Home Explore Help
Sign In
mirrors
/
snac2
mirror of https://codeberg.org/grunfink/snac2.git
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

Sandbox fixes

- allow reading `/dev/urandom` as it is shown as a failed syscall when
  tracing
- resolve `/etc/ssl/cert.pem` in case it is a symlink
shtrophic 2 months ago
parent
fda3057dc8
commit
cc1d4258e5
1 changed files with 8 additions and 1 deletions
Split View Show Diff Stats
  1. 8 1
      sandbox.c

+ 8 - 1
sandbox.c
View File 

@@ -71,15 +71,22 @@ LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail)
 
              LANDLOCK_ACCESS_FS_REFER_COMPAT,
 
         s  = LANDLOCK_ACCESS_FS_MAKE_SOCK,
 
         x  = LANDLOCK_ACCESS_FS_EXECUTE;
 
+    char *resolved_path = NULL;
 
 
     LL_PATH(basedir,                rf|rd|w|c);
 
     LL_PATH("/tmp",                 rf|rd|w|c);
 
 #ifndef WITHOUT_SHM
 
     LL_PATH("/dev/shm",             rf|w|c   );
 
 #endif
 
+    LL_PATH("/dev/urandom",         rf       );
 
     LL_PATH("/etc/resolv.conf",     rf       );
 
     LL_PATH("/etc/hosts",           rf       );
 
-    LL_PATH("/etc/ssl",             rf       );
 
+    LL_PATH("/etc/ssl",             rf|rd    );
 
+    if ((resolved_path = realpath("/etc/ssl/cert.pem", NULL))) {
 
+        /* some distros like cert.pem to be a symlink */
 
+        LL_PATH(resolved_path,      rf       );
 
+        free(resolved_path);
 
+    }
 
     LL_PATH("/usr/share/zoneinfo",  rf       );
 
 
     if (mtime("/etc/pki") > 0)