Use abi.* synthetic variables

TODO: Remove patch.cartes-io once this PR land:
landlock-lsm/rust-landlock#108

TODO: Factor out code

In preparation to replace the "vN." prefixes with a global max ABI
version.  This new approach is flexible enough and simpler.

This is now possible thanks to the composition feature (each file can
have a dedicated max ABI) and its similar to the use of a local
variable.

For instance, the variable `abi = 4` represents the highest version of
the Landlock ABI in a configuration file, which should replace the
hardcoded v4 uses.  This is convenient to update configurations to
newest Landlock features by only updating one line instead of all use of
vN.

Example:

  abi = 4

  [[ruleset]]
  handled_access_fs = ["abi.all"]

  [[path_beneath]]
  allowed_access = ["abi.read_execute"]
  parent = ["/usr"]

Add new ValueAccess enums and AbiGroup trait to factor out common code.
Replace get_fs_read_execute() and get_fs_read_write() with
AbiGroupFs::ReadExecute and AbiGroupFs::ReadWrite.

Signed-off-by: Mickaël Salaün <mic@digikod.net>

Author: l0kod

Cargo.toml

@@ -44,3 +44,6 @@ lazy_static = "1.5.0"
 [[example]]
 name = "sandboxer"
 required-features = ["toml"]
+
+[patch.crates-io]
+landlock = { git = "https://github.com/landlock-lsm/rust-landlock", rev = "19f01a99752607e0f6b1872edf86690982c0e920" }

examples/micro-var.toml

@@ -1,3 +1,5 @@
+abi = 5
+
 [[variable]]
 name = "tmp"
 literal = ["/tmp", "/var/tmp"]
@@ -12,10 +14,10 @@ literal = ["/etc"]
 
 # Main system file hierarchies can be read and executed, including the current path (for test only).
 [[path_beneath]]
-allowed_access = ["v5.read_execute"]
+allowed_access = ["abi.read_execute"]
 parent = [".", "/bin", "/lib", "/usr", "/dev", "/proc", "${config}"]
 
 # Only allow writing to temporary and home directories.
 [[path_beneath]]
-allowed_access = ["v5.read_write"]
+allowed_access = ["abi.read_write"]
 parent = ["${tmp}", "${home}"]

schema/landlockconfig.json

@@ -8,9 +8,17 @@
       "minimum": 0,
       "maximum": 18446744073709551615
     },
+    "abi": {
+      "type": "integer",
+      "minimum": 1,
+      "maximum": 2147483647
+    },
     "accessFs": {
       "type": "string",
       "enum": [
+        "abi.all",
+        "abi.read_execute",
+        "abi.read_write",
         "execute",
         "write_file",
         "read_file",
@@ -50,6 +58,7 @@
     "accessNet": {
       "type": "string",
       "enum": [
+        "abi.all",
         "bind_tcp",
         "connect_tcp",
         "v4.all",
@@ -60,13 +69,17 @@
     "scope": {
       "type": "string",
       "enum": [
+        "abi.all",
         "abstract_unix_socket",
         "signal",
         "v6.all"
       ]
     }
   },
   "properties": {
+    "abi": {
+      "$ref": "#/definitions/abi"
+    },
     "variable": {
       "type": "array",
       "minItems": 1,

src/config.rs

@@ -5,7 +5,7 @@ use crate::parser::{JsonConfig, TemplateString, TomlConfig};
 use crate::variable::{NameError, ResolveError, Variables, VecStringIterator};
 use landlock::{
     AccessFs, AccessNet, BitFlags, NetPort, PathBeneath, PathFd, PathFdError, Ruleset, RulesetAttr,
-    RulesetCreated, RulesetCreatedAttr, RulesetError, Scope,
+    RulesetCreated, RulesetCreatedAttr, RulesetError, Scope, ABI,
 };
 use std::collections::BTreeMap;
 use std::fs::{self, File};
@@ -27,6 +27,7 @@ pub enum BuildRulesetError {
 #[cfg_attr(test, derive(Default))]
 #[derive(Clone, Debug, PartialEq, Eq)]
 pub struct Config {
+    pub(crate) abi: Option<ABI>,
     pub(crate) variables: Variables,
     pub(crate) handled_fs: BitFlags<AccessFs>,
     pub(crate) handled_net: BitFlags<AccessNet>,
@@ -53,6 +54,8 @@ pub struct ResolvedConfig {
 pub enum ConfigError {
     #[error(transparent)]
     Name(#[from] NameError),
+    #[error(transparent)]
+    Resolve(#[from] ResolveError),
 }
 
 impl TryFrom<NonEmptyStruct<JsonConfig>> for Config {
@@ -62,6 +65,8 @@ impl TryFrom<NonEmptyStruct<JsonConfig>> for Config {
         let mut config = Self::empty();
         let json = json.into_inner();
 
+        config.abi = json.abi.map(Into::into);
+
         for variable in json.variable.unwrap_or_default() {
             let name = variable.name.parse()?;
             let literal = variable.literal.unwrap_or_default();
@@ -73,23 +78,23 @@ impl TryFrom<NonEmptyStruct<JsonConfig>> for Config {
             let ruleset = ruleset.into_inner();
             config.handled_fs |= ruleset
                 .handledAccessFs
-                .as_ref()
-                .map(BitFlags::<AccessFs>::from)
+                .map(|access| access.resolve_bitflags(config.abi))
+                .transpose()?
                 .unwrap_or_default();
             config.handled_net |= ruleset
                 .handledAccessNet
-                .as_ref()
-                .map(BitFlags::<AccessNet>::from)
+                .map(|access| access.resolve_bitflags(config.abi))
+                .transpose()?
                 .unwrap_or_default();
             config.scoped |= ruleset
                 .scoped
-                .as_ref()
-                .map(BitFlags::<Scope>::from)
+                .map(|scoped| scoped.resolve_bitflags(config.abi))
+                .transpose()?
                 .unwrap_or_default();
         }
 
         for path_beneath in json.pathBeneath.unwrap_or_default() {
-            let access: BitFlags<AccessFs> = (&path_beneath.allowedAccess).into();
+            let access = path_beneath.allowedAccess.resolve_bitflags(config.abi)?;
 
             /* Automatically augment and keep the ruleset consistent. */
             config.handled_fs |= access;
@@ -104,7 +109,7 @@ impl TryFrom<NonEmptyStruct<JsonConfig>> for Config {
         }
 
         for net_port in json.netPort.unwrap_or_default() {
-            let access: BitFlags<AccessNet> = (&net_port.allowedAccess).into();
+            let access = net_port.allowedAccess.resolve_bitflags(config.abi)?;
 
             /* Automatically augment and keep the ruleset consistent. */
             config.handled_net |= access;
@@ -198,6 +203,7 @@ impl Config {
     // could not be updated with public methods (e.g. compose).
     fn empty() -> Self {
         Self {
+            abi: Default::default(),
             variables: Default::default(),
             handled_fs: Default::default(),
             handled_net: Default::default(),
@@ -274,6 +280,14 @@ impl Config {
         self.handled_fs &= other.handled_fs;
         self.handled_net &= other.handled_net;
         self.scoped &= other.scoped;
+
+        // Fifth step: downgrade the ABI version.
+        self.abi = match (self.abi, other.abi) {
+            (Some(a), Some(b)) => Some(a.min(b)),
+            (Some(a), None) => Some(a),
+            (None, Some(b)) => Some(b),
+            (None, None) => None,
+        };
     }
 
     pub fn parse_json<R>(reader: R) -> Result<Self, ParseJsonError>
@@ -442,6 +456,7 @@ impl ResolvedConfig {
 impl TryFrom<Config> for ResolvedConfig {
     type Error = ResolveError;
 
+    /// Resolve all (composed) variables but not local (synthetic) variables such as `abi.*`.
     fn try_from(config: Config) -> Result<Self, Self::Error> {
         let mut rules_path_beneath: BTreeMap<PathBuf, BitFlags<AccessFs>> = Default::default();
         for (path_beneath, access) in config.rules_path_beneath {
@@ -537,4 +552,64 @@ mod tests_compose {
             }
         );
     }
+
+    #[test]
+    fn test_abi_none_none() {
+        let c1 = Config {
+            abi: None,
+            ..Default::default()
+        };
+        let mut c1_mut = c1.clone();
+        let mut c2_mut = Config {
+            abi: None,
+            ..Default::default()
+        };
+
+        c1_mut.compose(&c2_mut);
+        assert_eq!(c1_mut.abi, None);
+
+        // Test commutativity
+        c2_mut.compose(&c1);
+        assert_eq!(c1_mut, c2_mut);
+    }
+
+    #[test]
+    fn test_abi_some_none() {
+        let c1 = Config {
+            abi: Some(ABI::V2),
+            ..Default::default()
+        };
+        let mut c1_mut = c1.clone();
+        let mut c2_mut = Config {
+            abi: None,
+            ..Default::default()
+        };
+
+        c1_mut.compose(&c2_mut);
+        assert_eq!(c1_mut.abi, Some(ABI::V2));
+
+        // Test commutativity
+        c2_mut.compose(&c1);
+        assert_eq!(c1_mut, c2_mut);
+    }
+
+    #[test]
+    fn test_abi_some_some() {
+        let c1 = Config {
+            abi: Some(ABI::V1),
+            ..Default::default()
+        };
+        let mut c1_mut = c1.clone();
+        let mut c2_mut = Config {
+            abi: Some(ABI::V2),
+            ..Default::default()
+        };
+
+        c1_mut.compose(&c2_mut);
+        assert_eq!(c1_mut.abi, Some(ABI::V1));
+
+        // Test commutativity
+        c2_mut.compose(&c1);
+        assert_eq!(c1_mut, c2_mut);
+    }
 }

src/lib.rs

@@ -22,3 +22,6 @@ mod tests_variable;
 
 #[cfg(test)]
 mod tests_compose;
+
+#[cfg(test)]
+mod tests_abi;