summaryrefslogtreecommitdiffstats
path: root/samples
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2024-03-15 00:00:27 +0100
committerLinus Torvalds <torvalds@linux-foundation.org>2024-03-15 00:00:27 +0100
commit35e886e88c803920644c9d3abb45a9ecb7f1e761 (patch)
tree9595c4b62518a00de2040a199a4653f3abeff8b9 /samples
parentMerge tag 'for-linus' of https://github.com/openrisc/linux (diff)
parentsamples/landlock: Don't error out if a file path cannot be opened (diff)
downloadlinux-35e886e88c803920644c9d3abb45a9ecb7f1e761.tar.xz
linux-35e886e88c803920644c9d3abb45a9ecb7f1e761.zip
Merge tag 'landlock-6.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux
Pull landlock updates from Mickaël Salaün: "Some miscellaneous improvements, including new KUnit tests, extended documentation and boot help, and some cosmetic cleanups. Additional test changes already went through the net tree" * tag 'landlock-6.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux: samples/landlock: Don't error out if a file path cannot be opened landlock: Use f_cred in security_file_open() hook landlock: Rename "ptrace" files to "task" landlock: Simplify current_check_access_socket() landlock: Warn once if a Landlock action is requested while disabled landlock: Extend documentation for kernel support landlock: Add support for KUnit tests selftests/landlock: Clean up error logs related to capabilities
Diffstat (limited to 'samples')
-rw-r--r--samples/landlock/sandboxer.c13
1 files changed, 8 insertions, 5 deletions
diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
index 08596c0ef070..32e930c853bb 100644
--- a/samples/landlock/sandboxer.c
+++ b/samples/landlock/sandboxer.c
@@ -1,7 +1,7 @@
// SPDX-License-Identifier: BSD-3-Clause
/*
- * Simple Landlock sandbox manager able to launch a process restricted by a
- * user-defined filesystem access control policy.
+ * Simple Landlock sandbox manager able to execute a process restricted by
+ * user-defined file system and network access control policies.
*
* Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
* Copyright © 2020 ANSSI
@@ -120,9 +120,11 @@ static int populate_ruleset_fs(const char *const env_var, const int ruleset_fd,
if (path_beneath.parent_fd < 0) {
fprintf(stderr, "Failed to open \"%s\": %s\n",
path_list[i], strerror(errno));
- goto out_free_name;
+ continue;
}
if (fstat(path_beneath.parent_fd, &statbuf)) {
+ fprintf(stderr, "Failed to stat \"%s\": %s\n",
+ path_list[i], strerror(errno));
close(path_beneath.parent_fd);
goto out_free_name;
}
@@ -227,7 +229,7 @@ int main(const int argc, char *const argv[], char *const *const envp)
ENV_FS_RO_NAME, ENV_FS_RW_NAME, ENV_TCP_BIND_NAME,
ENV_TCP_CONNECT_NAME, argv[0]);
fprintf(stderr,
- "Launch a command in a restricted environment.\n\n");
+ "Execute a command in a restricted environment.\n\n");
fprintf(stderr,
"Environment variables containing paths and ports "
"each separated by a colon:\n");
@@ -248,7 +250,7 @@ int main(const int argc, char *const argv[], char *const *const envp)
ENV_TCP_CONNECT_NAME);
fprintf(stderr,
"\nexample:\n"
- "%s=\"/bin:/lib:/usr:/proc:/etc:/dev/urandom\" "
+ "%s=\"${PATH}:/lib:/usr:/proc:/etc:/dev/urandom\" "
"%s=\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" "
"%s=\"9418\" "
"%s=\"80:443\" "
@@ -383,6 +385,7 @@ int main(const int argc, char *const argv[], char *const *const envp)
cmd_path = argv[1];
cmd_argv = argv + 1;
+ fprintf(stderr, "Executing the sandboxed command...\n");
execvpe(cmd_path, cmd_argv, envp);
fprintf(stderr, "Failed to execute \"%s\": %s\n", cmd_path,
strerror(errno));