1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
|
package landlock
import (
"fmt"
ll "github.com/landlock-lsm/go-landlock/landlock/syscall"
)
type NetRule struct {
access AccessNetSet
port uint16
}
// ConnectTCP is a [Rule] which grants the right to connect a socket
// to a given TCP port.
//
// In Go, the connect(2) operation is usually run as part of
// net.Dial().
func ConnectTCP(port uint16) NetRule {
return NetRule{
access: ll.AccessNetConnectTCP,
port: port,
}
}
// BindTCP is a [Rule] which grants the right to bind a socket to a
// given TCP port.
//
// In Go, the bind(2) operation is usually run as part of
// net.Listen().
func BindTCP(port uint16) NetRule {
return NetRule{
access: ll.AccessNetBindTCP,
port: port,
}
}
func (n NetRule) String() string {
return fmt.Sprintf("ALLOW %v on TCP port %v", n.access, n.port)
}
func (n NetRule) compatibleWithConfig(c Config) bool {
return n.access.isSubset(c.handledAccessNet)
}
func (n NetRule) addToRuleset(rulesetFD int, c Config) error {
if n.access == 0 {
// Adding this to the ruleset would be a no-op
// and result in an error.
return nil
}
flags := 0
attr := &ll.NetPortAttr{
AllowedAccess: uint64(n.access),
Port: uint64(n.port),
}
return ll.LandlockAddNetPortRule(rulesetFD, attr, flags)
}
func (n NetRule) downgrade(c Config) (out Rule, ok bool) {
return NetRule{
access: n.access.intersect(c.handledAccessNet),
port: n.port,
}, true
}
|
