libsandbox: always permit access to '/memfd:'

For memfd objects, the kernel populates the target for symlinks under /proc/$PID/fd as "/memfd:name". Said target does not actually exist. It is unfortunate that the kernel includes the leading slash, but we will just have to work around it. Bug: https://bugs.gentoo.org/910561 Signed-off-by: Mike Gilbert <floppym@gentoo.org> (cherry picked from commit 27232d52fee4abecd5f709acc616fa1296e0464f)
author: Mike Gilbert <floppym@gentoo.org> 2023-07-31 11:39:40 -0400
committer: Mike Gilbert <floppym@gentoo.org> 2023-08-01 10:15:12 -0400
commit: f3c48c3262edab7db3fc95d87ac1511a97ad930e (patch)
tree: 2d1be33fd400ccc93748710328b9c6fd04b5c5e5
parent: v2.37 (diff)
download: sandbox-f3c48c3262edab7db3fc95d87ac1511a97ad930e.tar.gz
sandbox-f3c48c3262edab7db3fc95d87ac1511a97ad930e.tar.bz2
sandbox-f3c48c3262edab7db3fc95d87ac1511a97ad930e.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index 847b4e2..e5f6d38 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -713,6 +713,12 @@ static int check_access(sbcontext_t *sbcontext, int sb_nr, const char *func,
 		/* Fall in a read/write denied path, Deny Access */
 		goto out;
 
+	if (!strncmp(resolv_path, "/memfd:", strlen("/memfd:"))) {
+		/* Allow operations on memfd objects #910561 */
+		result = 1;
+		goto out;
+	}
+
 	if (!sym_func) {
 		retval = check_prefixes(sbcontext->deny_prefixes,
 			sbcontext->num_deny_prefixes, resolv_path);
author	Mike Gilbert <floppym@gentoo.org>	2023-07-31 11:39:40 -0400
committer	Mike Gilbert <floppym@gentoo.org>	2023-08-01 10:15:12 -0400
commit	f3c48c3262edab7db3fc95d87ac1511a97ad930e (patch)
tree	2d1be33fd400ccc93748710328b9c6fd04b5c5e5
parent	v2.37 (diff)
download	sandbox-f3c48c3262edab7db3fc95d87ac1511a97ad930e.tar.gz sandbox-f3c48c3262edab7db3fc95d87ac1511a97ad930e.tar.bz2 sandbox-f3c48c3262edab7db3fc95d87ac1511a97ad930e.zip