Get prospective restriction status, without applying restrictions

[mrcnski]

Hi, appreciate the work on this! I'm curious if it's possible to get what the RestrictionStatus would be, without actually applying the restrictions. Kind of like a dry run? I have two use cases:

1. Telemetry a single time on application startup, instead of every time the worker thread is locked.
2. Disabling tests when the test environment doesn't support landlock.

I don't know how landlock works under the hood, so maybe this can result in a race, but for our purposes that wouldn't really matter. I can help with the implementation if this is possible & desired.

[l0kod]

Thanks! Your telemetry use case is definitely valuable.

About the "disabling tests" use case, I guess it is about testing the sandboxing itself, not directly the app, right?

There is an API improvement ongoing #12 and I'll get back to it this month. I need to implement the remaining changes I proposed at FOSDEM. This revamp should bring most of the mechanic to add a "dry-run" feature. Feel free to give your point of view about this new API. I'll ping you once #12 land.

[mrcnski]

About the "disabling tests" use case, I guess it is about testing the sandboxing itself, not directly the app, right?

Yep, we are testing to ensure landlocked threads are really restricted. If landlock is not supported by the kernel (in the CI machine or whatever), the test has to bail early.

I'll ping you once #12 land.

Awesome, thanks! I watched the FOSDEM talk so I should be able to understand the PR.

[l0kod]

@mrcnski are you still interested to work on this?

[mrcnski]

Hey @l0kod, not at the moment but appreciate the consideration! Glad to see this ticket is on the agenda.