samples/landlock: Extend sample tool to support LANDLOCK_ACCESS_FS_TRUNCATE
Update the sandboxer sample to restrict truncate actions. This is automatically enabled by default if the running kernel supports LANDLOCK_ACCESS_FS_TRUNCATE, except for the paths listed in the LL_FS_RW environment variable. Signed-off-by: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20221018182216.301684-11-gnoack3000@gmail.com Signed-off-by: Mickaël Salaün <mic@digikod.net>
This commit is contained in:
parent
0d8c658be2
commit
faeb919766
|
@ -76,7 +76,8 @@ static int parse_path(char *env_path, const char ***const path_list)
|
|||
#define ACCESS_FILE ( \
|
||||
LANDLOCK_ACCESS_FS_EXECUTE | \
|
||||
LANDLOCK_ACCESS_FS_WRITE_FILE | \
|
||||
LANDLOCK_ACCESS_FS_READ_FILE)
|
||||
LANDLOCK_ACCESS_FS_READ_FILE | \
|
||||
LANDLOCK_ACCESS_FS_TRUNCATE)
|
||||
|
||||
/* clang-format on */
|
||||
|
||||
|
@ -160,11 +161,12 @@ out_free_name:
|
|||
LANDLOCK_ACCESS_FS_MAKE_FIFO | \
|
||||
LANDLOCK_ACCESS_FS_MAKE_BLOCK | \
|
||||
LANDLOCK_ACCESS_FS_MAKE_SYM | \
|
||||
LANDLOCK_ACCESS_FS_REFER)
|
||||
LANDLOCK_ACCESS_FS_REFER | \
|
||||
LANDLOCK_ACCESS_FS_TRUNCATE)
|
||||
|
||||
/* clang-format on */
|
||||
|
||||
#define LANDLOCK_ABI_LAST 2
|
||||
#define LANDLOCK_ABI_LAST 3
|
||||
|
||||
int main(const int argc, char *const argv[], char *const *const envp)
|
||||
{
|
||||
|
@ -234,6 +236,10 @@ int main(const int argc, char *const argv[], char *const *const envp)
|
|||
case 1:
|
||||
/* Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2 */
|
||||
ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
|
||||
__attribute__((fallthrough));
|
||||
case 2:
|
||||
/* Removes LANDLOCK_ACCESS_FS_TRUNCATE for ABI < 3 */
|
||||
ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
|
||||
|
||||
fprintf(stderr,
|
||||
"Hint: You should update the running kernel "
|
||||
|
|
Loading…
Reference in New Issue