diff options
| -rw-r--r-- | .github/workflows/check-c.yml | 4 | ||||
| -rw-r--r-- | .github/workflows/check-python.yml | 4 | ||||
| -rw-r--r-- | etc/inc/disable-programs.inc | 2 | ||||
| -rw-r--r-- | etc/profile-a-l/curl.profile | 1 | ||||
| -rw-r--r-- | etc/profile-a-l/fractal.profile | 1 | ||||
| -rw-r--r-- | etc/profile-m-z/obs.profile | 3 | ||||
| -rw-r--r-- | etc/profile-m-z/steam.profile | 3 | ||||
| -rw-r--r-- | src/firejail/firejail.h | 12 | ||||
| -rw-r--r-- | src/firejail/landlock.c | 37 |
9 files changed, 43 insertions, 24 deletions
diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml index 3324906f7..8b023c830 100644 --- a/.github/workflows/check-c.yml +++ b/.github/workflows/check-c.yml | |||
| @@ -150,7 +150,7 @@ jobs: | |||
| 150 | 150 | ||
| 151 | # Initializes the CodeQL tools for scanning. | 151 | # Initializes the CodeQL tools for scanning. |
| 152 | - name: Initialize CodeQL | 152 | - name: Initialize CodeQL |
| 153 | uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75 | 153 | uses: github/codeql-action/init@b374143c1149a9115d881581d29b8390bbcbb59c |
| 154 | with: | 154 | with: |
| 155 | languages: cpp | 155 | languages: cpp |
| 156 | 156 | ||
| @@ -161,4 +161,4 @@ jobs: | |||
| 161 | run: make -j "$(nproc)" | 161 | run: make -j "$(nproc)" |
| 162 | 162 | ||
| 163 | - name: Perform CodeQL Analysis | 163 | - name: Perform CodeQL Analysis |
| 164 | uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75 | 164 | uses: github/codeql-action/analyze@b374143c1149a9115d881581d29b8390bbcbb59c |
diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml index 4425af2b7..186e415d1 100644 --- a/.github/workflows/check-python.yml +++ b/.github/workflows/check-python.yml | |||
| @@ -50,9 +50,9 @@ jobs: | |||
| 50 | 50 | ||
| 51 | # Initializes the CodeQL tools for scanning. | 51 | # Initializes the CodeQL tools for scanning. |
| 52 | - name: Initialize CodeQL | 52 | - name: Initialize CodeQL |
| 53 | uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75 | 53 | uses: github/codeql-action/init@b374143c1149a9115d881581d29b8390bbcbb59c |
| 54 | with: | 54 | with: |
| 55 | languages: python | 55 | languages: python |
| 56 | 56 | ||
| 57 | - name: Perform CodeQL Analysis | 57 | - name: Perform CodeQL Analysis |
| 58 | uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75 | 58 | uses: github/codeql-action/analyze@b374143c1149a9115d881581d29b8390bbcbb59c |
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 13b4b2078..50e4854ac 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
| @@ -411,6 +411,7 @@ blacklist ${HOME}/.config/com.github.bleakgrey.tootle | |||
| 411 | blacklist ${HOME}/.config/com.lettura.dev | 411 | blacklist ${HOME}/.config/com.lettura.dev |
| 412 | blacklist ${HOME}/.config/corebird | 412 | blacklist ${HOME}/.config/corebird |
| 413 | blacklist ${HOME}/.config/coyim | 413 | blacklist ${HOME}/.config/coyim |
| 414 | blacklist ${HOME}/.config/curlrc | ||
| 414 | blacklist ${HOME}/.config/d-feet | 415 | blacklist ${HOME}/.config/d-feet |
| 415 | blacklist ${HOME}/.config/darktable | 416 | blacklist ${HOME}/.config/darktable |
| 416 | blacklist ${HOME}/.config/deadbeef | 417 | blacklist ${HOME}/.config/deadbeef |
| @@ -1219,6 +1220,7 @@ blacklist ${HOME}/Standard Notes Backups | |||
| 1219 | blacklist ${HOME}/TeamSpeak3-Client-linux_amd64 | 1220 | blacklist ${HOME}/TeamSpeak3-Client-linux_amd64 |
| 1220 | blacklist ${HOME}/TeamSpeak3-Client-linux_x86 | 1221 | blacklist ${HOME}/TeamSpeak3-Client-linux_x86 |
| 1221 | blacklist ${HOME}/UpdateInfo | 1222 | blacklist ${HOME}/UpdateInfo |
| 1223 | blacklist ${HOME}/Zomboid | ||
| 1222 | blacklist ${HOME}/hyperrogue.ini | 1224 | blacklist ${HOME}/hyperrogue.ini |
| 1223 | blacklist ${HOME}/i2p | 1225 | blacklist ${HOME}/i2p |
| 1224 | blacklist ${HOME}/mps | 1226 | blacklist ${HOME}/mps |
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile index 42ade7ce9..417abcc91 100644 --- a/etc/profile-a-l/curl.profile +++ b/etc/profile-a-l/curl.profile | |||
| @@ -7,6 +7,7 @@ include curl.local | |||
| 7 | # Persistent global definitions | 7 | # Persistent global definitions |
| 8 | include globals.local | 8 | include globals.local |
| 9 | 9 | ||
| 10 | noblacklist ${HOME}/.config/curlrc # since curl 7.73.0 | ||
| 10 | # curl 7.74.0 introduces experimental support for HSTS cache | 11 | # curl 7.74.0 introduces experimental support for HSTS cache |
| 11 | # https://daniel.haxx.se/blog/2020/11/03/hsts-your-curl/ | 12 | # https://daniel.haxx.se/blog/2020/11/03/hsts-your-curl/ |
| 12 | # Technically this file can be anywhere but let's assume users have it in ${HOME}/.curl-hsts. | 13 | # Technically this file can be anywhere but let's assume users have it in ${HOME}/.curl-hsts. |
diff --git a/etc/profile-a-l/fractal.profile b/etc/profile-a-l/fractal.profile index fe0bc8756..d35055d43 100644 --- a/etc/profile-a-l/fractal.profile +++ b/etc/profile-a-l/fractal.profile | |||
| @@ -23,6 +23,7 @@ include disable-xdg.inc | |||
| 23 | mkdir ${HOME}/.cache/fractal | 23 | mkdir ${HOME}/.cache/fractal |
| 24 | whitelist ${HOME}/.cache/fractal | 24 | whitelist ${HOME}/.cache/fractal |
| 25 | whitelist ${DOWNLOADS} | 25 | whitelist ${DOWNLOADS} |
| 26 | whitelist /usr/share/fractal | ||
| 26 | include whitelist-common.inc | 27 | include whitelist-common.inc |
| 27 | include whitelist-runuser-common.inc | 28 | include whitelist-runuser-common.inc |
| 28 | include whitelist-usr-share-common.inc | 29 | include whitelist-usr-share-common.inc |
diff --git a/etc/profile-m-z/obs.profile b/etc/profile-m-z/obs.profile index 82e7a4137..dbcc07809 100644 --- a/etc/profile-m-z/obs.profile +++ b/etc/profile-m-z/obs.profile | |||
| @@ -10,6 +10,9 @@ noblacklist ${MUSIC} | |||
| 10 | noblacklist ${PICTURES} | 10 | noblacklist ${PICTURES} |
| 11 | noblacklist ${VIDEOS} | 11 | noblacklist ${VIDEOS} |
| 12 | 12 | ||
| 13 | # Allow lua (blacklisted by disable-interpreters.inc) | ||
| 14 | include allow-lua.inc | ||
| 15 | |||
| 13 | # Allow python (blacklisted by disable-interpreters.inc) | 16 | # Allow python (blacklisted by disable-interpreters.inc) |
| 14 | include allow-python2.inc | 17 | include allow-python2.inc |
| 15 | include allow-python3.inc | 18 | include allow-python3.inc |
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile index 41de746dd..e0ced2030 100644 --- a/etc/profile-m-z/steam.profile +++ b/etc/profile-m-z/steam.profile | |||
| @@ -44,6 +44,7 @@ noblacklist ${HOME}/.prey | |||
| 44 | noblacklist ${HOME}/.steam | 44 | noblacklist ${HOME}/.steam |
| 45 | noblacklist ${HOME}/.steampath | 45 | noblacklist ${HOME}/.steampath |
| 46 | noblacklist ${HOME}/.steampid | 46 | noblacklist ${HOME}/.steampid |
| 47 | noblacklist ${HOME}/Zomboid | ||
| 47 | # needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work | 48 | # needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work |
| 48 | noblacklist /sbin | 49 | noblacklist /sbin |
| 49 | noblacklist /usr/sbin | 50 | noblacklist /usr/sbin |
| @@ -95,6 +96,7 @@ mkdir ${HOME}/.paradoxinteractive | |||
| 95 | mkdir ${HOME}/.paradoxlauncher | 96 | mkdir ${HOME}/.paradoxlauncher |
| 96 | mkdir ${HOME}/.prey | 97 | mkdir ${HOME}/.prey |
| 97 | mkdir ${HOME}/.steam | 98 | mkdir ${HOME}/.steam |
| 99 | mkdir ${HOME}/Zomboid | ||
| 98 | mkfile ${HOME}/.steampath | 100 | mkfile ${HOME}/.steampath |
| 99 | mkfile ${HOME}/.steampid | 101 | mkfile ${HOME}/.steampid |
| 100 | whitelist ${HOME}/.config/Epic | 102 | whitelist ${HOME}/.config/Epic |
| @@ -136,6 +138,7 @@ whitelist ${HOME}/.prey | |||
| 136 | whitelist ${HOME}/.steam | 138 | whitelist ${HOME}/.steam |
| 137 | whitelist ${HOME}/.steampath | 139 | whitelist ${HOME}/.steampath |
| 138 | whitelist ${HOME}/.steampid | 140 | whitelist ${HOME}/.steampid |
| 141 | whitelist ${HOME}/Zomboid | ||
| 139 | include whitelist-common.inc | 142 | include whitelist-common.inc |
| 140 | include whitelist-var-common.inc | 143 | include whitelist-var-common.inc |
| 141 | 144 | ||
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 0b34c3019..d0b903fb4 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -974,18 +974,8 @@ int ll_write(const char *allowed_path); | |||
| 974 | int ll_special(const char *allowed_path); | 974 | int ll_special(const char *allowed_path); |
| 975 | int ll_exec(const char *allowed_path); | 975 | int ll_exec(const char *allowed_path); |
| 976 | int ll_basic_system(void); | 976 | int ll_basic_system(void); |
| 977 | int ll_restrict(__u32 flags); | 977 | int ll_restrict(uint32_t flags); |
| 978 | void ll_add_profile(int type, const char *data); | 978 | void ll_add_profile(int type, const char *data); |
| 979 | #else | ||
| 980 | static inline int ll_get_fd(void) { return -1; } | ||
| 981 | static inline int ll_is_supported(void) { return 0; } | ||
| 982 | static inline int ll_read(...) { return 0; } | ||
| 983 | static inline int ll_write(...) { return 0; } | ||
| 984 | static inline int ll_special(...) { return 0; } | ||
| 985 | static inline int ll_exec(...) { return 0; } | ||
| 986 | static inline int ll_basic_system(void) { return 0; } | ||
| 987 | static inline int ll_restrict(...) { return 0; } | ||
| 988 | static inline void ll_add_profile(...) { return; } | ||
| 989 | #endif /* HAVE_LANDLOCK */ | 979 | #endif /* HAVE_LANDLOCK */ |
| 990 | 980 | ||
| 991 | #endif | 981 | #endif |
diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c index 65a4cd8df..9cf5ec165 100644 --- a/src/firejail/landlock.c +++ b/src/firejail/landlock.c | |||
| @@ -68,14 +68,16 @@ int ll_is_supported(void) { | |||
| 68 | LANDLOCK_CREATE_RULESET_VERSION); | 68 | LANDLOCK_CREATE_RULESET_VERSION); |
| 69 | if (ll_abi < 1) { | 69 | if (ll_abi < 1) { |
| 70 | ll_abi = 0; | 70 | ll_abi = 0; |
| 71 | fprintf(stderr, "Warning: Landlock is disabled or not supported: %s, " | 71 | fprintf(stderr, "Warning: %s: Landlock is disabled or not supported: %s, " |
| 72 | "ignoring landlock commands\n", | 72 | "ignoring landlock commands\n", |
| 73 | strerror(errno)); | 73 | __func__, strerror(errno)); |
| 74 | goto out; | 74 | goto out; |
| 75 | } | 75 | } |
| 76 | 76 | ||
| 77 | if (arg_debug) | 77 | if (arg_debug) { |
| 78 | printf("Detected Landlock ABI version %d\n", ll_abi); | 78 | fprintf(stderr, "%s: Detected Landlock ABI version %d\n", |
| 79 | __func__, ll_abi); | ||
| 80 | } | ||
| 79 | out: | 81 | out: |
| 80 | return ll_abi; | 82 | return ll_abi; |
| 81 | } | 83 | } |
| @@ -100,9 +102,16 @@ static int ll_create_full_ruleset(void) { | |||
| 100 | LANDLOCK_ACCESS_FS_REMOVE_FILE | | 102 | LANDLOCK_ACCESS_FS_REMOVE_FILE | |
| 101 | LANDLOCK_ACCESS_FS_WRITE_FILE; | 103 | LANDLOCK_ACCESS_FS_WRITE_FILE; |
| 102 | 104 | ||
| 105 | if (arg_debug) { | ||
| 106 | fprintf(stderr, "%s: Creating Landlock ruleset (abi=%d fs=%llx)\n", | ||
| 107 | __func__, ll_abi, attr.handled_access_fs); | ||
| 108 | } | ||
| 109 | |||
| 103 | int ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0); | 110 | int ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0); |
| 104 | if (ruleset_fd < 0) { | 111 | if (ruleset_fd < 0) { |
| 105 | fprintf(stderr, "Error: failed to create a Landlock ruleset: %s\n", | 112 | fprintf(stderr, "%s: Error: failed to create Landlock ruleset " |
| 113 | "(abi=%d fs=%llx): %s\n", | ||
| 114 | __func__, ll_abi, attr.handled_access_fs, | ||
| 106 | strerror(errno)); | 115 | strerror(errno)); |
| 107 | } | 116 | } |
| 108 | return ruleset_fd; | 117 | return ruleset_fd; |
| @@ -116,6 +125,11 @@ static int ll_fs(const char *allowed_path, const __u64 allowed_access, | |||
| 116 | if (ll_ruleset_fd == -1) | 125 | if (ll_ruleset_fd == -1) |
| 117 | ll_ruleset_fd = ll_create_full_ruleset(); | 126 | ll_ruleset_fd = ll_create_full_ruleset(); |
| 118 | 127 | ||
| 128 | if (arg_debug) { | ||
| 129 | fprintf(stderr, "%s: Adding Landlock rule (abi=%d fs=%llx) for %s\n", | ||
| 130 | caller, ll_abi, allowed_access, allowed_path); | ||
| 131 | } | ||
| 132 | |||
| 119 | int error; | 133 | int error; |
| 120 | int allowed_fd = open(allowed_path, O_PATH | O_CLOEXEC); | 134 | int allowed_fd = open(allowed_path, O_PATH | O_CLOEXEC); |
| 121 | if (allowed_fd < 0) { | 135 | if (allowed_fd < 0) { |
| @@ -132,8 +146,10 @@ static int ll_fs(const char *allowed_path, const __u64 allowed_access, | |||
| 132 | error = landlock_add_rule(ll_ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, | 146 | error = landlock_add_rule(ll_ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, |
| 133 | &target, 0); | 147 | &target, 0); |
| 134 | if (error) { | 148 | if (error) { |
| 135 | fprintf(stderr, "Error: %s: failed to add Landlock rule for %s: %s\n", | 149 | fprintf(stderr, "Error: %s: failed to add Landlock rule " |
| 136 | caller, allowed_path, strerror(errno)); | 150 | "(abi=%d fs=%llx) for %s: %s\n", |
| 151 | caller, ll_abi, allowed_access, allowed_path, | ||
| 152 | strerror(errno)); | ||
| 137 | } | 153 | } |
| 138 | close(allowed_fd); | 154 | close(allowed_fd); |
| 139 | return error; | 155 | return error; |
| @@ -228,10 +244,13 @@ int ll_basic_system(void) { | |||
| 228 | return error; | 244 | return error; |
| 229 | } | 245 | } |
| 230 | 246 | ||
| 231 | int ll_restrict(__u32 flags) { | 247 | int ll_restrict(uint32_t flags) { |
| 232 | if (!ll_is_supported()) | 248 | if (!ll_is_supported()) |
| 233 | return 0; | 249 | return 0; |
| 234 | 250 | ||
| 251 | if (arg_debug) | ||
| 252 | fprintf(stderr, "%s: Starting Landlock restrict\n", __func__); | ||
| 253 | |||
| 235 | int (*fnc[])(const char *) = { | 254 | int (*fnc[])(const char *) = { |
| 236 | ll_read, | 255 | ll_read, |
| 237 | ll_write, | 256 | ll_write, |
| @@ -263,7 +282,7 @@ int ll_restrict(__u32 flags) { | |||
| 263 | goto out; | 282 | goto out; |
| 264 | } | 283 | } |
| 265 | if (arg_debug) | 284 | if (arg_debug) |
| 266 | printf("%s: Enforcing Landlock\n", __func__); | 285 | fprintf(stderr, "%s: Enforcing Landlock\n", __func__); |
| 267 | out: | 286 | out: |
| 268 | close(ll_ruleset_fd); | 287 | close(ll_ruleset_fd); |
| 269 | return error; | 288 | return error; |