[WIP] Use landlock

Author: bjorn3

build_system/Cargo.lock

@@ -11,6 +11,8 @@ path = "main.rs"
 unstable-features = [] # for rust-analyzer
 
 # Do not add any dependencies
+[dependencies]
+landlock = "0.4"
 
 [profile.dev]
 debug = 1

build_system/Cargo.toml

@@ -0,0 +1,66 @@
+use std::env;
+use std::path::Path;
+
+use landlock::{
+    path_beneath_rules, Access, AccessFs, CompatLevel, Compatible, RulesetAttr, RulesetCreated,
+    RulesetCreatedAttr, ABI,
+};
+
+use crate::rustc_info::get_cargo_home;
+
+/// Base landlock ruleset
+///
+/// This allows access to various essential system locations.
+pub(super) fn base_ruleset() -> RulesetCreated {
+    let abi = ABI::V2;
+    let access_all = AccessFs::from_all(abi);
+    let access_read = AccessFs::from_read(abi);
+    landlock::Ruleset::default()
+        .set_compatibility(CompatLevel::SoftRequirement)
+        .handle_access(AccessFs::Refer)
+        .unwrap()
+        .set_compatibility(CompatLevel::BestEffort)
+        .handle_access(access_all)
+        .unwrap()
+        .create()
+        .unwrap()
+        .add_rules(path_beneath_rules(&["/"], access_read))
+        .unwrap()
+        .add_rules(path_beneath_rules(&["/tmp", "/dev/null"], access_all))
+        .unwrap()
+}
+
+pub(super) fn lock_fetch() {
+    let abi = ABI::V2;
+    let access_all = AccessFs::from_all(abi);
+    base_ruleset()
+        .add_rules(path_beneath_rules([env::current_dir().unwrap().join("download")], access_all))
+        .unwrap()
+        .restrict_self()
+        .unwrap();
+}
+
+pub(super) fn lock_build(cargo: &Path, frozen: bool) {
+    let abi = ABI::V2;
+    let access_all = AccessFs::from_all(abi);
+
+    let ruleset = base_ruleset()
+        .add_rules(path_beneath_rules(
+            &[env::current_dir().unwrap().join("build"), env::current_dir().unwrap().join("dist")],
+            access_all,
+        ))
+        .unwrap();
+
+    let ruleset = if frozen {
+        ruleset
+    } else {
+        ruleset
+            .add_rules(path_beneath_rules(
+                &[get_cargo_home(cargo).join("git"), get_cargo_home(cargo).join("registry")],
+                access_all,
+            ))
+            .unwrap()
+    };
+
+    ruleset.restrict_self().unwrap();
+}

build_system/landlock.rs

@@ -12,6 +12,7 @@ mod bench;
 mod build_backend;
 mod build_sysroot;
 mod config;
+mod landlock;
 mod path;
 mod prepare;
 mod rustc_info;
@@ -130,15 +131,21 @@ fn main() {
     out_dir = current_dir.join(out_dir);
 
     if command == Command::Prepare {
-        prepare::prepare(&path::Dirs {
+        let dirs = path::Dirs {
             source_dir: current_dir.clone(),
             download_dir: download_dir
                 .map(|dir| current_dir.join(dir))
                 .unwrap_or_else(|| out_dir.join("download")),
             build_dir: PathBuf::from("dummy_do_not_use"),
             dist_dir: PathBuf::from("dummy_do_not_use"),
             frozen,
-        });
+        };
+
+        path::RelPath::DOWNLOAD.ensure_exists(&dirs);
+
+        landlock::lock_fetch();
+
+        prepare::prepare(&dirs);
         process::exit(0);
     }
 
@@ -186,6 +193,9 @@ fn main() {
     };
 
     path::RelPath::BUILD.ensure_exists(&dirs);
+    path::RelPath::DIST.ensure_exists(&dirs);
+
+    landlock::lock_build(&bootstrap_host_compiler.cargo, frozen);
 
     {
         // Make sure we always explicitly specify the target dir

build_system/main.rs

@@ -27,6 +27,24 @@ pub(crate) fn get_toolchain_name() -> String {
     String::from_utf8(active_toolchain).unwrap().trim().split_once(' ').unwrap().0.to_owned()
 }
 
+pub(crate) fn get_cargo_home(cargo: &Path) -> PathBuf {
+    let cargo_home = Command::new(cargo)
+        .stderr(Stdio::inherit())
+        .args(&["-Zunstable-options", "config", "get", "--format=json-value", "home"])
+        .output()
+        .unwrap()
+        .stdout;
+    PathBuf::from(
+        String::from_utf8(cargo_home)
+            .unwrap()
+            .trim()
+            .strip_prefix('"')
+            .unwrap()
+            .strip_suffix('"')
+            .unwrap(),
+    )
+}
+
 pub(crate) fn get_cargo_path() -> PathBuf {
     if let Ok(cargo) = std::env::var("CARGO") {
         return PathBuf::from(cargo);