author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2024-04-08 11:22:15 -0300 |
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2024-04-10 02:42:17 -0300 |
commit | a05ae97af2a52b8349d732fecbc4343c86222400 (patch) | |
tree | bc45372e0ee230bd5bcebd06eedc1473556a9b94 /src | |
parent | landlock fix for old kernel versions (diff) | |
landlock: amend empty functions and comments
Changes:
* Always declare public landlock functions, regardless of
`HAVE_LANDLOCK`
* Make the other public landlock functions (besides `ll_add_profile`)
also be empty when `HAVE_LANDLOCK` is not defined
* Clarify related comments
This amends commit 8259f66e1 ("landlock fix for old kernel versions",
2024-04-06).
For clarity, landlock-common.inc is included by default.profile and the
issue that the aforementioned commit fixes is that if profile.c is built
without the part that parses landlock commands (that is, when
`HAVE_LANDLOCK` is not defined), using default.profile would cause
firejail to abort due to "invalid lines".
Note that the issue would only occur when firejail is built with an
older kernel (or with --disable-landlock), not when simply running on an
older kernel.
See also commit b02a7a337 ("landlock: remove empty functions",
2023-12-07).
Relates to #6078.
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/landlock.c | 14 | ||||
-rw-r--r-- | src/firejail/profile.c | 6 |
3 files changed, 17 insertions, 5 deletions
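--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -966,10 +966,8 @@ void run_ids(int argc, char **argv);
 void oom_set(const char *oom_string);
 
 // landlock.c
-#ifdef HAVE_LANDLOCK
 int ll_get_fd(void);
 int ll_restrict(uint32_t flags);
 void ll_add_profile(int type, const char *data);
-#endif /* HAVE_LANDLOCK */
 
 #endif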
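Review bot: The three prototypes at new lines 969-971 are now visible in every build, but nothing in the header says that their behavior depends on `HAVE_LANDLOCK`, so a reader of the header alone cannot tell that a call may be a no-op in a build without landlock support. A short comment above the group would close that gap, e.g. `// landlock.c (stubs when HAVE_LANDLOCK is undefined: ll_get_fd() returns -1, ll_restrict() returns 0, ll_add_profile() ignores its arguments)`. The return values quoted are the ones the stubs added to landlock.c in this same commit produce.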
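--- a/src/firejail/landlock.c
+++ b/src/firejail/landlock.c
@@ -18,7 +18,6 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 
-#ifdef HAVE_LANDLOCK
 #include "firejail.h"
 #include <linux/landlock.h>
 #include <sys/prctl.h>
@@ -27,6 +26,8 @@
 #include <errno.h>
 #include <fcntl.h>
 
+#ifdef HAVE_LANDLOCK
+
 static int ll_ruleset_fd = -1;
 static int ll_abi = -1;
 
@@ -295,6 +296,17 @@ void ll_add_profile(int type, const char *data) {
 }
 
 #else
+
+int ll_get_fd(void) {
+return -1;
+}
+
+int ll_restrict(uint32_t flags) {
+(void) flags;
+
+return 0;
+}
+
 void ll_add_profile(int type, const char *data) {
 (void) type;
 (void) data;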
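Review bot: Moving `#ifdef HAVE_LANDLOCK` from before the includes (removed at old line 21) to after them (added at new line 29) makes `#include <linux/landlock.h>` unconditional, and if `HAVE_LANDLOCK` is undefined precisely because the build host's kernel headers lack that file, which the description's "built with an older kernel" case suggests, this translation unit will no longer compile in the configuration the stubs are meant to serve. Wrapping only the kernel-specific include, `#ifdef HAVE_LANDLOCK` / `#include <linux/landlock.h>` / `#endif`, while keeping the stubs outside the guard would avoid that; this applies to the first and second hunks together. Separately, the new `ll_restrict` stub returns 0, presumably the success value of the real implementation, so a profile requesting enforcement runs with no landlock restriction and no message; a comment on the stub such as `// landlock compiled out: nothing is enforced, the caller still sees 0` (or a warning to the user) would make the fail-open behavior visible to whoever reads the call site.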
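--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1074,8 +1074,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 
 //#ifdef HAVE_LANDLOCK
-// landlock_connon.inc included by derfault in landlock.profile
-// all landlcok functions are empty in case landlock is not available in the kernel
+// landlock-common.inc is included by default.profile, so the entries of the
+// former should be processed or ignored instead of aborting.
+// Note that all landlock functions are empty when building without landlock
+// support.
 if (strncmp(ptr, "landlock.enforce", 16) == 0) {
 arg_landlock_enforce = 1;
 return 0;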
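Review bot: The commented-out `//#ifdef HAVE_LANDLOCK` at line 1076 is left in place even though the rewritten comment right below it now explains why the landlock commands are parsed unconditionally; a disabled preprocessor directive reads as dead code and invites someone to re-enable it, recreating the abort this series fixes. Dropping that line and keeping only the prose comment, which already carries the reasoning, would be clearer. The enclosing `profile_check_line` starts and ends outside the hunk.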