-rw-r--r-- | src/firejail/landlock.c | 29 |
1 files changed, 16 insertions, 13 deletions
diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c index 9cf5ec165..157c0ba4c 100644 --- a/src/firejail/landlock.c +++ b/src/firejail/landlock.c | |||
@@ -117,8 +117,8 @@ static int ll_create_full_ruleset(void) { | |||
117 | return ruleset_fd; | 117 | return ruleset_fd; |
118 | } | 118 | } |
119 | 119 | ||
120 | static int ll_fs(const char *allowed_path, const __u64 allowed_access, | 120 | static int _ll_fs(const char *allowed_path, const __u64 allowed_access, |
121 | const char *caller) { | 121 | const char *caller) { |
122 | if (!ll_is_supported()) | 122 | if (!ll_is_supported()) |
123 | return 0; | 123 | return 0; |
124 | 124 | ||
@@ -155,6 +155,16 @@ static int ll_fs(const char *allowed_path, const __u64 allowed_access, | |||
155 | return error; | 155 | return error; |
156 | } | 156 | } |
157 | 157 | ||
158 | // TODO: Add support for the ${PATH} macro. | ||
159 | static int ll_fs(const char *allowed_path, const __u64 allowed_access, | ||
160 | const char *caller) { | ||
161 | char *expanded_path = expand_macros(allowed_path); | ||
162 | int error = _ll_fs(expanded_path, allowed_access, caller); | ||
163 | |||
164 | free(expanded_path); | ||
165 | return error; | ||
166 | } | ||
167 | |||
158 | int ll_read(const char *allowed_path) { | 168 | int ll_read(const char *allowed_path) { |
159 | __u64 allowed_access = | 169 | __u64 allowed_access = |
160 | LANDLOCK_ACCESS_FS_READ_DIR | | 170 | LANDLOCK_ACCESS_FS_READ_DIR | |
@@ -193,28 +203,21 @@ int ll_exec(const char *allowed_path) { | |||
193 | } | 203 | } |
194 | 204 | ||
195 | int ll_basic_system(void) { | 205 | int ll_basic_system(void) { |
196 | assert(cfg.homedir); | ||
197 | |||
198 | if (!ll_is_supported()) | 206 | if (!ll_is_supported()) |
199 | return 0; | 207 | return 0; |
200 | 208 | ||
201 | if (ll_ruleset_fd == -1) | 209 | if (ll_ruleset_fd == -1) |
202 | ll_ruleset_fd = ll_create_full_ruleset(); | 210 | ll_ruleset_fd = ll_create_full_ruleset(); |
203 | 211 | ||
204 | int error; | 212 | int error = |
205 | char *rundir; | ||
206 | if (asprintf(&rundir, "/run/user/%d", getuid()) == -1) | ||
207 | errExit("asprintf"); | ||
208 | |||
209 | error = | ||
210 | ll_read("/") || // whole system read | 213 | ll_read("/") || // whole system read |
211 | ll_special("/") || // sockets etc. | 214 | ll_special("/") || // sockets etc. |
212 | 215 | ||
213 | ll_write("/tmp") || // write access | 216 | ll_write("/tmp") || // write access |
214 | ll_write("/dev") || | 217 | ll_write("/dev") || |
215 | ll_write("/run/shm") || | 218 | ll_write("/run/shm") || |
216 | ll_write(cfg.homedir) || | 219 | ll_write("${HOME}") || |
217 | ll_write(rundir) || | 220 | ll_write("${RUNUSER}") || |
218 | 221 | ||
219 | ll_exec("/opt") || // exec access | 222 | ll_exec("/opt") || // exec access |
220 | ll_exec("/bin") || | 223 | ll_exec("/bin") || |
@@ -240,7 +243,7 @@ int ll_basic_system(void) { | |||
240 | fprintf(stderr, "Error: %s: failed to set --landlock rules\n", | 243 | fprintf(stderr, "Error: %s: failed to set --landlock rules\n", |
241 | __func__); | 244 | __func__); |
242 | } | 245 | } |
243 | free(rundir); | 246 | |
244 | return error; | 247 | return error; |
245 | } | 248 | } |
246 | 249 | ||
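Review bot: The new `ll_fs` wrapper passes the result of `expand_macros(allowed_path)` straight to `_ll_fs` without checking it, and the same commit drops `assert(cfg.homedir);` from `ll_basic_system`, so the write rule for `"${HOME}"` now depends entirely on how `expand_macros` behaves when the home directory is unset or a macro is unknown. That function is not visible on this page; if it can return NULL or build a path from a NULL `cfg.homedir`, the Landlock rule would be attempted on an unintended path instead of failing loudly. Consider keeping `assert(cfg.homedir);` in `ll_basic_system` and adding `if (!expanded_path) return -1;` in the wrapper (assuming nonzero is the error convention, as the `||` chain suggests). The wrapper also expands before `_ll_fs` reaches its `ll_is_supported()` check, so placing `if (!ll_is_supported()) return 0;` ahead of the expansion would skip the allocation on kernels without Landlock. The bodies of `_ll_fs` and `ll_basic_system` continue outside the visible hunks.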