[WIP] Use landlock

bjorn3 · bjorn3 · commit 54c88f3e4420 · 2024-09-12T17:03:24.000Z
diff --git a/build_system/Cargo.lock b/build_system/Cargo.lock
diff --git a/build_system/Cargo.toml b/build_system/Cargo.toml
@@ -11,6 +11,8 @@ path = "main.rs"
 unstable-features = [] # for rust-analyzer
 
 # Do not add any dependencies
+[dependencies]
+landlock = "0.4"
 
 [profile.dev]
 debug = 1
diff --git a/build_system/main.rs b/build_system/main.rs
@@ -54,6 +54,36 @@ enum CodegenBackend {
 }
 
 fn main() {
+    use landlock::{Access, Compatible, RulesetAttr, RulesetCreatedAttr};
+    let abi = landlock::ABI::V2;
+    let access_all = landlock::AccessFs::from_all(abi);
+    let access_read = landlock::AccessFs::from_read(abi);
+    landlock::Ruleset::default()
+        .set_compatibility(landlock::CompatLevel::BestEffort)
+        .handle_access(access_all)
+        .unwrap()
+        .create()
+        .unwrap()
+        .add_rules(landlock::path_beneath_rules(&["/"], access_read))
+        .unwrap()
+        .add_rules(landlock::path_beneath_rules(&["/tmp", "/dev/null"], access_all))
+        .unwrap()
+        .add_rules(landlock::path_beneath_rules(
+            &[
+                std::env::current_dir().unwrap().join("build"),
+                std::env::current_dir().unwrap().join("dist"),
+            ],
+            access_all,
+        ))
+        .unwrap()
+        .add_rules(landlock::path_beneath_rules(
+            &[std::env::home_dir().unwrap().join(".cargo/registry")],
+            access_all,
+        ))
+        .unwrap()
+        .restrict_self()
+        .unwrap();
+
     if env::var_os("RUST_BACKTRACE").is_none() {
         env::set_var("RUST_BACKTRACE", "1");
     }
diff --git a/build_system/utils.rs b/build_system/utils.rs
@@ -176,11 +176,20 @@ pub(crate) fn retry_spawn_and_wait(tries: u64, mut cmd: Command) {
 }
 
 pub(crate) fn remove_dir_if_exists(path: &Path) {
-    match fs::remove_dir_all(&path) {
-        Ok(()) => {}
-        Err(err) if err.kind() == io::ErrorKind::NotFound => {}
-        Err(err) => panic!("Failed to remove {path}: {err}", path = path.display()),
+    for entry in fs::read_dir(&path).unwrap() {
+        let entry = entry.unwrap();
+        if entry.file_type().unwrap().is_dir() {
+            fs::remove_dir_all(entry.path()).unwrap();
+        } else {
+            fs::remove_file(entry.path()).unwrap();
+        }
     }
+
+    //match fs::remove_dir_all(&path) {
+    //    Ok(()) => {}
+    //    Err(err) if err.kind() == io::ErrorKind::NotFound => {}
+    //    Err(err) => panic!("Failed to remove {path}: {err}", path = path.display()),
+    //}
 }
 
 pub(crate) fn copy_dir_recursively(from: &Path, to: &Path) {
