diff options
author | 2023-11-08 07:57:41 -0300 | |
---|---|---|
committer | 2023-12-06 16:27:13 -0300 | |
commit | cfbde6658080ee57f37c7a1149c7f1cd9f7fdf91 (patch) | |
tree | 42e9f3bad10b3f798c4ddcb815db412fe04d52ba /src | |
parent | landlock: fix profile entries processed in reverse (diff) | |
download | firejail-cfbde6658080ee57f37c7a1149c7f1cd9f7fdf91.tar.gz firejail-cfbde6658080ee57f37c7a1149c7f1cd9f7fdf91.tar.zst firejail-cfbde6658080ee57f37c7a1149c7f1cd9f7fdf91.zip |
landlock: deduplicate fs functions into ll_fs
The relevant functions are all identical except for the access flags
used.
Relates to #6078.
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/landlock.c | 103 |
1 files changed, 19 insertions, 84 deletions
diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c index d89b031a8..65a4cd8df 100644 --- a/src/firejail/landlock.c +++ b/src/firejail/landlock.c | |||
@@ -108,7 +108,8 @@ static int ll_create_full_ruleset(void) { | |||
108 | return ruleset_fd; | 108 | return ruleset_fd; |
109 | } | 109 | } |
110 | 110 | ||
111 | int ll_read(const char *allowed_path) { | 111 | static int ll_fs(const char *allowed_path, const __u64 allowed_access, |
112 | const char *caller) { | ||
112 | if (!ll_is_supported()) | 113 | if (!ll_is_supported()) |
113 | return 0; | 114 | return 0; |
114 | 115 | ||
@@ -120,45 +121,34 @@ int ll_read(const char *allowed_path) { | |||
120 | if (allowed_fd < 0) { | 121 | if (allowed_fd < 0) { |
121 | if (arg_debug) { | 122 | if (arg_debug) { |
122 | fprintf(stderr, "%s: failed to open %s: %s\n", | 123 | fprintf(stderr, "%s: failed to open %s: %s\n", |
123 | __func__, allowed_path, strerror(errno)); | 124 | caller, allowed_path, strerror(errno)); |
124 | } | 125 | } |
125 | return 0; | 126 | return 0; |
126 | } | 127 | } |
128 | |||
127 | struct landlock_path_beneath_attr target; | 129 | struct landlock_path_beneath_attr target; |
128 | target.parent_fd = allowed_fd; | 130 | target.parent_fd = allowed_fd; |
129 | target.allowed_access = | 131 | target.allowed_access = allowed_access; |
130 | LANDLOCK_ACCESS_FS_READ_DIR | | ||
131 | LANDLOCK_ACCESS_FS_READ_FILE; | ||
132 | |||
133 | error = landlock_add_rule(ll_ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, | 132 | error = landlock_add_rule(ll_ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, |
134 | &target, 0); | 133 | &target, 0); |
135 | if (error) { | 134 | if (error) { |
136 | fprintf(stderr, "Error: %s: failed to add Landlock rule for %s: %s\n", | 135 | fprintf(stderr, "Error: %s: failed to add Landlock rule for %s: %s\n", |
137 | __func__, allowed_path, strerror(errno)); | 136 | caller, allowed_path, strerror(errno)); |
138 | } | 137 | } |
139 | close(allowed_fd); | 138 | close(allowed_fd); |
140 | return error; | 139 | return error; |
141 | } | 140 | } |
142 | 141 | ||
143 | int ll_write(const char *allowed_path) { | 142 | int ll_read(const char *allowed_path) { |
144 | if (!ll_is_supported()) | 143 | __u64 allowed_access = |
145 | return 0; | 144 | LANDLOCK_ACCESS_FS_READ_DIR | |
145 | LANDLOCK_ACCESS_FS_READ_FILE; | ||
146 | 146 | ||
147 | if (ll_ruleset_fd == -1) | 147 | return ll_fs(allowed_path, allowed_access, __func__); |
148 | ll_ruleset_fd = ll_create_full_ruleset(); | 148 | } |
149 | 149 | ||
150 | int error; | 150 | int ll_write(const char *allowed_path) { |
151 | int allowed_fd = open(allowed_path, O_PATH | O_CLOEXEC); | 151 | __u64 allowed_access = |
152 | if (allowed_fd < 0) { | ||
153 | if (arg_debug) { | ||
154 | fprintf(stderr, "%s: failed to open %s: %s\n", | ||
155 | __func__, allowed_path, strerror(errno)); | ||
156 | } | ||
157 | return 0; | ||
158 | } | ||
159 | struct landlock_path_beneath_attr target; | ||
160 | target.parent_fd = allowed_fd; | ||
161 | target.allowed_access = | ||
162 | LANDLOCK_ACCESS_FS_MAKE_DIR | | 152 | LANDLOCK_ACCESS_FS_MAKE_DIR | |
163 | LANDLOCK_ACCESS_FS_MAKE_REG | | 153 | LANDLOCK_ACCESS_FS_MAKE_REG | |
164 | LANDLOCK_ACCESS_FS_MAKE_SYM | | 154 | LANDLOCK_ACCESS_FS_MAKE_SYM | |
@@ -166,79 +156,24 @@ int ll_write(const char *allowed_path) { | |||
166 | LANDLOCK_ACCESS_FS_REMOVE_FILE | | 156 | LANDLOCK_ACCESS_FS_REMOVE_FILE | |
167 | LANDLOCK_ACCESS_FS_WRITE_FILE; | 157 | LANDLOCK_ACCESS_FS_WRITE_FILE; |
168 | 158 | ||
169 | error = landlock_add_rule(ll_ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, | 159 | return ll_fs(allowed_path, allowed_access, __func__); |
170 | &target, 0); | ||
171 | if (error) { | ||
172 | fprintf(stderr, "Error: %s: failed to add Landlock rule for %s: %s\n", | ||
173 | __func__, allowed_path, strerror(errno)); | ||
174 | } | ||
175 | close(allowed_fd); | ||
176 | return error; | ||
177 | } | 160 | } |
178 | 161 | ||
179 | int ll_special(const char *allowed_path) { | 162 | int ll_special(const char *allowed_path) { |
180 | if (!ll_is_supported()) | 163 | __u64 allowed_access = |
181 | return 0; | ||
182 | |||
183 | if (ll_ruleset_fd == -1) | ||
184 | ll_ruleset_fd = ll_create_full_ruleset(); | ||
185 | |||
186 | int error; | ||
187 | int allowed_fd = open(allowed_path, O_PATH | O_CLOEXEC); | ||
188 | if (allowed_fd < 0) { | ||
189 | if (arg_debug) { | ||
190 | fprintf(stderr, "%s: failed to open %s: %s\n", | ||
191 | __func__, allowed_path, strerror(errno)); | ||
192 | } | ||
193 | return 0; | ||
194 | } | ||
195 | struct landlock_path_beneath_attr target; | ||
196 | target.parent_fd = allowed_fd; | ||
197 | target.allowed_access = | ||
198 | LANDLOCK_ACCESS_FS_MAKE_BLOCK | | 164 | LANDLOCK_ACCESS_FS_MAKE_BLOCK | |
199 | LANDLOCK_ACCESS_FS_MAKE_CHAR | | 165 | LANDLOCK_ACCESS_FS_MAKE_CHAR | |
200 | LANDLOCK_ACCESS_FS_MAKE_FIFO | | 166 | LANDLOCK_ACCESS_FS_MAKE_FIFO | |
201 | LANDLOCK_ACCESS_FS_MAKE_SOCK; | 167 | LANDLOCK_ACCESS_FS_MAKE_SOCK; |
202 | 168 | ||
203 | error = landlock_add_rule(ll_ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, | 169 | return ll_fs(allowed_path, allowed_access, __func__); |
204 | &target, 0); | ||
205 | if (error) { | ||
206 | fprintf(stderr, "Error: %s: failed to add Landlock rule for %s: %s\n", | ||
207 | __func__, allowed_path, strerror(errno)); | ||
208 | } | ||
209 | close(allowed_fd); | ||
210 | return error; | ||
211 | } | 170 | } |
212 | 171 | ||
213 | int ll_exec(const char *allowed_path) { | 172 | int ll_exec(const char *allowed_path) { |
214 | if (!ll_is_supported()) | 173 | __u64 allowed_access = |
215 | return 0; | ||
216 | |||
217 | if (ll_ruleset_fd == -1) | ||
218 | ll_ruleset_fd = ll_create_full_ruleset(); | ||
219 | |||
220 | int error; | ||
221 | int allowed_fd = open(allowed_path, O_PATH | O_CLOEXEC); | ||
222 | if (allowed_fd < 0) { | ||
223 | if (arg_debug) { | ||
224 | fprintf(stderr, "%s: failed to open %s: %s\n", | ||
225 | __func__, allowed_path, strerror(errno)); | ||
226 | } | ||
227 | return 0; | ||
228 | } | ||
229 | struct landlock_path_beneath_attr target; | ||
230 | target.parent_fd = allowed_fd; | ||
231 | target.allowed_access = | ||
232 | LANDLOCK_ACCESS_FS_EXECUTE; | 174 | LANDLOCK_ACCESS_FS_EXECUTE; |
233 | 175 | ||
234 | error = landlock_add_rule(ll_ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, | 176 | return ll_fs(allowed_path, allowed_access, __func__); |
235 | &target, 0); | ||
236 | if (error) { | ||
237 | fprintf(stderr, "Error: %s: failed to add Landlock rule for %s: %s\n", | ||
238 | __func__, allowed_path, strerror(errno)); | ||
239 | } | ||
240 | close(allowed_fd); | ||
241 | return error; | ||
242 | } | 177 | } |
243 | 178 | ||
244 | int ll_basic_system(void) { | 179 | int ll_basic_system(void) { |