authorLibravatar netblue30 <netblue30@protonmail.com>2023-10-26 10:21:40 -0400
committerLibravatar Kelvin M. Klann <kmk3.code@protonmail.com>2023-11-07 17:55:14 -0300
commitb94cc754a0f88ac5b594c52b6a1a3c88b622772c (patch)
tree50480635c337f305a8f8f2ed27f79cdc0e9b1d4e
parentlandlock: new filesystem for --landlock command (diff)
landlock: apply rules in sandbox before app start
Apply rules in the sandbox thread before the application is started.
-rw-r--r--src/firejail/firejail.h8
-rw-r--r--src/firejail/landlock.c12
-rw-r--r--src/firejail/main.c8
-rw-r--r--src/firejail/profile.c8
4 files changed, 28 insertions, 8 deletions
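--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -150,6 +150,11 @@ typedef struct profile_entry_t {
 
 } ProfileEntry;
 
+typedef struct landlock_entry_t {
+	struct landlock_entry_t *next;
+	char *data;
+} LandlockEntry;
+
 typedef struct config_t {
 	// user data
 	char *username;
@@ -159,6 +164,7 @@ typedef struct config_t {
 	// filesystem
 	ProfileEntry *profile;
 	ProfileEntry *profile_rebuild_etc; // blacklist files in /etc directory used by fs_rebuild_etc()
+	LandlockEntry *lprofile;
 
 #define MAX_PROFILE_IGNORE 32
 	char *profile_ignore[MAX_PROFILE_IGNORE];
@@ -962,6 +968,7 @@ int ll_special(const char *allowed_path);
 int ll_exec(const char *allowed_path);
 int ll_basic_system(void);
 int ll_restrict(__u32 flags);
+void ll_add_profile(const char *data);
 #else
 static inline int ll_get_fd(void) { return -1; }
 static inline int ll_read(...) { return 0; }
@@ -970,6 +977,7 @@ static inline int ll_special(...) { return 0; }
 static inline int ll_exec(...) { return 0; }
 static inline int ll_basic_system(void) { return 0; }
 static inline int ll_restrict(...) { return 0; }
+static inline void ll_add_profile(...) { return; }
 #endif /* HAVE_LANDLOCK */
 
 #endif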
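Review bot: The new LandlockEntry type does not say what `data` holds; from the main.c and profile.c hunks it is the raw rule text including the `landlock.*` keyword, which a reader of the header cannot tell from the struct alone. I would annotate the field: `char *data; // rule line as given, e.g. "landlock.read=PATH" (cmdline) or "landlock.read PATH" (profile)`. The `cfg.lprofile` member would similarly benefit from `LandlockEntry *lprofile; // queued landlock rules, applied in the sandbox before the app starts`, matching the commit message. The non-HAVE_LANDLOCK stub silently discards the queued rule, which is consistent with the other stubs in that block but worth keeping in mind when reading the call sites.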
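--- a/src/firejail/landlock.c
+++ b/src/firejail/landlock.c
@@ -278,4 +278,16 @@ out:
 	return error;
 }
 
+void ll_add_profile(const char *data) {
+	LandlockEntry *ptr = malloc(sizeof(LandlockEntry));
+	if (!ptr)
+		errExit("malloc");
+	memset(ptr, 0, sizeof(LandlockEntry));
+	ptr->data = strdup(data);
+	if (!ptr->data)
+		errExit("strdup");
+	ptr->next = cfg.lprofile;
+	cfg.lprofile = ptr;
+}
+
 #endif /* HAVE_LANDLOCK */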
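Review bot: ll_add_profile() has no header comment, and it is not obvious from the body that entries are prepended, so cfg.lprofile ends up in reverse order of how the rules were given; whether that order matters depends on the consumer, which is outside this diff. I would add above the function `// Queue a landlock rule line verbatim for later application in the sandbox. Entries are prepended, so the list is in reverse order of appearance.` The malloc()+memset() pair can become `LandlockEntry *ptr = calloc(1, sizeof *ptr);` with the same errExit() check, which also ties the size to the variable rather than the type name. Since the text is copied with strdup(), the caller's buffer need not outlive the call, which is worth stating in the comment for the profile.c caller.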
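--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1520,13 +1520,13 @@ int main(int argc, char **argv, char **envp) {
 			}
 		}
 		else if (strncmp(argv[i], "--landlock.read=", 16) == 0)
-			ll_read(argv[i] + 16);
+			ll_add_profile(argv[i] + 2);
 		else if (strncmp(argv[i], "--landlock.write=", 17) == 0)
-			ll_write(argv[i] + 17);
+			ll_add_profile(argv[i] + 2);
 		else if (strncmp(argv[i], "--landlock.special=", 19) == 0)
-			ll_special(argv[i] + 19);
+			ll_add_profile(argv[i] + 2);
 		else if (strncmp(argv[i], "--landlock.execute=", 19) == 0)
-			ll_exec(argv[i] + 19);
+			ll_add_profile(argv[i] + 2);
 #endif
 		else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) {
 			if (checkcfg(CFG_SECCOMP))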
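Review bot: The new `ll_add_profile(argv[i] + 2)` stores the whole option text, e.g. `landlock.read=/path`, while the profile.c hunk stores the profile line `landlock.read /path`, so the same rule now reaches cfg.lprofile in two spellings, separated by `=` from the command line and by a space from a profile. The code that later walks cfg.lprofile in the sandbox is not part of this diff, so I cannot confirm it accepts both forms; if it splits on one separator only, rules from one of the two sources would be silently ignored, which for an allow-list mechanism means a less permissive sandbox than the user asked for rather than a more permissive one, but still a surprise. The previous code also validated the path immediately through ll_read()/ll_write()/ll_special()/ll_exec(), and that early feedback is gone here. A comment at the first call such as `// rule text is queued verbatim ("landlock.read=PATH"); parsed and applied later in the sandbox` would make the deferral explicit. main() continues outside the hunk.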
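--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1098,19 +1098,19 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		return 0;
 	}
 	if (strncmp(ptr, "landlock.read ", 14) == 0) {
-		ll_read(ptr + 14);
+		ll_add_profile(ptr);
 		return 0;
 	}
 	if (strncmp(ptr, "landlock.write ", 15) == 0) {
-		ll_write(ptr + 15);
+		ll_add_profile(ptr);
 		return 0;
 	}
 	if (strncmp(ptr, "landlock.special ", 17) == 0) {
-		ll_special(ptr + 17);
+		ll_add_profile(ptr);
 		return 0;
 	}
 	if (strncmp(ptr, "landlock.execute ", 17) == 0) {
-		ll_exec(ptr + 17);
+		ll_add_profile(ptr);
 		return 0;
 	}
 #endif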
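Review bot: profile_check_line() receives `lineno` and `fname`, but the new `ll_add_profile(ptr)` calls store only the line text, so an invalid landlock path can no longer be reported against the profile file and line at parse time; the replaced ll_read()/ll_write()/ll_special()/ll_exec() calls ran immediately, and presumably any failure surfaced while the profile was still being read. If the later consumer rejects a queued rule, its message will lack that context. I would at least mark the deferral at the first call: `ll_add_profile(ptr); // validated and applied later in the sandbox; file/line not retained`. The function's start and end are outside the hunk.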