From 61f918052d1c22bf610ffdae033470f390015fef Mon Sep 17 00:00:00 2001
From: Morten Linderud
Date: Wed, 31 Jul 2024 16:16:07 +0200
Subject: [PATCH] create-keys: ensure we have access to /var/lib
Signed-off-by: Morten Linderud
---
 cmd/sbctl/create-keys.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/cmd/sbctl/create-keys.go b/cmd/sbctl/create-keys.go
index 5069ba7..40515bd 100644
--- a/cmd/sbctl/create-keys.go
+++ b/cmd/sbctl/create-keys.go
@@ -3,12 +3,14 @@ package main
 import (
 "fmt"
 "path"
+ "path/filepath"
 "github.com/foxboron/sbctl"
 "github.com/foxboron/sbctl/backend"
 "github.com/foxboron/sbctl/config"
 "github.com/foxboron/sbctl/logging"
 "github.com/foxboron/sbctl/lsm"
+ "github.com/landlock-lsm/go-landlock/landlock"
 "github.com/spf13/cobra"
 )
@@ -30,6 +32,9 @@ var createKeysCmd = &cobra.Command{
 func RunCreateKeys(state *config.State) error {
 if state.Config.Landlock {
+ lsm.RestrictAdditionalPaths(
+ landlock.RWDirs(filepath.Dir(filepath.Dir(filepath.Clean(state.Config.Keydir)))),
+ )
 if err := lsm.Restrict(); err != nil {
 return err
 }
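Review bot: The rule added in RunCreateKeys grants read-write on the grandparent of `state.Config.Keydir`, which is `/var/lib` only for the default key location, and nothing in the hunk checks what the two `filepath.Dir` calls actually produce. With a one- or two-component absolute Keydir the result is `/`, and with an empty or relative value it is `.`, so the Landlock ruleset would then allow writes across the whole filesystem or the working directory and the restriction no longer confines anything. I would bind the value first, `base := filepath.Dir(filepath.Dir(filepath.Clean(state.Config.Keydir)))`, reject degenerate results with `if base == "/" || !filepath.IsAbs(base) { return fmt.Errorf("keydir %q is too shallow to sandbox", state.Config.Keydir) }`, and add a comment explaining why access two levels above the key directory is required. Whether Keydir is validated elsewhere is not visible here, and the function body continues past the end of the hunk.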