From 3334c71d3d4294a4f6569df3ba9bcf2443dfa501 Mon Sep 17 00:00:00 2001
From: Lasse Collin
Date: Fri, 19 Apr 2024 12:11:09 +0300
Subject: [PATCH] xzdec: Support Landlock ABI version 4
This was added to xz in 02e3505991233901575b7eabc06b2c6c62a96899 but I forgot to do the same in xzdec. The Landlock sandbox in xzdec could be stricter as now it's active only for the last file being decompressed. In xz, read-only sandbox is used for multi-file case. On the other hand, xz doesn't go to the strictest mode when processing the last file when more than one file was specified; xzdec does.
---
 src/xzdec/xzdec.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/src/xzdec/xzdec.c b/src/xzdec/xzdec.c
index adfa17e8..4d881748 100644
--- a/src/xzdec/xzdec.c
+++ b/src/xzdec/xzdec.c
@@ -28,6 +28,11 @@
 # include
 # include
 # include
+# ifdef LANDLOCK_ACCESS_NET_BIND_TCP
+# define LANDLOCK_ABI_MAX 4
+# else
+# define LANDLOCK_ABI_MAX 3
+# endif
 #endif
 #if defined(HAVE_CAP_RIGHTS_LIMIT) || defined(HAVE_PLEDGE) \
@@ -333,12 +338,17 @@ sandbox_enter(int src_fd)
 (void *)NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
 if (landlock_abi > 0) {
- // We support ABI versions 1-3.
- if (landlock_abi > 3)
- landlock_abi = 3;
+ if (landlock_abi > LANDLOCK_ABI_MAX)
+ landlock_abi = LANDLOCK_ABI_MAX;
 const struct landlock_ruleset_attr attr = {
- .handled_access_fs = (1ULL << (12 + landlock_abi)) - 1
+ .handled_access_fs = (1ULL
+ << (12 + my_min(3, landlock_abi))) - 1,
+# if LANDLOCK_ABI_MAX >= 4
+ .handled_access_net = landlock_abi < 4 ? 0 :
+ (LANDLOCK_ACCESS_NET_BIND_TCP
+ | LANDLOCK_ACCESS_NET_CONNECT_TCP),
+# endif
 };
 const int ruleset_fd = syscall(SYS_landlock_create_ruleset,
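Review bot: The new `LANDLOCK_ABI_MAX` definition in the include block carries no comment saying that the highest supported ABI is fixed at build time by the installed Landlock header. That matters for the sandbox's strength: a binary built against headers without `LANDLOCK_ACCESS_NET_BIND_TCP` clamps to 3 and leaves TCP bind/connect unhandled even on a kernel that reports ABI 4. I would add above the `# ifdef`: `// ABI 4 adds the LANDLOCK_ACCESS_NET_* rights; headers without them cap us at ABI 3.` The conditional that this block sits in opens outside the hunk.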
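Review bot: The rewritten `.handled_access_fs` initializer in `sandbox_enter()` relies on the bare numbers `12`, `3` and `4`, and the commit deletes the only explanatory comment (`// We support ABI versions 1-3.`) without replacing it. The clamp `my_min(3, landlock_abi)` is what keeps the filesystem mask valid, because ABI 4 adds only network rights. The shift formula also assumes each ABI up to 3 adds exactly one filesystem bit, so a later bump of `LANDLOCK_ABI_MAX` needs the expression revisited. I would add above the struct: `// ABI 1-3 each add one fs access bit (13, 14, 15 in total); ABI 4 adds only TCP bind/connect.` The function begins and ends outside this hunk, so how a failed ruleset creation is handled cannot be judged from here.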