diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/landlock.c | 45 |
2 files changed, 46 insertions, 0 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index f9f4cb473..5a96fcbfd 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -968,6 +968,7 @@ void oom_set(const char *oom_string); | |||
968 | // landlock.c | 968 | // landlock.c |
969 | #ifdef HAVE_LANDLOCK | 969 | #ifdef HAVE_LANDLOCK |
970 | int ll_get_fd(void); | 970 | int ll_get_fd(void); |
971 | int ll_is_supported(void); | ||
971 | int ll_read(const char *allowed_path); | 972 | int ll_read(const char *allowed_path); |
972 | int ll_write(const char *allowed_path); | 973 | int ll_write(const char *allowed_path); |
973 | int ll_special(const char *allowed_path); | 974 | int ll_special(const char *allowed_path); |
diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c index 596e35aea..27fc1d748 100644 --- a/src/firejail/landlock.c +++ b/src/firejail/landlock.c | |||
@@ -28,6 +28,7 @@ | |||
28 | #include <fcntl.h> | 28 | #include <fcntl.h> |
29 | 29 | ||
30 | static int ll_ruleset_fd = -1; | 30 | static int ll_ruleset_fd = -1; |
31 | static int ll_abi = -1; | ||
31 | 32 | ||
32 | int ll_get_fd(void) { | 33 | int ll_get_fd(void) { |
33 | return ll_ruleset_fd; | 34 | return ll_ruleset_fd; |
@@ -59,7 +60,30 @@ landlock_restrict_self(const int ruleset_fd, const __u32 flags) { | |||
59 | } | 60 | } |
60 | #endif | 61 | #endif |
61 | 62 | ||
63 | int ll_is_supported(void) { | ||
64 | if (ll_abi != -1) | ||
65 | goto out; | ||
66 | |||
67 | ll_abi = landlock_create_ruleset(NULL, 0, | ||
68 | LANDLOCK_CREATE_RULESET_VERSION); | ||
69 | if (ll_abi < 1) { | ||
70 | ll_abi = 0; | ||
71 | fprintf(stderr, "Warning: Landlock is disabled or not supported: %s, " | ||
72 | "ignoring landlock commands\n", | ||
73 | strerror(errno)); | ||
74 | goto out; | ||
75 | } | ||
76 | if (arg_debug) { | ||
77 | printf("Detected Landlock ABI version %d\n", ll_abi); | ||
78 | } | ||
79 | out: | ||
80 | return ll_abi; | ||
81 | } | ||
82 | |||
62 | static int ll_create_full_ruleset() { | 83 | static int ll_create_full_ruleset() { |
84 | if (!ll_is_supported()) | ||
85 | return -1; | ||
86 | |||
63 | struct landlock_ruleset_attr attr; | 87 | struct landlock_ruleset_attr attr; |
64 | attr.handled_access_fs = | 88 | attr.handled_access_fs = |
65 | LANDLOCK_ACCESS_FS_EXECUTE | | 89 | LANDLOCK_ACCESS_FS_EXECUTE | |
@@ -85,6 +109,9 @@ static int ll_create_full_ruleset() { | |||
85 | } | 109 | } |
86 | 110 | ||
87 | int ll_read(const char *allowed_path) { | 111 | int ll_read(const char *allowed_path) { |
112 | if (!ll_is_supported()) | ||
113 | return 0; | ||
114 | |||
88 | if (ll_ruleset_fd == -1) | 115 | if (ll_ruleset_fd == -1) |
89 | ll_ruleset_fd = ll_create_full_ruleset(); | 116 | ll_ruleset_fd = ll_create_full_ruleset(); |
90 | 117 | ||
@@ -114,6 +141,9 @@ int ll_read(const char *allowed_path) { | |||
114 | } | 141 | } |
115 | 142 | ||
116 | int ll_write(const char *allowed_path) { | 143 | int ll_write(const char *allowed_path) { |
144 | if (!ll_is_supported()) | ||
145 | return 0; | ||
146 | |||
117 | if (ll_ruleset_fd == -1) | 147 | if (ll_ruleset_fd == -1) |
118 | ll_ruleset_fd = ll_create_full_ruleset(); | 148 | ll_ruleset_fd = ll_create_full_ruleset(); |
119 | 149 | ||
@@ -147,6 +177,9 @@ int ll_write(const char *allowed_path) { | |||
147 | } | 177 | } |
148 | 178 | ||
149 | int ll_special(const char *allowed_path) { | 179 | int ll_special(const char *allowed_path) { |
180 | if (!ll_is_supported()) | ||
181 | return 0; | ||
182 | |||
150 | if (ll_ruleset_fd == -1) | 183 | if (ll_ruleset_fd == -1) |
151 | ll_ruleset_fd = ll_create_full_ruleset(); | 184 | ll_ruleset_fd = ll_create_full_ruleset(); |
152 | 185 | ||
@@ -178,6 +211,9 @@ int ll_special(const char *allowed_path) { | |||
178 | } | 211 | } |
179 | 212 | ||
180 | int ll_exec(const char *allowed_path) { | 213 | int ll_exec(const char *allowed_path) { |
214 | if (!ll_is_supported()) | ||
215 | return 0; | ||
216 | |||
181 | if (ll_ruleset_fd == -1) | 217 | if (ll_ruleset_fd == -1) |
182 | ll_ruleset_fd = ll_create_full_ruleset(); | 218 | ll_ruleset_fd = ll_create_full_ruleset(); |
183 | 219 | ||
@@ -208,6 +244,9 @@ int ll_exec(const char *allowed_path) { | |||
208 | int ll_basic_system(void) { | 244 | int ll_basic_system(void) { |
209 | assert(cfg.homedir); | 245 | assert(cfg.homedir); |
210 | 246 | ||
247 | if (!ll_is_supported()) | ||
248 | return 0; | ||
249 | |||
211 | if (ll_ruleset_fd == -1) | 250 | if (ll_ruleset_fd == -1) |
212 | ll_ruleset_fd = ll_create_full_ruleset(); | 251 | ll_ruleset_fd = ll_create_full_ruleset(); |
213 | 252 | ||
@@ -255,6 +294,9 @@ int ll_basic_system(void) { | |||
255 | } | 294 | } |
256 | 295 | ||
257 | int ll_restrict(__u32 flags) { | 296 | int ll_restrict(__u32 flags) { |
297 | if (!ll_is_supported()) | ||
298 | return 0; | ||
299 | |||
258 | int (*fnc[])(const char *) = { | 300 | int (*fnc[])(const char *) = { |
259 | ll_read, | 301 | ll_read, |
260 | ll_write, | 302 | ll_write, |
@@ -297,6 +339,9 @@ void ll_add_profile(int type, const char *data) { | |||
297 | assert(type < LL_MAX); | 339 | assert(type < LL_MAX); |
298 | assert(data); | 340 | assert(data); |
299 | 341 | ||
342 | if (!ll_is_supported()) | ||
343 | return; | ||
344 | |||
300 | const char *str = data; | 345 | const char *str = data; |
301 | while (*str == ' ' || *str == '\t') | 346 | while (*str == ' ' || *str == '\t') |
302 | str++; | 347 | str++; |