From 6f3660e471173e3ae0ddbeff49c7fe6638f9d246 Mon Sep 17 00:00:00 2001
From: "Panagiotis \"Ivory\" Vasilopoulos"
Date: Wed, 8 Jan 2025 20:39:23 +0100
Subject: [PATCH] fix(landlock): minor adjustments

---
 src/isolation/landlock.rs | 21 ++++++++++-----------
 src/vm.rs | 2 +-
 2 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/src/isolation/landlock.rs b/src/isolation/landlock.rs
index cede94b5..ae8e9e85 100644
--- a/src/isolation/landlock.rs
+++ b/src/isolation/landlock.rs
@@ -10,7 +10,7 @@ use crate::isolation::split_guest_and_host_path;
 
 /// Contains types of errors that may occur during Landlock's initialization.
 #[derive(Debug, Error)]
-pub enum LandlockRestrictError {
+pub enum RestrictError {
 #[error(transparent)]
 Ruleset(#[from] RulesetError),
 #[error(transparent)]
@@ -53,10 +53,7 @@ impl UhyveLandlockWrapper {
 }
 }
 
- /// This function attempts to enforce different layers of file-related isolation.
- /// This is currently only used for Landlock. It can be extended for other isolation
- /// layers, as well as operating system-specific implementations.
- pub fn enforce_isolation(&self) {
+ pub fn apply_landlock_restrictions(&self) {
 {
 let _status = match Self::enforce_landlock(self) {
 Ok(status) => status,
@@ -75,11 +72,13 @@ impl UhyveLandlockWrapper {
 let iterations = 2;
 let mut host_pathbuf: PathBuf = host_path.into();
 for _i in 0..iterations {
- if host_pathbuf.exists() {
- return host_pathbuf.to_str().unwrap().to_owned();
- } else {
+ if !host_pathbuf.exists() {
+ warn!("Mapped file {:#?} not found. Popping...", host_pathbuf);
 host_pathbuf.pop();
+ continue;
 }
+ debug!("Adding {:#?} to Landlock", host_pathbuf);
+ return host_pathbuf.to_str().unwrap().to_owned();
 }
 panic!(
 "The mapped file's parent directory wasn't found within {} iteration(s).",
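Review bot: The rename in the `@@ -53,10 +53,7 @@` hunk deletes the `///` doc comment and leaves the public method `apply_landlock_restrictions` undocumented, while the neighbouring `enforce_landlock` keeps its rustdoc. A one-liner grounded in the visible body would do, e.g. `/// Applies the Landlock ruleset built by [`Self::enforce_landlock`] to the calling process.`. The result of `enforce_landlock` is bound to `_status`, which reads as deliberately discarded; if so, the doc comment should say that enforcement failures are handled inside this method rather than returned. The method body continues past the end of the hunk, so I cannot see how the `Err` arm is handled.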
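Review bot: In the `@@ -75,11 +72,13 @@` hunk the new return line keeps `host_pathbuf.to_str().unwrap().to_owned()`, which panics for a mapped path that is not valid UTF-8; `host_pathbuf.to_string_lossy().into_owned()`, or returning the `PathBuf` itself, avoids the panic path. More relevant to the isolation boundary: when the mapped file does not exist the function now falls back to the parent directory with only a `warn!`, and if that value later becomes a `PathBeneath` rule (as the `rw_paths`/`ro_paths` rules in the later hunks are), the sandbox grants access to the whole directory subtree instead of the single file, which the warning text and the function's doc comment should state explicitly. `Path::exists` also returns `false` on permission errors, so an existing but unreadable file takes the same widening path; `host_pathbuf.try_exists()` distinguishes the two cases. Minor style point: `{}` with `host_pathbuf.display()` reads better than `{:#?}` in both log lines. The enclosing function starts and ends outside this hunk.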
@@ -89,7 +88,7 @@ impl UhyveLandlockWrapper {
 
 /// Initializes Landlock by providing R/W-access to user-defined and
 /// Uhyve-defined paths.
- pub fn enforce_landlock(&self) -> Result {
+ pub fn enforce_landlock(&self) -> Result {
 // This should be incremented regularly.
 let abi = ABI::V5;
 // Used for explicitly whitelisted files (read & write).
@@ -104,7 +103,7 @@ impl UhyveLandlockWrapper {
 self.rw_paths
 .as_slice()
 .iter()
- .map::, _>(|p| {
+ .map::, _>(|p| {
 Ok(PathBeneath::new(PathFd::new(p)?, access_all))
 }),
 )?
@@ -112,7 +111,7 @@ impl UhyveLandlockWrapper {
 self.ro_paths
 .as_slice()
 .iter()
- .map::, _>(|p| {
+ .map::, _>(|p| {
 Ok(PathBeneath::new(PathFd::new(p)?, access_read))
 }),
 )?
diff --git a/src/vm.rs b/src/vm.rs
index ff7f802c..cd619274 100644
--- a/src/vm.rs
+++ b/src/vm.rs
@@ -330,7 +330,7 @@ impl UhyveVm {
 
 pub fn load_kernel(&mut self) -> LoadKernelResult<()> {
 #[cfg(target_os = "linux")]
- self.landlock.enforce_isolation();
+ self.landlock.apply_landlock_restrictions();
 
 let elf = fs::read(self.kernel_path())?;
 let object = KernelObject::parse(&elf).map_err(LoadKernelError::ParseKernelError)?;
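Review bot: The doc comment kept above the changed `enforce_landlock` signature in the `@@ -89,7 +88,7 @@` hunk says the method provides R/W access to user-defined and Uhyve-defined paths, but the two following hunks build the `ro_paths` rules with `access_read`, so the text overstates what the ruleset grants. Suggest `/// Initializes Landlock, granting read/write access to `rw_paths` and read-only access to `ro_paths`.`, with the existing "This should be incremented regularly." note on `ABI::V5` ideally saying what must be reviewed when it is bumped. The `Result` in the new signature and the `.map::<...>` turbofish in the later hunks have lost their type arguments in this rendering, so I cannot confirm the error type was updated to `RestrictError` consistently. The body of `enforce_landlock` continues outside the hunk.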