internal/maincmd: push landlock to after SSH/net.Dial

stapelberg · stapelberg · commit 4f71665b22cc · 2026-01-11T10:36:44.000+01:00
This allows us to make our Landlock policy stricter.
diff --git a/internal/maincmd/clientmaincmd.go b/internal/maincmd/clientmaincmd.go
@@ -103,11 +103,6 @@ func rsyncMain(ctx context.Context, osenv *rsyncos.Env, opts *rsyncopts.Options,
 			rwDirs = paths
 		}
 	}
-	if osenv.Restrict() {
-		if err := restrict.MaybeFileSystem(roDirs, rwDirs); err != nil {
-			return nil, err
-		}
-	}
 
 	module := path
 	if idx := strings.IndexByte(module, '/'); idx > -1 {
@@ -118,7 +113,7 @@ func rsyncMain(ctx context.Context, osenv *rsyncos.Env, opts *rsyncopts.Options,
 	}
 
 	if daemonConnection < 0 {
-		stats, err := socketClient(ctx, osenv, opts, host, path, port, paths)
+		stats, err := socketClient(ctx, osenv, opts, host, path, port, paths, roDirs, rwDirs)
 		if err != nil {
 			return nil, err
 		}
@@ -141,6 +136,13 @@ func rsyncMain(ctx context.Context, osenv *rsyncos.Env, opts *rsyncopts.Options,
 		r: rc,
 		w: wc,
 	}
+
+	if osenv.Restrict() {
+		if err := restrict.MaybeFileSystem(roDirs, rwDirs); err != nil {
+			return nil, err
+		}
+	}
+
 	negotiate := true
 	if daemonConnection != 0 {
 		done, err := startInbandExchange(osenv, opts, conn, module, path)
diff --git a/internal/maincmd/clientserver.go b/internal/maincmd/clientserver.go
@@ -11,13 +11,14 @@ import (
 	"time"
 
 	"github.com/gokrazy/rsync"
+	"github.com/gokrazy/rsync/internal/restrict"
 	"github.com/gokrazy/rsync/internal/rsyncopts"
 	"github.com/gokrazy/rsync/internal/rsyncos"
 	"github.com/gokrazy/rsync/internal/rsyncstats"
 )
 
 // rsync/clientserver.c:start_socket_client
-func socketClient(ctx context.Context, osenv *rsyncos.Env, opts *rsyncopts.Options, host string, path string, port int, paths []string) (*rsyncstats.TransferStats, error) {
+func socketClient(ctx context.Context, osenv *rsyncos.Env, opts *rsyncopts.Options, host string, path string, port int, paths []string, roDirs, rwDirs []string) (*rsyncstats.TransferStats, error) {
 	if port < 0 {
 		if port := opts.RsyncPort(); port > 0 {
 			host += ":" + strconv.Itoa(port)
@@ -51,6 +52,11 @@ func socketClient(ctx context.Context, osenv *rsyncos.Env, opts *rsyncopts.Optio
 		module = module[:idx]
 	}
 	osenv.Logf("rsync module %q, path %q", module, path)
+	if osenv.Restrict() {
+		if err := restrict.MaybeFileSystem(roDirs, rwDirs); err != nil {
+			return nil, err
+		}
+	}
 	done, err := startInbandExchange(osenv, opts, conn, module, path)
 	if err != nil {
 		return nil, err
diff --git a/internal/restrict/restrict_linux.go b/internal/restrict/restrict_linux.go
@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"log"
 	"os"
-	"path/filepath"
 
 	"github.com/landlock-lsm/go-landlock/landlock"
 )
@@ -28,19 +27,6 @@ var userLookup = []string{
 	"/etc/group",  // group lookup
 }
 
-// ssh(1) needs to read its config and key files
-var sshConfigDirs = []string{
-	filepath.Join(os.Getenv("HOME"), ".ssh"), // user
-	"/etc/ssh",                               // system-wide
-}
-var sshDirs = []string{
-	"/usr", // for running ssh(1)
-	"/nix", // for running ssh(1) on NixOS
-}
-var sshDevices = []string{
-	"/dev/null",
-}
-
 func MaybeFileSystem(roDirsOrFiles []string, rwDirs []string) error {
 	re := ExtraHook
 	if re == nil {
@@ -65,9 +51,6 @@ func MaybeFileSystem(roDirsOrFiles []string, rwDirs []string) error {
 		append(re(), []landlock.Rule{
 			landlock.ROFiles(dnsLookup...).IgnoreIfMissing(),
 			landlock.ROFiles(userLookup...).IgnoreIfMissing(),
-			landlock.RODirs(sshConfigDirs...).IgnoreIfMissing(),
-			landlock.RODirs(sshDirs...).IgnoreIfMissing(),
-			landlock.RWFiles(sshDevices...).IgnoreIfMissing(),
 			landlock.RODirs(roDirs...).IgnoreIfMissing(),
 			landlock.ROFiles(roFiles...).IgnoreIfMissing(),
 			landlock.RWDirs(rwDirs...).WithRefer(),
diff --git a/internal/rsynctest/restrict.go b/internal/rsynctest/restrict.go
@@ -12,6 +12,7 @@ func init() {
 		return []landlock.Rule{
 			// contains /usr/bin/rsync (and library deps)
 			landlock.RODirs("/usr"),
+			landlock.RODirs("/nix").IgnoreIfMissing(),
 
 			// for t.TempDir()
 			landlock.RWDirs(os.TempDir()).WithRefer(),
