author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2024-02-01 23:21:26 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2024-02-02 19:37:06 -0300 |
commit | f70ffbe76cd06c03442132f06d503846a415f24c (patch) | |
tree | f48b2cf278c3b60717ca9ff3b9c3dd26ab2c7ef2 | |
parent | crawl.profile: allow lua (#6182) (diff) | |
landlock: split .special into .makeipc and .makedev
As discussed with @topimiettinen[1], it is unlikely that an unprivileged
process would need to directly create block or character devices. Also,
`landlock.special` is not very descriptive of what it allows.
So split `landlock.special` into:
* `landlock.makeipc`: allow creating named pipes and sockets (which are
usually used for inter-process communication)
* `landlock.makedev`: allow creating block and character devices
Misc: The `makedev` name is based on `nodev` from mount(8), which makes
mount not interpret block and character devices. `ipc` was suggested by
@rusty-snake[2].
Relates to #6078.
[1] https://github.com/netblue30/firejail/pull/6078#pullrequestreview-1740569786
[2] https://github.com/netblue30/firejail/pull/6187#issuecomment-1924107294
-rw-r--r-- | contrib/syntax/lists/profile_commands_arg1.list | 3 | ||||
-rw-r--r-- | etc/inc/landlock-common.inc | 2 | ||||
-rw-r--r-- | etc/templates/profile.template | 3 | ||||
-rw-r--r-- | src/bash_completion/firejail.bash_completion.in | 6 | ||||
-rw-r--r-- | src/firejail/firejail.h | 7 | ||||
-rw-r--r-- | src/firejail/landlock.c | 15 | ||||
-rw-r--r-- | src/firejail/main.c | 6 | ||||
-rw-r--r-- | src/firejail/profile.c | 8 | ||||
-rw-r--r-- | src/firejail/usage.c | 3 | ||||
-rw-r--r-- | src/man/firejail-profile.5.in | 11 | ||||
-rw-r--r-- | src/man/firejail.1.in | 11 | ||||
-rw-r--r-- | src/zsh_completion/_firejail.in | 3 |
12 files changed, 55 insertions, 23 deletions
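--- a/contrib/syntax/lists/profile_commands_arg1.list
+++ b/contrib/syntax/lists/profile_commands_arg1.list
@@ -30,8 +30,9 @@ iprange
 join-or-start
 keep-fd
 landlock.execute
+landlock.makedev
+landlock.makeipc
 landlock.read
-landlock.special
 landlock.write
 mac
 mkdir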
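--- a/etc/inc/landlock-common.inc
+++ b/etc/inc/landlock-common.inc
@@ -4,7 +4,7 @@ include landlock-common.local
 
 landlock.read / # whole system read
 landlock.read /proc
-landlock.special / # sockets etc.
+landlock.makeipc / # sockets etc.
 
 # write access
 landlock.write ${HOME}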
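--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -140,7 +140,8 @@ include globals.local
 # Landlock commands
 ##landlock.read PATH
 ##landlock.write PATH
-##landlock.special PATH
+##landlock.makeipc PATH
+##landlock.makedev PATH
 ##landlock.execute PATH
 #include landlock-common.inc
 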
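--- a/src/bash_completion/firejail.bash_completion.in
+++ b/src/bash_completion/firejail.bash_completion.in
@@ -53,7 +53,11 @@ _firejail()
 _filedir
 return 0
 ;;
---landlock.special)
+--landlock.makeipc)
+_filedir
+return 0
+;;
+--landlock.makedev)
 _filedir
 return 0
 ;;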
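--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -154,9 +154,10 @@ typedef struct landlock_entry_t {
 struct landlock_entry_t *next;
 #define LL_READ 0
 #define LL_WRITE 1
-#define LL_SPECIAL 2
-#define LL_EXEC 3
-#define LL_MAX 4
+#define LL_MAKEIPC 2
+#define LL_MAKEDEV 3
+#define LL_EXEC 4
+#define LL_MAX 5
 int type;
 char *data;
 } LandlockEntry;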
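Review bot: The new LL_MAKEIPC/LL_MAKEDEV values and the renumbered LL_EXEC/LL_MAX are positional indices into the fnc[] table built in ll_restrict() (second hunk of src/firejail/landlock.c, where ll_makedev is inserted at the matching position), and nothing next to the defines records that the two orderings must agree; the same coupling applies to that landlock.c hunk. A comment above LL_READ would make the invariant visible, e.g. `/* Index into fnc[] in ll_restrict(); keep this order and LL_MAX in sync with that table. */`. Since the values are consecutive, an enum would also let the compiler carry the ordering, but that is a style choice. The enclosing landlock_entry_t struct starts before this hunk.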
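--- a/src/firejail/landlock.c
+++ b/src/firejail/landlock.c
@@ -194,16 +194,22 @@ static void ll_write(const char *allowed_path) {
 ll_fs(allowed_path, allowed_access, __func__);
 }
 
-static void ll_special(const char *allowed_path) {
+static void ll_makeipc(const char *allowed_path) {
 __u64 allowed_access =
-LANDLOCK_ACCESS_FS_MAKE_BLOCK |
-LANDLOCK_ACCESS_FS_MAKE_CHAR |
 LANDLOCK_ACCESS_FS_MAKE_FIFO |
 LANDLOCK_ACCESS_FS_MAKE_SOCK;
 
 ll_fs(allowed_path, allowed_access, __func__);
 }
 
+static void ll_makedev(const char *allowed_path) {
+__u64 allowed_access =
+LANDLOCK_ACCESS_FS_MAKE_BLOCK |
+LANDLOCK_ACCESS_FS_MAKE_CHAR;
+
+ll_fs(allowed_path, allowed_access, __func__);
+}
+
 static void ll_exec(const char *allowed_path) {
 __u64 allowed_access =
 LANDLOCK_ACCESS_FS_EXECUTE;
@@ -223,7 +229,8 @@ int ll_restrict(uint32_t flags) {
 void (*fnc[])(const char *) = {
 ll_read,
 ll_write,
-ll_special,
+ll_makeipc,
+ll_makedev,
 ll_exec,
 NULL
 };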
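Review bot: ll_makeipc() and ll_makedev() in the first hunk carry no comment naming the Landlock rights they grant, and the only record of the split is the function name; because the removed ll_special() granted both sets, a one-line comment on each would stop the two from being merged back or confused later. Proposed, above ll_makeipc: `/* Allow creating named pipes (FIFOs) and Unix domain sockets beneath allowed_path. */`; above ll_makedev: `/* Allow creating block and character device nodes beneath allowed_path (deliberately not part of ll_makeipc). */`. Note that ll_fs() receives __func__ as its third argument in both, so the rename presumably also changes whatever label ll_fs() derives from it. ll_exec() at the end of the first hunk and ll_restrict() in the second continue outside the hunk.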
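--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1509,8 +1509,10 @@ int main(int argc, char **argv, char **envp) {
 ll_add_profile(LL_READ, argv[i] + 16);
 else if (strncmp(argv[i], "--landlock.write=", 17) == 0)
 ll_add_profile(LL_WRITE, argv[i] + 17);
-else if (strncmp(argv[i], "--landlock.special=", 19) == 0)
-ll_add_profile(LL_SPECIAL, argv[i] + 19);
+else if (strncmp(argv[i], "--landlock.makeipc=", 19) == 0)
+ll_add_profile(LL_MAKEIPC, argv[i] + 19);
+else if (strncmp(argv[i], "--landlock.makedev=", 19) == 0)
+ll_add_profile(LL_MAKEDEV, argv[i] + 19);
 else if (strncmp(argv[i], "--landlock.execute=", 19) == 0)
 ll_add_profile(LL_EXEC, argv[i] + 19);
 #endif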
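Review bot: The new `--landlock.makedev=` branch repeats the hand-counted prefix length 19 in both the strncmp() call and the `argv[i] + 19` offset, so a later rename of the option can silently desynchronise the two; the profile.c hunk has the same pattern with 17. Deriving the length from the literal removes the coupling, e.g. `else if (strncmp(argv[i], "--landlock.makedev=", sizeof "--landlock.makedev=" - 1) == 0)` followed by `ll_add_profile(LL_MAKEDEV, argv[i] + sizeof "--landlock.makedev=" - 1);`. This matches the surrounding lines, so it is a style point rather than a defect introduced here. main() starts and ends outside the hunk.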
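--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1086,8 +1086,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 ll_add_profile(LL_WRITE, ptr + 15);
 return 0;
 }
-if (strncmp(ptr, "landlock.special ", 17) == 0) {
-ll_add_profile(LL_SPECIAL, ptr + 17);
+if (strncmp(ptr, "landlock.makeipc ", 17) == 0) {
+ll_add_profile(LL_MAKEIPC, ptr + 17);
+return 0;
+}
+if (strncmp(ptr, "landlock.makedev ", 17) == 0) {
+ll_add_profile(LL_MAKEDEV, ptr + 17);
 return 0;
 }
 if (strncmp(ptr, "landlock.execute ", 17) == 0) {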
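Review bot: `landlock.special` is dropped from the parser without an alias or an explicit deprecation message, so any profile that still uses it (user .local files, downstream profiles) no longer matches here and presumably falls through to whatever the function does with an unrecognised command, which is outside the hunk. If the old keyword has already shipped in a release, consider keeping it for one cycle mapped to the less privileged half, e.g. `if (strncmp(ptr, "landlock.special ", 17) == 0) { ll_add_profile(LL_MAKEIPC, ptr + 17); return 0; }` together with a warning naming the new keywords, or reject it with a message that points at `landlock.makeipc`/`landlock.makedev`; the same applies to `--landlock.special=` in the main.c hunk. profile_check_line() continues outside the hunk.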
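--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -137,7 +137,8 @@ static const char *const usage_str =
 " --landlock.enforce - enforce the Landlock ruleset.\n"
 " --landlock.read=path - add a read access rule for the path to the Landlock ruleset.\n"
 " --landlock.write=path - add a write access rule for the path to the Landlock ruleset.\n"
-" --landlock.special=path - add an access rule for the path to the Landlock ruleset for creating block/char devices, named pipes and sockets.\n"
+" --landlock.makeipc=path - add an access rule for the path to the Landlock ruleset for creating named pipes and sockets.\n"
+" --landlock.makedev=path - add an access rule for the path to the Landlock ruleset for creating block/char devices.\n"
 " --landlock.execute=path - add an execute access rule for the path to the Landlock ruleset.\n"
 #endif
 " --list - list all sandboxes.\n"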
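--- a/src/man/firejail-profile.5.in
+++ b/src/man/firejail-profile.5.in
@@ -522,10 +522,15 @@ rule for path.
 Create a Landlock ruleset (if it doesn't already exist) and add a write access
 rule for path.
 .TP
-\fBlandlock.special path
+\fBlandlock.makeipc path
 Create a Landlock ruleset (if it doesn't already exist) and add a rule that
-allows the creation of block devices, character devices, named pipes (FIFOs)
-and Unix domain sockets beneath given path.
+allows the creation of named pipes (FIFOs) and Unix domain sockets beneath
+the given path.
+.TP
+\fBlandlock.makedev path
+Create a Landlock ruleset (if it doesn't already exist) and add a rule that
+allows the creation of block devices and character devices beneath the given
+path.
 .TP
 \fBlandlock.execute path
 Create a Landlock ruleset (if it doesn't already exist) and add an execution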
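--- a/src/man/firejail.1.in
+++ b/src/man/firejail.1.in
@@ -1249,10 +1249,15 @@ rule for path.
 Create a Landlock ruleset (if it doesn't already exist) and add a write access
 rule for path.
 .TP
-\fB\-\-landlock.special=path
+\fB\-\-landlock.makeipc=path
 Create a Landlock ruleset (if it doesn't already exist) and add a rule that
-allows the creation of block devices, character devices, named pipes (FIFOs)
-and Unix domain sockets beneath given path.
+allows the creation of named pipes (FIFOs) and Unix domain sockets beneath
+the given path.
+.TP
+\fB\-\-landlock.makedev=path
+Create a Landlock ruleset (if it doesn't already exist) and add a rule that
+allows the creation of block devices and character devices beneath the given
+path.
 .TP
 \fB\-\-landlock.execute=path
 Create a Landlock ruleset (if it doesn't already exist) and add an execution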
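--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -110,7 +110,8 @@ _firejail_args=(
 '--landlock.enforce[enforce the Landlock ruleset]'
 '--landlock.read=-[add a read access rule for the path to the Landlock ruleset]: :_files'
 '--landlock.write=-[add a write access rule for the path to the Landlock ruleset]: :_files'
-'--landlock.special=-[add an access rule for the path to the Landlock ruleset for creating block/char devices, named pipes and sockets]: :_files'
+'--landlock.makeipc=-[add an access rule for the path to the Landlock ruleset for creating named pipes and sockets]: :_files'
+'--landlock.makedev=-[add an access rule for the path to the Landlock ruleset for creating block/char devices]: :_files'
 '--landlock.execute=-[add an execute access rule for the path to the Landlock ruleset]: :_files'
 #endif
 '--machine-id[spoof /etc/machine-id with a random id]'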