Fix Landlock path rules on non-directory paths (files, devices, FIFOs)

[congwang-mk]

Problem

Any Landlock path rule targeting a non-directory crashed child setup. -r <regular file> and -w /dev/null both failed with add path rule ...: Invalid argument (os error 22) (EINVAL), and the child died before exec.

Two distinct root causes in add_path_rule (crates/sandlock-core/src/landlock.rs):

1. Access mask ignored file type. Every path got a directory-oriented mask (READ_ACCESS carries READ_DIR; write_access also carries MAKE_*, REMOVE_*, REFER). The kernel rejects any access bit outside its ACCESS_FILE set (EXECUTE | WRITE_FILE | READ_FILE | TRUNCATE | IOCTL_DEV) on a non-directory with EINVAL.
2. Opened with O_RDONLY. A rule on a FIFO blocked child setup forever (O_RDONLY waits for a writer), and a rule on a write-only or no-read path failed at open() with EACCES.

This also affected the GPU device rules (/dev/nvidia*), which were silently failing because their EINVAL was swallowed by let _ =.

Fix

• When the opened path is not a directory, mask the requested access down to ACCESS_FILE. Directories are unaffected, and ABI-gated bits (TRUNCATE v3+, IOCTL_DEV v5+) are kept only if already requested.
• Reference the path with O_PATH | O_CLOEXEC instead of O_RDONLY. O_PATH does not block on FIFOs, needs no read permission on the target, and still supports fstat (the file-type check) and serves as a valid parent_fd for landlock_add_rule.

Tests

New regression tests in tests/integration/test_landlock.rs:

• test_path_rule_on_regular_file: read rule on a regular file
• test_path_rule_on_device_node: write rule on /dev/null, and confirms the write actually works
• test_path_rule_on_fifo_does_not_block: read rule on a FIFO, timeout-guarded so a regression fails instead of hanging

All suites pass with no regressions: 216 integration, 275 core lib, 48 FFI smoke. CLI reproduction of all four cases (regular file, device, FIFO, write-only file) now exits 0.

🤖 Generated with Claude Code