linter: Seal the file after reading it into memory
authorMichael Tremer <michael.tremer@ipfire.org>
Fri, 25 Oct 2024 08:34:55 +0000 (08:34 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Fri, 25 Oct 2024 08:34:55 +0000 (08:34 +0000)
This prevents the file from being changed (either intentionally or
unintentionally) while it is being analyzed.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/libpakfire/linter.c

index 3f033ae1540f35cf4475c227f146df318646fc58..ae796e027bbb746bfb7019cef9e7f0e84d1cbe7b 100644 (file)
@@ -19,6 +19,7 @@
 #############################################################################*/
 
 #include <errno.h>
+#include <fcntl.h>
 #include <stdlib.h>
 #include <sys/mman.h>
 #include <sys/queue.h>
@@ -228,7 +229,7 @@ static int pakfire_linter_read_file(
        const char* path = pakfire_file_get_path(file);
 
        // Allocate a new buffer
-       fd = memfd_create(path, MFD_CLOEXEC);
+       fd = memfd_create(path, MFD_ALLOW_SEALING|MFD_CLOEXEC);
        if (fd < 0) {
                CTX_ERROR(linter->ctx, "memfd_create() failed: %m\n");
                r = -errno;
@@ -285,6 +286,15 @@ static int pakfire_linter_read_file(
                goto ERROR;
        }
 
+       // Seal the file so that nothing can be changed
+       r = fcntl(fd, F_ADD_SEALS,
+                       F_SEAL_SEAL|F_SEAL_SHRINK|F_SEAL_GROW|F_SEAL_WRITE|F_SEAL_FUTURE_WRITE);
+       if (r < 0) {
+               CTX_ERROR(linter->ctx, "Could not seal the file: %m\n");
+               r = -errno;
+               goto ERROR;
+       }
+
        return fd;
 
 ERROR:
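Review bot: In the new sealing error path, `r = -errno;` runs only after `CTX_ERROR(...)`, so if the logging call modifies errno the function jumps to ERROR with the wrong code, or with 0, which a caller expecting a descriptor could take for success; put `r = -errno;` first and log afterwards. The memfd_create() failure path in the previous hunk has the same order. Separately, `F_SEAL_FUTURE_WRITE` adds nothing once `F_SEAL_WRITE` is in the set, and kernels older than 5.1 should reject the unknown seal bit with EINVAL, which would make every read fail there, so consider dropping it. `F_SEAL_WRITE` also fails with EBUSY while a shared writable mapping of the memfd exists, so any such mapping created while filling the buffer (not visible here) has to be unmapped before this call. The body of the ERROR label lies outside the hunk, so what is returned on failure is inferred.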