From 33a72c2d01ebfac50e60dfb60e8b5deea9d03911 Mon Sep 17 00:00:00 2001 From: Chris Roberts Date: Fri, 22 Aug 2025 14:04:55 -0700 Subject: [PATCH] [landlock] Allow read access for random content (#26510) When attempting to clone a git repository within a sandbox that is configured with landlock, the clone will fail with error messages related to inability to get random bytes for a temporary file. Including a read rule for `/dev/urandom` resolves the error and the git clone works as expected. --- client/allocrunner/taskrunner/getter/util_linux.go | 8 +++++++- client/allocrunner/taskrunner/getter/util_linux_test.go | 7 +++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/client/allocrunner/taskrunner/getter/util_linux.go b/client/allocrunner/taskrunner/getter/util_linux.go index e79a1ec4f..6934f81f7 100644 --- a/client/allocrunner/taskrunner/getter/util_linux.go +++ b/client/allocrunner/taskrunner/getter/util_linux.go @@ -89,6 +89,7 @@ func additionalFilesForVCS() []*landlock.Path { gitGlobalFile = "/etc/gitconfig" // https://git-scm.com/docs/git-config#SCOPES hgGlobalFile = "/etc/mercurial/hgrc" // https://www.mercurial-scm.org/doc/hgrc.5.html#files hgGlobalDir = "/etc/mercurial/hgrc.d" // https://www.mercurial-scm.org/doc/hgrc.5.html#files + urandom = "/dev/urandom" // git ) return filesForVCS( homeSSHDir, @@ -98,6 +99,7 @@ func additionalFilesForVCS() []*landlock.Path { gitGlobalFile, hgGlobalFile, hgGlobalDir, + urandom, ) } @@ -108,7 +110,8 @@ func filesForVCS( etcKnownHosts, gitGlobalFile, hgGlobalFile, - hgGlobalDir string) []*landlock.Path { + hgGlobalDir, + urandom string) []*landlock.Path { // omit ssh if there is no home directory home := findHomeDir() @@ -143,5 +146,8 @@ func filesForVCS( if exists(hgGlobalDir) { result = append(result, landlock.Dir(hgGlobalDir, "r")) } + if exists(urandom) { + result = append(result, landlock.File(urandom, "r")) + } return result } diff --git a/client/allocrunner/taskrunner/getter/util_linux_test.go b/client/allocrunner/taskrunner/getter/util_linux_test.go index 7dc01ca34..d4c68e984 100644 --- a/client/allocrunner/taskrunner/getter/util_linux_test.go +++ b/client/allocrunner/taskrunner/getter/util_linux_test.go @@ -23,6 +23,7 @@ func TestUtil_loadVersionControlGlobalConfigs(t *testing.T) { fakeEtc := t.TempDir() fakeHome := t.TempDir() + fakeDev := t.TempDir() homedir.DisableCache = true t.Cleanup(func() { @@ -44,6 +45,7 @@ func TestUtil_loadVersionControlGlobalConfigs(t *testing.T) { etcKnownHosts = filepath.Join(fakeEtc, "ssh/ssh_known_hosts") sshDir = filepath.Join(fakeHome, homeSSH) knownHostsFile = filepath.Join(fakeHome, homeKnownHosts) + urandom = filepath.Join(fakeDev, "urandom") ) err := os.WriteFile(gitConfig, []byte("git"), filePerm) @@ -70,6 +72,9 @@ func TestUtil_loadVersionControlGlobalConfigs(t *testing.T) { err = os.WriteFile(knownHostsFile, []byte("home known hosts"), filePerm) must.NoError(t, err) + err = os.WriteFile(urandom, []byte("urandom"), filePerm) + must.NoError(t, err) + paths := filesForVCS( homeSSH, homeKnownHosts, @@ -78,6 +83,7 @@ func TestUtil_loadVersionControlGlobalConfigs(t *testing.T) { gitConfig, hgFile, hgDir, + urandom, ) must.SliceEqual(t, []*landlock.Path{ landlock.Dir(sshDir, "r"), @@ -87,5 +93,6 @@ func TestUtil_loadVersionControlGlobalConfigs(t *testing.T) { landlock.File(gitConfig, "r"), landlock.File(hgFile, "r"), landlock.Dir(hgDir, "r"), + landlock.File(urandom, "r"), }, paths) }