commit 23be8883f4bca6415f137c12a09c01cfb8cd1d3c

pyrox.dev / nixpkgs

lol

fork atom

landrun: init at 0.1.15

FliegendeWurst 10 months ago 23be8883 f0b75c41

+110

1 changed file

expand all

unified split

pkgs

by-name

landrun

package.nix

+110

pkgs/by-name/la/landrun/package.nix

··· 1 + { 2 + stdenv, 3 + lib, 4 + buildGoModule, 5 + fetchFromGitHub, 6 + versionCheckHook, 7 + which, 8 + }: 9 + 10 + buildGoModule (finalAttrs: { 11 + pname = "landrun"; 12 + version = "0.1.15"; 13 + 14 + src = fetchFromGitHub { 15 + owner = "Zouuup"; 16 + repo = "landrun"; 17 + tag = "v${finalAttrs.version}"; 18 + hash = "sha256-yfK7Q3FKXp5pXVBNV0w/vN0xuoaTxWCq19ziBQnLapg="; 19 + }; 20 + 21 + # Test script requires lots of patching for build sandbox. 22 + # Networking tests are disabled, since they actually access the internet. 23 + # Two tests that specifically target /usr/bin are disabled. 24 + postPatch = '' 25 + patchShebangs --build test.sh 26 + substituteInPlace test.sh \ 27 + --replace-fail 'Basic access tests' '# Basic access tests' \ 28 + --replace-fail '--rox /usr --ro /lib --ro /lib64' '--rox ${builtins.storeDir}' \ 29 + --replace-fail '--rox /usr --ro /lib,/lib64,' '--rox ${builtins.storeDir} --ro ' \ 30 + --replace-fail '--rox /usr --ro /etc -- whoami' '--help' \ 31 + --replace-fail '--rox /usr' '--rox ${builtins.storeDir}' \ 32 + --replace-fail '--ro /usr/bin' "" \ 33 + --replace-fail '#!/bin/bash' '#!${stdenv.shell}' \ 34 + --replace-fail '/usr/bin/true' '$(which true)' \ 35 + --replace-fail 'ls /usr | grep bin' '$(which ls) / | $(which grep) build' \ 36 + --replace-fail 'ls /usr' '$(which ls) /build' \ 37 + --replace-fail 'cat ' '$(which cat) ' \ 38 + --replace-fail 'grep ' '$(which grep) ' \ 39 + --replace-fail 'ls -la /usr/bin' 'ls -la /build' \ 40 + --replace-fail 'run_test "TCP connection' 'false && run_test "TCP' \ 41 + --replace-fail 'run_test "Unrestricted network access"' 'false && run_test ""' \ 42 + --replace-fail 'run_test "Restricted network access"' 'false && run_test ""' \ 43 + --replace-fail 'run_test "Execute from read-only paths regression test' 'false && run_test "' \ 44 + --replace-fail 'run_test "Root path' 'false && run_test "Root path' 45 + ''; 46 + 47 + vendorHash = "sha256-Bs5b5w0mQj1MyT2ctJ7V38Dy60moB36+T8TFH38FA08="; 48 + 49 + doInstallCheck = true; 50 + nativeInstallCheckInputs = [ 51 + versionCheckHook 52 + which 53 + ]; 54 + postInstallCheck = '' 55 + # only check functionality if the builder supports it (Linux 5.13+) 56 + set +e 57 + $out/bin/landrun --best-effort --rox ${builtins.storeDir} sh -c 'exit' 58 + [[ $? != 0 ]] && set -e && return 59 + set -e 60 + 61 + # only run upstream tests if the builder supports all features (Linux 6.7+) 62 + set +e 63 + $out/bin/landrun --rox ${builtins.storeDir} sh -c 'exit' 64 + [[ $? == 0 ]] && set -e && export PATH=$out/bin:"$PATH" && ./test.sh --use-system 65 + set -e 66 + 67 + pushd $(mktemp -d) 68 + 69 + # check directory read/write restrictions work 70 + mkdir dir1 71 + echo content > dir1/file1 72 + 73 + set +e 74 + $out/bin/landrun --best-effort --rox ${builtins.storeDir} sh -c '< dir1/file1' 75 + [[ $? == 0 ]] && die 76 + set -e 77 + 78 + $out/bin/landrun --best-effort --rox ${builtins.storeDir} --ro ./dir1 --env PATH sh -c 'cat dir1/file1' \ 79 + | grep content > /dev/null 80 + 81 + set +e 82 + $out/bin/landrun --best-effort --rox ${builtins.storeDir} --ro ./dir1 sh -c 'echo x > dir1/file1' 83 + [[ $? == 0 ]] && die 84 + set -e 85 + cat dir1/file1 | grep content > /dev/null 86 + 87 + $out/bin/landrun --best-effort --rox ${builtins.storeDir} --rw ./dir1 sh -c 'echo x > dir1/file1' 88 + cat dir1/file1 | grep x > /dev/null 89 + 90 + popd 91 + ''; 92 + 93 + meta = { 94 + description = "Lightweight, secure sandbox for running Linux processes using Landlock LSM"; 95 + mainProgram = "landrun"; 96 + longDescription = '' 97 + Landrun is designed to make it practical to sandbox any command with fine-grained filesystem 98 + and network access controls, without root/containers/SELinux/AppArmor. 99 + 100 + It's lightweight, auditable, and wraps Landlock v5 features. 101 + 102 + Linux 5.13+ is required for file access restrictions, Linux 6.7+ for TCP restrictions. 103 + ''; 104 + homepage = "https://github.com/Zouuup/landrun"; 105 + changelog = "https://github.com/Zouuup/landrun/releases/tag/{finalAttrs.src.tag}"; 106 + license = lib.licenses.gpl2Only; 107 + maintainers = [ lib.maintainers.fliegendewurst ]; 108 + platforms = lib.platforms.linux; 109 + }; 110 + })