From b94cc754a0f88ac5b594c52b6a1a3c88b622772c Mon Sep 17 00:00:00 2001
From: netblue30
Date: Thu, 26 Oct 2023 10:21:40 -0400
Subject: landlock: apply rules in sandbox before app start
Apply rules in the sandbox thread before the application is started.
---
 src/firejail/firejail.h | 8 ++++++++
 src/firejail/landlock.c | 12 ++++++++++++
 src/firejail/main.c | 8 ++++----
 src/firejail/profile.c | 8 ++++----
 4 files changed, 28 insertions(+), 8 deletions(-)
(limited to 'src')
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index efeda7228..43325de62 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -150,6 +150,11 @@ typedef struct profile_entry_t {
 } ProfileEntry;
+typedef struct landlock_entry_t {
+ struct landlock_entry_t *next;
+ char *data;
+} LandlockEntry;
+
 typedef struct config_t {
 // user data
 char *username;
@@ -159,6 +164,7 @@ typedef struct config_t {
 // filesystem
 ProfileEntry *profile;
 ProfileEntry *profile_rebuild_etc; // blacklist files in /etc directory used by fs_rebuild_etc()
+ LandlockEntry *lprofile;
 #define MAX_PROFILE_IGNORE 32
 char *profile_ignore[MAX_PROFILE_IGNORE];
@@ -962,6 +968,7 @@ int ll_special(const char *allowed_path);
 int ll_exec(const char *allowed_path);
 int ll_basic_system(void);
 int ll_restrict(__u32 flags);
+void ll_add_profile(const char *data);
 #else
 static inline int ll_get_fd(void) { return -1; }
 static inline int ll_read(...) { return 0; }
@@ -970,6 +977,7 @@ static inline int ll_special(...) { return 0; }
 static inline int ll_exec(...) { return 0; }
 static inline int ll_basic_system(void) { return 0; }
 static inline int ll_restrict(...) { return 0; }
+static inline void ll_add_profile(...) { return; }
 #endif /* HAVE_LANDLOCK */
 #endif
diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c
index 602190446..b2a427047 100644
--- a/src/firejail/landlock.c
+++ b/src/firejail/landlock.c
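Review bot: The new `lprofile` member added in the second firejail.h hunk is the only field of `config_t` in view without a trailing comment, while its neighbour `profile_rebuild_etc` says what it holds and who uses it; a reader of the header cannot tell what this list contains or when it is consumed. Suggest `LandlockEntry *lprofile; // landlock rules from --landlock.* options and landlock.* profile lines, applied later in the sandbox; newest-first` — newest-first because `ll_add_profile()` in landlock.c pushes each entry on the head. The `landlock_entry_t` struct in the first hunk would likewise benefit from a one-line comment on `data` stating that it holds the verbatim option or profile text, since the two callers store it in different forms. `config_t` begins and ends outside the hunk.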
@@ -278,4 +278,16 @@ out:
 return error;
 }
+void ll_add_profile(const char *data) {
+ LandlockEntry *ptr = malloc(sizeof(LandlockEntry));
+ if (!ptr)
+ errExit("malloc");
+ memset(ptr, 0, sizeof(LandlockEntry));
+ ptr->data = strdup(data);
+ if (!ptr->data)
+ errExit("strdup");
+ ptr->next = cfg.lprofile;
+ cfg.lprofile = ptr;
+}
+
 #endif /* HAVE_LANDLOCK */
diff --git a/src/firejail/main.c b/src/firejail/main.c
index df31fe2ce..8715d9486 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1520,13 +1520,13 @@ int main(int argc, char **argv, char **envp) {
 }
 }
 else if (strncmp(argv[i], "--landlock.read=", 16) == 0)
- ll_read(argv[i] + 16);
+ ll_add_profile(argv[i] + 2);
 else if (strncmp(argv[i], "--landlock.write=", 17) == 0)
- ll_write(argv[i] + 17);
+ ll_add_profile(argv[i] + 2);
 else if (strncmp(argv[i], "--landlock.special=", 19) == 0)
- ll_special(argv[i] + 19);
+ ll_add_profile(argv[i] + 2);
 else if (strncmp(argv[i], "--landlock.execute=", 19) == 0)
- ll_exec(argv[i] + 19);
+ ll_add_profile(argv[i] + 2);
 #endif
 else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) {
 if (checkcfg(CFG_SECCOMP))
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 08804c5f3..4e67ec2a3 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1098,19 +1098,19 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 if (strncmp(ptr, "landlock.read ", 14) == 0) {
- ll_read(ptr + 14);
+ ll_add_profile(ptr);
 return 0;
 }
 if (strncmp(ptr, "landlock.write ", 15) == 0) {
- ll_write(ptr + 15);
+ ll_add_profile(ptr);
 return 0;
 }
 if (strncmp(ptr, "landlock.special ", 17) == 0) {
- ll_special(ptr + 17);
+ ll_add_profile(ptr);
 return 0;
 }
 if (strncmp(ptr, "landlock.execute ", 17) == 0) {
- ll_exec(ptr + 17);
+ ll_add_profile(ptr);
 return 0;
 }
 #endif
-- 
cgit v1.2.3-70-g09d2
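Review bot: Nothing in this commit reads `cfg.lprofile` after `ll_add_profile()` fills it: the direct `ll_read()`/`ll_write()`/`ll_special()`/`ll_exec()` calls are removed in main.c and profile.c and the diffstat lists no sandbox-side file, so within this diff the `--landlock.*` options and `landlock.*` profile lines become no-ops unless the sandbox-thread loop the description refers to lands in a separate change — worth confirming before merge, because a filesystem restriction that is collected but never applied produces no error to notice. Whatever consumes the list should also check the int result of the `ll_*()` calls, which the replaced code discarded. Minor: `malloc` followed by `memset` reads more simply as `LandlockEntry *ptr = calloc(1, sizeof *ptr);` with the `memset` line dropped. Since entries are pushed on the head, the list is walked newest-first; a comment such as `// prepend: rules are applied in reverse order of appearance` on the `ptr->next = cfg.lprofile;` line would save the consumer's author a surprise.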
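Review bot: `ll_add_profile(argv[i] + 2)` stores the option as `landlock.read=<path>` (the `--` stripped, the `=` kept), whereas the profile.c hunk stores the raw profile line `landlock.read <path>` with a space separator; the consumer of `cfg.lprofile` therefore has to accept both separators, or rules from one of the two sources are silently ignored. A single stored format is easier to parse and to audit: either match on the keyword alone and skip exactly one separator character (`strncmp(data, "landlock.read", 13) == 0` then use `data + 14`), or normalise the command-line form to the profile form before storing it. The same mismatch applies to the four replaced lines in the profile.c hunk, so fixing it in one place covers both. `main()` begins and ends outside the hunk.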