Readit News logoReadit News
raimue commented on Xz: Can you spot the single character that disabled Linux landlock?   git.tukaani.org/?p=xz.git... · Posted by u/dhx
SAI_Peregrinus · 2 years ago
The only source of the claim that the existence of.linux/landlock.h is insufficient is (AFAICT) the malicious git commit. Why trust the comment, written by the attacker, to explain away a malicious change?
raimue · 2 years ago
I already explained above why the existence of linux/landlock.h is not sufficient. Why do you still question it? If you know a bit about system programming and how configure checks work, the change in itself is totally reasonable.
raimue commented on Xz: Can you spot the single character that disabled Linux landlock?   git.tukaani.org/?p=xz.git... · Posted by u/dhx
viraptor · 2 years ago
Should've said function call not library call. My bad. Basically if you already have the linux/landlock.h, that should provide everything you need to do without explicit references to SYS...
raimue · 2 years ago
Now we are running in circles. As you see in the git commit, the compile check was added because the existance of linux/landlock.h alone was not enough to check that the feature can be used.

This header defines the data types for the Linux kernel interface, but not how the syscall landlock_create_ruleset(2) will be issued. That is provided by libc either as a separate wrapper function (does not exist in glibc) or the implementation needs to use syscall(SYS_landlock_create_ruleset, ...), with the constant also being provided by libc. That is how it works for all syscalls and you won't be able to change this.

raimue commented on Xz: Can you spot the single character that disabled Linux landlock?   git.tukaani.org/?p=xz.git... · Posted by u/dhx
viraptor · 2 years ago
I'd say this MR is a bad approach in general. The headers say what interfaces are known, not what features are available. You should be able to compile with landlock support on a system which doesn't enable it. Same situation as seccomp and others. Your build machine doesn't have to match the capabilities of the target runner.

But yeah, to test it, you can have a mock version of landlock which responds with the error/success as you want, regardless of what the system would normally do. It relies on the test not being sabotaged too though...

raimue · 2 years ago
Read the code of the check again. It mostly checks that the required SYS_* constants are defined to be able to use the syscalls. You can compile this on a system that does not have landlock enabled in the running kernel, but the libc (which imports the kernel system call interface) has to provide the syscall numbers.
Posted by u/raimue 2 years ago
Show HN: Flaticron – mail notifications for pending Flatpak updatesgithub.com/raimue/flaticr...
Posted by u/raimue 2 years ago
A new Copilot key to kick off the year of AI-powered Windows PCsblogs.windows.com/windows...
Posted by u/raimue 2 years ago
Apollo 11 vs. USB-C Chargers (2020)forrestheller.com/Apollo-...
raimue commented on Reproducible Git Bundles   baecher.dev/stdout/reprod... · Posted by u/pbhn
raimue · 2 years ago
The question is whether you can expect this format to stay stable and reproducible across git versions. Remember the fallout from git 2.38 when the output of 'git archive' changed. Although for this backup use case it would just mean the next backup with a new format would make a full copy once.
Posted by u/raimue 2 years ago
Antarctic research base Vostok local timemm.icann.org/pipermail/tz...
Posted by u/raimue 2 years ago
A story of Docker, QEMU, and memfd_create()raimue.blog/2023/11/23/a-...
raimue commented on Apple unveils M3, M3 Pro, and M3 Max   apple.com/newsroom/2023/1... · Posted by u/ehPReth
s3p · 2 years ago
A Mac can also be called a personal computer if i'm not mistaken
raimue · 2 years ago
In the 2000s, Apple ran a big campaign with the phrase "I'm a Mac - I'm a PC" to highlight the difference.
r

u/raimue

KarmaCake day2608November 10, 2012
About
https://hachyderm.io/@raimue

https://twitter.com/raimue

https://github.com/raimue

https://raimue.blog/

View Original