diff options
| author |  netblue30 <netblue30@protonmail.com> | 2023-11-02 09:25:04 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@protonmail.com> | 2023-11-02 09:25:04 -0400 |
| commit | 9a6cd6df5790ac9f07958179d9be4279b345130a (patch) | |
| tree | b04c26c058d634f09bd7c59ce87d72573932c172 | |
| parent | shorter function names, new filesystem for --landlock command (diff) | |
| download | firejail-landlock.tar.gz firejail-landlock.tar.zst firejail-landlock.zip | |
cleanuplandlock
| -rw-r--r-- | src/firejail/firejail.h | 8 | ||||
| -rw-r--r-- | src/firejail/landlock.c | 50 | ||||
| -rw-r--r-- | src/firejail/main.c | 9 | ||||
| -rw-r--r-- | src/firejail/profile.c | 8 | ||||
| -rw-r--r-- | src/firejail/sandbox.c | 5 |
5 files changed, 36 insertions, 44 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index d40258542..0e690d571 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -155,6 +155,12 @@ typedef struct profile_entry_t { | |||
| 155 | 155 | ||
| 156 | typedef struct landlock_entry_t { | 156 | typedef struct landlock_entry_t { |
| 157 | struct landlock_entry_t *next; | 157 | struct landlock_entry_t *next; |
| 158 | #define LL_READ 0 | ||
| 159 | #define LL_WRITE 1 | ||
| 160 | #define LL_EXEC 2 | ||
| 161 | #define LL_SPECIAL 3 | ||
| 162 | #define LL_MAX 4 | ||
| 163 | int type; | ||
| 158 | char *data; | 164 | char *data; |
| 159 | } LandlockEntry; | 165 | } LandlockEntry; |
| 160 | 166 | ||
| @@ -970,7 +976,7 @@ int ll_restrict(__u32 flags); | |||
| 970 | int ll_read(char *allowed_path); | 976 | int ll_read(char *allowed_path); |
| 971 | int ll_write(char *allowed_path); | 977 | int ll_write(char *allowed_path); |
| 972 | void ll_basic_system(void); | 978 | void ll_basic_system(void); |
| 973 | void ll_add_profile(const char *data); | 979 | void ll_add_profile(int type, const char *data); |
| 974 | #endif | 980 | #endif |
| 975 | 981 | ||
| 976 | #endif | 982 | #endif |
diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c index a956275a7..68dcf52c2 100644 --- a/src/firejail/landlock.c +++ b/src/firejail/landlock.c | |||
| @@ -225,39 +225,23 @@ int ll_restrict(__u32 flags) { | |||
| 225 | return 0; | 225 | return 0; |
| 226 | } | 226 | } |
| 227 | 227 | ||
| 228 | int (*fnc[])(char *) = { | ||
| 229 | ll_read, | ||
| 230 | ll_write, | ||
| 231 | ll_exec, | ||
| 232 | ll_special, | ||
| 233 | NULL | ||
| 234 | }; | ||
| 228 | LandlockEntry *ptr = cfg.lprofile; | 235 | LandlockEntry *ptr = cfg.lprofile; |
| 229 | while (ptr) { | 236 | while (ptr) { |
| 230 | char *fname = NULL; | 237 | if (access(ptr->data, F_OK) == 0) { |
| 231 | int (*fnc)(char *) = NULL; | 238 | if (fnc[ptr->type](ptr->data)) |
| 232 | 239 | fprintf(stderr,"Error: failed to add Landlock rule for %s\n", ptr->data); | |
| 233 | if (strncmp(ptr->data, "landlock.read", 13) == 0) { | ||
| 234 | fname = ptr->data + 14; | ||
| 235 | fnc = ll_read; | ||
| 236 | } | ||
| 237 | else if (strncmp(ptr->data, "landlock.write", 14) == 0) { | ||
| 238 | fname = ptr->data + 15; | ||
| 239 | fnc = ll_write; | ||
| 240 | } | ||
| 241 | else if (strncmp(ptr->data, "landlock.special", 16) == 0) { | ||
| 242 | fname = ptr->data + 17; | ||
| 243 | fnc = ll_special; | ||
| 244 | } | ||
| 245 | else if (strncmp(ptr->data, "landlock.execute", 16) == 0) { | ||
| 246 | fname = ptr->data + 17; | ||
| 247 | fnc = ll_exec; | ||
| 248 | } | ||
| 249 | else | ||
| 250 | assert(0); | ||
| 251 | |||
| 252 | if (access(fname, F_OK) == 0) { | ||
| 253 | if (fnc(fname)) | ||
| 254 | fprintf(stderr,"Error: failed to add Landlock rule for %s\n", fname); | ||
| 255 | } | 240 | } |
| 256 | 241 | ||
| 257 | ptr = ptr->next; | 242 | ptr = ptr->next; |
| 258 | } | 243 | } |
| 259 | 244 | ||
| 260 | |||
| 261 | if (rset_fd == -1) | 245 | if (rset_fd == -1) |
| 262 | return 0; | 246 | return 0; |
| 263 | 247 | ||
| @@ -270,19 +254,25 @@ int ll_restrict(__u32 flags) { | |||
| 270 | } | 254 | } |
| 271 | } | 255 | } |
| 272 | 256 | ||
| 273 | void ll_add_profile(const char *data) { | 257 | void ll_add_profile(int type, const char *data) { |
| 258 | assert(data); | ||
| 259 | assert(type < LL_MAX); | ||
| 274 | if (old_kernel()) | 260 | if (old_kernel()) |
| 275 | return; | 261 | return; |
| 262 | const char *str = data; | ||
| 263 | while (*str == ' ' || *str == '\t') | ||
| 264 | str++; | ||
| 265 | |||
| 276 | LandlockEntry *ptr = malloc(sizeof(LandlockEntry)); | 266 | LandlockEntry *ptr = malloc(sizeof(LandlockEntry)); |
| 277 | if (!ptr) | 267 | if (!ptr) |
| 278 | errExit("malloc"); | 268 | errExit("malloc"); |
| 279 | memset(ptr, 0, sizeof(LandlockEntry)); | 269 | memset(ptr, 0, sizeof(LandlockEntry)); |
| 280 | ptr->data = strdup(data); | 270 | ptr->type = type; |
| 271 | ptr->data = strdup(str); | ||
| 281 | if (!ptr->data) | 272 | if (!ptr->data) |
| 282 | errExit("strdup"); | 273 | errExit("strdup"); |
| 283 | //printf("add profile #%s#\n", ptr->data); | ||
| 284 | ptr->next = cfg.lprofile; | 274 | ptr->next = cfg.lprofile; |
| 285 | cfg.lprofile=ptr; | 275 | cfg.lprofile = ptr; |
| 286 | } | 276 | } |
| 287 | 277 | ||
| 288 | #endif | 278 | #endif |
diff --git a/src/firejail/main.c b/src/firejail/main.c index f5eb06f56..b643b28d5 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -1504,7 +1504,6 @@ int main(int argc, char **argv, char **envp) { | |||
| 1504 | } | 1504 | } |
| 1505 | #ifdef HAVE_LANDLOCK | 1505 | #ifdef HAVE_LANDLOCK |
| 1506 | else if (strcmp(argv[i], "--landlock") == 0) | 1506 | else if (strcmp(argv[i], "--landlock") == 0) |
| 1507 | // ll_basic_system(); | ||
| 1508 | arg_landlock = 1; | 1507 | arg_landlock = 1; |
| 1509 | else if (strncmp(argv[i], "--landlock.proc=", 16) == 0) { | 1508 | else if (strncmp(argv[i], "--landlock.proc=", 16) == 0) { |
| 1510 | if (strncmp(argv[i]+16, "no", 2) == 0) arg_landlock_proc = 0; | 1509 | if (strncmp(argv[i]+16, "no", 2) == 0) arg_landlock_proc = 0; |
| @@ -1512,13 +1511,13 @@ int main(int argc, char **argv, char **envp) { | |||
| 1512 | else if (strncmp(argv[i]+16, "rw", 2) == 0) arg_landlock_proc = 2; | 1511 | else if (strncmp(argv[i]+16, "rw", 2) == 0) arg_landlock_proc = 2; |
| 1513 | } | 1512 | } |
| 1514 | else if (strncmp(argv[i], "--landlock.read=", 16) == 0) | 1513 | else if (strncmp(argv[i], "--landlock.read=", 16) == 0) |
| 1515 | ll_add_profile(argv[i] + 2); | 1514 | ll_add_profile(LL_READ, argv[i] + 16); |
| 1516 | else if (strncmp(argv[i], "--landlock.write=", 17) == 0) | 1515 | else if (strncmp(argv[i], "--landlock.write=", 17) == 0) |
| 1517 | ll_add_profile(argv[i] + 2); | 1516 | ll_add_profile(LL_WRITE, argv[i] + 17); |
| 1518 | else if (strncmp(argv[i], "--landlock.special=", 17) == 0) | 1517 | else if (strncmp(argv[i], "--landlock.special=", 17) == 0) |
| 1519 | ll_add_profile(argv[i] + 2); | 1518 | ll_add_profile(LL_SPECIAL, argv[i] + 17); |
| 1520 | else if (strncmp(argv[i], "--landlock.execute=", 19) == 0) | 1519 | else if (strncmp(argv[i], "--landlock.execute=", 19) == 0) |
| 1521 | ll_add_profile(argv[i] + 2); | 1520 | ll_add_profile(LL_EXEC, argv[i] + 19); |
| 1522 | #endif | 1521 | #endif |
| 1523 | else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) { | 1522 | else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) { |
| 1524 | if (checkcfg(CFG_SECCOMP)) | 1523 | if (checkcfg(CFG_SECCOMP)) |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index f16ec2175..62bd4aa75 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
| @@ -1090,19 +1090,19 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
| 1090 | return 0; | 1090 | return 0; |
| 1091 | } | 1091 | } |
| 1092 | if (strncmp(ptr, "landlock.read ", 14) == 0) { | 1092 | if (strncmp(ptr, "landlock.read ", 14) == 0) { |
| 1093 | ll_add_profile(ptr); | 1093 | ll_add_profile(LL_READ, ptr + 14); |
| 1094 | return 0; | 1094 | return 0; |
| 1095 | } | 1095 | } |
| 1096 | if (strncmp(ptr, "landlock.write ", 15) == 0) { | 1096 | if (strncmp(ptr, "landlock.write ", 15) == 0) { |
| 1097 | ll_add_profile(ptr); | 1097 | ll_add_profile(LL_WRITE, ptr + 15); |
| 1098 | return 0; | 1098 | return 0; |
| 1099 | } | 1099 | } |
| 1100 | if (strncmp(ptr, "landlock.special ", 17) == 0) { | 1100 | if (strncmp(ptr, "landlock.special ", 17) == 0) { |
| 1101 | ll_add_profile(ptr); | 1101 | ll_add_profile(LL_SPECIAL, ptr + 17); |
| 1102 | return 0; | 1102 | return 0; |
| 1103 | } | 1103 | } |
| 1104 | if (strncmp(ptr, "landlock.execute ", 17) == 0) { | 1104 | if (strncmp(ptr, "landlock.execute ", 17) == 0) { |
| 1105 | ll_add_profile(ptr); | 1105 | ll_add_profile(LL_EXEC, ptr + 17); |
| 1106 | return 0; | 1106 | return 0; |
| 1107 | } | 1107 | } |
| 1108 | #endif | 1108 | #endif |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index e03e88b3e..d09d7cf94 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -520,12 +520,9 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) { | |||
| 520 | //**************************** | 520 | //**************************** |
| 521 | // Configure Landlock | 521 | // Configure Landlock |
| 522 | //**************************** | 522 | //**************************** |
| 523 | if (arg_landlock) { | 523 | if (arg_landlock) |
| 524 | printf("set basic system\n"); fflush(0); | ||
| 525 | ll_basic_system(); | 524 | ll_basic_system(); |
| 526 | } | ||
| 527 | if (ll_get_fd() != -1) { | 525 | if (ll_get_fd() != -1) { |
| 528 | printf("proc = %d\n", arg_landlock_proc); | ||
| 529 | if (arg_landlock_proc >= 1) | 526 | if (arg_landlock_proc >= 1) |
| 530 | ll_read("/proc/"); | 527 | ll_read("/proc/"); |
| 531 | if (arg_landlock_proc == 2) | 528 | if (arg_landlock_proc == 2) |