xz: Landlock: Fix error message if input file is a directory.
If xz is given a directory, it should look like this:

    $ xz /usr/bin
    xz: /usr/bin: Is a directory, skipping

The Landlock rules didn't allow opening directories for reading:

    $ xz /usr/bin
    xz: /usr/bin: Permission denied

The simplest fix was to allow opening directories for reading. While it's a bit silly to allow it solely for the error message, it shouldn't make the sandbox significantly weaker. The single-file use case (like when called from GNU tar) is still as strict as possible: all Landlock restrictions are enabled before (de)compression starts.
parent
120da10ae1
commit
de4337fd89
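--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -224,9 +224,17 @@ sandbox_init(void)
 // These are all in ABI version 1 already. We don't need truncate
 // rights because files are created with open() using O_EXCL and
 // without O_TRUNC.
+//
+// LANDLOCK_ACCESS_FS_READ_DIR is included here to get a clear error
+// message if xz is given a directory name. Without this permission
+// the message would be "Permission denied" but with this permission
+// it's "Is a directory, skipping". It could be worked around with
+// stat()/lstat() but just giving this permission is simpler and
+// shouldn't make the sandbox much weaker in practice.
 const uint64_t required_rights
 = LANDLOCK_ACCESS_FS_WRITE_FILE
 | LANDLOCK_ACCESS_FS_READ_FILE
+| LANDLOCK_ACCESS_FS_READ_DIR
 | LANDLOCK_ACCESS_FS_REMOVE_FILE
 | LANDLOCK_ACCESS_FS_MAKE_REG;
 
@@ -240,7 +248,9 @@ sandbox_enable_read_only(void)
 {
 // We will be opening files for reading but
 // won't create or remove any files.
-const uint64_t required_rights = LANDLOCK_ACCESS_FS_READ_FILE;
+const uint64_t required_rights
+= LANDLOCK_ACCESS_FS_READ_FILE
+| LANDLOCK_ACCESS_FS_READ_DIR;
 enable_landlock(required_rights);
 return;
 }
@@ -256,6 +266,9 @@ sandbox_enable_strict_if_allowed(int src_fd lzma_attribute((__unused__)),
 
 // Allow all restrictions that the kernel supports with the
 // highest Landlock ABI version that the kernel or xz supports.
+//
+// NOTE: LANDLOCK_ACCESS_FS_READ_DIR isn't needed here because
+// the only input file has already been opened.
 enable_landlock(0);
 return;
 }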
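Review bot: In the sandbox_enable_read_only() hunk the comment still says only that files are opened for reading, while the rights set below it now also carries LANDLOCK_ACCESS_FS_READ_DIR, so a reader of this function cannot see why the directory right is granted. LANDLOCK_ACCESS_FS_READ_DIR allows opening a directory and listing its contents, which is more capability than the open()-then-"Is a directory" path the change needs, so the trade-off is worth naming at the site that grants it rather than only in sandbox_init(). Suggest extending the comment above `required_rights` with `// LANDLOCK_ACCESS_FS_READ_DIR is granted only so that a directory argument fails with "Is a directory, skipping" instead of "Permission denied"; see the comment in sandbox_init().` The sandbox_init() hunk's comment could likewise state that the right also permits directory listing, so the "shouldn't make the sandbox much weaker" judgement is made with that in view. The signature of sandbox_enable_read_only() appears only in the hunk header, and sandbox_init() continues outside its hunk.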