fix: add user-configured allowRead paths to Landlock ruleset (#8)

tito · web-flow · commit 3925d672abfe · 2026-03-12T15:35:03.000-06:00
ApplyLandlockFromConfig was not processing cfg.Filesystem.AllowRead paths, causing them to be blocked by Landlock despite bwrap mounting them correctly as read-only. This made files like ~/.gitconfig inaccessible inside the sandbox when using DefaultDenyRead mode. Closes #6
diff --git a/internal/sandbox/linux_landlock.go b/internal/sandbox/linux_landlock.go
@@ -152,6 +152,25 @@ func ApplyLandlockFromConfig(cfg *config.Config, cwd string, socketPaths []strin
 		}
 	}
 
+	// User-configured allowRead paths
+	if cfg != nil && cfg.Filesystem.AllowRead != nil {
+		expandedPaths := ExpandGlobPatterns(cfg.Filesystem.AllowRead)
+		for _, p := range expandedPaths {
+			if err := ruleset.AllowRead(p); err != nil && debug {
+				fmt.Fprintf(os.Stderr, "[greywall:landlock] Warning: failed to add read path %s: %v\n", p, err)
+			}
+		}
+		// Also add non-glob paths directly
+		for _, p := range cfg.Filesystem.AllowRead {
+			if !ContainsGlobChars(p) {
+				normalized := NormalizePath(p)
+				if err := ruleset.AllowRead(normalized); err != nil && debug {
+					fmt.Fprintf(os.Stderr, "[greywall:landlock] Warning: failed to add read path %s: %v\n", normalized, err)
+				}
+			}
+		}
+	}
+
 	// User-configured allowWrite paths
 	if cfg != nil && cfg.Filesystem.AllowWrite != nil {
 		expandedPaths := ExpandGlobPatterns(cfg.Filesystem.AllowWrite)
