On 14/01/2021 04:21, Jann Horn wrote:
On Wed, Dec 9, 2020 at 8:29 PM Mickaël Salaün mic@digikod.net wrote:
Add a basic sandbox tool to launch a command which can only access a whitelist of file hierarchies in a read-only or read-write way.
I have to admit that I didn't really look at this closely before because it's just sample code... but I guess I should. You can add
Reviewed-by: Jann Horn jannh@google.com
if you fix the following nits:
OK, I will!
[...]
diff --git a/samples/Kconfig b/samples/Kconfig
[...]
+config SAMPLE_LANDLOCK
bool "Build Landlock sample code"
depends on HEADERS_INSTALL
help
Build a simple Landlock sandbox manager able to launch a process
restricted by a user-defined filesystem access control.
nit: s/filesystem access control/filesystem access control policy/
[...]
diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
[...]
+/*
- Simple Landlock sandbox manager able to launch a process restricted by a
- user-defined filesystem access control.
nit: s/filesystem access control/filesystem access control policy/
[...]
+int main(const int argc, char *const argv[], char *const *const envp) +{
[...]
if (argc < 2) {
[...]
fprintf(stderr, "* %s: list of paths allowed to be used in a read-only way.\n",
ENV_FS_RO_NAME);
fprintf(stderr, "* %s: list of paths allowed to be used in a read-write way.\n",
ENV_FS_RO_NAME);
s/ENV_FS_RO_NAME/ENV_FS_RW_NAME/
fprintf(stderr, "\nexample:\n"
"%s=\"/bin:/lib:/usr:/proc:/etc:/dev/urandom\" "
"%s=\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" "
"%s bash -i\n",
ENV_FS_RO_NAME, ENV_FS_RW_NAME, argv[0]);
return 1;
}
ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
if (ruleset_fd < 0) {
perror("Failed to create a ruleset");
switch (errno) {
(Just as a note: In theory perror() can change the value of errno, as far as I know - so AFAIK you'd theoretically have to do something like:
int errno_ = errno; perror("..."); switch (errno_) { ... }
Indeed :)
It'll almost certainly work fine as-is in practice though.)
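The errno clobbering described in that note, as an added example that is not code from the patch or from the Landlock tree: a constructed stand-in replaces the failing landlock_create_ruleset() call, and stderr is deliberately pointed at a read-only descriptor so that perror() itself fails and overwrites errno, which lets the hunk's `perror(); switch (errno)` order be compared with the suggested save-first form.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Constructed stand-in for a failed landlock_create_ruleset(): only sets errno. */
static void fake_ruleset_failure(int err)
{
	errno = err;
}

/* Form in the hunk: perror() runs first, so this returns what `switch (errno)`
 * would actually dispatch on. */
static int dispatch_fragile(int err)
{
	fake_ruleset_failure(err);
	perror("Failed to create a ruleset");
	return errno;
}

/* Form suggested in the review: copy errno before perror() can touch it. */
static int dispatch_saved(int err)
{
	fake_ruleset_failure(err);
	const int errno_ = errno;
	perror("Failed to create a ruleset");
	return errno_;
}

/* Point fd 2 at a read-only descriptor so perror()'s own write fails (EBADF)
 * and overwrites errno; returns a dup of the original stderr for restoring. */
static int break_stderr(void)
{
	const int orig = dup(STDERR_FILENO);
	const int ro = open("/dev/null", O_RDONLY);
	dup2(ro, STDERR_FILENO);
	close(ro);
	return orig;
}

/* Runs both forms with stderr broken, then restores it. Returns 1 when the
 * fragile form saw a clobbered errno while the saved copy kept the syscall's. */
int demonstrate(int *fragile_sees, int *saved_sees)
{
	const int orig = break_stderr();
	*fragile_sees = dispatch_fragile(EOPNOTSUPP);
	*saved_sees = dispatch_saved(EOPNOTSUPP);
	dup2(orig, STDERR_FILENO);
	close(orig);
	return *fragile_sees != EOPNOTSUPP && *saved_sees == EOPNOTSUPP;
}
```

With a writable stderr both forms normally agree, which is why the ordering bug stays invisible in everyday use and only bites when stderr is closed or redirected somewhere unwritable.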