On 05/01/2023 04:46, Konstantin Meskhidze (A) wrote:
11/16/2022 5:25 PM, Mickaël Salaün wrote:
[...]
fprintf(stderr,
"Hint: You should update the running kernel "
"to leverage Landlock features "
@@ -259,16 +342,36 @@ int main(const int argc, char *const argv[], char *const *const envp)
access_fs_ro &= ruleset_attr.handled_access_fs;
access_fs_rw &= ruleset_attr.handled_access_fs;
+ /* Removes bind access attribute if not supported by a user. */
+ env_port_name = getenv(ENV_TCP_BIND_NAME);
+ if (!env_port_name) {
You can move this logic at the populate_ruleset_net() call site and
update this helper to not call getenv() twice for the same variable.
But here I exclude ruleset attributes, not the rule itself. It will break
the logic: creating a ruleset then applying rules.
I suggest to leave it here as is.
Right, but you can still avoid the duplicate getenv() calls.
+ access_net_tcp &= ~LANDLOCK_ACCESS_NET_BIND_TCP;
+ }
+ /* Removes connect access attribute if not supported by a user. */
+ env_port_name = getenv(ENV_TCP_CONNECT_NAME);
+ if (!env_port_name) {
+ access_net_tcp &= ~LANDLOCK_ACCESS_NET_CONNECT_TCP;
+ }
+ ruleset_attr.handled_access_net &= access_net_tcp;
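Review bot: the two comments above the getenv() checks say "if not supported by a user", but the condition tested is only whether ENV_TCP_BIND_NAME or ENV_TCP_CONNECT_NAME is unset, so wording such as "if the environment variable is not set" would match the code. Both if bodies are a single statement wrapped in braces, which kernel coding style omits. If the env_port_name results are kept rather than overwritten by the second getenv(), they could be passed on to the rule-population step, which would also address the duplicate getenv() calls raised in the thread.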