From 374868d81d473ab56556a1cfd6b1b36a1fab348b Mon Sep 17 00:00:00 2001
From: Lasse Collin <lasse.collin@tukaani.org>
Date: Sat, 17 Feb 2024 23:07:35 +0200
Subject: xz: Move sandboxing code to sandbox.c and improve Landlock sandbox.

Landlock is now always used just like pledge(2) is: first in more
permissive mode and later (under certain common conditions) in
a strict mode that doesn't allow opening more files.

I put pledge(2) first in sandbox.c because it's the simplest API
to use and still somewhat fine-grained for basic applications.
So it's the simplest thing to understand for anyone reading sandbox.c.
---
 CMakeLists.txt | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'CMakeLists.txt')

diff --git a/CMakeLists.txt b/CMakeLists.txt
index f30a82b6..96ff980b 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1393,6 +1393,8 @@ if(NOT MSVC OR MSVC_VERSION GREATER_EQUAL 1900)
         src/xz/options.c
         src/xz/options.h
         src/xz/private.h
+        src/xz/sandbox.c
+        src/xz/sandbox.h
         src/xz/signals.c
         src/xz/signals.h
         src/xz/suffix.c
-- 
cgit v1.2.3