Commits
- Commit: 5e997b01390a9de2b9cefa7c44375da470e447c6
- From: Omar Polo <op@omarpolo.com>
- Date:
s/ENOTSUP/EOPNOTSUPP/
linux defines these errors to the same values, but the landlock doc uses
`EOPNOTSUPP' consistently. Spotted initially by brynet@ and reminded by
Mickaël Salaün, thanks!
ok thomas
- Commit: 97799ccd4b67a81f97039305d4fdd66588da9962
- From: Thomas Adam <thomas@xteddy.org>
- Date:
portable: add support for landlock
landlock is a new set of linux APIs that is conceptually similar to
unveil(2): the idea is to restrict what a process can do on a
specified part of the filesystem. There are some differences in the
behaviour: the major one being that the landlock ruleset is inherited
across execve(2).
This just restricts the libexec helpers by completely revoking ANY
filesystem access; after all they are the biggest attack surface. got
send/fetch/clone *may* end up spawning ssh(1), so at the moment it is not
possible to landlock the main process.
From Omar Polo.
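The confinement both commits above describe, as an added example that is not got's own code: build a Landlock ruleset that handles every ABI v1 filesystem right but contains no rule, so no path is allowed for anything, and apply it with landlock_restrict_self(2). The probe forks first so only the child is confined, then checks that the child can no longer even read "/". A missing or disabled Landlock is reported as unsupported, which is where the EOPNOTSUPP check from the first commit comes in (the header guard, the fallback syscall numbers and the treatment of a seccomp-filtered EPERM as "unsupported" are this example's own assumptions).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumption: only build the real thing where the UAPI header exists. */
#if defined(__linux__) && defined(__has_include)
# if __has_include(<linux/landlock.h>)
#  include <linux/landlock.h>
#  include <sys/prctl.h>
#  include <sys/syscall.h>
#  define HAVE_LANDLOCK 1
# endif
#endif
#ifdef HAVE_LANDLOCK
# ifndef SYS_landlock_create_ruleset	/* same numbers on every arch */
#  define SYS_landlock_create_ruleset 444
#  define SYS_landlock_restrict_self 446
# endif
#endif

enum ll_status {
	LL_RESTRICTED,	/* ruleset applied: no filesystem access remains */
	LL_UNSUPPORTED,	/* no Landlock (ENOSYS), disabled (EOPNOTSUPP) or filtered */
	LL_ERROR	/* any other failure */
};

/* Handle every ABI v1 filesystem right, add no rule, apply to ourselves. */
static enum ll_status
landlock_revoke_fs(void)
{
#ifdef HAVE_LANDLOCK
	struct landlock_ruleset_attr attr = {
		.handled_access_fs =
		    LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_WRITE_FILE |
		    LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR |
		    LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_REMOVE_FILE |
		    LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR |
		    LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK |
		    LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK |
		    LANDLOCK_ACCESS_FS_MAKE_SYM,
	};
	int fd = syscall(SYS_landlock_create_ruleset, &attr, sizeof(attr), 0);

	if (fd == -1) {
		/* EOPNOTSUPP: the LSM is built but not enabled on this kernel.
		 * EPERM: assumed to be a seccomp policy filtering the syscall. */
		if (errno == ENOSYS || errno == EOPNOTSUPP || errno == EPERM)
			return LL_UNSUPPORTED;
		return LL_ERROR;
	}
	/* no_new_privs is required before restricting ourselves. */
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1 ||
	    syscall(SYS_landlock_restrict_self, fd, 0) == -1) {
		close(fd);
		return LL_ERROR;
	}
	close(fd);
	return LL_RESTRICTED;
#else
	return LL_UNSUPPORTED;
#endif
}

enum probe_result { PROBE_DENIED, PROBE_UNSUPPORTED, PROBE_FAILED };

/* Confine a forked child (the parent keeps its access) and observe it. */
static enum probe_result
probe_fs_revocation(void)
{
	pid_t pid = fork();
	int status;

	if (pid == -1)
		return PROBE_FAILED;
	if (pid == 0) {
		enum ll_status st = landlock_revoke_fs();

		if (st != LL_RESTRICTED)
			_exit(st == LL_UNSUPPORTED ? 10 : 11);
		/* Opening "/" read-only needs READ_DIR, which nothing grants. */
		if (open("/", O_RDONLY | O_DIRECTORY) == -1 && errno == EACCES)
			_exit(0);
		_exit(12);	/* still had access: confinement did not take */
	}
	if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
		return PROBE_FAILED;
	if (WEXITSTATUS(status) == 0)
		return PROBE_DENIED;
	return WEXITSTATUS(status) == 10 ? PROBE_UNSUPPORTED : PROBE_FAILED;
}

int
main(void)
{
	enum probe_result r = probe_fs_revocation();

	puts(r == PROBE_DENIED ? "landlock: filesystem access revoked in child" :
	    r == PROBE_UNSUPPORTED ? "landlock: not available (ENOSYS/EOPNOTSUPP)" :
	    "landlock: unexpected failure");
	return r == PROBE_FAILED;
}
```

The ruleset here is the degenerate case the commit uses for the libexec helpers: every right is handled and no landlock_add_rule(2) call follows, so the child keeps only already-open descriptors. Because the ruleset survives execve(2), this is also why the main got process, which may still need to spawn ssh(1), cannot be confined the same way.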