diff options
Diffstat (limited to 'src/firejail/profile.c')
| -rw-r--r-- | src/firejail/profile.c | 84 |
1 files changed, 84 insertions, 0 deletions
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index f406e2c53..9a2f8c82c 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
| @@ -1045,6 +1045,90 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
| 1045 | return 0; | 1045 | return 0; |
| 1046 | } | 1046 | } |
| 1047 | 1047 | ||
| 1048 | #ifdef HAVE_LANDLOCK | ||
| 1049 | // Landlock ruleset paths | ||
| 1050 | if (strcmp(ptr, "landlock") == 0) { | ||
| 1051 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
| 1052 | const char *home_dir = env_get("HOME"); | ||
| 1053 | int home_fd = open(home_dir,O_PATH | O_CLOEXEC); | ||
| 1054 | struct landlock_path_beneath_attr target; | ||
| 1055 | target.parent_fd = home_fd; | ||
| 1056 | target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SYM; | ||
| 1057 | if (landlock_add_rule(arg_landlock,LANDLOCK_RULE_PATH_BENEATH,&target,0)) { | ||
| 1058 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
| 1059 | } | ||
| 1060 | close(home_fd); | ||
| 1061 | if (add_read_access_rule_by_path(arg_landlock, "/bin/")) { | ||
| 1062 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
| 1063 | } | ||
| 1064 | if (add_execute_rule_by_path(arg_landlock, "/bin/")) { | ||
| 1065 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
| 1066 | } | ||
| 1067 | if (add_read_access_rule_by_path(arg_landlock, "/dev/")) { | ||
| 1068 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
| 1069 | } | ||
| 1070 | if (add_read_access_rule_by_path(arg_landlock, "/etc/")) { | ||
| 1071 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
| 1072 | } | ||
| 1073 | if (add_read_access_rule_by_path(arg_landlock, "/lib/")) { | ||
| 1074 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
| 1075 | } | ||
| 1076 | if (add_execute_rule_by_path(arg_landlock, "/lib/")) { | ||
| 1077 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
| 1078 | } | ||
| 1079 | if (add_read_access_rule_by_path(arg_landlock, "/opt/")) { | ||
| 1080 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
| 1081 | } | ||
| 1082 | if (add_execute_rule_by_path(arg_landlock, "/opt/")) { | ||
| 1083 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
| 1084 | } | ||
| 1085 | if (add_read_access_rule_by_path(arg_landlock, "/usr/")) { | ||
| 1086 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
| 1087 | } | ||
| 1088 | if (add_execute_rule_by_path(arg_landlock, "/usr/")) { | ||
| 1089 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
| 1090 | } | ||
| 1091 | if (add_read_access_rule_by_path(arg_landlock, "/var/")) { | ||
| 1092 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
| 1093 | } | ||
| 1094 | return 0; | ||
| 1095 | } | ||
| 1096 | if (strncmp(ptr, "landlock.proc ", 14) == 0) { | ||
| 1097 | if (strncmp(ptr+14, "no", 2) == 0) arg_landlock_proc = 0; | ||
| 1098 | else if (strncmp(ptr+14, "ro", 2) == 0) arg_landlock_proc = 1; | ||
| 1099 | else if (strncmp(ptr+14, "rw", 2) == 0) arg_landlock_proc = 2; | ||
| 1100 | return 0; | ||
| 1101 | } | ||
| 1102 | if (strncmp(ptr, "landlock.read ", 14) == 0) { | ||
| 1103 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
| 1104 | if (add_read_access_rule_by_path(arg_landlock, ptr+14)) { | ||
| 1105 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
| 1106 | } | ||
| 1107 | return 0; | ||
| 1108 | } | ||
| 1109 | if (strncmp(ptr, "landlock.write ", 15) == 0) { | ||
| 1110 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
| 1111 | if (add_write_access_rule_by_path(arg_landlock, ptr+15)) { | ||
| 1112 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
| 1113 | } | ||
| 1114 | return 0; | ||
| 1115 | } | ||
| 1116 | if (strncmp(ptr, "landlock.special ", 26) == 0) { | ||
| 1117 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
| 1118 | if (add_create_special_rule_by_path(arg_landlock, ptr+26)) { | ||
| 1119 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
| 1120 | } | ||
| 1121 | return 0; | ||
| 1122 | } | ||
| 1123 | if (strncmp(ptr, "landlock.execute ", 17) == 0) { | ||
| 1124 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
| 1125 | if (add_execute_rule_by_path(arg_landlock, ptr+17)) { | ||
| 1126 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
| 1127 | } | ||
| 1128 | return 0; | ||
| 1129 | } | ||
| 1130 | #endif | ||
| 1131 | |||
| 1048 | // memory deny write&execute | 1132 | // memory deny write&execute |
| 1049 | if (strcmp(ptr, "memory-deny-write-execute") == 0) { | 1133 | if (strcmp(ptr, "memory-deny-write-execute") == 0) { |
| 1050 | if (checkcfg(CFG_SECCOMP)) | 1134 | if (checkcfg(CFG_SECCOMP)) |