landlock: new filesystem for --landlock command

author: netblue30 <netblue30@protonmail.com> 2023-11-02 08:34:59 -0400
committer: Kelvin M. Klann <kmk3.code@protonmail.com> 2023-11-07 17:55:14 -0300
commit: abc1edccb2c6a0041a05da3f5da71d9025e8ea56 (patch)
tree: bfbb0850afadbd794bf36d356296af5b354b7a27 /src
parent: feature: add Landlock support (diff)
download: firejail-abc1edccb2c6a0041a05da3f5da71d9025e8ea56.tar.gz
firejail-abc1edccb2c6a0041a05da3f5da71d9025e8ea56.tar.zst
firejail-abc1edccb2c6a0041a05da3f5da71d9025e8ea56.zip
1 files changed, 32 insertions, 14 deletions
diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c
index b5f4140c5..602190446 100644
--- a/src/firejail/landlock.c
+++ b/src/firejail/landlock.c
@@ -211,28 +211,46 @@ int ll_basic_system(void) {
        if (ll_ruleset_fd == -1)
                ll_ruleset_fd = ll_create_full_ruleset();
-        int error =
+        int error;
-                ll_read("/bin/") ||
+        char *rundir;
-                ll_read("/dev/") ||
+        if (asprintf(&rundir, "/run/user/%d", getuid()) == -1)
-                ll_read("/etc/") ||
+                errExit("asprintf");
-                ll_read("/lib/") ||
-                ll_read("/opt/") ||
+        error =
-                ll_read("/usr/") ||
+                ll_read("/") ||       // whole system read
-                ll_read("/var/") ||
+                ll_special("/") ||    // sockets etc.
-                ll_read(cfg.homedir) ||
-                ll_write("/dev/") ||
+                ll_write("/tmp") ||   // write access
+                ll_write("/dev") ||
+                ll_write("/run/shm") ||
                ll_write(cfg.homedir) ||
+                ll_write(rundir) ||
-                ll_exec("/bin/") ||
+                ll_exec("/opt") ||    // exec access
-                ll_exec("/lib/") ||
+                ll_exec("/bin") ||
-                ll_exec("/opt/") ||
+                ll_exec("/sbin") ||
-                ll_exec("/usr/");
+                ll_exec("/lib") ||
+                ll_exec("/lib32") ||
+                ll_exec("/libx32") ||
+                ll_exec("/lib64") ||
+                ll_exec("/usr/bin") ||
+                ll_exec("/usr/sbin") ||
+                ll_exec("/usr/games") ||
+                ll_exec("/usr/lib") ||
+                ll_exec("/usr/lib32") ||
+                ll_exec("/usr/libx32") ||
+                ll_exec("/usr/lib64") ||
+                ll_exec("/usr/local/bin") ||
+                ll_exec("/usr/local/sbin") ||
+                ll_exec("/usr/local/games") ||
+                ll_exec("/usr/local/lib") ||
+                ll_exec("/run/firejail"); // appimage and various firejail features
        if (error) {
                fprintf(stderr, "Error: %s: failed to set --landlock rules\n",
                        __func__);
        }
+        free(rundir);
        return error;
 }
author	netblue30 <netblue30@protonmail.com>	2023-11-02 08:34:59 -0400
committer	Kelvin M. Klann <kmk3.code@protonmail.com>	2023-11-07 17:55:14 -0300
commit	abc1edccb2c6a0041a05da3f5da71d9025e8ea56 (patch)
tree	bfbb0850afadbd794bf36d356296af5b354b7a27 /src
parent	feature: add Landlock support (diff)
download	firejail-abc1edccb2c6a0041a05da3f5da71d9025e8ea56.tar.gz firejail-abc1edccb2c6a0041a05da3f5da71d9025e8ea56.tar.zst firejail-abc1edccb2c6a0041a05da3f5da71d9025e8ea56.zip

diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c index b5f4140c5..602190446 100644 --- a/src/firejail/landlock.c +++ b/src/firejail/landlock.c
@@ -211,28 +211,46 @@ int ll_basic_system(void) {
211	if (ll_ruleset_fd == -1)	211	if (ll_ruleset_fd == -1)
212	ll_ruleset_fd = ll_create_full_ruleset();	212	ll_ruleset_fd = ll_create_full_ruleset();
213		213
214	int error =	214	int error;
215	ll_read("/bin/") \|\|	215	char *rundir;
216	ll_read("/dev/") \|\|	216	if (asprintf(&rundir, "/run/user/%d", getuid()) == -1)
217	ll_read("/etc/") \|\|	217	errExit("asprintf");
218	ll_read("/lib/") \|\|	218
219	ll_read("/opt/") \|\|	219	error =
220	ll_read("/usr/") \|\|	220	ll_read("/") \|\| // whole system read
221	ll_read("/var/") \|\|	221	ll_special("/") \|\| // sockets etc.
222	ll_read(cfg.homedir) \|\|
223		222
224	ll_write("/dev/") \|\|	223	ll_write("/tmp") \|\| // write access
		224	ll_write("/dev") \|\|
		225	ll_write("/run/shm") \|\|
225	ll_write(cfg.homedir) \|\|	226	ll_write(cfg.homedir) \|\|
		227	ll_write(rundir) \|\|
226		228
227	ll_exec("/bin/") \|\|	229	ll_exec("/opt") \|\| // exec access
228	ll_exec("/lib/") \|\|	230	ll_exec("/bin") \|\|
229	ll_exec("/opt/") \|\|	231	ll_exec("/sbin") \|\|
230	ll_exec("/usr/");	232	ll_exec("/lib") \|\|
		233	ll_exec("/lib32") \|\|
		234	ll_exec("/libx32") \|\|
		235	ll_exec("/lib64") \|\|
		236	ll_exec("/usr/bin") \|\|
		237	ll_exec("/usr/sbin") \|\|
		238	ll_exec("/usr/games") \|\|
		239	ll_exec("/usr/lib") \|\|
		240	ll_exec("/usr/lib32") \|\|
		241	ll_exec("/usr/libx32") \|\|
		242	ll_exec("/usr/lib64") \|\|
		243	ll_exec("/usr/local/bin") \|\|
		244	ll_exec("/usr/local/sbin") \|\|
		245	ll_exec("/usr/local/games") \|\|
		246	ll_exec("/usr/local/lib") \|\|
		247	ll_exec("/run/firejail"); // appimage and various firejail features
231		248
232	if (error) {	249	if (error) {
233	fprintf(stderr, "Error: %s: failed to set --landlock rules\n",	250	fprintf(stderr, "Error: %s: failed to set --landlock rules\n",
234	__func__);	251	__func__);
235	}	252	}
		253	free(rundir);
236	return error;	254	return error;
237	}	255	}
238		256