Skip to content

Commit

Permalink
Update go-landlock and use NewConfig instead
Browse files Browse the repository at this point in the history
Co-authored-by: Zheao Li <[email protected]>
Signed-off-by: Kailun Qin <[email protected]>
  • Loading branch information
kailun-qin and Zheaoli committed Dec 23, 2024
1 parent 36d695b commit cfe834c
Show file tree
Hide file tree
Showing 3 changed files with 44 additions and 7 deletions.
22 changes: 22 additions & 0 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -38,4 +38,26 @@ require (
github.com/landlock-lsm/go-landlock v0.0.0-20210828133255-ec6c6b87a946
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/vishvananda/netns v0.0.4 // indirect
github.com/bits-and-blooms/bitset v1.2.0
github.com/checkpoint-restore/go-criu/v5 v5.0.0
github.com/cilium/ebpf v0.6.2
github.com/containerd/console v1.0.3
github.com/coreos/go-systemd/v22 v22.3.2
github.com/cyphar/filepath-securejoin v0.2.3
github.com/docker/go-units v0.4.0
github.com/godbus/dbus/v5 v5.0.4
github.com/landlock-lsm/go-landlock v0.0.0-20210908180355-c56710719da4
github.com/moby/sys/mountinfo v0.4.1
github.com/mrunalp/fileutils v0.5.0
github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
github.com/opencontainers/selinux v1.8.4
github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921
github.com/sirupsen/logrus v1.8.1
github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
// NOTE: urfave/cli must be <= v1.22.1 due to a regression: https://github.com/urfave/cli/issues/1092
github.com/urfave/cli v1.22.1
github.com/vishvananda/netlink v1.1.0
golang.org/x/net v0.0.0-20201224014010-6772e930b67b
golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf
google.golang.org/protobuf v1.27.1
)
15 changes: 15 additions & 0 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,21 @@ github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE
github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/opencontainers/selinux v1.11.1 h1:nHFvthhM0qY8/m+vfhJylliSshm8G1jJ2jDMcgULaH8=
github.com/opencontainers/selinux v1.11.1/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/landlock-lsm/go-landlock v0.0.0-20210908180355-c56710719da4 h1:5FNPB9FxONNZ10VtNC2n15+0O4O6wfCqCBmkxm2O5x0=
github.com/landlock-lsm/go-landlock v0.0.0-20210908180355-c56710719da4/go.mod h1:wjznJ04q4Tvsbx3vkzfmgfEOe6w5dSGlXFa+xbSl9X8=
github.com/moby/sys/mountinfo v0.4.1 h1:1O+1cHA1aujwEwwVMa2Xm2l+gIpUHyd3+D+d7LZh1kM=
github.com/moby/sys/mountinfo v0.4.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A=
github.com/mrunalp/fileutils v0.5.0 h1:NKzVxiH7eSk+OQ4M+ZYW1K6h27RUV3MI6NUTsHhU6Z4=
github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc=
github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/opencontainers/selinux v1.8.4 h1:krlgQ6/j9CkCXT5oW0yVXdQFOME3NjKuuAZXuR6O7P4=
github.com/opencontainers/selinux v1.8.4/go.mod h1:HTvjPFoGMbpQsG886e3lQwnsRWtE4TC1OF3OUvG9FAo=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
Expand Down
14 changes: 7 additions & 7 deletions libcontainer/landlock/landlock.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,14 +21,14 @@ func InitLandlock(config *configs.Landlock) error {
return errors.New("cannot initialize Landlock - nil config passed")
}

var llConfig landlock.Config

ruleset := config.Ruleset.HandledAccessFS
// Panic on error when constructing the Landlock configuration using invalid config values.
if config.DisableBestEffort {
llConfig = landlock.MustConfig(ruleset)
} else {
llConfig = landlock.MustConfig(ruleset).BestEffort()
llConfig, err := landlock.NewConfig(ruleset)
if err != nil {
return fmt.Errorf("could not create ruleset: %w", err)
}

if !config.DisableBestEffort {
*llConfig = llConfig.BestEffort()
}

if err := llConfig.RestrictPaths(
Expand Down

0 comments on commit cfe834c

Please sign in to comment.