commit:     f3c48c3262edab7db3fc95d87ac1511a97ad930e
Author:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Mon Jul 31 15:39:40 2023 +0000
Commit:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Tue Aug  1 14:15:12 2023 +0000
URL:        https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=f3c48c32

libsandbox: always permit access to '/memfd:'

For memfd objects, the kernel populates the target for symlinks under
/proc/$PID/fd as "/memfd:name". Said target does not actually exist.

It is unfortunate that the kernel includes the leading slash, but we
will just have to work around it.

Bug: https://bugs.gentoo.org/910561
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>
(cherry picked from commit 27232d52fee4abecd5f709acc616fa1296e0464f)

 libsandbox/libsandbox.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index 847b4e2..e5f6d38 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -713,6 +713,12 @@ static int check_access(sbcontext_t *sbcontext, int sb_nr, 
const char *func,
                /* Fall in a read/write denied path, Deny Access */
                goto out;
 
+       if (!strncmp(resolv_path, "/memfd:", strlen("/memfd:"))) {
+               /* Allow operations on memfd objects #910561 */
+               result = 1;
+               goto out;
+       }
+
        if (!sym_func) {
                retval = check_prefixes(sbcontext->deny_prefixes,
                        sbcontext->num_deny_prefixes, resolv_path);
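Review bot: The added `strncmp(resolv_path, "/memfd:", strlen("/memfd:"))` test is a plain string-prefix match that sets `result = 1` and jumps to `out` before the `check_prefixes(sbcontext->deny_prefixes, ...)` call that follows. It therefore allows any resolved path that begins with "/memfd:", for every `func` and `sb_nr`, not only targets read back from /proc/$PID/fd symlinks. The in-code comment only cites #910561. It should also record what the commit message explains: the kernel reports memfd targets as "/memfd:name", the leading slash is the kernel's, and no such path exists on disk. That makes it clear why skipping the deny-prefix check is acceptable here. If check_access can tell that resolv_path came from a /proc/$PID/fd link, restricting the exemption to that case would keep a real directory named "/memfd:" under the normal prefix rules.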
