pub fn path_beneath_rules<I, P, A>(
    paths: I,
    access: A,
) -> impl Iterator<Item = Result<PathBeneath<PathFd>, RulesetError>>
Helper to quickly create an iterator of PathBeneath rules.
Note

From the kernel's perspective, Landlock rules operate on file descriptors, not paths. This is a helper to create rules based on paths: each path is opened to obtain a file descriptor, and path_beneath_rules() silently ignores paths that cannot be opened (for example a mistyped or nonexistent path), because no file descriptor can be obtained for them. Such a path yields no rule at all. Since Landlock only grants the handled access rights that some rule allows, the sandboxed process is then denied access to that path rather than silently granted it, so it is worth checking that the intended paths exist before the rules are built. When possible and for a given path, path_beneath_rules() also automatically adjusts the access rights, depending on whether a directory or a file is present at that path (directory-only rights are dropped when the path is a regular file).

This behavior is the result of CompatLevel::BestEffort, which is the default compatibility level of all created rulesets, and it therefore applies to the example below. However, if CompatLevel::HardRequirement is set using Compatible::set_compatibility, attempting to create an incompatible rule at runtime will cause this crate to raise an error instead.
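Because a path that fails to open is dropped without any diagnostic under the default CompatLevel::BestEffort, a pre-flight check over the candidate paths is the practical safeguard. The block below is an added example and not code from the landlock crate: it uses only the standard library, never calls Landlock, and assumes that a stat() of each path is a close enough stand-in for the O_PATH open that PathFd performs (both follow symlinks and both need only search permission on the parent directories). The names PathOutcome, check_path, classify_paths, preflight and demo_outcomes are local to this example. It classifies each path the way the helper would (directory, file, or skipped) and reports the skipped ones, so a typo surfaces as a warning before restrict_self() rather than as an unexplained EACCES inside the sandbox.

```rust
// Added example (not part of the landlock crate): pre-flight check for the
// paths you intend to hand to path_beneath_rules(). Under the default
// CompatLevel::BestEffort a path that cannot be opened is silently dropped, and
// because Landlock only grants what a rule allows, the sandboxed process is then
// denied that path. This check turns the silent drop into a visible warning.
// Assumption: fs::metadata (stat) approximates the O_PATH open done by PathFd.
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// What path_beneath_rules() is expected to do with one path.
#[derive(Debug, PartialEq, Eq)]
pub enum PathOutcome {
    /// A directory: the full requested access set applies beneath it.
    Directory,
    /// A regular file (or other non-directory): directory-only rights are dropped.
    File,
    /// Cannot be opened: no rule is produced, so the path ends up denied.
    Skipped(io::ErrorKind),
}

pub fn check_path(path: &Path) -> PathOutcome {
    match fs::metadata(path) {
        Ok(md) if md.is_dir() => PathOutcome::Directory,
        Ok(_) => PathOutcome::File,
        Err(e) => PathOutcome::Skipped(e.kind()),
    }
}

/// Classify every candidate path, keeping the caller's order.
pub fn classify_paths<P: AsRef<Path>>(paths: &[P]) -> Vec<(PathBuf, PathOutcome)> {
    paths
        .iter()
        .map(|p| (p.as_ref().to_path_buf(), check_path(p.as_ref())))
        .collect()
}

/// Split the classification into paths that will get a rule and paths that
/// path_beneath_rules() would drop, so the caller can log or abort on the latter.
pub fn preflight<P: AsRef<Path>>(paths: &[P]) -> (Vec<PathBuf>, Vec<(PathBuf, io::ErrorKind)>) {
    let mut usable = Vec::new();
    let mut dropped = Vec::new();
    for (path, outcome) in classify_paths(paths) {
        match outcome {
            PathOutcome::Skipped(kind) => dropped.push((path, kind)),
            _ => usable.push(path),
        }
    }
    (usable, dropped)
}

/// Constructed fixture: one directory, one file and one mistyped path under a
/// private temp directory, classified and then cleaned up.
pub fn demo_outcomes() -> io::Result<Vec<(PathBuf, PathOutcome)>> {
    let base = std::env::temp_dir().join(format!("landlock_preflight_{}", std::process::id()));
    let dir = base.join("config_dir");
    let file = base.join("config_file");
    let missing = base.join("config_dri"); // deliberate typo: no such path
    fs::create_dir_all(&dir)?;
    fs::write(&file, b"constructed sample content\n")?;
    let outcomes = classify_paths(&[dir, file, missing]);
    fs::remove_dir_all(&base)?;
    Ok(outcomes)
}

fn main() -> io::Result<()> {
    for (path, outcome) in demo_outcomes()? {
        match outcome {
            PathOutcome::Skipped(kind) => eprintln!(
                "warning: {} would get no rule ({:?}); the sandbox will deny it",
                path.display(),
                kind
            ),
            other => println!("{} -> {:?}", path.display(), other),
        }
    }
    Ok(())
}
```

In a real program, run preflight() over the path lists you are about to pass to path_beneath_rules(), and treat a non-empty dropped list as a configuration error (or at least log it) before calling restrict_self(). If you would rather have the crate itself fail loudly, the page's note above explains that CompatLevel::HardRequirement via Compatible::set_compatibility makes incompatible rules an error instead of a silent adjustment.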
Example

use landlock::{
    ABI, Access, AccessFs, Ruleset, RulesetAttr, RulesetCreatedAttr, RulesetStatus, RulesetError,
    path_beneath_rules,
};

fn restrict_thread() -> Result<(), RulesetError> {
    let abi = ABI::V1;
    let status = Ruleset::default()
        .handle_access(AccessFs::from_all(abi))?
        .create()?
        // Read-only access to /usr, /etc and /dev.
        .add_rules(path_beneath_rules(&["/usr", "/etc", "/dev"], AccessFs::from_read(abi)))?
        // Read-write access to /home and /tmp.
        .add_rules(path_beneath_rules(&["/home", "/tmp"], AccessFs::from_all(abi)))?
        .restrict_self()?;
    match status.ruleset {
        // The FullyEnforced case must be tested by the developer.
        RulesetStatus::FullyEnforced => println!("Fully sandboxed."),
        RulesetStatus::PartiallyEnforced => println!("Partially sandboxed."),
        // Users should be warned that they are not protected.
        RulesetStatus::NotEnforced => println!("Not sandboxed! Please update your kernel."),
    }
    Ok(())
}