author | netblue30 <netblue30@protonmail.com> | 2023-11-02 08:34:59 -0400 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-11-07 17:55:14 -0300 |
commit | 520508d5be10e7579635193d24bc1ff004ed682b (patch) | |
tree | 32b2df274a144365e68c57e3735b30ddc0b9b68f /src | |
parent | landlock: apply rules in sandbox before app start (diff) | |
landlock: avoid parsing landlock commands twice
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 8 | ||||
-rw-r--r-- | src/firejail/landlock.c | 27 | ||||
-rw-r--r-- | src/firejail/main.c | 8 | ||||
-rw-r--r-- | src/firejail/profile.c | 8 |
4 files changed, 40 insertions, 11 deletions
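diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 43325de62..f9f4cb473 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -152,6 +152,12 @@ typedef struct profile_entry_t {
 
 typedef struct landlock_entry_t {
 struct landlock_entry_t *next;
+#define LL_READ 0
+#define LL_WRITE 1
+#define LL_SPECIAL 2
+#define LL_EXEC 3
+#define LL_MAX 4
+int type;
 char *data;
 } LandlockEntry;
 
@@ -968,7 +974,7 @@ int ll_special(const char *allowed_path);
 int ll_exec(const char *allowed_path);
 int ll_basic_system(void);
 int ll_restrict(__u32 flags);
-void ll_add_profile(const char *data);
+void ll_add_profile(int type, const char *data);
 #else
 static inline int ll_get_fd(void) { return -1; }
 static inline int ll_read(...) { return 0; }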
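Review bot: The new LL_READ..LL_MAX tags are bare `#define`s placed inside the body of `landlock_entry_t`, next to an `int type;` field that says nothing about what it holds or that LL_MAX is a bound rather than a value. A single `enum { LL_READ, LL_WRITE, LL_SPECIAL, LL_EXEC, LL_MAX };` above the typedef yields the same numbers, is visible in a debugger, and keeps the constants out of the struct; the field can then read `int type; /* LL_READ..LL_EXEC: selects which ll_*() applies this entry; LL_MAX is the bound */`. The `data` field and the changed prototype also deserve a line each, e.g. `char *data; /* path argument, copied by ll_add_profile() */` and, on `ll_add_profile`, a comment that `type` must be below LL_MAX and that `data` is duplicated after leading blanks are skipped, which is what landlock.c in this commit does.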
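diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c
index b2a427047..596e35aea 100644
--- a/src/firejail/landlock.c
+++ b/src/firejail/landlock.c
@@ -255,6 +255,20 @@ int ll_basic_system(void) {
 }
 
 int ll_restrict(__u32 flags) {
+int (*fnc[])(const char *) = {
+ll_read,
+ll_write,
+ll_special,
+ll_exec,
+NULL
+};
+
+LandlockEntry *ptr = cfg.lprofile;
+while (ptr) {
+fnc[ptr->type](ptr->data);
+ptr = ptr->next;
+}
+
 if (ll_ruleset_fd == -1)
 return 0;
 
@@ -278,12 +292,21 @@ out:
 return error;
 }
 
-void ll_add_profile(const char *data) {
+void ll_add_profile(int type, const char *data) {
+assert(type >= 0);
+assert(type < LL_MAX);
+assert(data);
+
+const char *str = data;
+while (*str == ' ' || *str == '\t')
+str++;
+
 LandlockEntry *ptr = malloc(sizeof(LandlockEntry));
 if (!ptr)
 errExit("malloc");
 memset(ptr, 0, sizeof(LandlockEntry));
-ptr->data = strdup(data);
+ptr->type = type;
+ptr->data = strdup(str);
 if (!ptr->data)
 errExit("strdup");
 ptr->next = cfg.lprofile;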
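Review bot: In ll_restrict, `fnc[ptr->type](ptr->data);` throws away the `int` that ll_read/ll_write/ll_special/ll_exec are declared to return in firejail.h, so a profile entry whose rule could not be added is applied silently and the function carries on to its normal return path as if the whole profile took effect. Their bodies are outside this hunk, but if a non-zero return means failure there, the loop should at least report it, e.g. `if (fnc[ptr->type](ptr->data)) fprintf(stderr, "Error: failed to apply landlock rule for %s\n", ptr->data);`, and ideally feed it into the `error` this function already returns. The dispatch table is kept in step with LL_READ..LL_EXEC only by position and its trailing NULL is unreachable given the `type < LL_MAX` assert; `int (*fnc[LL_MAX])(const char *) = { [LL_READ] = ll_read, [LL_WRITE] = ll_write, [LL_SPECIAL] = ll_special, [LL_EXEC] = ll_exec };` keeps the two from drifting if the constants are ever reordered. Note also that the only range check on `type` is the assert() in ll_add_profile, which vanishes under NDEBUG; every caller in this commit passes a constant, so that is acceptable today, but a plain `if` at the dispatch site would cost nothing. ll_add_profile's body continues past the end of the hunk.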
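diff --git a/src/firejail/main.c b/src/firejail/main.c
index 8715d9486..b39693af7 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1520,13 +1520,13 @@ int main(int argc, char **argv, char **envp) {
 }
 }
 else if (strncmp(argv[i], "--landlock.read=", 16) == 0)
-ll_add_profile(argv[i] + 2);
+ll_add_profile(LL_READ, argv[i] + 16);
 else if (strncmp(argv[i], "--landlock.write=", 17) == 0)
-ll_add_profile(argv[i] + 2);
+ll_add_profile(LL_WRITE, argv[i] + 17);
 else if (strncmp(argv[i], "--landlock.special=", 19) == 0)
-ll_add_profile(argv[i] + 2);
+ll_add_profile(LL_SPECIAL, argv[i] + 19);
 else if (strncmp(argv[i], "--landlock.execute=", 19) == 0)
-ll_add_profile(argv[i] + 2);
+ll_add_profile(LL_EXEC, argv[i] + 19);
 #endif
 else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) {
 if (checkcfg(CFG_SECCOMP))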
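Review bot: `--landlock.read=` with nothing after the `=` (and the same for the other three options) now passes an empty string straight to ll_add_profile, which in this commit only skips blanks and strdup()s it, so the empty path is stored and later handed to the dispatched ll_* call with no diagnostic at the point where the user made the mistake; a value made only of spaces or tabs ends up the same way. Because all four branches funnel into ll_add_profile, the cheapest single place for the check is right after its whitespace skip: `if (*str == '\0') { fprintf(stderr, "Error: empty landlock path\n"); exit(1); }`, in the error-and-exit form presumably used for other bad option values elsewhere in main.c. main() starts and ends outside the hunk.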
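diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 4e67ec2a3..e3554eb12 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1098,19 +1098,19 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 if (strncmp(ptr, "landlock.read ", 14) == 0) {
-ll_add_profile(ptr);
+ll_add_profile(LL_READ, ptr + 14);
 return 0;
 }
 if (strncmp(ptr, "landlock.write ", 15) == 0) {
-ll_add_profile(ptr);
+ll_add_profile(LL_WRITE, ptr + 15);
 return 0;
 }
 if (strncmp(ptr, "landlock.special ", 17) == 0) {
-ll_add_profile(ptr);
+ll_add_profile(LL_SPECIAL, ptr + 17);
 return 0;
 }
 if (strncmp(ptr, "landlock.execute ", 17) == 0) {
-ll_add_profile(ptr);
+ll_add_profile(LL_EXEC, ptr + 17);
 return 0;
 }
 #endif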
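Review bot: Each of the four branches now repeats a hand-counted prefix length twice, once in the strncmp and once in the new `ptr + N`, and nothing ties the number to the literal; 14, 15, 17 and 17 are right today, but a renamed keyword would silently pass a shifted pointer to ll_add_profile, which only strips leading blanks and would happily store the tail of the keyword as a path. A small keyword/type table walked with strlen() removes the duplicated numbers and keeps the four cases from drifting apart, as sketched below; it also gives one place to add the empty-argument check these lines currently lack. profile_check_line starts and ends outside the hunk.
```c
static const struct { const char *kw; int type; } ll_cmds[] = {
	{ "landlock.read ", LL_READ },
	{ "landlock.write ", LL_WRITE },
	{ "landlock.special ", LL_SPECIAL },
	{ "landlock.execute ", LL_EXEC },
};
for (size_t i = 0; i < sizeof(ll_cmds) / sizeof(ll_cmds[0]); i++) {
	size_t len = strlen(ll_cmds[i].kw);
	if (strncmp(ptr, ll_cmds[i].kw, len) == 0) {
		ll_add_profile(ll_cmds[i].type, ptr + len);
		return 0;
	}
}
// … unchanged: #endif and the remaining keywords …
```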