aboutsummaryrefslogtreecommitdiff
path: root/src/xz/main.c
diff options
context:
space:
mode:
authorLasse Collin <lasse.collin@tukaani.org>2023-10-09 22:07:52 +0300
committerLasse Collin <lasse.collin@tukaani.org>2023-10-22 19:03:52 +0300
commit8276c7f41c671eee4aa3239490658b23dcfd3021 (patch)
tree0ea5a10ee423725d55b888281678784da2bb5aac /src/xz/main.c
parentCMake: Edit threading related messages. (diff)
downloadxz-8276c7f41c671eee4aa3239490658b23dcfd3021.tar.xz
xz: Support basic sandboxing with Linux Landlock (ABI versions 1-3).
It is enabled only when decompressing one file to stdout, similar to how Capsicum is used. Landlock was added in Linux 5.13.
Diffstat (limited to 'src/xz/main.c')
-rw-r--r--src/xz/main.c19
1 files changed, 19 insertions, 0 deletions
diff --git a/src/xz/main.c b/src/xz/main.c
index f0c2194c..9c902833 100644
--- a/src/xz/main.c
+++ b/src/xz/main.c
@@ -13,6 +13,13 @@
#include "private.h"
#include <ctype.h>
+// prctl(PR_SET_NO_NEW_PRIVS, ...) is required with Landlock but it can be
+// activated even when conditions for strict sandboxing aren't met.
+#ifdef HAVE_LINUX_LANDLOCK_H
+# include <sys/prctl.h>
+#endif
+
+
/// Exit status to use. This can be changed with set_exit_status().
static enum exit_status_type exit_status = E_SUCCESS;
@@ -156,6 +163,18 @@ main(int argc, char **argv)
}
#endif
+#ifdef HAVE_LINUX_LANDLOCK_H
+ // Prevent the process from gaining new privileges. This must be done
+ // before landlock_restrict_self(2) in file_io.c but since we will
+ // never need new privileges, this call can be done here already.
+ //
+ // This is supported since Linux 3.5. Ignore the return value to
+ // keep compatibility with old kernels. landlock_restrict_self(2)
+ // will fail if the no_new_privs attribute isn't set, thus if prctl()
+ // fails here the error will still be detected when it matters.
+ (void)prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+#endif
+
#if defined(_WIN32) && !defined(__CYGWIN__)
InitializeCriticalSection(&exit_status_cs);
#endif