commit f625b7f729c816ea17e69dfa5bf4c09399dece6f
parent fb8145297c45c8fdfbdc3872c8345e51569a4a01
Author: shtrophic <christoph@liebender.dev>
Date: Sun, 8 Dec 2024 09:01:57 +0100
don't try to make files directory-readable
Diffstat:
M | sandbox.c | | | 44 | ++++++++++++++++++++++---------------------- |
1 file changed, 22 insertions(+), 22 deletions(-)
diff --git a/sandbox.c b/sandbox.c
@@ -13,30 +13,30 @@ static
LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail) {
const unsigned long long
- r = LANDLOCK_ACCESS_FS_READ_DIR |
- LANDLOCK_ACCESS_FS_READ_FILE,
- w = LANDLOCK_ACCESS_FS_WRITE_FILE |
- LANDLOCK_ACCESS_FS_TRUNCATE,
- c = LANDLOCK_ACCESS_FS_MAKE_DIR |
- LANDLOCK_ACCESS_FS_MAKE_REG |
- LANDLOCK_ACCESS_FS_TRUNCATE |
- LANDLOCK_ACCESS_FS_MAKE_SYM |
- LANDLOCK_ACCESS_FS_REMOVE_DIR |
- LANDLOCK_ACCESS_FS_REMOVE_FILE |
- LANDLOCK_ACCESS_FS_REFER,
- s = LANDLOCK_ACCESS_FS_MAKE_SOCK,
- x = LANDLOCK_ACCESS_FS_EXECUTE;
-
- LL_PATH(basedir, r|w|c);
- LL_PATH("/tmp", r|w|c);
+ rd = LANDLOCK_ACCESS_FS_READ_DIR,
+ rf = LANDLOCK_ACCESS_FS_READ_FILE,
+ w = LANDLOCK_ACCESS_FS_WRITE_FILE |
+ LANDLOCK_ACCESS_FS_TRUNCATE,
+ c = LANDLOCK_ACCESS_FS_MAKE_DIR |
+ LANDLOCK_ACCESS_FS_MAKE_REG |
+ LANDLOCK_ACCESS_FS_TRUNCATE |
+ LANDLOCK_ACCESS_FS_MAKE_SYM |
+ LANDLOCK_ACCESS_FS_REMOVE_DIR |
+ LANDLOCK_ACCESS_FS_REMOVE_FILE |
+ LANDLOCK_ACCESS_FS_REFER,
+ s = LANDLOCK_ACCESS_FS_MAKE_SOCK,
+ x = LANDLOCK_ACCESS_FS_EXECUTE;
+
+ LL_PATH(basedir, rf|rd|w|c);
+ LL_PATH("/tmp", rf|rd|w|c);
#ifndef WITHOUT_SHM
- LL_PATH("/dev/shm", r|w|c);
+ LL_PATH("/dev/shm", rf|w|c );
#endif
- LL_PATH("/etc/resolv.conf", r );
- LL_PATH("/etc/hosts", r );
- LL_PATH("/etc/ssl/openssl.cnf", r );
- LL_PATH("/etc/ssl/cert.pem", r );
- LL_PATH("/usr/share/zoneinfo", r );
+ LL_PATH("/etc/resolv.conf", rf );
+ LL_PATH("/etc/hosts", rf );
+ LL_PATH("/etc/ssl/openssl.cnf", rf );
+ LL_PATH("/etc/ssl/cert.pem", rf );
+ LL_PATH("/usr/share/zoneinfo", rf );
if (*address == '/')
LL_PATH(address, s);
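Review bot: The unchanged `LL_PATH(address, s);` at the end of the hunk looks like the same class of problem this commit fixes for the `/etc` entries: `LANDLOCK_ACCESS_FS_MAKE_SOCK` is a directory-only right, and the kernel returns EINVAL for a path-beneath rule that attaches directory-only rights to a non-directory. If `address` is the socket's own path rather than its directory (the `*address == '/'` test suggests so, but LL_PATH and the callers are not visible here), the rule cannot work as written and should be applied to the parent directory of `address` instead. It is also worth confirming that LL_PATH reports a failed rule instead of silently dropping it, since a dropped rule only surfaces later as an unexplained EACCES inside the sandbox. A short comment above the constants would keep the split from being undone, e.g. `/* rd is directory-only: Landlock refuses it on rules for regular files */`. The body of sbox_enter_linux_ continues past the end of the hunk.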