fix landlock restriction while files do not exists (#114)
pufferffish authored Apr 19, 2024
1 parent a679716 commit 6ab7069
Showing 1 changed file with 18 additions and 18 deletions.
36 changes: 18 additions & 18 deletions cmd/wireproxy/main.go
Expand Up @@ -76,24 +76,24 @@ func lock(stage string) {
// Linux
net.DefaultResolver.PreferGo = true // needed to lock down dependencies
panicIfError(landlock.V1.BestEffort().RestrictPaths(
landlock.ROFiles("/etc/resolv.conf"),
landlock.ROFiles("/dev/fd"),
landlock.ROFiles("/dev/zero"),
landlock.ROFiles("/dev/urandom"),
landlock.ROFiles("/etc/localtime"),
landlock.ROFiles("/proc/self/stat"),
landlock.ROFiles("/proc/self/status"),
landlock.ROFiles("/usr/share/locale"),
landlock.ROFiles("/proc/self/cmdline"),
landlock.ROFiles("/usr/share/zoneinfo"),
landlock.ROFiles("/proc/sys/kernel/version"),
landlock.ROFiles("/proc/sys/kernel/ngroups_max"),
landlock.ROFiles("/proc/sys/kernel/cap_last_cap"),
landlock.ROFiles("/proc/sys/vm/overcommit_memory"),
landlock.RWFiles("/dev/log"),
landlock.RWFiles("/dev/null"),
landlock.RWFiles("/dev/full"),
landlock.RWFiles("/proc/self/fd"),
landlock.ROFiles("/etc/resolv.conf").IgnoreIfMissing(),
landlock.ROFiles("/dev/fd").IgnoreIfMissing(),
landlock.ROFiles("/dev/zero").IgnoreIfMissing(),
landlock.ROFiles("/dev/urandom").IgnoreIfMissing(),
landlock.ROFiles("/etc/localtime").IgnoreIfMissing(),
landlock.ROFiles("/proc/self/stat").IgnoreIfMissing(),
landlock.ROFiles("/proc/self/status").IgnoreIfMissing(),
landlock.ROFiles("/usr/share/locale").IgnoreIfMissing(),
landlock.ROFiles("/proc/self/cmdline").IgnoreIfMissing(),
landlock.ROFiles("/usr/share/zoneinfo").IgnoreIfMissing(),
landlock.ROFiles("/proc/sys/kernel/version").IgnoreIfMissing(),
landlock.ROFiles("/proc/sys/kernel/ngroups_max").IgnoreIfMissing(),
landlock.ROFiles("/proc/sys/kernel/cap_last_cap").IgnoreIfMissing(),
landlock.ROFiles("/proc/sys/vm/overcommit_memory").IgnoreIfMissing(),
landlock.RWFiles("/dev/log").IgnoreIfMissing(),
landlock.RWFiles("/dev/null").IgnoreIfMissing(),
landlock.RWFiles("/dev/full").IgnoreIfMissing(),
landlock.RWFiles("/proc/self/fd").IgnoreIfMissing(),
))
default:
panic("invalid stage")
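Review bot: Every rule now carries `.IgnoreIfMissing()`, which turns a missing path from a startup panic into a silently dropped rule; that is fail-closed (an absent path is simply not granted, so the sandbox only gets tighter), but a path that appears after `lock` has run — `/etc/resolv.conf` written late by a resolver is the obvious case — will then fail with a permission error far from this code, and nothing records which rules were skipped. A comment above the `RestrictPaths` call should make that explicit, e.g. `// IgnoreIfMissing: paths absent at lock time are skipped instead of aborting startup; they stay denied if created later, so start here when debugging EACCES.` On style, `ROFiles` and `RWFiles` take several paths, so the eighteen single-path rules could collapse into one read-only and one read-write rule as sketched below, provided `IgnoreIfMissing` is confirmed to apply per path rather than to the whole rule. The enclosing `lock` function begins and ends outside the hunk.
```go
panicIfError(landlock.V1.BestEffort().RestrictPaths(
	// IgnoreIfMissing: paths absent at lock time are skipped instead of
	// aborting startup; they stay denied if created later.
	landlock.ROFiles(
		"/etc/resolv.conf", "/dev/fd", "/dev/zero", "/dev/urandom", "/etc/localtime",
		"/proc/self/stat", "/proc/self/status", "/proc/self/cmdline",
		"/usr/share/locale", "/usr/share/zoneinfo",
		"/proc/sys/kernel/version", "/proc/sys/kernel/ngroups_max",
		"/proc/sys/kernel/cap_last_cap", "/proc/sys/vm/overcommit_memory",
	).IgnoreIfMissing(),
	landlock.RWFiles("/dev/log", "/dev/null", "/dev/full", "/proc/self/fd").IgnoreIfMissing(),
))
// … unchanged: default case …
```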
