summaryrefslogtreecommitdiff
path: root/sandbox.c
diff options
context:
space:
mode:
authorGravatar shtrophic2025-01-23 20:15:23 +0100
committerGravatar shtrophic2025-01-23 20:15:23 +0100
commitcc1d4258e5dea493605c3f09b8279e28dd61e727 (patch)
treee2ccec69176d90f9d1242df8bfb76e162fd0931d /sandbox.c
parentMore hashtag following tweaks. (diff)
downloadsnac2-cc1d4258e5dea493605c3f09b8279e28dd61e727.tar.gz
snac2-cc1d4258e5dea493605c3f09b8279e28dd61e727.tar.xz
snac2-cc1d4258e5dea493605c3f09b8279e28dd61e727.zip
Sandbox fixes
- allow reading `/dev/urandom` as it is shown as a failed syscall when tracing - resolve `/etc/ssl/cert.pem` in case it is a symlink
Diffstat (limited to 'sandbox.c')
-rw-r--r--sandbox.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/sandbox.c b/sandbox.c
index cbe0043..0fc48ad 100644
--- a/sandbox.c
+++ b/sandbox.c
@@ -71,15 +71,22 @@ LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail)
71 LANDLOCK_ACCESS_FS_REFER_COMPAT, 71 LANDLOCK_ACCESS_FS_REFER_COMPAT,
72 s = LANDLOCK_ACCESS_FS_MAKE_SOCK, 72 s = LANDLOCK_ACCESS_FS_MAKE_SOCK,
73 x = LANDLOCK_ACCESS_FS_EXECUTE; 73 x = LANDLOCK_ACCESS_FS_EXECUTE;
74 char *resolved_path = NULL;
74 75
75 LL_PATH(basedir, rf|rd|w|c); 76 LL_PATH(basedir, rf|rd|w|c);
76 LL_PATH("/tmp", rf|rd|w|c); 77 LL_PATH("/tmp", rf|rd|w|c);
77#ifndef WITHOUT_SHM 78#ifndef WITHOUT_SHM
78 LL_PATH("/dev/shm", rf|w|c ); 79 LL_PATH("/dev/shm", rf|w|c );
79#endif 80#endif
81 LL_PATH("/dev/urandom", rf );
80 LL_PATH("/etc/resolv.conf", rf ); 82 LL_PATH("/etc/resolv.conf", rf );
81 LL_PATH("/etc/hosts", rf ); 83 LL_PATH("/etc/hosts", rf );
82 LL_PATH("/etc/ssl", rf ); 84 LL_PATH("/etc/ssl", rf|rd );
85 if ((resolved_path = realpath("/etc/ssl/cert.pem", NULL))) {
86 /* some distros like cert.pem to be a symlink */
87 LL_PATH(resolved_path, rf );
88 free(resolved_path);
89 }
83 LL_PATH("/usr/share/zoneinfo", rf ); 90 LL_PATH("/usr/share/zoneinfo", rf );
84 91
85 if (mtime("/etc/pki") > 0) 92 if (mtime("/etc/pki") > 0)
HIC SVNT DRACONES