diff options
| author |  Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-11-08 09:59:15 -0300 |
|---|---|---|
| committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-12-11 14:50:37 -0300 |
| commit | 01a9ddbbee65ca04423ecf8402e9c55092c771d2 (patch) | |
| tree | b3f9d342ec50c00ec42ece2f884b15b796261d3f | |
| parent | curl: add support for ~/.config/curlrc (#6120) (diff) | |
| download | firejail-01a9ddbbe.tar.gz firejail-01a9ddbbe.tar.zst firejail-01a9ddbbe.zip | |
landlock: improve logs for debugging
Changes:
* Print everything to stderr (to ensure that the messages are shown in
order)
* Print debug messages at the beginning of most functions
* Include the function name and access flags used
Relates to #6078.
| -rw-r--r-- | src/firejail/landlock.c | 35 |
1 files changed, 27 insertions, 8 deletions
diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c index 65a4cd8df..054d31ee4 100644 --- a/src/firejail/landlock.c +++ b/src/firejail/landlock.c | |||
| @@ -68,14 +68,16 @@ int ll_is_supported(void) { | |||
| 68 | LANDLOCK_CREATE_RULESET_VERSION); | 68 | LANDLOCK_CREATE_RULESET_VERSION); |
| 69 | if (ll_abi < 1) { | 69 | if (ll_abi < 1) { |
| 70 | ll_abi = 0; | 70 | ll_abi = 0; |
| 71 | fprintf(stderr, "Warning: Landlock is disabled or not supported: %s, " | 71 | fprintf(stderr, "Warning: %s: Landlock is disabled or not supported: %s, " |
| 72 | "ignoring landlock commands\n", | 72 | "ignoring landlock commands\n", |
| 73 | strerror(errno)); | 73 | __func__, strerror(errno)); |
| 74 | goto out; | 74 | goto out; |
| 75 | } | 75 | } |
| 76 | 76 | ||
| 77 | if (arg_debug) | 77 | if (arg_debug) { |
| 78 | printf("Detected Landlock ABI version %d\n", ll_abi); | 78 | fprintf(stderr, "%s: Detected Landlock ABI version %d\n", |
| 79 | __func__, ll_abi); | ||
| 80 | } | ||
| 79 | out: | 81 | out: |
| 80 | return ll_abi; | 82 | return ll_abi; |
| 81 | } | 83 | } |
| @@ -100,9 +102,16 @@ static int ll_create_full_ruleset(void) { | |||
| 100 | LANDLOCK_ACCESS_FS_REMOVE_FILE | | 102 | LANDLOCK_ACCESS_FS_REMOVE_FILE | |
| 101 | LANDLOCK_ACCESS_FS_WRITE_FILE; | 103 | LANDLOCK_ACCESS_FS_WRITE_FILE; |
| 102 | 104 | ||
| 105 | if (arg_debug) { | ||
| 106 | fprintf(stderr, "%s: Creating Landlock ruleset (abi=%d fs=%llx)\n", | ||
| 107 | __func__, ll_abi, attr.handled_access_fs); | ||
| 108 | } | ||
| 109 | |||
| 103 | int ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0); | 110 | int ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0); |
| 104 | if (ruleset_fd < 0) { | 111 | if (ruleset_fd < 0) { |
| 105 | fprintf(stderr, "Error: failed to create a Landlock ruleset: %s\n", | 112 | fprintf(stderr, "%s: Error: failed to create Landlock ruleset " |
| 113 | "(abi=%d fs=%llx): %s\n", | ||
| 114 | __func__, ll_abi, attr.handled_access_fs, | ||
| 106 | strerror(errno)); | 115 | strerror(errno)); |
| 107 | } | 116 | } |
| 108 | return ruleset_fd; | 117 | return ruleset_fd; |
| @@ -116,6 +125,11 @@ static int ll_fs(const char *allowed_path, const __u64 allowed_access, | |||
| 116 | if (ll_ruleset_fd == -1) | 125 | if (ll_ruleset_fd == -1) |
| 117 | ll_ruleset_fd = ll_create_full_ruleset(); | 126 | ll_ruleset_fd = ll_create_full_ruleset(); |
| 118 | 127 | ||
| 128 | if (arg_debug) { | ||
| 129 | fprintf(stderr, "%s: Adding Landlock rule (abi=%d fs=%llx) for %s\n", | ||
| 130 | caller, ll_abi, allowed_access, allowed_path); | ||
| 131 | } | ||
| 132 | |||
| 119 | int error; | 133 | int error; |
| 120 | int allowed_fd = open(allowed_path, O_PATH | O_CLOEXEC); | 134 | int allowed_fd = open(allowed_path, O_PATH | O_CLOEXEC); |
| 121 | if (allowed_fd < 0) { | 135 | if (allowed_fd < 0) { |
| @@ -132,8 +146,10 @@ static int ll_fs(const char *allowed_path, const __u64 allowed_access, | |||
| 132 | error = landlock_add_rule(ll_ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, | 146 | error = landlock_add_rule(ll_ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, |
| 133 | &target, 0); | 147 | &target, 0); |
| 134 | if (error) { | 148 | if (error) { |
| 135 | fprintf(stderr, "Error: %s: failed to add Landlock rule for %s: %s\n", | 149 | fprintf(stderr, "Error: %s: failed to add Landlock rule " |
| 136 | caller, allowed_path, strerror(errno)); | 150 | "(abi=%d fs=%llx) for %s: %s\n", |
| 151 | caller, ll_abi, allowed_access, allowed_path, | ||
| 152 | strerror(errno)); | ||
| 137 | } | 153 | } |
| 138 | close(allowed_fd); | 154 | close(allowed_fd); |
| 139 | return error; | 155 | return error; |
| @@ -232,6 +248,9 @@ int ll_restrict(__u32 flags) { | |||
| 232 | if (!ll_is_supported()) | 248 | if (!ll_is_supported()) |
| 233 | return 0; | 249 | return 0; |
| 234 | 250 | ||
| 251 | if (arg_debug) | ||
| 252 | fprintf(stderr, "%s: Starting Landlock restrict\n", __func__); | ||
| 253 | |||
| 235 | int (*fnc[])(const char *) = { | 254 | int (*fnc[])(const char *) = { |
| 236 | ll_read, | 255 | ll_read, |
| 237 | ll_write, | 256 | ll_write, |
| @@ -263,7 +282,7 @@ int ll_restrict(__u32 flags) { | |||
| 263 | goto out; | 282 | goto out; |
| 264 | } | 283 | } |
| 265 | if (arg_debug) | 284 | if (arg_debug) |
| 266 | printf("%s: Enforcing Landlock\n", __func__); | 285 | fprintf(stderr, "%s: Enforcing Landlock\n", __func__); |
| 267 | out: | 286 | out: |
| 268 | close(ll_ruleset_fd); | 287 | close(ll_ruleset_fd); |
| 269 | return error; | 288 | return error; |