landlock-lsm / go-landlock

A Go library for the Linux Landlock sandboxing feature
MIT License
105 stars 7 forks

BUG(go-landlock) visible when adding non-file access rights on files #26

Closed gnoack closed 2 weeks ago

gnoack commented 8 months ago

When using non-file access rights on files (rather than directories), it is possible to get go-landlock to return a BUG(go-landlock) error.

This is unintended and should be fixed.

Reported by https://www.reddit.com/user/ikmckenz/ on https://www.reddit.com/r/linuxquestions/comments/17qg6fj/give_landlock_access_to_devnull_properly/

ikmckenz commented 8 months ago

Example:

package main

import (
    "fmt"
    "github.com/landlock-lsm/go-landlock/landlock"
)

func main() {
    // 0b1111111111111 has 13 bits set, i.e. every ABI V1 filesystem access
    // right (execute ... make_sym), including the directory-only rights
    // (read_dir, remove_dir, remove_file, make_*). It is applied here to
    // /dev/null, a character device file rather than a directory.
    err := landlock.V3.BestEffort().RestrictPaths(
        landlock.PathAccess(0b1111111111111, "/dev/null"),
    )
    if err != nil {
        fmt.Println(err)
    }
}

Returns: populating ruleset for "/dev/null" with access {execute,write_file,read_file,read_dir,remove_dir,remove_file,make_char,make_dir,make_reg,make_sock,make_fifo,make_block,make_sym}: landlock_add_rule: BUG(go-landlock): This should not have happened: invalid flags, or inconsistent access in the rule: invalid argument
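The "invalid argument" at the end of that message is EINVAL from landlock_add_rule: the kernel refuses a rule on a non-directory path if the rule carries rights that only make sense on directories (read_dir, remove_dir, remove_file, make_* and, from ABI V2, refer), while execute, write_file, read_file and (from ABI V3) truncate are accepted on files. The standalone Go program below is an added example, not code from this issue or from go-landlock; it uses only the standard library, re-declares the uapi bit values under its own names (AccessFSSet, SplitForPath and CheckPathAccess are this example's names, not the library's API), and shows how to split a requested set into what the kernel will accept for a given path and what it would reject, so a caller can drop or report the directory-only bits before handing the rule to the library.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// AccessFSSet mirrors the Landlock filesystem access-right bitmask
// (LANDLOCK_ACCESS_FS_* in the kernel uapi, ABI V1-V3). The type and the
// functions in this file are this example's own, not go-landlock's API.
type AccessFSSet uint64

const (
	Execute    AccessFSSet = 1 << 0
	WriteFile  AccessFSSet = 1 << 1
	ReadFile   AccessFSSet = 1 << 2
	ReadDir    AccessFSSet = 1 << 3
	RemoveDir  AccessFSSet = 1 << 4
	RemoveFile AccessFSSet = 1 << 5
	MakeChar   AccessFSSet = 1 << 6
	MakeDir    AccessFSSet = 1 << 7
	MakeReg    AccessFSSet = 1 << 8
	MakeSock   AccessFSSet = 1 << 9
	MakeFifo   AccessFSSet = 1 << 10
	MakeBlock  AccessFSSet = 1 << 11
	MakeSym    AccessFSSet = 1 << 12
	Refer      AccessFSSet = 1 << 13 // ABI V2
	Truncate   AccessFSSet = 1 << 14 // ABI V3
)

// FileRights is the set the kernel accepts on a non-directory path
// (ACCESS_FILE in security/landlock/fs.c). Any other bit in a rule for a
// file makes landlock_add_rule fail with EINVAL.
const FileRights = Execute | WriteFile | ReadFile | Truncate

// rightNames lists the bits in uapi order, which is also the order used in
// the go-landlock error message quoted in this issue.
var rightNames = []struct {
	bit  AccessFSSet
	name string
}{
	{Execute, "execute"}, {WriteFile, "write_file"}, {ReadFile, "read_file"},
	{ReadDir, "read_dir"}, {RemoveDir, "remove_dir"}, {RemoveFile, "remove_file"},
	{MakeChar, "make_char"}, {MakeDir, "make_dir"}, {MakeReg, "make_reg"},
	{MakeSock, "make_sock"}, {MakeFifo, "make_fifo"}, {MakeBlock, "make_block"},
	{MakeSym, "make_sym"}, {Refer, "refer"}, {Truncate, "truncate"},
}

// String renders the set as {name,name,...}, matching the issue's output.
func (a AccessFSSet) String() string {
	names := make([]string, 0, len(rightNames))
	for _, r := range rightNames {
		if a&r.bit != 0 {
			names = append(names, r.name)
		}
	}
	return "{" + strings.Join(names, ",") + "}"
}

// SplitForPath returns the rights the kernel accepts for a path of the given
// kind and the subset it would reject. Directories accept every right.
func SplitForPath(a AccessFSSet, isDir bool) (accepted, rejected AccessFSSet) {
	if isDir {
		return a, 0
	}
	return a & FileRights, a &^ FileRights
}

// CheckPathAccess stats path and returns the rights that can safely go into a
// rule for it; the error names the directory-only bits that would be rejected.
func CheckPathAccess(a AccessFSSet, path string) (AccessFSSet, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	accepted, rejected := SplitForPath(a, fi.IsDir())
	if rejected != 0 {
		return accepted, fmt.Errorf("%s is not a directory; directory-only rights %s would be rejected with EINVAL", path, rejected)
	}
	return accepted, nil
}

func main() {
	// The literal from the report: 13 set bits, i.e. every ABI V1 right.
	requested := AccessFSSet(0b1111111111111)
	for _, p := range []string{"/dev/null", "/tmp"} { // sample paths, constructed for this demo
		ok, err := CheckPathAccess(requested, p)
		fmt.Printf("%s: usable rights %s", p, ok)
		if err != nil {
			fmt.Printf(" (%v)", err)
		}
		fmt.Println()
	}
}
```

Run as-is on any Linux box: for /dev/null the program keeps {execute,write_file,read_file} and reports the ten directory-only rights that the kernel would refuse, while for /tmp the full set passes through. The split is what the library's own helpers such as landlock.RWFiles already choose for you; the value of doing it explicitly is that a mismatch between the requested rights and the path's type surfaces as a readable error in your code rather than as EINVAL from the syscall.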