diff options
| -rw-r--r-- | src/firejail/landlock.c | 29 |
1 files changed, 17 insertions, 12 deletions
diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c index 157c0ba4c..eadce2d97 100644 --- a/src/firejail/landlock.c +++ b/src/firejail/landlock.c | |||
| @@ -213,31 +213,36 @@ int ll_basic_system(void) { | |||
| 213 | ll_read("/") || // whole system read | 213 | ll_read("/") || // whole system read |
| 214 | ll_special("/") || // sockets etc. | 214 | ll_special("/") || // sockets etc. |
| 215 | 215 | ||
| 216 | ll_write("/tmp") || // write access | 216 | // write access |
| 217 | ll_write("/dev") || | ||
| 218 | ll_write("/run/shm") || | ||
| 219 | ll_write("${HOME}") || | 217 | ll_write("${HOME}") || |
| 220 | ll_write("${RUNUSER}") || | 218 | ll_write("${RUNUSER}") || |
| 219 | ll_write("/dev") || | ||
| 220 | ll_write("/run/shm") || | ||
| 221 | ll_write("/tmp") || | ||
| 221 | 222 | ||
| 222 | ll_exec("/opt") || // exec access | 223 | // exec access |
| 224 | /// misc | ||
| 225 | ll_exec("/opt") || | ||
| 226 | ll_exec("/run/firejail") || // appimage and various firejail features | ||
| 227 | /// bin | ||
| 223 | ll_exec("/bin") || | 228 | ll_exec("/bin") || |
| 224 | ll_exec("/sbin") || | 229 | ll_exec("/sbin") || |
| 230 | ll_exec("/usr/bin") || | ||
| 231 | ll_exec("/usr/sbin") || | ||
| 232 | ll_exec("/usr/games") || | ||
| 233 | ll_exec("/usr/local/bin") || | ||
| 234 | ll_exec("/usr/local/sbin") || | ||
| 235 | ll_exec("/usr/local/games") || | ||
| 236 | /// lib | ||
| 225 | ll_exec("/lib") || | 237 | ll_exec("/lib") || |
| 226 | ll_exec("/lib32") || | 238 | ll_exec("/lib32") || |
| 227 | ll_exec("/libx32") || | 239 | ll_exec("/libx32") || |
| 228 | ll_exec("/lib64") || | 240 | ll_exec("/lib64") || |
| 229 | ll_exec("/usr/bin") || | ||
| 230 | ll_exec("/usr/sbin") || | ||
| 231 | ll_exec("/usr/games") || | ||
| 232 | ll_exec("/usr/lib") || | 241 | ll_exec("/usr/lib") || |
| 233 | ll_exec("/usr/lib32") || | 242 | ll_exec("/usr/lib32") || |
| 234 | ll_exec("/usr/libx32") || | 243 | ll_exec("/usr/libx32") || |
| 235 | ll_exec("/usr/lib64") || | 244 | ll_exec("/usr/lib64") || |
| 236 | ll_exec("/usr/local/bin") || | 245 | ll_exec("/usr/local/lib"); |
| 237 | ll_exec("/usr/local/sbin") || | ||
| 238 | ll_exec("/usr/local/games") || | ||
| 239 | ll_exec("/usr/local/lib") || | ||
| 240 | ll_exec("/run/firejail"); // appimage and various firejail features | ||
| 241 | 246 | ||
| 242 | if (error) { | 247 | if (error) { |
| 243 | fprintf(stderr, "Error: %s: failed to set --landlock rules\n", | 248 | fprintf(stderr, "Error: %s: failed to set --landlock rules\n", |