Merge pull request #6078 from kmk3/landlock_v3

feature: add Landlock support
author: netblue30 <netblue30@protonmail.com> 2023-12-04 09:18:05 -0500
committer: GitHub <noreply@github.com> 2023-12-04 09:18:05 -0500
commit: 9ba5c8d50b2b00244cb539809f8da7ba32043fa4 (patch)
tree: ff28ac831ce0d11591b2c49f66ee9b92ae1c8b8e /src/firejail/sandbox.c
parent: Merge pull request #6104 from kmk3/ci-enable-sort-py (diff)
parent: landlock: detect support at runtime (diff)
download: firejail-9ba5c8d50b2b00244cb539809f8da7ba32043fa4.tar.gz
firejail-9ba5c8d50b2b00244cb539809f8da7ba32043fa4.tar.zst
firejail-9ba5c8d50b2b00244cb539809f8da7ba32043fa4.zip
1 files changed, 22 insertions, 0 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 827be5d85..dbc115137 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -516,6 +516,28 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
                printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD"));
        }
+#ifdef HAVE_LANDLOCK
+        //****************************
+        // Configure Landlock
+        //****************************
+        if (arg_landlock)
+                ll_basic_system();
+        if (ll_get_fd() != -1) {
+                if (arg_landlock_proc >= 1)
+                        ll_read("/proc/");
+                if (arg_landlock_proc == 2)
+                        ll_write("/proc/");
+        }
+        if (ll_restrict(0)) {
+                // It isn't safe to continue if Landlock self-restriction was
+                // enabled and the "landlock_restrict_self" syscall has failed.
+                fprintf(stderr, "Error: ll_restrict() failed, exiting...\n");
+                exit(1);
+        }
+#endif
        if (just_run_the_shell) {
                char *arg[2];
                arg[0] = cfg.usershell;
author	netblue30 <netblue30@protonmail.com>	2023-12-04 09:18:05 -0500
committer	GitHub <noreply@github.com>	2023-12-04 09:18:05 -0500
commit	9ba5c8d50b2b00244cb539809f8da7ba32043fa4 (patch)
tree	ff28ac831ce0d11591b2c49f66ee9b92ae1c8b8e /src/firejail/sandbox.c
parent	Merge pull request #6104 from kmk3/ci-enable-sort-py (diff)
parent	landlock: detect support at runtime (diff)
download	firejail-9ba5c8d50b2b00244cb539809f8da7ba32043fa4.tar.gz firejail-9ba5c8d50b2b00244cb539809f8da7ba32043fa4.tar.zst firejail-9ba5c8d50b2b00244cb539809f8da7ba32043fa4.zip

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 827be5d85..dbc115137 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -516,6 +516,28 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
516	printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD"));	516	printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD"));
517	}	517	}
518		518
		519	#ifdef HAVE_LANDLOCK
		520	//****************************
		521	// Configure Landlock
		522	//****************************
		523	if (arg_landlock)
		524	ll_basic_system();
		525
		526	if (ll_get_fd() != -1) {
		527	if (arg_landlock_proc >= 1)
		528	ll_read("/proc/");
		529	if (arg_landlock_proc == 2)
		530	ll_write("/proc/");
		531	}
		532
		533	if (ll_restrict(0)) {
		534	// It isn't safe to continue if Landlock self-restriction was
		535	// enabled and the "landlock_restrict_self" syscall has failed.
		536	fprintf(stderr, "Error: ll_restrict() failed, exiting...\n");
		537	exit(1);
		538	}
		539	#endif
		540
519	if (just_run_the_shell) {	541	if (just_run_the_shell) {
520	char *arg[2];	542	char *arg[2];
521	arg[0] = cfg.usershell;	543	arg[0] = cfg.usershell;