

ruleset: Fix ruleset creation without effective handled access
Check that a ruleset really handles at least one access right.

Signed-off-by: Mickaël Salaün <mic@digikod.net>
l0kod committed Aug 30, 2023
1 parent c30529f commit 95addc1
Showing 1 changed file with 46 additions and 2 deletions.
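--- a/src/ruleset.rs
+++ b/src/ruleset.rs
@@ -224,14 +224,30 @@ impl Ruleset {
     /// The returned [`RulesetCreated`] is also a builder.
     ///
     /// On error, returns a wrapped [`CreateRulesetError`].
-    pub fn create(self) -> Result<RulesetCreated, RulesetError> {
+    pub fn create(mut self) -> Result<RulesetCreated, RulesetError> {
         let body = || -> Result<RulesetCreated, CreateRulesetError> {
-            // Checks that the ruleset handles at least an access.
+            // Checks that there is at least one requested access.
             if self.requested_handled_fs.is_empty() {
                 // No handle_access() call.
                 return Err(CreateRulesetError::MissingHandledAccess);
             }
 
+            // Checks that the ruleset handles at least one access.
+            if self.actual_handled_fs.is_empty() {
+                match self.compat.level {
+                    CompatLevel::BestEffort => {}
+                    CompatLevel::SoftRequirement => {
+                        // This sets the ABI to Unsupported and then only returns an error if
+                        // set_no_new_privs is supported by the running system (as for the
+                        // best-effort level).
+                        self.compat.update(CompatState::Final);
+                    }
+                    CompatLevel::HardRequirement => {
+                        return Err(CreateRulesetError::MissingHandledAccess);
+                    }
+                }
+            }
+
             let attr = uapi::landlock_ruleset_attr {
                 handled_access_fs: self.actual_handled_fs.bits(),
             };
@@ -654,6 +670,7 @@ fn ruleset_created_attr() {
 fn ruleset_unsupported() {
     assert_eq!(
         Ruleset::from(ABI::Unsupported)
+            // BestEffort for Ruleset.
             .handle_access(AccessFs::Execute)
             .unwrap()
             .create()
@@ -662,10 +679,37 @@ fn ruleset_unsupported() {
             .unwrap(),
         RestrictionStatus {
             ruleset: RulesetStatus::NotEnforced,
+            // With BestEffort, no_new_privs is still enabled.
             no_new_privs: true,
         }
     );
 
+    assert_eq!(
+        Ruleset::from(ABI::Unsupported)
+            // SoftRequirement for Ruleset.
+            .set_compatibility(CompatLevel::SoftRequirement)
+            .handle_access(AccessFs::Execute)
+            .unwrap()
+            .create()
+            .unwrap()
+            .restrict_self()
+            .unwrap(),
+        RestrictionStatus {
+            ruleset: RulesetStatus::NotEnforced,
+            // With SoftRequirement, no_new_privs is discarded.
+            no_new_privs: false,
+        }
+    );
+
+    matches!(
+        Ruleset::from(ABI::Unsupported)
+            // HardRequirement for Ruleset.
+            .set_compatibility(CompatLevel::HardRequirement)
+            .handle_access(AccessFs::Execute)
+            .unwrap_err(),
+        RulesetError::CreateRuleset(CreateRulesetError::MissingHandledAccess)
+    );
+
     assert_eq!(
         Ruleset::from(ABI::Unsupported)
             .handle_access(AccessFs::Execute)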
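Review bot: The HardRequirement case added at the end of `ruleset_unsupported` never fails on a mismatch, because `matches!(...)` evaluates to a `bool` that is discarded as a statement; only the `unwrap_err()` is actually checked and the `MissingHandledAccess` variant is not pinned. Wrap it as `assert!(matches!(` … `));` so the expected variant is enforced like the two `assert_eq!` cases above it. That arm also takes its error from `handle_access()` rather than `create()`, so the new `HardRequirement` branch in `create()` appears not to be exercised by this test; a case where `handle_access()` succeeds but no access is effectively handled would cover it, if one is constructible. Separately, the doc comment on `create()` does not mention the new behaviour shown by the BestEffort test (ruleset `NotEnforced`, `create()` still succeeds); a line such as `/// With BestEffort, a ruleset whose handled accesses are all unsupported is still created but enforces nothing; check the returned restriction status.` would help callers that must not continue unsandboxed. `ruleset_unsupported` continues past the end of the hunk.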

