From cc1d4258e5dea493605c3f09b8279e28dd61e727 Mon Sep 17 00:00:00 2001
From: shtrophic
Date: Thu, 23 Jan 2025 20:15:23 +0100
Subject: Sandbox fixes
- allow reading `/dev/urandom` as it is shown as a failed syscall when tracing
- resolve `/etc/ssl/cert.pem` in case it is a symlink
---
 sandbox.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
(limited to 'sandbox.c')
diff --git a/sandbox.c b/sandbox.c
index cbe0043..0fc48ad 100644
--- a/sandbox.c
+++ b/sandbox.c
@@ -71,15 +71,22 @@ LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail)
 LANDLOCK_ACCESS_FS_REFER_COMPAT,
 s = LANDLOCK_ACCESS_FS_MAKE_SOCK,
 x = LANDLOCK_ACCESS_FS_EXECUTE;
+ char *resolved_path = NULL;
 LL_PATH(basedir, rf|rd|w|c);
 LL_PATH("/tmp", rf|rd|w|c);
 #ifndef WITHOUT_SHM
 LL_PATH("/dev/shm", rf|w|c );
 #endif
+ LL_PATH("/dev/urandom", rf );
 LL_PATH("/etc/resolv.conf", rf );
 LL_PATH("/etc/hosts", rf );
- LL_PATH("/etc/ssl", rf );
+ LL_PATH("/etc/ssl", rf|rd );
+ if ((resolved_path = realpath("/etc/ssl/cert.pem", NULL))) {
+ /* some distros like cert.pem to be a symlink */
+ LL_PATH(resolved_path, rf );
+ free(resolved_path);
+ }
 LL_PATH("/usr/share/zoneinfo", rf );
 if (mtime("/etc/pki") > 0)
--
cgit v1.2.3
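Review bot: The rule added by `LL_PATH(resolved_path, rf );` covers only the file that `/etc/ssl/cert.pem` resolved to at sandbox entry. Landlock attaches a rule to the object opened when the rule is created, so a CA bundle later replaced by a new file (for example a rename during a trust-store update) would presumably become unreadable to the running process until it restarts. That fails closed, but it would look like a TLS error rather than a sandbox denial, so I would extend the comment to something like `/* cert.pem may be a symlink; the rule covers the target as resolved now, so a replaced bundle needs a restart */`. The definition of `LL_PATH` is outside this hunk: if the macro leaves the function on failure, `free(resolved_path);` is skipped on that path, which is worth confirming. The body opened by `LL_BEGIN` continues past the end of the hunk.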