xzdec: Support Landlock ABI version 4
This was added to xz in 02e3505991, but I forgot to do the same in xzdec. The Landlock sandbox in xzdec could be stricter, as now it's active only for the last file being decompressed. In xz, a read-only sandbox is used for the multi-file case. On the other hand, xz doesn't go to the strictest mode when processing the last file when more than one file was specified; xzdec does.

(cherry picked from commit 3334c71d3d)
parent
bfe9be7a46
commit
f99e7c69ad
|
@ -28,6 +28,11 @@
|
||||||
# include <linux/landlock.h>
|
# include <linux/landlock.h>
|
||||||
# include <sys/prctl.h>
|
# include <sys/prctl.h>
|
||||||
# include <sys/syscall.h>
|
# include <sys/syscall.h>
|
||||||
|
# ifdef LANDLOCK_ACCESS_NET_BIND_TCP
|
||||||
|
# define LANDLOCK_ABI_MAX 4
|
||||||
|
# else
|
||||||
|
# define LANDLOCK_ABI_MAX 3
|
||||||
|
# endif
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(HAVE_CAP_RIGHTS_LIMIT) || defined(HAVE_PLEDGE) \
|
#if defined(HAVE_CAP_RIGHTS_LIMIT) || defined(HAVE_PLEDGE) \
|
||||||
|
@ -333,12 +338,17 @@ sandbox_enter(int src_fd)
|
||||||
(void *)NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
|
(void *)NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
|
||||||
|
|
||||||
if (landlock_abi > 0) {
|
if (landlock_abi > 0) {
|
||||||
// We support ABI versions 1-3.
|
if (landlock_abi > LANDLOCK_ABI_MAX)
|
||||||
if (landlock_abi > 3)
|
landlock_abi = LANDLOCK_ABI_MAX;
|
||||||
landlock_abi = 3;
|
|
||||||
|
|
||||||
const struct landlock_ruleset_attr attr = {
|
const struct landlock_ruleset_attr attr = {
|
||||||
.handled_access_fs = (1ULL << (12 + landlock_abi)) - 1
|
.handled_access_fs = (1ULL
|
||||||
|
<< (12 + my_min(3, landlock_abi))) - 1,
|
||||||
|
# if LANDLOCK_ABI_MAX >= 4
|
||||||
|
.handled_access_net = landlock_abi < 4 ? 0 :
|
||||||
|
(LANDLOCK_ACCESS_NET_BIND_TCP
|
||||||
|
| LANDLOCK_ACCESS_NET_CONNECT_TCP),
|
||||||
|
# endif
|
||||||
};
|
};
|
||||||
|
|
||||||
const int ruleset_fd = syscall(SYS_landlock_create_ruleset,
|
const int ruleset_fd = syscall(SYS_landlock_create_ruleset,
|
||||||
|
|