sandlock-core 0.7.0

Lightweight process sandbox using Landlock, seccomp-bpf, and seccomp user notification
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

use std::collections::HashSet;
use std::sync::Mutex;

/// Per-sandbox registry of virtualized netlink cookie fds.
///
/// Keyed by `(pid, fd)` — the exact fd number allocated in the child
/// when our `socket(AF_NETLINK, ..., NETLINK_ROUTE)` handler returned
/// `InjectFdSendTracked`.  Using the fd number directly (instead of
/// comparing `/proc/<pid>/fd/<fd>` inodes against a set of injected
/// inodes) avoids TOCTOU: once we record `(pid, fd)`, no other thread
/// can redirect that fd slot without our `close` handler observing it
/// and removing the entry first.
#[derive(Default)]
pub struct NetlinkState {
    cookies: Mutex<HashSet<(i32, i32)>>,
}

impl NetlinkState {
    pub fn new() -> Self {
        Self { cookies: Mutex::new(HashSet::new()) }
    }

    /// Register a new cookie fd injected into the child.
    pub fn register(&self, pid: i32, fd: i32) {
        self.cookies.lock().unwrap().insert((pid, fd));
    }

    /// Remove a cookie entry.  Called from the close handler when the
    /// child closes a tracked fd.
    pub fn unregister(&self, pid: i32, fd: i32) {
        self.cookies.lock().unwrap().remove(&(pid, fd));
    }

    /// Is this (pid, fd) one of our injected netlink cookies?
    pub fn is_cookie(&self, pid: i32, fd: i32) -> bool {
        self.cookies.lock().unwrap().contains(&(pid, fd))
    }
}