-rw-r--r-- | .github/workflows/check-c.yml | 4 | ||||
-rw-r--r-- | .github/workflows/check-python.yml | 4 | ||||
-rw-r--r-- | etc/profile-m-z/mov-cli.profile | 9 | ||||
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/landlock.c | 20 | ||||
-rw-r--r-- | src/firejail/profile.c | 8 |
6 files changed, 36 insertions, 11 deletions
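--- a/.github/workflows/check-c.yml
+++ b/.github/workflows/check-c.yml
@@ -161,7 +161,7 @@ jobs:
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
-uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2
+uses: github/codeql-action/init@4355270be187e1b672a7a1c7c7bae5afdc1ab94a
 with:
 languages: cpp
 
@@ -172,4 +172,4 @@ jobs:
 run: make -j "$(nproc)"
 
 - name: Perform CodeQL Analysis
-uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2
+uses: github/codeql-action/analyze@4355270be187e1b672a7a1c7c7bae5afdc1ab94a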
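--- a/.github/workflows/check-python.yml
+++ b/.github/workflows/check-python.yml
@@ -51,9 +51,9 @@ jobs:
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
-uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2
+uses: github/codeql-action/init@4355270be187e1b672a7a1c7c7bae5afdc1ab94a
 with:
 languages: python
 
 - name: Perform CodeQL Analysis
-uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2
+uses: github/codeql-action/analyze@4355270be187e1b672a7a1c7c7bae5afdc1ab94a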
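--- a/etc/profile-m-z/mov-cli.profile
+++ b/etc/profile-m-z/mov-cli.profile
@@ -10,11 +10,16 @@ include mov-cli.local
 
 noblacklist ${HOME}/.config/mov-cli
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 include disable-proc.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/mov-cli
 whitelist ${HOME}/.config/mov-cli
+whitelist ${DOWNLOADS}
+whitelist /usr/share/nano
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 
@@ -24,9 +29,9 @@ noprinters
 notv
 
 disable-mnt
-private-bin ffmpeg,fzf,mov-cli
+private-bin fzf,mov-cli,nano,sh,uname
 #private-cache
-private-etc X11,alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,magic,magic.mgc,mime.types,nsswitch.conf,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,xdg
+private-etc X11,alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,magic,magic.mgc,mime.types,nanorc,nsswitch.conf,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,xdg
 private-tmp
 
 # Redirect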
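Review bot: The comment `# Allow /bin/sh (blacklisted by disable-shell.inc)` records what is permitted but not why mov-cli needs a shell, and `sh` and `uname` are added to `private-bin` (new line 32) with no stated reason either. Allowing a shell inside the sandbox is a deliberate widening of the profile, so the comment should name the feature that requires it, e.g. `# Allow /bin/sh (blacklisted by disable-shell.inc); needed for <mov-cli feature — fill in>`. The `whitelist ${DOWNLOADS}` addition is self-explanatory for a downloader and needs no comment.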
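--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -966,10 +966,8 @@ void run_ids(int argc, char **argv);
 void oom_set(const char *oom_string);
 
 // landlock.c
-#ifdef HAVE_LANDLOCK
 int ll_get_fd(void);
 int ll_restrict(uint32_t flags);
 void ll_add_profile(int type, const char *data);
-#endif /* HAVE_LANDLOCK */
 
 #endif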
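--- a/src/firejail/landlock.c
+++ b/src/firejail/landlock.c
@@ -18,7 +18,6 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 
-#ifdef HAVE_LANDLOCK
 #include "firejail.h"
 #include <linux/landlock.h>
 #include <sys/prctl.h>
@@ -27,6 +26,8 @@
 #include <errno.h>
 #include <fcntl.h>
 
+#ifdef HAVE_LANDLOCK
+
 static int ll_ruleset_fd = -1;
 static int ll_abi = -1;
 
@@ -294,4 +295,21 @@ void ll_add_profile(int type, const char *data) {
 ptr->next = entry;
 }
 
+#else
+
+int ll_get_fd(void) {
+return -1;
+}
+
+int ll_restrict(uint32_t flags) {
+(void) flags;
+
+return 0;
+}
+
+void ll_add_profile(int type, const char *data) {
+(void) type;
+(void) data;
+}
+
 #endif /* HAVE_LANDLOCK */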
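Review bot: Moving `#ifdef HAVE_LANDLOCK` from above the include block (old line 21) to below it (new line 29) makes `#include <linux/landlock.h>` unconditional, so a build where Landlock is disabled because the kernel headers do not ship that file would now fail to compile instead of falling back to the new stubs; keep that include (and any other Landlock-only header) inside the `#ifdef HAVE_LANDLOCK` branch, or wrap it in the same guard. Whether the configure check ties HAVE_LANDLOCK to the presence of that header is not visible here, so confirm against the build scripts. Separately, the stub `ll_restrict` returns 0, which a caller cannot distinguish from a successful enforcement; if the caller treats 0 as "Landlock applied", a one-time notice such as `fwarning("landlock.enforce ignored: built without Landlock support\n");` in the stub keeps the fallback visible to the user.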
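--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1073,7 +1073,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 
-#ifdef HAVE_LANDLOCK
+//#ifdef HAVE_LANDLOCK
+// landlock-common.inc is included by default.profile, so the entries of the
+// former should be processed or ignored instead of aborting.
+// Note that all landlock functions are empty when building without landlock
+// support.
 if (strncmp(ptr, "landlock.enforce", 16) == 0) {
 arg_landlock_enforce = 1;
 return 0;
@@ -1098,7 +1102,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 ll_add_profile(LL_FS_EXEC, ptr + 20);
 return 0;
 }
-#endif
+//#endif
 
 // memory deny write&execute
 if (strcmp(ptr, "memory-deny-write-execute") == 0) {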
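Review bot: The `//#ifdef HAVE_LANDLOCK` and `//#endif` lines (new lines 1076 and 1105) are commented-out preprocessor directives; the new comment block already explains why the landlock options are parsed unconditionally, so both lines should be deleted rather than left as dead text that will drift out of sync with landlock.c. The comment's wording that the landlock functions are "empty" is also imprecise, since the stubs in this commit return values (`ll_get_fd` returns -1, `ll_restrict` returns 0); suggest `// Note that all landlock functions are no-op stubs when building without landlock support.`. profile_check_line begins and ends outside the hunk.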