Further improve unveil() implementation

This change addresses review comments from Günther Noack on GitHub.
We're now blacklisting truncate() and setxattr() since Landlock lets
them operate on veiled files. The restriction has been lifted on using
unveil() multiple times, since Landlock does that well.
This commit is contained in:
Justine Tunney 2022-07-24 05:54:26 -07:00
parent 8593580d0a
commit 6c71bd5969
6 changed files with 154 additions and 43 deletions

View file

@ -20,6 +20,8 @@
#include "libc/calls/strace.internal.h"
#include "libc/calls/syscall-sysv.internal.h"
#include "libc/dce.h"
#include "libc/runtime/runtime.h"
#include "libc/sysv/consts/auxv.h"
/**
* Returns effective group ID of calling process.
@ -27,10 +29,12 @@
*/
int getegid(void) {
int rc;
if (!IsWindows()) {
rc = sys_getegid();
} else {
rc = getgid();
if (!(rc = getauxval(AT_EGID))) {
if (!IsWindows()) {
rc = sys_getegid();
} else {
rc = getgid();
}
}
STRACE("%s() → %d% m", "getegid", rc);
return rc;