summaryrefslogtreecommitdiff
path: root/samples/landlock
diff options
context:
space:
mode:
authorGünther Noack <gnoack3000@gmail.com>2022-10-18 20:22:15 +0200
committerMickaël Salaün <mic@digikod.net>2022-10-19 09:01:47 +0200
commitfaeb9197669c23d983f6485d278b20f0194432f4 (patch)
tree7b237d996b8d075d38078dedc47d0522b533285a /samples/landlock
parent0d8c658be264eb2106349c50377ef8a81edc0106 (diff)
samples/landlock: Extend sample tool to support LANDLOCK_ACCESS_FS_TRUNCATE
Update the sandboxer sample to restrict truncate actions. This is automatically enabled by default if the running kernel supports LANDLOCK_ACCESS_FS_TRUNCATE, except for the paths listed in the LL_FS_RW environment variable. Signed-off-by: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20221018182216.301684-11-gnoack3000@gmail.com Signed-off-by: Mickaël Salaün <mic@digikod.net>
Diffstat (limited to 'samples/landlock')
-rw-r--r--samples/landlock/sandboxer.c12
1 files changed, 9 insertions, 3 deletions
diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
index f29bb3c72230..fd4237c64fb2 100644
--- a/samples/landlock/sandboxer.c
+++ b/samples/landlock/sandboxer.c
@@ -76,7 +76,8 @@ static int parse_path(char *env_path, const char ***const path_list)
#define ACCESS_FILE ( \
LANDLOCK_ACCESS_FS_EXECUTE | \
LANDLOCK_ACCESS_FS_WRITE_FILE | \
- LANDLOCK_ACCESS_FS_READ_FILE)
+ LANDLOCK_ACCESS_FS_READ_FILE | \
+ LANDLOCK_ACCESS_FS_TRUNCATE)
/* clang-format on */
@@ -160,11 +161,12 @@ out_free_name:
LANDLOCK_ACCESS_FS_MAKE_FIFO | \
LANDLOCK_ACCESS_FS_MAKE_BLOCK | \
LANDLOCK_ACCESS_FS_MAKE_SYM | \
- LANDLOCK_ACCESS_FS_REFER)
+ LANDLOCK_ACCESS_FS_REFER | \
+ LANDLOCK_ACCESS_FS_TRUNCATE)
/* clang-format on */
-#define LANDLOCK_ABI_LAST 2
+#define LANDLOCK_ABI_LAST 3
int main(const int argc, char *const argv[], char *const *const envp)
{
@@ -234,6 +236,10 @@ int main(const int argc, char *const argv[], char *const *const envp)
case 1:
/* Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2 */
ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
+ __attribute__((fallthrough));
+ case 2:
+ /* Removes LANDLOCK_ACCESS_FS_TRUNCATE for ABI < 3 */
+ ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
fprintf(stderr,
"Hint: You should update the running kernel "
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-21 17:14:02 +0000