Unverified Commit 903cfe8a authored by Mickaël Salaün's avatar Mickaël Salaün

samples/landlock: Print hints about ABI versions



Extend the help with the latest Landlock ABI version supported by the
sandboxer.

Inform users about the sandboxer or the kernel not being up-to-date.

Make the version check code easier to update and harder to misuse.

Cc: Paul Moore <paul@paul-moore.com>
Signed-off-by: default avatarMickaël Salaün <mic@digikod.net>
Reviewed-by: default avatarGünther Noack <gnoack3000@gmail.com>
Link: https://lore.kernel.org/r/20220923154207.3311629-2-mic@digikod.net
parent f76349cf
+29 −8
@@ -162,11 +162,10 @@ static int populate_ruleset(const char *const env_var, const int ruleset_fd,
	LANDLOCK_ACCESS_FS_MAKE_SYM | \
	LANDLOCK_ACCESS_FS_REFER)

#define ACCESS_ABI_2 ( \
	LANDLOCK_ACCESS_FS_REFER)

/* clang-format on */

#define LANDLOCK_ABI_LAST 2

int main(const int argc, char *const argv[], char *const *const envp)
{
	const char *cmd_path;
@@ -196,8 +195,12 @@ int main(const int argc, char *const argv[], char *const *const envp)
			"\nexample:\n"
			"%s=\"/bin:/lib:/usr:/proc:/etc:/dev/urandom\" "
			"%s=\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" "
			"%s bash -i\n",
			"%s bash -i\n\n",
			ENV_FS_RO_NAME, ENV_FS_RW_NAME, argv[0]);
		fprintf(stderr,
			"This sandboxer can use Landlock features "
			"up to ABI version %d.\n",
			LANDLOCK_ABI_LAST);
		return 1;
	}

@@ -225,12 +228,30 @@ int main(const int argc, char *const argv[], char *const *const envp)
		}
		return 1;
	}

	/* Best-effort security. */
	if (abi < 2) {
		ruleset_attr.handled_access_fs &= ~ACCESS_ABI_2;
		access_fs_ro &= ~ACCESS_ABI_2;
		access_fs_rw &= ~ACCESS_ABI_2;
	switch (abi) {
	case 1:
		/* Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2 */
		ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;

		fprintf(stderr,
			"Hint: You should update the running kernel "
			"to leverage Landlock features "
			"provided by ABI version %d (instead of %d).\n",
			LANDLOCK_ABI_LAST, abi);
		__attribute__((fallthrough));
	case LANDLOCK_ABI_LAST:
		break;
	default:
		fprintf(stderr,
			"Hint: You should update this sandboxer "
			"to leverage Landlock features "
			"provided by ABI version %d (instead of %d).\n",
			abi, LANDLOCK_ABI_LAST);
	}
	access_fs_ro &= ruleset_attr.handled_access_fs;
	access_fs_rw &= ruleset_attr.handled_access_fs;

	ruleset_fd =
		landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
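Review bot: The `default:` label of the new `switch (abi)` catches every value that is not 1 or LANDLOCK_ABI_LAST, not only kernels newer than the sandboxer. If LANDLOCK_ABI_LAST is later bumped without adding a `case` for the previous version, that older ABI would get the "update this sandboxer" hint and keep `handled_access_fs` bits the running kernel may not know. Guarding the hint with `if (abi > LANDLOCK_ABI_LAST)` would make the branch explicit; at minimum add a comment on the last label such as `/* When bumping LANDLOCK_ABI_LAST, add a case for the previous version above. */`. The comment on `case 1:` could also say why dropping the bit is safe: as far as I know, ABI 1 always denies reparenting a file across directories, so the sandbox does not become more permissive. main() starts and ends outside this hunk, so the earlier handling of a negative `abi` is only partly visible here.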