[landlock] Allow read access for random content (#26510)

When attempting to clone a git repository within a sandbox that is configured with landlock, the clone will fail with error messages related to inability to get random bytes for a temporary file. Including a read rule for `/dev/urandom` resolves the error and the git clone works as expected.
2026-01-01 16:05:42 +03:00 · 2025-08-22 14:04:55 -07:00
parent 767683ce3e
commit 33a72c2d01
2 changed files with 14 additions and 1 deletions
--- a/client/allocrunner/taskrunner/getter/util_linux.go
+++ b/client/allocrunner/taskrunner/getter/util_linux.go
@@ -89,6 +89,7 @@ func additionalFilesForVCS() []*landlock.Path {
 		gitGlobalFile  = "/etc/gitconfig"           // https://git-scm.com/docs/git-config#SCOPES
 		hgGlobalFile   = "/etc/mercurial/hgrc"      // https://www.mercurial-scm.org/doc/hgrc.5.html#files
 		hgGlobalDir    = "/etc/mercurial/hgrc.d"    // https://www.mercurial-scm.org/doc/hgrc.5.html#files
+		urandom        = "/dev/urandom"             // git
 	)
 	return filesForVCS(
 		homeSSHDir,
@@ -98,6 +99,7 @@ func additionalFilesForVCS() []*landlock.Path {
 		gitGlobalFile,
 		hgGlobalFile,
 		hgGlobalDir,
+		urandom,
 	)
 }

@@ -108,7 +110,8 @@ func filesForVCS(
 	etcKnownHosts,
 	gitGlobalFile,
 	hgGlobalFile,
-	hgGlobalDir string) []*landlock.Path {
+	hgGlobalDir,
+	urandom string) []*landlock.Path {

 	// omit ssh if there is no home directory
 	home := findHomeDir()
@@ -143,5 +146,8 @@ func filesForVCS(
 	if exists(hgGlobalDir) {
 		result = append(result, landlock.Dir(hgGlobalDir, "r"))
 	}
+	if exists(urandom) {
+		result = append(result, landlock.File(urandom, "r"))
+	}
 	return result
 }
--- a/client/allocrunner/taskrunner/getter/util_linux_test.go
+++ b/client/allocrunner/taskrunner/getter/util_linux_test.go
@@ -23,6 +23,7 @@ func TestUtil_loadVersionControlGlobalConfigs(t *testing.T) {

 	fakeEtc := t.TempDir()
 	fakeHome := t.TempDir()
+	fakeDev := t.TempDir()

 	homedir.DisableCache = true
 	t.Cleanup(func() {
@@ -44,6 +45,7 @@ func TestUtil_loadVersionControlGlobalConfigs(t *testing.T) {
 		etcKnownHosts  = filepath.Join(fakeEtc, "ssh/ssh_known_hosts")
 		sshDir         = filepath.Join(fakeHome, homeSSH)
 		knownHostsFile = filepath.Join(fakeHome, homeKnownHosts)
+		urandom        = filepath.Join(fakeDev, "urandom")
 	)

 	err := os.WriteFile(gitConfig, []byte("git"), filePerm)
@@ -70,6 +72,9 @@ func TestUtil_loadVersionControlGlobalConfigs(t *testing.T) {
 	err = os.WriteFile(knownHostsFile, []byte("home known hosts"), filePerm)
 	must.NoError(t, err)

+	err = os.WriteFile(urandom, []byte("urandom"), filePerm)
+	must.NoError(t, err)
+
 	paths := filesForVCS(
 		homeSSH,
 		homeKnownHosts,
@@ -78,6 +83,7 @@ func TestUtil_loadVersionControlGlobalConfigs(t *testing.T) {
 		gitConfig,
 		hgFile,
 		hgDir,
+		urandom,
 	)
 	must.SliceEqual(t, []*landlock.Path{
 		landlock.Dir(sshDir, "r"),
@@ -87,5 +93,6 @@ func TestUtil_loadVersionControlGlobalConfigs(t *testing.T) {
 		landlock.File(gitConfig, "r"),
 		landlock.File(hgFile, "r"),
 		landlock.Dir(hgDir, "r"),
+		landlock.File(urandom, "r"),
 	}, paths)
 }