Evolinx/bottle
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Correctly configure landlock for older ABIs

Browse Source 
For example, with landlock ABI < 3, LANDLOCK_ACCESS_FS_TRUNCATE is not
set in ruleset_attr.handled_access_fs, so it should not be set in
path_beneath.allowed_access either. Otherwise, landlock_add_rule fails
with -EINVAL, and pacman complains:

> error: restricting filesystem access failed because the landlock rule for the temporary download directory could not be added!

The change is tested on Debian Bookworm kernel
linux-image-6.1.0-25-cloud-amd64 6.1.106-3.
This commit is contained in:
Chih-Hsuan Yen 2024-09-15 11:49:53 +08:00 committed by Allan McRae
parent 60ec268458
commit e80569f5da
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
lib/libalpm/sandbox_fs.c
View File

@ -150,6 +150,9 @@ bool _alpm_sandbox_fs_restrict_writes_to(alpm_handle_t *handle, const char *path
path_beneath.parent_fd = open(path, O_PATH | O_CLOEXEC | O_DIRECTORY);
path_beneath.allowed_access = _LANDLOCK_ACCESS_FS_READ | _LANDLOCK_ACCESS_FS_WRITE | _LANDLOCK_ACCESS_FS_TRUNCATE;
/* make sure allowed_access is a subset of handled_access_fs, which may change for older landlock ABI */
path_beneath.allowed_access &= ruleset_attr.handled_access_fs;
if(landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &path_beneath, 0) == 0) {
if(landlock_restrict_self(ruleset_fd, 0)) {
_alpm_log(handle, ALPM_LOG_ERROR, _("restricting filesystem access failed because the landlock ruleset could not be applied!\n"));