landlock: Grant permission for artefact handling

pjbgf · pjbgf · commit 6e45ac8cb1c9 · 2025-10-28T19:48:08.000Z
When downloading artefacts from an image using Docker Buildx, slsactl
requires write access to ~/.docker/buildx. Without this change the command
slsactl download provenance may fail with:

failed to run download: open /home/levi/.docker/buildx/.lock: permission denied

Signed-off-by: Paulo Gomes &lt;paulo.gomes@suse.com&gt;
diff --git a/internal/landlock/landlock.go b/internal/landlock/landlock.go
@@ -38,7 +38,8 @@ func EnforceOrDie() {
 	}
 
 	rwDirs := []string{
-		filepath.Join(home, ".sigstore"), // Sigstore TUF DB.
+		filepath.Join(home, ".sigstore"),         // Sigstore TUF DB.
+		filepath.Join(home, ".docker", "buildx"), // Image artefacts handling.
 	}
 
 	cwd, err := os.Getwd()

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,8 @@ func EnforceOrDie() {`
`38`	`38`	`}`
`39`	`39`
`40`	`40`	`rwDirs := []string{`
`41`		`- filepath.Join(home, ".sigstore"), // Sigstore TUF DB.`
	`41`	`+ filepath.Join(home, ".sigstore"), // Sigstore TUF DB.`
	`42`	`+ filepath.Join(home, ".docker", "buildx"), // Image artefacts handling.`
`42`	`43`	`}`
`43`	`44`
`44`	`45`	`cwd, err := os.Getwd()`