1 files changed, 13 insertions, 0 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 9299268a3..73f2aa211 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -21,6 +21,9 @@
 #include "firejail.h"
 #include "../include/gcov_wrapper.h"
 #include "../include/seccomp.h"
+#ifdef HAVE_LANDLOCK
+#include "../include/tinyLL.h"
+#endif
 #include <sys/mman.h>
 #include <sys/mount.h>
 #include <sys/wait.h>
@@ -488,6 +491,16 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
 #ifdef HAVE_APPARMOR
                set_apparmor();
 #endif
+#ifdef HAVE_LANDLOCK
+                // set Landlock
+                if (arg_landlock >= 0) {
+                        if (landlock_restrict_self(arg_landlock,0)) {
+                                fprintf(stderr,"An error has occured while enabling Landlock self-restriction. Exiting...\n");
+                                exit(1); // it isn't safe to continue if Landlock self-restriction was enabled and the "landlock_restrict_self" syscall has failed
+                        }
+                }
+#endif
                close_file_descriptors();
                // set nice and rlimits

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 9299268a3..73f2aa211 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -21,6 +21,9 @@
21	#include "firejail.h"	21	#include "firejail.h"
22	#include "../include/gcov_wrapper.h"	22	#include "../include/gcov_wrapper.h"
23	#include "../include/seccomp.h"	23	#include "../include/seccomp.h"
		24	#ifdef HAVE_LANDLOCK
		25	#include "../include/tinyLL.h"
		26	#endif
24	#include <sys/mman.h>	27	#include <sys/mman.h>
25	#include <sys/mount.h>	28	#include <sys/mount.h>
26	#include <sys/wait.h>	29	#include <sys/wait.h>
@@ -488,6 +491,16 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
488	#ifdef HAVE_APPARMOR	491	#ifdef HAVE_APPARMOR
489	set_apparmor();	492	set_apparmor();
490	#endif	493	#endif
		494	#ifdef HAVE_LANDLOCK
		495	// set Landlock
		496	if (arg_landlock >= 0) {
		497	if (landlock_restrict_self(arg_landlock,0)) {
		498	fprintf(stderr,"An error has occured while enabling Landlock self-restriction. Exiting...\n");
		499	exit(1); // it isn't safe to continue if Landlock self-restriction was enabled and the "landlock_restrict_self" syscall has failed
		500	}
		501	}
		502	#endif
		503
491	close_file_descriptors();	504	close_file_descriptors();
492		505
493	// set nice and rlimits	506	// set nice and rlimits