1 files changed, 28 insertions, 0 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 0327f8bda..5bcc3a0e5 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -75,6 +75,9 @@ int arg_overlay = 0;				// overlay option
 int arg_overlay_keep = 0;                       // place overlay diff in a known directory
 int arg_overlay_reuse = 0;                      // allow the reuse of overlays
+int arg_landlock = 0;                   // add basic Landlock rules
+int arg_landlock_proc = 2;              // 0 - no access; 1 -read-only; 2 - read-write
 int arg_seccomp = 0;                            // enable default seccomp filter
 int arg_seccomp32 = 0;                          // enable default seccomp filter for 32 bit arch
 int arg_seccomp_postexec = 0;                   // need postexec ld.preload library?
@@ -1500,6 +1503,31 @@ int main(int argc, char **argv, char **envp) {
                        else
                                exit_err_feature("seccomp");
                }
+#ifdef HAVE_LANDLOCK
+                else if (strcmp(argv[i], "--landlock") == 0)
+                        arg_landlock = 1;
+                else if (strncmp(argv[i], "--landlock.proc=", 16) == 0) {
+                        if (strncmp(argv[i] + 16, "no", 2) == 0)
+                                arg_landlock_proc = 0;
+                        else if (strncmp(argv[i] + 16, "ro", 2) == 0)
+                                arg_landlock_proc = 1;
+                        else if (strncmp(argv[i] + 16, "rw", 2) == 0)
+                                arg_landlock_proc = 2;
+                        else {
+                                fprintf(stderr, "Error: invalid landlock.proc value: %s\n",
+                                        argv[i] + 16);
+                                exit(1);
+                        }
+                }
+                else if (strncmp(argv[i], "--landlock.read=", 16) == 0)
+                        ll_add_profile(LL_READ, argv[i] + 16);
+                else if (strncmp(argv[i], "--landlock.write=", 17) == 0)
+                        ll_add_profile(LL_WRITE, argv[i] + 17);
+                else if (strncmp(argv[i], "--landlock.special=", 19) == 0)
+                        ll_add_profile(LL_SPECIAL, argv[i] + 19);
+                else if (strncmp(argv[i], "--landlock.execute=", 19) == 0)
+                        ll_add_profile(LL_EXEC, argv[i] + 19);
+#endif
                else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) {
                        if (checkcfg(CFG_SECCOMP))
                                arg_memory_deny_write_execute = 1;

diff --git a/src/firejail/main.c b/src/firejail/main.c index 0327f8bda..5bcc3a0e5 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -75,6 +75,9 @@ int arg_overlay = 0; // overlay option
75	int arg_overlay_keep = 0; // place overlay diff in a known directory	75	int arg_overlay_keep = 0; // place overlay diff in a known directory
76	int arg_overlay_reuse = 0; // allow the reuse of overlays	76	int arg_overlay_reuse = 0; // allow the reuse of overlays
77		77
		78	int arg_landlock = 0; // add basic Landlock rules
		79	int arg_landlock_proc = 2; // 0 - no access; 1 -read-only; 2 - read-write
		80
78	int arg_seccomp = 0; // enable default seccomp filter	81	int arg_seccomp = 0; // enable default seccomp filter
79	int arg_seccomp32 = 0; // enable default seccomp filter for 32 bit arch	82	int arg_seccomp32 = 0; // enable default seccomp filter for 32 bit arch
80	int arg_seccomp_postexec = 0; // need postexec ld.preload library?	83	int arg_seccomp_postexec = 0; // need postexec ld.preload library?
@@ -1500,6 +1503,31 @@ int main(int argc, char argv, char envp) {
1500	else	1503	else
1501	exit_err_feature("seccomp");	1504	exit_err_feature("seccomp");
1502	}	1505	}
		1506	#ifdef HAVE_LANDLOCK
		1507	else if (strcmp(argv[i], "--landlock") == 0)
		1508	arg_landlock = 1;
		1509	else if (strncmp(argv[i], "--landlock.proc=", 16) == 0) {
		1510	if (strncmp(argv[i] + 16, "no", 2) == 0)
		1511	arg_landlock_proc = 0;
		1512	else if (strncmp(argv[i] + 16, "ro", 2) == 0)
		1513	arg_landlock_proc = 1;
		1514	else if (strncmp(argv[i] + 16, "rw", 2) == 0)
		1515	arg_landlock_proc = 2;
		1516	else {
		1517	fprintf(stderr, "Error: invalid landlock.proc value: %s\n",
		1518	argv[i] + 16);
		1519	exit(1);
		1520	}
		1521	}
		1522	else if (strncmp(argv[i], "--landlock.read=", 16) == 0)
		1523	ll_add_profile(LL_READ, argv[i] + 16);
		1524	else if (strncmp(argv[i], "--landlock.write=", 17) == 0)
		1525	ll_add_profile(LL_WRITE, argv[i] + 17);
		1526	else if (strncmp(argv[i], "--landlock.special=", 19) == 0)
		1527	ll_add_profile(LL_SPECIAL, argv[i] + 19);
		1528	else if (strncmp(argv[i], "--landlock.execute=", 19) == 0)
		1529	ll_add_profile(LL_EXEC, argv[i] + 19);
		1530	#endif
1503	else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) {	1531	else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) {
1504	if (checkcfg(CFG_SECCOMP))	1532	if (checkcfg(CFG_SECCOMP))
1505	arg_memory_deny_write_execute = 1;	1533	arg_memory_deny_write_execute = 1;