author | netblue30 <netblue30@protonmail.com> | 2023-10-26 10:21:40 -0400 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-11-07 17:55:14 -0300 |
commit | b94cc754a0f88ac5b594c52b6a1a3c88b622772c (patch) | |
tree | 50480635c337f305a8f8f2ed27f79cdc0e9b1d4e /src | |
parent | landlock: new filesystem for --landlock command (diff) | |
landlock: apply rules in sandbox before app start
Apply rules in the sandbox thread before the application is started.
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 8 | ||||
-rw-r--r-- | src/firejail/landlock.c | 12 | ||||
-rw-r--r-- | src/firejail/main.c | 8 | ||||
-rw-r--r-- | src/firejail/profile.c | 8 |
4 files changed, 28 insertions, 8 deletions
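--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -150,6 +150,11 @@ typedef struct profile_entry_t {
 
 } ProfileEntry;
 
+typedef struct landlock_entry_t {
+struct landlock_entry_t *next;
+char *data;
+} LandlockEntry;
+
 typedef struct config_t {
 // user data
 char *username;
@@ -159,6 +164,7 @@ typedef struct config_t {
 // filesystem
 ProfileEntry *profile;
 ProfileEntry *profile_rebuild_etc; // blacklist files in /etc directory used by fs_rebuild_etc()
+LandlockEntry *lprofile;
 
 #define MAX_PROFILE_IGNORE 32
 char *profile_ignore[MAX_PROFILE_IGNORE];
@@ -962,6 +968,7 @@ int ll_special(const char *allowed_path);
 int ll_exec(const char *allowed_path);
 int ll_basic_system(void);
 int ll_restrict(__u32 flags);
+void ll_add_profile(const char *data);
 #else
 static inline int ll_get_fd(void) { return -1; }
 static inline int ll_read(...) { return 0; }
@@ -970,6 +977,7 @@ static inline int ll_special(...) { return 0; }
 static inline int ll_exec(...) { return 0; }
 static inline int ll_basic_system(void) { return 0; }
 static inline int ll_restrict(...) { return 0; }
+static inline void ll_add_profile(...) { return; }
 #endif /* HAVE_LANDLOCK */
 
 #endif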
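Review bot: The new `LandlockEntry` type and the `lprofile` field carry no comment, so a reader cannot tell what `data` holds or who owns it, while the neighbouring `profile_rebuild_etc` field has a one-line explanation. Going by `ll_add_profile()` in this commit, `data` is a `strdup()` copy of the whole rule text with the keyword still attached. I would add `char *data; // heap copy of the full rule text, keyword included` and `LandlockEntry *lprofile; // landlock rules queued by ll_add_profile()`. `config_t` and the `#ifdef HAVE_LANDLOCK` block both extend outside the hunks shown.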
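--- a/src/firejail/landlock.c
+++ b/src/firejail/landlock.c
@@ -278,4 +278,16 @@ out:
 return error;
 }
 
+void ll_add_profile(const char *data) {
+LandlockEntry *ptr = malloc(sizeof(LandlockEntry));
+if (!ptr)
+errExit("malloc");
+memset(ptr, 0, sizeof(LandlockEntry));
+ptr->data = strdup(data);
+if (!ptr->data)
+errExit("strdup");
+ptr->next = cfg.lprofile;
+cfg.lprofile = ptr;
+}
+
 #endif /* HAVE_LANDLOCK */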
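Review bot: Nothing on this page reads `cfg.lprofile` back: the diffstat lists four files under src, and none of their hunks walks the list or calls `ll_read()`, `ll_write()`, `ll_special()` or `ll_exec()` on its entries, so with this commit alone the four landlock options appear to be recorded and then ignored. If the consumer arrives in a later commit, a sandbox built from this revision would start without the requested filesystem restrictions, which is worth stating in the commit message or avoiding by adding the loop here. `ll_add_profile()` also pushes at the head, so the list is in reverse of the order the rules were given; a comment such as `// prepend: list order is the reverse of input order` would help whoever writes the consumer. Smaller points: `strdup(data)` assumes a non-NULL argument, and `calloc(1, sizeof(*ptr))` would replace the `malloc` plus `memset` pair.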
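--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1520,13 +1520,13 @@ int main(int argc, char **argv, char **envp) {
 }
 }
 else if (strncmp(argv[i], "--landlock.read=", 16) == 0)
-ll_read(argv[i] + 16);
+ll_add_profile(argv[i] + 2);
 else if (strncmp(argv[i], "--landlock.write=", 17) == 0)
-ll_write(argv[i] + 17);
+ll_add_profile(argv[i] + 2);
 else if (strncmp(argv[i], "--landlock.special=", 19) == 0)
-ll_special(argv[i] + 19);
+ll_add_profile(argv[i] + 2);
 else if (strncmp(argv[i], "--landlock.execute=", 19) == 0)
-ll_exec(argv[i] + 19);
+ll_add_profile(argv[i] + 2);
 #endif
 else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) {
 if (checkcfg(CFG_SECCOMP))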
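Review bot: `argv[i] + 2` queues the option as `landlock.read=PATH`, while the four branches in profile.c queue the profile line unchanged as `landlock.read PATH`, so whatever later parses `cfg.lprofile` has to accept both `=` and a space after the keyword. Normalising in one place, for example by rewriting the `=` to a space before queuing, would remove the risk that a rule is skipped because of its separator, which here would mean a missing filesystem restriction. The bare `2` would read better with a comment such as `// skip the leading "--"`. An empty value like `--landlock.read=` is queued without a check, just as it was passed through before. The body of `main` starts and ends outside this hunk.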
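--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1098,19 +1098,19 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 if (strncmp(ptr, "landlock.read ", 14) == 0) {
-ll_read(ptr + 14);
+ll_add_profile(ptr);
 return 0;
 }
 if (strncmp(ptr, "landlock.write ", 15) == 0) {
-ll_write(ptr + 15);
+ll_add_profile(ptr);
 return 0;
 }
 if (strncmp(ptr, "landlock.special ", 17) == 0) {
-ll_special(ptr + 17);
+ll_add_profile(ptr);
 return 0;
 }
 if (strncmp(ptr, "landlock.execute ", 17) == 0) {
-ll_exec(ptr + 17);
+ll_add_profile(ptr);
 return 0;
 }
 #endif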