From f625b7f729c816ea17e69dfa5bf4c09399dece6f Mon Sep 17 00:00:00 2001 From: shtrophic Date: Sun, 8 Dec 2024 09:01:57 +0100 Subject: don't try to make files directory-readable --- sandbox.c | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) (limited to 'sandbox.c') diff --git a/sandbox.c b/sandbox.c index 3a5ca48..6eafc43 100644 --- a/sandbox.c +++ b/sandbox.c @@ -13,30 +13,30 @@ static LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail) { const unsigned long long - r = LANDLOCK_ACCESS_FS_READ_DIR | - LANDLOCK_ACCESS_FS_READ_FILE, - w = LANDLOCK_ACCESS_FS_WRITE_FILE | - LANDLOCK_ACCESS_FS_TRUNCATE, - c = LANDLOCK_ACCESS_FS_MAKE_DIR | - LANDLOCK_ACCESS_FS_MAKE_REG | - LANDLOCK_ACCESS_FS_TRUNCATE | - LANDLOCK_ACCESS_FS_MAKE_SYM | - LANDLOCK_ACCESS_FS_REMOVE_DIR | - LANDLOCK_ACCESS_FS_REMOVE_FILE | - LANDLOCK_ACCESS_FS_REFER, - s = LANDLOCK_ACCESS_FS_MAKE_SOCK, - x = LANDLOCK_ACCESS_FS_EXECUTE; - - LL_PATH(basedir, r|w|c); - LL_PATH("/tmp", r|w|c); + rd = LANDLOCK_ACCESS_FS_READ_DIR, + rf = LANDLOCK_ACCESS_FS_READ_FILE, + w = LANDLOCK_ACCESS_FS_WRITE_FILE | + LANDLOCK_ACCESS_FS_TRUNCATE, + c = LANDLOCK_ACCESS_FS_MAKE_DIR | + LANDLOCK_ACCESS_FS_MAKE_REG | + LANDLOCK_ACCESS_FS_TRUNCATE | + LANDLOCK_ACCESS_FS_MAKE_SYM | + LANDLOCK_ACCESS_FS_REMOVE_DIR | + LANDLOCK_ACCESS_FS_REMOVE_FILE | + LANDLOCK_ACCESS_FS_REFER, + s = LANDLOCK_ACCESS_FS_MAKE_SOCK, + x = LANDLOCK_ACCESS_FS_EXECUTE; + + LL_PATH(basedir, rf|rd|w|c); + LL_PATH("/tmp", rf|rd|w|c); #ifndef WITHOUT_SHM - LL_PATH("/dev/shm", r|w|c); + LL_PATH("/dev/shm", rf|w|c ); #endif - LL_PATH("/etc/resolv.conf", r ); - LL_PATH("/etc/hosts", r ); - LL_PATH("/etc/ssl/openssl.cnf", r ); - LL_PATH("/etc/ssl/cert.pem", r ); - LL_PATH("/usr/share/zoneinfo", r ); + LL_PATH("/etc/resolv.conf", rf ); + LL_PATH("/etc/hosts", rf ); + LL_PATH("/etc/ssl/openssl.cnf", rf ); + LL_PATH("/etc/ssl/cert.pem", rf ); + LL_PATH("/usr/share/zoneinfo", rf ); if (*address == '/') LL_PATH(address, s); -- cgit v1.2.3