Diffstat (limited to 'src/firejail/profile.c')
-rw-r--r-- | src/firejail/profile.c | 84 |
1 files changed, 84 insertions, 0 deletions
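--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1045,6 +1045,90 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		return 0;
 	}
 
+#ifdef HAVE_LANDLOCK
+	// Landlock ruleset paths
+	if (strcmp(ptr, "landlock") == 0) {
+		if (arg_landlock == -1) arg_landlock = create_full_ruleset();
+		const char *home_dir = env_get("HOME");
+		int home_fd = open(home_dir,O_PATH | O_CLOEXEC);
+		struct landlock_path_beneath_attr target;
+		target.parent_fd = home_fd;
+		target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SYM;
+		if (landlock_add_rule(arg_landlock,LANDLOCK_RULE_PATH_BENEATH,&target,0)) {
+			fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
+		}
+		close(home_fd);
+		if (add_read_access_rule_by_path(arg_landlock, "/bin/")) {
+			fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
+		}
+		if (add_execute_rule_by_path(arg_landlock, "/bin/")) {
+			fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
+		}
+		if (add_read_access_rule_by_path(arg_landlock, "/dev/")) {
+			fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
+		}
+		if (add_read_access_rule_by_path(arg_landlock, "/etc/")) {
+			fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
+		}
+		if (add_read_access_rule_by_path(arg_landlock, "/lib/")) {
+			fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
+		}
+		if (add_execute_rule_by_path(arg_landlock, "/lib/")) {
+			fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
+		}
+		if (add_read_access_rule_by_path(arg_landlock, "/opt/")) {
+			fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
+		}
+		if (add_execute_rule_by_path(arg_landlock, "/opt/")) {
+			fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
+		}
+		if (add_read_access_rule_by_path(arg_landlock, "/usr/")) {
+			fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
+		}
+		if (add_execute_rule_by_path(arg_landlock, "/usr/")) {
+			fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
+		}
+		if (add_read_access_rule_by_path(arg_landlock, "/var/")) {
+			fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
+		}
+		return 0;
+	}
+	if (strncmp(ptr, "landlock.proc ", 14) == 0) {
+		if (strncmp(ptr+14, "no", 2) == 0) arg_landlock_proc = 0;
+		else if (strncmp(ptr+14, "ro", 2) == 0) arg_landlock_proc = 1;
+		else if (strncmp(ptr+14, "rw", 2) == 0) arg_landlock_proc = 2;
+		return 0;
+	}
+	if (strncmp(ptr, "landlock.read ", 14) == 0) {
+		if (arg_landlock == -1) arg_landlock = create_full_ruleset();
+		if (add_read_access_rule_by_path(arg_landlock, ptr+14)) {
+			fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
+		}
+		return 0;
+	}
+	if (strncmp(ptr, "landlock.write ", 15) == 0) {
+		if (arg_landlock == -1) arg_landlock = create_full_ruleset();
+		if (add_write_access_rule_by_path(arg_landlock, ptr+15)) {
+			fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
+		}
+		return 0;
+	}
+	if (strncmp(ptr, "landlock.special ", 26) == 0) {
+		if (arg_landlock == -1) arg_landlock = create_full_ruleset();
+		if (add_create_special_rule_by_path(arg_landlock, ptr+26)) {
+			fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
+		}
+		return 0;
+	}
+	if (strncmp(ptr, "landlock.execute ", 17) == 0) {
+		if (arg_landlock == -1) arg_landlock = create_full_ruleset();
+		if (add_execute_rule_by_path(arg_landlock, ptr+17)) {
+			fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
+		}
+		return 0;
+	}
+#endif
+
 	// memory deny write&execute
 	if (strcmp(ptr, "memory-deny-write-execute") == 0) {
 		if (checkcfg(CFG_SECCOMP))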
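Review bot: The `landlock.special` branch passes length 26 to strncmp although the literal `"landlock.special "` is 17 characters, so the comparison can only succeed when the profile line is exactly the bare keyword with no path, and `ptr+26` then points past the terminating NUL of that line (an out-of-bounds read); the two lines should be `if (strncmp(ptr, "landlock.special ", 17) == 0) {` and `if (add_create_special_rule_by_path(arg_landlock, ptr+17)) {`, matching the 15 and 17 used by the `landlock.write` and `landlock.execute` branches. In the `landlock` branch neither `env_get("HOME")` nor `open(home_dir, O_PATH | O_CLOEXEC)` is checked, so an unset HOME hands NULL to open() and a failed open puts -1 into `target.parent_fd` and later `close(-1)`; a guard such as `if (!home_dir || home_fd == -1) { fprintf(stderr, "Error: cannot open HOME for Landlock\n"); } else { ... }` around the home rule would keep the remaining rules intact without those calls. The `landlock.proc` branch returns 0 for any value other than no/ro/rw without reporting it, so a typo in a profile silently leaves `arg_landlock_proc` at its previous value; an else branch printing the bad value with lineno and fname (both are parameters of this function) would surface that. The twelve identical `if (add_*_rule_by_path(...)) { fprintf(...) }` blocks in the `landlock` branch could be one loop over a static table of (path, read, execute) entries with a single error message, which also gives one place to fix the spelling of "occured". profile_check_line begins and ends outside this hunk.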