commit 9cefc4c1a6b51bc17dbf315d7b79a1da8a8dc846 from: Omar Polo date: Fri Feb 11 20:25:20 2022 UTC fix landlock usage: handled_access_fs must list all actions The ruleset's handled_access_fs has to list all the defined actions because otherwise missing ones are implicitly permitted. Thus, the previous version ended up allowing "almost everything" except reading files. Original diff from Mickaël Salaün, thanks! ok thomas commit - 5e997b01390a9de2b9cefa7c44375da470e447c6 commit + 9cefc4c1a6b51bc17dbf315d7b79a1da8a8dc846 blob - 8f67d1905a83866fe30126bd867be6af9ae4680c blob + 38ea2104f22cc12b748ebd82046d937ed5dadf8a
--- compat/landlock.c
+++ compat/landlock.c
@@ -70,13 +70,24 @@ int landlock_no_fs(void)
 {
 struct landlock_ruleset_attr rattr = {
- /*
- * handled_access_fs can't be zero! Even if we don't
- * add any path at all with landlock_add_rule, and thus
- * rejecting *any* filesystem access, we still have to
- * list some "possible actions" here.
+ /*
+ * List all capabilities currently defined by landlock.
+ * Failure in doing so will implicitly allow those actions
+ * (i.e. omitting READ_FILE will allow to read _any_ file.)
 */
- .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE,
+ .handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE | \
+ LANDLOCK_ACCESS_FS_READ_FILE | \
+ LANDLOCK_ACCESS_FS_READ_DIR | \
+ LANDLOCK_ACCESS_FS_WRITE_FILE | \
+ LANDLOCK_ACCESS_FS_REMOVE_DIR | \
+ LANDLOCK_ACCESS_FS_REMOVE_FILE | \
+ LANDLOCK_ACCESS_FS_MAKE_CHAR | \
+ LANDLOCK_ACCESS_FS_MAKE_DIR | \
+ LANDLOCK_ACCESS_FS_MAKE_REG | \
+ LANDLOCK_ACCESS_FS_MAKE_SOCK | \
+ LANDLOCK_ACCESS_FS_MAKE_FIFO | \
+ LANDLOCK_ACCESS_FS_MAKE_BLOCK | \
+ LANDLOCK_ACCESS_FS_MAKE_SYM,
 };
 int fd, saved_errno;
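Review bot: The new handled_access_fs initializer is a compile-time snapshot of the access rights the build headers happen to define, so by the very rule the commit message states, any right a newer kernel or a newer linux/landlock.h adds is silently permitted again, while a header newer than the running kernel makes the ruleset creation fail outright on the unknown bits (EINVAL per landlock(7)). I would have landlock_no_fs() query the kernel's ABI version first (landlock(7) documents passing NULL, 0 and LANDLOCK_CREATE_RULESET_VERSION to the create-ruleset call this file presumably wraps) and mask handled_access_fs down to the rights that ABI supports, and say so next to the list: `/* Must stay in sync with landlock(7): a right missing here is NOT denied, it is allowed. */`. As a point of style, the trailing `\` after each `|` is a line continuation that means nothing inside a plain initializer and can be dropped, e.g. `.handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE |`. landlock_no_fs() continues past the end of the hunk, so whether the creation result is checked there is not visible here.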