Class: AgentJail::Restrictions::Landlock
Defined in: lib/agent_jail/restrictions/landlock.rb
Overview
Applies Linux Landlock filesystem restrictions in the child process. Requires kernel 5.13+ and is a no-op on older kernels.
Constant Summary
- SYSTEM_READ_PATHS = %w[ /usr /lib /lib64 /proc /dev /etc /run/systemd ].freeze
  Paths that are implicitly allowed read-only for Ruby to function. These are added automatically regardless of user-specified fs_allow.
Instance Method Summary
- #apply ⇒ Object
- #initialize(fs_allow:, fs_read_allow:) ⇒ Landlock (constructor)
  A new instance of Landlock.
Constructor Details
#initialize(fs_allow:, fs_read_allow:) ⇒ Landlock
Returns a new instance of Landlock.
# File 'lib/agent_jail/restrictions/landlock.rb', line 20
def initialize(fs_allow:, fs_read_allow:)
  super()
  @fs_allow = Array(fs_allow)
  @fs_read_allow = Array(fs_read_allow)
end
Instance Method Details
#apply ⇒ Object
# File 'lib/agent_jail/restrictions/landlock.rb', line 26
def apply
  # Create a ruleset that handles every filesystem access right; a negative
  # return value means the syscall failed.
  ruleset_fd = FFI::Landlock.create_ruleset(FFI::Landlock::ALL_ACCESS_FS)
  raise "landlock_create_ruleset failed: #{ruleset_fd}" if ruleset_fd.negative?
  # Landlock rules are additive: read-only grants first, then read-write grants.
  add_read_only_paths(ruleset_fd)
  add_read_write_paths(ruleset_fd)
  # Enforce the ruleset on the calling process. The kernel requires
  # no_new_privs (or CAP_SYS_ADMIN) to be in effect for this call to succeed.
  FFI::Landlock.restrict_self(ruleset_fd)
end
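The following is an added example, not code from the agent_jail gem: a pure-Ruby model of the rule table that #apply builds from SYSTEM_READ_PATHS, fs_read_allow and fs_allow, so you can see which rights a given path ends up with before enforcing anything. It goes slightly beyond the page by implementing Landlock's union semantics as a query: the rights on a file are the union of the rights granted to every rule path that is the file itself or one of its ancestors, and a path covered by no rule gets nothing. The right names (:read_file, :write_file, ...) and the build_rules / effective_rights / allowed? helpers are illustrative names chosen here, not the kernel's LANDLOCK_ACCESS_FS_* constants or the gem's API.

```ruby
# Added example (not AgentJail's code): model the read-only / read-write
# rule table that Landlock#apply installs and answer "what may this path do?"
require 'pathname'

# Copied from the class constant on this page.
SYSTEM_READ_PATHS = %w[/usr /lib /lib64 /proc /dev /etc /run/systemd].freeze

# Illustrative right names; the kernel uses LANDLOCK_ACCESS_FS_* bit flags.
READ_RIGHTS  = %i[read_file read_dir execute].freeze
WRITE_RIGHTS = %i[write_file make_reg make_dir remove_file remove_dir].freeze

def normalize(path)
  Pathname.new(path).cleanpath.to_s
end

# Build the rule table in the same order as #apply: implicit system
# read-only paths, then user read-only paths, then read-write paths.
# Grants are accumulated with |= because Landlock rules never subtract.
def build_rules(fs_allow:, fs_read_allow:)
  rules = Hash.new { |h, k| h[k] = [] }
  (SYSTEM_READ_PATHS + Array(fs_read_allow)).each do |p|
    rules[normalize(p)] |= READ_RIGHTS
  end
  Array(fs_allow).each do |p|
    rules[normalize(p)] |= READ_RIGHTS + WRITE_RIGHTS
  end
  rules
end

# True when `ancestor` is `path` itself or a directory above it.
def covers?(ancestor, path)
  return true if ancestor == '/' || ancestor == path
  path.start_with?(ancestor + '/')
end

# Union of the rights of every rule whose path covers the queried path;
# an empty result means the kernel would deny every handled access.
def effective_rights(rules, path)
  path = normalize(path)
  rules.select { |rule_path, _| covers?(rule_path, path) }
       .values.flatten.uniq.sort
end

def allowed?(rules, path, right)
  effective_rights(rules, path).include?(right)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample configuration, mirroring the constructor's keywords.
  rules = build_rules(fs_allow: ['/tmp/work'], fs_read_allow: ['/home/agent/repo'])
  puts "ruby binary executable: #{allowed?(rules, '/usr/bin/ruby', :execute)}"
  puts "repo writable:          #{allowed?(rules, '/home/agent/repo/Gemfile', :write_file)}"
  puts "work dir rights:        #{effective_rights(rules, '/tmp/work/out.txt').inspect}"
end
```

Because the model is additive, listing a parent read-only and a child read-write gives the child full rights, which is exactly why SYSTEM_READ_PATHS can be granted unconditionally without weakening a read-write grant underneath it; conversely, anything outside every listed hierarchy (here, /tmp/other or / itself) has no rights at all.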