use landlock to restrict permissions on linux
5 files changed, 38 insertions(+), 2 deletions(-)
M go.mod → go.mod
@@ -9,6 +9,7 @@ github.com/cyphar/filepath-securejoin v0.4.1 github.com/dimfeld/httptreemux/v5 v5.5.0 github.com/dustin/go-humanize v1.0.1 github.com/go-git/go-git/v5 v5.14.0 + github.com/landlock-lsm/go-landlock v0.0.0-20250303204525-1544bccde3a3 github.com/microcosm-cc/bluemonday v1.0.27 github.com/russross/blackfriday/v2 v2.1.0 go.alanpearce.eu/gomponents v1.4.0@@ -37,4 +38,5 @@ github.com/xanzy/ssh-agent v0.3.3 // indirect golang.org/x/crypto v0.36.0 // indirect golang.org/x/net v0.38.0 // indirect gopkg.in/warnings.v0 v0.1.2 // indirect + kernel.org/pub/linux/libs/security/libcap/psx v1.2.70 // indirect )
M go.sum → go.sum
@@ -65,6 +65,8 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/landlock-lsm/go-landlock v0.0.0-20250303204525-1544bccde3a3 h1:zcMi8R8vP0WrrXlFMNUBpDy/ydo3sTnCcUPowq1XmSc= +github.com/landlock-lsm/go-landlock v0.0.0-20250303204525-1544bccde3a3/go.mod h1:RSub3ourNF8Hf+swvw49Catm3s7HVf4hzdFxDUnEzdA= github.com/microcosm-cc/bluemonday v1.0.27 h1:MpEUotklkwCSLeH+Qdx1VJgNqLlpY2KXwXFM08ygZfk= github.com/microcosm-cc/bluemonday v1.0.27/go.mod h1:jFi9vgW+H7c3V0lb6nR74Ib/DIB5OBs92Dimizgw2cA= github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k=@@ -126,3 +128,5 @@ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +kernel.org/pub/linux/libs/security/libcap/psx v1.2.70 h1:HsB2G/rEQiYyo1bGoQqHZ/Bvd6x1rERQTNdPr1FyWjI= +kernel.org/pub/linux/libs/security/libcap/psx v1.2.70/go.mod h1:+l6Ee2F59XiJ2I6WR5ObpC1utCQJZ/VLsEbQCD8RG24=
M readme → readme
@@ -9,6 +9,7 @@ • Uses gomponents instead of html/template. • Better integration with [gitolite](https://gitolite.com/gitolite/index.html) • repo.ignore is ignored: only repositories listed in projects.list are shown. • Supports subdirectories +• Use landlock as a substitute for unveil on linux FEATURES
A unveil_landlock.go
@@ -0,0 +1,29 @@ +//go:build linux +// +build linux + +package main + +import ( + "fmt" + + "github.com/landlock-lsm/go-landlock/landlock" +) + +var ll = landlock.V5 + +func Unveil(path string, perms string) error { + return nil +} + +func UnveilBlock() error { + return nil +} + +func UnveilPaths(paths []string, perms string) error { + switch perms { + case "r": + return ll.RestrictPaths(landlock.RODirs(paths...)) + default: + return fmt.Errorf("perms '%s' not handled", perms) + } +}
M unveil_stub.go → unveil_stub.go
@@ -1,5 +1,5 @@ -//go:build !openbsd -// +build !openbsd +//go:build !openbsd && !linux +// +build !openbsd,!linux // Stub functions for GOOS that don't support unix.Unveil()