Separate landlock rules for prepare and build

bjorn3 · bjorn3 · commit 69c0ec9501c3 · 2024-09-12T17:03:24.000Z
diff --git a/build_system/landlock.rs b/build_system/landlock.rs
@@ -0,0 +1,64 @@
+use landlock::{
+    path_beneath_rules, Access, AccessFs, Compatible, RulesetAttr, RulesetCreated,
+    RulesetCreatedAttr, ABI,
+};
+
+/// Base landlock ruleset
+///
+/// This allows access to various essential system locations.
+pub(super) fn base_ruleset() -> RulesetCreated {
+    let abi = ABI::V2;
+    let access_all = AccessFs::from_all(abi);
+    let access_read = AccessFs::from_read(abi);
+    landlock::Ruleset::default()
+        .set_compatibility(landlock::CompatLevel::BestEffort)
+        .handle_access(access_all)
+        .unwrap()
+        .create()
+        .unwrap()
+        .add_rules(path_beneath_rules(&["/"], access_read))
+        .unwrap()
+        .add_rules(path_beneath_rules(&["/tmp", "/dev/null"], access_all))
+        .unwrap()
+        .add_rules(landlock::path_beneath_rules(
+            &[std::env::home_dir().unwrap().join(".cargo/registry")],
+            access_all,
+        ))
+        .unwrap()
+}
+
+pub(super) fn lock_fetch() {
+    let abi = landlock::ABI::V2;
+    let access_all = landlock::AccessFs::from_all(abi);
+    base_ruleset()
+        .add_rules(landlock::path_beneath_rules(
+            &[
+                std::env::current_dir().unwrap().join("build"), // FIXME only enable during ./y.rs build
+            ],
+            access_all,
+        ))
+        .unwrap()
+        .add_rules(path_beneath_rules(
+            [std::env::current_dir().unwrap().join("download")],
+            access_all,
+        ))
+        .unwrap()
+        .restrict_self()
+        .unwrap();
+}
+
+pub(super) fn lock_build() {
+    let abi = landlock::ABI::V2;
+    let access_all = landlock::AccessFs::from_all(abi);
+    base_ruleset()
+        .add_rules(landlock::path_beneath_rules(
+            &[
+                std::env::current_dir().unwrap().join("build"),
+                std::env::current_dir().unwrap().join("dist"),
+            ],
+            access_all,
+        ))
+        .unwrap()
+        .restrict_self()
+        .unwrap();
+}
diff --git a/build_system/main.rs b/build_system/main.rs
@@ -12,6 +12,7 @@ mod bench;
 mod build_backend;
 mod build_sysroot;
 mod config;
+mod landlock;
 mod path;
 mod prepare;
 mod rustc_info;
@@ -54,36 +55,6 @@ enum CodegenBackend {
 }
 
 fn main() {
-    use landlock::{Access, Compatible, RulesetAttr, RulesetCreatedAttr};
-    let abi = landlock::ABI::V2;
-    let access_all = landlock::AccessFs::from_all(abi);
-    let access_read = landlock::AccessFs::from_read(abi);
-    landlock::Ruleset::default()
-        .set_compatibility(landlock::CompatLevel::BestEffort)
-        .handle_access(access_all)
-        .unwrap()
-        .create()
-        .unwrap()
-        .add_rules(landlock::path_beneath_rules(&["/"], access_read))
-        .unwrap()
-        .add_rules(landlock::path_beneath_rules(&["/tmp", "/dev/null"], access_all))
-        .unwrap()
-        .add_rules(landlock::path_beneath_rules(
-            &[
-                std::env::current_dir().unwrap().join("build"),
-                std::env::current_dir().unwrap().join("dist"),
-            ],
-            access_all,
-        ))
-        .unwrap()
-        .add_rules(landlock::path_beneath_rules(
-            &[std::env::home_dir().unwrap().join(".cargo/registry")],
-            access_all,
-        ))
-        .unwrap()
-        .restrict_self()
-        .unwrap();
-
     if env::var_os("RUST_BACKTRACE").is_none() {
         env::set_var("RUST_BACKTRACE", "1");
     }
@@ -160,15 +131,21 @@ fn main() {
     out_dir = current_dir.join(out_dir);
 
     if command == Command::Prepare {
-        prepare::prepare(&path::Dirs {
+        let dirs = path::Dirs {
             source_dir: current_dir.clone(),
             download_dir: download_dir
                 .map(|dir| current_dir.join(dir))
                 .unwrap_or_else(|| out_dir.join("download")),
             build_dir: PathBuf::from("dummy_do_not_use"),
             dist_dir: PathBuf::from("dummy_do_not_use"),
             frozen,
-        });
+        };
+
+        path::RelPath::DOWNLOAD.ensure_exists(&dirs);
+
+        landlock::lock_fetch();
+
+        prepare::prepare(&dirs);
         process::exit(0);
     }
 
@@ -216,6 +193,7 @@ fn main() {
     };
 
     path::RelPath::BUILD.ensure_exists(&dirs);
+    path::RelPath::DIST.ensure_exists(&dirs);
 
     {
         // Make sure we always explicitly specify the target dir
@@ -226,6 +204,8 @@ fn main() {
         std::fs::File::create(target).unwrap();
     }
 
+    landlock::lock_build();
+
     env::set_var("RUSTC", "rustc_should_be_set_explicitly");
     env::set_var("RUSTDOC", "rustdoc_should_be_set_explicitly");
 
