Diffstat (limited to 'src/firejail/firejail.h')
-rw-r--r--src/firejail/firejail.h37
1 files changed, 37 insertions, 0 deletions
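--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -150,6 +150,17 @@ typedef struct profile_entry_t {
 
 } ProfileEntry;
 
+typedef struct landlock_entry_t {
+	struct landlock_entry_t *next;
+#define LL_READ 0
+#define LL_WRITE 1
+#define LL_SPECIAL 2
+#define LL_EXEC 3
+#define LL_MAX 4
+	int type;
+	char *data;
+} LandlockEntry;
+
 typedef struct config_t {
 	// user data
 	char *username;
@@ -159,6 +170,7 @@ typedef struct config_t {
 	// filesystem
 	ProfileEntry *profile;
 	ProfileEntry *profile_rebuild_etc; // blacklist files in /etc directory used by fs_rebuild_etc()
+	LandlockEntry *lprofile;
 
 #define MAX_PROFILE_IGNORE 32
 	char *profile_ignore[MAX_PROFILE_IGNORE];
@@ -281,6 +293,9 @@ extern int arg_overlay; // overlay option
 extern int arg_overlay_keep; // place overlay diff in a known directory
 extern int arg_overlay_reuse; // allow the reuse of overlays
 
+extern int arg_landlock; // add basic Landlock rules
+extern int arg_landlock_proc; // 0 - no access; 1 -read-only; 2 - read-write
+
 extern int arg_seccomp; // enable default seccomp filter
 extern int arg_seccomp32; // enable default seccomp filter for 32 bit arch
 extern int arg_seccomp_postexec; // need postexec ld.preload library?
@@ -950,4 +965,26 @@ void run_ids(int argc, char **argv);
 // oom.c
 void oom_set(const char *oom_string);
 
+// landlock.c
+#ifdef HAVE_LANDLOCK
+int ll_get_fd(void);
+int ll_is_supported(void);
+int ll_read(const char *allowed_path);
+int ll_write(const char *allowed_path);
+int ll_special(const char *allowed_path);
+int ll_exec(const char *allowed_path);
+int ll_basic_system(void);
+int ll_restrict(__u32 flags);
+void ll_add_profile(int type, const char *data);
+#else
+static inline int ll_get_fd(void) { return -1; }
+static inline int ll_read(...) { return 0; }
+static inline int ll_write(...) { return 0; }
+static inline int ll_special(...) { return 0; }
+static inline int ll_exec(...) { return 0; }
+static inline int ll_basic_system(void) { return 0; }
+static inline int ll_restrict(...) { return 0; }
+static inline void ll_add_profile(...) { return; }
+#endif /* HAVE_LANDLOCK */
+
 #endif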
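Review bot: In the `#else` branch of the last hunk, the fallback stubs `ll_read(...)`, `ll_write(...)`, `ll_special(...)`, `ll_exec(...)`, `ll_restrict(...)` and `ll_add_profile(...)` declare a parameter list consisting only of `...`, which C11 does not allow (a named parameter must precede `...`; only C23 relaxes this), so a build without HAVE_LANDLOCK is likely to fail on a strict compiler. The stubs should carry the same signatures as the real prototypes and discard their arguments, as in the excerpt below. The fallback branch also omits `ll_is_supported`, which is declared on the HAVE_LANDLOCK side, so any caller that consults it would not link when Landlock is compiled out; the excerpt adds a stub returning 0 on the assumption that 0 means "not supported" — confirm against landlock.c. Since every stub reports success, a profile that requests Landlock rules is silently left unenforced when the feature is compiled out; a comment at the `#else`, e.g. `// no-op stubs: Landlock support compiled out, rules are silently not applied`, would make that visible to callers. `__u32` in `ll_restrict` needs `<linux/types.h>` in scope, which this hunk does not show.
```c
#else
static inline int ll_get_fd(void) { return -1; }
static inline int ll_is_supported(void) { return 0; }
static inline int ll_read(const char *allowed_path) { (void)allowed_path; return 0; }
static inline int ll_write(const char *allowed_path) { (void)allowed_path; return 0; }
static inline int ll_special(const char *allowed_path) { (void)allowed_path; return 0; }
static inline int ll_exec(const char *allowed_path) { (void)allowed_path; return 0; }
static inline int ll_basic_system(void) { return 0; }
static inline int ll_restrict(__u32 flags) { (void)flags; return 0; }
static inline void ll_add_profile(int type, const char *data) { (void)type; (void)data; }
#endif /* HAVE_LANDLOCK */
```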