author | Omar Polo <op@omarpolo.com> | 2022-02-10 22:29:51 +0000 |
---|---|---|
committer | Omar Polo <op@omarpolo.com> | 2022-02-10 22:29:51 +0000 |
commit | 98c6f8de41647ba565dcbdaccf876277b404161e (patch) | |
tree | 39a6226c6d8a24a36e99a0bab2cae4d1b2bf46d0 /sandbox.c | |
parent | be88c5d657e2a2e0a2a9f6d75910e5f08ec5e755 (diff) |
fix landlock usage
Mickaël Salaün, the landlock author, pointed out the same error on the
got implementation. The assumption that not listed access
capabilities are implicitly denied is completely wrong:
> In a nutshell, the ruleset's handled_access_fs is required for
> backward and forward compatibility (i.e. the kernel and user space may
> not know each other's supported restrictions), hence the need to be
> explicit about the denied-by-default access rights.
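The point Mickaël Salaün makes above, in working code. This is an added example written for this page, not code from this repository's sandbox.c or from Omar Polo: a small Linux-only helper that first asks the kernel which Landlock ABI it implements, puts every filesystem right that ABI defines into handled_access_fs (the deny-by-default set), and only then grants READ_FILE|READ_DIR back beneath one directory. The function names (landlock_fs_rights_for_abi, landlock_read_only_rights, landlock_abi_version, sandbox_read_only) are this example's own; the LANDLOCK_* constants and syscall numbers are copied from the kernel UAPI so it builds with older headers, and the ABI-to-rights table (REFER in ABI 2, TRUNCATE in ABI 3, IOCTL_DEV in ABI 5) goes beyond the 13 rights the commit lists, which are the ABI 1 set.

```c
/*
 * Added example, not this repository's or Omar Polo's code.  Landlock denies
 * by default only the rights named in handled_access_fs, so this helper lists
 * every filesystem right the running kernel's ABI knows (naming a right the
 * kernel does not know makes landlock_create_ruleset() fail with EINVAL,
 * hence the ABI query), then grants back only READ_FILE|READ_DIR beneath one
 * directory.  UAPI values are copied from <linux/landlock.h> so this builds
 * with older headers; real code should include that header instead.
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

struct landlock_ruleset_attr { uint64_t handled_access_fs; };
struct landlock_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#define LANDLOCK_RULE_PATH_BENEATH      1
#define LANDLOCK_ACCESS_FS_EXECUTE      (1ULL << 0)   /* ABI 1 (Linux 5.13) ... */
#define LANDLOCK_ACCESS_FS_WRITE_FILE   (1ULL << 1)
#define LANDLOCK_ACCESS_FS_READ_FILE    (1ULL << 2)
#define LANDLOCK_ACCESS_FS_READ_DIR     (1ULL << 3)
#define LANDLOCK_ACCESS_FS_REMOVE_DIR   (1ULL << 4)
#define LANDLOCK_ACCESS_FS_REMOVE_FILE  (1ULL << 5)
#define LANDLOCK_ACCESS_FS_MAKE_CHAR    (1ULL << 6)
#define LANDLOCK_ACCESS_FS_MAKE_DIR     (1ULL << 7)
#define LANDLOCK_ACCESS_FS_MAKE_REG     (1ULL << 8)
#define LANDLOCK_ACCESS_FS_MAKE_SOCK    (1ULL << 9)
#define LANDLOCK_ACCESS_FS_MAKE_FIFO    (1ULL << 10)
#define LANDLOCK_ACCESS_FS_MAKE_BLOCK   (1ULL << 11)
#define LANDLOCK_ACCESS_FS_MAKE_SYM     (1ULL << 12)  /* ... ABI 1 */
#define LANDLOCK_ACCESS_FS_REFER        (1ULL << 13)  /* ABI 2 (Linux 5.19) */
#define LANDLOCK_ACCESS_FS_TRUNCATE     (1ULL << 14)  /* ABI 3 (Linux 6.2) */
#define LANDLOCK_ACCESS_FS_IOCTL_DEV    (1ULL << 15)  /* ABI 5 (Linux 6.10) */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif

/* Every filesystem right defined by Landlock ABI `abi`: the deny-by-default
 * set.  Extend the table when a newer ABI adds filesystem rights. */
uint64_t landlock_fs_rights_for_abi(int abi)
{
	uint64_t rights = LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_WRITE_FILE |
	    LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR |
	    LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_REMOVE_FILE |
	    LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR |
	    LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK |
	    LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK |
	    LANDLOCK_ACCESS_FS_MAKE_SYM;
	if (abi >= 2) rights |= LANDLOCK_ACCESS_FS_REFER;
	if (abi >= 3) rights |= LANDLOCK_ACCESS_FS_TRUNCATE;
	if (abi >= 5) rights |= LANDLOCK_ACCESS_FS_IOCTL_DEV;
	return rights;
}

/* The rights granted back: the read-only pair the old handled_access_fs listed. */
uint64_t landlock_read_only_rights(void)
{
	return LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
}

/* Highest ABI the kernel supports; -1 (ENOSYS or EOPNOTSUPP) without Landlock. */
int landlock_abi_version(void)
{
	return (int)syscall(__NR_landlock_create_ruleset, NULL, 0,
	    LANDLOCK_CREATE_RULESET_VERSION);
}

/* Confine the calling thread (and its future children) to read-only access
 * beneath `dir`.  Returns 0, or -1 with errno set. */
int sandbox_read_only(const char *dir)
{
	int abi = landlock_abi_version(), rc = -1;
	if (abi < 0) return -1;
	struct landlock_ruleset_attr attr = {
		.handled_access_fs = landlock_fs_rights_for_abi(abi),
	};
	int ruleset_fd = (int)syscall(__NR_landlock_create_ruleset, &attr,
	    sizeof(attr), 0);
	if (ruleset_fd < 0) return -1;
	/* allowed_access must be a subset of handled_access_fs. */
	struct landlock_path_beneath_attr rule = {
		.allowed_access = landlock_read_only_rights(),
		.parent_fd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC),
	};
	if (rule.parent_fd >= 0 &&
	    syscall(__NR_landlock_add_rule, ruleset_fd,
	    LANDLOCK_RULE_PATH_BENEATH, &rule, 0) == 0 &&
	    prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 &&
	    syscall(__NR_landlock_restrict_self, ruleset_fd, 0) == 0)
		rc = 0;
	int saved = errno;
	if (rule.parent_fd >= 0) close(rule.parent_fd);
	close(ruleset_fd);
	errno = saved;
	return rc;
}
```

Call sandbox_read_only() once on the directory to serve (a path such as /var/gemini is the caller's choice) before any request is handled. Afterwards open() with O_WRONLY|O_CREAT fails with EACCES even beneath that directory, because WRITE_FILE and MAKE_REG are handled and never granted, while reads beneath it keep working; with the original two-right handled set, that same open() would have succeeded.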
Diffstat (limited to 'sandbox.c')
-rw-r--r-- | sandbox.c | 20 |
1 files changed, 13 insertions, 7 deletions
@@ -429,14 +429,20 @@ open_landlock(void) { int fd; - /* - * These are all the actions that we may want to - * allow. Anything not specified here is implicitly blocked - * (e.g. LANDLOCK_ACCESS_FS_EXECUTE.) - */ struct landlock_ruleset_attr attr = { - .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE | - LANDLOCK_ACCESS_FS_READ_DIR, + .handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE | + LANDLOCK_ACCESS_FS_READ_FILE | + LANDLOCK_ACCESS_FS_READ_DIR | + LANDLOCK_ACCESS_FS_WRITE_FILE | + LANDLOCK_ACCESS_FS_REMOVE_DIR | + LANDLOCK_ACCESS_FS_REMOVE_FILE | + LANDLOCK_ACCESS_FS_MAKE_CHAR | + LANDLOCK_ACCESS_FS_MAKE_DIR | + LANDLOCK_ACCESS_FS_MAKE_REG | + LANDLOCK_ACCESS_FS_MAKE_SOCK | + LANDLOCK_ACCESS_FS_MAKE_FIFO | + LANDLOCK_ACCESS_FS_MAKE_BLOCK | + LANDLOCK_ACCESS_FS_MAKE_SYM, }; fd = landlock_create_ruleset(&attr, sizeof(attr), 0); |
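Review bot: the deleted comment was the only explanation of what handled_access_fs means, and the replacement list carries no comment at all; since the old text had the semantics exactly backwards, a one-line replacement stating the correct rule would stop the next reader from reintroducing the bug, e.g. `/* Every right listed here is denied unless a later landlock_add_rule() grants it; anything unlisted stays allowed. */`. Worth a second line is that this hardcodes the 13 rights known when the code was written: a right introduced by a newer kernel stays unhandled and is therefore still allowed, so querying the ABI with `landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION)` and building the mask from the answer before the `fd = landlock_create_ruleset(&attr, sizeof(attr), 0);` call would keep the sandbox closed on future kernels without breaking older ones.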