Diffstat (limited to 'src/firejail/main.c')
-rw-r--r-- | src/firejail/main.c | 28 |
1 files changed, 28 insertions, 0 deletions
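--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -75,6 +75,9 @@ int arg_overlay = 0; // overlay option
 int arg_overlay_keep = 0; // place overlay diff in a known directory
 int arg_overlay_reuse = 0; // allow the reuse of overlays
 
+int arg_landlock = 0; // add basic Landlock rules
+int arg_landlock_proc = 2; // 0 - no access; 1 -read-only; 2 - read-write
+
 int arg_seccomp = 0; // enable default seccomp filter
 int arg_seccomp32 = 0; // enable default seccomp filter for 32 bit arch
 int arg_seccomp_postexec = 0; // need postexec ld.preload library?
@@ -1500,6 +1503,31 @@ int main(int argc, char **argv, char **envp) {
 else
 exit_err_feature("seccomp");
 }
+#ifdef HAVE_LANDLOCK
+else if (strcmp(argv[i], "--landlock") == 0)
+arg_landlock = 1;
+else if (strncmp(argv[i], "--landlock.proc=", 16) == 0) {
+if (strncmp(argv[i] + 16, "no", 2) == 0)
+arg_landlock_proc = 0;
+else if (strncmp(argv[i] + 16, "ro", 2) == 0)
+arg_landlock_proc = 1;
+else if (strncmp(argv[i] + 16, "rw", 2) == 0)
+arg_landlock_proc = 2;
+else {
+fprintf(stderr, "Error: invalid landlock.proc value: %s\n",
+argv[i] + 16);
+exit(1);
+}
+}
+else if (strncmp(argv[i], "--landlock.read=", 16) == 0)
+ll_add_profile(LL_READ, argv[i] + 16);
+else if (strncmp(argv[i], "--landlock.write=", 17) == 0)
+ll_add_profile(LL_WRITE, argv[i] + 17);
+else if (strncmp(argv[i], "--landlock.special=", 19) == 0)
+ll_add_profile(LL_SPECIAL, argv[i] + 19);
+else if (strncmp(argv[i], "--landlock.execute=", 19) == 0)
+ll_add_profile(LL_EXEC, argv[i] + 19);
+#endif
 else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) {
 if (checkcfg(CFG_SECCOMP))
 arg_memory_deny_write_execute = 1;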
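Review bot: The `--landlock.proc=` value is matched with `strncmp(..., 2)`, so only the first two characters are compared and a value with trailing text (for example `rwx` or `root`) is silently accepted as `rw` or `ro` instead of reaching the "invalid landlock.proc value" branch. For an option that sets a sandbox access level the match should be exact: `if (strcmp(argv[i] + 16, "no") == 0)`, and likewise for `"ro"` and `"rw"`. The four `ll_add_profile()` branches pass `argv[i] + N` straight through, so an empty value such as `--landlock.read=` reaches the helper; whether `ll_add_profile` rejects an empty path is not visible here and is worth confirming. In the first hunk, `arg_landlock_proc` defaults to 2 (read-write), the most permissive of the three documented levels, so a comment stating why that default was chosen would help the next reader. `main()` starts and ends outside this hunk.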