1 files changed, 37 insertions, 0 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index c791913ea..5a96fcbfd 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -150,6 +150,17 @@ typedef struct profile_entry_t {
 } ProfileEntry;
+typedef struct landlock_entry_t {
+        struct landlock_entry_t *next;
+#define LL_READ 0
+#define LL_WRITE 1
+#define LL_SPECIAL 2
+#define LL_EXEC 3
+#define LL_MAX 4
+        int type;
+        char *data;
+} LandlockEntry;
 typedef struct config_t {
        // user data
        char *username;
@@ -159,6 +170,7 @@ typedef struct config_t {
        // filesystem
        ProfileEntry *profile;
        ProfileEntry *profile_rebuild_etc;      // blacklist files in /etc directory used by fs_rebuild_etc()
+        LandlockEntry *lprofile;
 #define MAX_PROFILE_IGNORE 32
        char *profile_ignore[MAX_PROFILE_IGNORE];
@@ -281,6 +293,9 @@ extern int arg_overlay;		// overlay option
 extern int arg_overlay_keep;    // place overlay diff in a known directory
 extern int arg_overlay_reuse;   // allow the reuse of overlays
+extern int arg_landlock;                // add basic Landlock rules
+extern int arg_landlock_proc;           // 0 - no access; 1 -read-only; 2 - read-write
 extern int arg_seccomp; // enable default seccomp filter
 extern int arg_seccomp32;       // enable default seccomp filter for 32 bit arch
 extern int arg_seccomp_postexec;        // need postexec ld.preload library?
@@ -950,4 +965,26 @@ void run_ids(int argc, char **argv);
 // oom.c
 void oom_set(const char *oom_string);
+// landlock.c
+#ifdef HAVE_LANDLOCK
+int ll_get_fd(void);
+int ll_is_supported(void);
+int ll_read(const char *allowed_path);
+int ll_write(const char *allowed_path);
+int ll_special(const char *allowed_path);
+int ll_exec(const char *allowed_path);
+int ll_basic_system(void);
+int ll_restrict(__u32 flags);
+void ll_add_profile(int type, const char *data);
+#else
+static inline int ll_get_fd(void) { return -1; }
+static inline int ll_read(...) { return 0; }
+static inline int ll_write(...) { return 0; }
+static inline int ll_special(...) { return 0; }
+static inline int ll_exec(...) { return 0; }
+static inline int ll_basic_system(void) { return 0; }
+static inline int ll_restrict(...) { return 0; }
+static inline void ll_add_profile(...) { return; }
+#endif /* HAVE_LANDLOCK */
 #endif

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index c791913ea..5a96fcbfd 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -150,6 +150,17 @@ typedef struct profile_entry_t {
150		150
151	} ProfileEntry;	151	} ProfileEntry;
152		152
		153	typedef struct landlock_entry_t {
		154	struct landlock_entry_t *next;
		155	#define LL_READ 0
		156	#define LL_WRITE 1
		157	#define LL_SPECIAL 2
		158	#define LL_EXEC 3
		159	#define LL_MAX 4
		160	int type;
		161	char *data;
		162	} LandlockEntry;
		163
153	typedef struct config_t {	164	typedef struct config_t {
154	// user data	165	// user data
155	char *username;	166	char *username;
@@ -159,6 +170,7 @@ typedef struct config_t {
159	// filesystem	170	// filesystem
160	ProfileEntry *profile;	171	ProfileEntry *profile;
161	ProfileEntry *profile_rebuild_etc; // blacklist files in /etc directory used by fs_rebuild_etc()	172	ProfileEntry *profile_rebuild_etc; // blacklist files in /etc directory used by fs_rebuild_etc()
		173	LandlockEntry *lprofile;
162		174
163	#define MAX_PROFILE_IGNORE 32	175	#define MAX_PROFILE_IGNORE 32
164	char *profile_ignore[MAX_PROFILE_IGNORE];	176	char *profile_ignore[MAX_PROFILE_IGNORE];
@@ -281,6 +293,9 @@ extern int arg_overlay; // overlay option
281	extern int arg_overlay_keep; // place overlay diff in a known directory	293	extern int arg_overlay_keep; // place overlay diff in a known directory
282	extern int arg_overlay_reuse; // allow the reuse of overlays	294	extern int arg_overlay_reuse; // allow the reuse of overlays
283		295
		296	extern int arg_landlock; // add basic Landlock rules
		297	extern int arg_landlock_proc; // 0 - no access; 1 -read-only; 2 - read-write
		298
284	extern int arg_seccomp; // enable default seccomp filter	299	extern int arg_seccomp; // enable default seccomp filter
285	extern int arg_seccomp32; // enable default seccomp filter for 32 bit arch	300	extern int arg_seccomp32; // enable default seccomp filter for 32 bit arch
286	extern int arg_seccomp_postexec; // need postexec ld.preload library?	301	extern int arg_seccomp_postexec; // need postexec ld.preload library?
@@ -950,4 +965,26 @@ void run_ids(int argc, char **argv);
950	// oom.c	965	// oom.c
951	void oom_set(const char *oom_string);	966	void oom_set(const char *oom_string);
952		967
		968	// landlock.c
		969	#ifdef HAVE_LANDLOCK
		970	int ll_get_fd(void);
		971	int ll_is_supported(void);
		972	int ll_read(const char *allowed_path);
		973	int ll_write(const char *allowed_path);
		974	int ll_special(const char *allowed_path);
		975	int ll_exec(const char *allowed_path);
		976	int ll_basic_system(void);
		977	int ll_restrict(__u32 flags);
		978	void ll_add_profile(int type, const char *data);
		979	#else
		980	static inline int ll_get_fd(void) { return -1; }
		981	static inline int ll_read(...) { return 0; }
		982	static inline int ll_write(...) { return 0; }
		983	static inline int ll_special(...) { return 0; }
		984	static inline int ll_exec(...) { return 0; }
		985	static inline int ll_basic_system(void) { return 0; }
		986	static inline int ll_restrict(...) { return 0; }
		987	static inline void ll_add_profile(...) { return; }
		988	#endif /* HAVE_LANDLOCK */
		989
953	#endif	990	#endif