landlock: expand simple macros in commands

This includes macros such as `${HOME}` and `${RUNUSER}`, but not `${PATH}`, which may expand to multiple strings. Relates to #6078.
author: Kelvin M. Klann <kmk3.code@protonmail.com> 2023-11-11 14:15:50 -0300
committer: Kelvin M. Klann <kmk3.code@protonmail.com> 2023-12-11 22:46:10 -0300
commit: 19e108248c88605b5470f2e5018f40a74b20a28e (patch)
tree: 919be8e239d7f51b469648f6cc83c6af2ee18bfe
parent: landlock: use uint32_t instead of __u32 in firejail.h (diff)
download: firejail-19e108248c88605b5470f2e5018f40a74b20a28e.tar.gz
firejail-19e108248c88605b5470f2e5018f40a74b20a28e.tar.zst
firejail-19e108248c88605b5470f2e5018f40a74b20a28e.zip
1 files changed, 16 insertions, 13 deletions
diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c
index 9cf5ec165..157c0ba4c 100644
--- a/src/firejail/landlock.c
+++ b/src/firejail/landlock.c
@@ -117,8 +117,8 @@ static int ll_create_full_ruleset(void) {
        return ruleset_fd;
 }
-static int ll_fs(const char *allowed_path, const __u64 allowed_access,
+static int _ll_fs(const char *allowed_path, const __u64 allowed_access,
-                 const char *caller) {
+                  const char *caller) {
        if (!ll_is_supported())
                return 0;
@@ -155,6 +155,16 @@ static int ll_fs(const char *allowed_path, const __u64 allowed_access,
        return error;
 }
+// TODO: Add support for the ${PATH} macro.
+static int ll_fs(const char *allowed_path, const __u64 allowed_access,
+                 const char *caller) {
+        char *expanded_path = expand_macros(allowed_path);
+        int error = _ll_fs(expanded_path, allowed_access, caller);
+        free(expanded_path);
+        return error;
+}
 int ll_read(const char *allowed_path) {
        __u64 allowed_access =
                LANDLOCK_ACCESS_FS_READ_DIR |
@@ -193,28 +203,21 @@ int ll_exec(const char *allowed_path) {
 }
 int ll_basic_system(void) {
-        assert(cfg.homedir);
        if (!ll_is_supported())
                return 0;
        if (ll_ruleset_fd == -1)
                ll_ruleset_fd = ll_create_full_ruleset();
-        int error;
+        int error =
-        char *rundir;
-        if (asprintf(&rundir, "/run/user/%d", getuid()) == -1)
-                errExit("asprintf");
-        error =
                ll_read("/") ||       // whole system read
                ll_special("/") ||    // sockets etc.
                ll_write("/tmp") ||   // write access
                ll_write("/dev") ||
                ll_write("/run/shm") ||
-                ll_write(cfg.homedir) ||
+                ll_write("${HOME}") ||
-                ll_write(rundir) ||
+                ll_write("${RUNUSER}") ||
                ll_exec("/opt") ||    // exec access
                ll_exec("/bin") ||
@@ -240,7 +243,7 @@ int ll_basic_system(void) {
                fprintf(stderr, "Error: %s: failed to set --landlock rules\n",
                        __func__);
        }
-        free(rundir);
        return error;
 }
author	Kelvin M. Klann <kmk3.code@protonmail.com>	2023-11-11 14:15:50 -0300
committer	Kelvin M. Klann <kmk3.code@protonmail.com>	2023-12-11 22:46:10 -0300
commit	19e108248c88605b5470f2e5018f40a74b20a28e (patch)
tree	919be8e239d7f51b469648f6cc83c6af2ee18bfe
parent	landlock: use uint32_t instead of __u32 in firejail.h (diff)
download	firejail-19e108248c88605b5470f2e5018f40a74b20a28e.tar.gz firejail-19e108248c88605b5470f2e5018f40a74b20a28e.tar.zst firejail-19e108248c88605b5470f2e5018f40a74b20a28e.zip

diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c index 9cf5ec165..157c0ba4c 100644 --- a/src/firejail/landlock.c +++ b/src/firejail/landlock.c
@@ -117,8 +117,8 @@ static int ll_create_full_ruleset(void) {
117	return ruleset_fd;	117	return ruleset_fd;
118	}	118	}
119		119
120	static int ll_fs(const char *allowed_path, const __u64 allowed_access,	120	static int _ll_fs(const char *allowed_path, const __u64 allowed_access,
121	const char *caller) {	121	const char *caller) {
122	if (!ll_is_supported())	122	if (!ll_is_supported())
123	return 0;	123	return 0;
124		124
@@ -155,6 +155,16 @@ static int ll_fs(const char *allowed_path, const __u64 allowed_access,
155	return error;	155	return error;
156	}	156	}
157		157
		158	// TODO: Add support for the ${PATH} macro.
		159	static int ll_fs(const char *allowed_path, const __u64 allowed_access,
		160	const char *caller) {
		161	char *expanded_path = expand_macros(allowed_path);
		162	int error = _ll_fs(expanded_path, allowed_access, caller);
		163
		164	free(expanded_path);
		165	return error;
		166	}
		167
158	int ll_read(const char *allowed_path) {	168	int ll_read(const char *allowed_path) {
159	__u64 allowed_access =	169	__u64 allowed_access =
160	LANDLOCK_ACCESS_FS_READ_DIR \|	170	LANDLOCK_ACCESS_FS_READ_DIR \|
@@ -193,28 +203,21 @@ int ll_exec(const char *allowed_path) {
193	}	203	}
194		204
195	int ll_basic_system(void) {	205	int ll_basic_system(void) {
196	assert(cfg.homedir);
197
198	if (!ll_is_supported())	206	if (!ll_is_supported())
199	return 0;	207	return 0;
200		208
201	if (ll_ruleset_fd == -1)	209	if (ll_ruleset_fd == -1)
202	ll_ruleset_fd = ll_create_full_ruleset();	210	ll_ruleset_fd = ll_create_full_ruleset();
203		211
204	int error;	212	int error =
205	char *rundir;
206	if (asprintf(&rundir, "/run/user/%d", getuid()) == -1)
207	errExit("asprintf");
208
209	error =
210	ll_read("/") \|\| // whole system read	213	ll_read("/") \|\| // whole system read
211	ll_special("/") \|\| // sockets etc.	214	ll_special("/") \|\| // sockets etc.
212		215
213	ll_write("/tmp") \|\| // write access	216	ll_write("/tmp") \|\| // write access
214	ll_write("/dev") \|\|	217	ll_write("/dev") \|\|
215	ll_write("/run/shm") \|\|	218	ll_write("/run/shm") \|\|
216	ll_write(cfg.homedir) \|\|	219	ll_write("${HOME}") \|\|
217	ll_write(rundir) \|\|	220	ll_write("${RUNUSER}") \|\|
218		221
219	ll_exec("/opt") \|\| // exec access	222	ll_exec("/opt") \|\| // exec access
220	ll_exec("/bin") \|\|	223	ll_exec("/bin") \|\|
@@ -240,7 +243,7 @@ int ll_basic_system(void) {
240	fprintf(stderr, "Error: %s: failed to set --landlock rules\n",	243	fprintf(stderr, "Error: %s: failed to set --landlock rules\n",
241	__func__);	244	__func__);
242	}	245	}
243	free(rundir);	246
244	return error;	247	return error;
245	}	248	}
246		249