leandrof/linux
1
0
Fork 0
forked from Minki/linux
Code Issues Pull Requests Packages Projects Releases Wiki Activity

samples/landlock: Print hints about ABI versions

Browse Source 
Extend the help with the latest Landlock ABI version supported by the
sandboxer.

Inform users about the sandboxer or the kernel not being up-to-date.

Make the version check code easier to update and harder to misuse.

Cc: Paul Moore <paul@paul-moore.com>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Reviewed-by: Günther Noack <gnoack3000@gmail.com>
Link: https://lore.kernel.org/r/20220923154207.3311629-2-mic@digikod.net
This commit is contained in:
Mickaël Salaün 2022-09-23 17:42:05 +02:00
parent f76349cf41
commit 903cfe8a7a
No known key found for this signature in database
GPG Key ID: E5E3D0E88C82F6D2
1 changed files with 29 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
samples/landlock/sandboxer.c
View File

@ -162,11 +162,10 @@ out_free_name:
LANDLOCK_ACCESS_FS_MAKE_SYM | \ LANDLOCK_ACCESS_FS_MAKE_SYM | \
LANDLOCK_ACCESS_FS_REFER) LANDLOCK_ACCESS_FS_REFER)
#define ACCESS_ABI_2 ( \
LANDLOCK_ACCESS_FS_REFER)
/* clang-format on */ /* clang-format on */
#define LANDLOCK_ABI_LAST 2
int main(const int argc, char *const argv[], char *const *const envp) int main(const int argc, char *const argv[], char *const *const envp)
{ {
const char *cmd_path; const char *cmd_path;
@ -196,8 +195,12 @@ int main(const int argc, char *const argv[], char *const *const envp)
"\nexample:\n" "\nexample:\n"
"%s=\"/bin:/lib:/usr:/proc:/etc:/dev/urandom\" " "%s=\"/bin:/lib:/usr:/proc:/etc:/dev/urandom\" "
"%s=\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" " "%s=\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" "
"%s bash -i\n", "%s bash -i\n\n",
ENV_FS_RO_NAME, ENV_FS_RW_NAME, argv[0]); ENV_FS_RO_NAME, ENV_FS_RW_NAME, argv[0]);
fprintf(stderr,
"This sandboxer can use Landlock features "
"up to ABI version %d.\n",
LANDLOCK_ABI_LAST);
return 1; return 1;
} }
@ -225,12 +228,30 @@ int main(const int argc, char *const argv[], char *const *const envp)
} }
return 1; return 1;
} }
/* Best-effort security. */ /* Best-effort security. */
if (abi < 2) { switch (abi) {
ruleset_attr.handled_access_fs &= ~ACCESS_ABI_2; case 1:
access_fs_ro &= ~ACCESS_ABI_2; /* Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2 */
access_fs_rw &= ~ACCESS_ABI_2; ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
fprintf(stderr,
"Hint: You should update the running kernel "
"to leverage Landlock features "
"provided by ABI version %d (instead of %d).\n",
LANDLOCK_ABI_LAST, abi);
__attribute__((fallthrough));
case LANDLOCK_ABI_LAST:
break;
default:
fprintf(stderr,
"Hint: You should update this sandboxer "
"to leverage Landlock features "
"provided by ABI version %d (instead of %d).\n",
abi, LANDLOCK_ABI_LAST);
} }
access_fs_ro &= ruleset_attr.handled_access_fs;
access_fs_rw &= ruleset_attr.handled_access_fs;
ruleset_fd = ruleset_fd =
landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);