From 206236039ccd78e86b3c84278729cd4974a85848 Mon Sep 17 00:00:00 2001
From: astudentofblake <66838296+astudentofblake@users.noreply.github.com>
Date: Thu, 20 Apr 2023 17:16:04 +0100
Subject: [PATCH] fix: added landlock access to /usr/libexec for getter
 (#16900)

---
 .changelog/16900.txt                               | 3 +++
 client/allocrunner/taskrunner/getter/util_linux.go | 1 +
 2 files changed, 4 insertions(+)
 create mode 100644 .changelog/16900.txt

diff --git a/.changelog/16900.txt b/.changelog/16900.txt
new file mode 100644
index 000000000..d705b0101
--- /dev/null
+++ b/.changelog/16900.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+fix: Added "/usr/libexec" to the landlocked directories the getter has access to
+```
diff --git a/client/allocrunner/taskrunner/getter/util_linux.go b/client/allocrunner/taskrunner/getter/util_linux.go
index a45e2999c..af7d63caf 100644
--- a/client/allocrunner/taskrunner/getter/util_linux.go
+++ b/client/allocrunner/taskrunner/getter/util_linux.go
@@ -63,6 +63,7 @@ func lockdown(allocDir, taskDir string) error {
 		landlock.Dir("/bin", "rx"),
 		landlock.Dir("/usr/bin", "rx"),
 		landlock.Dir("/usr/local/bin", "rx"),
+		landlock.Dir("/usr/libexec", "rx"),
 		landlock.Dir(allocDir, "rwc"),
 		landlock.Dir(taskDir, "rwc"),
 	}