From 520508d5be10e7579635193d24bc1ff004ed682b Mon Sep 17 00:00:00 2001
From: netblue30
Date: Thu, 2 Nov 2023 08:34:59 -0400
Subject: landlock: avoid parsing landlock commands twice

---
 src/firejail/firejail.h | 8 +++++++-
 src/firejail/landlock.c | 27 +++++++++++++++++++++++++--
 src/firejail/main.c | 8 ++++----
 src/firejail/profile.c | 8 ++++----
 4 files changed, 40 insertions(+), 11 deletions(-)

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 43325de62..f9f4cb473 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -152,6 +152,12 @@ typedef struct profile_entry_t {
 typedef struct landlock_entry_t {
 struct landlock_entry_t *next;
+#define LL_READ 0
+#define LL_WRITE 1
+#define LL_SPECIAL 2
+#define LL_EXEC 3
+#define LL_MAX 4
+
 int type;
 char *data;
 } LandlockEntry;
@@ -968,7 +974,7 @@ int ll_special(const char *allowed_path);
 int ll_exec(const char *allowed_path);
 int ll_basic_system(void);
 int ll_restrict(__u32 flags);
-void ll_add_profile(const char *data);
+void ll_add_profile(int type, const char *data);
 #else
 static inline int ll_get_fd(void) { return -1; }
 static inline int ll_read(...) { return 0; }
diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c
index b2a427047..596e35aea 100644
--- a/src/firejail/landlock.c
+++ b/src/firejail/landlock.c
@@ -255,6 +255,20 @@ int ll_basic_system(void) {
 }
 int ll_restrict(__u32 flags) {
+ int (*fnc[])(const char *) = {
+ ll_read,
+ ll_write,
+ ll_special,
+ ll_exec,
+ NULL
+ };
+
+ LandlockEntry *ptr = cfg.lprofile;
+ while (ptr) {
+ fnc[ptr->type](ptr->data);
+ ptr = ptr->next;
+ }
+
 if (ll_ruleset_fd == -1)
 return 0;
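Review bot: The LL_* constants are defined inside the body of `struct landlock_entry_t`, between the `next` and `type` members, which makes them read like part of the struct in the header and hides that they are the index values for the dispatch table ll_restrict() builds in landlock.c. Hoisting them out of the struct as an enum ties the values and LL_MAX together in one place: `enum { LL_READ, LL_WRITE, LL_SPECIAL, LL_EXEC, LL_MAX };` before the typedef, with the comment `/* LandlockEntry.type; order must match the dispatch table in ll_restrict() */`. The `#else` branch after the second hunk is only partly visible, so whether it carries an ll_add_profile stub that also needs the new two-argument signature cannot be confirmed from here.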
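Review bot: The return value of `fnc[ptr->type](ptr->data)` in the new loop in ll_restrict() is discarded; ll_read, ll_write, ll_special and ll_exec are declared in firejail.h as returning int, so if a non-zero result means a rule could not be added, that failure is now silently dropped and the sandbox ends up with fewer restrictions than the profile asked for — worth checking against those functions' contracts, which lie outside the hunk. The table is also sized only by its initializer and ends in a NULL that no index below LL_MAX can reach, so nothing binds the table order to the LL_* values; sizing it with LL_MAX and using designated initializers makes that binding explicit and lets the compiler catch a missing slot. The body of ll_restrict continues outside the hunk.
```c
int ll_restrict(__u32 flags) {
	/* indexed by LandlockEntry.type; LL_* values are defined in firejail.h */
	int (*fnc[LL_MAX])(const char *) = {
		[LL_READ] = ll_read,
		[LL_WRITE] = ll_write,
		[LL_SPECIAL] = ll_special,
		[LL_EXEC] = ll_exec,
	};
	/* … unchanged: walk cfg.lprofile and dispatch on ptr->type … */
```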
@@ -278,12 +292,21 @@ out:
 return error;
 }
-void ll_add_profile(const char *data) {
+void ll_add_profile(int type, const char *data) {
+ assert(type >= 0);
+ assert(type < LL_MAX);
+ assert(data);
+
+ const char *str = data;
+ while (*str == ' ' || *str == '\t')
+ str++;
+
 LandlockEntry *ptr = malloc(sizeof(LandlockEntry));
 if (!ptr)
 errExit("malloc");
 memset(ptr, 0, sizeof(LandlockEntry));
-ptr->data = strdup(data);
+ ptr->type = type;
+ ptr->data = strdup(str);
 if (!ptr->data)
 errExit("strdup");
 ptr->next = cfg.lprofile;
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 8715d9486..b39693af7 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1520,13 +1520,13 @@ int main(int argc, char **argv, char **envp) {
 }
 }
 else if (strncmp(argv[i], "--landlock.read=", 16) == 0)
-ll_add_profile(argv[i] + 2);
+ ll_add_profile(LL_READ, argv[i] + 16);
 else if (strncmp(argv[i], "--landlock.write=", 17) == 0)
-ll_add_profile(argv[i] + 2);
+ ll_add_profile(LL_WRITE, argv[i] + 17);
 else if (strncmp(argv[i], "--landlock.special=", 19) == 0)
-ll_add_profile(argv[i] + 2);
+ ll_add_profile(LL_SPECIAL, argv[i] + 19);
 else if (strncmp(argv[i], "--landlock.execute=", 19) == 0)
-ll_add_profile(argv[i] + 2);
+ ll_add_profile(LL_EXEC, argv[i] + 19);
 #endif
 else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) {
 if (checkcfg(CFG_SECCOMP))
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 4e67ec2a3..e3554eb12 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
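Review bot: The three `assert()` calls at the top of ll_add_profile() are the only range check on `type` before ll_restrict() uses it as the index into `fnc[]`, and they disappear under NDEBUG; every visible caller passes an LL_* literal, so this is defensive rather than a live bug, but a hard check costs nothing: `if (type < 0 || type >= LL_MAX) { fprintf(stderr, "Error: invalid landlock entry type %d\n", type); exit(1); }`. After the leading-whitespace skip, `str` can be empty (an option given as `--landlock.read=` with no value, or a profile line with only blanks after the keyword) and an empty path is then stored and later passed to the ll_* callbacks; rejecting it here would give the user a clear error instead of whatever the callback does with "". The function continues past the hunk, so where the list head is updated relative to these checks is not visible.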
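Review bot: Each of the four new calls in main() repeats the prefix length as a bare number (`16`, `17`, `19`, `19`) that has to agree with the string literal in the `strncmp` on the line above it; the profile.c hunk has the same pattern with `14`, `15`, `17`, `17`. Deriving the offset from the literal removes the duplicated constant, e.g. `ll_add_profile(LL_READ, argv[i] + strlen("--landlock.read="));`, or a small helper that takes the prefix once and does both the compare and the offset. The offsets as written do line up with their literals, so this is a maintenance point rather than a defect. main()'s body extends beyond the hunk.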
@@ -1098,19 +1098,19 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 if (strncmp(ptr, "landlock.read ", 14) == 0) {
-ll_add_profile(ptr);
+ ll_add_profile(LL_READ, ptr + 14);
 return 0;
 }
 if (strncmp(ptr, "landlock.write ", 15) == 0) {
-ll_add_profile(ptr);
+ ll_add_profile(LL_WRITE, ptr + 15);
 return 0;
 }
 if (strncmp(ptr, "landlock.special ", 17) == 0) {
-ll_add_profile(ptr);
+ ll_add_profile(LL_SPECIAL, ptr + 17);
 return 0;
 }
 if (strncmp(ptr, "landlock.execute ", 17) == 0) {
-ll_add_profile(ptr);
+ ll_add_profile(LL_EXEC, ptr + 17);
 return 0;
 }
 #endif
--
cgit v1.2.3-54-g00ecf