diff options
author | Lasse Collin <lasse.collin@tukaani.org> | 2023-10-09 22:07:52 +0300 |
---|---|---|
committer | Lasse Collin <lasse.collin@tukaani.org> | 2023-10-22 19:03:52 +0300 |
commit | 8276c7f41c671eee4aa3239490658b23dcfd3021 (patch) | |
tree | 0ea5a10ee423725d55b888281678784da2bb5aac /src/xz/main.c | |
parent | CMake: Edit threading related messages. (diff) | |
download | xz-8276c7f41c671eee4aa3239490658b23dcfd3021.tar.xz |
xz: Support basic sandboxing with Linux Landlock (ABI versions 1-3).
It is enabled only when decompressing one file to stdout,
similar to how Capsicum is used.
Landlock was added in Linux 5.13.
Diffstat (limited to '')
-rw-r--r-- | src/xz/main.c | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/src/xz/main.c b/src/xz/main.c index f0c2194c..9c902833 100644 --- a/src/xz/main.c +++ b/src/xz/main.c @@ -13,6 +13,13 @@ #include "private.h" #include <ctype.h> +// prctl(PR_SET_NO_NEW_PRIVS, ...) is required with Landlock but it can be +// activated even when conditions for strict sandboxing aren't met. +#ifdef HAVE_LINUX_LANDLOCK_H +# include <sys/prctl.h> +#endif + + /// Exit status to use. This can be changed with set_exit_status(). static enum exit_status_type exit_status = E_SUCCESS; @@ -156,6 +163,18 @@ main(int argc, char **argv) } #endif +#ifdef HAVE_LINUX_LANDLOCK_H + // Prevent the process from gaining new privileges. This must be done + // before landlock_restrict_self(2) in file_io.c but since we will + // never need new privileges, this call can be done here already. + // + // This is supported since Linux 3.5. Ignore the return value to + // keep compatibility with old kernels. landlock_restrict_self(2) + // will fail if the no_new_privs attribute isn't set, thus if prctl() + // fails here the error will still be detected when it matters. + (void)prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); +#endif + #if defined(_WIN32) && !defined(__CYGWIN__) InitializeCriticalSection(&exit_status_cs); #endif |