root
/
xz
mirror of https://git.tukaani.org/xz.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Build: Fix Linux Landlock feature test in Autotools and CMake builds. 

The previous Linux Landlock feature test assumed that having the
linux/landlock.h header file was enough. The new feature tests also
requires that prctl() and the required Landlock system calls are
supported.
This commit is contained in:
Jia Tan 2024-02-26 23:02:06 +08:00
parent eb8ad59e9b
commit 328c52da8a
5 changed files with 54 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
CMakeLists.txt
View File

@ -901,10 +901,29 @@ endif()
# Sandboxing: Landlock
if(NOT SANDBOX_FOUND AND ENABLE_SANDBOX MATCHES "^ON$|^landlock$")
check_include_file(linux/landlock.h HAVE_LINUX_LANDLOCK_H)
# A compile check is done here because some systems have
# linux/landlock.h, but do not have the syscalls defined
# in order to actually use Linux Landlock.
check_c_source_compiles("
#include <linux/landlock.h>
#include <sys/syscall.h>
#include <sys/prctl.h>
.
void my_sandbox(void)
{
(void)prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
(void)SYS_landlock_create_ruleset;
(void)SYS_landlock_restrict_self;
(void)LANDLOCK_CREATE_RULESET_VERSION;
return;
}
if(HAVE_LINUX_LANDLOCK_H)
set(SANDBOX_COMPILE_DEFINITION "HAVE_LINUX_LANDLOCK_H")
int main(void) { return 0; }
"
HAVE_LINUX_LANDLOCK)
if(HAVE_LINUX_LANDLOCK)
set(SANDBOX_COMPILE_DEFINITION "HAVE_LINUX_LANDLOCK")
set(SANDBOX_FOUND ON)
# Of our three sandbox methods, only Landlock is incompatible

27
configure.ac
View File

@ -1177,12 +1177,37 @@ AS_CASE([$enable_sandbox],
)
AS_CASE([$enable_sandbox],
[auto | landlock], [
AC_CHECK_HEADERS([linux/landlock.h], [
AC_MSG_CHECKING([if Linux Landlock is usable])
# A compile check is done here because some systems have
# linux/landlock.h, but do not have the syscalls defined
# in order to actually use Linux Landlock.
AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
#include <linux/landlock.h>
#include <sys/syscall.h>
#include <sys/prctl.h>
void my_sandbox(void)
{
(void)prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
(void)SYS_landlock_create_ruleset;
(void)SYS_landlock_restrict_self;
(void)LANDLOCK_CREATE_RULESET_VERSION;
return;
}
]])], [
enable_sandbox=found
AS_CASE([$CFLAGS], [*-fsanitize=*], [AC_MSG_ERROR([
CFLAGS contains '-fsanitize=' which is incompatible with the Landlock
sandboxing. Use --disable-sandbox when using '-fsanitize'.])])
AC_DEFINE([HAVE_LINUX_LANDLOCK], [1],
[Define to 1 if Linux Landlock is supported.
See configure.ac for details.])
AC_MSG_RESULT([yes])
], [
AC_MSG_RESULT([no])
])
]
)

2
src/xz/sandbox.c
View File

@ -109,7 +109,7 @@ sandbox_enable_strict_if_allowed(int src_fd lzma_attribute((__unused__)),
}
#elif defined(HAVE_LINUX_LANDLOCK_H)
#elif defined(HAVE_LINUX_LANDLOCK)
//////////////
// Landlock //

2
src/xz/sandbox.h
View File

@ -9,7 +9,7 @@
//
///////////////////////////////////////////////////////////////////////////////
#if defined(HAVE_PLEDGE) || defined(HAVE_LINUX_LANDLOCK_H) \
#if defined(HAVE_PLEDGE) || defined(HAVE_LINUX_LANDLOCK) \
|| defined(HAVE_CAP_RIGHTS_LIMIT)
# define ENABLE_SANDBOX 1
#endif

8
src/xzdec/xzdec.c
View File

@ -24,14 +24,14 @@
# include <sys/capsicum.h>
#endif
#ifdef HAVE_LINUX_LANDLOCK_H
#ifdef HAVE_LINUX_LANDLOCK
# include <linux/landlock.h>
# include <sys/prctl.h>
# include <sys/syscall.h>
#endif
#if defined(HAVE_CAP_RIGHTS_LIMIT) || defined(HAVE_PLEDGE) \
|| defined(HAVE_LINUX_LANDLOCK_H)
|| defined(HAVE_LINUX_LANDLOCK)
# define ENABLE_SANDBOX 1
#endif
@ -325,7 +325,7 @@ sandbox_enter(int src_fd)
goto error;
(void)src_fd;
#elif defined(HAVE_LINUX_LANDLOCK_H)
#elif defined(HAVE_LINUX_LANDLOCK)
int landlock_abi = syscall(SYS_landlock_create_ruleset,
(void *)NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
@ -389,7 +389,7 @@ main(int argc, char **argv)
}
#endif
#ifdef HAVE_LINUX_LANDLOCK_H
#ifdef HAVE_LINUX_LANDLOCK
// Prevent the process from gaining new privileges. The return
// is ignored to keep compatibility with old kernels.
(void)prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);