diff options
| author |  Kelvin M. Klann <kmk3.code@protonmail.com> | 2024-02-08 06:14:00 +0000 |
|---|---|---|
| committer |  GitHub <noreply@github.com> | 2024-02-08 06:14:00 +0000 |
| commit | 5f33d8e03f2d373516709e8c89f2fdca361e94ab (patch) | |
| tree | 23e2a5b1d20091844dff9169587abc74f9568da3 /src | |
| parent | build: fix running make clean with undefined vars (diff) | |
| download | firejail-5f33d8e03f2d373516709e8c89f2fdca361e94ab.tar.gz firejail-5f33d8e03f2d373516709e8c89f2fdca361e94ab.tar.zst firejail-5f33d8e03f2d373516709e8c89f2fdca361e94ab.zip | |
landlock: fix struct initialization (#6200)
Recently (as of Landlock ABI 4), the `handled_access_net` field was
added to the `landlock_ruleset_attr` struct in the Linux kernel (in
linux/landlock.h). In src/firejail/landlock.c, that field is not being
set in the struct (as we currently do not use it) before passing it to
the `landlock_create_full_ruleset` syscall, so it is likely to contain
random garbage when used, resulting in the syscall returning EINVAL:
$ firejail --debug --profile=/etc/firejail/landlock-common.inc \
--landlock.enforce true
[...]
ll_is_supported: Detected Landlock ABI version 4
ll_restrict: Starting Landlock restrict
ll_create_full_ruleset: Creating Landlock ruleset (abi=4 fs=1fff)
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
ll_read: Adding Landlock rule (abi=4 fs=c) for /
Error: ll_read: failed to add Landlock rule (abi=4 fs=c) for /: Bad file descriptor
[...]
Not enforcing Landlock
So ensure that all structs in src/firejail/landlock.c are initialized to
0 before using them.
Note: Arch has recently (2024-01-31) updated the linux-api-headers
package from version 6.4-1 to 6.7-1[1]. The former version is not affected
(as it does not contain the extra struct field in linux/landlock.h),
while the latter is.
Fixes #6195.
Relates to #6078.
[1] https://gitlab.archlinux.org/archlinux/packaging/packages/linux-api-headers/-/commit/b4223b0c2bfba54c26acc4dc289415b81b15989f
Reported-by: @curiosityseeker
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/landlock.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c index bb8b1d364..ce222624b 100644 --- a/src/firejail/landlock.c +++ b/src/firejail/landlock.c | |||
| @@ -83,7 +83,7 @@ out: | |||
| 83 | } | 83 | } |
| 84 | 84 | ||
| 85 | static int ll_create_full_ruleset(void) { | 85 | static int ll_create_full_ruleset(void) { |
| 86 | struct landlock_ruleset_attr attr; | 86 | struct landlock_ruleset_attr attr = {0}; |
| 87 | attr.handled_access_fs = | 87 | attr.handled_access_fs = |
| 88 | LANDLOCK_ACCESS_FS_EXECUTE | | 88 | LANDLOCK_ACCESS_FS_EXECUTE | |
| 89 | LANDLOCK_ACCESS_FS_MAKE_BLOCK | | 89 | LANDLOCK_ACCESS_FS_MAKE_BLOCK | |
| @@ -133,7 +133,7 @@ static void _ll_fs(const char *allowed_path, const __u64 allowed_access, | |||
| 133 | return; | 133 | return; |
| 134 | } | 134 | } |
| 135 | 135 | ||
| 136 | struct landlock_path_beneath_attr target; | 136 | struct landlock_path_beneath_attr target = {0}; |
| 137 | target.parent_fd = allowed_fd; | 137 | target.parent_fd = allowed_fd; |
| 138 | target.allowed_access = allowed_access; | 138 | target.allowed_access = allowed_access; |
| 139 | int error = landlock_add_rule(ll_ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, | 139 | int error = landlock_add_rule(ll_ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, |