diff options
Diffstat (limited to 'src/firejail/main.c')
| -rw-r--r-- | src/firejail/main.c | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c index 29c25dfc5..cff6eba5f 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -23,6 +23,9 @@ | |||
| 23 | #include "../include/gcov_wrapper.h" | 23 | #include "../include/gcov_wrapper.h" |
| 24 | #include "../include/syscall.h" | 24 | #include "../include/syscall.h" |
| 25 | #include "../include/seccomp.h" | 25 | #include "../include/seccomp.h" |
| 26 | #ifdef HAVE_LANDLOCK | ||
| 27 | #include "../include/tinyLL.h" | ||
| 28 | #endif | ||
| 26 | #define _GNU_SOURCE | 29 | #define _GNU_SOURCE |
| 27 | #include <sys/utsname.h> | 30 | #include <sys/utsname.h> |
| 28 | #include <sched.h> | 31 | #include <sched.h> |
| @@ -81,6 +84,10 @@ int arg_seccomp_postexec = 0; // need postexec ld.preload library? | |||
| 81 | int arg_seccomp_block_secondary = 0; // block any secondary architectures | 84 | int arg_seccomp_block_secondary = 0; // block any secondary architectures |
| 82 | int arg_seccomp_error_action = 0; | 85 | int arg_seccomp_error_action = 0; |
| 83 | 86 | ||
| 87 | #ifdef HAVE_LANDLOCK | ||
| 88 | int arg_landlock = -1; // Landlock ruleset file descriptor (-1 if it doesn't exist) | ||
| 89 | #endif | ||
| 90 | |||
| 84 | int arg_caps_default_filter = 0; // enable default capabilities filter | 91 | int arg_caps_default_filter = 0; // enable default capabilities filter |
| 85 | int arg_caps_drop = 0; // drop list | 92 | int arg_caps_drop = 0; // drop list |
| 86 | int arg_caps_drop_all = 0; // drop all capabilities | 93 | int arg_caps_drop_all = 0; // drop all capabilities |
| @@ -1401,6 +1408,32 @@ int main(int argc, char **argv, char **envp) { | |||
| 1401 | else | 1408 | else |
| 1402 | exit_err_feature("seccomp"); | 1409 | exit_err_feature("seccomp"); |
| 1403 | } | 1410 | } |
| 1411 | #ifdef HAVE_LANDLOCK | ||
| 1412 | else if (strncmp(argv[i], "--landlock-read=", 16) == 0) { | ||
| 1413 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
| 1414 | if (add_read_access_rule_by_path(arg_landlock, argv[i]+16)) { | ||
| 1415 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
| 1416 | } | ||
| 1417 | } | ||
| 1418 | else if (strncmp(argv[i], "--landlock-write=", 17) == 0) { | ||
| 1419 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
| 1420 | if (add_write_access_rule_by_path(arg_landlock, argv[i]+17,0)) { | ||
| 1421 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
| 1422 | } | ||
| 1423 | } | ||
| 1424 | else if (strncmp(argv[i], "--landlock-restricted-write=", 28) == 0) { | ||
| 1425 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
| 1426 | if (add_write_access_rule_by_path(arg_landlock, argv[i]+28,1)) { | ||
| 1427 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
| 1428 | } | ||
| 1429 | } | ||
| 1430 | else if (strncmp(argv[i], "--landlock-execute=", 19) == 0) { | ||
| 1431 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
| 1432 | if (add_execute_rule_by_path(arg_landlock, argv[i]+19)) { | ||
| 1433 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
| 1434 | } | ||
| 1435 | } | ||
| 1436 | #endif | ||
| 1404 | else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) { | 1437 | else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) { |
| 1405 | if (checkcfg(CFG_SECCOMP)) | 1438 | if (checkcfg(CFG_SECCOMP)) |
| 1406 | arg_memory_deny_write_execute = 1; | 1439 | arg_memory_deny_write_execute = 1; |