aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/xz/sandbox.c15
1 files changed, 14 insertions, 1 deletions
diff --git a/src/xz/sandbox.c b/src/xz/sandbox.c
index 9d0df417..9e30a07a 100644
--- a/src/xz/sandbox.c
+++ b/src/xz/sandbox.c
@@ -224,9 +224,17 @@ sandbox_init(void)
// These are all in ABI version 1 already. We don't need truncate
// rights because files are created with open() using O_EXCL and
// without O_TRUNC.
+ //
+ // LANDLOCK_ACCESS_FS_READ_DIR is included here to get a clear error
+ // message if xz is given a directory name. Without this permission
+ // the message would be "Permission denied" but with this permission
+ // it's "Is a directory, skipping". It could be worked around with
+ // stat()/lstat() but just giving this permission is simpler and
+ // shouldn't make the sandbox much weaker in practice.
const uint64_t required_rights
= LANDLOCK_ACCESS_FS_WRITE_FILE
| LANDLOCK_ACCESS_FS_READ_FILE
+ | LANDLOCK_ACCESS_FS_READ_DIR
| LANDLOCK_ACCESS_FS_REMOVE_FILE
| LANDLOCK_ACCESS_FS_MAKE_REG;
@@ -240,7 +248,9 @@ sandbox_enable_read_only(void)
{
// We will be opening files for reading but
// won't create or remove any files.
- const uint64_t required_rights = LANDLOCK_ACCESS_FS_READ_FILE;
+ const uint64_t required_rights
+ = LANDLOCK_ACCESS_FS_READ_FILE
+ | LANDLOCK_ACCESS_FS_READ_DIR;
enable_landlock(required_rights);
return;
}
@@ -256,6 +266,9 @@ sandbox_enable_strict_if_allowed(int src_fd lzma_attribute((__unused__)),
// Allow all restrictions that the kernel supports with the
// highest Landlock ABI version that the kernel or xz supports.
+ //
+ // NOTE: LANDLOCK_ACCESS_FS_READ_DIR isn't needed here because
+ // the only input file has already been opened.
enable_landlock(0);
return;
}