Open
Labels: enhancement (New feature or request)
Description
Some handlers may require access to /tmp in order to work in temporary files (e.g. a handler performing intermediate decryption or decompression).
Right now this is blocked by our landlock policy.
Ideally, we would add a tmp_dir to ExtractionConfig. This temporary directory would be created when unblob is launched and safely deleted at the end of the extraction run.
This way, we can extend the policy this way:
diff --git a/python/unblob/sandbox.py b/python/unblob/sandbox.py
index 61b02b0..689800f 100644
--- a/python/unblob/sandbox.py
+++ b/python/unblob/sandbox.py
@@ -49,6 +49,12 @@ class Sandbox:
AccessFS.read("/"),
# Multiprocessing
AccessFS.read_write("/dev/shm"), # noqa: S108
+ # Temporary directory
+ AccessFS.read_write(config.tmp_dir),
+ AccessFS.remove_dir(config.tmp_dir),
+ AccessFS.remove_file(config.tmp_dir),
+ AccessFS.make_dir(config.tmp_dir.parent),
+ AccessFS.remove_dir(config.tmp_dir.parent),
# Extracted contents
AccessFS.read_write(config.extract_root),
AccessFS.remove_dir(config.extract_root),
One open question is how we could expose that temporary directory to handlers. If it's not possible without introducing breaking changes, we can also choose to work within /tmp.
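
Review bot: the two rules on config.tmp_dir.parent (make_dir and remove_dir) reach further than the directory this change is meant to open up. Landlock rules cover the whole hierarchy beneath the given path, so if tmp_dir sits directly under /tmp, the sandboxed process can create and remove directories anywhere in /tmp, not only its own. Since the description says the directory is created when unblob is launched, consider creating it before the sandbox is applied and dropping AccessFS.make_dir(config.tmp_dir.parent), and placing tmp_dir under a dedicated parent so the remaining remove_dir grant stays narrow. A short comment explaining why the parent needs remove_dir would also help, since "# Temporary directory" does not say.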
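
One possible answer to the open question above, as an added example that is not unblob's code: create a private per-run directory and make it the process-wide default for `tempfile`, so handlers that already use `tempfile` land in it without an API change. The names `run_scoped_tmp_dir` and `handler_scratch_write` are hypothetical, and the sketch assumes handlers rely on `tempfile` or `TMPDIR` rather than hard-coding /tmp.

```python
import contextlib
import os
import shutil
import tempfile
from pathlib import Path


@contextlib.contextmanager
def run_scoped_tmp_dir(prefix="unblob-"):
    """Hypothetical helper: private temp dir for one extraction run."""
    saved_default = tempfile.tempdir
    saved_env = os.environ.get("TMPDIR")
    # mkdtemp creates the directory with mode 0o700 and an unpredictable name.
    tmp_dir = Path(tempfile.mkdtemp(prefix=prefix)).resolve()
    tempfile.tempdir = str(tmp_dir)      # default for tempfile.* in this process
    os.environ["TMPDIR"] = str(tmp_dir)  # inherited by workers and subprocesses
    try:
        yield tmp_dir
    finally:
        # Restore the previous defaults, then delete everything left behind.
        tempfile.tempdir = saved_default
        if saved_env is None:
            os.environ.pop("TMPDIR", None)
        else:
            os.environ["TMPDIR"] = saved_env
        shutil.rmtree(tmp_dir, ignore_errors=True)


def handler_scratch_write(data: bytes) -> Path:
    """Stand-in for a handler that needs scratch space (e.g. decompression)."""
    with tempfile.NamedTemporaryFile(delete=False) as scratch:
        scratch.write(data)
    return Path(scratch.name).resolve()


def demo():
    with run_scoped_tmp_dir() as tmp_dir:
        scratch = handler_scratch_write(b"constructed sample bytes")
        inside = tmp_dir in scratch.parents
        mode = tmp_dir.stat().st_mode & 0o777
    # After the block, the directory and the scratch file are gone.
    return inside, mode, tmp_dir.exists()


if __name__ == "__main__":
    print(demo())
```

The yielded path is what a sandbox policy would be given as the temporary directory; the cleanup in `finally` still needs the remove rights on that path to be allowed.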