commit - d54c55fbe1a056c4b964e065c0987fcf30da3d6d
commit + 4ab3b651a90a89e18601e20c34a78f79ff86b268
blob - c4e02ae5af2073034cc7d33a426fa6719edddb8f
blob + b5adf7877b778504ad6ad203a29277e2057f32bb
--- sandbox.c
+++ sandbox.c
static int
open_landlock(void)
{
+ int fd;
struct landlock_ruleset_attr attr = {
.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE |
LANDLOCK_ACCESS_FS_READ_DIR |
LANDLOCK_ACCESS_FS_MAKE_REG,
};
- return landlock_create_ruleset(&attr, sizeof(attr), 0);
+ fd = landlock_create_ruleset(&attr, sizeof(attr), 0);
+ if (fd == -1) {
+ switch (errno) {
+ case ENOSYS:
+ case EOPNOTSUPP:
+ return -1;
+ default:
+ err(1, "can't create landlock ruleset");
+ }
+ }
+ return fd;
}
static int
{
int fd;
+ /*
+ * XXX: landlock disabled at runtime, pretend everything's
+ * good.
+ */
if ((fd = open_landlock()) == -1)
- return -1;
+ return 0;
return landlock_apply(fd);
}
int fd, rwc;
char path[PATH_MAX];
+ /*
+ * XXX: at build-time we found landlock.h but we've just
+ * realized it's not available on this kernel, so do nothing.
+ */
if ((fd = open_landlock()) == -1)
- err(1, "can't create landlock ruleset");
+ return;
rwc = LANDLOCK_ACCESS_FS_READ_FILE |
LANDLOCK_ACCESS_FS_READ_DIR |