Allow custom files and directories to be added the the getter landlock

[astudentofblake]

Proposal

I would like to be able to configure the landlock in the getter to include custom files + directories
I propose adding config to ArtifactConfig. I'll raise a PR later

Use-cases

Currently I set SSL_CERT_DIR=<CUSTOM_DIRECTORY>:/etc/ssl/certs:/etc/pki/tls/certs to allow the getter to use ca certificates I have in a custom directory.
The default git on RHEL also needs access to "/dev/urandom"
A link to the git code: -
https://github.com/git/git/blob/19981daefd7c147444462739375462b49412ce33/wrapper.c#L797

In order to turn on landlock, I need to add read access to these paths

Attempted Solutions

I have turned off landlock, so that I can access these paths, but I would like the extra security.
I can't add the certificates to the OS.

[tgross]

Hi @astudentofblake! I did a little digging to verify the existing behavior and see if there are known workarounds, and it looks like no. The order of operations for Templates, Artifacts, and Dispatch Payloads means that none of the usual tools that someone might use to workaround this problem (ex. templating the certs into the allocdir) exist at the time the artifact is downloaded.

We do have a client.artifact configuration block that seems like the right place for this feature. Under the personas in our security model would allow the cluster administrator to add paths to the Landlock sandbox without letting a job author break its protection. It ends up being similar to the client.chroot_env block in that way.

I'm going to label this issue as accepted and mark it for roadmapping. If you are interested in submitting a PR for it, we'd be happy to review that. Thanks!