diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 05173d4b17f..d4025854284 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -965,12 +965,10 @@ void oom_set(const char *oom_string); // landlock.c #ifdef HAVE_LANDLOCK int ll_get_fd(void); -int ll_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags); int ll_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags); int ll_restrict(__u32 flags); -//int ll_create_full_ruleset(); -int ll_add_read_access_rule_by_path(char *allowed_path); -int ll_add_write_access_rule_by_path(char *allowed_path); +int ll_read(char *allowed_path); +int ll_write(char *allowed_path); void ll_basic_system(void); void ll_add_profile(const char *data); #endif diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c index 5587474bd62..a956275a7ef 100644 --- a/src/firejail/landlock.c +++ b/src/firejail/landlock.c @@ -43,7 +43,6 @@ static int old_kernel(void) { exit(1); } -return 1; unsigned version = (major << 8) + minor; if (version < ((6 << 8) + 1)) return 1; @@ -83,7 +82,7 @@ static int ll_create_full_ruleset() { return ll_create_ruleset(&attr, sizeof(attr), 0); } -int ll_add_read_access_rule_by_path(char *allowed_path) { +int ll_read(char *allowed_path) { if (old_kernel()) { fprintf(stderr, "Warning: Landlock not enabled, a 6.1 or newer Linux kernel is required\n"); return 1; @@ -102,7 +101,7 @@ int ll_add_read_access_rule_by_path(char *allowed_path) { return result; } -int ll_add_write_access_rule_by_path(char *allowed_path) { +int ll_write(char *allowed_path) { if (old_kernel()) { fprintf(stderr, "Warning: Landlock not enabled, a 6.1 or newer Linux kernel is required\n"); return 1; @@ -123,7 +122,7 @@ int ll_add_write_access_rule_by_path(char *allowed_path) { return result; } -static int ll_add_create_special_rule_by_path(char *allowed_path) { +static int ll_special(char *allowed_path) { if (old_kernel()) { fprintf(stderr, "Warning: Landlock not enabled, a 6.1 or newer Linux kernel is required\n"); return 1; @@ -142,7 +141,7 @@ static int ll_add_create_special_rule_by_path(char *allowed_path) { return result; } -static int ll_add_execute_rule_by_path(char *allowed_path) { +static int ll_exec(char *allowed_path) { if (old_kernel()) { fprintf(stderr, "Warning: Landlock not enabled, a 6.1 or newer Linux kernel is required\n"); return 1; @@ -183,19 +182,41 @@ void ll_basic_system(void) { fprintf(stderr, "Error: cannot set the basic Landlock filesystem\n"); close(home_fd); - if (ll_add_read_access_rule_by_path("/bin/") || - ll_add_execute_rule_by_path("/bin/") || - ll_add_read_access_rule_by_path("/dev/") || - ll_add_write_access_rule_by_path("/dev/") || - ll_add_read_access_rule_by_path("/etc/") || - ll_add_read_access_rule_by_path("/lib/") || - ll_add_execute_rule_by_path("/lib/") || - ll_add_read_access_rule_by_path("/opt/") || - ll_add_execute_rule_by_path("/opt/") || - ll_add_read_access_rule_by_path("/usr/") || - ll_add_execute_rule_by_path("/usr/") || - ll_add_read_access_rule_by_path("/var/")) + char *rundir; + if (asprintf(&rundir, "/run/user/%d", getuid()) == -1) + errExit("asprintf"); + + if (ll_read("/") || // whole system read + ll_special("/") || // sockets etc. + + ll_write("/tmp") || // write access + ll_write("/dev") || + ll_write("/run/shm") || + ll_write(rundir) || + + ll_exec("/opt") || // exec access + ll_exec("/bin") || + ll_exec("/sbin") || + ll_exec("/bin") || + ll_exec("/lib") || + ll_exec("/lib32") || + ll_exec("/libx32") || + ll_exec("/lib64") || + ll_exec("/usr/bin") || + ll_exec("/usr/sbin") || + ll_exec("/usr/games") || + ll_exec("/usr/lib") || + ll_exec("/usr/lib32") || + ll_exec("/usr/libx32") || + ll_exec("/usr/lib64") || + ll_exec("/usr/local/bin") || + ll_exec("/usr/local/sbin") || + ll_exec("/usr/local/games") || + ll_exec("/usr/local/lib") || + ll_exec("/run/firejail")) // appimage and various firejail features fprintf(stderr, "Error: cannot set the basic Landlock filesystem\n"); + + free(rundir); } int ll_restrict(__u32 flags) { @@ -206,22 +227,33 @@ int ll_restrict(__u32 flags) { LandlockEntry *ptr = cfg.lprofile; while (ptr) { + char *fname = NULL; + int (*fnc)(char *) = NULL; + if (strncmp(ptr->data, "landlock.read", 13) == 0) { - if (ll_add_read_access_rule_by_path(ptr->data + 14)) - fprintf(stderr,"Error: cannot add Landlock rule\n"); + fname = ptr->data + 14; + fnc = ll_read; } else if (strncmp(ptr->data, "landlock.write", 14) == 0) { - if (ll_add_write_access_rule_by_path(ptr->data + 15)) - fprintf(stderr,"Error: cannot add Landlock rule\n"); + fname = ptr->data + 15; + fnc = ll_write; } else if (strncmp(ptr->data, "landlock.special", 16) == 0) { - if (ll_add_create_special_rule_by_path(ptr->data + 17)) - fprintf(stderr,"Error: cannot add Landlock rule\n"); + fname = ptr->data + 17; + fnc = ll_special; } else if (strncmp(ptr->data, "landlock.execute", 16) == 0) { - if (ll_add_execute_rule_by_path(ptr->data + 17)) - fprintf(stderr,"Error: cannot add Landlock rule\n"); + fname = ptr->data + 17; + fnc = ll_exec; } + else + assert(0); + + if (access(fname, F_OK) == 0) { + if (fnc(fname)) + fprintf(stderr,"Error: failed to add Landlock rule for %s\n", fname); + } + ptr = ptr->next; } @@ -248,6 +280,7 @@ void ll_add_profile(const char *data) { ptr->data = strdup(data); if (!ptr->data) errExit("strdup"); +//printf("add profile #%s#\n", ptr->data); ptr->next = cfg.lprofile; cfg.lprofile=ptr; } diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 47a1ec1e12e..e03e88b3e0a 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -520,14 +520,16 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) { //**************************** // Configure Landlock //**************************** - if (arg_landlock) + if (arg_landlock) { +printf("set basic system\n"); fflush(0); ll_basic_system(); - +} if (ll_get_fd() != -1) { +printf("proc = %d\n", arg_landlock_proc); if (arg_landlock_proc >= 1) - ll_add_read_access_rule_by_path("/proc/"); + ll_read("/proc/"); if (arg_landlock_proc == 2) - ll_add_write_access_rule_by_path("/proc/"); + ll_write("/proc/"); } if (ll_restrict(0)) {