bryson/pacman
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

libalpm: Better error messages when landlock setup fails

Browse source 
As suggested by @l0kod in the comments of #167.
This commit is contained in:
Remi Gacogne 2024-09-16 17:39:56 +02:00
parent 64299ccfbb
commit 1941b3d3f5
No known key found for this signature in database
GPG key ID: 40825C6BDD1A4146
1 changed files with 12 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
lib/libalpm/sandbox_fs.c
View file

@ -129,16 +129,20 @@ bool _alpm_sandbox_fs_restrict_writes_to(alpm_handle_t *handle, const char *path
ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
if(ruleset_fd < 0) { if(ruleset_fd < 0) {
_alpm_log(handle, ALPM_LOG_ERROR, _("restricting filesystem access failed because the landlock ruleset could not be created!\n")); _alpm_log(handle, ALPM_LOG_ERROR, _("restricting filesystem access failed because the landlock ruleset could not be created: %s\n"), strerror(errno));
return false; return false;
} }
/* allow / as read-only */ /* allow / as read-only */
path_beneath.parent_fd = open("/", O_PATH | O_CLOEXEC | O_DIRECTORY); path_beneath.parent_fd = open("/", O_PATH | O_CLOEXEC | O_DIRECTORY);
if(path_beneath.parent_fd == -1) {
_alpm_log(handle, ALPM_LOG_ERROR, _("opening the root filesystem to make it read-only via landlock failed: %s\n"), strerror(errno));
return false;
}
path_beneath.allowed_access = _LANDLOCK_ACCESS_FS_READ; path_beneath.allowed_access = _LANDLOCK_ACCESS_FS_READ;
if(landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &path_beneath, 0) != 0) { if(landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &path_beneath, 0) != 0) {
_alpm_log(handle, ALPM_LOG_ERROR, _("restricting filesystem access failed because the landlock rule for / could not be added!\n")); _alpm_log(handle, ALPM_LOG_ERROR, _("restricting filesystem access failed because the landlock rule for / could not be added: %s\n"), strerror(errno));
close(path_beneath.parent_fd); close(path_beneath.parent_fd);
close(ruleset_fd); close(ruleset_fd);
return false; return false;
@ -148,6 +152,10 @@ bool _alpm_sandbox_fs_restrict_writes_to(alpm_handle_t *handle, const char *path
/* allow read-write access to the directory passed as parameter */ /* allow read-write access to the directory passed as parameter */
path_beneath.parent_fd = open(path, O_PATH | O_CLOEXEC | O_DIRECTORY); path_beneath.parent_fd = open(path, O_PATH | O_CLOEXEC | O_DIRECTORY);
if(path_beneath.parent_fd == -1) {
_alpm_log(handle, ALPM_LOG_ERROR, _("opening the download directory to make it writable via landlock failed: %s\n"), strerror(errno));
return false;
}
path_beneath.allowed_access = _LANDLOCK_ACCESS_FS_READ | _LANDLOCK_ACCESS_FS_WRITE | _LANDLOCK_ACCESS_FS_TRUNCATE; path_beneath.allowed_access = _LANDLOCK_ACCESS_FS_READ | _LANDLOCK_ACCESS_FS_WRITE | _LANDLOCK_ACCESS_FS_TRUNCATE;
/* make sure allowed_access is a subset of handled_access_fs, which may change for older landlock ABI */ /* make sure allowed_access is a subset of handled_access_fs, which may change for older landlock ABI */
@ -155,12 +163,12 @@ bool _alpm_sandbox_fs_restrict_writes_to(alpm_handle_t *handle, const char *path
if(landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &path_beneath, 0) == 0) { if(landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &path_beneath, 0) == 0) {
if(landlock_restrict_self(ruleset_fd, 0)) { if(landlock_restrict_self(ruleset_fd, 0)) {
_alpm_log(handle, ALPM_LOG_ERROR, _("restricting filesystem access failed because the landlock ruleset could not be applied!\n"));
result = errno; result = errno;
_alpm_log(handle, ALPM_LOG_ERROR, _("restricting filesystem access failed because the landlock ruleset could not be applied: %s\n"), strerror(result));
} }
} else { } else {
result = errno; result = errno;
_alpm_log(handle, ALPM_LOG_ERROR, _("restricting filesystem access failed because the landlock rule for the temporary download directory could not be added!\n")); _alpm_log(handle, ALPM_LOG_ERROR, _("restricting filesystem access failed because the landlock rule for the temporary download directory could not be added: %s\n"), strerror(result));
} }
close(path_beneath.parent_fd); close(path_beneath.parent_fd);