From: Stéphane Graber
Date: Sat, 30 Aug 2025 03:50:00 +0000 (+0000)
Subject: meson: Add optional landlock protection for monitor
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bfacedd4cd5006409d14b60c651a8588451376c1;p=thirdparty%2Flxc.git
meson: Add optional landlock protection for monitor
This introduces a new optional security feature to the LXC monitor process. With this enabled, the monitor API used for communication between the CLI (or other clients) and the container monitor will now run in a dedicated thread and have a Landlock policy applied to that thread. The thread trick is required as the monitor process is also responsible for running post-stop tasks (hooks) which need full privileges as well as also handling full container reboots which similarly require full privileges. The policy is pretty simple at this point. It allows access to /dev/pts, /dev/ptmx and /sys/fs/cgroup as those are the few paths that the monior actually needs to open (as opposed to just handing out existing filedescriptors).
Signed-off-by: Stéphane Graber
---
diff --git a/meson.build b/meson.build
index a20068cd9..ec7524c24 100644
--- a/meson.build
+++ b/meson.build
@@ -148,6 +148,7 @@ want_state_dirs = get_option('install-state-dirs')
 want_thread_safety = get_option('thread-safety')
 want_memfd_rexec = get_option('memfd-rexec')
 want_dbus = get_option('dbus')
+want_landlock_monitor = get_option('landlock-monitor')
 
 # Set sysconfdir
 fs = import('fs')
@@ -289,6 +290,12 @@ else
 srcconf.set10('HAVE_DBUS', false)
 endif
 
+if want_landlock_monitor
+ srcconf.set10('HAVE_LANDLOCK_MONITOR', true)
+else
+ srcconf.set10('HAVE_LANDLOCK_MONITOR', false)
+endif
+
 ## Time EPOCH.
 sh = find_program('sh')
 date = find_program('date')
diff --git a/meson_options.txt b/meson_options.txt
index 62f885958..f00e7406d 100644
--- a/meson_options.txt
+++ b/meson_options.txt
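Review bot: The `HAVE_LANDLOCK_MONITOR` block in the second meson.build hunk derives the feature purely from the option, with no configure-time probe that the toolchain actually exposes the Landlock UAPI, so a build with `-Dlandlock-monitor=true` on a toolchain lacking `linux/landlock.h` would presumably only fail once the monitor sources compile. Unless the tree carries its own fallback header (not visible here), gating the option on something like `cc.has_header('linux/landlock.h')` and failing the configure step with a clear message when it is absent would surface the problem earlier; whether a compiler object named `cc` is defined in this file lies outside the hunk. As a style point the two branches collapse to `srcconf.set10('HAVE_LANDLOCK_MONITOR', want_landlock_monitor)`, although the if/else form mirrors the adjacent `HAVE_DBUS` block. The option defaults to false in the meson_options.txt hunk, so the monitor sandbox is opt-in at build time, which the commit message could state explicitly.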
@@ -124,6 +124,9 @@ option('distrosysconfdir', type: 'string', value: '',
 option('dbus', type: 'boolean', value: true,
 description: 'use dbus')
 
+option('landlock-monitor', type: 'boolean', value: false,
+ description: 'use Landlock to protect the monitor API')
+
 option('specfile', type: 'boolean', value: true,
 description: 'whether to prepare RPM spec')