summaryrefslogtreecommitdiff
path: root/samples/landlock/sandboxer.c
diff options
context:
space:
mode:
Diffstat (limited to 'samples/landlock/sandboxer.c')
-rw-r--r--samples/landlock/sandboxer.c37
1 files changed, 29 insertions, 8 deletions
diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
index 3e404e51ec64..f29bb3c72230 100644
--- a/samples/landlock/sandboxer.c
+++ b/samples/landlock/sandboxer.c
@@ -162,11 +162,10 @@ out_free_name:
LANDLOCK_ACCESS_FS_MAKE_SYM | \
LANDLOCK_ACCESS_FS_REFER)
-#define ACCESS_ABI_2 ( \
- LANDLOCK_ACCESS_FS_REFER)
-
/* clang-format on */
+#define LANDLOCK_ABI_LAST 2
+
int main(const int argc, char *const argv[], char *const *const envp)
{
const char *cmd_path;
@@ -196,8 +195,12 @@ int main(const int argc, char *const argv[], char *const *const envp)
"\nexample:\n"
"%s=\"/bin:/lib:/usr:/proc:/etc:/dev/urandom\" "
"%s=\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" "
- "%s bash -i\n",
+ "%s bash -i\n\n",
ENV_FS_RO_NAME, ENV_FS_RW_NAME, argv[0]);
+ fprintf(stderr,
+ "This sandboxer can use Landlock features "
+ "up to ABI version %d.\n",
+ LANDLOCK_ABI_LAST);
return 1;
}
@@ -225,12 +228,30 @@ int main(const int argc, char *const argv[], char *const *const envp)
}
return 1;
}
+
/* Best-effort security. */
- if (abi < 2) {
- ruleset_attr.handled_access_fs &= ~ACCESS_ABI_2;
- access_fs_ro &= ~ACCESS_ABI_2;
- access_fs_rw &= ~ACCESS_ABI_2;
+ switch (abi) {
+ case 1:
+ /* Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2 */
+ ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
+
+ fprintf(stderr,
+ "Hint: You should update the running kernel "
+ "to leverage Landlock features "
+ "provided by ABI version %d (instead of %d).\n",
+ LANDLOCK_ABI_LAST, abi);
+ __attribute__((fallthrough));
+ case LANDLOCK_ABI_LAST:
+ break;
+ default:
+ fprintf(stderr,
+ "Hint: You should update this sandboxer "
+ "to leverage Landlock features "
+ "provided by ABI version %d (instead of %d).\n",
+ abi, LANDLOCK_ABI_LAST);
}
+ access_fs_ro &= ruleset_attr.handled_access_fs;
+ access_fs_rw &= ruleset_attr.handled_access_fs;
ruleset_fd =
landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);