Better landlock usage

bjorn3 · bjorn3 · commit 8ebd297a10c8 · 2024-09-12T17:30:32.000Z
diff --git a/build_system/landlock.rs b/build_system/landlock.rs
@@ -2,7 +2,7 @@ use std::env;
 use std::path::Path;
 
 use landlock::{
-    path_beneath_rules, Access, AccessFs, Compatible, RulesetAttr, RulesetCreated,
+    path_beneath_rules, Access, AccessFs, CompatLevel, Compatible, RulesetAttr, RulesetCreated,
     RulesetCreatedAttr, ABI,
 };
 
@@ -12,11 +12,14 @@ use crate::rustc_info::get_cargo_home;
 ///
 /// This allows access to various essential system locations.
 pub(super) fn base_ruleset() -> RulesetCreated {
-    let abi = ABI::V2;
+    let abi = ABI::V4;
     let access_all = AccessFs::from_all(abi);
     let access_read = AccessFs::from_read(abi);
     landlock::Ruleset::default()
-        .set_compatibility(landlock::CompatLevel::BestEffort)
+        .set_compatibility(CompatLevel::SoftRequirement)
+        .handle_access(AccessFs::Refer)
+        .unwrap()
+        .set_compatibility(CompatLevel::BestEffort)
         .handle_access(access_all)
         .unwrap()
         .create()
@@ -28,7 +31,7 @@ pub(super) fn base_ruleset() -> RulesetCreated {
 }
 
 pub(super) fn lock_fetch() {
-    let abi = ABI::V2;
+    let abi = ABI::V4;
     let access_all = AccessFs::from_all(abi);
     base_ruleset()
         .add_rules(path_beneath_rules([env::current_dir().unwrap().join("download")], access_all))
@@ -38,7 +41,7 @@ pub(super) fn lock_fetch() {
 }
 
 pub(super) fn lock_build(cargo: &Path) {
-    let abi = ABI::V2;
+    let abi = ABI::V4;
     let access_all = AccessFs::from_all(abi);
     base_ruleset()
         .add_rules(path_beneath_rules(
