diff options
| -rw-r--r-- | src/firejail/firejail.h | 1 | ||||
| -rw-r--r-- | src/firejail/landlock.c | 45 |
2 files changed, 46 insertions, 0 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index f9f4cb473..5a96fcbfd 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -968,6 +968,7 @@ void oom_set(const char *oom_string); | |||
| 968 | // landlock.c | 968 | // landlock.c |
| 969 | #ifdef HAVE_LANDLOCK | 969 | #ifdef HAVE_LANDLOCK |
| 970 | int ll_get_fd(void); | 970 | int ll_get_fd(void); |
| 971 | int ll_is_supported(void); | ||
| 971 | int ll_read(const char *allowed_path); | 972 | int ll_read(const char *allowed_path); |
| 972 | int ll_write(const char *allowed_path); | 973 | int ll_write(const char *allowed_path); |
| 973 | int ll_special(const char *allowed_path); | 974 | int ll_special(const char *allowed_path); |
diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c index 596e35aea..27fc1d748 100644 --- a/src/firejail/landlock.c +++ b/src/firejail/landlock.c | |||
| @@ -28,6 +28,7 @@ | |||
| 28 | #include <fcntl.h> | 28 | #include <fcntl.h> |
| 29 | 29 | ||
| 30 | static int ll_ruleset_fd = -1; | 30 | static int ll_ruleset_fd = -1; |
| 31 | static int ll_abi = -1; | ||
| 31 | 32 | ||
| 32 | int ll_get_fd(void) { | 33 | int ll_get_fd(void) { |
| 33 | return ll_ruleset_fd; | 34 | return ll_ruleset_fd; |
| @@ -59,7 +60,30 @@ landlock_restrict_self(const int ruleset_fd, const __u32 flags) { | |||
| 59 | } | 60 | } |
| 60 | #endif | 61 | #endif |
| 61 | 62 | ||
| 63 | int ll_is_supported(void) { | ||
| 64 | if (ll_abi != -1) | ||
| 65 | goto out; | ||
| 66 | |||
| 67 | ll_abi = landlock_create_ruleset(NULL, 0, | ||
| 68 | LANDLOCK_CREATE_RULESET_VERSION); | ||
| 69 | if (ll_abi < 1) { | ||
| 70 | ll_abi = 0; | ||
| 71 | fprintf(stderr, "Warning: Landlock is disabled or not supported: %s, " | ||
| 72 | "ignoring landlock commands\n", | ||
| 73 | strerror(errno)); | ||
| 74 | goto out; | ||
| 75 | } | ||
| 76 | if (arg_debug) { | ||
| 77 | printf("Detected Landlock ABI version %d\n", ll_abi); | ||
| 78 | } | ||
| 79 | out: | ||
| 80 | return ll_abi; | ||
| 81 | } | ||
| 82 | |||
| 62 | static int ll_create_full_ruleset() { | 83 | static int ll_create_full_ruleset() { |
| 84 | if (!ll_is_supported()) | ||
| 85 | return -1; | ||
| 86 | |||
| 63 | struct landlock_ruleset_attr attr; | 87 | struct landlock_ruleset_attr attr; |
| 64 | attr.handled_access_fs = | 88 | attr.handled_access_fs = |
| 65 | LANDLOCK_ACCESS_FS_EXECUTE | | 89 | LANDLOCK_ACCESS_FS_EXECUTE | |
| @@ -85,6 +109,9 @@ static int ll_create_full_ruleset() { | |||
| 85 | } | 109 | } |
| 86 | 110 | ||
| 87 | int ll_read(const char *allowed_path) { | 111 | int ll_read(const char *allowed_path) { |
| 112 | if (!ll_is_supported()) | ||
| 113 | return 0; | ||
| 114 | |||
| 88 | if (ll_ruleset_fd == -1) | 115 | if (ll_ruleset_fd == -1) |
| 89 | ll_ruleset_fd = ll_create_full_ruleset(); | 116 | ll_ruleset_fd = ll_create_full_ruleset(); |
| 90 | 117 | ||
| @@ -114,6 +141,9 @@ int ll_read(const char *allowed_path) { | |||
| 114 | } | 141 | } |
| 115 | 142 | ||
| 116 | int ll_write(const char *allowed_path) { | 143 | int ll_write(const char *allowed_path) { |
| 144 | if (!ll_is_supported()) | ||
| 145 | return 0; | ||
| 146 | |||
| 117 | if (ll_ruleset_fd == -1) | 147 | if (ll_ruleset_fd == -1) |
| 118 | ll_ruleset_fd = ll_create_full_ruleset(); | 148 | ll_ruleset_fd = ll_create_full_ruleset(); |
| 119 | 149 | ||
| @@ -147,6 +177,9 @@ int ll_write(const char *allowed_path) { | |||
| 147 | } | 177 | } |
| 148 | 178 | ||
| 149 | int ll_special(const char *allowed_path) { | 179 | int ll_special(const char *allowed_path) { |
| 180 | if (!ll_is_supported()) | ||
| 181 | return 0; | ||
| 182 | |||
| 150 | if (ll_ruleset_fd == -1) | 183 | if (ll_ruleset_fd == -1) |
| 151 | ll_ruleset_fd = ll_create_full_ruleset(); | 184 | ll_ruleset_fd = ll_create_full_ruleset(); |
| 152 | 185 | ||
| @@ -178,6 +211,9 @@ int ll_special(const char *allowed_path) { | |||
| 178 | } | 211 | } |
| 179 | 212 | ||
| 180 | int ll_exec(const char *allowed_path) { | 213 | int ll_exec(const char *allowed_path) { |
| 214 | if (!ll_is_supported()) | ||
| 215 | return 0; | ||
| 216 | |||
| 181 | if (ll_ruleset_fd == -1) | 217 | if (ll_ruleset_fd == -1) |
| 182 | ll_ruleset_fd = ll_create_full_ruleset(); | 218 | ll_ruleset_fd = ll_create_full_ruleset(); |
| 183 | 219 | ||
| @@ -208,6 +244,9 @@ int ll_exec(const char *allowed_path) { | |||
| 208 | int ll_basic_system(void) { | 244 | int ll_basic_system(void) { |
| 209 | assert(cfg.homedir); | 245 | assert(cfg.homedir); |
| 210 | 246 | ||
| 247 | if (!ll_is_supported()) | ||
| 248 | return 0; | ||
| 249 | |||
| 211 | if (ll_ruleset_fd == -1) | 250 | if (ll_ruleset_fd == -1) |
| 212 | ll_ruleset_fd = ll_create_full_ruleset(); | 251 | ll_ruleset_fd = ll_create_full_ruleset(); |
| 213 | 252 | ||
| @@ -255,6 +294,9 @@ int ll_basic_system(void) { | |||
| 255 | } | 294 | } |
| 256 | 295 | ||
| 257 | int ll_restrict(__u32 flags) { | 296 | int ll_restrict(__u32 flags) { |
| 297 | if (!ll_is_supported()) | ||
| 298 | return 0; | ||
| 299 | |||
| 258 | int (*fnc[])(const char *) = { | 300 | int (*fnc[])(const char *) = { |
| 259 | ll_read, | 301 | ll_read, |
| 260 | ll_write, | 302 | ll_write, |
| @@ -297,6 +339,9 @@ void ll_add_profile(int type, const char *data) { | |||
| 297 | assert(type < LL_MAX); | 339 | assert(type < LL_MAX); |
| 298 | assert(data); | 340 | assert(data); |
| 299 | 341 | ||
| 342 | if (!ll_is_supported()) | ||
| 343 | return; | ||
| 344 | |||
| 300 | const char *str = data; | 345 | const char *str = data; |
| 301 | while (*str == ' ' || *str == '\t') | 346 | while (*str == ' ' || *str == '\t') |
| 302 | str++; | 347 | str++; |