diff options
| author |  Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-11-08 07:57:41 -0300 |
|---|---|---|
| committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-12-06 16:27:13 -0300 |
| commit | cfbde6658080ee57f37c7a1149c7f1cd9f7fdf91 (patch) | |
| tree | 42e9f3bad10b3f798c4ddcb815db412fe04d52ba | |
| parent | landlock: fix profile entries processed in reverse (diff) | |
| download | firejail-cfbde6658080ee57f37c7a1149c7f1cd9f7fdf91.tar.gz firejail-cfbde6658080ee57f37c7a1149c7f1cd9f7fdf91.tar.zst firejail-cfbde6658080ee57f37c7a1149c7f1cd9f7fdf91.zip | |
landlock: deduplicate fs functions into ll_fs
The relevant functions are all identical except for the access flags
used.
Relates to #6078.
| -rw-r--r-- | src/firejail/landlock.c | 103 |
1 files changed, 19 insertions, 84 deletions
diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c index d89b031a8..65a4cd8df 100644 --- a/src/firejail/landlock.c +++ b/src/firejail/landlock.c | |||
| @@ -108,7 +108,8 @@ static int ll_create_full_ruleset(void) { | |||
| 108 | return ruleset_fd; | 108 | return ruleset_fd; |
| 109 | } | 109 | } |
| 110 | 110 | ||
| 111 | int ll_read(const char *allowed_path) { | 111 | static int ll_fs(const char *allowed_path, const __u64 allowed_access, |
| 112 | const char *caller) { | ||
| 112 | if (!ll_is_supported()) | 113 | if (!ll_is_supported()) |
| 113 | return 0; | 114 | return 0; |
| 114 | 115 | ||
| @@ -120,45 +121,34 @@ int ll_read(const char *allowed_path) { | |||
| 120 | if (allowed_fd < 0) { | 121 | if (allowed_fd < 0) { |
| 121 | if (arg_debug) { | 122 | if (arg_debug) { |
| 122 | fprintf(stderr, "%s: failed to open %s: %s\n", | 123 | fprintf(stderr, "%s: failed to open %s: %s\n", |
| 123 | __func__, allowed_path, strerror(errno)); | 124 | caller, allowed_path, strerror(errno)); |
| 124 | } | 125 | } |
| 125 | return 0; | 126 | return 0; |
| 126 | } | 127 | } |
| 128 | |||
| 127 | struct landlock_path_beneath_attr target; | 129 | struct landlock_path_beneath_attr target; |
| 128 | target.parent_fd = allowed_fd; | 130 | target.parent_fd = allowed_fd; |
| 129 | target.allowed_access = | 131 | target.allowed_access = allowed_access; |
| 130 | LANDLOCK_ACCESS_FS_READ_DIR | | ||
| 131 | LANDLOCK_ACCESS_FS_READ_FILE; | ||
| 132 | |||
| 133 | error = landlock_add_rule(ll_ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, | 132 | error = landlock_add_rule(ll_ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, |
| 134 | &target, 0); | 133 | &target, 0); |
| 135 | if (error) { | 134 | if (error) { |
| 136 | fprintf(stderr, "Error: %s: failed to add Landlock rule for %s: %s\n", | 135 | fprintf(stderr, "Error: %s: failed to add Landlock rule for %s: %s\n", |
| 137 | __func__, allowed_path, strerror(errno)); | 136 | caller, allowed_path, strerror(errno)); |
| 138 | } | 137 | } |
| 139 | close(allowed_fd); | 138 | close(allowed_fd); |
| 140 | return error; | 139 | return error; |
| 141 | } | 140 | } |
| 142 | 141 | ||
| 143 | int ll_write(const char *allowed_path) { | 142 | int ll_read(const char *allowed_path) { |
| 144 | if (!ll_is_supported()) | 143 | __u64 allowed_access = |
| 145 | return 0; | 144 | LANDLOCK_ACCESS_FS_READ_DIR | |
| 145 | LANDLOCK_ACCESS_FS_READ_FILE; | ||
| 146 | 146 | ||
| 147 | if (ll_ruleset_fd == -1) | 147 | return ll_fs(allowed_path, allowed_access, __func__); |
| 148 | ll_ruleset_fd = ll_create_full_ruleset(); | 148 | } |
| 149 | 149 | ||
| 150 | int error; | 150 | int ll_write(const char *allowed_path) { |
| 151 | int allowed_fd = open(allowed_path, O_PATH | O_CLOEXEC); | 151 | __u64 allowed_access = |
| 152 | if (allowed_fd < 0) { | ||
| 153 | if (arg_debug) { | ||
| 154 | fprintf(stderr, "%s: failed to open %s: %s\n", | ||
| 155 | __func__, allowed_path, strerror(errno)); | ||
| 156 | } | ||
| 157 | return 0; | ||
| 158 | } | ||
| 159 | struct landlock_path_beneath_attr target; | ||
| 160 | target.parent_fd = allowed_fd; | ||
| 161 | target.allowed_access = | ||
| 162 | LANDLOCK_ACCESS_FS_MAKE_DIR | | 152 | LANDLOCK_ACCESS_FS_MAKE_DIR | |
| 163 | LANDLOCK_ACCESS_FS_MAKE_REG | | 153 | LANDLOCK_ACCESS_FS_MAKE_REG | |
| 164 | LANDLOCK_ACCESS_FS_MAKE_SYM | | 154 | LANDLOCK_ACCESS_FS_MAKE_SYM | |
| @@ -166,79 +156,24 @@ int ll_write(const char *allowed_path) { | |||
| 166 | LANDLOCK_ACCESS_FS_REMOVE_FILE | | 156 | LANDLOCK_ACCESS_FS_REMOVE_FILE | |
| 167 | LANDLOCK_ACCESS_FS_WRITE_FILE; | 157 | LANDLOCK_ACCESS_FS_WRITE_FILE; |
| 168 | 158 | ||
| 169 | error = landlock_add_rule(ll_ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, | 159 | return ll_fs(allowed_path, allowed_access, __func__); |
| 170 | &target, 0); | ||
| 171 | if (error) { | ||
| 172 | fprintf(stderr, "Error: %s: failed to add Landlock rule for %s: %s\n", | ||
| 173 | __func__, allowed_path, strerror(errno)); | ||
| 174 | } | ||
| 175 | close(allowed_fd); | ||
| 176 | return error; | ||
| 177 | } | 160 | } |
| 178 | 161 | ||
| 179 | int ll_special(const char *allowed_path) { | 162 | int ll_special(const char *allowed_path) { |
| 180 | if (!ll_is_supported()) | 163 | __u64 allowed_access = |
| 181 | return 0; | ||
| 182 | |||
| 183 | if (ll_ruleset_fd == -1) | ||
| 184 | ll_ruleset_fd = ll_create_full_ruleset(); | ||
| 185 | |||
| 186 | int error; | ||
| 187 | int allowed_fd = open(allowed_path, O_PATH | O_CLOEXEC); | ||
| 188 | if (allowed_fd < 0) { | ||
| 189 | if (arg_debug) { | ||
| 190 | fprintf(stderr, "%s: failed to open %s: %s\n", | ||
| 191 | __func__, allowed_path, strerror(errno)); | ||
| 192 | } | ||
| 193 | return 0; | ||
| 194 | } | ||
| 195 | struct landlock_path_beneath_attr target; | ||
| 196 | target.parent_fd = allowed_fd; | ||
| 197 | target.allowed_access = | ||
| 198 | LANDLOCK_ACCESS_FS_MAKE_BLOCK | | 164 | LANDLOCK_ACCESS_FS_MAKE_BLOCK | |
| 199 | LANDLOCK_ACCESS_FS_MAKE_CHAR | | 165 | LANDLOCK_ACCESS_FS_MAKE_CHAR | |
| 200 | LANDLOCK_ACCESS_FS_MAKE_FIFO | | 166 | LANDLOCK_ACCESS_FS_MAKE_FIFO | |
| 201 | LANDLOCK_ACCESS_FS_MAKE_SOCK; | 167 | LANDLOCK_ACCESS_FS_MAKE_SOCK; |
| 202 | 168 | ||
| 203 | error = landlock_add_rule(ll_ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, | 169 | return ll_fs(allowed_path, allowed_access, __func__); |
| 204 | &target, 0); | ||
| 205 | if (error) { | ||
| 206 | fprintf(stderr, "Error: %s: failed to add Landlock rule for %s: %s\n", | ||
| 207 | __func__, allowed_path, strerror(errno)); | ||
| 208 | } | ||
| 209 | close(allowed_fd); | ||
| 210 | return error; | ||
| 211 | } | 170 | } |
| 212 | 171 | ||
| 213 | int ll_exec(const char *allowed_path) { | 172 | int ll_exec(const char *allowed_path) { |
| 214 | if (!ll_is_supported()) | 173 | __u64 allowed_access = |
| 215 | return 0; | ||
| 216 | |||
| 217 | if (ll_ruleset_fd == -1) | ||
| 218 | ll_ruleset_fd = ll_create_full_ruleset(); | ||
| 219 | |||
| 220 | int error; | ||
| 221 | int allowed_fd = open(allowed_path, O_PATH | O_CLOEXEC); | ||
| 222 | if (allowed_fd < 0) { | ||
| 223 | if (arg_debug) { | ||
| 224 | fprintf(stderr, "%s: failed to open %s: %s\n", | ||
| 225 | __func__, allowed_path, strerror(errno)); | ||
| 226 | } | ||
| 227 | return 0; | ||
| 228 | } | ||
| 229 | struct landlock_path_beneath_attr target; | ||
| 230 | target.parent_fd = allowed_fd; | ||
| 231 | target.allowed_access = | ||
| 232 | LANDLOCK_ACCESS_FS_EXECUTE; | 174 | LANDLOCK_ACCESS_FS_EXECUTE; |
| 233 | 175 | ||
| 234 | error = landlock_add_rule(ll_ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, | 176 | return ll_fs(allowed_path, allowed_access, __func__); |
| 235 | &target, 0); | ||
| 236 | if (error) { | ||
| 237 | fprintf(stderr, "Error: %s: failed to add Landlock rule for %s: %s\n", | ||
| 238 | __func__, allowed_path, strerror(errno)); | ||
| 239 | } | ||
| 240 | close(allowed_fd); | ||
| 241 | return error; | ||
| 242 | } | 177 | } |
| 243 | 178 | ||
| 244 | int ll_basic_system(void) { | 179 | int ll_basic_system(void) { |