From a8efa930527f0e0fc2dc3cca2c484af679ad7ce2 Mon Sep 17 00:00:00 2001
From: Quentin Kaiser
Date: Tue, 11 Feb 2025 14:44:18 +0100
Subject: [PATCH] fix(report): adapt landlock passthrough for report file

Report writing only worked if the report was being written to a child location of the extract directory. This was a byproduct of setting rw permissions on the extraction directory. It did not work when the report file was being written to a location that is unrelated to the extraction directory. Fixed by requesting rw access to the report's file parent directory. I tried to get smart by only allowing make_reg and read_write on the file, but it never fully worked because of file truncation and the fact that LANDLOCK_ACCESS_FS_TRUNCATE is only available since ABI version 3 in landlock.
---
 python/unblob/processing.py | 5 +++++
 python/unblob/sandbox.py | 3 +--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/python/unblob/processing.py b/python/unblob/processing.py
index 9511cfc7a3..5b08c6b46d 100644
--- a/python/unblob/processing.py
+++ b/python/unblob/processing.py
@@ -209,6 +209,11 @@ def prepare_report_file(config: ExtractionConfig, report_file: Optional[Path]) -
 "Report file exists and --force not specified", path=report_file
 )
 return False
+ if not report_file.parent.exists():
+ logger.error(
+ "Trying to write report file to a non-existent directory", path=report_file
+ )
+ return False
 return True
diff --git a/python/unblob/sandbox.py b/python/unblob/sandbox.py
index 9536fe9584..ff9e90884c 100644
--- a/python/unblob/sandbox.py
+++ b/python/unblob/sandbox.py
@@ -58,8 +58,7 @@ def __init__(
 if report_file:
 self.passthrough += [
- AccessFS.read_write(report_file),
- AccessFS.make_reg(report_file.parent),
+ AccessFS.read_write(report_file.parent),
 ]
 def run(self, callback: Callable[P, R], *args: P.args, **kwargs: P.kwargs) -> R:
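Review bot: The new guard in `prepare_report_file` tests `report_file.parent.exists()`, which also passes when the parent path is a regular file, so the report write would still fail later; `if not report_file.parent.is_dir():` states the actual requirement. The error log passes `path=report_file`, while the thing that is missing is the directory, so `path=report_file.parent` would point the operator at the right place. Because the sandbox change in this same commit grants read-write on that parent, the function's docstring should say that the directory must already exist and becomes writable to the extraction process. The function starts above the hunk, so its earlier checks are not visible here.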
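Review bot: `AccessFS.read_write(report_file.parent)` opens the whole parent directory tree to the sandboxed code, since a Landlock rule on a directory applies to everything beneath it; the two removed rules exposed only the report file itself plus regular-file creation under its directory. A report written next to unrelated data (a home directory, a shared temp directory, the current directory) therefore leaves that data readable and writable by extraction handlers that parse untrusted input. The trade-off deserves a comment at the rule, e.g. `# rw on the whole parent dir: a file-scoped rule needs LANDLOCK_ACCESS_FS_TRUNCATE (ABI >= 3)`, and the report option's help text could recommend a dedicated output directory. A narrower option, if the code layout allows it, is to keep the file-scoped rules when the running kernel reports Landlock ABI 3 or later and fall back to the parent rule only below that. `__init__` begins above the hunk, so how `report_file` is resolved before this point is not visible.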