xzdec: Use my_landlock.h

Lasse Collin 2025-01-02 15:32:10 +02:00
parent 38cb8ec9fd
commit 0fc5a625d7
No known key found for this signature in database
GPG Key ID: 38EE757D69184620
2 changed files with 7 additions and 28 deletions


@ -1940,6 +1940,7 @@ if(HAVE_DECODERS)
foreach(XZDEC ${XZDEC_TOOLS}) foreach(XZDEC ${XZDEC_TOOLS})
add_executable("${XZDEC}" add_executable("${XZDEC}"
src/common/my_landlock.h
src/common/sysdefs.h src/common/sysdefs.h
src/common/tuklib_common.h src/common/tuklib_common.h
src/common/tuklib_config.h src/common/tuklib_config.h


@ -26,14 +26,7 @@
#endif #endif
#ifdef HAVE_LINUX_LANDLOCK #ifdef HAVE_LINUX_LANDLOCK
# include <linux/landlock.h> # include "my_landlock.h"
# include <sys/prctl.h>
# include <sys/syscall.h>
# ifdef LANDLOCK_ACCESS_NET_BIND_TCP
# define LANDLOCK_ABI_MAX 4
# else
# define LANDLOCK_ABI_MAX 3
# endif
#endif #endif
#if defined(HAVE_CAP_RIGHTS_LIMIT) || defined(HAVE_PLEDGE) \ #if defined(HAVE_CAP_RIGHTS_LIMIT) || defined(HAVE_PLEDGE) \
@ -338,32 +331,17 @@ sandbox_enter(int src_fd)
(void)src_fd; (void)src_fd;
#elif defined(HAVE_LINUX_LANDLOCK) #elif defined(HAVE_LINUX_LANDLOCK)
int landlock_abi = syscall(SYS_landlock_create_ruleset, struct landlock_ruleset_attr attr;
(void *)NULL, 0, LANDLOCK_CREATE_RULESET_VERSION); if (my_landlock_ruleset_attr_forbid_all(&attr) > 0) {
const int ruleset_fd = my_landlock_create_ruleset(
if (landlock_abi > 0) { &attr, sizeof(attr), 0);
if (landlock_abi > LANDLOCK_ABI_MAX)
landlock_abi = LANDLOCK_ABI_MAX;
const struct landlock_ruleset_attr attr = {
.handled_access_fs = (1ULL
<< (12 + my_min(3, landlock_abi))) - 1,
# if LANDLOCK_ABI_MAX >= 4
.handled_access_net = landlock_abi < 4 ? 0 :
(LANDLOCK_ACCESS_NET_BIND_TCP
| LANDLOCK_ACCESS_NET_CONNECT_TCP),
# endif
};
const int ruleset_fd = syscall(SYS_landlock_create_ruleset,
&attr, sizeof(attr), 0U);
if (ruleset_fd < 0) if (ruleset_fd < 0)
goto error; goto error;
// All files we need should have already been opened. Thus, // All files we need should have already been opened. Thus,
// we don't need to add any rules using landlock_add_rule(2) // we don't need to add any rules using landlock_add_rule(2)
// before activating the sandbox. // before activating the sandbox.
if (syscall(SYS_landlock_restrict_self, ruleset_fd, 0U) != 0) if (my_landlock_restrict_self(ruleset_fd, 0) != 0)
goto error; goto error;
} }
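Review bot: When `my_landlock_ruleset_attr_forbid_all(&attr)` returns zero or a negative value, the whole block in `sandbox_enter()` is skipped and the process carries on unsandboxed without reaching `error`; with the ABI probing moved into the helper, nothing at this call site says that this is intended. Assuming the helper returns the supported Landlock ABI version and a non-positive result means the kernel lacks Landlock, a comment such as `// <= 0 means Landlock is unavailable; continue without a sandbox so older kernels keep working.` above the `if` would record the fail-open choice. Dropping `<sys/prctl.h>` and `<sys/syscall.h>` also means that any remaining `prctl()` call in this file (for example one setting no_new_privs, which `landlock_restrict_self` needs for an unprivileged process) now depends on `my_landlock.h` including those headers. That is worth confirming, since the header is not shown on this page. `sandbox_enter()` starts before and continues past the visible lines.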