author: netblue30 <netblue30@protonmail.com> 2023-11-02 08:34:59 -0400
committer: Kelvin M. Klann <kmk3.code@protonmail.com> 2023-11-07 17:55:14 -0300
commit520508d5be10e7579635193d24bc1ff004ed682b (patch)
tree32b2df274a144365e68c57e3735b30ddc0b9b68f
parentlandlock: apply rules in sandbox before app start (diff)
landlock: avoid parsing landlock commands twice
-rw-r--r--src/firejail/firejail.h8
-rw-r--r--src/firejail/landlock.c27
-rw-r--r--src/firejail/main.c8
-rw-r--r--src/firejail/profile.c8
4 files changed, 40 insertions, 11 deletions
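--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -152,6 +152,12 @@ typedef struct profile_entry_t {
 
 typedef struct landlock_entry_t {
 	struct landlock_entry_t *next;
+#define LL_READ 0
+#define LL_WRITE 1
+#define LL_SPECIAL 2
+#define LL_EXEC 3
+#define LL_MAX 4
+	int type;
 	char *data;
 } LandlockEntry;
 
@@ -968,7 +974,7 @@ int ll_special(const char *allowed_path);
 int ll_exec(const char *allowed_path);
 int ll_basic_system(void);
 int ll_restrict(__u32 flags);
-void ll_add_profile(const char *data);
+void ll_add_profile(int type, const char *data);
 #else
 static inline int ll_get_fd(void) { return -1; }
 static inline int ll_read(...) { return 0; }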
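Review bot: The new LL_* values are not just tags: ll_restrict() in landlock.c uses `ptr->type` as a direct index into its `fnc[]` table, so the order of these defines is load-bearing and nothing in the header says so; a comment above `#define LL_READ 0` such as `/* LL_* are indices into the ll_* dispatch table in ll_restrict(); keep both in the same order */` would stop a future reorder from silently mapping read rules onto write rules. An enum with LL_MAX as its last member would make the same constraint visible to the compiler and debugger and keep the constants out of the struct body. The `#else` branch's stub for ll_add_profile is outside this hunk; if it is declared with a fixed parameter list rather than `(...)` like the visible stubs, it needs the same signature change.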
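--- a/src/firejail/landlock.c
+++ b/src/firejail/landlock.c
@@ -255,6 +255,20 @@ int ll_basic_system(void) {
 }
 
 int ll_restrict(__u32 flags) {
+	int (*fnc[])(const char *) = {
+		ll_read,
+		ll_write,
+		ll_special,
+		ll_exec,
+		NULL
+	};
+
+	LandlockEntry *ptr = cfg.lprofile;
+	while (ptr) {
+		fnc[ptr->type](ptr->data);
+		ptr = ptr->next;
+	}
+
 	if (ll_ruleset_fd == -1)
 		return 0;
 
@@ -278,12 +292,21 @@ out:
 	return error;
 }
 
-void ll_add_profile(const char *data) {
+void ll_add_profile(int type, const char *data) {
+	assert(type >= 0);
+	assert(type < LL_MAX);
+	assert(data);
+
+	const char *str = data;
+	while (*str == ' ' || *str == '\t')
+		str++;
+
 	LandlockEntry *ptr = malloc(sizeof(LandlockEntry));
 	if (!ptr)
 		errExit("malloc");
 	memset(ptr, 0, sizeof(LandlockEntry));
-	ptr->data = strdup(data);
+	ptr->type = type;
+	ptr->data = strdup(str);
 	if (!ptr->data)
 		errExit("strdup");
 	ptr->next = cfg.lprofile;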
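Review bot: The dispatch loop added to ll_restrict() discards the int returned by each ll_* callback, so a rule that could not be installed (for example a path that does not exist when the sandbox starts) is neither reported nor reflected in the function's return value; changing the call to `if (fnc[ptr->type](ptr->data) != 0)` and logging `ptr->data` on that branch would make a silently missing allow-rule visible to the user. ll_add_profile() relies on assert() to reject an out-of-range type, which is compiled out under NDEBUG and would then leave `fnc[ptr->type]` unbounded — every caller in this commit passes an LL_* constant, so this is a robustness note rather than a reachable fault, but a hard check handled like the malloc failure just below (errExit) would be consistent with the rest of the function. Both functions continue outside the hunks shown: ll_restrict's `out:` label and the tail of ll_add_profile after `ptr->next = cfg.lprofile;` are not visible.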
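--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1520,13 +1520,13 @@ int main(int argc, char **argv, char **envp) {
 			}
 		}
 		else if (strncmp(argv[i], "--landlock.read=", 16) == 0)
-			ll_add_profile(argv[i] + 2);
+			ll_add_profile(LL_READ, argv[i] + 16);
 		else if (strncmp(argv[i], "--landlock.write=", 17) == 0)
-			ll_add_profile(argv[i] + 2);
+			ll_add_profile(LL_WRITE, argv[i] + 17);
 		else if (strncmp(argv[i], "--landlock.special=", 19) == 0)
-			ll_add_profile(argv[i] + 2);
+			ll_add_profile(LL_SPECIAL, argv[i] + 19);
 		else if (strncmp(argv[i], "--landlock.execute=", 19) == 0)
-			ll_add_profile(argv[i] + 2);
+			ll_add_profile(LL_EXEC, argv[i] + 19);
 #endif
 		else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) {
 			if (checkcfg(CFG_SECCOMP))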
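Review bot: The value handed to ll_add_profile() is `argv[i] + 16` (and the matching offsets in the three branches below), which is the empty string for a bare `--landlock.read=`; ll_add_profile() strips leading blanks but does not reject an empty path, so the entry is stored and only surfaces, if at all, when ll_restrict() later tries to install a rule for "". Rejecting it at parse time, e.g. `if (argv[i][16] == '\0') { fprintf(stderr, "Error: --landlock.read= requires a path\n"); exit(1); }`, would turn a silent no-op rule into an actionable error. Separately, each prefix length is now hand-counted twice per branch (in strncmp and in the pointer offset); the counts as written are correct, but deriving the offset from the literal with `sizeof("--landlock.read=") - 1` would keep them from drifting apart.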
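--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1098,19 +1098,19 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		return 0;
 	}
 	if (strncmp(ptr, "landlock.read ", 14) == 0) {
-		ll_add_profile(ptr);
+		ll_add_profile(LL_READ, ptr + 14);
 		return 0;
 	}
 	if (strncmp(ptr, "landlock.write ", 15) == 0) {
-		ll_add_profile(ptr);
+		ll_add_profile(LL_WRITE, ptr + 15);
 		return 0;
 	}
 	if (strncmp(ptr, "landlock.special ", 17) == 0) {
-		ll_add_profile(ptr);
+		ll_add_profile(LL_SPECIAL, ptr + 17);
 		return 0;
 	}
 	if (strncmp(ptr, "landlock.execute ", 17) == 0) {
-		ll_add_profile(ptr);
+		ll_add_profile(LL_EXEC, ptr + 17);
 		return 0;
 	}
 #endif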
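Review bot: Each branch repeats a hand-counted prefix length twice — once in strncmp and once in the `ptr + N` offset (14, 15, 17, 17) — so a future edit to one of the keyword literals that updates only one of the two counts would silently pass a truncated or shifted path to ll_add_profile(); the counts as written are correct. Deriving the offset from the literal, e.g. `strncmp(ptr, "landlock.read ", sizeof("landlock.read ") - 1) == 0` paired with `ptr + (sizeof("landlock.read ") - 1)`, keeps the two in step. Note that the match requires exactly one space after the keyword, so a line such as `landlock.read<TAB>/path` does not enter these branches and falls through to whatever profile_check_line() does with unrecognised lines after this hunk; the function continues outside the lines shown.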