aboutsummaryrefslogtreecommitdiff
path: root/src/xz/sandbox.h
diff options
context:
space:
mode:
authorLasse Collin <lasse.collin@tukaani.org>2024-02-17 23:07:35 +0200
committerLasse Collin <lasse.collin@tukaani.org>2024-02-17 23:07:35 +0200
commit374868d81d473ab56556a1cfd6b1b36a1fab348b (patch)
tree195da6ba1f931c4ec7783832428ea3c2bbcac2b5 /src/xz/sandbox.h
parentxz: Tweak comments. (diff)
downloadxz-374868d81d473ab56556a1cfd6b1b36a1fab348b.tar.xz
xz: Move sandboxing code to sandbox.c and improve Landlock sandbox.
Landlock is now always used just like pledge(2) is: first in more permissive mode and later (under certain common conditions) in a strict mode that doesn't allow opening more files. I put pledge(2) first in sandbox.c because it's the simplest API to use and still somewhat fine-grained for basic applications. So it's the simplest thing to understand for anyone reading sandbox.c.
Diffstat (limited to 'src/xz/sandbox.h')
-rw-r--r--src/xz/sandbox.h39
1 files changed, 39 insertions, 0 deletions
diff --git a/src/xz/sandbox.h b/src/xz/sandbox.h
new file mode 100644
index 00000000..795c550f
--- /dev/null
+++ b/src/xz/sandbox.h
@@ -0,0 +1,39 @@
+// SPDX-License-Identifier: 0BSD
+
+///////////////////////////////////////////////////////////////////////////////
+//
+/// \file sandbox.h
+/// \brief Sandbox support
+//
+// Author: Lasse Collin
+//
+///////////////////////////////////////////////////////////////////////////////
+
+#if defined(HAVE_PLEDGE) || defined(HAVE_LINUX_LANDLOCK_H) \
+ || defined(HAVE_CAP_RIGHTS_LIMIT)
+# define ENABLE_SANDBOX 1
+#endif
+
+
+/// \brief Enables early sandboxing that can always be enabled
+///
+/// This requires that tuklib_progname() and io_init() have been called.
+extern void sandbox_init(void);
+
+
+/// \brief Tell sandboxing code that strict sandboxing can be used
+///
+/// This function only sets a flag which will be read by
+/// sandbox_enable_strict_if_allowed().
+extern void sandbox_allow_strict(void);
+
+
+/// \brief Enable sandboxing that allows reading from one file
+///
+/// This does nothing if sandbox_allow_strict() hasn't been called.
+///
+/// \param src_fd File descriptor open for reading
+/// \param pipe_event_fd user_abort_pipe[0] from file_io.c
+/// \param pipe_write_fd user_abort_pipe[1] from file_io.c
+extern void sandbox_enable_strict_if_allowed(
+ int src_fd, int pipe_event_fd, int pipe_write_fd);