xz: Landlock: Fix error message if input file is a directory.
authorLasse Collin <lasse.collin@tukaani.org>
Thu, 22 Feb 2024 13:18:25 +0000 (15:18 +0200)
committerLasse Collin <lasse.collin@tukaani.org>
Thu, 22 Feb 2024 13:18:25 +0000 (15:18 +0200)
If xz is given a directory, it should look like this:

    $ xz /usr/bin
    xz: /usr/bin: Is a directory, skipping

The Landlock rules didn't allow opening directories for reading:

    $ xz /usr/bin
    xz: /usr/bin: Permission denied

The simplest fix was to allow opening directories for reading.
While it's a bit silly to allow it solely for the error message,
it shouldn't make the sandbox significantly weaker.

The single-file use case (like when called from GNU tar) is
still as strict as possible: all Landlock restrictions are
enabled before (de)compression starts.

src/xz/sandbox.c

index 9d0df4171d830eb62da2a2a2a90f9d604ba73c8b..9e30a07a2cbce353456b9475d038af0034624c53 100644 (file)
@@ -224,9 +224,17 @@ sandbox_init(void)
        // These are all in ABI version 1 already. We don't need truncate
        // rights because files are created with open() using O_EXCL and
        // without O_TRUNC.
+       //
+       // LANDLOCK_ACCESS_FS_READ_DIR is included here to get a clear error
+       // message if xz is given a directory name. Without this permission
+       // the message would be "Permission denied" but with this permission
+       // it's "Is a directory, skipping". It could be worked around with
+       // stat()/lstat() but just giving this permission is simpler and
+       // shouldn't make the sandbox much weaker in practice.
        const uint64_t required_rights
                        = LANDLOCK_ACCESS_FS_WRITE_FILE
                        | LANDLOCK_ACCESS_FS_READ_FILE
+                       | LANDLOCK_ACCESS_FS_READ_DIR
                        | LANDLOCK_ACCESS_FS_REMOVE_FILE
                        | LANDLOCK_ACCESS_FS_MAKE_REG;
 
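Review bot: The new comment above `required_rights` explains what LANDLOCK_ACCESS_FS_READ_DIR buys (a clear "Is a directory" message) but not what it gives up, so the closing claim that it "shouldn't make the sandbox much weaker" is left unargued. If enable_landlock() keeps the listed rights unrestricted for the whole filesystem (that helper is outside this hunk, so this is inferred), then in multi-file mode the process can enumerate directory entries anywhere for its entire lifetime, which the previous mask denied. A one-line statement of that trade-off would let a later reader judge it without re-deriving the Landlock semantics, e.g. `// The cost: in multi-file mode, listing any directory stays allowed until exit.` The same right is added in sandbox_enable_read_only() in the next hunk and that note applies there too.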
@@ -240,7 +248,9 @@ sandbox_enable_read_only(void)
 {
        // We will be opening files for reading but
        // won't create or remove any files.
-       const uint64_t required_rights = LANDLOCK_ACCESS_FS_READ_FILE;
+       const uint64_t required_rights
+                       = LANDLOCK_ACCESS_FS_READ_FILE
+                       | LANDLOCK_ACCESS_FS_READ_DIR;
        enable_landlock(required_rights);
        return;
 }
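Review bot: The comment kept above the new `required_rights` initializer ("We will be opening files for reading but won't create or remove any files.") now describes only the first of the two rights; a reader of sandbox_enable_read_only() alone has no hint why LANDLOCK_ACCESS_FS_READ_DIR is granted. A short pointer to the rationale would close that gap, e.g. `// READ_DIR is only for the "Is a directory" error message; see sandbox_init().`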
@@ -256,6 +266,9 @@ sandbox_enable_strict_if_allowed(int src_fd lzma_attribute((__unused__)),
 
        // Allow all restrictions that the kernel supports with the
        // highest Landlock ABI version that the kernel or xz supports.
+       //
+       // NOTE: LANDLOCK_ACCESS_FS_READ_DIR isn't needed here because
+       // the only input file has already been opened.
        enable_landlock(0);
        return;
 }