Blob
- Date:
- Message:
- portable: add support for landlock

  landlock is a new set of linux APIs that is conceptually similar to unveil(2): the idea is to restrict what a process can do on a specified part of the filesystem. There are some differences in the behaviour: the major one being that the landlock ruleset is inherited across execve(2).

  This just restricts the libexec helpers by completely revoking ANY filesystem access; after all they are the biggest attack surface. got send/fetch/clone *may* end up spawning ssh(1), so at the moment it is not possible to landlock the main process.

  From Omar Polo.
```makefile
noinst_LIBRARIES = libopenbsd-compat.a

include $(top_builddir)/Makefile.common


libopenbsd_compat_a_SOURCES = \
	asprintf.c \
	base64.c \
	closefrom.c \
	fmt_scaled.c \
	freezero.c \
	getdtablecount.c \
	getopt.c \
	getprogname.c \
	imsg-buffer.c \
	imsg.c \
	merge.c \
	reallocarray.c \
	recallocarray.c \
	strlcat.c \
	strlcpy.c \
	strndup.c \
	strnlen.c \
	strsep.c \
	strtonum.c \
	imsg.h \
	queue.h \
	tree.h
if HOST_FREEBSD
else
libopenbsd_compat_a_SOURCES += uuid.c
endif

if HAVE_LINUX_LANDLOCK
libopenbsd_compat_a_SOURCES += landlock.c
endif

EXTRA_DIST = \
	$(top_srcdir)/include/got_compat.h \
	imsg.h \
	queue.h \
	tree.h
```
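The commit message describes revoking all filesystem access for the libexec helpers. The following is an added example, not the project's `landlock.c`: a forked child stands in for a helper, applies a Landlock ruleset that handles every ABI v1 filesystem right with no rules attached, and then finds `open(2)` denied. The names `ll_ruleset_attr`, `LL_*`, `landlock_no_fs` and `helper_loses_fs_access` are this example's own, and the Landlock ABI v1 definitions are copied locally on the assumption that `<linux/landlock.h>` may be missing from the build host.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Local copies of the Landlock ABI v1 definitions (names are this example's). */
struct ll_ruleset_attr { uint64_t handled_access_fs; };
#define LL_ACCESS_FS_ALL_V1 ((UINT64_C(1) << 13) - 1) /* EXECUTE .. MAKE_SYM */
#define LL_SYS_CREATE_RULESET 444
#define LL_SYS_RESTRICT_SELF 446

/* Handle every v1 filesystem right and add no rule: nothing stays allowed. */
static int landlock_no_fs(void)
{
	struct ll_ruleset_attr attr = { .handled_access_fs = LL_ACCESS_FS_ALL_V1 };
	int fd, r;

	fd = (int)syscall(LL_SYS_CREATE_RULESET, &attr, sizeof(attr), 0);
	if (fd == -1)
		return -1; /* no Landlock in this kernel, or it is disabled */
	r = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); /* required when unprivileged */
	if (r == 0)
		r = (int)syscall(LL_SYS_RESTRICT_SELF, fd, 0);
	close(fd);
	return r;
}

/* 1: sandboxed child was denied; 0: Landlock unavailable; -1: access leaked. */
int helper_loses_fs_access(void)
{
	int status;
	pid_t pid = fork();

	if (pid == 0) { /* stands in for a libexec helper */
		if (landlock_no_fs() == -1)
			_exit(2);
		_exit(open("/", O_RDONLY) == -1 && errno == EACCES ? 0 : 1);
	}
	if (pid == -1 || waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
		return -1;
	return WEXITSTATUS(status) == 0 ? 1 : WEXITSTATUS(status) == 2 ? 0 : -1;
}

int main(void) { return helper_loses_fs_access() == -1; }
```

Because `LANDLOCK_ACCESS_FS_EXECUTE` is among the handled rights and the domain survives `execve(2)`, a process restricted this way cannot start another program, which is the constraint the commit message gives for leaving the main process unrestricted.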