author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-11-08 09:59:15 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-12-11 14:50:37 -0300 |
commit | 01a9ddbbee65ca04423ecf8402e9c55092c771d2 (patch) | |
tree | b3f9d342ec50c00ec42ece2f884b15b796261d3f /src | |
parent | curl: add support for ~/.config/curlrc (#6120) (diff) | |
landlock: improve logs for debugging
Changes:
* Print everything to stderr (to ensure that the messages are shown in
order)
* Print debug messages at the beginning of most functions
* Include the function name and access flags used
Relates to #6078.
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/landlock.c | 35 |
1 files changed, 27 insertions, 8 deletions
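--- a/src/firejail/landlock.c
+++ b/src/firejail/landlock.c
@@ -68,14 +68,16 @@ int ll_is_supported(void) {
 LANDLOCK_CREATE_RULESET_VERSION);
 if (ll_abi < 1) {
 ll_abi = 0;
-fprintf(stderr, "Warning: Landlock is disabled or not supported: %s, "
+fprintf(stderr, "Warning: %s: Landlock is disabled or not supported: %s, "
 "ignoring landlock commands\n",
-strerror(errno));
+__func__, strerror(errno));
 goto out;
 }
 
-if (arg_debug)
-printf("Detected Landlock ABI version %d\n", ll_abi);
+if (arg_debug) {
+fprintf(stderr, "%s: Detected Landlock ABI version %d\n",
+__func__, ll_abi);
+}
 out:
 return ll_abi;
 }
@@ -100,9 +102,16 @@ static int ll_create_full_ruleset(void) {
 LANDLOCK_ACCESS_FS_REMOVE_FILE |
 LANDLOCK_ACCESS_FS_WRITE_FILE;
 
+if (arg_debug) {
+fprintf(stderr, "%s: Creating Landlock ruleset (abi=%d fs=%llx)\n",
+__func__, ll_abi, attr.handled_access_fs);
+}
+
 int ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0);
 if (ruleset_fd < 0) {
-fprintf(stderr, "Error: failed to create a Landlock ruleset: %s\n",
+fprintf(stderr, "%s: Error: failed to create Landlock ruleset "
+"(abi=%d fs=%llx): %s\n",
+__func__, ll_abi, attr.handled_access_fs,
 strerror(errno));
 }
 return ruleset_fd;
@@ -116,6 +125,11 @@ static int ll_fs(const char *allowed_path, const __u64 allowed_access,
 if (ll_ruleset_fd == -1)
 ll_ruleset_fd = ll_create_full_ruleset();
 
+if (arg_debug) {
+fprintf(stderr, "%s: Adding Landlock rule (abi=%d fs=%llx) for %s\n",
+caller, ll_abi, allowed_access, allowed_path);
+}
+
 int error;
 int allowed_fd = open(allowed_path, O_PATH | O_CLOEXEC);
 if (allowed_fd < 0) {
@@ -132,8 +146,10 @@ static int ll_fs(const char *allowed_path, const __u64 allowed_access,
 error = landlock_add_rule(ll_ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
 &target, 0);
 if (error) {
-fprintf(stderr, "Error: %s: failed to add Landlock rule for %s: %s\n",
-caller, allowed_path, strerror(errno));
+fprintf(stderr, "Error: %s: failed to add Landlock rule "
+"(abi=%d fs=%llx) for %s: %s\n",
+caller, ll_abi, allowed_access, allowed_path,
+strerror(errno));
 }
 close(allowed_fd);
 return error;
@@ -232,6 +248,9 @@ int ll_restrict(__u32 flags) {
 if (!ll_is_supported())
 return 0;
 
+if (arg_debug)
+fprintf(stderr, "%s: Starting Landlock restrict\n", __func__);
+
 int (*fnc[])(const char *) = {
 ll_read,
 ll_write,
@@ -263,7 +282,7 @@ int ll_restrict(__u32 flags) {
 goto out;
 }
 if (arg_debug)
-printf("%s: Enforcing Landlock\n", __func__);
+fprintf(stderr, "%s: Enforcing Landlock\n", __func__);
 out:
 close(ll_ruleset_fd);
 return error;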
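Review bot: The new `fs=%llx` conversions in ll_create_full_ruleset and ll_fs are handed `__u64` values (`attr.handled_access_fs`, `allowed_access`), and `__u64` is not `unsigned long long` on every ABI the kernel headers cover, so the specifier and argument type can disagree there. An explicit cast at each call keeps the format well-defined, for example `caller, ll_abi, (unsigned long long)allowed_access, allowed_path);` and likewise `(unsigned long long)attr.handled_access_fs`. Separately, the ruleset-creation error now begins with `%s: Error:` while ll_fs keeps `Error: %s:` and ll_is_supported uses `Warning: %s:`; putting the severity first in all three keeps filtering on a leading `Error:` reliable when triaging sandbox setup failures. The bodies of ll_fs and ll_restrict continue outside the hunks shown.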