Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Recently (as of Landlock ABI 4), the `handled_access_net` field was
added to the `landlock_ruleset_attr` struct in the Linux kernel (in
linux/landlock.h). In src/firejail/landlock.c, that field is not being
set in the struct (as we currently do not use it) before passing it to
the `landlock_create_full_ruleset` syscall, so it may contain random
garbage when used, resulting in the syscall sometimes returning EINVAL
(depending on whether the garbage is valid)[1]:
ll_is_supported: Detected Landlock ABI version 4
ll_restrict: Starting Landlock restrict
ll_create_full_ruleset: Creating Landlock ruleset (abi=4 fs=1fff)
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
ll_read: Adding Landlock rule (abi=4 fs=c) for /
Error: ll_read: failed to add Landlock rule (abi=4 fs=c) for /: Bad file descriptor
ll_create_full_ruleset: Creating Landlock ruleset (abi=4 fs=1fff)
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
ll_read: Adding Landlock rule (abi=4 fs=c) for /proc
Error: ll_read: failed to add Landlock rule (abi=4 fs=c) for /proc: Bad file descriptor
[...]
So ensure that all structs in landlock.c are initialized to 0 before
using them.
Note: This currently affects Arch but not Artix, as the former packages
a more recent version of the Linux headers (linux-api-headers 6.7-1 vs
6.4-1).
Fixes netblue30#6195.
Relates to netblue30#6078.
[1] netblue30#6195 (comment)- Loading branch information
