diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2024-03-15 00:00:27 +0100 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2024-03-15 00:00:27 +0100 |
commit | 35e886e88c803920644c9d3abb45a9ecb7f1e761 (patch) | |
tree | 9595c4b62518a00de2040a199a4653f3abeff8b9 /samples | |
parent | Merge tag 'for-linus' of https://github.com/openrisc/linux (diff) | |
parent | samples/landlock: Don't error out if a file path cannot be opened (diff) | |
download | linux-35e886e88c803920644c9d3abb45a9ecb7f1e761.tar.xz linux-35e886e88c803920644c9d3abb45a9ecb7f1e761.zip |
Merge tag 'landlock-6.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux
Pull landlock updates from Mickaël Salaün:
"Some miscellaneous improvements, including new KUnit tests, extended
documentation and boot help, and some cosmetic cleanups.
Additional test changes already went through the net tree"
* tag 'landlock-6.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux:
samples/landlock: Don't error out if a file path cannot be opened
landlock: Use f_cred in security_file_open() hook
landlock: Rename "ptrace" files to "task"
landlock: Simplify current_check_access_socket()
landlock: Warn once if a Landlock action is requested while disabled
landlock: Extend documentation for kernel support
landlock: Add support for KUnit tests
selftests/landlock: Clean up error logs related to capabilities
Diffstat (limited to 'samples')
-rw-r--r-- | samples/landlock/sandboxer.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c index 08596c0ef070..32e930c853bb 100644 --- a/samples/landlock/sandboxer.c +++ b/samples/landlock/sandboxer.c @@ -1,7 +1,7 @@ // SPDX-License-Identifier: BSD-3-Clause /* - * Simple Landlock sandbox manager able to launch a process restricted by a - * user-defined filesystem access control policy. + * Simple Landlock sandbox manager able to execute a process restricted by + * user-defined file system and network access control policies. * * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net> * Copyright © 2020 ANSSI @@ -120,9 +120,11 @@ static int populate_ruleset_fs(const char *const env_var, const int ruleset_fd, if (path_beneath.parent_fd < 0) { fprintf(stderr, "Failed to open \"%s\": %s\n", path_list[i], strerror(errno)); - goto out_free_name; + continue; } if (fstat(path_beneath.parent_fd, &statbuf)) { + fprintf(stderr, "Failed to stat \"%s\": %s\n", + path_list[i], strerror(errno)); close(path_beneath.parent_fd); goto out_free_name; } @@ -227,7 +229,7 @@ int main(const int argc, char *const argv[], char *const *const envp) ENV_FS_RO_NAME, ENV_FS_RW_NAME, ENV_TCP_BIND_NAME, ENV_TCP_CONNECT_NAME, argv[0]); fprintf(stderr, - "Launch a command in a restricted environment.\n\n"); + "Execute a command in a restricted environment.\n\n"); fprintf(stderr, "Environment variables containing paths and ports " "each separated by a colon:\n"); @@ -248,7 +250,7 @@ int main(const int argc, char *const argv[], char *const *const envp) ENV_TCP_CONNECT_NAME); fprintf(stderr, "\nexample:\n" - "%s=\"/bin:/lib:/usr:/proc:/etc:/dev/urandom\" " + "%s=\"${PATH}:/lib:/usr:/proc:/etc:/dev/urandom\" " "%s=\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" " "%s=\"9418\" " "%s=\"80:443\" " @@ -383,6 +385,7 @@ int main(const int argc, char *const argv[], char *const *const envp) cmd_path = argv[1]; cmd_argv = argv + 1; + fprintf(stderr, "Executing the sandboxed command...\n"); execvpe(cmd_path, cmd_argv, envp); fprintf(stderr, "Failed to execute \"%s\": %s\n", cmd_path, strerror(errno)); |