sign: ensure we are getting RW/RO access for the files

Signed-off-by: Morten Linderud <[email protected]>

Author: Foxboron

cmd/sbctl/sign.go

@@ -11,6 +11,7 @@ import (
 	"github.com/foxboron/sbctl/logging"
 	"github.com/foxboron/sbctl/lsm"
 	"github.com/landlock-lsm/go-landlock/landlock"
+	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
 )
 
@@ -30,27 +31,32 @@ var signCmd = &cobra.Command{
 			os.Exit(1)
 		}
 
+		var rules []landlock.Rule
+
 		// Ensure we have absolute paths
 		file, err := filepath.Abs(args[0])
 		if err != nil {
 			return err
 		}
 		if output == "" {
 			output = file
+			rules = append(rules, lsm.TruncFile(file).IgnoreIfMissing())
 		} else {
 			output, err = filepath.Abs(output)
 			if err != nil {
 				return err
 			}
+			// Set input file to RO and output dir/file to RW
+			rules = append(rules, landlock.ROFiles(file).IgnoreIfMissing())
+			if ok, _ := afero.Exists(state.Fs, output); ok {
+				rules = append(rules, lsm.TruncFile(output))
+			} else {
+				rules = append(rules, landlock.RWDirs(filepath.Dir(output)))
+			}
 		}
 
 		if state.Config.Landlock {
-			lsm.RestrictAdditionalPaths(
-				// TODO: This doesn't work quite how I want it to
-				// setting RWFiles to the path gets EACCES
-				// but setting RWDirs on the dir is fine
-				landlock.RWDirs(filepath.Dir(output)),
-			)
+			lsm.RestrictAdditionalPaths(rules...)
 			if err := lsm.Restrict(); err != nil {
 				return err
 			}

database.go

@@ -69,16 +69,25 @@ func LandlockFromFileDatabase(state *config.State) error {
 		return err
 	}
 	for _, entry := range files {
-		llrules = append(llrules,
-			landlock.PathAccess(accessFile, entry.File),
-		)
+		if entry.File == entry.OutputFile {
+			// If file is the same as output, set RW+Trunc on file
+			llrules = append(llrules,
+				lsm.TruncFile(entry.File).IgnoreIfMissing(),
+			)
+		}
 		if entry.File != entry.OutputFile {
-			// We do an RWDirs on the directory and a RWFiles on the file itself.  it
-			// should be noted that the output file might not exist at this time
-			llrules = append(llrules, landlock.RWDirs(
-				filepath.Dir(entry.File),
-			),
-				landlock.RWFiles(entry.File).IgnoreIfMissing())
+			// Set input file to RO, ignore if missing so we can bubble a useable
+			// error to the user
+			llrules = append(llrules, landlock.ROFiles(entry.File).IgnoreIfMissing())
+
+			// Check if output file exists
+			// if it does we set RW on the file directly
+			// if it doesnt, we set RW on the directory
+			if ok, _ := afero.Exists(state.Fs, entry.OutputFile); ok {
+				llrules = append(llrules, lsm.TruncFile(entry.OutputFile))
+			} else {
+				llrules = append(llrules, landlock.RWDirs(filepath.Dir(entry.OutputFile)))
+			}
 		}
 	}
 	lsm.RestrictAdditionalPaths(llrules...)