diff options
Diffstat (limited to 'src/firejail/main.c')
-rw-r--r-- | src/firejail/main.c | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c index 29c25dfc5..cff6eba5f 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -23,6 +23,9 @@ | |||
23 | #include "../include/gcov_wrapper.h" | 23 | #include "../include/gcov_wrapper.h" |
24 | #include "../include/syscall.h" | 24 | #include "../include/syscall.h" |
25 | #include "../include/seccomp.h" | 25 | #include "../include/seccomp.h" |
26 | #ifdef HAVE_LANDLOCK | ||
27 | #include "../include/tinyLL.h" | ||
28 | #endif | ||
26 | #define _GNU_SOURCE | 29 | #define _GNU_SOURCE |
27 | #include <sys/utsname.h> | 30 | #include <sys/utsname.h> |
28 | #include <sched.h> | 31 | #include <sched.h> |
@@ -81,6 +84,10 @@ int arg_seccomp_postexec = 0; // need postexec ld.preload library? | |||
81 | int arg_seccomp_block_secondary = 0; // block any secondary architectures | 84 | int arg_seccomp_block_secondary = 0; // block any secondary architectures |
82 | int arg_seccomp_error_action = 0; | 85 | int arg_seccomp_error_action = 0; |
83 | 86 | ||
87 | #ifdef HAVE_LANDLOCK | ||
88 | int arg_landlock = -1; // Landlock ruleset file descriptor (-1 if it doesn't exist) | ||
89 | #endif | ||
90 | |||
84 | int arg_caps_default_filter = 0; // enable default capabilities filter | 91 | int arg_caps_default_filter = 0; // enable default capabilities filter |
85 | int arg_caps_drop = 0; // drop list | 92 | int arg_caps_drop = 0; // drop list |
86 | int arg_caps_drop_all = 0; // drop all capabilities | 93 | int arg_caps_drop_all = 0; // drop all capabilities |
@@ -1401,6 +1408,32 @@ int main(int argc, char **argv, char **envp) { | |||
1401 | else | 1408 | else |
1402 | exit_err_feature("seccomp"); | 1409 | exit_err_feature("seccomp"); |
1403 | } | 1410 | } |
1411 | #ifdef HAVE_LANDLOCK | ||
1412 | else if (strncmp(argv[i], "--landlock-read=", 16) == 0) { | ||
1413 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
1414 | if (add_read_access_rule_by_path(arg_landlock, argv[i]+16)) { | ||
1415 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1416 | } | ||
1417 | } | ||
1418 | else if (strncmp(argv[i], "--landlock-write=", 17) == 0) { | ||
1419 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
1420 | if (add_write_access_rule_by_path(arg_landlock, argv[i]+17,0)) { | ||
1421 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1422 | } | ||
1423 | } | ||
1424 | else if (strncmp(argv[i], "--landlock-restricted-write=", 28) == 0) { | ||
1425 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
1426 | if (add_write_access_rule_by_path(arg_landlock, argv[i]+28,1)) { | ||
1427 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1428 | } | ||
1429 | } | ||
1430 | else if (strncmp(argv[i], "--landlock-execute=", 19) == 0) { | ||
1431 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
1432 | if (add_execute_rule_by_path(arg_landlock, argv[i]+19)) { | ||
1433 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1434 | } | ||
1435 | } | ||
1436 | #endif | ||
1404 | else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) { | 1437 | else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) { |
1405 | if (checkcfg(CFG_SECCOMP)) | 1438 | if (checkcfg(CFG_SECCOMP)) |
1406 | arg_memory_deny_write_execute = 1; | 1439 | arg_memory_deny_write_execute = 1; |