Better restrict ./y.sh prepare

Author: bjorn3

build_system/landlock.rs

@@ -1,8 +1,13 @@
+use std::env;
+use std::path::Path;
+
 use landlock::{
     path_beneath_rules, Access, AccessFs, Compatible, RulesetAttr, RulesetCreated,
     RulesetCreatedAttr, ABI,
 };
 
+use crate::rustc_info::get_cargo_home;
+
 /// Base landlock ruleset
 ///
 /// This allows access to various essential system locations.
@@ -20,42 +25,29 @@ pub(super) fn base_ruleset() -> RulesetCreated {
         .unwrap()
         .add_rules(path_beneath_rules(&["/tmp", "/dev/null"], access_all))
         .unwrap()
-        .add_rules(landlock::path_beneath_rules(
-            &[std::env::home_dir().unwrap().join(".cargo/registry")],
-            access_all,
-        ))
-        .unwrap()
 }
 
 pub(super) fn lock_fetch() {
-    let abi = landlock::ABI::V2;
-    let access_all = landlock::AccessFs::from_all(abi);
+    let abi = ABI::V2;
+    let access_all = AccessFs::from_all(abi);
     base_ruleset()
-        .add_rules(landlock::path_beneath_rules(
-            &[
-                std::env::current_dir().unwrap().join("build"), // FIXME only enable during ./y.rs build
-            ],
-            access_all,
-        ))
-        .unwrap()
-        .add_rules(path_beneath_rules(
-            [std::env::current_dir().unwrap().join("download")],
-            access_all,
-        ))
+        .add_rules(path_beneath_rules([env::current_dir().unwrap().join("download")], access_all))
         .unwrap()
         .restrict_self()
         .unwrap();
 }
 
-pub(super) fn lock_build() {
-    let abi = landlock::ABI::V2;
-    let access_all = landlock::AccessFs::from_all(abi);
+pub(super) fn lock_build(cargo: &Path) {
+    let abi = ABI::V2;
+    let access_all = AccessFs::from_all(abi);
     base_ruleset()
-        .add_rules(landlock::path_beneath_rules(
-            &[
-                std::env::current_dir().unwrap().join("build"),
-                std::env::current_dir().unwrap().join("dist"),
-            ],
+        .add_rules(path_beneath_rules(
+            &[get_cargo_home(cargo).join("git"), get_cargo_home(cargo).join("registry")],
+            access_all,
+        ))
+        .unwrap()
+        .add_rules(path_beneath_rules(
+            &[env::current_dir().unwrap().join("build"), env::current_dir().unwrap().join("dist")],
             access_all,
         ))
         .unwrap()

build_system/main.rs

@@ -204,7 +204,7 @@ fn main() {
         std::fs::File::create(target).unwrap();
     }
 
-    landlock::lock_build();
+    landlock::lock_build(&bootstrap_host_compiler.cargo);
 
     env::set_var("RUSTC", "rustc_should_be_set_explicitly");
     env::set_var("RUSTDOC", "rustdoc_should_be_set_explicitly");

build_system/rustc_info.rs

@@ -27,6 +27,24 @@ pub(crate) fn get_toolchain_name() -> String {
     String::from_utf8(active_toolchain).unwrap().trim().split_once(' ').unwrap().0.to_owned()
 }
 
+pub(crate) fn get_cargo_home(cargo: &Path) -> PathBuf {
+    let cargo_home = Command::new(cargo)
+        .stderr(Stdio::inherit())
+        .args(&["-Zunstable-options", "config", "get", "--format=json-value", "home"])
+        .output()
+        .unwrap()
+        .stdout;
+    PathBuf::from(
+        String::from_utf8(cargo_home)
+            .unwrap()
+            .trim()
+            .strip_prefix('"')
+            .unwrap()
+            .strip_suffix('"')
+            .unwrap(),
+    )
+}
+
 pub(crate) fn get_cargo_path() -> PathBuf {
     if let Ok(cargo) = std::env::var("CARGO") {
         return PathBuf::from(cargo);