[PATCH] tools/xdg-desktop-portal-spectrum-host: landlock
This program doesn't do anything restricted by landlock, so we can just set up a maximally restrictive ruleset and be done with it. Signed-off-by: Alyssa Ross <hi@alyssa.is> --- .../Cargo.lock | 32 +++++++++++++++++++ .../Cargo.toml | 1 + .../src/main.rs | 19 ++++++++++- 3 files changed, 51 insertions(+), 1 deletion(-) diff --git a/tools/xdg-desktop-portal-spectrum-host/Cargo.lock b/tools/xdg-desktop-portal-spectrum-host/Cargo.lock index d09e36ff..147a6b9a 100644 --- a/tools/xdg-desktop-portal-spectrum-host/Cargo.lock +++ b/tools/xdg-desktop-portal-spectrum-host/Cargo.lock @@ -513,6 +513,17 @@ dependencies = [ "hashbrown", ] +[[package]] +name = "landlock" +version = "0.4.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "49fefd6652c57d68aaa32544a4c0e642929725bdc1fd929367cdeb673ab81088" +dependencies = [ + "enumflags2", + "libc", + "thiserror", +] + [[package]] name = "libc" version = "0.2.178" @@ -767,6 +778,26 @@ dependencies = [ "windows-sys", ] +[[package]] +name = "thiserror" +version = "2.0.17" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f63587ca0f12b72a0600bcba1d40081f830876000bb46dd2337a3051618f4fc8" +dependencies = [ + "thiserror-impl", +] + +[[package]] +name = "thiserror-impl" +version = "2.0.17" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3ff15c8ecd7de3849db632e14d18d2571fa09dfc5ed93479bc4485c7a517c913" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + [[package]] name = "tinystr" version = "0.7.6" @@ -988,6 +1019,7 @@ dependencies = [ "async-executor", "async-io", "futures-lite", + "landlock", "percent-encoding", "rustix", "url", diff --git a/tools/xdg-desktop-portal-spectrum-host/Cargo.toml b/tools/xdg-desktop-portal-spectrum-host/Cargo.toml index 96459c82..7b177cbf 100644 --- a/tools/xdg-desktop-portal-spectrum-host/Cargo.toml +++ b/tools/xdg-desktop-portal-spectrum-host/Cargo.toml 
@@ -10,6 +10,7 @@ edition = "2024" async-executor = { version = "1.12.0", features = ["static"] } async-io = "2.3.2" futures-lite = "2.3.0" +landlock = "0.4.4" percent-encoding = "2.3.1" rustix = "0.38.34" url = "2.5.0" diff --git a/tools/xdg-desktop-portal-spectrum-host/src/main.rs b/tools/xdg-desktop-portal-spectrum-host/src/main.rs index 3fc49cf3..a8672197 100644 --- a/tools/xdg-desktop-portal-spectrum-host/src/main.rs +++ b/tools/xdg-desktop-portal-spectrum-host/src/main.rs @@ -1,5 +1,5 @@ // SPDX-License-Identifier: EUPL-1.2+ -// SPDX-FileCopyrightText: 2024 Alyssa Ross <hi@alyssa.is> +// SPDX-FileCopyrightText: 2024-2025 Alyssa Ross <hi@alyssa.is> mod documents; mod file_chooser; @@ -19,6 +19,10 @@ use async_executor::StaticExecutor; use async_io::Async; use futures_lite::prelude::*; use futures_lite::stream::StreamExt; +use landlock::{ + ABI, Access, AccessFs, AccessNet, CompatLevel, Compatible, Ruleset, RulesetAttr, RulesetError, + Scope, +}; use zbus::{AuthMechanism, Connection, MessageStream, connection}; use file_chooser::FileChooser; @@ -208,6 +212,17 @@ fn listening_vsock_path(connection: &UnixListener) -> Result<PathBuf, String> { Ok(OsString::from_vec(listening_addr).into()) } +fn set_up_landlock() -> Result<(), RulesetError> { + Ruleset::default() + .handle_access(AccessFs::from_all(ABI::V6))? + .handle_access(AccessNet::from_all(ABI::V6))? + .scope(Scope::from_all(ABI::V6))? + .create()? + .set_compatibility(CompatLevel::HardRequirement) + .restrict_self()?; + Ok(()) +} + fn read_argv() { let mut args = args_os(); args.next(); @@ -219,6 +234,8 @@ fn read_argv() { } fn run() -> Result<(), String> { + set_up_landlock().map_err(|e| format!("setting up landlock: {e}"))?; + read_argv(); async_io::block_on(EXECUTOR.run(async { base-commit: 073642b88d65fd3d5a10e45226cb8ba580ac7bd3 -- 2.51.0
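Review bot: In `set_up_landlock` the `RestrictionStatus` returned by `restrict_self()` is discarded, so a kernel that only supports an older Landlock ABI enforces a weaker ruleset than requested without leaving any trace in the logs. As far as I can tell from the crate's API, `set_compatibility(CompatLevel::HardRequirement)` governs only the calls that follow it, so the `handle_access`/`scope` requests for `ABI::V6` stay best-effort and silently degrade, while only a complete absence of Landlock becomes an error; that matches the "maximally restrictive" intent in the description, but the degradation should at least be observable. I would bind the result, `let status = Ruleset::default()` … `.restrict_self()?;`, and follow it with `if !matches!(status.ruleset, RulesetStatus::FullyEnforced) { eprintln!("landlock: ruleset is {:?}", status.ruleset); }`, adding `RulesetStatus` to the `use landlock::{…}` list introduced in the earlier hunk. A `///` doc comment on `set_up_landlock` saying that it confines the process with every filesystem and network access right and scope the running kernel supports, and that it fails outright when Landlock is unavailable, would also help, since the sandbox boundary is otherwise invisible from `run()`.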
This patch has been committed as 788bd1c47b3be4339a28201d6ed0b6957350b5d6, which can be viewed online at https://spectrum-os.org/git/spectrum/commit/?id=788bd1c47b3be4339a28201d6ed0.... This is an automated message. Send comments/questions/requests to: Alyssa Ross <hi@alyssa.is>