Diffstat (limited to 'src/firejail/sandbox.c')
-rw-r--r--src/firejail/sandbox.c27
1 files changed, 25 insertions, 2 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 9299268a3..5fcccbd92 100644
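--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -488,6 +488,7 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
 #ifdef HAVE_APPARMOR
  set_apparmor();
 #endif
+
  close_file_descriptors();
 
  // set nice and rlimits
@@ -509,6 +510,16 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
  printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD"));
  }
 
+#ifdef HAVE_LANDLOCK
+ // set Landlock
+ if (arg_landlock >= 0) {
+ if (landlock_restrict_self(arg_landlock,0)) {
+ fprintf(stderr,"An error has occured while enabling Landlock self-restriction. Exiting...\n");
+ exit(1); // it isn't safe to continue if Landlock self-restriction was enabled and the "landlock_restrict_self" syscall has failed
+ }
+ }
+#endif
+
  if (just_run_the_shell) {
  char *arg[2];
  arg[0] = cfg.usershell;
@@ -999,6 +1010,15 @@ int sandbox(void* sandbox_arg) {
  fs_proc_sys_dev_boot();
 
  //****************************
+ // Allow access to /proc
+ //****************************
+#ifdef HAVE_LANDLOCK
+ if (arg_landlock>-1) {
+ if (arg_landlock_proc >= 1) add_read_access_rule_by_path(arg_landlock, "/proc/");
+ if (arg_landlock_proc == 2) add_write_access_rule_by_path(arg_landlock, "/proc/");
+}
+#endif
+ //****************************
  // handle /mnt and /media
  //****************************
  if (checkcfg(CFG_DISABLE_MNT))
@@ -1093,9 +1113,12 @@ int sandbox(void* sandbox_arg) {
  //****************************
  // rebuild etc directory, set dns
  //****************************
- if (!arg_writable_etc)
+ if (!arg_writable_etc){
  fs_rebuild_etc();
-
+#ifdef HAVE_LANDLOCK
+ if (arg_landlock>-1) add_read_access_rule_by_path(arg_landlock, "/etc/");
+#endif
+ }
  //****************************
  // start dhcp client
  //****************************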
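Review bot: The `add_read_access_rule_by_path` and `add_write_access_rule_by_path` calls added in sandbox() for `/proc/` and `/etc/` discard their results, so a rule that could not be added only shows up later as an unexplained denial once `landlock_restrict_self()` has been applied; assuming the helpers return non-zero on failure (they are defined outside this diff), check them, e.g. `if (add_read_access_rule_by_path(arg_landlock, "/etc/")) fprintf(stderr, "Warning: cannot add Landlock read rule for /etc/\n");`. In start_application() the exit on failure is the right fail-closed choice, but the message drops the cause; printing `strerror(errno)` (if the wrapper preserves errno) would separate a missing no_new_privs or privilege condition from a bad ruleset descriptor. That call also sits after `close_file_descriptors()`, so it is worth confirming that helper leaves the descriptor in `arg_landlock` open, and closing it after a successful restrict so the application does not inherit it. The `/etc/` rule is only added when `arg_writable_etc` is unset, and `arg_landlock_proc == 2` grants write access to all of `/proc/`; both deserve a comment stating the intent. Both functions begin and end outside the hunks shown.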