From 19e108248c88605b5470f2e5018f40a74b20a28e Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Sat, 11 Nov 2023 14:15:50 -0300
Subject: landlock: expand simple macros in commands

This includes macros such as `${HOME}` and `${RUNUSER}`, but not `${PATH}`, which may expand to multiple strings.

Relates to #6078.
---
 src/firejail/landlock.c | 29 ++++++++++++++++-------------
 1 file changed, 16 insertions(+), 13 deletions(-)

diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c
index 9cf5ec165..157c0ba4c 100644
--- a/src/firejail/landlock.c
+++ b/src/firejail/landlock.c
@@ -117,8 +117,8 @@ static int ll_create_full_ruleset(void) {
 return ruleset_fd;
 }
 
-static int ll_fs(const char *allowed_path, const __u64 allowed_access,
- const char *caller) {
+static int _ll_fs(const char *allowed_path, const __u64 allowed_access,
+ const char *caller) {
 if (!ll_is_supported())
 return 0;
 
@@ -155,6 +155,16 @@ static int ll_fs(const char *allowed_path, const __u64 allowed_access,
 return error;
 }
 
+// TODO: Add support for the ${PATH} macro.
+static int ll_fs(const char *allowed_path, const __u64 allowed_access,
+ const char *caller) {
+ char *expanded_path = expand_macros(allowed_path);
+ int error = _ll_fs(expanded_path, allowed_access, caller);
+
+ free(expanded_path);
+ return error;
+}
+
 int ll_read(const char *allowed_path) {
 __u64 allowed_access =
 LANDLOCK_ACCESS_FS_READ_DIR |
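Review bot: In the new `ll_fs` wrapper (hunk `@@ -155,6 +155,16 @@`), the string returned by `expand_macros()` is passed to `_ll_fs()` unchecked, and the only documentation is the TODO. Since the expanded string is what ends up in a Landlock allow rule, the contract deserves a comment, e.g. `/* Expands simple macros such as ${HOME} and ${RUNUSER} in allowed_path, adds the rule via _ll_fs(), then frees the expanded copy; ${PATH} is not expanded. */`. Whether `expand_macros()` can return NULL or hand back an unsupported macro such as `${PATH}` verbatim is not visible in this diff; if either can happen, a guard like `if (!expanded_path) return 1;` before the `_ll_fs()` call makes the failure explicit rather than leaving it to `_ll_fs()` to reject the string. As a style point, `_ll_fs` is a file-scope identifier with a leading underscore, which C reserves for the implementation; a name such as `ll_fs_expanded` avoids that (the rename itself is in hunk `@@ -117,8 +117,8 @@`).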
@@ -193,28 +203,21 @@ int ll_exec(const char *allowed_path) {
 }
 
 int ll_basic_system(void) {
- assert(cfg.homedir);
-
 if (!ll_is_supported())
 return 0;
 
 if (ll_ruleset_fd == -1)
 ll_ruleset_fd = ll_create_full_ruleset();
 
- int error;
- char *rundir;
- if (asprintf(&rundir, "/run/user/%d", getuid()) == -1)
- errExit("asprintf");
-
- error =
+ int error =
 ll_read("/") || // whole system read
 ll_special("/") || // sockets etc.
 
 ll_write("/tmp") || // write access
 ll_write("/dev") ||
 ll_write("/run/shm") ||
- ll_write(cfg.homedir) ||
- ll_write(rundir) ||
+ ll_write("${HOME}") ||
+ ll_write("${RUNUSER}") ||
 
 ll_exec("/opt") || // exec access
 ll_exec("/bin") ||
@@ -240,7 +243,7 @@ int ll_basic_system(void) {
 fprintf(stderr, "Error: %s: failed to set --landlock rules\n",
 __func__);
 }
- free(rundir);
+
 return error;
 }
 
--
cgit v1.2.3-70-g09d2
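Review bot: Removing `assert(cfg.homedir);` from the top of `ll_basic_system` (hunk `@@ -193,28 +203,21 @@`) leaves the `ll_write("${HOME}")` rule dependent on how `expand_macros()` behaves when the home directory is unset, which this diff does not show. If the expansion can produce an empty or placeholder prefix in that case, the write rule would be requested for a path other than the user's home. Keeping `assert(cfg.homedir);` before `int error =`, or confirming that `expand_macros()` enforces the same precondition, preserves the old guarantee. The `||` chain also still stops at the first rule that reports an error, so if `ll_write("${RUNUSER}")` fails the `ll_exec` rules after it are never attempted; that predates this commit, but a comment such as `// rules are applied in order; the first failure skips the rest` would make it visible. The function body continues past this hunk into `@@ -240,7 +243,7 @@`.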