commit - be88c5d657e2a2e0a2a9f6d75910e5f08ec5e755
commit + 98c6f8de41647ba565dcbdaccf876277b404161e
blob - a561d88b26a8dd02e222ed1160e7aacb5b5f76e6
blob + 43f210de4b18322649f4363523377f93519c5dd2
--- sandbox.c
+++ sandbox.c
{
int fd;
- /*
- * These are all the actions that we may want to
- * allow. Anything not specified here is implicitly blocked
- * (e.g. LANDLOCK_ACCESS_FS_EXECUTE.)
- */
struct landlock_ruleset_attr attr = {
- .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_READ_DIR,
+ .handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE |
+ LANDLOCK_ACCESS_FS_READ_FILE |
+ LANDLOCK_ACCESS_FS_READ_DIR |
+ LANDLOCK_ACCESS_FS_WRITE_FILE |
+ LANDLOCK_ACCESS_FS_REMOVE_DIR |
+ LANDLOCK_ACCESS_FS_REMOVE_FILE |
+ LANDLOCK_ACCESS_FS_MAKE_CHAR |
+ LANDLOCK_ACCESS_FS_MAKE_DIR |
+ LANDLOCK_ACCESS_FS_MAKE_REG |
+ LANDLOCK_ACCESS_FS_MAKE_SOCK |
+ LANDLOCK_ACCESS_FS_MAKE_FIFO |
+ LANDLOCK_ACCESS_FS_MAKE_BLOCK |
+ LANDLOCK_ACCESS_FS_MAKE_SYM,
};
fd = landlock_create_ruleset(&attr, sizeof(attr), 0);