diff options
| author |   Mike Gilbert <floppym@gentoo.org> | 2023-07-31 11:39:40 -0400 |
|---|---|---|
| committer | Mike Gilbert <floppym@gentoo.org> | 2023-07-31 11:42:59 -0400 |
| commit | 27232d52fee4abecd5f709acc616fa1296e0464f (patch) | |
| tree | 4a3623e6bc70ddd55a5a12e0b490deb209d56a23 | |
| parent | sb_exists: drop use of faccessat (diff) | |
| download | sandbox-27232d52fee4abecd5f709acc616fa1296e0464f.tar.gz sandbox-27232d52fee4abecd5f709acc616fa1296e0464f.tar.bz2 sandbox-27232d52fee4abecd5f709acc616fa1296e0464f.zip | |
libsandbox: always permit access to '/memfd:'
For memfd objects, the kernel populates the target for symlinks under
/proc/$PID/fd as "/memfd:name". Said target does not actually exist.
It is unfortunate that the kernel includes the leading slash, but we
will just have to work around it.
Bug: https://bugs.gentoo.org/910561
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
| -rw-r--r-- | libsandbox/libsandbox.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c index 847b4e2..e5f6d38 100644 --- a/libsandbox/libsandbox.c +++ b/libsandbox/libsandbox.c @@ -713,6 +713,12 @@ static int check_access(sbcontext_t *sbcontext, int sb_nr, const char *func, /* Fall in a read/write denied path, Deny Access */ goto out; + if (!strncmp(resolv_path, "/memfd:", strlen("/memfd:"))) { + /* Allow operations on memfd objects #910561 */ + result = 1; + goto out; + } + if (!sym_func) { retval = check_prefixes(sbcontext->deny_prefixes, sbcontext->num_deny_prefixes, resolv_path); |