filed

Job queue using FUSE

git clone git://mccd.space/filed

main.go (2197B)

      1 package main
      2 
      3 import (
      4 	"flag"
      5 	"fmt"
      6 	"log"
      7 	"os"
      8 	"os/exec"
      9 	"syscall"
     10 
     11 	"github.com/landlock-lsm/go-landlock/landlock"
     12 )
     13 
     14 func main() {
     15 	var roPaths, roFilePaths, rwFilePaths, rwPaths []string
     16 	flag.Func("ro", "Read-only path", func(s string) error {
     17 		roPaths = append(roPaths, s)
     18 		return nil
     19 	})
     20 
     21 	flag.Func("rof", "Read-only file", func(s string) error {
     22 		roFilePaths = append(roFilePaths, s)
     23 		return nil
     24 	})
     25 
     26 	flag.Func("rwf", "Read-write file", func(s string) error {
     27 		rwFilePaths = append(rwFilePaths, s)
     28 		return nil
     29 	})
     30 
     31 	flag.Func("rw", "Read-write path", func(s string) error {
     32 		rwPaths = append(rwPaths, s)
     33 		return nil
     34 	})
     35 	blockNetwork := flag.Bool("block-network", false, "Strictly block all TCP networking")
     36 	stripEnv := flag.Bool("strip-env", false, "Remove env variables, replace with a single PATH variable.")
     37 	flag.Parse()
     38 
     39 	if flag.NArg() < 1 {
     40 		fmt.Fprintf(os.Stderr, "Usage: %s [flags] -- command [args...]\n", os.Args[0])
     41 		os.Exit(1)
     42 	}
     43 	target := flag.Arg(0)
     44 	args := flag.Args()[1:]
     45 
     46 	var rules []landlock.Rule
     47 	if len(roPaths) > 0 {
     48 		rules = append(rules, landlock.RODirs(roPaths...))
     49 	}
     50 	if len(roFilePaths) > 0 {
     51 		rules = append(rules, landlock.ROFiles(roFilePaths...))
     52 	}
     53 	if len(rwPaths) > 0 {
     54 		rules = append(rules, landlock.RWDirs(rwPaths...))
     55 	}
     56 	if len(rwFilePaths) > 0 {
     57 		rules = append(rules, landlock.RWFiles(rwFilePaths...))
     58 	}
     59 	if len(rules) > 0 && *blockNetwork {
     60 		err := landlock.V5.BestEffort().Restrict(rules...)
     61 		if err != nil {
     62 			log.Fatalf("failed to apply landlock: %v", err)
     63 		}
     64 	} else if len(rules) > 0 {
     65 		if err := landlock.V5.BestEffort().RestrictPaths(rules...); err != nil {
     66 			log.Fatalf("failed to apply landlock: %v", err)
     67 		}
     68 	}
     69 
     70 	fullPath, err := exec.LookPath(target)
     71 	if err != nil {
     72 		log.Fatalf("command not found: %v", err)
     73 	}
     74 
     75 	if *stripEnv {
     76 		env := []string{
     77 			"PATH=/usr/local/bin:/bin:/usr/bin",
     78 		}
     79 		if err := syscall.Exec(fullPath, append([]string{target}, args...), env); err != nil {
     80 			log.Fatalf("failed to exec target: %v", err)
     81 		}
     82 	} else {
     83 		if err := syscall.Exec(fullPath, append([]string{target}, args...), os.Environ()); err != nil {
     84 			log.Fatalf("failed to exec target: %v", err)
     85 		}
     86 
     87 	}
     88 
     89 }