xz: Support basic sandboxing with Linux Landlock (ABI versions 1-3).

It is enabled only when decompressing one file to stdout,
similar to how Capsicum is used.

Landlock was added in Linux 5.13.

1 files changed, 11 insertions, 1 deletions

diff --git a/CMakeLists.txt b/CMakeLists.txt
index e62f762b..6de086be 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1246,7 +1246,8 @@ if(NOT MSVC OR MSVC_VERSION GREATER_EQUAL 1900)
     # OFF       Disable sandboxing.
     # capsicum  Require Capsicum (FreeBSD >= 10.2) and fail if not found.
     # pledge    Require pledge(2) (OpenBSD >= 5.9) and fail if not found.
-    set(SUPPORTED_SANDBOX_METHODS ON OFF capsicum pledge)
+    # landlock  Require Landlock (Linux >= 5.13) and fail if not found.
+    set(SUPPORTED_SANDBOX_METHODS ON OFF capsicum pledge landlock)
 
     set(ENABLE_SANDBOX ON CACHE STRING "Sandboxing method to use in 'xz'")
 
@@ -1285,6 +1286,15 @@ if(NOT MSVC OR MSVC_VERSION GREATER_EQUAL 1900)
         endif()
     endif()
 
+    # Sandboxing: Landlock
+    if(NOT SANDBOX_FOUND AND ENABLE_SANDBOX MATCHES "^ON$|^landlock$")
+        check_include_file(linux/landlock.h HAVE_LINUX_LANDLOCK_H)
+        if(HAVE_LINUX_LANDLOCK_H)
+            target_compile_definitions(xz PRIVATE HAVE_LINUX_LANDLOCK_H)
+            set(SANDBOX_FOUND ON)
+        endif()
+    endif()
+
     if(NOT SANDBOX_FOUND AND NOT ENABLE_SANDBOX MATCHES "^ON$|^OFF$")
         message(SEND_ERROR "ENABLE_SANDBOX=${ENABLE_SANDBOX} was used but "
                            "support for the sandboxing method wasn't found.")