search

landlock-lsm / go-landlock

A Go library for the Linux Landlock sandboxing feature
MIT License
105 stars 7 forks source link

pathOpt struct external usage #11

Closed BoardzMaster closed 2 years ago

BoardzMaster commented 2 years ago

Dear Günther! Is it possible to make pathOpt structure for external usage cause it would be convenient in runc/containerd implementation? image

It could be easily parsed from runc spec .json and into opts array directly and then fed to RestrictPaths(opts ...pathOpt) function

gnoack commented 2 years ago

Hello Konstantin!

We can expose the type itself if that helps (make PathOpts uppercase), but the internals are hidden on purpose here, so that it can be used if RestrictPaths() will need special additional options other than the existing ones in the future.

Would that help?

BoardzMaster commented 2 years ago

Yes, we can of course. But if we want to use go-landlock lib so maybe it would be more suitable that all changes come from outside(upstream) and we could keep the library consistent. If I make a change locally so other users don't see this change and could get a compilation error (with my runc patch as an example ) cause they have an upstream version of go-landlock. What do you think?

gnoack commented 2 years ago

I have trouble understanding your comment. Obviously, you shouldn't need to maintain your own copy of go-landlock because of this. I'm happy to make the necessary changes here to support your use case, as long as I understand what these necessary changes are, and as long as it's done in a way that doesn't complicate things in the future.

If it's just about making the pathOpt type public, we can do that. Would that work for your use case?

BoardzMaster commented 2 years ago

Sorry if my comment confused you! If it's possible please could you make pathOpt public? In runc implementation, Landlock rules (from spec config.json file) will be parsed into an array of pathOpt and fed in RestrictPaths() function. Cause ,as I understand, now RestrictPaths() function could be used just with predefined RODirs....RWFiles pathopts or with PathAccess() function. If you want the internals of RestrictPaths() to stay hidden, so it's OK! I will apply another landlock rules parsing logic in runc. Thank you!!

gnoack commented 2 years ago

Sounds good, I made the pathOpt type public. I'll close the bug for now, assuming that this works for your use case. If there are more API usage issues with pathOpt that I have overlooked, please feel free to reopen.

P.S.: Please don't forget to use the new import path "github.com/landlock-lsm/go-landlock/landlock".

BoardzMaster commented 2 years ago

Thank you so much!!!!