From 3799f9ee5b01bbad2448d7446d2d18e54f1bf84c Mon Sep 17 00:00:00 2001 From: valoq Date: Sun, 29 Jun 2025 13:26:10 +0200 Subject: [PATCH] fix edge cases --- src/commands/decompress.rs | 5 +++++ src/commands/list.rs | 5 ++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/src/commands/decompress.rs b/src/commands/decompress.rs index bbfc0ef..ef11dd7 100644 --- a/src/commands/decompress.rs +++ b/src/commands/decompress.rs @@ -319,6 +319,8 @@ fn execute_decompression( ) -> crate::Result> { // init landlock sandbox to restrict file system write access to output_dir + // The output directory iseither specified with the -d option or the current working directory is used + // TODO: restrict acess to the current working directory to allow only creating new files landlock::init_sandbox(Some(output_dir)); if is_smart_unpack { @@ -384,6 +386,9 @@ fn smart_unpack( nice_directory_display(temp_dir_path) )); + //first attempt to restict to the tmp file and allow only to rename it in the parent + //landlock::init_sandbox(Some(temp_dir_path)); + let files = unpack_fn(temp_dir_path)?; let root_contains_only_one_element = fs::read_dir(temp_dir_path)?.take(2).count() == 1; diff --git a/src/commands/list.rs b/src/commands/list.rs index 5042958..1b43c9b 100644 --- a/src/commands/list.rs +++ b/src/commands/list.rs @@ -25,9 +25,8 @@ pub fn list_archive_contents( password: Option<&[u8]>, ) -> crate::Result<()> { - // Initialize landlock sandbox with empty write path - // This allows only read access to the filesystem - landlock::init_sandbox(None); + // Initialize landlock sandbox with write access restricted to /tmp as required by some formats + landlock::init_sandbox(Some(Path::new("/tmp"))); let reader = fs::File::open(archive_path)?;
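Review bot: The two comment lines added above `landlock::init_sandbox(Some(output_dir));` carry typos — `iseither` and `acess` — in text that anyone auditing the sandbox boundary will read, so fix them before merge: `// The output directory is either specified with the -d option or the current working directory is used` and `// TODO: restrict access to the current working directory to allow only creating new files`. The TODO's goal may also be hard to express with Landlock alone, since opening a newly created file for writing presumably needs the same write-file access right that permits writing to existing files; if that turns out to be the case, record it in the TODO so the next person does not retry the same approach. execute_decompression starts before this hunk and continues after it.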
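Review bot: The new lines `//first attempt to restict to the tmp file and allow only to rename it in the parent` and `//landlock::init_sandbox(Some(temp_dir_path));` are commented-out code and should not land in the tree; either delete them or replace them with a TODO that records why the narrower sandbox was abandoned. A plausible reason, to be confirmed against the landlock module, is that Landlock rulesets stack as intersections, so a second init_sandbox on temp_dir_path after the one already applied on output_dir would stop smart_unpack from later moving the unpacked content into output_dir. Writing that down (`// TODO: a second Landlock layer on temp_dir_path would block the final move into output_dir; sandboxing stays at output_dir granularity`) is more useful to the next maintainer than a dead call. smart_unpack's body starts before this hunk and continues after it.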
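Review bot: Replacing `landlock::init_sandbox(None)` with `landlock::init_sandbox(Some(Path::new("/tmp")))` widens a listing operation from read-only to writable on a world-shared directory, yet the justification `as required by some formats` names neither the format nor the code path that writes to /tmp, so a reviewer cannot check that the widening is actually needed. Name both in the comment, e.g. `// Listing <format> archives extracts to a temp dir, so Landlock must allow writes there`. Hardcoding `/tmp` also diverges from whatever the temp-file code actually uses: if it resolves `std::env::temp_dir()` (which honours TMPDIR), the write will be blocked by the sandbox wherever TMPDIR points elsewhere, so consider deriving the sandbox path the same way, e.g. `let tmp = std::env::temp_dir(); landlock::init_sandbox(Some(tmp.as_path()));`. The hunk shows no `use std::path::Path;` being added, so confirm `Path` is already in scope in list.rs. list_archive_contents continues after this hunk.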