From 788c6b0aa2c4bb8c4e508bd7963cafce4ef2a8c7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Noack?=
Date: Fri, 5 Jul 2024 17:34:12 +0200
Subject: [PATCH] Treat EINVAL from landlock_add_rule error correctly

landlock_add_rule(2) can return EINVAL when you try to use directory-only access rights on a regular file.

Fixes #26
---
 landlock/path_opt_linux.go | 2 +-
 landlock/restrict_failure_test.go | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/landlock/path_opt_linux.go b/landlock/path_opt_linux.go
index 91103f1..40777c1 100644
--- a/landlock/path_opt_linux.go
+++ b/landlock/path_opt_linux.go
@@ -43,7 +43,7 @@ func addPath(rulesetFd int, path string, access AccessFSSet) error {
 if errors.Is(err, syscall.EINVAL) {
 // The ruleset access permissions must be a superset of the ones we restrict to.
 // This should never happen because the call to addPath() ensures that.
- err = bug(fmt.Errorf("invalid flags, or inconsistent access in the rule: %w", err))
+ err = fmt.Errorf("inconsistent access rights (using directory access rights on a regular file?): %w", err)
 } else if errors.Is(err, syscall.ENOMSG) && access == 0 {
 err = fmt.Errorf("empty access rights: %w", err)
 } else {
diff --git a/landlock/restrict_failure_test.go b/landlock/restrict_failure_test.go
index ce9d5dc..05b682e 100644
--- a/landlock/restrict_failure_test.go
+++ b/landlock/restrict_failure_test.go
@@ -103,6 +103,13 @@ func TestRestrictingPlainFileWithDirectoryFlags(t *testing.T) {
 if !errors.Is(err, unix.EINVAL) {
 t.Errorf("expected 'invalid argument' error, got: %v", err)
 }
+ if isGoLandlockBug(err) {
+ t.Errorf("should not be marked as a go-landlock bug, but was: %v", err)
+ }
+}
+
+func isGoLandlockBug(err error) bool {
+ return strings.Contains(err.Error(), "BUG(go-landlock)")
 }

 func TestEmptyAccessRights(t *testing.T) {
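Review bot: The two context comments above the changed line in addPath ("The ruleset access permissions must be a superset…" and "This should never happen because the call to addPath() ensures that.") now contradict the branch they sit on, because EINVAL is no longer reported as a bug and the commit message says it is reachable from caller input. I would replace them with something like `// EINVAL: the access rights were rejected, e.g. directory-only rights on a regular file; not necessarily a go-landlock bug.` landlock_add_rule(2) also documents EINVAL for non-zero flags and for rule access outside the ruleset's handled set, which would still point at the library if they occurred, so dropping `bug()` for every EINVAL loses that signal; checking whether the path is a non-directory before choosing the message would keep the two cases apart. Naming `path` in the message would also tell the caller which rule failed to apply, unless a wrapper outside this hunk already adds it. addPath's body starts and ends outside the hunk.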
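Review bot: `isGoLandlockBug` calls `err.Error()` without a nil check, and the EINVAL assertion just before the new call uses `t.Errorf`, so if the restriction unexpectedly succeeds the test continues and panics on a nil error instead of reporting a clean failure, unless a guard outside the hunk already stops on nil. Guarding the helper avoids that: `return err != nil && strings.Contains(err.Error(), "BUG(go-landlock)")`. Matching on message text also ties the test to the exact prefix `bug()` produces, which is not visible here; a sentinel or typed error checked with `errors.Is`/`errors.As` would be sturdier if the package can expose one. The helper also needs a doc comment, e.g. `// isGoLandlockBug reports whether err was marked as an internal go-landlock bug.` The test function's body starts outside the hunk.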