Sandbox: Add a linux landlock implementation

Author: Michael du Breuil

cmd/gonic/gonic.go

@@ -52,7 +52,7 @@ import (
 )
 
 func main() {
-	sandbox.Init()
+	sandbox := sandbox.Init()
 	confListenAddr := flag.String("listen-addr", "0.0.0.0:4747", "listen address (optional)")
 
 	confTLSCert := flag.String("tls-cert", "", "path to TLS certificate (optional)")
@@ -102,7 +102,7 @@ func main() {
 	flagconf.ParseEnv()
 
 	if *confConfigPath != "" {
-		sandbox.ReadOnlyPath(*confConfigPath)
+		sandbox.ReadOnlyFile(*confConfigPath)
 		flagconf.ParseConfig(*confConfigPath)
 	}
 
@@ -121,21 +121,21 @@ func main() {
 
 	var err error
 	for i, confMusicPath := range confMusicPaths {
-		sandbox.ReadOnlyPath(confMusicPath.path)
+		sandbox.ReadOnlyDir(confMusicPath.path)
 		if confMusicPaths[i].path, err = validatePath(confMusicPath.path); err != nil {
 			log.Fatalf("checking music dir %q: %v", confMusicPath.path, err)
 		}
 	}
 
-	sandbox.ReadWriteCreatePath(*confPodcastPath)
+	sandbox.ReadWriteCreateDir(*confPodcastPath)
 	if *confPodcastPath, err = validatePath(*confPodcastPath); err != nil {
 		log.Fatalf("checking podcast directory: %v", err)
 	}
-	sandbox.ReadWriteCreatePath(*confCachePath)
+	sandbox.ReadWriteCreateDir(*confCachePath)
 	if *confCachePath, err = validatePath(*confCachePath); err != nil {
 		log.Fatalf("checking cache directory: %v", err)
 	}
-	sandbox.ReadWriteCreatePath(*confPlaylistsPath)
+	sandbox.ReadWriteCreateDir(*confPlaylistsPath)
 	if *confPlaylistsPath, err = validatePath(*confPlaylistsPath); err != nil {
 		log.Fatalf("checking playlist directory: %v", err)
 	}
@@ -149,7 +149,7 @@ func main() {
 		log.Fatalf("couldn't create covers cache path: %v\n", err)
 	}
 
-	dbc, err := db.New(*confDBPath, db.DefaultOptions())
+	dbc, err := db.New(*confDBPath, sandbox, db.DefaultOptions())
 	if err != nil {
 		log.Fatalf("error opening database: %v\n", err)
 	}
@@ -161,14 +161,15 @@ func main() {
 		OriginalMusicPath: confMusicPaths[0].path,
 		PlaylistsPath:     *confPlaylistsPath,
 		PodcastsPath:      *confPodcastPath,
+		Sandbox:           sandbox,
 	})
 	if err != nil {
 		log.Panicf("error migrating database: %v\n", err)
 	}
 
 	if *confTLSCert != "" && *confTLSKey != "" {
-		sandbox.ReadOnlyPath(*confTLSCert)
-		sandbox.ReadOnlyPath(*confTLSKey)
+		sandbox.ReadOnlyFile(*confTLSCert)
+		sandbox.ReadOnlyFile(*confTLSKey)
 	}
 
 	sandbox.AllPathsAdded()

db/db.go

@@ -44,16 +44,16 @@ type DB struct {
 	*gorm.DB
 }
 
-func New(path string, options url.Values) (*DB, error) {
+func New(path string, sandbox sandbox.Sandbox, options url.Values) (*DB, error) {
 	// https://github.com/mattn/go-sqlite3#connection-string
 	url := url.URL{
 		Scheme: "file",
 		Opaque: path,
 	}
-	sandbox.ReadWriteCreatePath(path)
-	sandbox.ReadWriteCreatePath(path + "-wal")
-	sandbox.ReadWriteCreatePath(path + "-shm")
-	sandbox.ReadWriteCreatePath(path + "-journal")
+	sandbox.ReadWriteCreateFile(path)
+	sandbox.ReadWriteCreateFile(path + "-wal")
+	sandbox.ReadWriteCreateFile(path + "-shm")
+	sandbox.ReadWriteCreateFile(path + "-journal")
 	url.RawQuery = options.Encode()
 	db, err := gorm.Open("sqlite3", url.String())
 	if err != nil {
@@ -65,7 +65,7 @@ func New(path string, options url.Values) (*DB, error) {
 }
 
 func NewMock() (*DB, error) {
-	return New(":memory:", mockOptions())
+	return New(":memory:", sandbox.Init(), mockOptions())
 }
 
 func (db *DB) InsertBulkLeftMany(table string, head []string, left int, col []int) error {
@@ -628,7 +628,7 @@ func join[T fmt.Stringer](in []T, sep string) string {
 }
 
 func Dump(ctx context.Context, db *gorm.DB, to string) error {
-	dest, err := New(to, url.Values{})
+	dest, err := New(to, sandbox.Init(), url.Values{})
 	if err != nil {
 		return fmt.Errorf("create dest db: %w", err)
 	}

db/migrations.go

@@ -25,6 +25,7 @@ type MigrationContext struct {
 	OriginalMusicPath string
 	PlaylistsPath     string
 	PodcastsPath      string
+	Sandbox           sandbox.Sandbox
 }
 
 func (db *DB) Migrate(ctx MigrationContext) error {
@@ -742,7 +743,7 @@ func backupDBPre016(tx *gorm.DB, ctx MigrationContext) error {
 		return nil
 	}
 	backupPath := fmt.Sprintf("%s.%d.bak", ctx.DBPath, time.Now().Unix())
-	sandbox.ReadWriteCreatePath(backupPath)
+	ctx.Sandbox.ReadWriteCreateFile(backupPath)
 	return Dump(context.Background(), tx, backupPath)
 }
 

go.mod

@@ -48,6 +48,7 @@ require (
 	github.com/jinzhu/now v1.1.2 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/landlock-lsm/go-landlock v0.0.0-20250303204525-1544bccde3a3 // indirect
 	github.com/lib/pq v1.3.0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
@@ -62,9 +63,10 @@ require (
 	github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf // indirect
 	golang.org/x/crypto v0.27.0 // indirect
 	golang.org/x/image v0.20.0 // indirect
-	golang.org/x/sys v0.25.0 // indirect
+	golang.org/x/sys v0.26.0 // indirect
 	golang.org/x/text v0.18.0 // indirect
 	gopkg.in/natefinch/npipe.v2 v2.0.0-20160621034901-c1b8fa8bdcce // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
+	kernel.org/pub/linux/libs/security/libcap/psx v1.2.70 // indirect
 )

go.sum

@@ -85,6 +85,8 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/landlock-lsm/go-landlock v0.0.0-20250303204525-1544bccde3a3 h1:zcMi8R8vP0WrrXlFMNUBpDy/ydo3sTnCcUPowq1XmSc=
+github.com/landlock-lsm/go-landlock v0.0.0-20250303204525-1544bccde3a3/go.mod h1:RSub3ourNF8Hf+swvw49Catm3s7HVf4hzdFxDUnEzdA=
 github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.1.1/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.3.0 h1:/qkRGz8zljWiDcFvgpwUpwIAPu3r07TDvs3Rws+o/pU=
@@ -184,6 +186,8 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
 golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
+golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -216,3 +220,5 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 jaytaylor.com/html2text v0.0.0-20230321000545-74c2419ad056 h1:6YFJoB+0fUH6X3xU/G2tQqCYg+PkGtnZ5nMR5rpw72g=
 jaytaylor.com/html2text v0.0.0-20230321000545-74c2419ad056/go.mod h1:OxvTsCwKosqQ1q7B+8FwXqg4rKZ/UG9dUW+g/VL2xH4=
+kernel.org/pub/linux/libs/security/libcap/psx v1.2.70 h1:HsB2G/rEQiYyo1bGoQqHZ/Bvd6x1rERQTNdPr1FyWjI=
+kernel.org/pub/linux/libs/security/libcap/psx v1.2.70/go.mod h1:+l6Ee2F59XiJ2I6WR5ObpC1utCQJZ/VLsEbQCD8RG24=

sandbox/none.go

@@ -1,19 +1,24 @@
-//go:build !openbsd
-// +build !openbsd
+//go:build !(openbsd || linux)
 
 package sandbox
 
-func Init() {
+type Sandbox struct{}
+
+func Init() Sandbox {
+	return Sandbox{}
+}
+
+func (box *Sandbox) ReadOnlyDir(path string) {
 }
 
-func ReadOnlyPath(path string) {
+func (box *Sandbox) ReadOnlyFile(path string) {
 }
 
-func ReadWritePath(path string) {
+func (box *Sandbox) ReadWriteCreateDir(path string) {
 }
 
-func ReadWriteCreatePath(path string) {
+func (box *Sandbox) ReadWriteCreateFile(path string) {
 }
 
-func AllPathsAdded() {
+func (box *Sandbox) AllPathsAdded() {
 }

sandbox/sandbox_linux.go

@@ -0,0 +1,55 @@
+package sandbox
+
+import (
+	"log"
+	"os"
+
+	"github.com/landlock-lsm/go-landlock/landlock"
+)
+
+type Sandbox struct {
+	paths []landlock.Rule
+}
+
+func Init() Sandbox {
+	return Sandbox{make([]landlock.Rule, 0)}
+}
+
+func (box *Sandbox) ExecPath(path string) {
+	// landlock does not currently provide anything for us here
+}
+
+func (box *Sandbox) ReadOnlyDir(path string) {
+	box.paths = append(box.paths, landlock.RODirs(path))
+}
+
+func (box *Sandbox) ReadOnlyFile(path string) {
+	box.paths = append(box.paths, landlock.ROFiles(path))
+}
+
+func (box *Sandbox) ReadWriteCreateDir(path string) {
+	box.paths = append(box.paths, landlock.RWDirs(path))
+}
+
+func (box *Sandbox) ReadWriteCreateFile(path string) {
+	// landlock requires the file to already exist
+	// so create it if it wasn't already present
+	_, err := os.Stat(path)
+	switch {
+	case os.IsNotExist(err):
+		file, err := os.Create(path)
+		if err != nil {
+			log.Fatal("Could not create file for landlock:", err)
+		} else {
+			file.Close()
+		}
+	}
+	box.paths = append(box.paths, landlock.RWFiles(path))
+}
+
+func (box *Sandbox) AllPathsAdded() {
+	if err := landlock.V5.BestEffort().RestrictPaths(box.paths...); err != nil {
+		log.Fatal("Could not enable landlock:", err)
+	}
+	// FIXME: clear paths
+}

sandbox/sandbox_openbsd.go

@@ -7,7 +7,10 @@ import (
 	"golang.org/x/sys/unix"
 )
 
-func Init() {
+type Sandbox struct{}
+
+func Init() Sandbox {
+	box := Sandbox{}
 	if err := unix.PledgePromises("stdio rpath cpath wpath flock inet unveil dns proc exec fattr"); err != nil {
 		log.Fatalf("failed to pledge: %v", err)
 	}
@@ -17,10 +20,10 @@ func Init() {
 	mpvPath, mpvErr := exec.LookPath("mpv")
 	if ffmpegErr == nil || mpvErr == nil {
 		if ffmpegErr == nil {
-			ExecPath(ffmpegPath)
+			box.ExecPath(ffmpegPath)
 		}
 		if mpvErr == nil {
-			ExecPath(mpvPath)
+			box.ExecPath(mpvPath)
 		}
 	} else {
 		// we can restrict our permissions
@@ -29,34 +32,41 @@ func Init() {
 		}
 	}
 	// needed to enable certificate validation
-	ReadOnlyPath("/etc/ssl/cert.pem")
+	box.ReadOnlyFile("/etc/ssl/cert.pem")
+	return box
 }
 
-func ExecPath(path string) {
+func (box *Sandbox) ExecPath(path string) {
 	if err := unix.Unveil(path, "rx"); err != nil {
 		log.Fatalf("failed to unveil exec for %s: %v", path, err)
 	}
 }
 
-func ReadOnlyPath(path string) {
+func (box *Sandbox) ReadOnlyDir(path string) {
+	if err := unix.Unveil(path, "r"); err != nil {
+		log.Fatalf("failed to unveil read for %s: %v", path, err)
+	}
+}
+
+func (box *Sandbox) ReadOnlyFile(path string) {
 	if err := unix.Unveil(path, "r"); err != nil {
 		log.Fatalf("failed to unveil read for %s: %v", path, err)
 	}
 }
 
-func ReadWritePath(path string) {
-	if err := unix.Unveil(path, "rw"); err != nil {
-		log.Fatalf("failed to unveil read/write for %s: %v", path, err)
+func (box *Sandbox) ReadWriteCreateDir(path string) {
+	if err := unix.Unveil(path, "rwc"); err != nil {
+		log.Fatalf("failed to unveil read/write/create for %s: %v", path, err)
 	}
 }
 
-func ReadWriteCreatePath(path string) {
+func (box *Sandbox) ReadWriteCreateFile(path string) {
 	if err := unix.Unveil(path, "rwc"); err != nil {
 		log.Fatalf("failed to unveil read/write/create for %s: %v", path, err)
 	}
 }
 
-func AllPathsAdded() {
+func (box *Sandbox) AllPathsAdded() {
 	if err := unix.UnveilBlock(); err != nil {
 		log.Fatalf("failed to finalize unveil: %v", err)
 	}