snac2

Fork of https://codeberg.org/grunfink/snac2
git clone https://git.inz.fi/snac2
Log | Files | Refs | README | LICENSE
commit 6d1a2868b54972d8176239da78aa50e341b49d81
parent 95d32cbe7cfbb0321ac37b57ada23b6c268815e2
Author: grunfink <grunfink@noreply.codeberg.org>
Date:   Thu, 23 Jan 2025 19:27:09 +0000

Merge pull request 'Linux sandbox fixes' (#287) from shtrophic/snac2:master into master

Reviewed-on: https://codeberg.org/grunfink/snac2/pulls/287

Diffstat:

Msandbox.c | 9++++++++-


1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/sandbox.c b/sandbox.c
@@ -71,15 +71,22 @@ LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail)
              LANDLOCK_ACCESS_FS_REFER_COMPAT,
         s  = LANDLOCK_ACCESS_FS_MAKE_SOCK,
         x  = LANDLOCK_ACCESS_FS_EXECUTE;
+    char *resolved_path = NULL;
 
     LL_PATH(basedir,                rf|rd|w|c);
     LL_PATH("/tmp",                 rf|rd|w|c);
 #ifndef WITHOUT_SHM
     LL_PATH("/dev/shm",             rf|w|c   );
 #endif
+    LL_PATH("/dev/urandom",         rf       );
     LL_PATH("/etc/resolv.conf",     rf       );
     LL_PATH("/etc/hosts",           rf       );
-    LL_PATH("/etc/ssl",             rf       );
+    LL_PATH("/etc/ssl",             rf|rd    );
+    if ((resolved_path = realpath("/etc/ssl/cert.pem", NULL))) {
+        /* some distros like cert.pem to be a symlink */
+        LL_PATH(resolved_path,      rf       );
+        free(resolved_path);
+    }
     LL_PATH("/usr/share/zoneinfo",  rf       );
 
     if (mtime("/etc/pki") > 0)