filed
Job queue using FUSE
git clone git://mccd.space/filed
commit edcfce3e7b7a1dedcdc91250ce4f747f3fb3711c
parent c4d5dfa31bc8533f01d9bbb1a2cc8d8cd82d9b58
Author: Marc Coquand <marc@coquand.email>
Date: Fri, 19 Dec 2025 16:12:20 +0100

Further restrict filed

Diffstat:
M README.md | 1 +
M main.go | 4 ++--
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
@@ -103,6 +103,7 @@ I was inspired by 9p, and files proved to be a great abstraction since directori
- [x] "Landlock"-mode for sandboxing
- [x] Add filed-launch - a script that can be used to restrict command access
- [x] Add command arguments to filed to lock it down, but still allow it access to state files, and remove that access in filed-launch
+- [ ] Support landlock cli to only take -ro or -rw, use stat to determine if it's a file.
- [ ] Support network restrictions
- [ ] A reusable systemd unit file
- [ ] Notification on failure. Unfortunately [inotify does not work with fuse], which would have been elegant otherwise.
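Review bot: the added TODO item "Support landlock cli to only take -ro or -rw, use stat to determine if it's a file" does not say what should happen when stat cannot classify the path, for example when the path does not exist yet at startup or is a symlink. Since the file/directory answer decides whether the path ends up in a file rule or a directory rule, it would help to state the intended behaviour in the item itself (reject the path, or require it to exist before launch).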
diff --git a/main.go b/main.go
@@ -116,11 +116,11 @@ func main() {
// filed-launch are needed to launch applications
// fusermount for unmounting
- roFilePathsForFiled := append(restrictions.roFiles, fusermountExecutable, filedLaunchExecutable)
+ roFilePathsForFiled := append(restrictions.roFiles, "/dev/fuse", "/dev/null", fusermountExecutable, filedLaunchExecutable)
rules = append(rules, landlock.ROFiles(roFilePathsForFiled...))
// /proc and /dev are needed to oversee the process and kill it
- roDirPathsForFiled := append(restrictions.roDir, "/proc", "/dev")
+ roDirPathsForFiled := append(restrictions.roDir, "/proc")
rules = append(rules, landlock.RODirs(roDirPathsForFiled...))
// mountpoint might not technically be necessarily? Probably good to include either way...
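Review bot: the comment "// /proc and /dev are needed to oversee the process and kill it" is stale after this change, because "/dev" is dropped from roDirPathsForFiled and only "/proc" remains; the comment above roFilePathsForFiled likewise explains fusermount and filed-launch but not the two new entries "/dev/fuse" and "/dev/null". Please update both comments so each listed path has a stated reason, which makes later tightening easier to audit. It is also worth confirming that read-only access is enough for the two device nodes: they are passed to landlock.ROFiles, so these rules do not grant opening either of them for writing once the restrictions are in force (for instance /dev/null used as an output target). If that is intentional because the descriptors are opened earlier, a short comment saying so would help.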