author | Chih-Hsuan Yen <645432-yan12125@users.noreply.gitlab.com> | 2024-09-15 11:49:53 +0800 |
---|---|---|
committer | Allan McRae <allan@archlinux.org> | 2024-09-28 00:35:10 +0000 |
commit | e80569f5dabfb91d073ee474f0194f69a12702e8 (patch) | |
tree | 9b0fa7d8701ab1b5cd150c6c0916d55a1180e9ac | |
parent | 60ec2684584b8a6a9d3be43ec2d6881e5eb84ed2 (diff) |
Correctly configure landlock for older ABIs
For example, with landlock ABI < 3, LANDLOCK_ACCESS_FS_TRUNCATE is not
set in ruleset_attr.handled_access_fs, so it should not be set in
path_beneath.allowed_access either. Otherwise, landlock_add_rule fails
with -EINVAL, and pacman complains:
> error: restricting filesystem access failed because the landlock rule for the temporary download directory could not be added!
The change is tested on Debian Bookworm kernel
linux-image-6.1.0-25-cloud-amd64 6.1.106-3.
-rw-r--r-- | lib/libalpm/sandbox_fs.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/libalpm/sandbox_fs.c b/lib/libalpm/sandbox_fs.c index c97f355e..94bbb104 100644 --- a/lib/libalpm/sandbox_fs.c +++ b/lib/libalpm/sandbox_fs.c @@ -150,6 +150,9 @@ bool _alpm_sandbox_fs_restrict_writes_to(alpm_handle_t *handle, const char *path path_beneath.parent_fd = open(path, O_PATH | O_CLOEXEC | O_DIRECTORY); path_beneath.allowed_access = _LANDLOCK_ACCESS_FS_READ | _LANDLOCK_ACCESS_FS_WRITE | _LANDLOCK_ACCESS_FS_TRUNCATE; + /* make sure allowed_access is a subset of handled_access_fs, which may change for older landlock ABI */ + path_beneath.allowed_access &= ruleset_attr.handled_access_fs; + if(landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &path_beneath, 0) == 0) { if(landlock_restrict_self(ruleset_fd, 0)) { _alpm_log(handle, ALPM_LOG_ERROR, _("restricting filesystem access failed because the landlock ruleset could not be applied!\n")); |
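Review bot: the comment above the added `path_beneath.allowed_access &= ruleset_attr.handled_access_fs;` line says handled_access_fs "may change for older landlock ABI" but does not say what breaks without the mask. Consider stating in the comment that landlock_add_rule() rejects the rule with EINVAL when allowed_access contains a bit not present in handled_access_fs, as the commit message describes for LANDLOCK_ACCESS_FS_TRUNCATE on ABI < 3, so the reason for the line survives outside the commit log. The mask is only correct if ruleset_attr.handled_access_fs has already been reduced for the running ABI before this point, which happens outside the visible hunk and is worth confirming. Separately, in the visible context nothing checks path_beneath.parent_fd between the open() call and landlock_add_rule(), so a failed open would surface as the same "rule could not be added" failure; checking the descriptor and logging errno on that path would make the two cases distinguishable.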