### Motivation

- Landlock alone cannot prevent writes to sensitive in-repo files like `.git/` when the repo root is writable, so explicit mount restrictions are required for those paths.
- The sandbox must set up any mounts before calling Landlock so Landlock can still be applied afterwards and the two mechanisms compose correctly.

### Description

- Add a new `linux-sandbox` helper `apply_read_only_mounts` in `linux-sandbox/src/mounts.rs` that: unshares namespaces, maps uids/gids when required, makes mounts private, bind-mounts targets, and remounts them read-only.
- Wire the mount step into the sandbox flow by calling `apply_read_only_mounts(...)` before network/seccomp and before applying Landlock rules in `linux-sandbox/src/landlock.rs`.
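As an added example (not the project's own `apply_read_only_mounts`), the bind-and-remount sequence the description outlines, followed by a check that the remount actually took effect, read from `/proc/self/mountinfo`. It assumes Linux and a caller that has already unshared the user and mount namespaces (or runs as root); the `mountinfo` sample is constructed.

```rust
// Added example, not the project's own code. Assumes Linux and that the caller
// already unshared user+mount namespaces (or is root), as the PR describes.
use std::ffi::CString;
use std::io;
use std::os::raw::{c_char, c_ulong, c_void};
const MS_RDONLY: c_ulong = 1; // flag values from <sys/mount.h>
const MS_REMOUNT: c_ulong = 32;
const MS_BIND: c_ulong = 4096;
const MS_REC: c_ulong = 16384;
const MS_PRIVATE: c_ulong = 1 << 18;

unsafe extern "C" {
    fn mount(src: *const c_char, tgt: *const c_char, fs: *const c_char,
             flags: c_ulong, data: *const c_void) -> i32;
}
fn do_mount(src: Option<&str>, tgt: &str, flags: c_ulong) -> io::Result<()> {
    let src_c = src.map(CString::new).transpose()?;
    let tgt_c = CString::new(tgt)?;
    let src_p = src_c.as_ref().map_or(std::ptr::null(), |c| c.as_ptr());
    let rc = unsafe { mount(src_p, tgt_c.as_ptr(), std::ptr::null(), flags, std::ptr::null()) };
    if rc == 0 { Ok(()) } else { Err(io::Error::last_os_error()) }
}
/// Private propagation first (nothing leaks to the host), bind each path onto
/// itself, then remount that bind read-only. In an unprivileged user namespace
/// the remount must also keep nosuid/nodev/noexec or it fails with EPERM (omitted).
pub fn apply_read_only(targets: &[&str]) -> io::Result<()> {
    do_mount(None, "/", MS_REC | MS_PRIVATE)?;
    for t in targets {
        do_mount(Some(t), t, MS_BIND | MS_REC)?;
        do_mount(None, t, MS_BIND | MS_REMOUNT | MS_RDONLY)?;
    }
    Ok(())
}

/// Is `target` read-only per mountinfo text? Field 6 carries the per-mount
/// flags (where the bind's ro lands); the superblock options after "-" still
/// say rw. The last line for a mount point is the topmost mount, so it wins.
pub fn is_read_only_in(mountinfo: &str, target: &str) -> Option<bool> {
    let mut state = None;
    for f in mountinfo.lines().map(|l| l.split(' ').collect::<Vec<_>>()) {
        if f.len() >= 6 && f[4].replace("\\040", " ") == target {
            state = Some(f[5].split(',').any(|o| o == "ro"));
        }
    }
    state
}
// Constructed sample: .git bind remounted ro while its superblock stays rw.
pub const SAMPLE_MOUNTINFO: &str = "25 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw\n\
    40 25 8:1 /r/.git /r/.git rw,relatime - ext4 /dev/sda1 rw\n\
    41 25 8:1 /r/.git /r/.git ro,relatime - ext4 /dev/sda1 rw\n";
```

`apply_read_only` needs the namespace privileges; afterwards `is_read_only_in` can be run on `std::fs::read_to_string("/proc/self/mountinfo")` to confirm each target shows `ro` in its per-mount options rather than trusting the remount call succeeded.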
16 lines, 341 B, Rust
```rust
#[cfg(target_os = "linux")]
mod landlock;
#[cfg(target_os = "linux")]
mod linux_run_main;
#[cfg(target_os = "linux")]
mod mounts;

#[cfg(target_os = "linux")]
pub fn run_main() -> ! {
    linux_run_main::run_main();
}

#[cfg(not(target_os = "linux"))]
pub fn run_main() -> ! {
    panic!("codex-linux-sandbox is only supported on Linux");
}
```