fix: add user-configured allowRead paths to Landlock ruleset #8

Merged
tito merged 1 commit into main from fix/landlock-allowread-paths
Mar 12, 2026

@tito commented Mar 12, 2026

Summary

  • ApplyLandlockFromConfig was not processing cfg.Filesystem.AllowRead paths, only hardcoded system/tooling paths and AllowWrite paths
  • Since Landlock is deny-by-default, any user-configured allowRead path (e.g. ~/.gitconfig) was blocked despite bwrap mounting it correctly as --ro-bind
  • Added AllowRead processing mirroring the existing AllowWrite pattern, with glob expansion and direct path support

Closes #6

Test plan

  • Run greywall --debug with allowRead: ["~/.gitconfig"] and denyWrite: ["~/.gitconfig"] in config; verify ~/.gitconfig appears in Landlock rules output
  • Run git log inside sandbox; verify no Permission denied on .gitconfig
  • Run make test to verify no regressions

ApplyLandlockFromConfig was not processing cfg.Filesystem.AllowRead
paths, causing them to be blocked by Landlock despite bwrap mounting
them correctly as read-only. This made files like ~/.gitconfig
inaccessible inside the sandbox when using DefaultDenyRead mode.

Closes #6

@tito merged commit 3925d67 into main Mar 12, 2026
4 checks passed
@tito deleted the fix/landlock-allowread-paths branch March 12, 2026 21:35
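
Added example, not part of this PR or of greywall's code: a sketch of building a deny-by-default path ruleset from both allowRead and allowWrite lists, with `~/` expansion, glob expansion and direct path support as the summary describes. The names `expand` and `BuildRules` and the "ro"/"rw" labels are hypothetical, and the sketch only computes the rule set; it does not call the Landlock syscalls.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// expand resolves a leading "~/" against home, then returns glob matches, or
// the path itself when it has no glob characters and exists on disk.
func expand(pattern, home string) []string {
	if strings.HasPrefix(pattern, "~/") {
		pattern = filepath.Join(home, pattern[2:])
	}
	if strings.ContainsAny(pattern, "*?[") {
		matches, _ := filepath.Glob(pattern) // a malformed pattern grants nothing
		return matches
	}
	if _, err := os.Lstat(pattern); err != nil {
		return nil // a rule can only be added for a path that exists
	}
	return []string{pattern}
}

// BuildRules maps each granted path to "ro" or "rw" (hypothetical labels).
// Any path absent from the map stays denied: that is deny-by-default.
func BuildRules(allowRead, allowWrite []string, home string) map[string]string {
	rules := map[string]string{}
	for _, p := range allowRead {
		for _, m := range expand(p, home) {
			rules[m] = "ro"
		}
	}
	for _, p := range allowWrite {
		for _, m := range expand(p, home) {
			rules[m] = "rw" // assumption of this sketch: a write grant wins
		}
	}
	return rules
}

func main() {
	home, _ := os.MkdirTemp("", "home") // constructed sample home directory
	defer os.RemoveAll(home)
	os.WriteFile(filepath.Join(home, ".gitconfig"), nil, 0o600)
	for path, mode := range BuildRules([]string{"~/.gitconfig"}, nil, home) {
		fmt.Println(mode, path)
	}
}
```

Passing `nil` for the allowRead list reproduces the behaviour the PR describes before the fix: the path is mounted by the outer layer but has no rule, so access is denied.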
Development

Successfully merging this pull request may close these issues.

Landlock wrapper ignores user-configured allowRead paths