lsm: Implement TruncFile

We need RWFile access + O_TRUNC access

Signed-off-by: Morten Linderud <[email protected]>

Author: Foxboron

database.go

@@ -10,7 +10,6 @@ import (
 	"github.com/foxboron/sbctl/lsm"
 	"github.com/landlock-lsm/go-landlock/landlock"
 
-	ll "github.com/landlock-lsm/go-landlock/landlock/syscall"
 	"github.com/spf13/afero"
 )
 
@@ -63,11 +62,6 @@ func SigningEntryIter(state *config.State, fn func(s *SigningEntry) error) error
 	return nil
 }
 
-const (
-	// We open the file with O_TRUNC
-	accessFile landlock.AccessFSSet = ll.AccessFSExecute | ll.AccessFSWriteFile | ll.AccessFSReadFile | ll.AccessFSTruncate
-)
-
 func LandlockFromFileDatabase(state *config.State) error {
 	var llrules []landlock.Rule
 	files, err := ReadFileDatabase(state.Fs, state.Config.FilesDb)

lsm/lsm.go

@@ -6,12 +6,21 @@ import (
 
 	"github.com/foxboron/sbctl/config"
 	"github.com/landlock-lsm/go-landlock/landlock"
+
+	ll "github.com/landlock-lsm/go-landlock/landlock/syscall"
 )
 
 var (
 	rules []landlock.Rule
+
+	// Include file truncation
+	truncFile landlock.AccessFSSet = ll.AccessFSExecute | ll.AccessFSWriteFile | ll.AccessFSReadFile | ll.AccessFSTruncate
 )
 
+func TruncFile(p string) landlock.FSRule {
+	return landlock.PathAccess(truncFile, p)
+}
+
 func LandlockRulesFromConfig(conf *config.Config) {
 	rules = append(rules,
 		landlock.RODirs(