commit dc607f079dc09cab9843a918024c3771f5214f05 from: Omar Polo date: Sun Jul 16 16:11:22 2023 UTC support landlock ABI v2 and v3 Add the right #ifdef for backward-compatibility and block REFER and TRUNCATE as well, otherwise they're silently and implicitly allowed. The funny part is that LANDLOCK_ACCESS_FS_TRUNCATE doesn't even need write permissions. ok thomas commit - 3530f6ee16aaaddef48c026e2dab926bd7f2ef36 commit + dc607f079dc09cab9843a918024c3771f5214f05 blob - b6c32dad6cdbc3675520fd2632841f96ab8be1c7 blob + 3a9158dd54f0f2e7eb4a9e9ec82f9927159eb553 --- compat/landlock.c +++ compat/landlock.c @@ -58,6 +58,19 @@ landlock_restrict_self(int ruleset_fd, __u32 flags) #endif /* + * Maybe we should ship with a full copy of the linux headers because + * you never know... + */ + +#ifndef LANDLOCK_ACCESS_FS_REFER +#define LANDLOCK_ACCESS_FS_REFER (1ULL << 13) +#endif + +#ifndef LANDLOCK_ACCESS_FS_TRUNCATE +#define LANDLOCK_ACCESS_FS_TRUNCATE (1ULL << 14) +#endif + +/* * Revoke any fs access. */ int @@ -81,21 +94,31 @@ landlock_no_fs(void) LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | - LANDLOCK_ACCESS_FS_MAKE_SYM, + LANDLOCK_ACCESS_FS_MAKE_SYM | + LANDLOCK_ACCESS_FS_REFER | + LANDLOCK_ACCESS_FS_TRUNCATE, }; - int fd, saved_errno; + int fd, abi, saved_errno; if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) return -1; - fd = landlock_create_ruleset(&rattr, sizeof(rattr), 0); - if (fd == -1) { + abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION); + if (abi == -1) { /* this kernel doesn't have landlock built in */ if (errno == ENOSYS || errno == EOPNOTSUPP) return 0; return -1; } + if (abi < 2) + rattr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER; + if (abi < 3) + rattr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE; + fd = landlock_create_ruleset(&rattr, sizeof(rattr), 0); + if (fd == -1) + return -1; + if (landlock_restrict_self(fd, 0)) { saved_errno = errno; close(fd);