feat: add landlock (linux userspace sandbox feature)

ngergs · Apr 4, 2024 · 40fa2d7 · 40fa2d7
1 parent 092aba5
commit 40fa2d7
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 0 deletions.
diff --git a/cmd/websrv/main.go b/cmd/websrv/main.go
@@ -4,8 +4,10 @@ import (
 	"compress/gzip"
 	"context"
 	"errors"
+	"fmt"
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/chi/v5/middleware"
+	"github.com/landlock-lsm/go-landlock/landlock"
 	"github.com/ngergs/websrv/v3/internal/utils"
 	"github.com/prometheus/client_golang/prometheus"
 	"io/fs"
@@ -34,6 +36,9 @@ func main() {
 	if err = setup(conf); err != nil {
 		log.Fatal().Err(err).Msg("Error during initialization")
 	}
+	if err := setupLandlock(conf); err != nil {
+		log.Fatal().Err(err).Msg("")
+	}
 	var wg sync.WaitGroup
 	sigtermCtx := server.SigTermCtx(context.Background(), time.Duration(conf.ShutdownDelay)*time.Second)
 	unzipfs, zipfs := initFs(conf)
@@ -170,3 +175,29 @@ func logErrors(errChan <-chan error) {
 		}
 	}
 }
+
+// setupLandlock activates the linux landlock sandbox features on an best effort basis
+func setupLandlock(conf *config) error {
+	llConf := landlock.V4.BestEffort()
+	if err := llConf.RestrictPaths(landlock.RODirs(targetDir)); err != nil {
+		return fmt.Errorf("error during landlock filesystem setup: %w", err)
+	}
+	ports := []uint16{conf.Port.Webserver}
+	if conf.Health {
+		ports = append(ports, conf.Port.Health)
+	}
+	if conf.H2C {
+		ports = append(ports, conf.Port.H2c)
+	}
+	if conf.Metrics.Enabled {
+		ports = append(ports, conf.Port.Metrics)
+	}
+	portRules := make([]landlock.Rule, len(ports))
+	for i, port := range ports {
+		portRules[i] = landlock.BindTCP(port)
+	}
+	if err := llConf.RestrictNet(portRules...); err != nil {
+		return fmt.Errorf("error during landlock network setup: %w", err)
+	}
+	return nil
+}
diff --git a/go.mod b/go.mod
@@ -11,6 +11,7 @@ require (
 	github.com/knadh/koanf/providers/file v0.1.0
 	github.com/knadh/koanf/providers/structs v0.1.0
 	github.com/knadh/koanf/v2 v2.1.1
+	github.com/landlock-lsm/go-landlock v0.0.0-20240216195629-efb66220540a
 	github.com/prometheus/client_golang v1.19.0
 	github.com/rs/zerolog v1.32.0
 	github.com/stretchr/testify v1.8.1
@@ -38,4 +39,5 @@ require (
 	golang.org/x/text v0.14.0 // indirect
 	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
+	kernel.org/pub/linux/libs/security/libcap/psx v1.2.69 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -36,6 +36,8 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/landlock-lsm/go-landlock v0.0.0-20240216195629-efb66220540a h1:dz+a1MiMQksVhejeZwqJuzPawYQBwug74J8PPtkLl9U=
+github.com/landlock-lsm/go-landlock v0.0.0-20240216195629-efb66220540a/go.mod h1:1NY/VPO8xm3hXw3f+M65z+PJDLUaZA5cu7OfanxoUzY=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
@@ -90,3 +92,5 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EV
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+kernel.org/pub/linux/libs/security/libcap/psx v1.2.69 h1:IdrOs1ZgwGw5CI+BH6GgVVlOt+LAXoPyh7enr8lfaXs=
+kernel.org/pub/linux/libs/security/libcap/psx v1.2.69/go.mod h1:+l6Ee2F59XiJ2I6WR5ObpC1utCQJZ/VLsEbQCD8RG24=