author | Азалия Смарагдова <charming.flurry@yandex.ru> | 2022-08-15 14:19:27 +0500 |
---|---|---|
committer | Азалия Смарагдова <charming.flurry@yandex.ru> | 2022-08-15 14:36:02 +0500 |
commit | ba828befe06b99b7dc2d504085cb40aa2d710998 (patch) | |
tree | 93e811dc6f03be1045f425e74c016ff9de44eb3b /src | |
parent | Landlock support has been added. (diff) | |
Landlock functions are added to the code of Firejail, removing the dependency on tinyLL
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 20 | ||||
-rw-r--r-- | src/firejail/landlock.c | 70 | ||||
-rw-r--r-- | src/firejail/main.c | 3 | ||||
-rw-r--r-- | src/firejail/profile.c | 3 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 3 | ||||
-rw-r--r-- | src/include/landlock.h | 70 | ||||
-rw-r--r-- | src/include/tinyLL.h | 23 |
7 files changed, 159 insertions, 33 deletions
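--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -22,15 +22,33 @@
 #include "../include/common.h"
 #include "../include/euid_common.h"
 #include "../include/rundefs.h"
-#include <linux/limits.h> // Note: Plain limits.h may break ARG_MAX (see #4583)
+#ifdef HAVE_LANDLOCK
 #include <linux/landlock.h>
+#endif
+#include <linux/limits.h> // Note: Plain limits.h may break ARG_MAX (see #4583)
 #include <stdarg.h>
 #include <sys/stat.h>
 
 // debug restricted shell
 //#define DEBUG_RESTRICTED_SHELL
 
+#ifdef HAVE_LANDLOCK
+
+extern int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags);
+
+extern int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags);
+
+extern int landlock_restrict_self(int fd,__u32 flags);
 
+extern int create_full_ruleset();
+
+extern int add_read_access_rule_by_path(int rset_fd,char *allowed_path);
+
+extern int add_write_access_rule_by_path(int rset_fd,char *allowed_path,int restricted);
+
+extern int add_execute_rule_by_path(int rset_fd,char *allowed_path);
+
+#endif
 
 // profiles
 #define DEFAULT_USER_PROFILE "default"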
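Review bot: `extern int create_full_ruleset();` on new line 43 is an old-style declaration with an unspecified parameter list, not a prototype, so the compiler cannot check its call sites; write `extern int create_full_ruleset(void);` and use the same form for the definition in landlock.c. The `char *allowed_path` parameters of the three `add_*_rule_by_path` declarations (new lines 45, 47, 49) are only ever passed to `open()` and could be `const char *`, which lets profile text and string literals be passed without a cast. The `restricted` argument on line 47 is an integer that landlock.c interprets as exactly 0 or 1 and rejects otherwise; a one-line comment here such as `// restricted: 0 = full write set, 1 = no MAKE_SOCK/FIFO/BLOCK, other values rejected` would save callers a trip to the implementation.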
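--- /dev/null
+++ b/src/firejail/landlock.c
@@ -0,0 +1,70 @@
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <linux/landlock.h>
+
+int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags) {
+return syscall(__NR_landlock_create_ruleset,rsattr,size,flags);
+}
+
+int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags) {
+return syscall(__NR_landlock_add_rule,fd,t,attr,flags);
+}
+
+int landlock_restrict_self(int fd,__u32 flags) {
+int result = syscall(__NR_landlock_restrict_self,fd,flags);
+if (result!=0) return result;
+else {
+close(fd);
+return 0;
+}
+}
+
+int create_full_ruleset() {
+struct landlock_ruleset_attr attr;
+attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM | LANDLOCK_ACCESS_FS_EXECUTE;
+return landlock_create_ruleset(&attr,sizeof(attr),0);
+}
+
+int add_read_access_rule_by_path(int rset_fd,char *allowed_path) {
+int result;
+int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
+struct landlock_path_beneath_attr target;
+target.parent_fd = allowed_fd;
+target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
+result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
+close(allowed_fd);
+return result;
+}
+
+int add_write_access_rule_by_path(int rset_fd,char *allowed_path,int restricted) {
+int result;
+int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
+struct landlock_path_beneath_attr target;
+target.parent_fd = allowed_fd;
+if (restricted==0) target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM;
+else if (restricted==1) target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SYM;
+else {
+close(allowed_fd);
+return -1;
+}
+result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
+close(allowed_fd);
+return result;
+}
+
+int add_execute_rule_by_path(int rset_fd,char *allowed_path) {
+int result;
+int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
+struct landlock_path_beneath_attr target;
+target.parent_fd = allowed_fd;
+target.allowed_access = LANDLOCK_ACCESS_FS_EXECUTE;
+result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
+close(allowed_fd);
+return result;
+}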
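Review bot: The `open()` result is never checked in `add_read_access_rule_by_path`, `add_write_access_rule_by_path` and `add_execute_rule_by_path` (new lines 36, 47, 63): when the path does not exist, `allowed_fd` is -1, the rule is still submitted with `parent_fd = -1`, and the caller gets back whatever the kernel reports for the bad descriptor plus a stray `close(-1)`, so "path is missing from the profile's filesystem" is indistinguishable from "kernel rejected the rule". Add `if (allowed_fd < 0) return -1;` right after each `open()` so errno still reflects the failed open; the sandbox fails closed either way, but the diagnostic is only useful with the check. In `create_full_ruleset` (line 29) `struct landlock_ruleset_attr attr;` is left uninitialized apart from `handled_access_fs`, so any further member a newer `<linux/landlock.h>` adds to the struct would be passed to the kernel as stack garbage via `sizeof(attr)`; `struct landlock_ruleset_attr attr = { .handled_access_fs = ... };` avoids that. `landlock_restrict_self` (lines 19-26) closes `fd` only on success, which leaves ownership of the ruleset fd depending on the return value; either close on both paths or state the asymmetry in a comment, e.g. `/* on success the ruleset fd is consumed; on failure the caller still owns it */`.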
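--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -23,9 +23,6 @@
 #include "../include/gcov_wrapper.h"
 #include "../include/syscall.h"
 #include "../include/seccomp.h"
-#ifdef HAVE_LANDLOCK
-#include "../include/tinyLL.h"
-#endif
 #define _GNU_SOURCE
 #include <sys/utsname.h>
 #include <sched.h>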
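--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -21,9 +21,6 @@
 #include "../include/gcov_wrapper.h"
 #include "../include/seccomp.h"
 #include "../include/syscall.h"
-#ifdef HAVE_LANDLOCK
-#include "../include/tinyLL.h"
-#endif
 #include <dirent.h>
 #include <sys/stat.h>
 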
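--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -21,9 +21,6 @@
 #include "firejail.h"
 #include "../include/gcov_wrapper.h"
 #include "../include/seccomp.h"
-#ifdef HAVE_LANDLOCK
-#include "../include/tinyLL.h"
-#endif
 #include <sys/mman.h>
 #include <sys/mount.h>
 #include <sys/wait.h>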
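--- /dev/null
+++ b/src/include/landlock.h
@@ -0,0 +1,70 @@
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <linux/landlock.h>
+
+int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags) {
+return syscall(__NR_landlock_create_ruleset,rsattr,size,flags);
+}
+
+int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags) {
+return syscall(__NR_landlock_add_rule,fd,t,attr,flags);
+}
+
+int landlock_restrict_self(int fd,__u32 flags) {
+int result = syscall(__NR_landlock_restrict_self,fd,flags);
+if (result!=0) return result;
+else {
+close(fd);
+return 0;
+}
+}
+
+int create_full_ruleset() {
+struct landlock_ruleset_attr attr;
+attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM | LANDLOCK_ACCESS_FS_EXECUTE;
+return landlock_create_ruleset(&attr,sizeof(attr),0);
+}
+
+int add_read_access_rule_by_path(int rset_fd,char *allowed_path) {
+int result;
+int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
+struct landlock_path_beneath_attr target;
+target.parent_fd = allowed_fd;
+target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
+result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
+close(allowed_fd);
+return result;
+}
+
+int add_write_access_rule_by_path(int rset_fd,char *allowed_path,int restricted) {
+int result;
+int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
+struct landlock_path_beneath_attr target;
+target.parent_fd = allowed_fd;
+if (restricted==0) target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM;
+else if (restricted==1) target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SYM;
+else {
+close(allowed_fd);
+return -1;
+}
+result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
+close(allowed_fd);
+return result;
+}
+
+int add_execute_rule_by_path(int rset_fd,char *allowed_path) {
+int result;
+int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
+struct landlock_path_beneath_attr target;
+target.parent_fd = allowed_fd;
+target.allowed_access = LANDLOCK_ACCESS_FS_EXECUTE;
+result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
+close(allowed_fd);
+return result;
+}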
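Review bot: src/include/landlock.h is a byte-for-byte copy of src/firejail/landlock.c (both new files carry the same blob index 5d6b0260e), so it holds function definitions, not declarations, and any translation unit that includes it defines `landlock_create_ruleset` and the other five functions a second time and fails to link against landlock.c. Nothing in this commit includes it — main.c, profile.c and sandbox.c only drop tinyLL.h and firejail.h now carries the prototypes — so as committed it is dead code. Either drop the file or reduce it to the prototypes behind an include guard, e.g. `#ifndef LANDLOCK_H` / `#define LANDLOCK_H` around `extern` declarations, and move the `landlock_*` extern block out of firejail.h so there is a single source of the interface. If it is kept as a header, `#define _GNU_SOURCE` on line 1 should go, since a feature-test macro defined after a system header has already been included has no effect on that header and can trigger a redefinition warning.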
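--- a/src/include/tinyLL.h
+++ /dev/null
@@ -1,23 +0,0 @@
-extern int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags);
-
-extern int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags);
-
-extern int landlock_restrict_self(int fd,__u32 flags);
-
-extern int create_full_ruleset();
-
-extern int add_read_access_rule(int rset_fd,int allowed_fd);
-
-extern int add_read_access_rule_by_path(int rset_fd,char *allowed_path);
-
-extern int add_write_access_rule(int rset_fd,int allowed_fd,int restricted);
-
-extern int add_write_access_rule_by_path(int rset_fd,char *allowed_path,int restricted);
-
-extern int add_execute_rule(int rset_fd,int allowed_fd);
-
-extern int add_execute_rule_by_path(int rset_fd,char *allowed_path);
-
-extern int check_nnp();
-
-extern int enable_nnp();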