Commit Diff


commit - d5df63dab35a6063d2fa0b9abfdbd8fd9a50deb8
commit + 762ddcd8e63f22e481054b5046adb0f913f2bada
blob - dc6c5b47ca22fd7c72e5f927a8779a2b71e8e2f7
blob + 258337e16f81c1150f8b245693b587afe86be143
--- libexec/got-read-patch/got-read-patch.c
+++ libexec/got-read-patch/got-read-patch.c
@@ -448,6 +448,13 @@ main(int argc, char **argv)
 		got_privsep_send_error(&ibuf, err);
 		return 1;
 	}
+
+	/* revoke fs access */
+	if (landlock_no_fs() == -1) {
+		err = got_error_from_errno("landlock_no_fs");
+		got_privsep_send_error(&ibuf, err);
+		return 1;
+	}
 #endif
 
 	err = got_privsep_recv_imsg(&imsg, &ibuf, 0);
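Review bot: The added `landlock_no_fs() == -1` check does not show what happens on a kernel without Landlock support, and that matters either way. If the call returns -1 there, got-read-patch exits before it reads its first imsg; if it returns 0, the helper keeps filesystem access and nothing records that the restriction was skipped. I would expand the comment to state the intent, for example `/* revoke fs access: from here on all input is expected to arrive as fds over ibuf */`, with one more line naming the intended behaviour on an unsupported kernel. The call also sits just before an `#endif` whose opening directive is outside the hunk, so it is worth confirming that a build which compiles that block out is not meant to keep the filesystem restriction. main's body starts and continues outside the hunk.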