authorLasse Collin <lasse.collin@tukaani.org>2024-02-17 23:07:35 +0200
committerLasse Collin <lasse.collin@tukaani.org>2024-02-17 23:07:35 +0200
commit02e3505991233901575b7eabc06b2c6c62a96899 (patch)
treef3d8729f9fc5655bbc870b377510b17034d13e56 /src
parentxz: Move sandboxing code to sandbox.c and improve Landlock sandbox. (diff)
xz: Support Landlock ABI version 4.
Linux 6.7 added support for ABI version 4, which can restrict TCP connections. xz won't need those, so they can be forbidden now. Since the ABI version is handled at runtime, supporting version 4 won't cause any compatibility issues. Note that new enough kernel headers are required to get version 4 support enabled at build time.
Diffstat (limited to 'src')
-rw-r--r--src/xz/sandbox.c25
1 files changed, 20 insertions, 5 deletions
diff --git a/src/xz/sandbox.c b/src/xz/sandbox.c
index 2c40db71..8a2c115c 100644
--- a/src/xz/sandbox.c
+++ b/src/xz/sandbox.c
@@ -107,8 +107,18 @@ sandbox_enable_strict_if_allowed(int src_fd lzma_attribute((__unused__)),
#include <sys/prctl.h>
-// Highest Landlock ABI version supported by this file
-#define LANDLOCK_ABI_MAX 3
+// Highest Landlock ABI version supported by this file:
+// - For ABI versions 1-3 we don't need anything from <linux/landlock.h>
+// that isn't part of version 1.
+// - For ABI version 4 we need the larger struct landlock_ruleset_attr
+// with the handled_access_net member. That is bundled with the macros
+// LANDLOCK_ACCESS_NET_BIND_TCP and LANDLOCK_ACCESS_NET_CONNECT_TCP.
+#ifdef LANDLOCK_ACCESS_NET_BIND_TCP
+# define LANDLOCK_ABI_MAX 4
+#else
+# define LANDLOCK_ABI_MAX 3
+#endif
+
/// Landlock ABI version supported by the kernel
static int landlock_abi;
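Review bot: The `#ifdef LANDLOCK_ACCESS_NET_BIND_TCP` branch makes the TCP restriction a build-time property, so a binary built against headers older than ABI 4 will never forbid TCP bind/connect even when it runs on a kernel that supports it; the commit message says this, but the comment in the code does not, and that is where a packager auditing the sandbox will look. I would add to the comment above the `#ifdef`: `// NOTE: If the build headers lack ABI 4, LANDLOCK_ABI_MAX stays at 3 and` / `// network access is never restricted, regardless of the running kernel.` The same build-time dependence also governs the `#if LANDLOCK_ABI_MAX >= 4` block in the second hunk, which continues past the visible part of this page. The comment's claim that `handled_access_net` is bundled with the two macros is an assumption about the header layout; if it is worth protecting against, a `_Static_assert(sizeof(struct landlock_ruleset_attr) > sizeof(uint64_t), ...)` next to the `#define LANDLOCK_ABI_MAX 4` would make a mismatch fail at compile time rather than at the syscall.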
@@ -142,10 +152,15 @@ enable_landlock(uint64_t required_rights)
//
// This makes it simple to set the mask based on the ABI
// version and we don't need to care which flags are #defined
- // in the installed <linux/landlock.h>.
+ // in the installed <linux/landlock.h> for ABI versions 1-3.
const struct landlock_ruleset_attr attr = {
- .handled_access_fs = ((1ULL << (12 + landlock_abi)) - 1)
- & ~required_rights,
+ .handled_access_fs = ~required_rights
+ & ((1ULL << (12 + my_min(3, landlock_abi))) - 1),
+#if LANDLOCK_ABI_MAX >= 4
+ .handled_access_net = landlock_abi < 4 ? 0 :
+ (LANDLOCK_ACCESS_NET_BIND_TCP
+ | LANDLOCK_ACCESS_NET_CONNECT_TCP),
+#endif
};
const int ruleset_fd = syscall(SYS_landlock_create_ruleset,