samples/landlock: Print hints about ABI versions
Extend the help with the latest Landlock ABI version supported by the sandboxer. Inform users about the sandboxer or the kernel not being up-to-date. Make the version check code easier to update and harder to misuse. Cc: Paul Moore <paul@paul-moore.com> Signed-off-by: Mickaël Salaün <mic@digikod.net> Reviewed-by: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20220923154207.3311629-2-mic@digikod.net
parent
f76349cf41
commit
903cfe8a7a
|
@ -162,11 +162,10 @@ out_free_name:
|
||||||
LANDLOCK_ACCESS_FS_MAKE_SYM | \
|
LANDLOCK_ACCESS_FS_MAKE_SYM | \
|
||||||
LANDLOCK_ACCESS_FS_REFER)
|
LANDLOCK_ACCESS_FS_REFER)
|
||||||
|
|
||||||
#define ACCESS_ABI_2 ( \
|
|
||||||
LANDLOCK_ACCESS_FS_REFER)
|
|
||||||
|
|
||||||
/* clang-format on */
|
/* clang-format on */
|
||||||
|
|
||||||
|
#define LANDLOCK_ABI_LAST 2
|
||||||
|
|
||||||
int main(const int argc, char *const argv[], char *const *const envp)
|
int main(const int argc, char *const argv[], char *const *const envp)
|
||||||
{
|
{
|
||||||
const char *cmd_path;
|
const char *cmd_path;
|
||||||
|
@ -196,8 +195,12 @@ int main(const int argc, char *const argv[], char *const *const envp)
|
||||||
"\nexample:\n"
|
"\nexample:\n"
|
||||||
"%s=\"/bin:/lib:/usr:/proc:/etc:/dev/urandom\" "
|
"%s=\"/bin:/lib:/usr:/proc:/etc:/dev/urandom\" "
|
||||||
"%s=\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" "
|
"%s=\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" "
|
||||||
"%s bash -i\n",
|
"%s bash -i\n\n",
|
||||||
ENV_FS_RO_NAME, ENV_FS_RW_NAME, argv[0]);
|
ENV_FS_RO_NAME, ENV_FS_RW_NAME, argv[0]);
|
||||||
|
fprintf(stderr,
|
||||||
|
"This sandboxer can use Landlock features "
|
||||||
|
"up to ABI version %d.\n",
|
||||||
|
LANDLOCK_ABI_LAST);
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -225,12 +228,30 @@ int main(const int argc, char *const argv[], char *const *const envp)
|
||||||
}
|
}
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Best-effort security. */
|
/* Best-effort security. */
|
||||||
if (abi < 2) {
|
switch (abi) {
|
||||||
ruleset_attr.handled_access_fs &= ~ACCESS_ABI_2;
|
case 1:
|
||||||
access_fs_ro &= ~ACCESS_ABI_2;
|
/* Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2 */
|
||||||
access_fs_rw &= ~ACCESS_ABI_2;
|
ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
|
||||||
|
|
||||||
|
fprintf(stderr,
|
||||||
|
"Hint: You should update the running kernel "
|
||||||
|
"to leverage Landlock features "
|
||||||
|
"provided by ABI version %d (instead of %d).\n",
|
||||||
|
LANDLOCK_ABI_LAST, abi);
|
||||||
|
__attribute__((fallthrough));
|
||||||
|
case LANDLOCK_ABI_LAST:
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
fprintf(stderr,
|
||||||
|
"Hint: You should update this sandboxer "
|
||||||
|
"to leverage Landlock features "
|
||||||
|
"provided by ABI version %d (instead of %d).\n",
|
||||||
|
abi, LANDLOCK_ABI_LAST);
|
||||||
}
|
}
|
||||||
|
access_fs_ro &= ruleset_attr.handled_access_fs;
|
||||||
|
access_fs_rw &= ruleset_attr.handled_access_fs;
|
||||||
|
|
||||||
ruleset_fd =
|
ruleset_fd =
|
||||||
landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
|
landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
|
||||||
|
|
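Review bot: The `switch (abi)` ladder in the third hunk depends on an update rule that the code does not state: `default:` is taken by every value other than 1 and `LANDLOCK_ABI_LAST`, not only by kernels newer than the sandboxer. If `LANDLOCK_ABI_LAST` is later raised without adding a `case` for the previous version, a kernel at that previous ABI would get the "update this sandboxer" hint with the two numbers reversed, and `ruleset_attr.handled_access_fs` would keep bits that kernel does not know. That presumably makes `landlock_create_ruleset()` fail rather than run the command with a weaker policy, but the cause would be hard to read from the output. I would add a comment above the switch, for example `/* Each new ABI needs its own case above LANDLOCK_ABI_LAST that clears the rights it introduced; default is only for abi > LANDLOCK_ABI_LAST. */`. The body of main() continues past the end of this hunk, so the earlier check on `abi` is not visible here.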