From aa5326edf99719d53a0b8f3602b9848936b5c5e5 Mon Sep 17 00:00:00 2001
From: CismonX
Date: Tue, 14 Jan 2025 19:45:22 +0800
Subject: [PATCH] sandbox: fix landlock rule fd close
---
 src/sandbox.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/sandbox.c b/src/sandbox.c
index 994c7d9..b8078a6 100644
--- a/src/sandbox.c
+++ b/src/sandbox.c
@@ -269,6 +269,7 @@ sandbox_enter (
 if (flags & SANDBOX_NO_LANDLOCK) {
 goto apply_seccomp;
 }
+ status = -1;
 #ifdef BOOKMARKFS_SANDBOX_LANDLOCK
 int ruleset_version = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
@@ -326,21 +327,25 @@ sandbox_enter (
 log_printf("landlock_restrict_self(): %s", xstrerror(errno));
 goto free_ruleset;
 }
+ status = 0;
+
+ free_ruleset:
+ close(lrfd);
+
 #else
 log_printf("landlock is not supported on this build");
- status = -1;
- goto free_sfctx;
 #endif /* defined(BOOKMARKFS_SANDBOX_LANDLOCK) */
+ if (status < 0) {
+ goto free_sfctx;
+ }
+
 apply_seccomp:
 status = seccomp_load(sfctx);
 if (unlikely(status != 0)) {
 log_printf("seccomp_load(): %s", xstrerror(-status));
 }
- free_ruleset:
- close(lrfd);
-
 free_sfctx:
 seccomp_release(sfctx);
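Review bot: The added `status = -1;` in the first hunk (@@ -269,6 +269,7 @@) carries an invariant that is not written down: every landlock error path that jumps to `free_ruleset` or `free_sfctx` now depends on status still being negative when it reaches the `if (status < 0)` check added in the second hunk. A comment above the assignment, for example `/* fail closed: landlock error paths below must leave status negative */`, would keep a later edit in the lines between the two hunks (not visible here) from reassigning status and turning a failed landlock setup into a silent success. The body of sandbox_enter starts and ends outside the hunk.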
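Review bot: The new guard `if (status < 0)` ahead of `apply_seccomp:` in the second hunk (@@ -326,21 +327,25 @@) is narrower than the `status != 0` test applied to seccomp_load() a few lines below it. A positive value left in status would pass the guard and then be overwritten by `status = seccomp_load(sfctx);`, so the landlock result would be lost and the caller would see only the seccomp outcome. Whether anything between the two hunks can store a non-negative error in status cannot be confirmed from the visible lines; writing the guard as `if (status != 0) { goto free_sfctx; }` would make the function fail closed either way and match the check below. The enclosing function continues past the end of the hunk.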