-
Notifications
You must be signed in to change notification settings - Fork 89
/
Copy pathdatabase.go
95 lines (83 loc) · 2.33 KB
/
database.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
package sbctl
import (
"encoding/json"
"fmt"
"path/filepath"
"github.com/foxboron/sbctl/config"
"github.com/foxboron/sbctl/fs"
"github.com/foxboron/sbctl/lsm"
"github.com/landlock-lsm/go-landlock/landlock"
"github.com/spf13/afero"
)
type SigningEntry struct {
File string `json:"file"`
OutputFile string `json:"output_file"`
}
type SigningEntries map[string]*SigningEntry
func ReadFileDatabase(vfs afero.Fs, dbpath string) (SigningEntries, error) {
f, err := ReadOrCreateFile(vfs, dbpath)
if err != nil {
return nil, err
}
files := make(SigningEntries)
if len(f) == 0 {
return files, nil
}
if err = json.Unmarshal(f, &files); err != nil {
return nil, fmt.Errorf("failed to parse json: %v", err)
}
return files, nil
}
func WriteFileDatabase(vfs afero.Fs, dbpath string, files SigningEntries) error {
data, err := json.MarshalIndent(files, "", " ")
if err != nil {
return err
}
err = fs.WriteFile(vfs, dbpath, data, 0644)
if err != nil {
return err
}
return nil
}
func SigningEntryIter(state *config.State, fn func(s *SigningEntry) error) error {
files, err := ReadFileDatabase(state.Fs, state.Config.FilesDb)
if err != nil {
return fmt.Errorf("couldn't open database %v: %w", state.Config.FilesDb, err)
}
for _, s := range files {
if err := fn(s); err != nil {
return err
}
}
return nil
}
func LandlockFromFileDatabase(state *config.State) error {
var llrules []landlock.Rule
files, err := ReadFileDatabase(state.Fs, state.Config.FilesDb)
if err != nil {
return err
}
for _, entry := range files {
if entry.File == entry.OutputFile {
// If file is the same as output, set RW+Trunc on file
llrules = append(llrules,
lsm.TruncFile(entry.File).IgnoreIfMissing(),
)
}
if entry.File != entry.OutputFile {
// Set input file to RO, ignore if missing so we can bubble a useable
// error to the user
llrules = append(llrules, landlock.ROFiles(entry.File).IgnoreIfMissing())
// Check if output file exists
// if it does we set RW on the file directly
// if it doesnt, we set RW on the directory
if ok, _ := afero.Exists(state.Fs, entry.OutputFile); ok {
llrules = append(llrules, lsm.TruncFile(entry.OutputFile))
} else {
llrules = append(llrules, landlock.RWDirs(filepath.Dir(entry.OutputFile)))
}
}
}
lsm.RestrictAdditionalPaths(llrules...)
return nil
}