque: path,
 	}
-	sandbox.ReadWriteCreatePath(path)
-	sandbox.ReadWriteCreatePath(path + "-wal")
-	sandbox.ReadWriteCreatePath(path + "-shm")
-	sandbox.ReadWriteCreatePath(path + "-journal")
+	sandbox.ReadWriteCreateFile(path)
+	sandbox.ReadWriteCreateFile(path + "-wal")
+	sandbox.ReadWriteCreateFile(path + "-shm")
+	sandbox.ReadWriteCreateFile(path + "-journal")
 	url.RawQuery = options.Encode()
 	db, err := gorm.Open("sqlite3", url.String())
 	if err != nil {
@@ -65,7 +65,7 @@ func New(path string, options url.Values) (*DB, error) {
 }
 
 func NewMock() (*DB, error) {
-	return New(":memory:", mockOptions())
+	return New(":memory:", sandbox.Init(), mockOptions())
 }
 
 func (db *DB) InsertBulkLeftMany(table string, head []string, left int, col []int) error {
@@ -628,7 +628,7 @@ func join[T fmt.Stringer](in []T, sep string) string {
 }
 
 func Dump(ctx context.Context, db *gorm.DB, to string) error {
-	dest, err := New(to, url.Values{})
+	dest, err := New(to, sandbox.Init(), url.Values{})
 	if err != nil {
 		return fmt.Errorf("create dest db: %w", err)
 	}
diff --git a/db/migrations.go b/db/migrations.go
@@ -25,6 +25,7 @@ type MigrationContext struct {
 	OriginalMusicPath string
 	PlaylistsPath     string
 	PodcastsPath      string
+	Sandbox           sandbox.Sandbox
 }
 
 func (db *DB) Migrate(ctx MigrationContext) error {
@@ -742,7 +743,7 @@ func backupDBPre016(tx *gorm.DB, ctx MigrationContext) error {
 		return nil
 	}
 	backupPath := fmt.Sprintf("%s.%d.bak", ctx.DBPath, time.Now().Unix())
-	sandbox.ReadWriteCreatePath(backupPath)
+	ctx.Sandbox.ReadWriteCreateFile(backupPath)
 	return Dump(context.Background(), tx, backupPath)
 }
 
diff --git a/go.mod b/go.mod
@@ -48,6 +48,7 @@ require (
 	github.com/jinzhu/now v1.1.2 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/landlock-lsm/go-landlock v0.0.0-20250303204525-1544bccde3a3 // indirect
 	github.com/lib/pq v1.3.0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
@@ -62,9 +63,10 @@ require (
 	github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf // indirect
 	golang.org/x/crypto v0.27.0 // indirect
 	golang.org/x/image v0.20.0 // indirect
-	golang.org/x/sys v0.25.0 // indirect
+	golang.org/x/sys v0.26.0 // indirect
 	golang.org/x/text v0.18.0 // indirect
 	gopkg.in/natefinch/npipe.v2 v2.0.0-20160621034901-c1b8fa8bdcce // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
+	kernel.org/pub/linux/libs/security/libcap/psx v1.2.70 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -85,6 +85,8 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/landlock-lsm/go-landlock v0.0.0-20250303204525-1544bccde3a3 h1:zcMi8R8vP0WrrXlFMNUBpDy/ydo3sTnCcUPowq1XmSc=
+github.com/landlock-lsm/go-landlock v0.0.0-20250303204525-1544bccde3a3/go.mod h1:RSub3ourNF8Hf+swvw49Catm3s7HVf4hzdFxDUnEzdA=
 github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.1.1/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.3.0 h1:/qkRGz8zljWiDcFvgpwUpwIAPu3r07TDvs3Rws+o/pU=
@@ -184,6 +186,8 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
 golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
+golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -216,3 +220,5 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 jaytaylor.com/html2text v0.0.0-20230321000545-74c2419ad056 h1:6YFJoB+0fUH6X3xU/G2tQqCYg+PkGtnZ5nMR5rpw72g=
 jaytaylor.com/html2text v0.0.0-20230321000545-74c2419ad056/go.mod h1:OxvTsCwKosqQ1q7B+8FwXqg4rKZ/UG9dUW+g/VL2xH4=
+kernel.org/pub/linux/libs/security/libcap/psx v1.2.70 h1:HsB2G/rEQiYyo1bGoQqHZ/Bvd6x1rERQTNdPr1FyWjI=
+kernel.org/pub/linux/libs/security/libcap/psx v1.2.70/go.mod h1:+l6Ee2F59XiJ2I6WR5ObpC1utCQJZ/VLsEbQCD8RG24=
diff --git a/sandbox/none.go b/sandbox/none.go
@@ -1,18 +1,21 @@
-//go:build !openbsd
+//go:build !(openbsd || linux)
 // +build !openbsd
 
 package sandbox
 
 func Init() {
 }
 
-func ReadOnlyPath(path string) {
+func ReadOnlyDir(path string) {
 }
 
-func ReadWritePath(path string) {
+func ReadOnlyFile(path string) {
 }
 
-func ReadWriteCreatePath(path string) {
+func ReadWriteCreateDir(path string) {
+}
+
+func ReadWriteCreateFile(path string) {
 }
 
 func AllPathsAdded() {
diff --git a/sandbox/sandbox_linux.go b/sandbox/sandbox_linux.go
@@ -0,0 +1,54 @@
+package sandbox
+
+import (
+	"github.com/landlock-lsm/go-landlock/landlock"
+	"log"
+	"os"
+)
+
+type Sandbox struct {
+	paths []landlock.Rule
+}
+
+func Init() Sandbox {
+	return Sandbox{make([]landlock.Rule, 0)}
+}
+
+func (box *Sandbox) ExecPath(path string) {
+	// landlock does not currently provide anything for us here
+}
+
+func (box *Sandbox) ReadOnlyDir(path string) {
+	box.paths = append(box.paths, landlock.RODirs(path))
+}
+
+func (box *Sandbox) ReadOnlyFile(path string) {
+	box.paths = append(box.paths, landlock.ROFiles(path))
+}
+
+func (box *Sandbox) ReadWriteCreateDir(path string) {
+	box.paths = append(box.paths, landlock.RWDirs(path))
+}
+
+func (box *Sandbox) ReadWriteCreateFile(path string) {
+	// landlock requires the file to already exist
+	// so create it if it wasn't already present
+	_, err := os.Stat(path)
+	switch {
+	case os.IsNotExist(err):
+		file, err := os.Create(path)
+		if err != nil {
+			log.Fatal("Could not create file for landlock:", err)
+		} else {
+			file.Close()
+		}
+	}
+	box.paths = append(box.paths, landlock.RWFiles(path))
+}
+
+func (box *Sandbox) AllPathsAdded() {
+	if err := landlock.V5.BestEffort().RestrictPaths(box.paths...); err != nil {
+		log.Fatal("Could not enable landlock:", err)
+	}
+	// FIXME: clear paths
+}
diff --git a/sandbox/sandbox_openbsd.go b/sandbox/sandbox_openbsd.go
@@ -29,7 +29,7 @@ func Init() {
 		}
 	}
 	// needed to enable certificate validation
-	ReadOnlyPath("/etc/ssl/cert.pem")
+	ReadOnlyFile("/etc/ssl/cert.pem")
 }
 
 func ExecPath(path string) {
@@ -38,19 +38,25 @@ func ExecPath(path string) {
 	}
 }
 
-func ReadOnlyPath(path string) {
+func ReadOnlyDir(path string) {
 	if err := unix.Unveil(path, "r"); err != nil {
 		log.Fatalf("failed to unveil read for %s: %v", path, err)
 	}
 }
 
-func ReadWritePath(path string) {
-	if err := unix.Unveil(path, "rw"); err != nil {
-		log.Fatalf("failed to unveil read/write for %s: %v", path, err)
+func ReadOnlyFile(path string) {
+	if err := unix.Unveil(path, "r"); err != nil {
+		log.Fatalf("failed to unveil read for %s: %v", path, err)
+	}
+}
+
+func ReadWriteCreateDir(path string) {
+	if err := unix.Unveil(path, "rwc"); err != nil {
+		log.Fatalf("failed to unveil read/write/create for %s: %v", path, err)
 	}
 }
 
-func ReadWriteCreatePath(path string) {
+func ReadWriteCreateFile(path string) {
 	if err := unix.Unveil(path, "rwc"); err != nil {
 		log.Fatalf("failed to unveil read/write/create for %s: %v", path, err)
 	}

Original file line number	Diff line number	Diff line change
`@@ -52,7 +52,7 @@ import (`
`52`	`52`	`)`
`53`	`53`
`54`	`54`	`func main() {`
`55`		`- sandbox.Init()`
	`55`	`+ sandbox := sandbox.Init()`
`56`	`56`	`confListenAddr := flag.String("listen-addr", "0.0.0.0:4747", "listen address (optional)")`
`57`	`57`
`58`	`58`	`confTLSCert := flag.String("tls-cert", "", "path to TLS certificate (optional)")`
`@@ -102,7 +102,7 @@ func main() {`
`102`	`102`	`flagconf.ParseEnv()`
`103`	`103`
`104`	`104`	`if *confConfigPath != "" {`
`105`		`- sandbox.ReadOnlyPath(*confConfigPath)`
	`105`	`+ sandbox.ReadOnlyFile(*confConfigPath)`
`106`	`106`	`flagconf.ParseConfig(*confConfigPath)`
`107`	`107`	`}`
`108`	`108`
`@@ -121,21 +121,21 @@ func main() {`
`121`	`121`
`122`	`122`	`var err error`
`123`	`123`	`for i, confMusicPath := range confMusicPaths {`
`124`		`- sandbox.ReadOnlyPath(confMusicPath.path)`
	`124`	`+ sandbox.ReadOnlyDir(confMusicPath.path)`
`125`	`125`	`if confMusicPaths[i].path, err = validatePath(confMusicPath.path); err != nil {`
`126`	`126`	`log.Fatalf("checking music dir %q: %v", confMusicPath.path, err)`
`127`	`127`	`}`
`128`	`128`	`}`
`129`	`129`
`130`		`- sandbox.ReadWriteCreatePath(*confPodcastPath)`
	`130`	`+ sandbox.ReadWriteCreateDir(*confPodcastPath)`
`131`	`131`	`if confPodcastPath, err = validatePath(confPodcastPath); err != nil {`
`132`	`132`	`log.Fatalf("checking podcast directory: %v", err)`
`133`	`133`	`}`
`134`		`- sandbox.ReadWriteCreatePath(*confCachePath)`
	`134`	`+ sandbox.ReadWriteCreateDir(*confCachePath)`
`135`	`135`	`if confCachePath, err = validatePath(confCachePath); err != nil {`
`136`	`136`	`log.Fatalf("checking cache directory: %v", err)`
`137`	`137`	`}`
`138`		`- sandbox.ReadWriteCreatePath(*confPlaylistsPath)`
	`138`	`+ sandbox.ReadWriteCreateDir(*confPlaylistsPath)`
`139`	`139`	`if confPlaylistsPath, err = validatePath(confPlaylistsPath); err != nil {`
`140`	`140`	`log.Fatalf("checking playlist directory: %v", err)`
`141`	`141`	`}`
`@@ -149,7 +149,7 @@ func main() {`
`149`	`149`	`log.Fatalf("couldn't create covers cache path: %v\n", err)`
`150`	`150`	`}`
`151`	`151`
`152`		`- dbc, err := db.New(*confDBPath, db.DefaultOptions())`
	`152`	`+ dbc, err := db.New(*confDBPath, sandbox, db.DefaultOptions())`
`153`	`153`	`if err != nil {`
`154`	`154`	`log.Fatalf("error opening database: %v\n", err)`
`155`	`155`	`}`
`@@ -161,14 +161,15 @@ func main() {`
`161`	`161`	`OriginalMusicPath: confMusicPaths[0].path,`
`162`	`162`	`PlaylistsPath: *confPlaylistsPath,`
`163`	`163`	`PodcastsPath: *confPodcastPath,`
	`164`	`+ Sandbox: sandbox,`
`164`	`165`	`})`
`165`	`166`	`if err != nil {`
`166`	`167`	`log.Panicf("error migrating database: %v\n", err)`
`167`	`168`	`}`
`168`	`169`
`169`	`170`	`if confTLSCert != "" && confTLSKey != "" {`
`170`		`- sandbox.ReadOnlyPath(*confTLSCert)`
`171`		`- sandbox.ReadOnlyPath(*confTLSKey)`
	`171`	`+ sandbox.ReadOnlyFile(*confTLSCert)`
	`172`	`+ sandbox.ReadOnlyFile(*confTLSKey)`
`172`	`173`	`}`
`173`	`174`
`174`	`175`	`sandbox.AllPathsAdded()`
Original file line number	Diff line number	Diff line change
`@@ -44,16 +44,16 @@ type DB struct {`
`44`	`44`	`*gorm.DB`
`45`	`45`	`}`
`46`	`46`
`47`		`-func New(path string, options url.Values) (*DB, error) {`
	`47`	`+func New(path string, sandbox sandbox.Sandbox, options url.Values) (*DB, error) {`
`48`	`48`	`// https://github.com/mattn/go-sqlite3#connection-string`
`49`	`49`	`url := url.URL{`
`50`	`50`	`Scheme: "file",`
`51`	`51`	`Opaque: path,`
`52`	`52`	`}`
`53`		`- sandbox.ReadWriteCreatePath(path)`
`54`		`- sandbox.ReadWriteCreatePath(path + "-wal")`
`55`		`- sandbox.ReadWriteCreatePath(path + "-shm")`
`56`		`- sandbox.ReadWriteCreatePath(path + "-journal")`
	`53`	`+ sandbox.ReadWriteCreateFile(path)`
	`54`	`+ sandbox.ReadWriteCreateFile(path + "-wal")`
	`55`	`+ sandbox.ReadWriteCreateFile(path + "-shm")`
	`56`	`+ sandbox.ReadWriteCreateFile(path + "-journal")`
`57`	`57`	`url.RawQuery = options.Encode()`
`58`	`58`	`db, err := gorm.Open("sqlite3", url.String())`
`59`	`59`	`if err != nil {`
`@@ -65,7 +65,7 @@ func New(path string, options url.Values) (*DB, error) {`
`65`	`65`	`}`
`66`	`66`
`67`	`67`	`func NewMock() (*DB, error) {`
`68`		`- return New(":memory:", mockOptions())`
	`68`	`+ return New(":memory:", sandbox.Init(), mockOptions())`
`69`	`69`	`}`
`70`	`70`
`71`	`71`	`func (db *DB) InsertBulkLeftMany(table string, head []string, left int, col []int) error {`
`@@ -628,7 +628,7 @@ func join[T fmt.Stringer](in []T, sep string) string {`
`628`	`628`	`}`
`629`	`629`
`630`	`630`	`func Dump(ctx context.Context, db *gorm.DB, to string) error {`
`631`		`- dest, err := New(to, url.Values{})`
	`631`	`+ dest, err := New(to, sandbox.Init(), url.Values{})`
`632`	`632`	`if err != nil {`
`633`	`633`	`return fmt.Errorf("create dest db: %w", err)`
`634`	`634`	`}`
Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,7 @@ type MigrationContext struct {`
`25`	`25`	`OriginalMusicPath string`
`26`	`26`	`PlaylistsPath string`
`27`	`27`	`PodcastsPath string`
	`28`	`+ Sandbox sandbox.Sandbox`
`28`	`29`	`}`
`29`	`30`
`30`	`31`	`func (db *DB) Migrate(ctx MigrationContext) error {`
`@@ -742,7 +743,7 @@ func backupDBPre016(tx *gorm.DB, ctx MigrationContext) error {`
`742`	`743`	`return nil`
`743`	`744`	`}`
`744`	`745`	`backupPath := fmt.Sprintf("%s.%d.bak", ctx.DBPath, time.Now().Unix())`
`745`		`- sandbox.ReadWriteCreatePath(backupPath)`
	`746`	`+ ctx.Sandbox.ReadWriteCreateFile(backupPath)`
`746`	`747`	`return Dump(context.Background(), tx, backupPath)`
`747`	`748`	`}`
`748`	`749`
Original file line number	Diff line number	Diff line change
`@@ -1,18 +1,21 @@`
`1`		`-//go:build !openbsd`
	`1`	`+//go:build !(openbsd \|\| linux)`
`2`	`2`	`// +build !openbsd`
`3`	`3`
`4`	`4`	`package sandbox`
`5`	`5`
`6`	`6`	`func Init() {`
`7`	`7`	`}`
`8`	`8`
`9`		`-func ReadOnlyPath(path string) {`
	`9`	`+func ReadOnlyDir(path string) {`
`10`	`10`	`}`
`11`	`11`
`12`		`-func ReadWritePath(path string) {`
	`12`	`+func ReadOnlyFile(path string) {`
`13`	`13`	`}`
`14`	`14`
`15`		`-func ReadWriteCreatePath(path string) {`
	`15`	`+func ReadWriteCreateDir(path string) {`
	`16`	`+}`
	`17`	`+`
	`18`	`+func ReadWriteCreateFile(path string) {`
`16`	`19`	`}`
`17`	`20`
`18`	`21`	`func AllPathsAdded() {`
Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ func Init() {`
`29`	`29`	`}`
`30`	`30`	`}`
`31`	`31`	`// needed to enable certificate validation`
`32`		`- ReadOnlyPath("/etc/ssl/cert.pem")`
	`32`	`+ ReadOnlyFile("/etc/ssl/cert.pem")`
`33`	`33`	`}`
`34`	`34`
`35`	`35`	`func ExecPath(path string) {`
`@@ -38,19 +38,25 @@ func ExecPath(path string) {`
`38`	`38`	`}`
`39`	`39`	`}`
`40`	`40`
`41`		`-func ReadOnlyPath(path string) {`
	`41`	`+func ReadOnlyDir(path string) {`
`42`	`42`	`if err := unix.Unveil(path, "r"); err != nil {`
`43`	`43`	`log.Fatalf("failed to unveil read for %s: %v", path, err)`
`44`	`44`	`}`
`45`	`45`	`}`
`46`	`46`
`47`		`-func ReadWritePath(path string) {`
`48`		`- if err := unix.Unveil(path, "rw"); err != nil {`
`49`		`- log.Fatalf("failed to unveil read/write for %s: %v", path, err)`
	`47`	`+func ReadOnlyFile(path string) {`
	`48`	`+ if err := unix.Unveil(path, "r"); err != nil {`
	`49`	`+ log.Fatalf("failed to unveil read for %s: %v", path, err)`
	`50`	`+ }`
	`51`	`+}`
	`52`	`+`
	`53`	`+func ReadWriteCreateDir(path string) {`
	`54`	`+ if err := unix.Unveil(path, "rwc"); err != nil {`
	`55`	`+ log.Fatalf("failed to unveil read/write/create for %s: %v", path, err)`
`50`	`56`	`}`
`51`	`57`	`}`
`52`	`58`
`53`		`-func ReadWriteCreatePath(path string) {`
	`59`	`+func ReadWriteCreateFile(path string) {`
`54`	`60`	`if err := unix.Unveil(path, "rwc"); err != nil {`
`55`	`61`	`log.Fatalf("failed to unveil read/write/create for %s: %v", path, err)`
`56`	`62`	`}`