xz: Landlock: Fix error message if input file is a directory.

If xz is given a directory, it should look like this:

    $ xz /usr/bin
    xz: /usr/bin: Is a directory, skipping

The Landlock rules didn't allow opening directories for reading:

    $ xz /usr/bin
    xz: /usr/bin: Permission denied

The simplest fix was to allow opening directories for reading.
While it's a bit silly to allow it solely for the error message,
it shouldn't make the sandbox significantly weaker.

The single-file use case (like when called from GNU tar) is
still as strict as possible: all Landlock restrictions are
enabled before (de)compression starts.
This commit is contained in:
Lasse Collin 2024-02-22 15:18:25 +02:00
parent 120da10ae1
commit de4337fd89
1 changed files with 14 additions and 1 deletions

View File

@ -224,9 +224,17 @@ sandbox_init(void)
// These are all in ABI version 1 already. We don't need truncate // These are all in ABI version 1 already. We don't need truncate
// rights because files are created with open() using O_EXCL and // rights because files are created with open() using O_EXCL and
// without O_TRUNC. // without O_TRUNC.
//
// LANDLOCK_ACCESS_FS_READ_DIR is included here to get a clear error
// message if xz is given a directory name. Without this permission
// the message would be "Permission denied" but with this permission
// it's "Is a directory, skipping". It could be worked around with
// stat()/lstat() but just giving this permission is simpler and
// shouldn't make the sandbox much weaker in practice.
const uint64_t required_rights const uint64_t required_rights
= LANDLOCK_ACCESS_FS_WRITE_FILE = LANDLOCK_ACCESS_FS_WRITE_FILE
| LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_FILE
| LANDLOCK_ACCESS_FS_READ_DIR
| LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE
| LANDLOCK_ACCESS_FS_MAKE_REG; | LANDLOCK_ACCESS_FS_MAKE_REG;
@ -240,7 +248,9 @@ sandbox_enable_read_only(void)
{ {
// We will be opening files for reading but // We will be opening files for reading but
// won't create or remove any files. // won't create or remove any files.
const uint64_t required_rights = LANDLOCK_ACCESS_FS_READ_FILE; const uint64_t required_rights
= LANDLOCK_ACCESS_FS_READ_FILE
| LANDLOCK_ACCESS_FS_READ_DIR;
enable_landlock(required_rights); enable_landlock(required_rights);
return; return;
} }
@ -256,6 +266,9 @@ sandbox_enable_strict_if_allowed(int src_fd lzma_attribute((__unused__)),
// Allow all restrictions that the kernel supports with the // Allow all restrictions that the kernel supports with the
// highest Landlock ABI version that the kernel or xz supports. // highest Landlock ABI version that the kernel or xz supports.
//
// NOTE: LANDLOCK_ACCESS_FS_READ_DIR isn't needed here because
// the only input file has already been opened.
enable_landlock(0); enable_landlock(0);
return; return;
} }