Add landlock rulesets

2025-12-01 11:15:29 +09:00
parent 2472936857
commit 152c3ddbcc
7 changed files with 136 additions and 4 deletions
--- a/src/server/landlock.rs
+++ b/src/server/landlock.rs
@@ -0,0 +1,89 @@
+#[cfg(target_os = "linux")]
+use std::path::Path;
+
+#[cfg(target_os = "linux")]
+pub fn landlock_restrict_server(config_path: Option<&Path>) -> anyhow::Result<()> {
+    use crate::{core::common::DEFAULT_CONFIG_PATH, server::config::ServerConfig};
+    use anyhow::Context;
+    use landlock::{
+        ABI, Access, AccessFs, AccessNet, NetPort, Ruleset, RulesetAttr, RulesetCreatedAttr,
+        path_beneath_rules,
+    };
+
+    let config_path = config_path.unwrap_or(Path::new(DEFAULT_CONFIG_PATH));
+
+    let config = ServerConfig::read_config_from_path(config_path)?;
+
+    let abi = ABI::V4;
+    let mut ruleset = Ruleset::default()
+        .handle_access(AccessFs::from_all(abi))?
+        .handle_access(AccessNet::from_all(abi))?
+        .create()
+        .context("Failed to create Landlock ruleset")?
+        .add_rules(path_beneath_rules(
+            &["/run/muscl"],
+            AccessFs::from_read(abi),
+        ))
+        .context("Failed to add Landlock rules for /run/muscl")?
+        // Needs read access to /etc to access unix user/group info
+        .add_rules(path_beneath_rules(&["/etc"], AccessFs::from_read(abi)))
+        .context("Failed to add Landlock rules for /etc")?
+        .add_rules(path_beneath_rules(&[config_path], AccessFs::from_read(abi)))
+        .context(format!(
+            "Failed to add Landlock rules for server config path at {}",
+            config_path.display()
+        ))?;
+
+    if let Some(socket_path) = &config.socket_path {
+        ruleset = ruleset
+            .add_rules(path_beneath_rules(&[socket_path], AccessFs::from_all(abi)))
+            .context(format!(
+                "Failed to add Landlock rules for server socket path at {}",
+                socket_path.display()
+            ))?;
+    }
+
+    if let Some(mysql_socket_path) = &config.mysql.socket_path {
+        ruleset = ruleset
+            .add_rules(path_beneath_rules(
+                &[mysql_socket_path],
+                AccessFs::from_all(abi),
+            ))
+            .context(format!(
+                "Failed to add Landlock rules for MySQL socket path at {}",
+                mysql_socket_path.display()
+            ))?;
+    }
+
+    if let Some(mysql_host) = &config.mysql.host {
+        ruleset = ruleset
+            .add_rule(NetPort::new(config.mysql.port, AccessNet::ConnectTcp))
+            .context(format!(
+                "Failed to add Landlock rules for MySQL host at {}:{}",
+                mysql_host, config.mysql.port
+            ))?;
+    }
+
+    if let Some(mysql_passwd_file) = &config.mysql.password_file {
+        ruleset = ruleset
+            .add_rules(path_beneath_rules(
+                &[mysql_passwd_file],
+                AccessFs::from_read(abi),
+            ))
+            .context(format!(
+                "Failed to add Landlock rules for MySQL password file at {}",
+                mysql_passwd_file.display()
+            ))?;
+    }
+
+    ruleset
+        .restrict_self()
+        .context("Failed to apply Landlock restrictions to the server process")?;
+
+    Ok(())
+}
+
+#[cfg(not(target_os = "linux"))]
+pub fn landlock_restrict_server() -> anyhow::Result<()> {
+    Ok(())
+}