BUG(go-landlock) visible when adding non-file access rights on files #26

gnoack opened this issue Nov 8, 2023 · 1 comment

gnoack commented Nov 8, 2023

When using non-file access rights on files (rather than directories),
it is possible to get go-landlock to return a BUG(go-landlock) error.

This is unintended and should be fixed.

Reported by https://www.reddit.com/user/ikmckenz/ on https://www.reddit.com/r/linuxquestions/comments/17qg6fj/give_landlock_access_to_devnull_properly/

@ikmckenz

Example:

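```go
package main

import (
	"fmt"

	"github.com/landlock-lsm/go-landlock/landlock"
)

func main() {
	// The mask sets the 13 access bits execute..make_sym listed in the
	// error below, including directory-only ones, on a non-directory path.
	err := landlock.V3.BestEffort().RestrictPaths(
		landlock.PathAccess(0b1111111111111, "/dev/null"),
	)
	if err != nil {
		fmt.Println(err)
	}
}
```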

Returns:

```
populating ruleset for "/dev/null" with access {execute,write_file,read_file,read_dir,remove_dir,remove_file,make_char,make_dir,make_reg,make_sock,make_fifo,make_block,make_sym}: landlock_add_rule: BUG(go-landlock): This should not have happened: invalid flags, or inconsistent access in the rule: invalid argument
```

@gnoack gnoack self-assigned this Nov 18, 2023
@gnoack gnoack closed this as completed in 788c6b0 Jul 5, 2024
gnoack added a commit that referenced this issue Oct 13, 2024
landlock_add_rule(2) can return EINVAL when you try to use
directory-only access rights on a regular file.

Fixes #26
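
An added example, not go-landlock's own code and not the fix from the referenced commit: a caller-side pre-flight check that separates file-compatible rights from directory-only rights before a rule is added for a non-directory path such as `/dev/null`. The helper name `splitForPath` and the constant names are assumptions of this example; the bit values follow the kernel's `<linux/landlock.h>`.

```go
package main

import (
	"fmt"
	"os"
)

// Landlock filesystem access bits as in <linux/landlock.h>; names are local to this example.
const (
	execute uint64 = 1 << iota
	writeFile
	readFile
	readDir
	removeDir
	removeFile
	makeChar
	makeDir
	makeReg
	makeSock
	makeFifo
	makeBlock
	makeSym
	refer
	truncate
)

// fileRights are the rights the kernel accepts on a non-directory (ABI V3);
// any other bit makes landlock_add_rule(2) return EINVAL for such a path.
const fileRights = execute | writeFile | readFile | truncate

// splitForPath (hypothetical helper) stats path and returns the rights that
// are valid for it plus the directory-only rights that would be rejected.
func splitForPath(path string, access uint64) (kept, dropped uint64, err error) {
	fi, err := os.Stat(path)
	if err != nil {
		return 0, 0, err
	}
	if fi.IsDir() {
		return access, 0, nil
	}
	return access & fileRights, access &^ fileRights, nil
}

func main() {
	// Same mask and path as in the report above.
	kept, dropped, err := splitForPath("/dev/null", 0b1111111111111)
	fmt.Printf("kept=%#b dropped=%#b err=%v\n", kept, dropped, err)
}
```

A non-zero `dropped` value tells the caller which requested rights do not apply to the path, so it can log or reject the rule instead of surfacing the kernel's `EINVAL`.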