Grant full access to /proc/self on Linux for process substitution

Richard Feldman created

Bash process substitution (e.g. <(command)) creates FIFOs under
/proc/self/fd/ that need write access. Change from fs_read() to fs_all()
so these FIFOs can be written to by the shell.

Change summary

crates/sandbox/src/sandbox_linux.rs | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Detailed changes

crates/sandbox/src/sandbox_linux.rs

@@ -125,7 +125,7 @@ pub fn apply_sandbox(config: &SandboxConfig) -> Result<()> {
         }
         let proc_self = Path::new("/proc/self");
         if proc_self.exists() {
-            ruleset = add_path_rule(ruleset, proc_self, fs_read())
+            ruleset = add_path_rule(ruleset, proc_self, fs_all())
                 .map_err(|e| Error::other(format!("landlock /proc/self rule: {e}")))?;
         }
     }
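
Review bot: fs_all() on the whole of /proc/self at the `+` line is broader than the need the commit message states, which is write access to the FIFOs under /proc/self/fd/. Consider keeping fs_read() on /proc/self and adding a separate rule for /proc/self/fd that grants only read plus write, so the sandboxed process does not also receive whatever else fs_all() includes on every other entry under /proc/self. If the wider grant is intentional, a comment above `add_path_rule(ruleset, proc_self, fs_all())` naming process substitution as the reason would stop a later reader from reverting it to fs_read() or from copying full access to other paths. A test that runs a `<(command)` substitution under the sandbox would pin the behaviour this change is meant to restore.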