Treat EINVAL from landlock_add_rule error correctly

landlock_add_rule(2) can return EINVAL when you try to use directory-only access rights on a regular file. Fixes #26
landlock-lsm · Jul 5, 2024 · 788c6b0 · 788c6b0
1 parent 2ff0359
commit 788c6b0
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/landlock/path_opt_linux.go b/landlock/path_opt_linux.go
@@ -43,7 +43,7 @@ func addPath(rulesetFd int, path string, access AccessFSSet) error {
 		if errors.Is(err, syscall.EINVAL) {
 			// The ruleset access permissions must be a superset of the ones we restrict to.
 			// This should never happen because the call to addPath() ensures that.
-			err = bug(fmt.Errorf("invalid flags, or inconsistent access in the rule: %w", err))
+			err = fmt.Errorf("inconsistent access rights (using directory access rights on a regular file?): %w", err)
 		} else if errors.Is(err, syscall.ENOMSG) && access == 0 {
 			err = fmt.Errorf("empty access rights: %w", err)
 		} else {

diff --git a/landlock/restrict_failure_test.go b/landlock/restrict_failure_test.go
@@ -103,6 +103,13 @@ func TestRestrictingPlainFileWithDirectoryFlags(t *testing.T) {
 	if !errors.Is(err, unix.EINVAL) {
 		t.Errorf("expected 'invalid argument' error, got: %v", err)
 	}
+	if isGoLandlockBug(err) {
+		t.Errorf("should not be marked as a go-landlock bug, but was: %v", err)
+	}
+}
+
+func isGoLandlockBug(err error) bool {
+	return strings.Contains(err.Error(), "BUG(go-landlock)")
 }
 
 func TestEmptyAccessRights(t *testing.T) {