Landlock functions are added to the code of Firejail, removing the dependency on tinyLL

author: Азалия Смарагдова <charming.flurry@yandex.ru> 2022-08-15 14:19:27 +0500
committer: Азалия Смарагдова <charming.flurry@yandex.ru> 2022-08-15 14:36:02 +0500
commit: ba828befe06b99b7dc2d504085cb40aa2d710998 (patch)
tree: 93e811dc6f03be1045f425e74c016ff9de44eb3b /src/firejail
parent: Landlock support has been added. (diff)
download: firejail-ba828befe06b99b7dc2d504085cb40aa2d710998.tar.gz
firejail-ba828befe06b99b7dc2d504085cb40aa2d710998.tar.zst
firejail-ba828befe06b99b7dc2d504085cb40aa2d710998.zip
5 files changed, 89 insertions, 10 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 6a679f849..35e2dbf50 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -22,15 +22,33 @@
 #include "../include/common.h"
 #include "../include/euid_common.h"
 #include "../include/rundefs.h"
-#include <linux/limits.h> // Note: Plain limits.h may break ARG_MAX (see #4583)
+#ifdef HAVE_LANDLOCK
 #include <linux/landlock.h>
+#endif
+#include <linux/limits.h> // Note: Plain limits.h may break ARG_MAX (see #4583)
 #include <stdarg.h>
 #include <sys/stat.h>
 // debug restricted shell
 //#define DEBUG_RESTRICTED_SHELL
+#ifdef HAVE_LANDLOCK
+extern int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags);
+extern int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags);
+extern int landlock_restrict_self(int fd,__u32 flags);
+extern int create_full_ruleset();
+extern int add_read_access_rule_by_path(int rset_fd,char *allowed_path);
+extern int add_write_access_rule_by_path(int rset_fd,char *allowed_path,int restricted);
+extern int add_execute_rule_by_path(int rset_fd,char *allowed_path);
+#endif
 // profiles
 #define DEFAULT_USER_PROFILE    "default"
diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c
new file mode 100644
index 000000000..5d6b0260e
--- /dev/null
+++ b/src/firejail/landlock.c
@@ -0,0 +1,70 @@
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <linux/landlock.h>
+int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags) {
+        return syscall(__NR_landlock_create_ruleset,rsattr,size,flags);
+}
+int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags) {
+        return syscall(__NR_landlock_add_rule,fd,t,attr,flags);
+}
+int landlock_restrict_self(int fd,__u32 flags) {
+        int result = syscall(__NR_landlock_restrict_self,fd,flags);
+        if (result!=0) return result;
+        else {
+                close(fd);
+                return 0;
+        }
+}
+int create_full_ruleset() {
+        struct landlock_ruleset_attr attr;
+        attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM | LANDLOCK_ACCESS_FS_EXECUTE;
+        return landlock_create_ruleset(&attr,sizeof(attr),0);
+}
+int add_read_access_rule_by_path(int rset_fd,char *allowed_path) {
+        int result;
+        int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
+        struct landlock_path_beneath_attr target;
+        target.parent_fd = allowed_fd;
+        target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
+        result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
+        close(allowed_fd);
+        return result;
+}
+int add_write_access_rule_by_path(int rset_fd,char *allowed_path,int restricted) {
+        int result;
+        int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
+        struct landlock_path_beneath_attr target;
+        target.parent_fd = allowed_fd;
+        if (restricted==0) target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM;
+        else if (restricted==1) target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SYM;
+        else {
+                close(allowed_fd);
+                return -1;
+        }
+        result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
+        close(allowed_fd);
+        return result;
+}
+int add_execute_rule_by_path(int rset_fd,char *allowed_path) {
+        int result;
+        int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
+        struct landlock_path_beneath_attr target;
+        target.parent_fd = allowed_fd;
+        target.allowed_access = LANDLOCK_ACCESS_FS_EXECUTE;
+        result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
+        close(allowed_fd);
+        return result;
+}
diff --git a/src/firejail/main.c b/src/firejail/main.c
index cff6eba5f..c78d4d2b8 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -23,9 +23,6 @@
 #include "../include/gcov_wrapper.h"
 #include "../include/syscall.h"
 #include "../include/seccomp.h"
-#ifdef HAVE_LANDLOCK
-#include "../include/tinyLL.h"
-#endif
 #define _GNU_SOURCE
 #include <sys/utsname.h>
 #include <sched.h>
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 9d154adee..64a82767c 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -21,9 +21,6 @@
 #include "../include/gcov_wrapper.h"
 #include "../include/seccomp.h"
 #include "../include/syscall.h"
-#ifdef HAVE_LANDLOCK
-#include "../include/tinyLL.h"
-#endif
 #include <dirent.h>
 #include <sys/stat.h>
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 73f2aa211..014b31932 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -21,9 +21,6 @@
 #include "firejail.h"
 #include "../include/gcov_wrapper.h"
 #include "../include/seccomp.h"
-#ifdef HAVE_LANDLOCK
-#include "../include/tinyLL.h"
-#endif
 #include <sys/mman.h>
 #include <sys/mount.h>
 #include <sys/wait.h>
author	Азалия Смарагдова <charming.flurry@yandex.ru>	2022-08-15 14:19:27 +0500
committer	Азалия Смарагдова <charming.flurry@yandex.ru>	2022-08-15 14:36:02 +0500
commit	ba828befe06b99b7dc2d504085cb40aa2d710998 (patch)
tree	93e811dc6f03be1045f425e74c016ff9de44eb3b /src/firejail
parent	Landlock support has been added. (diff)
download	firejail-ba828befe06b99b7dc2d504085cb40aa2d710998.tar.gz firejail-ba828befe06b99b7dc2d504085cb40aa2d710998.tar.zst firejail-ba828befe06b99b7dc2d504085cb40aa2d710998.zip

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 6a679f849..35e2dbf50 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -22,15 +22,33 @@
22	#include "../include/common.h"	22	#include "../include/common.h"
23	#include "../include/euid_common.h"	23	#include "../include/euid_common.h"
24	#include "../include/rundefs.h"	24	#include "../include/rundefs.h"
25	#include <linux/limits.h> // Note: Plain limits.h may break ARG_MAX (see #4583)	25	#ifdef HAVE_LANDLOCK
26	#include <linux/landlock.h>	26	#include <linux/landlock.h>
		27	#endif
		28	#include <linux/limits.h> // Note: Plain limits.h may break ARG_MAX (see #4583)
27	#include <stdarg.h>	29	#include <stdarg.h>
28	#include <sys/stat.h>	30	#include <sys/stat.h>
29		31
30	// debug restricted shell	32	// debug restricted shell
31	//#define DEBUG_RESTRICTED_SHELL	33	//#define DEBUG_RESTRICTED_SHELL
32		34
		35	#ifdef HAVE_LANDLOCK
		36
		37	extern int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags);
		38
		39	extern int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags);
		40
		41	extern int landlock_restrict_self(int fd,__u32 flags);
33		42
		43	extern int create_full_ruleset();
		44
		45	extern int add_read_access_rule_by_path(int rset_fd,char *allowed_path);
		46
		47	extern int add_write_access_rule_by_path(int rset_fd,char *allowed_path,int restricted);
		48
		49	extern int add_execute_rule_by_path(int rset_fd,char *allowed_path);
		50
		51	#endif
34		52
35	// profiles	53	// profiles
36	#define DEFAULT_USER_PROFILE "default"	54	#define DEFAULT_USER_PROFILE "default"


diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c new file mode 100644 index 000000000..5d6b0260e --- /dev/null +++ b/src/firejail/landlock.c
@@ -0,0 +1,70 @@
		1	#define _GNU_SOURCE
		2	#include <stdio.h>
		3	#include <stddef.h>
		4	#include <stdlib.h>
		5	#include <unistd.h>
		6	#include <fcntl.h>
		7	#include <sys/syscall.h>
		8	#include <sys/types.h>
		9	#include <linux/landlock.h>
		10
		11	int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags) {
		12	return syscall(__NR_landlock_create_ruleset,rsattr,size,flags);
		13	}
		14
		15	int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags) {
		16	return syscall(__NR_landlock_add_rule,fd,t,attr,flags);
		17	}
		18
		19	int landlock_restrict_self(int fd,__u32 flags) {
		20	int result = syscall(__NR_landlock_restrict_self,fd,flags);
		21	if (result!=0) return result;
		22	else {
		23	close(fd);
		24	return 0;
		25	}
		26	}
		27
		28	int create_full_ruleset() {
		29	struct landlock_ruleset_attr attr;
		30	attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE \| LANDLOCK_ACCESS_FS_READ_DIR \| LANDLOCK_ACCESS_FS_WRITE_FILE \| LANDLOCK_ACCESS_FS_REMOVE_FILE \| LANDLOCK_ACCESS_FS_REMOVE_DIR \| LANDLOCK_ACCESS_FS_MAKE_CHAR \| LANDLOCK_ACCESS_FS_MAKE_DIR \| LANDLOCK_ACCESS_FS_MAKE_REG \| LANDLOCK_ACCESS_FS_MAKE_SOCK \| LANDLOCK_ACCESS_FS_MAKE_FIFO \| LANDLOCK_ACCESS_FS_MAKE_BLOCK \| LANDLOCK_ACCESS_FS_MAKE_SYM \| LANDLOCK_ACCESS_FS_EXECUTE;
		31	return landlock_create_ruleset(&attr,sizeof(attr),0);
		32	}
		33
		34	int add_read_access_rule_by_path(int rset_fd,char *allowed_path) {
		35	int result;
		36	int allowed_fd = open(allowed_path,O_PATH \| O_CLOEXEC);
		37	struct landlock_path_beneath_attr target;
		38	target.parent_fd = allowed_fd;
		39	target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE \| LANDLOCK_ACCESS_FS_READ_DIR;
		40	result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
		41	close(allowed_fd);
		42	return result;
		43	}
		44
		45	int add_write_access_rule_by_path(int rset_fd,char *allowed_path,int restricted) {
		46	int result;
		47	int allowed_fd = open(allowed_path,O_PATH \| O_CLOEXEC);
		48	struct landlock_path_beneath_attr target;
		49	target.parent_fd = allowed_fd;
		50	if (restricted==0) target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE \| LANDLOCK_ACCESS_FS_REMOVE_FILE \| LANDLOCK_ACCESS_FS_REMOVE_DIR \| LANDLOCK_ACCESS_FS_MAKE_CHAR \| LANDLOCK_ACCESS_FS_MAKE_DIR \| LANDLOCK_ACCESS_FS_MAKE_REG \| LANDLOCK_ACCESS_FS_MAKE_SOCK \| LANDLOCK_ACCESS_FS_MAKE_FIFO \| LANDLOCK_ACCESS_FS_MAKE_BLOCK \| LANDLOCK_ACCESS_FS_MAKE_SYM;
		51	else if (restricted==1) target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE \| LANDLOCK_ACCESS_FS_REMOVE_FILE \| LANDLOCK_ACCESS_FS_REMOVE_DIR \| LANDLOCK_ACCESS_FS_MAKE_CHAR \| LANDLOCK_ACCESS_FS_MAKE_DIR \| LANDLOCK_ACCESS_FS_MAKE_REG \| LANDLOCK_ACCESS_FS_MAKE_SYM;
		52	else {
		53	close(allowed_fd);
		54	return -1;
		55	}
		56	result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
		57	close(allowed_fd);
		58	return result;
		59	}
		60
		61	int add_execute_rule_by_path(int rset_fd,char *allowed_path) {
		62	int result;
		63	int allowed_fd = open(allowed_path,O_PATH \| O_CLOEXEC);
		64	struct landlock_path_beneath_attr target;
		65	target.parent_fd = allowed_fd;
		66	target.allowed_access = LANDLOCK_ACCESS_FS_EXECUTE;
		67	result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
		68	close(allowed_fd);
		69	return result;
		70	}


diff --git a/src/firejail/main.c b/src/firejail/main.c index cff6eba5f..c78d4d2b8 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -23,9 +23,6 @@
23	#include "../include/gcov_wrapper.h"	23	#include "../include/gcov_wrapper.h"
24	#include "../include/syscall.h"	24	#include "../include/syscall.h"
25	#include "../include/seccomp.h"	25	#include "../include/seccomp.h"
26	#ifdef HAVE_LANDLOCK
27	#include "../include/tinyLL.h"
28	#endif
29	#define _GNU_SOURCE	26	#define _GNU_SOURCE
30	#include <sys/utsname.h>	27	#include <sys/utsname.h>
31	#include <sched.h>	28	#include <sched.h>


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 9d154adee..64a82767c 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -21,9 +21,6 @@
21	#include "../include/gcov_wrapper.h"	21	#include "../include/gcov_wrapper.h"
22	#include "../include/seccomp.h"	22	#include "../include/seccomp.h"
23	#include "../include/syscall.h"	23	#include "../include/syscall.h"
24	#ifdef HAVE_LANDLOCK
25	#include "../include/tinyLL.h"
26	#endif
27	#include <dirent.h>	24	#include <dirent.h>
28	#include <sys/stat.h>	25	#include <sys/stat.h>
29		26


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 73f2aa211..014b31932 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -21,9 +21,6 @@
21	#include "firejail.h"	21	#include "firejail.h"
22	#include "../include/gcov_wrapper.h"	22	#include "../include/gcov_wrapper.h"
23	#include "../include/seccomp.h"	23	#include "../include/seccomp.h"
24	#ifdef HAVE_LANDLOCK
25	#include "../include/tinyLL.h"
26	#endif
27	#include <sys/mman.h>	24	#include <sys/mman.h>
28	#include <sys/mount.h>	25	#include <sys/mount.h>
29	#include <sys/wait.h>	26	#include <sys/wait.h>