|
| 1 | +{ |
| 2 | + stdenv, |
| 3 | + lib, |
| 4 | + buildGoModule, |
| 5 | + fetchFromGitHub, |
| 6 | + versionCheckHook, |
| 7 | + which, |
| 8 | +}: |
| 9 | + |
| 10 | +buildGoModule (finalAttrs: { |
| 11 | + pname = "landrun"; |
| 12 | + version = "0.1.15"; |
| 13 | + |
| 14 | + src = fetchFromGitHub { |
| 15 | + owner = "Zouuup"; |
| 16 | + repo = "landrun"; |
| 17 | + tag = "v${finalAttrs.version}"; |
| 18 | + hash = "sha256-yfK7Q3FKXp5pXVBNV0w/vN0xuoaTxWCq19ziBQnLapg="; |
| 19 | + }; |
| 20 | + |
| 21 | + # Test script requires lots of patching for build sandbox. |
| 22 | + # Networking tests are disabled, since they actually access the internet. |
| 23 | + # Two tests that specifically target /usr/bin are disabled. |
| 24 | + postPatch = '' |
| 25 | + patchShebangs --build test.sh |
| 26 | + substituteInPlace test.sh \ |
| 27 | + --replace-fail 'Basic access tests' '# Basic access tests' \ |
| 28 | + --replace-fail '--rox /usr --ro /lib --ro /lib64' '--rox ${builtins.storeDir}' \ |
| 29 | + --replace-fail '--rox /usr --ro /lib,/lib64,' '--rox ${builtins.storeDir} --ro ' \ |
| 30 | + --replace-fail '--rox /usr --ro /etc -- whoami' '--help' \ |
| 31 | + --replace-fail '--rox /usr' '--rox ${builtins.storeDir}' \ |
| 32 | + --replace-fail '--ro /usr/bin' "" \ |
| 33 | + --replace-fail '#!/bin/bash' '#!${stdenv.shell}' \ |
| 34 | + --replace-fail '/usr/bin/true' '$(which true)' \ |
| 35 | + --replace-fail 'ls /usr | grep bin' '$(which ls) / | $(which grep) build' \ |
| 36 | + --replace-fail 'ls /usr' '$(which ls) /build' \ |
| 37 | + --replace-fail 'cat ' '$(which cat) ' \ |
| 38 | + --replace-fail 'grep ' '$(which grep) ' \ |
| 39 | + --replace-fail 'ls -la /usr/bin' 'ls -la /build' \ |
| 40 | + --replace-fail 'run_test "TCP connection' 'false && run_test "TCP' \ |
| 41 | + --replace-fail 'run_test "Unrestricted network access"' 'false && run_test ""' \ |
| 42 | + --replace-fail 'run_test "Restricted network access"' 'false && run_test ""' \ |
| 43 | + --replace-fail 'run_test "Execute from read-only paths regression test' 'false && run_test "' \ |
| 44 | + --replace-fail 'run_test "Root path' 'false && run_test "Root path' |
| 45 | + ''; |
| 46 | + |
| 47 | + vendorHash = "sha256-Bs5b5w0mQj1MyT2ctJ7V38Dy60moB36+T8TFH38FA08="; |
| 48 | + |
| 49 | + doInstallCheck = true; |
| 50 | + nativeInstallCheckInputs = [ |
| 51 | + versionCheckHook |
| 52 | + which |
| 53 | + ]; |
| 54 | + postInstallCheck = '' |
| 55 | + # only check functionality if the builder supports it (Linux 5.13+) |
| 56 | + set +e |
| 57 | + $out/bin/landrun --best-effort --rox ${builtins.storeDir} sh -c 'exit' |
| 58 | + [[ $? != 0 ]] && set -e && return |
| 59 | + set -e |
| 60 | +
|
| 61 | + # only run upstream tests if the builder supports all features (Linux 6.7+) |
| 62 | + set +e |
| 63 | + $out/bin/landrun --rox ${builtins.storeDir} sh -c 'exit' |
| 64 | + [[ $? == 0 ]] && set -e && export PATH=$out/bin:"$PATH" && ./test.sh --use-system |
| 65 | + set -e |
| 66 | +
|
| 67 | + pushd $(mktemp -d) |
| 68 | +
|
| 69 | + # check directory read/write restrictions work |
| 70 | + mkdir dir1 |
| 71 | + echo content > dir1/file1 |
| 72 | +
|
| 73 | + set +e |
| 74 | + $out/bin/landrun --best-effort --rox ${builtins.storeDir} sh -c '< dir1/file1' |
| 75 | + [[ $? == 0 ]] && die |
| 76 | + set -e |
| 77 | +
|
| 78 | + $out/bin/landrun --best-effort --rox ${builtins.storeDir} --ro ./dir1 --env PATH sh -c 'cat dir1/file1' \ |
| 79 | + | grep content > /dev/null |
| 80 | +
|
| 81 | + set +e |
| 82 | + $out/bin/landrun --best-effort --rox ${builtins.storeDir} --ro ./dir1 sh -c 'echo x > dir1/file1' |
| 83 | + [[ $? == 0 ]] && die |
| 84 | + set -e |
| 85 | + cat dir1/file1 | grep content > /dev/null |
| 86 | +
|
| 87 | + $out/bin/landrun --best-effort --rox ${builtins.storeDir} --rw ./dir1 sh -c 'echo x > dir1/file1' |
| 88 | + cat dir1/file1 | grep x > /dev/null |
| 89 | +
|
| 90 | + popd |
| 91 | + ''; |
| 92 | + |
| 93 | + meta = { |
| 94 | + description = "Lightweight, secure sandbox for running Linux processes using Landlock LSM"; |
| 95 | + mainProgram = "landrun"; |
| 96 | + longDescription = '' |
| 97 | + Landrun is designed to make it practical to sandbox any command with fine-grained filesystem |
| 98 | + and network access controls, without root/containers/SELinux/AppArmor. |
| 99 | +
|
| 100 | + It's lightweight, auditable, and wraps Landlock v5 features. |
| 101 | +
|
| 102 | + Linux 5.13+ is required for file access restrictions, Linux 6.7+ for TCP restrictions. |
| 103 | + ''; |
| 104 | + homepage = "https://github.com/Zouuup/landrun"; |
| 105 | + changelog = "https://github.com/Zouuup/landrun/releases/tag/{finalAttrs.src.tag}"; |
| 106 | + license = lib.licenses.gpl2Only; |
| 107 | + maintainers = [ lib.maintainers.fliegendewurst ]; |
| 108 | + platforms = lib.platforms.linux; |
| 109 | + }; |
| 110 | +}) |
0 commit comments