diff options
author | Lasse Collin <lasse.collin@tukaani.org> | 2024-02-22 15:18:25 +0200 |
---|---|---|
committer | Lasse Collin <lasse.collin@tukaani.org> | 2024-02-22 15:18:25 +0200 |
commit | de4337fd89ca7db5feb97b5c40143404f6e22986 (patch) | |
tree | a76e4d53af285937571fe6365566ee7e95cd788c | |
parent | liblzma: Disable branchless C version in range decoder. (diff) | |
download | xz-de4337fd89ca7db5feb97b5c40143404f6e22986.tar.xz |
xz: Landlock: Fix error message if input file is a directory.
If xz is given a directory, it should look like this:
$ xz /usr/bin
xz: /usr/bin: Is a directory, skipping
The Landlock rules didn't allow opening directories for reading:
$ xz /usr/bin
xz: /usr/bin: Permission denied
The simplest fix was to allow opening directories for reading.
While it's a bit silly to allow it solely for the error message,
it shouldn't make the sandbox significantly weaker.
The single-file use case (like when called from GNU tar) is
still as strict as possible: all Landlock restrictions are
enabled before (de)compression starts.
-rw-r--r-- | src/xz/sandbox.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/src/xz/sandbox.c b/src/xz/sandbox.c index 9d0df417..9e30a07a 100644 --- a/src/xz/sandbox.c +++ b/src/xz/sandbox.c @@ -224,9 +224,17 @@ sandbox_init(void) // These are all in ABI version 1 already. We don't need truncate // rights because files are created with open() using O_EXCL and // without O_TRUNC. + // + // LANDLOCK_ACCESS_FS_READ_DIR is included here to get a clear error + // message if xz is given a directory name. Without this permission + // the message would be "Permission denied" but with this permission + // it's "Is a directory, skipping". It could be worked around with + // stat()/lstat() but just giving this permission is simpler and + // shouldn't make the sandbox much weaker in practice. const uint64_t required_rights = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_READ_FILE + | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_MAKE_REG; @@ -240,7 +248,9 @@ sandbox_enable_read_only(void) { // We will be opening files for reading but // won't create or remove any files. - const uint64_t required_rights = LANDLOCK_ACCESS_FS_READ_FILE; + const uint64_t required_rights + = LANDLOCK_ACCESS_FS_READ_FILE + | LANDLOCK_ACCESS_FS_READ_DIR; enable_landlock(required_rights); return; } @@ -256,6 +266,9 @@ sandbox_enable_strict_if_allowed(int src_fd lzma_attribute((__unused__)), // Allow all restrictions that the kernel supports with the // highest Landlock ABI version that the kernel or xz supports. + // + // NOTE: LANDLOCK_ACCESS_FS_READ_DIR isn't needed here because + // the only input file has already been opened. enable_landlock(0); return; } |