Diffstat (limited to 'src/firejail/firejail.h')
-rw-r--r-- | src/firejail/firejail.h | 37 |
1 files changed, 37 insertions, 0 deletions
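--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -150,6 +150,17 @@ typedef struct profile_entry_t {
 
 } ProfileEntry;
 
+typedef struct landlock_entry_t {
+struct landlock_entry_t *next;
+#define LL_READ 0
+#define LL_WRITE 1
+#define LL_SPECIAL 2
+#define LL_EXEC 3
+#define LL_MAX 4
+int type;
+char *data;
+} LandlockEntry;
+
 typedef struct config_t {
 // user data
 char *username;
@@ -159,6 +170,7 @@ typedef struct config_t {
 // filesystem
 ProfileEntry *profile;
 ProfileEntry *profile_rebuild_etc; // blacklist files in /etc directory used by fs_rebuild_etc()
+LandlockEntry *lprofile;
 
 #define MAX_PROFILE_IGNORE 32
 char *profile_ignore[MAX_PROFILE_IGNORE];
@@ -281,6 +293,9 @@ extern int arg_overlay; // overlay option
 extern int arg_overlay_keep; // place overlay diff in a known directory
 extern int arg_overlay_reuse; // allow the reuse of overlays
 
+extern int arg_landlock; // add basic Landlock rules
+extern int arg_landlock_proc; // 0 - no access; 1 -read-only; 2 - read-write
+
 extern int arg_seccomp; // enable default seccomp filter
 extern int arg_seccomp32; // enable default seccomp filter for 32 bit arch
 extern int arg_seccomp_postexec; // need postexec ld.preload library?
@@ -950,4 +965,26 @@ void run_ids(int argc, char **argv);
 // oom.c
 void oom_set(const char *oom_string);
 
+// landlock.c
+#ifdef HAVE_LANDLOCK
+int ll_get_fd(void);
+int ll_is_supported(void);
+int ll_read(const char *allowed_path);
+int ll_write(const char *allowed_path);
+int ll_special(const char *allowed_path);
+int ll_exec(const char *allowed_path);
+int ll_basic_system(void);
+int ll_restrict(__u32 flags);
+void ll_add_profile(int type, const char *data);
+#else
+static inline int ll_get_fd(void) { return -1; }
+static inline int ll_read(...) { return 0; }
+static inline int ll_write(...) { return 0; }
+static inline int ll_special(...) { return 0; }
+static inline int ll_exec(...) { return 0; }
+static inline int ll_basic_system(void) { return 0; }
+static inline int ll_restrict(...) { return 0; }
+static inline void ll_add_profile(...) { return; }
+#endif /* HAVE_LANDLOCK */
+
 #endif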
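Review bot: The `#else` stubs at new lines 981–987 declare parameter lists of just `(...)`, which C11/C17 reject (a named parameter must precede `...`; only C23 accepts the bare form), so a build without HAVE_LANDLOCK fails to compile this header, and that branch also omits `ll_is_supported`, so any caller of it would fail to link in that configuration. The stubs should mirror the real prototypes, as in the excerpt below. Separately, `ll_restrict(__u32 flags)` relies on `<linux/types.h>` being visible wherever firejail.h is included, which this hunk does not show; consider `unsigned int` or guarding the typedef if the header is meant to be self-contained. Because the stubs return 0, if 0 is the success value of the real `ll_restrict` and `ll_basic_system` then a non-Landlock build reports that restrictions were applied when nothing was enforced; callers should gate on `ll_is_supported()` (stubbed to 0) rather than on these return values.
```c
#else
static inline int ll_get_fd(void) { return -1; }
static inline int ll_is_supported(void) { return 0; }
static inline int ll_read(const char *allowed_path) { (void)allowed_path; return 0; }
static inline int ll_write(const char *allowed_path) { (void)allowed_path; return 0; }
static inline int ll_special(const char *allowed_path) { (void)allowed_path; return 0; }
static inline int ll_exec(const char *allowed_path) { (void)allowed_path; return 0; }
static inline int ll_basic_system(void) { return 0; }
static inline int ll_restrict(__u32 flags) { (void)flags; return 0; }
static inline void ll_add_profile(int type, const char *data) { (void)type; (void)data; }
#endif /* HAVE_LANDLOCK */
```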