aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorLasse Collin <lasse.collin@tukaani.org>2024-02-22 15:18:25 +0200
committerLasse Collin <lasse.collin@tukaani.org>2024-02-22 15:18:25 +0200
commitde4337fd89ca7db5feb97b5c40143404f6e22986 (patch)
treea76e4d53af285937571fe6365566ee7e95cd788c /src
parentliblzma: Disable branchless C version in range decoder. (diff)
downloadxz-de4337fd89ca7db5feb97b5c40143404f6e22986.tar.xz
xz: Landlock: Fix error message if input file is a directory.
If xz is given a directory, it should look like this: $ xz /usr/bin xz: /usr/bin: Is a directory, skipping The Landlock rules didn't allow opening directories for reading: $ xz /usr/bin xz: /usr/bin: Permission denied The simplest fix was to allow opening directories for reading. While it's a bit silly to allow it solely for the error message, it shouldn't make the sandbox significantly weaker. The single-file use case (like when called from GNU tar) is still as strict as possible: all Landlock restrictions are enabled before (de)compression starts.
Diffstat (limited to '')
-rw-r--r--src/xz/sandbox.c15
1 files changed, 14 insertions, 1 deletions
diff --git a/src/xz/sandbox.c b/src/xz/sandbox.c
index 9d0df417..9e30a07a 100644
--- a/src/xz/sandbox.c
+++ b/src/xz/sandbox.c
@@ -224,9 +224,17 @@ sandbox_init(void)
// These are all in ABI version 1 already. We don't need truncate
// rights because files are created with open() using O_EXCL and
// without O_TRUNC.
+ //
+ // LANDLOCK_ACCESS_FS_READ_DIR is included here to get a clear error
+ // message if xz is given a directory name. Without this permission
+ // the message would be "Permission denied" but with this permission
+ // it's "Is a directory, skipping". It could be worked around with
+ // stat()/lstat() but just giving this permission is simpler and
+ // shouldn't make the sandbox much weaker in practice.
const uint64_t required_rights
= LANDLOCK_ACCESS_FS_WRITE_FILE
| LANDLOCK_ACCESS_FS_READ_FILE
+ | LANDLOCK_ACCESS_FS_READ_DIR
| LANDLOCK_ACCESS_FS_REMOVE_FILE
| LANDLOCK_ACCESS_FS_MAKE_REG;
@@ -240,7 +248,9 @@ sandbox_enable_read_only(void)
{
// We will be opening files for reading but
// won't create or remove any files.
- const uint64_t required_rights = LANDLOCK_ACCESS_FS_READ_FILE;
+ const uint64_t required_rights
+ = LANDLOCK_ACCESS_FS_READ_FILE
+ | LANDLOCK_ACCESS_FS_READ_DIR;
enable_landlock(required_rights);
return;
}
@@ -256,6 +266,9 @@ sandbox_enable_strict_if_allowed(int src_fd lzma_attribute((__unused__)),
// Allow all restrictions that the kernel supports with the
// highest Landlock ABI version that the kernel or xz supports.
+ //
+ // NOTE: LANDLOCK_ACCESS_FS_READ_DIR isn't needed here because
+ // the only input file has already been opened.
enable_landlock(0);
return;
}