diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/xz/sandbox.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/src/xz/sandbox.c b/src/xz/sandbox.c index 9d0df417..9e30a07a 100644 --- a/src/xz/sandbox.c +++ b/src/xz/sandbox.c @@ -224,9 +224,17 @@ sandbox_init(void) // These are all in ABI version 1 already. We don't need truncate // rights because files are created with open() using O_EXCL and // without O_TRUNC. + // + // LANDLOCK_ACCESS_FS_READ_DIR is included here to get a clear error + // message if xz is given a directory name. Without this permission + // the message would be "Permission denied" but with this permission + // it's "Is a directory, skipping". It could be worked around with + // stat()/lstat() but just giving this permission is simpler and + // shouldn't make the sandbox much weaker in practice. const uint64_t required_rights = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_READ_FILE + | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_MAKE_REG; @@ -240,7 +248,9 @@ sandbox_enable_read_only(void) { // We will be opening files for reading but // won't create or remove any files. - const uint64_t required_rights = LANDLOCK_ACCESS_FS_READ_FILE; + const uint64_t required_rights + = LANDLOCK_ACCESS_FS_READ_FILE + | LANDLOCK_ACCESS_FS_READ_DIR; enable_landlock(required_rights); return; } @@ -256,6 +266,9 @@ sandbox_enable_strict_if_allowed(int src_fd lzma_attribute((__unused__)), // Allow all restrictions that the kernel supports with the // highest Landlock ABI version that the kernel or xz supports. + // + // NOTE: LANDLOCK_ACCESS_FS_READ_DIR isn't needed here because + // the only input file has already been opened. enable_landlock(0); return; } |