Build: Fix Linux Landlock feature test in Autotools and CMake builds.
authorJia Tan <jiat0218@gmail.com>
Mon, 26 Feb 2024 15:02:06 +0000 (23:02 +0800)
committerJia Tan <jiat0218@gmail.com>
Mon, 26 Feb 2024 15:27:44 +0000 (23:27 +0800)
The previous Linux Landlock feature test assumed that having the
linux/landlock.h header file was enough. The new feature test also
requires that prctl() and the required Landlock system calls are
supported.

CMakeLists.txt
configure.ac
src/xz/sandbox.c
src/xz/sandbox.h
src/xzdec/xzdec.c

index 76700591059711e3a4da5b45cf58474dac4e12a7..d2b1af7ab0ab759b6805ced3dff2555e2a4b3f8e 100644 (file)
@@ -901,10 +901,29 @@ endif()
 
 # Sandboxing: Landlock
 if(NOT SANDBOX_FOUND AND ENABLE_SANDBOX MATCHES "^ON$|^landlock$")
-    check_include_file(linux/landlock.h HAVE_LINUX_LANDLOCK_H)
+    # A compile check is done here because some systems have
+    # linux/landlock.h, but do not have the syscalls defined
+    # in order to actually use Linux Landlock.
+    check_c_source_compiles("
+        #include <linux/landlock.h>
+        #include <sys/syscall.h>
+        #include <sys/prctl.h>
+.
+        void my_sandbox(void)
+        {
+            (void)prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+            (void)SYS_landlock_create_ruleset;
+            (void)SYS_landlock_restrict_self;
+            (void)LANDLOCK_CREATE_RULESET_VERSION;
+            return;
+        }
+
+        int main(void) { return 0; }
+        "
+    HAVE_LINUX_LANDLOCK)
 
-    if(HAVE_LINUX_LANDLOCK_H)
-        set(SANDBOX_COMPILE_DEFINITION "HAVE_LINUX_LANDLOCK_H")
+    if(HAVE_LINUX_LANDLOCK)
+        set(SANDBOX_COMPILE_DEFINITION "HAVE_LINUX_LANDLOCK")
         set(SANDBOX_FOUND ON)
 
         # Of our three sandbox methods, only Landlock is incompatible
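Review bot: The lone `.` on the line right after `#include <sys/prctl.h>` inside the check_c_source_compiles() source is a C syntax error, so this test program can never compile: HAVE_LINUX_LANDLOCK is never set, SANDBOX_FOUND stays OFF, and every CMake build silently ships without the Landlock sandbox even on a system that fully supports it. The Autotools version of the same test in configure.ac does not contain that character, so the two build systems would disagree about the same machine. Delete that line (or make it an empty line) so the probe actually exercises prctl() and the SYS_landlock_* constants as intended. Because a "no" from a probe that guards a security boundary looks exactly like a genuine lack of support, it is also worth adding `message(STATUS "Linux Landlock: not usable, sandbox not enabled")` on the else branch, and failing with `message(FATAL_ERROR ...)` when ENABLE_SANDBOX was explicitly `landlock`, unless that is already handled further down the file outside this hunk.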
index 3676cd037de51bad69f7ef70d41c1a723b794940..446e26e2b79014b339763448130bd7ffc36916d3 100644 (file)
@@ -1177,12 +1177,37 @@ AS_CASE([$enable_sandbox],
 )
 AS_CASE([$enable_sandbox],
        [auto | landlock], [
-               AC_CHECK_HEADERS([linux/landlock.h], [
+               AC_MSG_CHECKING([if Linux Landlock is usable])
+
+               # A compile check is done here because some systems have
+               # linux/landlock.h, but do not have the syscalls defined
+               # in order to actually use Linux Landlock.
+               AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
+                       #include <linux/landlock.h>
+                       #include <sys/syscall.h>
+                       #include <sys/prctl.h>
+
+                       void my_sandbox(void)
+                       {
+                               (void)prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+                               (void)SYS_landlock_create_ruleset;
+                               (void)SYS_landlock_restrict_self;
+                               (void)LANDLOCK_CREATE_RULESET_VERSION;
+                               return;
+                       }
+               ]])], [
                        enable_sandbox=found
 
                        AS_CASE([$CFLAGS], [*-fsanitize=*], [AC_MSG_ERROR([
     CFLAGS contains '-fsanitize=' which is incompatible with the Landlock
     sandboxing. Use --disable-sandbox when using '-fsanitize'.])])
+
+                       AC_DEFINE([HAVE_LINUX_LANDLOCK], [1],
+                               [Define to 1 if Linux Landlock is supported.
+                               See configure.ac for details.])
+                       AC_MSG_RESULT([yes])
+               ], [
+                       AC_MSG_RESULT([no])
                ])
        ]
 )
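Review bot: A failed probe ends in `AC_MSG_RESULT([no])` with enable_sandbox left untouched, so within this hunk an explicit `--enable-sandbox=landlock` whose test fails is indistinguishable from `auto`; unless the code after this AS_CASE (outside the hunk) turns a leftover `landlock` value into an AC_MSG_ERROR, a user who asked for the sandbox gets an unsandboxed binary with nothing but a "no" in the configure log. The test only proves that the headers and libc expose prctl() and the SYS_landlock_* numbers, while the running kernel is still probed at run time through the ABI-version query in xzdec.c, which deserves a one-line comment above AC_COMPILE_IFELSE: `# Compile-time check only; kernel support is probed at run time.` Keep this test program byte-identical to the one in CMakeLists.txt so that the two builds detect the same thing and any drift between them is easy to spot in review.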
index 3b3069c8b2c8b2d3fb3a0f98822379e66a393a47..5bd2273707519b7f638a2d158e28ea6848f7fcfb 100644 (file)
@@ -109,7 +109,7 @@ sandbox_enable_strict_if_allowed(int src_fd lzma_attribute((__unused__)),
 }
 
 
-#elif defined(HAVE_LINUX_LANDLOCK_H)
+#elif defined(HAVE_LINUX_LANDLOCK)
 
 //////////////
 // Landlock //
index f41b4725ce3f03b473feb385ce4a463c1806d1d4..98b9862a1c0a4d921edb532c2d7c651cbe1ff337 100644 (file)
@@ -9,7 +9,7 @@
 //
 ///////////////////////////////////////////////////////////////////////////////
 
-#if defined(HAVE_PLEDGE) || defined(HAVE_LINUX_LANDLOCK_H) \
+#if defined(HAVE_PLEDGE) || defined(HAVE_LINUX_LANDLOCK) \
                || defined(HAVE_CAP_RIGHTS_LIMIT)
 #      define ENABLE_SANDBOX 1
 #endif
index 6fd0be39e67fb6f3f334c705b885076f2656cdac..ef8c80f31358ff0dc26ff33e008b86845911d30a 100644 (file)
 #      include <sys/capsicum.h>
 #endif
 
-#ifdef HAVE_LINUX_LANDLOCK_H
+#ifdef HAVE_LINUX_LANDLOCK
 #      include <linux/landlock.h>
 #      include <sys/prctl.h>
 #      include <sys/syscall.h>
 #endif
 
 #if defined(HAVE_CAP_RIGHTS_LIMIT) || defined(HAVE_PLEDGE) \
-               || defined(HAVE_LINUX_LANDLOCK_H)
+               || defined(HAVE_LINUX_LANDLOCK)
 #      define ENABLE_SANDBOX 1
 #endif
 
@@ -325,7 +325,7 @@ sandbox_enter(int src_fd)
                goto error;
 
        (void)src_fd;
-#elif defined(HAVE_LINUX_LANDLOCK_H)
+#elif defined(HAVE_LINUX_LANDLOCK)
        int landlock_abi = syscall(SYS_landlock_create_ruleset,
                        (void *)NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
 
@@ -389,7 +389,7 @@ main(int argc, char **argv)
        }
 #endif
 
-#ifdef HAVE_LINUX_LANDLOCK_H
+#ifdef HAVE_LINUX_LANDLOCK
        // Prevent the process from gaining new privileges. The return
        // is ignored to keep compatibility with old kernels.
        (void)prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);