From: Alyssa Ross
To: devel@spectrum-os.org
Subject: [PATCH] tools/xdg-desktop-portal-spectrum-host: landlock
Date: Sat, 13 Dec 2025 23:32:28 +0100
Message-ID: <20251213223228.675216-1-hi@alyssa.is>
X-Mailer: git-send-email 2.51.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-ID-Hash: 5KZ6SBN73N32Z4EQD7SKA3XMTFGOCLVT
X-Message-ID-Hash: 5KZ6SBN73N32Z4EQD7SKA3XMTFGOCLVT
X-MailFrom: hi@alyssa.is
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-devel.spectrum-os.org-0; header-match-devel.spectrum-os.org-1; header-match-devel.spectrum-os.org-2; header-match-devel.spectrum-os.org-3; header-match-devel.spectrum-os.org-4; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Demi Marie Obenour
X-Mailman-Version: 3.3.9
Precedence: list
List-Id: Patches and low-level development discussion
Archived-At:
List-Archive:
List-Help:
List-Owner:
List-Post:
List-Subscribe:
List-Unsubscribe:

This program doesn't do anything restricted by landlock, so we can just set up a maximally restrictive ruleset and be done with it.

Signed-off-by: Alyssa Ross
---
.../Cargo.lock | 32 +++++++++++++++++++
.../Cargo.toml | 1 +
.../src/main.rs | 19 ++++++++++-
3 files changed, 51 insertions(+), 1 deletion(-)
diff --git a/tools/xdg-desktop-portal-spectrum-host/Cargo.lock b/tools/xdg-desktop-portal-spectrum-host/Cargo.lock
index d09e36ff..147a6b9a 100644
--- a/tools/xdg-desktop-portal-spectrum-host/Cargo.lock
+++ b/tools/xdg-desktop-portal-spectrum-host/Cargo.lock
@@ -513,6 +513,17 @@ dependencies = [
  "hashbrown",
 ]
 
+[[package]]
+name = "landlock"
+version = "0.4.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "49fefd6652c57d68aaa32544a4c0e642929725bdc1fd929367cdeb673ab81088"
+dependencies = [
+ "enumflags2",
+ "libc",
+ "thiserror",
+]
+
 [[package]]
 name = "libc"
 version = "0.2.178"
@@ -767,6 +778,26 @@ dependencies = [
  "windows-sys",
 ]
 
+[[package]]
+name = "thiserror"
+version = "2.0.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f63587ca0f12b72a0600bcba1d40081f830876000bb46dd2337a3051618f4fc8"
+dependencies = [
+ "thiserror-impl",
+]
+
+[[package]]
+name = "thiserror-impl"
+version = "2.0.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3ff15c8ecd7de3849db632e14d18d2571fa09dfc5ed93479bc4485c7a517c913"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "tinystr"
 version = "0.7.6"
@@ -988,6 +1019,7 @@ dependencies = [
  "async-executor",
  "async-io",
  "futures-lite",
+ "landlock",
  "percent-encoding",
  "rustix",
  "url",
diff --git a/tools/xdg-desktop-portal-spectrum-host/Cargo.toml b/tools/xdg-desktop-portal-spectrum-host/Cargo.toml
index 96459c82..7b177cbf 100644
--- a/tools/xdg-desktop-portal-spectrum-host/Cargo.toml
+++ b/tools/xdg-desktop-portal-spectrum-host/Cargo.toml
@@ -10,6 +10,7 @@ edition = "2024"
 async-executor = { version = "1.12.0", features = ["static"] }
 async-io = "2.3.2"
 futures-lite = "2.3.0"
+landlock = "0.4.4"
 percent-encoding = "2.3.1"
 rustix = "0.38.34"
 url = "2.5.0"
diff --git a/tools/xdg-desktop-portal-spectrum-host/src/main.rs b/tools/xdg-desktop-portal-spectrum-host/src/main.rs
index 3fc49cf3..a8672197 100644
--- a/tools/xdg-desktop-portal-spectrum-host/src/main.rs
+++ b/tools/xdg-desktop-portal-spectrum-host/src/main.rs
@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: EUPL-1.2+
-// SPDX-FileCopyrightText: 2024 Alyssa Ross
+// SPDX-FileCopyrightText: 2024-2025 Alyssa Ross
 
 mod documents;
 mod file_chooser;
@@ -19,6 +19,10 @@ use async_executor::StaticExecutor;
 use async_io::Async;
 use futures_lite::prelude::*;
 use futures_lite::stream::StreamExt;
+use landlock::{ ABI, Access, AccessFs, AccessNet, CompatLevel, Compatible, Ruleset, RulesetAttr, RulesetError, Scope, };
 use zbus::{AuthMechanism, Connection, MessageStream, connection};
 
 use file_chooser::FileChooser;
@@ -208,6 +212,17 @@ fn listening_vsock_path(connection: &UnixListener) -> Result {
     Ok(OsString::from_vec(listening_addr).into())
 }
 
+fn set_up_landlock() -> Result<(), RulesetError> {
+    Ruleset::default()
+        .handle_access(AccessFs::from_all(ABI::V6))?
+        .handle_access(AccessNet::from_all(ABI::V6))?
+        .scope(Scope::from_all(ABI::V6))?
+        .create()?
+        .set_compatibility(CompatLevel::HardRequirement)
+        .restrict_self()?;
+    Ok(())
+}
+
 fn read_argv() {
     let mut args = args_os();
     args.next();
@@ -219,6 +234,8 @@ fn read_argv() {
 }
 
 fn run() -> Result<(), String> {
+    set_up_landlock().map_err(|e| format!("setting up landlock: {e}"))?;
+
     read_argv();
     async_io::block_on(EXECUTOR.run(async {
 

base-commit: 073642b88d65fd3d5a10e45226cb8ba580ac7bd3
--
2.51.0
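Review bot: The `RestrictionStatus` that `restrict_self()` returns in `set_up_landlock` is discarded, so a `PartiallyEnforced` or `NotEnforced` outcome is never surfaced to the caller or the log. Since `set_compatibility(CompatLevel::HardRequirement)` is applied only after `create()`, the preceding `handle_access` and `scope` calls with `ABI::V6` run at the crate's default best-effort level and, as I read the landlock 0.4.4 semantics (worth confirming), may silently drop access rights or scopes an older kernel lacks rather than failing. If the intent is to fail closed on any kernel that cannot enforce the full V6 ruleset, move the call so it reads `Ruleset::default().set_compatibility(CompatLevel::HardRequirement)` before the first `handle_access`; otherwise bind the status and report when `status.ruleset` is not `RulesetStatus::FullyEnforced`. The function also has no doc comment; a one-liner such as `/// Confine this process with a maximally restrictive Landlock ruleset: it needs none of the file, network or scope operations Landlock governs, so no rules are added.` records why nothing is allow-listed.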