landlock: apply rules in sandbox before app start

Apply rules in the sandbox thread before the application is started.
author: netblue30 <netblue30@protonmail.com> 2023-10-26 10:21:40 -0400
committer: Kelvin M. Klann <kmk3.code@protonmail.com> 2023-11-07 17:55:14 -0300
commit: b94cc754a0f88ac5b594c52b6a1a3c88b622772c (patch)
tree: 50480635c337f305a8f8f2ed27f79cdc0e9b1d4e /src/firejail/main.c
parent: landlock: new filesystem for --landlock command (diff)
download: firejail-b94cc754a0f88ac5b594c52b6a1a3c88b622772c.tar.gz
firejail-b94cc754a0f88ac5b594c52b6a1a3c88b622772c.tar.zst
firejail-b94cc754a0f88ac5b594c52b6a1a3c88b622772c.zip
1 files changed, 4 insertions, 4 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c
index df31fe2ce..8715d9486 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1520,13 +1520,13 @@ int main(int argc, char **argv, char **envp) {
                        }
                }
                else if (strncmp(argv[i], "--landlock.read=", 16) == 0)
-                        ll_read(argv[i] + 16);
+                        ll_add_profile(argv[i] + 2);
                else if (strncmp(argv[i], "--landlock.write=", 17) == 0)
-                        ll_write(argv[i] + 17);
+                        ll_add_profile(argv[i] + 2);
                else if (strncmp(argv[i], "--landlock.special=", 19) == 0)
-                        ll_special(argv[i] + 19);
+                        ll_add_profile(argv[i] + 2);
                else if (strncmp(argv[i], "--landlock.execute=", 19) == 0)
-                        ll_exec(argv[i] + 19);
+                        ll_add_profile(argv[i] + 2);
 #endif
                else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) {
                        if (checkcfg(CFG_SECCOMP))
author	netblue30 <netblue30@protonmail.com>	2023-10-26 10:21:40 -0400
committer	Kelvin M. Klann <kmk3.code@protonmail.com>	2023-11-07 17:55:14 -0300
commit	b94cc754a0f88ac5b594c52b6a1a3c88b622772c (patch)
tree	50480635c337f305a8f8f2ed27f79cdc0e9b1d4e /src/firejail/main.c
parent	landlock: new filesystem for --landlock command (diff)
download	firejail-b94cc754a0f88ac5b594c52b6a1a3c88b622772c.tar.gz firejail-b94cc754a0f88ac5b594c52b6a1a3c88b622772c.tar.zst firejail-b94cc754a0f88ac5b594c52b6a1a3c88b622772c.zip

diff --git a/src/firejail/main.c b/src/firejail/main.c index df31fe2ce..8715d9486 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -1520,13 +1520,13 @@ int main(int argc, char argv, char envp) {
1520	}	1520	}
1521	}	1521	}
1522	else if (strncmp(argv[i], "--landlock.read=", 16) == 0)	1522	else if (strncmp(argv[i], "--landlock.read=", 16) == 0)
1523	ll_read(argv[i] + 16);	1523	ll_add_profile(argv[i] + 2);
1524	else if (strncmp(argv[i], "--landlock.write=", 17) == 0)	1524	else if (strncmp(argv[i], "--landlock.write=", 17) == 0)
1525	ll_write(argv[i] + 17);	1525	ll_add_profile(argv[i] + 2);
1526	else if (strncmp(argv[i], "--landlock.special=", 19) == 0)	1526	else if (strncmp(argv[i], "--landlock.special=", 19) == 0)
1527	ll_special(argv[i] + 19);	1527	ll_add_profile(argv[i] + 2);
1528	else if (strncmp(argv[i], "--landlock.execute=", 19) == 0)	1528	else if (strncmp(argv[i], "--landlock.execute=", 19) == 0)
1529	ll_exec(argv[i] + 19);	1529	ll_add_profile(argv[i] + 2);
1530	#endif	1530	#endif
1531	else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) {	1531	else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) {
1532	if (checkcfg(CFG_SECCOMP))	1532	if (checkcfg(CFG_SECCOMP))