Merge pull request #6187 from kmk3/landlock-add-dev

landlock: split .special into .makeipc and .makedev
author: Kelvin M. Klann <kmk3.code@protonmail.com> 2024-02-05 07:44:09 +0000
committer: GitHub <noreply@github.com> 2024-02-05 07:44:09 +0000
commit: e488eb3605735eb05676921da5a2d20179bdcc64 (patch)
tree: c35ec56313950b1cf56fd3d9e2ce3276af267220 /src
parent: build(deps): bump github/codeql-action from 3.23.2 to 3.24.0 (diff)
parent: landlock: split .special into .makeipc and .makedev (diff)
download: firejail-e488eb3605735eb05676921da5a2d20179bdcc64.tar.gz
firejail-e488eb3605735eb05676921da5a2d20179bdcc64.tar.zst
firejail-e488eb3605735eb05676921da5a2d20179bdcc64.zip
9 files changed, 50 insertions, 20 deletions
diff --git a/src/bash_completion/firejail.bash_completion.in b/src/bash_completion/firejail.bash_completion.in
index 76667ca0c..6c985bc6e 100644
--- a/src/bash_completion/firejail.bash_completion.in
+++ b/src/bash_completion/firejail.bash_completion.in
@@ -53,7 +53,11 @@ _firejail()
            _filedir
            return 0
            ;;
-        --landlock.special)
+        --landlock.makeipc)
+            _filedir
+            return 0
+            ;;
+        --landlock.makedev)
            _filedir
            return 0
            ;;
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index eb9287f2e..2122649cf 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -154,9 +154,10 @@ typedef struct landlock_entry_t {
        struct landlock_entry_t *next;
 #define LL_READ 0
 #define LL_WRITE 1
-#define LL_SPECIAL 2
+#define LL_MAKEIPC 2
-#define LL_EXEC 3
+#define LL_MAKEDEV 3
-#define LL_MAX 4
+#define LL_EXEC 4
+#define LL_MAX 5
        int type;
        char *data;
 } LandlockEntry;
diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c
index 77149a134..c445e74d9 100644
--- a/src/firejail/landlock.c
+++ b/src/firejail/landlock.c
@@ -194,16 +194,22 @@ static void ll_write(const char *allowed_path) {
        ll_fs(allowed_path, allowed_access, __func__);
 }
-static void ll_special(const char *allowed_path) {
+static void ll_makeipc(const char *allowed_path) {
        __u64 allowed_access =
-                LANDLOCK_ACCESS_FS_MAKE_BLOCK |
-                LANDLOCK_ACCESS_FS_MAKE_CHAR |
                LANDLOCK_ACCESS_FS_MAKE_FIFO |
                LANDLOCK_ACCESS_FS_MAKE_SOCK;
        ll_fs(allowed_path, allowed_access, __func__);
 }
+static void ll_makedev(const char *allowed_path) {
+        __u64 allowed_access =
+                LANDLOCK_ACCESS_FS_MAKE_BLOCK |
+                LANDLOCK_ACCESS_FS_MAKE_CHAR;
+        ll_fs(allowed_path, allowed_access, __func__);
+}
 static void ll_exec(const char *allowed_path) {
        __u64 allowed_access =
                LANDLOCK_ACCESS_FS_EXECUTE;
@@ -223,7 +229,8 @@ int ll_restrict(uint32_t flags) {
        void (*fnc[])(const char *) = {
                ll_read,
                ll_write,
-                ll_special,
+                ll_makeipc,
+                ll_makedev,
                ll_exec,
                NULL
        };
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 341bac058..4d8ea20c3 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1509,8 +1509,10 @@ int main(int argc, char **argv, char **envp) {
                        ll_add_profile(LL_READ, argv[i] + 16);
                else if (strncmp(argv[i], "--landlock.write=", 17) == 0)
                        ll_add_profile(LL_WRITE, argv[i] + 17);
-                else if (strncmp(argv[i], "--landlock.special=", 19) == 0)
+                else if (strncmp(argv[i], "--landlock.makeipc=", 19) == 0)
-                        ll_add_profile(LL_SPECIAL, argv[i] + 19);
+                        ll_add_profile(LL_MAKEIPC, argv[i] + 19);
+                else if (strncmp(argv[i], "--landlock.makedev=", 19) == 0)
+                        ll_add_profile(LL_MAKEDEV, argv[i] + 19);
                else if (strncmp(argv[i], "--landlock.execute=", 19) == 0)
                        ll_add_profile(LL_EXEC, argv[i] + 19);
 #endif
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index c0abc3398..a5a8393e9 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1086,8 +1086,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                ll_add_profile(LL_WRITE, ptr + 15);
                return 0;
        }
-        if (strncmp(ptr, "landlock.special ", 17) == 0) {
+        if (strncmp(ptr, "landlock.makeipc ", 17) == 0) {
-                ll_add_profile(LL_SPECIAL, ptr + 17);
+                ll_add_profile(LL_MAKEIPC, ptr + 17);
+                return 0;
+        }
+        if (strncmp(ptr, "landlock.makedev ", 17) == 0) {
+                ll_add_profile(LL_MAKEDEV, ptr + 17);
                return 0;
        }
        if (strncmp(ptr, "landlock.execute ", 17) == 0) {
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 8598abd9d..c62e8c369 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -137,7 +137,8 @@ static const char *const usage_str =
        "    --landlock.enforce - enforce the Landlock ruleset.\n"
        "    --landlock.read=path - add a read access rule for the path to the Landlock ruleset.\n"
        "    --landlock.write=path - add a write access rule for the path to the Landlock ruleset.\n"
-        "    --landlock.special=path - add an access rule for the path to the Landlock ruleset for creating block/char devices, named pipes and sockets.\n"
+        "    --landlock.makeipc=path - add an access rule for the path to the Landlock ruleset for creating named pipes and sockets.\n"
+        "    --landlock.makedev=path - add an access rule for the path to the Landlock ruleset for creating block/char devices.\n"
        "    --landlock.execute=path - add an execute access rule for the path to the Landlock ruleset.\n"
 #endif
        "    --list - list all sandboxes.\n"
diff --git a/src/man/firejail-profile.5.in b/src/man/firejail-profile.5.in
index e1d7fde94..b6672c16b 100644
--- a/src/man/firejail-profile.5.in
+++ b/src/man/firejail-profile.5.in
@@ -522,10 +522,15 @@ rule for path.
 Create a Landlock ruleset (if it doesn't already exist) and add a write access
 rule for path.
 .TP
-\fBlandlock.special path
+\fBlandlock.makeipc path
 Create a Landlock ruleset (if it doesn't already exist) and add a rule that
-allows the creation of block devices, character devices, named pipes (FIFOs)
+allows the creation of named pipes (FIFOs) and Unix domain sockets beneath
-and Unix domain sockets beneath given path.
+the given path.
+.TP
+\fBlandlock.makedev path
+Create a Landlock ruleset (if it doesn't already exist) and add a rule that
+allows the creation of block devices and character devices beneath the given
+path.
 .TP
 \fBlandlock.execute path
 Create a Landlock ruleset (if it doesn't already exist) and add an execution
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in
index ccc9a50a5..ed1b0bd4a 100644
--- a/src/man/firejail.1.in
+++ b/src/man/firejail.1.in
@@ -1249,10 +1249,15 @@ rule for path.
 Create a Landlock ruleset (if it doesn't already exist) and add a write access
 rule for path.
 .TP
-\fB\-\-landlock.special=path
+\fB\-\-landlock.makeipc=path
 Create a Landlock ruleset (if it doesn't already exist) and add a rule that
-allows the creation of block devices, character devices, named pipes (FIFOs)
+allows the creation of named pipes (FIFOs) and Unix domain sockets beneath
-and Unix domain sockets beneath given path.
+the given path.
+.TP
+\fB\-\-landlock.makedev=path
+Create a Landlock ruleset (if it doesn't already exist) and add a rule that
+allows the creation of block devices and character devices beneath the given
+path.
 .TP
 \fB\-\-landlock.execute=path
 Create a Landlock ruleset (if it doesn't already exist) and add an execution
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index c4056b902..45f24d5f3 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -110,7 +110,8 @@ _firejail_args=(
    '--landlock.enforce[enforce the Landlock ruleset]'
    '--landlock.read=-[add a read access rule for the path to the Landlock ruleset]: :_files'
    '--landlock.write=-[add a write access rule for the path to the Landlock ruleset]: :_files'
-    '--landlock.special=-[add an access rule for the path to the Landlock ruleset for creating block/char devices, named pipes and sockets]: :_files'
+    '--landlock.makeipc=-[add an access rule for the path to the Landlock ruleset for creating named pipes and sockets]: :_files'
+    '--landlock.makedev=-[add an access rule for the path to the Landlock ruleset for creating block/char devices]: :_files'
    '--landlock.execute=-[add an execute access rule for the path to the Landlock ruleset]: :_files'
 #endif
    '--machine-id[spoof /etc/machine-id with a random id]'
author	Kelvin M. Klann <kmk3.code@protonmail.com>	2024-02-05 07:44:09 +0000
committer	GitHub <noreply@github.com>	2024-02-05 07:44:09 +0000
commit	e488eb3605735eb05676921da5a2d20179bdcc64 (patch)
tree	c35ec56313950b1cf56fd3d9e2ce3276af267220 /src
parent	build(deps): bump github/codeql-action from 3.23.2 to 3.24.0 (diff)
parent	landlock: split .special into .makeipc and .makedev (diff)
download	firejail-e488eb3605735eb05676921da5a2d20179bdcc64.tar.gz firejail-e488eb3605735eb05676921da5a2d20179bdcc64.tar.zst firejail-e488eb3605735eb05676921da5a2d20179bdcc64.zip