authorMike Gilbert <floppym@gentoo.org>2021-06-08 11:08:54 -0400
committerMichał Górny <mgorny@gentoo.org>2021-09-07 17:31:07 +0200
commit96374d9bff64bcee64340f6572cca9f1cc3f696d (patch)
tree2e06ff8f1fbb2ae635a2798dc91c36cc7d3e429c
parentconfigure.ac: release 2.24 (diff)
libsandbox: adjust hard-coded denial for /var/log/sandbox
Move this hack after the read checks, but before the write checks. This allows processes to read the log directory, but not write to it. This is helpful in case a process does something like this: find /var/log -name system.journal Bug: https://bugs.gentoo.org/794949 Signed-off-by: Mike Gilbert <floppym@gentoo.org> Closes: https://bugs.gentoo.org/794949 Signed-off-by: Michał Górny <mgorny@gentoo.org>
-rw-r--r--libsandbox/libsandbox.c18
1 files changed, 9 insertions, 9 deletions
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index 3d55dd7..758c0dc 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -714,15 +714,6 @@ static int check_access(sbcontext_t *sbcontext, int sb_nr, const char *func,
goto out;
}
- /* Hardcode denying write to the whole log dir. While this is a
- * parial match and so rejects paths that also start with this
- * string, that isn't going to happen in real life so live with
- * it. We can't append a slash to this path either as that would
- * allow people to open the dir itself for writing.
- */
- if (!strncmp(resolv_path, SANDBOX_LOG_LOCATION, strlen(SANDBOX_LOG_LOCATION)))
- goto out;
-
if (sbcontext->read_prefixes &&
(sb_nr == SB_NR_ACCESS_RD ||
sb_nr == SB_NR_OPEN_RD ||
@@ -754,6 +745,15 @@ static int check_access(sbcontext_t *sbcontext, int sb_nr, const char *func,
}
}
+ /* Hardcode denying write to the whole log dir. While this is a
+ * parial match and so rejects paths that also start with this
+ * string, that isn't going to happen in real life so live with
+ * it. We can't append a slash to this path either as that would
+ * allow people to open the dir itself for writing.
+ */
+ if (!strncmp(resolv_path, SANDBOX_LOG_LOCATION, strlen(SANDBOX_LOG_LOCATION)))
+ goto out;
+
if (sb_nr == SB_NR_ACCESS_WR ||
sb_nr == SB_NR_CHMOD ||
sb_nr == SB_NR_CHOWN ||
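Review bot: The relocated comment starting `/* Hardcode denying write to the whole log dir.` does not record that the check's position is now what makes it write-only: the `strncmp()` test never looks at `sb_nr`, so it denies whatever request reaches it, and only its placement after the `read_prefixes` block and before the `SB_NR_ACCESS_WR` group lets reads through while still blocking writes. I would add a line such as `* Keep this after the read-prefix checks and before the write checks: reads of the log dir may pass, nothing else may.` so a later reorder does not quietly weaken the denial. Reads are presumably still permitted only when the path matches a read prefix, which the commit message does not spell out. While the comment is being touched, `parial` should read `partial`, and the over-match it describes could be closed by also requiring `resolv_path[len] == '\0' || resolv_path[len] == '/'` after the prefix compare. check_access() starts and ends outside this hunk, so the result returned at `out` is not visible here.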