landlock: amend empty functions and comments

Changes: * Always declare public landlock functions, regardless of `HAVE_LANDLOCK` * Make the other public landlock functions (besides `ll_add_profile`) also be empty when `HAVE_LANDLOCK` is not defined * Clarify related comments This amends commit 8259f66e1 ("landlock fix for old kernel versions", 2024-04-06). For clarity, landlock-common.inc is included by default.profile and the issue that the aforementioned commit fixes is that if profile.c is built without the part that parses landlock commands (that is, when `HAVE_LANDLOCK` is not defined), using default.profile would cause firejail to abort due to "invalid lines". Note that the issue would only occur when firejail is built with an older kernel (or with --disable-landlock), not when simply running on an older kernel. See also commit b02a7a337 ("landlock: remove empty functions", 2023-12-07). Relates to #6078.
author: Kelvin M. Klann <kmk3.code@protonmail.com> 2024-04-08 11:22:15 -0300
committer: Kelvin M. Klann <kmk3.code@protonmail.com> 2024-04-10 02:42:17 -0300
commit: a05ae97af2a52b8349d732fecbc4343c86222400 (patch)
tree: bc45372e0ee230bd5bcebd06eedc1473556a9b94
parent: landlock fix for old kernel versions (diff)
download: firejail-a05ae97af2a52b8349d732fecbc4343c86222400.tar.gz
firejail-a05ae97af2a52b8349d732fecbc4343c86222400.tar.zst
firejail-a05ae97af2a52b8349d732fecbc4343c86222400.zip
3 files changed, 17 insertions, 5 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 4e018476e..b8ec4d474 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -966,10 +966,8 @@ void run_ids(int argc, char **argv);
 void oom_set(const char *oom_string);
 // landlock.c
-#ifdef HAVE_LANDLOCK
 int ll_get_fd(void);
 int ll_restrict(uint32_t flags);
 void ll_add_profile(int type, const char *data);
-#endif /* HAVE_LANDLOCK */
 #endif
diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c
index 44d7eeafa..a360f155b 100644
--- a/src/firejail/landlock.c
+++ b/src/firejail/landlock.c
@@ -18,7 +18,6 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#ifdef HAVE_LANDLOCK
 #include "firejail.h"
 #include <linux/landlock.h>
 #include <sys/prctl.h>
@@ -27,6 +26,8 @@
 #include <errno.h>
 #include <fcntl.h>
+#ifdef HAVE_LANDLOCK
 static int ll_ruleset_fd = -1;
 static int ll_abi = -1;
@@ -295,6 +296,17 @@ void ll_add_profile(int type, const char *data) {
 }
 #else
+int ll_get_fd(void) {
+        return -1;
+}
+int ll_restrict(uint32_t flags) {
+        (void) flags;
+        return 0;
+}
 void ll_add_profile(int type, const char *data) {
        (void) type;
        (void) data;
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 62767f8dc..4c6830250 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1074,8 +1074,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        }
 //#ifdef HAVE_LANDLOCK
-// landlock_connon.inc included by derfault in landlock.profile
+// landlock-common.inc is included by default.profile, so the entries of the
-// all landlcok functions are empty in case landlock is not available in the kernel
+// former should be processed or ignored instead of aborting.
+// Note that all landlock functions are empty when building without landlock
+// support.
        if (strncmp(ptr, "landlock.enforce", 16) == 0) {
                arg_landlock_enforce = 1;
                return 0;
author	Kelvin M. Klann <kmk3.code@protonmail.com>	2024-04-08 11:22:15 -0300
committer	Kelvin M. Klann <kmk3.code@protonmail.com>	2024-04-10 02:42:17 -0300
commit	a05ae97af2a52b8349d732fecbc4343c86222400 (patch)
tree	bc45372e0ee230bd5bcebd06eedc1473556a9b94
parent	landlock fix for old kernel versions (diff)
download	firejail-a05ae97af2a52b8349d732fecbc4343c86222400.tar.gz firejail-a05ae97af2a52b8349d732fecbc4343c86222400.tar.zst firejail-a05ae97af2a52b8349d732fecbc4343c86222400.zip