24 files changed, 109 insertions, 163 deletions
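--- a/.github/workflows/check-c.yml
+++ b/.github/workflows/check-c.yml
@@ -150,7 +150,7 @@ jobs:
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
-uses: github/codeql-action/init@c0d1daa7f7e14667747d73a7dbbe8c074bc8bfe2
+uses: github/codeql-action/init@b374143c1149a9115d881581d29b8390bbcbb59c
 with:
 languages: cpp
 
@@ -161,4 +161,4 @@ jobs:
 run: make -j "$(nproc)"
 
 - name: Perform CodeQL Analysis
-uses: github/codeql-action/analyze@c0d1daa7f7e14667747d73a7dbbe8c074bc8bfe2
+uses: github/codeql-action/analyze@b374143c1149a9115d881581d29b8390bbcbb59c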
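--- a/.github/workflows/check-python.yml
+++ b/.github/workflows/check-python.yml
@@ -50,9 +50,9 @@ jobs:
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
-uses: github/codeql-action/init@c0d1daa7f7e14667747d73a7dbbe8c074bc8bfe2
+uses: github/codeql-action/init@b374143c1149a9115d881581d29b8390bbcbb59c
 with:
 languages: python
 
 - name: Perform CodeQL Analysis
-uses: github/codeql-action/analyze@c0d1daa7f7e14667747d73a7dbbe8c074bc8bfe2
+uses: github/codeql-action/analyze@b374143c1149a9115d881581d29b8390bbcbb59c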
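--- a/contrib/syntax/lists/profile_commands_arg0.list
+++ b/contrib/syntax/lists/profile_commands_arg0.list
@@ -12,7 +12,7 @@ keep-config-pulse
 keep-dev-shm
 keep-shell-rc
 keep-var-tmp
-landlock
+landlock.enforce
 machine-id
 memory-deny-write-execute
 netfilter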
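--- a/contrib/syntax/lists/profile_commands_arg1.list
+++ b/contrib/syntax/lists/profile_commands_arg1.list
@@ -30,7 +30,6 @@ iprange
 join-or-start
 keep-fd
 landlock.execute
-landlock.proc
 landlock.read
 landlock.special
 landlock.write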
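--- /dev/null
+++ b/etc/inc/landlock-common.inc
@@ -0,0 +1,39 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include landlock-common.local
+
+landlock.read / # whole system read
+landlock.read /proc
+landlock.special / # sockets etc.
+
+# write access
+landlock.write ${HOME}
+landlock.write ${RUNUSER}
+landlock.write /dev
+landlock.write /proc
+landlock.write /run/shm
+landlock.write /tmp
+
+# exec access
+## misc
+landlock.execute /opt
+landlock.execute /run/firejail # appimage and various firejail features
+## bin
+landlock.execute /bin
+landlock.execute /sbin
+landlock.execute /usr/bin
+landlock.execute /usr/sbin
+landlock.execute /usr/games
+landlock.execute /usr/local/bin
+landlock.execute /usr/local/sbin
+landlock.execute /usr/local/games
+## lib
+landlock.execute /lib
+landlock.execute /lib32
+landlock.execute /libx32
+landlock.execute /lib64
+landlock.execute /usr/lib
+landlock.execute /usr/lib32
+landlock.execute /usr/libx32
+landlock.execute /usr/lib64
+landlock.execute /usr/local/lib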
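Review bot: Nothing in the header says that Landlock rules are allow-list-only and additive, so the `include landlock-common.local` on line 3 can widen access but can never revoke the broad grants that follow it (`landlock.special /`, `landlock.write /dev`, `landlock.write /proc`), and none of this file has any effect unless `landlock.enforce` is also set somewhere. I would add to the header `# Landlock rules are additive: a .local file can allow more paths but cannot revoke any granted here.` and `# These rules only take effect when landlock.enforce is set.`. The `--landlock.proc` code this commit removes added the /proc rules only after the sandbox's /proc was set up (see the deleted sandbox.c lines and the deleted man text); if `landlock.read /proc` and `landlock.write /proc` on lines 6 and 13 are resolved before the sandbox mounts its own /proc rather than inside `ll_restrict()`, they presumably bind to the host procfs, which is worth confirming and recording in a comment on line 6.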
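--- a/etc/profile-a-l/chatterino.profile
+++ b/etc/profile-a-l/chatterino.profile
@@ -42,6 +42,7 @@ whitelist-ro ${HOME}/.config/mpv
 whitelist-ro ${HOME}/.config/pulse
 whitelist-ro ${HOME}/.config/vlc
 whitelist-ro ${HOME}/.local/share/vlc
+whitelist-ro /usr/share/mpv
 include whitelist-common.inc
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc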
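--- a/etc/profile-a-l/default.profile
+++ b/etc/profile-a-l/default.profile
@@ -22,6 +22,8 @@ include disable-programs.inc
 #include whitelist-usr-share-common.inc
 #include whitelist-var-common.inc
 
+include landlock-common.inc
+
 #apparmor
 caps.drop all
 #ipc-namespace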
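Review bot: `include landlock-common.inc` on line 25 is inert by itself: the man page text in this same commit states that the other Landlock commands have no effect without `landlock.enforce`, and default.profile does not set it, so a reader of the fallback profile could wrongly assume Landlock is now active for unlisted programs. A comment above the include would make the opt-in explicit, e.g. `# Landlock rules; only enforced if landlock.enforce is set (e.g. in a .local file)`.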
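--- a/etc/profile-a-l/firefox-common-addons.profile
+++ b/etc/profile-a-l/firefox-common-addons.profile
@@ -78,6 +78,7 @@ whitelist ${HOME}/.zotero
 whitelist ${HOME}/dwhelper
 whitelist /usr/share/lua
 whitelist /usr/share/lua*
+whitelist /usr/share/mpv
 
 # GNOME Shell integration (chrome-gnome-shell) needs dbus and python
 noblacklist ${HOME}/.local/share/gnome-shell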
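--- a/etc/profile-m-z/QMediathekView.profile
+++ b/etc/profile-m-z/QMediathekView.profile
@@ -47,6 +47,7 @@ whitelist ${HOME}/.local/share/totem
 whitelist ${HOME}/.local/share/xplayer
 whitelist ${HOME}/.local/state/mpv
 whitelist ${HOME}/.mplayer
+whitelist /usr/share/mpv
 whitelist /usr/share/qtchooser
 include whitelist-common.inc
 include whitelist-run-common.inc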
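--- a/etc/profile-m-z/minecraft-launcher.profile
+++ b/etc/profile-m-z/minecraft-launcher.profile
@@ -25,6 +25,8 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.minecraft
 whitelist ${HOME}/.minecraft
+# Needs keyring access in order to save logins
+whitelist ${RUNUSER}/keyring
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
@@ -54,7 +56,10 @@ private-etc @tls-ca,@x11,host.conf,java*,mime.types,services,timezone
 private-opt minecraft-launcher
 private-tmp
 
-dbus-user none
+dbus-user filter
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.gnome.keyring.*
+dbus-user.talk org.gnome.seahorse.*
 dbus-system none
 
 restrict-namespaces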
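Review bot: `whitelist ${RUNUSER}/keyring` on line 29 exposes the directory that presumably holds the gnome-keyring control socket, so the launcher can reach the daemon directly regardless of the `dbus-user filter` rules on lines 59-62; if saving logins only needs the Secret Service D-Bus API, the whitelist is redundant and the filter alone is the tighter choice. Note also that `org.freedesktop.secrets` exposes every item in the user's unlocked keyring, not only the launcher's own logins, and that `org.gnome.keyring.*` and `org.gnome.seahorse.*` go beyond that API (seahorse is the GUI key manager), so each of the three should be verified as actually needed. I would record the trade-off next to the rules: `# Secret Service access is all-or-nothing: this exposes every unlocked keyring item, not just Minecraft's.`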
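--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -66,6 +66,7 @@ whitelist ${HOME}/yt-dlp.conf
 whitelist ${HOME}/yt-dlp.conf.txt
 whitelist /usr/share/lua
 whitelist /usr/share/lua*
+whitelist /usr/share/mpv
 include whitelist-common.inc
 include whitelist-player-common.inc
 include whitelist-usr-share-common.inc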
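--- a/etc/profile-m-z/obs.profile
+++ b/etc/profile-m-z/obs.profile
@@ -10,6 +10,9 @@ noblacklist ${MUSIC}
 noblacklist ${PICTURES}
 noblacklist ${VIDEOS}
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc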
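--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -137,6 +137,13 @@ include globals.local
 #include whitelist-usr-share-common.inc
 #include whitelist-var-common.inc
 
+# Landlock commands
+##landlock.read PATH
+##landlock.write PATH
+##landlock.special PATH
+##landlock.execute PATH
+#include landlock-common.inc
+
 ##allusers
 #apparmor
 #caps.drop all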
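--- a/platform/rpm/mkrpm.sh
+++ b/platform/rpm/mkrpm.sh
@@ -14,7 +14,7 @@
 name="$TARNAME"
 # Strip any trailing prefix from the version like -rc1 etc
 version="$(printf '%s\n' "$VERSION" | sed 's/\-.*//g')"
-config_opt="$*"
+config_opt="--disable-userns --disable-contrib-install $*"
 
 if [[ ! -f "platform/rpm/${name}.spec" ]]; then
 printf 'error: spec file not found for name %s\n' "${name}" >&2
@@ -26,10 +26,6 @@ if [[ -z "${version}" ]]; then
 exit 1
 fi
 
-if [[ -z "${config_opt}" ]]; then
-config_opt="--disable-userns --disable-contrib-install"
-fi
-
 # Make a temporary directory and arrange to clean up on exit
 tmpdir="$(mktemp -d)"
 mkdir -p "${tmpdir}"/{BUILD,RPMS,SOURCES,SPECS,SRPMS}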
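Review bot: Line 17 now prepends `--disable-userns --disable-contrib-install` to every build, where before they were only the fallback when no arguments were given, so a caller passing their own configure flags silently gets these security defaults as well, and a flag such as `--enable-userns` only wins if configure honours the last occurrence, which the script does not state. Either keep the old fallback semantics or document the new ones, e.g. `# Security defaults come first; caller flags follow and override them (configure keeps the last value seen)`, and confirm that last-wins assumption against the configure script. `"$*"` also joins the arguments with single spaces and discards their quoting, so an argument containing whitespace breaks when `config_opt` is later word-split; an array, `config_opt=(--disable-userns --disable-contrib-install "$@")`, would be more robust, though how `config_opt` is consumed lies outside the hunk.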
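--- a/src/bash_completion/firejail.bash_completion.in
+++ b/src/bash_completion/firejail.bash_completion.in
@@ -42,7 +42,7 @@ _firejail()
 _filedir -d
 return 0
 ;;
---landlock)
+--landlock.enforce)
 return 0
 ;;
 --landlock.read)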
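--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -293,8 +293,7 @@ extern int arg_overlay; // overlay option
 extern int arg_overlay_keep; // place overlay diff in a known directory
 extern int arg_overlay_reuse; // allow the reuse of overlays
 
-extern int arg_landlock; // add basic Landlock rules
-extern int arg_landlock_proc; // 0 - no access; 1 -read-only; 2 - read-write
+extern int arg_landlock_enforce; // enforce the Landlock ruleset
 
 extern int arg_seccomp; // enable default seccomp filter
 extern int arg_seccomp32; // enable default seccomp filter for 32 bit arch
@@ -973,7 +972,6 @@ int ll_read(const char *allowed_path);
 int ll_write(const char *allowed_path);
 int ll_special(const char *allowed_path);
 int ll_exec(const char *allowed_path);
-int ll_basic_system(void);
 int ll_restrict(uint32_t flags);
 void ll_add_profile(int type, const char *data);
 #endif /* HAVE_LANDLOCK */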
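--- a/src/firejail/landlock.c
+++ b/src/firejail/landlock.c
@@ -117,8 +117,8 @@ static int ll_create_full_ruleset(void) {
 return ruleset_fd;
 }
 
-static int ll_fs(const char *allowed_path, const __u64 allowed_access,
+static int _ll_fs(const char *allowed_path, const __u64 allowed_access,
 const char *caller) {
 if (!ll_is_supported())
 return 0;
 
@@ -155,6 +155,16 @@ static int ll_fs(const char *allowed_path, const __u64 allowed_access,
 return error;
 }
 
+// TODO: Add support for the ${PATH} macro.
+static int ll_fs(const char *allowed_path, const __u64 allowed_access,
+const char *caller) {
+char *expanded_path = expand_macros(allowed_path);
+int error = _ll_fs(expanded_path, allowed_access, caller);
+
+free(expanded_path);
+return error;
+}
+
 int ll_read(const char *allowed_path) {
 __u64 allowed_access =
 LANDLOCK_ACCESS_FS_READ_DIR |
@@ -192,58 +202,6 @@ int ll_exec(const char *allowed_path) {
 return ll_fs(allowed_path, allowed_access, __func__);
 }
 
-int ll_basic_system(void) {
-assert(cfg.homedir);
-
-if (!ll_is_supported())
-return 0;
-
-if (ll_ruleset_fd == -1)
-ll_ruleset_fd = ll_create_full_ruleset();
-
-int error;
-char *rundir;
-if (asprintf(&rundir, "/run/user/%d", getuid()) == -1)
-errExit("asprintf");
-
-error =
-ll_read("/") || // whole system read
-ll_special("/") || // sockets etc.
-
-ll_write("/tmp") || // write access
-ll_write("/dev") ||
-ll_write("/run/shm") ||
-ll_write(cfg.homedir) ||
-ll_write(rundir) ||
-
-ll_exec("/opt") || // exec access
-ll_exec("/bin") ||
-ll_exec("/sbin") ||
-ll_exec("/lib") ||
-ll_exec("/lib32") ||
-ll_exec("/libx32") ||
-ll_exec("/lib64") ||
-ll_exec("/usr/bin") ||
-ll_exec("/usr/sbin") ||
-ll_exec("/usr/games") ||
-ll_exec("/usr/lib") ||
-ll_exec("/usr/lib32") ||
-ll_exec("/usr/libx32") ||
-ll_exec("/usr/lib64") ||
-ll_exec("/usr/local/bin") ||
-ll_exec("/usr/local/sbin") ||
-ll_exec("/usr/local/games") ||
-ll_exec("/usr/local/lib") ||
-ll_exec("/run/firejail"); // appimage and various firejail features
-
-if (error) {
-fprintf(stderr, "Error: %s: failed to set --landlock rules\n",
-__func__);
-}
-free(rundir);
-return error;
-}
-
 int ll_restrict(uint32_t flags) {
 if (!ll_is_supported())
 return 0;
@@ -293,9 +251,6 @@ void ll_add_profile(int type, const char *data) {
 assert(type < LL_MAX);
 assert(data);
 
-if (!ll_is_supported())
-return;
-
 while (*data == ' ' || *data == '\t')
 data++;
 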
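Review bot: `_ll_fs` on new line 120 is a file-scope identifier beginning with an underscore, which C reserves for the implementation (C11 7.1.3); a name such as `ll_fs_resolved` or `ll_fs_nomacro` says the same thing without the reservation. In the wrapper on new lines 159-166, `expand_macros(allowed_path)` is handed to `_ll_fs` unchecked; whether it can return NULL for an unresolvable macro is outside this diff, so either guard with `if (!expanded_path) return 1;` or add a comment stating that `expand_macros` never returns NULL. Dropping the `ll_is_supported()` early return from `ll_add_profile` (old lines 296-298) looks intentional, since `_ll_fs` still returns 0 when Landlock is unsupported, but a one-line comment saying so would spare the next reader the question; `ll_add_profile` continues outside the hunk.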
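--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -75,8 +75,7 @@ int arg_overlay = 0; // overlay option
 int arg_overlay_keep = 0; // place overlay diff in a known directory
 int arg_overlay_reuse = 0; // allow the reuse of overlays
 
-int arg_landlock = 0; // add basic Landlock rules
-int arg_landlock_proc = 2; // 0 - no access; 1 -read-only; 2 - read-write
+int arg_landlock_enforce = 0; // enforce the Landlock ruleset
 
 int arg_seccomp = 0; // enable default seccomp filter
 int arg_seccomp32 = 0; // enable default seccomp filter for 32 bit arch
@@ -1504,21 +1503,8 @@ int main(int argc, char **argv, char **envp) {
 exit_err_feature("seccomp");
 }
 #ifdef HAVE_LANDLOCK
-else if (strcmp(argv[i], "--landlock") == 0)
-arg_landlock = 1;
-else if (strncmp(argv[i], "--landlock.proc=", 16) == 0) {
-if (strncmp(argv[i] + 16, "no", 2) == 0)
-arg_landlock_proc = 0;
-else if (strncmp(argv[i] + 16, "ro", 2) == 0)
-arg_landlock_proc = 1;
-else if (strncmp(argv[i] + 16, "rw", 2) == 0)
-arg_landlock_proc = 2;
-else {
-fprintf(stderr, "Error: invalid landlock.proc value: %s\n",
-argv[i] + 16);
-exit(1);
-}
-}
+else if (strncmp(argv[i], "--landlock.enforce", 18) == 0)
+arg_landlock_enforce = 1;
 else if (strncmp(argv[i], "--landlock.read=", 16) == 0)
 ll_add_profile(LL_READ, argv[i] + 16);
 else if (strncmp(argv[i], "--landlock.write=", 17) == 0)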
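Review bot: `strncmp(argv[i], "--landlock.enforce", 18) == 0` on new line 1506 is a prefix match, so a misspelled `--landlock.enforced` or a stray `--landlock.enforce=foo` is silently accepted as the flag; the `--landlock` handling it replaces used `strcmp`, and this option takes no `=value`, so there is no reason for the prefix form. Use `strcmp(argv[i], "--landlock.enforce") == 0` so a typo is not accepted silently. The body of `main` continues outside the hunk.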
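--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1074,24 +1074,9 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 
 #ifdef HAVE_LANDLOCK
-// Landlock ruleset paths
-if (strcmp(ptr, "landlock") == 0) {
-arg_landlock = 1;
-return 0;
-}
-if (strncmp(ptr, "landlock.proc ", 14) == 0) {
-if (strncmp(ptr + 14, "no", 2) == 0)
-arg_landlock_proc = 0;
-else if (strncmp(ptr + 14, "ro", 2) == 0)
-arg_landlock_proc = 1;
-else if (strncmp(ptr + 14, "rw", 2) == 0)
-arg_landlock_proc = 2;
-else {
-fprintf(stderr, "Error: invalid landlock.proc value: %s\n",
-ptr + 14);
-exit(1);
-}
-return 0;
+if (strncmp(ptr, "landlock.enforce", 16) == 0) {
+arg_landlock_enforce = 1;
+return 0;
 }
 if (strncmp(ptr, "landlock.read ", 14) == 0) {
 ll_add_profile(LL_READ, ptr + 14);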
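Review bot: `strncmp(ptr, "landlock.enforce", 16) == 0` on new line 1077 is a prefix match, so a profile line such as `landlock.enforced` or `landlock.enforce /foo` is silently treated as the flag; the `landlock` check it replaces used `strcmp` (old line 1078), and the command takes no argument. Use `strcmp(ptr, "landlock.enforce") == 0` so a typo in a profile is not accepted silently. `profile_check_line` continues outside the hunk.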
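--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -520,21 +520,14 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
 //****************************
 // Configure Landlock
 //****************************
-if (arg_landlock)
-ll_basic_system();
-
-if (ll_get_fd() != -1) {
-if (arg_landlock_proc >= 1)
-ll_read("/proc/");
-if (arg_landlock_proc == 2)
-ll_write("/proc/");
-}
-
-if (ll_restrict(0)) {
+if (arg_landlock_enforce && ll_restrict(0)) {
 // It isn't safe to continue if Landlock self-restriction was
 // enabled and the "landlock_restrict_self" syscall has failed.
 fprintf(stderr, "Error: ll_restrict() failed, exiting...\n");
 exit(1);
+} else {
+if (arg_debug)
+fprintf(stderr, "Not enforcing Landlock\n");
 }
 #endif
 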
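Review bot: The `else` on new line 528 belongs to the combined condition `arg_landlock_enforce && ll_restrict(0)`, so with `--debug` the message `Not enforcing Landlock` is also printed when enforcement was requested and `ll_restrict()` succeeded (returned 0), which is precisely the case where it misleads. Split the two conditions so the debug message is tied only to `arg_landlock_enforce` being unset. Separately, `ll_restrict()` returns 0 when `ll_is_supported()` is false (landlock.c new lines 206-207 in this diff), so `landlock.enforce` does not fail closed on a kernel without Landlock; whether that is acceptable should at least be stated in a comment here. `start_application` continues outside the hunk.
```c
if (arg_landlock_enforce) {
	// ll_restrict() returns 0 when Landlock is unsupported, so this
	// does not fail closed on kernels without Landlock.
	if (ll_restrict(0)) {
		// It isn't safe to continue if Landlock self-restriction was
		// enabled and the "landlock_restrict_self" syscall has failed.
		fprintf(stderr, "Error: ll_restrict() failed, exiting...\n");
		exit(1);
	}
} else if (arg_debug) {
	fprintf(stderr, "Not enforcing Landlock\n");
}
```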
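--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -134,8 +134,7 @@ static const char *const usage_str =
 " --keep-shell-rc - do not copy shell rc files from /etc/skel\n"
 " --keep-var-tmp - /var/tmp directory is untouched.\n"
 #ifdef HAVE_LANDLOCK
-" --landlock - add basic rules to the Landlock ruleset.\n"
-" --landlock.proc=no|ro|rw - add an access rule for /proc to the Landlock ruleset.\n"
+" --landlock.enforce - enforce the Landlock ruleset.\n"
 " --landlock.read=path - add a read access rule for the path to the Landlock ruleset.\n"
 " --landlock.write=path - add a write access rule for the path to the Landlock ruleset.\n"
 " --landlock.special=path - add an access rule for the path to the Landlock ruleset for creating block/char devices, named pipes and sockets.\n"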
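--- a/src/man/firejail-profile.5.in
+++ b/src/man/firejail-profile.5.in
@@ -509,17 +509,10 @@ Blacklist all Linux capabilities.
 Whitelist given Linux capabilities.
 #ifdef HAVE_LANDLOCK
 .TP
-\fBlandlock
-Create a Landlock ruleset (if it doesn't already exist) and add basic access
-rules to it.
-.TP
-\fBlandlock.proc no|ro|rw
-Add an access rule for /proc directory (read-only if set to \fBro\fR and
-read-write if set to \fBrw\fR).
-The access rule for /proc is added after this directory is set up in the
-sandbox.
-Access rules for /proc set up with other Landlock-related profile options have
-no effect.
+\fBlandlock.enforce
+Enforce the Landlock ruleset.
+.PP
+Without it, the other Landlock commands have no effect.
 .TP
 \fBlandlock.read path
 Create a Landlock ruleset (if it doesn't already exist) and add a read access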
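--- a/src/man/firejail.1.in
+++ b/src/man/firejail.1.in
@@ -1245,31 +1245,15 @@ $ firejail --keep-var-tmp
 
 #ifdef HAVE_LANDLOCK
 .TP
-\fB\-\-landlock
-Create a Landlock ruleset (if it doesn't already exist) and add basic access
-rules to it.
-The basic set of rules applies the following access permissions:
+\fB\-\-landlock.enforce
+Enforce the Landlock ruleset.
 .PP
-.RS
-- read: /bin, /dev, /etc, /lib, /opt, /proc, /usr, /var
-.br
-- write: /dev, /proc
-.br
-- exec: /bin, /lib, /opt, /usr
-.RE
+Without it, the other Landlock commands have no effect.
 .PP
 .RS
 See the \fBLANDLOCK\fR section for more information.
 .RE
 .TP
-\fB\-\-landlock.proc=no|ro|rw
-Add an access rule for /proc directory (read-only if set to \fBro\fR and
-read-write if set to \fBrw\fR).
-The access rule for /proc is added after this directory is set up in the
-sandbox.
-Access rules for /proc set up with other Landlock-related command-line options
-have no effect.
-.TP
 \fB\-\-landlock.read=path
 Create a Landlock ruleset (if it doesn't already exist) and add a read access
 rule for path.
@@ -1291,7 +1275,9 @@ permission rule for path.
 .br
 Example:
 .br
-$ firejail \-\-landlock.read=/ \-\-landlock.write=/home \-\-landlock.execute=/usr
+$ firejail \-\-landlock.read=/ \-\-landlock.write=/home
+\-\-landlock.execute=/usr \-\-landlock.enforce
+.PP
 #endif
 .TP
 \fB\-\-list
@@ -3426,7 +3412,7 @@ Firejail supports Landlock as an additional sandboxing feature.
 It can be used to ensure that a sandboxed application can only access files and
 directories that it was explicitly allowed to access.
 Firejail supports populating the ruleset with both a basic set of rules (see
-\fB\-\-landlock\fR) and with a custom set of rules.
+landlock-common.inc) and with a custom set of rules.
 .TP
 Important notes:
 .PP
@@ -3438,9 +3424,6 @@ Because of this, enabling the Landlock feature will also cause Firejail to
 enable the "No New Privileges" restriction, regardless of the profile or the
 \fB\-\-nonewprivs\fR command line option.
 .PP
-- Access to the /proc directory is managed through the \fB\-\-landlock.proc\fR
-command line option.
-.PP
 - Access to the /etc directory is automatically allowed.
 To override this, use the \fB\-\-writable\-etc\fR command line option.
 You can also use the \fB\-\-private\-etc\fR option to restrict access to the
@@ -3448,13 +3431,13 @@ You can also use the \fB\-\-private\-etc\fR option to restrict access to the
 .RE
 .PP
 To enable Landlock self-restriction on top of your current Firejail security
-features, pass \fB\-\-landlock\fR flag to Firejail command line.
-You can also use \fB\-\-landlock.read\fR, \fB\-\-landlock.write\fR,
-\fB\-\-landlock.special\fR and \fB\-\-landlock.execute\fR options together with
-\fB\-\-landlock\fR or instead of it.
+features, pass \fB\-\-landlock.enforce\fR flag to Firejail command line.
+Without it, the other Landlock commands have no effect.
 Example:
 .PP
-$ firejail \-\-landlock \-\-landlock.read=/media \-\-landlock.proc=ro mc
+$ firejail \-\-landlock.enforce \-\-landlock.read=/media mc
+.PP
+To disable Landlock self-restriction, use \fB\-\-ignore=landlock.enforce\fR.
 #endif
 .SH DESKTOP INTEGRATION
 A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.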
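--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -107,8 +107,7 @@ _firejail_args=(
 '--keep-shell-rc[do not copy shell rc files from /etc/skel]'
 '--keep-var-tmp[/var/tmp directory is untouched]'
 #ifdef HAVE_LANDLOCK
-'--landlock[add basic rules to the Landlock ruleset]'
-'--landlock.proc=-[add an access rule for /proc to the Landlock ruleset]: :(no ro rw)'
+'--landlock.enforce[enforce the Landlock ruleset]'
 '--landlock.read=-[add a read access rule for the path to the Landlock ruleset]: :_files'
 '--landlock.write=-[add a write access rule for the path to the Landlock ruleset]: :_files'
 '--landlock.special=-[add an access rule for the path to the Landlock ruleset for creating block/char devices, named pipes and sockets]: :_files'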