From a52063f4dbad954efea0b0961f2e5b878f0a9932 Mon Sep 17 00:00:00 2001
From: Dima Krasner
Date: Wed, 6 Sep 2023 08:32:25 +0300
Subject: [PATCH] adjust spot-sandbox for Landlock ABI 3 in Linux >= 6.2
---
 .../rootfs-petbuilds/spot-pkexec/sandbox.c | 22 ++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/woof-code/rootfs-petbuilds/spot-pkexec/sandbox.c b/woof-code/rootfs-petbuilds/spot-pkexec/sandbox.c
index c7b65c3095e..3f1078d4540 100644
--- a/woof-code/rootfs-petbuilds/spot-pkexec/sandbox.c
+++ b/woof-code/rootfs-petbuilds/spot-pkexec/sandbox.c
@@ -16,6 +16,10 @@
 #ifdef HAVE_LANDLOCK
+# ifndef LANDLOCK_ACCESS_FS_TRUNCATE
+# define LANDLOCK_ACCESS_FS_TRUNCATE 0
+# endif
+
 # ifndef LANDLOCK_ACCESS_FS_REFER
 # define LANDLOCK_ACCESS_FS_REFER 0
 # endif
@@ -88,7 +92,8 @@ int main(int argc, char *argv[])
 LANDLOCK_ACCESS_FS_MAKE_FIFO |
 LANDLOCK_ACCESS_FS_MAKE_BLOCK |
 LANDLOCK_ACCESS_FS_MAKE_SYM |
- LANDLOCK_ACCESS_FS_REFER
+ LANDLOCK_ACCESS_FS_REFER |
+ LANDLOCK_ACCESS_FS_TRUNCATE
 };
 struct landlock_path_beneath_attr ro_attr = {
 .allowed_access =
@@ -111,10 +116,12 @@ int main(int argc, char *argv[])
 LANDLOCK_ACCESS_FS_MAKE_FIFO |
 LANDLOCK_ACCESS_FS_MAKE_BLOCK |
 LANDLOCK_ACCESS_FS_MAKE_SYM |
- LANDLOCK_ACCESS_FS_REFER
+ LANDLOCK_ACCESS_FS_REFER |
+ LANDLOCK_ACCESS_FS_TRUNCATE
 };
 DIR *dir = NULL;
 struct dirent *ent;
+ long abi;
 int i, root_fd = -1, ruleset_fd = -1;
 #endif
 struct passwd *spot;
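Review bot: In the first hunk (`@@ -16,6 +16,10 @@`), defining `LANDLOCK_ACCESS_FS_TRUNCATE` as 0 when the build headers lack it means a binary built against pre-6.2 headers never restricts truncation, even on a kernel that supports ABI 3, and nothing at run time shows it. The ABI probe added in the last hunk already clears the bit on older kernels, so the fallback could carry the uapi value instead, `# define LANDLOCK_ACCESS_FS_TRUNCATE (1ULL << 14)`, letting the running kernel decide. If the 0 fallback is kept for symmetry with `LANDLOCK_ACCESS_FS_REFER`, a comment saying that sandbox coverage then depends on the build headers would help whoever packages this.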
@@ -124,8 +131,17 @@ int main(int argc, char *argv[])
 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) goto exec;
 #ifdef HAVE_LANDLOCK
+ abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
+
+# if LANDLOCK_ACCESS_FS_TRUNCATE != 0
+ if (abi < 3) {
+ ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
+ rw_attr.allowed_access &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
+ }
+# endif
+
 # if LANDLOCK_ACCESS_FS_REFER != 0
- if (landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION) < 2) {
+ if (abi < 2) {
 ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
 rw_attr.allowed_access &= ~LANDLOCK_ACCESS_FS_REFER;
 }
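Review bot: A failed version probe is not distinguished from an old kernel here: `abi` is only compared with 3 and 2, so a negative return (Landlock absent or disabled at boot) clears both bits and falls through to the ruleset setup outside this hunk, which presumably fails there. Checking it right after the call, for example `if (abi < 0) goto exec;` in line with the prctl check at the top of the hunk, makes the unsandboxed path explicit and gives one place to log it. A comment above the `abi < 3` block such as `/* ABI < 3: truncation cannot be restricted, the sandbox is best-effort on these kernels */` would record the reduced coverage. main() begins and ends outside the hunk.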