landlock: sort --landlock commands

Relates to #6078.
author: Kelvin M. Klann <kmk3.code@protonmail.com> 2023-12-09 16:58:38 -0300
committer: Kelvin M. Klann <kmk3.code@protonmail.com> 2023-12-11 22:46:10 -0300
commit: f0dc85e60e495511bbeba521edc8749d3e81dc38 (patch)
tree: 61628e0d423d428df0f1840beb451cefa0a569b9 /src
parent: landlock: expand simple macros in commands (diff)
download: firejail-f0dc85e60e495511bbeba521edc8749d3e81dc38.tar.gz
firejail-f0dc85e60e495511bbeba521edc8749d3e81dc38.tar.zst
firejail-f0dc85e60e495511bbeba521edc8749d3e81dc38.zip
1 files changed, 17 insertions, 12 deletions
diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c
index 157c0ba4c..eadce2d97 100644
--- a/src/firejail/landlock.c
+++ b/src/firejail/landlock.c
@@ -213,31 +213,36 @@ int ll_basic_system(void) {
                ll_read("/") ||       // whole system read
                ll_special("/") ||    // sockets etc.
-                ll_write("/tmp") ||   // write access
+                // write access
-                ll_write("/dev") ||
-                ll_write("/run/shm") ||
                ll_write("${HOME}") ||
                ll_write("${RUNUSER}") ||
+                ll_write("/dev") ||
+                ll_write("/run/shm") ||
+                ll_write("/tmp") ||
-                ll_exec("/opt") ||    // exec access
+                // exec access
+                /// misc
+                ll_exec("/opt") ||
+                ll_exec("/run/firejail") || // appimage and various firejail features
+                /// bin
                ll_exec("/bin") ||
                ll_exec("/sbin") ||
+                ll_exec("/usr/bin") ||
+                ll_exec("/usr/sbin") ||
+                ll_exec("/usr/games") ||
+                ll_exec("/usr/local/bin") ||
+                ll_exec("/usr/local/sbin") ||
+                ll_exec("/usr/local/games") ||
+                /// lib
                ll_exec("/lib") ||
                ll_exec("/lib32") ||
                ll_exec("/libx32") ||
                ll_exec("/lib64") ||
-                ll_exec("/usr/bin") ||
-                ll_exec("/usr/sbin") ||
-                ll_exec("/usr/games") ||
                ll_exec("/usr/lib") ||
                ll_exec("/usr/lib32") ||
                ll_exec("/usr/libx32") ||
                ll_exec("/usr/lib64") ||
-                ll_exec("/usr/local/bin") ||
+                ll_exec("/usr/local/lib");
-                ll_exec("/usr/local/sbin") ||
-                ll_exec("/usr/local/games") ||
-                ll_exec("/usr/local/lib") ||
-                ll_exec("/run/firejail"); // appimage and various firejail features
        if (error) {
                fprintf(stderr, "Error: %s: failed to set --landlock rules\n",
author	Kelvin M. Klann <kmk3.code@protonmail.com>	2023-12-09 16:58:38 -0300
committer	Kelvin M. Klann <kmk3.code@protonmail.com>	2023-12-11 22:46:10 -0300
commit	f0dc85e60e495511bbeba521edc8749d3e81dc38 (patch)
tree	61628e0d423d428df0f1840beb451cefa0a569b9 /src
parent	landlock: expand simple macros in commands (diff)
download	firejail-f0dc85e60e495511bbeba521edc8749d3e81dc38.tar.gz firejail-f0dc85e60e495511bbeba521edc8749d3e81dc38.tar.zst firejail-f0dc85e60e495511bbeba521edc8749d3e81dc38.zip