mirrors/wireproxy
1
0
Fork 0
mirror of https://github.com/whyvl/wireproxy.git synced 2025-04-29 19:01:42 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix landlock restriction while files do not exists (#114)

Browse source
This commit is contained in:
pufferfish 2024-04-19 15:15:09 +01:00 committed by GitHub
parent a6797166eb
commit 6ab7069908
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 18 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

36
cmd/wireproxy/main.go
View file

@ -76,24 +76,24 @@ func lock(stage string) {
// Linux
net.DefaultResolver.PreferGo = true // needed to lock down dependencies
panicIfError(landlock.V1.BestEffort().RestrictPaths(
landlock.ROFiles("/etc/resolv.conf"),
landlock.ROFiles("/dev/fd"),
landlock.ROFiles("/dev/zero"),
landlock.ROFiles("/dev/urandom"),
landlock.ROFiles("/etc/localtime"),
landlock.ROFiles("/proc/self/stat"),
landlock.ROFiles("/proc/self/status"),
landlock.ROFiles("/usr/share/locale"),
landlock.ROFiles("/proc/self/cmdline"),
landlock.ROFiles("/usr/share/zoneinfo"),
landlock.ROFiles("/proc/sys/kernel/version"),
landlock.ROFiles("/proc/sys/kernel/ngroups_max"),
landlock.ROFiles("/proc/sys/kernel/cap_last_cap"),
landlock.ROFiles("/proc/sys/vm/overcommit_memory"),
landlock.RWFiles("/dev/log"),
landlock.RWFiles("/dev/null"),
landlock.RWFiles("/dev/full"),
landlock.RWFiles("/proc/self/fd"),
landlock.ROFiles("/etc/resolv.conf").IgnoreIfMissing(),
landlock.ROFiles("/dev/fd").IgnoreIfMissing(),
landlock.ROFiles("/dev/zero").IgnoreIfMissing(),
landlock.ROFiles("/dev/urandom").IgnoreIfMissing(),
landlock.ROFiles("/etc/localtime").IgnoreIfMissing(),
landlock.ROFiles("/proc/self/stat").IgnoreIfMissing(),
landlock.ROFiles("/proc/self/status").IgnoreIfMissing(),
landlock.ROFiles("/usr/share/locale").IgnoreIfMissing(),
landlock.ROFiles("/proc/self/cmdline").IgnoreIfMissing(),
landlock.ROFiles("/usr/share/zoneinfo").IgnoreIfMissing(),
landlock.ROFiles("/proc/sys/kernel/version").IgnoreIfMissing(),
landlock.ROFiles("/proc/sys/kernel/ngroups_max").IgnoreIfMissing(),
landlock.ROFiles("/proc/sys/kernel/cap_last_cap").IgnoreIfMissing(),
landlock.ROFiles("/proc/sys/vm/overcommit_memory").IgnoreIfMissing(),
landlock.RWFiles("/dev/log").IgnoreIfMissing(),
landlock.RWFiles("/dev/null").IgnoreIfMissing(),
landlock.RWFiles("/dev/full").IgnoreIfMissing(),
landlock.RWFiles("/proc/self/fd").IgnoreIfMissing(),
))
default:
panic("invalid stage")