Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make it possible to create composable libraries of Landlock rules #25

Open
gnoack opened this issue Feb 5, 2023 · 3 comments
Open

Make it possible to create composable libraries of Landlock rules #25

gnoack opened this issue Feb 5, 2023 · 3 comments
Assignees
@gnoack

Comments

@gnoack
Copy link
Collaborator

gnoack commented Feb 5, 2023

Users should be able to group their own libraries of commonly used rules that are used together

idea:

package llopts

import ...

var SharedLibraries = landlock.GroupRules(
    landlock.RODirs("/usr/lib", "/lib"),
    landlock.RWDirs(os.Getenv("TMPDIR")),
)

// Looking a bit into the future here with Network rules...
var DNSClient = landlock.GroupRules(
    landlock.ROFiles("/etc/hosts"),
    landlock.DialTCP(53),
    landlock.DialUDP(53),
)

(This is just an example -- the details of these rules are not really fleshed out)
@gnoack
Copy link
Collaborator Author

gnoack commented Feb 5, 2023
edited
Loading

Such a GroupRules meta-rule requires a bit of refactoring... I have been considering the following options:

Option A - fully compatible

Make the PathOpt struct be able to compose itself, e.g.

type PathOpt struct {
  // all the existing fields
  more []PathOpt
}

and extend all its methods accordingly.

  • It does not extend nicely to networking if that patch goes in.
  • Cannot have llopts.DNS() with a DialTCP() feature -- but it is desirable
    that the grouping spans both FS rules and Network rules

Option B

Inheritance hierarchy

  • Opt (interface)
    • PathOpt (interface)
      • RealPathOpt
      • CompositePathOpt
    • NetOpt (interface)
      • RealNetOpt
      • CompositeNetOpt

=> also no composition across FS and net rules...

Option C - turn types to runtime errors

Rule is the interface for options

type PathOpt = Rule  // for backwards compatibility

func (c *Config) RestrictPaths([]Rule) error
func RWDirs(...) FSRule

Note: RWDirs and friends do not return the actual Rule type, but their returned type is implementing that interface.

Slight API breakage, but probably OK to do for most use cases. The two use cases on Github do something like

var opts []landlock.PathOpt
// repeatedly
opts = append(opts, landlock.RWDirs(...))
landlock.V2.RestrictPaths(opts...)

That would continue to work because people tend to not spell out the return type of RWDirs and friends, and it is compatible with the landlock.Rule (a.k.a. PathOpt) interface.

Known API breakages:

  • RWDirs and friends return a different type now, not landlock.PathOpt.
  • landlock.PathOpt is not a struct any more and can't be instantiated with landlock.PathOpt{} (It's more of a theoretical concern I think, I don't see why anyone might want to do that.)

Considerations:

  • When networking is introduced, RestrictPaths() and RestrictNet() will both use the same argument type Rule -- the error checking for the type of rule will need to happen at runtime. (But there is anyway already some error checking happening for wrong rules, e.g. rules with rights specified which are not handled in the ruleset -- so clients already have to deal with such cases anyway.)

@gnoack gnoack pinned this issue Feb 5, 2023
@gnoack gnoack self-assigned this Feb 5, 2023
@gnoack
Copy link
Collaborator Author

gnoack commented Feb 5, 2023

I am strongly leaning towards C, but will let it sink a little bit before committing.

gnoack added a commit that referenced this issue Feb 5, 2023
@gnoack
Restructure the types used to model Landlock rules
47065f1 
* Make `restrictOpt` public and name it `Rule`.
* Rename old `PathOpt` struct type to `FSRule`.
* Make `PathOpt` an alias for `Rule`.
* Change mentions of the words "opts" or "option" to "rule".

This is not a fully backwards-compatible change, but it works for the
go-landlock users which I have discovered on Github, using the
API roughly in the following way:

```
var opts []landlock.PathOpt
// repeatedly
opts = append(opts, landlock.RWDirs(...))
// then
landlock.V2.RestrictPaths(opts...)
```

The approach is also discussed in issue #25.
@gnoack
Copy link
Collaborator Author

gnoack commented Feb 5, 2023

Work is happening on the options branch https://github.com/landlock-lsm/go-landlock/commits/options

@gnoack gnoack changed the title Make it possible to create libraries of Landlock rules Make it possible to create composable libraries of Landlock rules Jan 23, 2024
@gnoack gnoack unpinned this issue Jan 23, 2024
gnoack added a commit that referenced this issue Jun 2, 2024
@gnoack
WIP: Support for composite rules
b67957f 
Fixes issue #25
gnoack added a commit that referenced this issue Oct 13, 2024
@gnoack
WIP: Support for composite rules
7c8ab09 
Fixes issue #25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@gnoack gnoack

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@gnoack