Use abi.* synthetic variables

TODO: Remove patch.cartes-io once this PR land:
landlock-lsm/rust-landlock#108

TODO: Factor out code

In preparation to replace the "vN." prefixes with a global max ABI
version.  This new approach is flexible enough and simpler.

This is now possible thanks to the composition feature (each file can
have a dedicated max ABI) and its similar to the use of a local
variable.

The variable `abi = 4` is the highest version of the Landlock ABI, which
should replace the hardcoded v4 uses.  This is convenient to update
configurations to newest Landlock features by only updating one line
instead of all use of vN.

Example:

  abi = 4

  [[ruleset]]
  handled_access_fs = ["abi.all"]

  [[path_beneath]]
  allowed_access = ["abi.read_execute"]
  parent = ["/usr"]

Signed-off-by: Mickaël Salaün <mic@digikod.net>

Author: l0kod

Cargo.toml

@@ -44,3 +44,6 @@ lazy_static = "1.5.0"
 [[example]]
 name = "sandboxer"
 required-features = ["toml"]
+
+[patch.crates-io]
+landlock = { git = "https://github.com/landlock-lsm/rust-landlock", rev = "19f01a99752607e0f6b1872edf86690982c0e920" }

examples/micro-var.toml

@@ -1,3 +1,5 @@
+abi = 5
+
 [[variable]]
 name = "tmp"
 literal = ["/tmp", "/var/tmp"]
@@ -12,10 +14,10 @@ literal = ["/etc"]
 
 # Main system file hierarchies can be read and executed, including the current path (for test only).
 [[path_beneath]]
-allowed_access = ["v5.read_execute"]
+allowed_access = ["abi.read_execute"]
 parent = [".", "/bin", "/lib", "/usr", "/dev", "/proc", "${config}"]
 
 # Only allow writing to temporary and home directories.
 [[path_beneath]]
-allowed_access = ["v5.read_write"]
+allowed_access = ["abi.read_write"]
 parent = ["${tmp}", "${home}"]

schema/landlockconfig.json

@@ -8,6 +8,11 @@
       "minimum": 0,
       "maximum": 18446744073709551615
     },
+    "abi": {
+      "type": "integer",
+      "minimum": 1,
+      "maximum": 2147483647
+    },
     "accessFs": {
       "type": "string",
       "enum": [
@@ -44,7 +49,10 @@
         "v5.read_write",
         "v6.all",
         "v6.read_execute",
-        "v6.read_write"
+        "v6.read_write",
+        "abi.all",
+        "abi.read_execute",
+        "abi.read_write"
       ]
     },
     "accessNet": {
@@ -54,7 +62,8 @@
         "connect_tcp",
         "v4.all",
         "v5.all",
-        "v6.all"
+        "v6.all",
+        "abi.all"
       ]
     },
     "scope": {
@@ -67,6 +76,9 @@
     }
   },
   "properties": {
+    "abi": {
+      "$ref": "#/definitions/abi"
+    },
     "variable": {
       "type": "array",
       "minItems": 1,

src/config.rs

@@ -5,7 +5,7 @@ use crate::parser::{JsonConfig, TemplateString, TomlConfig};
 use crate::variable::{NameError, ResolveError, Variables, VecStringIterator};
 use landlock::{
     AccessFs, AccessNet, BitFlags, NetPort, PathBeneath, PathFd, PathFdError, Ruleset, RulesetAttr,
-    RulesetCreated, RulesetCreatedAttr, RulesetError, Scope,
+    RulesetCreated, RulesetCreatedAttr, RulesetError, Scope, ABI,
 };
 use std::collections::BTreeMap;
 use std::fs::{self, File};
@@ -27,6 +27,7 @@ pub enum BuildRulesetError {
 #[cfg_attr(test, derive(Default))]
 #[derive(Clone, Debug, PartialEq, Eq)]
 pub struct Config {
+    pub(crate) abi: Option<ABI>,
     pub(crate) variables: Variables,
     pub(crate) handled_fs: BitFlags<AccessFs>,
     pub(crate) handled_net: BitFlags<AccessNet>,
@@ -53,6 +54,8 @@ pub struct ResolvedConfig {
 pub enum ConfigError {
     #[error(transparent)]
     Name(#[from] NameError),
+    #[error(transparent)]
+    Resolve(#[from] ResolveError),
 }
 
 impl TryFrom<NonEmptyStruct<JsonConfig>> for Config {
@@ -62,6 +65,8 @@ impl TryFrom<NonEmptyStruct<JsonConfig>> for Config {
         let mut config = Self::empty();
         let json = json.into_inner();
 
+        config.abi = json.abi.map(Into::into);
+
         for variable in json.variable.unwrap_or_default() {
             let name = variable.name.parse()?;
             let literal = variable.literal.unwrap_or_default();
@@ -73,13 +78,15 @@ impl TryFrom<NonEmptyStruct<JsonConfig>> for Config {
             let ruleset = ruleset.into_inner();
             config.handled_fs |= ruleset
                 .handledAccessFs
-                .as_ref()
-                .map(BitFlags::<AccessFs>::from)
+                // TODO: Test .map(|access| access.into())
+                .map(|access| access.resolve_bitflags(config.abi))
+                .transpose()?
                 .unwrap_or_default();
             config.handled_net |= ruleset
                 .handledAccessNet
-                .as_ref()
-                .map(BitFlags::<AccessNet>::from)
+                // TODO: Test .map(|access| access.into())
+                .map(|access| access.resolve_bitflags(config.abi))
+                .transpose()?
                 .unwrap_or_default();
             config.scoped |= ruleset
                 .scoped
@@ -89,7 +96,7 @@ impl TryFrom<NonEmptyStruct<JsonConfig>> for Config {
         }
 
         for path_beneath in json.pathBeneath.unwrap_or_default() {
-            let access: BitFlags<AccessFs> = (&path_beneath.allowedAccess).into();
+            let access = path_beneath.allowedAccess.resolve_bitflags(config.abi)?;
 
             /* Automatically augment and keep the ruleset consistent. */
             config.handled_fs |= access;
@@ -104,7 +111,7 @@ impl TryFrom<NonEmptyStruct<JsonConfig>> for Config {
         }
 
         for net_port in json.netPort.unwrap_or_default() {
-            let access: BitFlags<AccessNet> = (&net_port.allowedAccess).into();
+            let access = net_port.allowedAccess.resolve_bitflags(config.abi)?;
 
             /* Automatically augment and keep the ruleset consistent. */
             config.handled_net |= access;
@@ -198,6 +205,7 @@ impl Config {
     // could not be updated with public methods (e.g. compose).
     fn empty() -> Self {
         Self {
+            abi: Default::default(),
             variables: Default::default(),
             handled_fs: Default::default(),
             handled_net: Default::default(),
@@ -274,6 +282,14 @@ impl Config {
         self.handled_fs &= other.handled_fs;
         self.handled_net &= other.handled_net;
         self.scoped &= other.scoped;
+
+        // Fifth step: downgrade the ABI version.
+        self.abi = match (self.abi, other.abi) {
+            (Some(a), Some(b)) => Some(a.min(b)),
+            (Some(a), None) => Some(a),
+            (None, Some(b)) => Some(b),
+            (None, None) => None,
+        };
     }
 
     pub fn parse_json<R>(reader: R) -> Result<Self, ParseJsonError>
@@ -442,6 +458,7 @@ impl ResolvedConfig {
 impl TryFrom<Config> for ResolvedConfig {
     type Error = ResolveError;
 
+    /// Resolve all (composed) variables but not local (synthetic) variables such as `abi.*`.
     fn try_from(config: Config) -> Result<Self, Self::Error> {
         let mut rules_path_beneath: BTreeMap<PathBuf, BitFlags<AccessFs>> = Default::default();
         for (path_beneath, access) in config.rules_path_beneath {
@@ -537,4 +554,64 @@ mod tests_compose {
             }
         );
     }
+
+    #[test]
+    fn test_abi_none_none() {
+        let c1 = Config {
+            abi: None,
+            ..Default::default()
+        };
+        let mut c1_mut = c1.clone();
+        let mut c2_mut = Config {
+            abi: None,
+            ..Default::default()
+        };
+
+        c1_mut.compose(&c2_mut);
+        assert_eq!(c1_mut.abi, None);
+
+        // Test commutativity
+        c2_mut.compose(&c1);
+        assert_eq!(c1_mut, c2_mut);
+    }
+
+    #[test]
+    fn test_abi_some_none() {
+        let c1 = Config {
+            abi: Some(ABI::V2),
+            ..Default::default()
+        };
+        let mut c1_mut = c1.clone();
+        let mut c2_mut = Config {
+            abi: None,
+            ..Default::default()
+        };
+
+        c1_mut.compose(&c2_mut);
+        assert_eq!(c1_mut.abi, Some(ABI::V2));
+
+        // Test commutativity
+        c2_mut.compose(&c1);
+        assert_eq!(c1_mut, c2_mut);
+    }
+
+    #[test]
+    fn test_abi_some_some() {
+        let c1 = Config {
+            abi: Some(ABI::V1),
+            ..Default::default()
+        };
+        let mut c1_mut = c1.clone();
+        let mut c2_mut = Config {
+            abi: Some(ABI::V2),
+            ..Default::default()
+        };
+
+        c1_mut.compose(&c2_mut);
+        assert_eq!(c1_mut.abi, Some(ABI::V1));
+
+        // Test commutativity
+        c2_mut.compose(&c1);
+        assert_eq!(c1_mut, c2_mut);
+    }
 }

src/lib.rs

@@ -22,3 +22,6 @@ mod tests_variable;
 
 #[cfg(test)]
 mod tests_compose;
+
+#[cfg(test)]
+mod tests_abi;