From 8276c7f41c671eee4aa3239490658b23dcfd3021 Mon Sep 17 00:00:00 2001 From: Lasse Collin Date: Mon, 9 Oct 2023 22:07:52 +0300 Subject: xz: Support basic sandboxing with Linux Landlock (ABI versions 1-3). It is enabled only when decompressing one file to stdout, similar to how Capsicum is used. Landlock was added in Linux 5.13. --- configure.ac | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'configure.ac') diff --git a/configure.ac b/configure.ac index 9d35071a..00a9e3c0 100644 --- a/configure.ac +++ b/configure.ac @@ -519,7 +519,7 @@ AM_CONDITIONAL([COND_DOC], [test x$enable_doc != xno]) AC_MSG_CHECKING([if sandboxing should be used]) AC_ARG_ENABLE([sandbox], [AS_HELP_STRING([--enable-sandbox=METHOD], [Sandboxing METHOD can be - 'auto', 'no', 'capsicum', or 'pledge'. + 'auto', 'no', 'capsicum', 'pledge', or 'landlock'. The default is 'auto' which enables sandboxing if a supported sandboxing method is found.])], [], [enable_sandbox=auto]) @@ -527,12 +527,12 @@ case $enable_sandbox in auto) AC_MSG_RESULT([maybe (autodetect)]) ;; - no | capsicum | pledge) + no | capsicum | pledge | landlock) AC_MSG_RESULT([$enable_sandbox]) ;; *) AC_MSG_RESULT([]) - AC_MSG_ERROR([--enable-sandbox only accepts 'auto', 'no', 'capsicum', or 'pledge'.]) + AC_MSG_ERROR([--enable-sandbox only accepts 'auto', 'no', 'capsicum', 'pledge', or 'landlock'.]) ;; esac @@ -1059,6 +1059,11 @@ AS_CASE([$enable_sandbox], AC_CHECK_FUNCS([pledge], [enable_sandbox=found]) ] ) +AS_CASE([$enable_sandbox], + [auto | landlock], [ + AC_CHECK_HEADERS([linux/landlock.h], [enable_sandbox=found]) + ] +) # If a specific sandboxing method was explicitly requested and it wasn't # found, give an error. -- cgit v1.2.3
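Review bot: In the last hunk, `AC_CHECK_HEADERS([linux/landlock.h], [enable_sandbox=found])` accepts the mere presence of the kernel UAPI header as proof that the sandbox can be built, which is weaker than the `AC_CHECK_FUNCS([pledge], ...)` test just above it. Landlock is normally reached through `syscall()`, so a build host with recent kernel headers but older libc headers may have the header and still lack the `SYS_landlock_*` numbers. Consider nesting `AC_CHECK_DECL([SYS_landlock_create_ruleset], [enable_sandbox=found], [], [[#include <sys/syscall.h>]])` inside the header-found action; the C code guarded by `HAVE_LINUX_LANDLOCK_H` is not visible in this configure.ac-only view and would need to key off the same condition. The test also says nothing about the kernel the binary later runs on (the commit message notes Landlock arrived in Linux 5.13), so the runtime side should presumably probe the ABI with `LANDLOCK_CREATE_RULESET_VERSION` and decide deliberately whether running unsandboxed is acceptable. A comment above the new `AS_CASE` would record this: `# Header presence is a build-time check only; kernel support is probed at run time.`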