From b61232065d67f17d459e943bb94639ab1d87b5da Mon Sep 17 00:00:00 2001 From: netblue Date: Tue, 31 Oct 2023 16:55:55 -0400 Subject: [PATCH] detect landlock at run time --- configure | 26 ----------------- configure.ac | 10 ------- src/firejail/firejail.h | 4 +-- src/firejail/landlock.c | 65 ++++++++++++++++++++++++++++++++++++----- 4 files changed, 59 insertions(+), 46 deletions(-) diff --git a/configure b/configure index 47c58728356..a94eff86f73 100755 --- a/configure +++ b/configure @@ -738,7 +738,6 @@ enable_sanitizer enable_ids enable_apparmor enable_selinux -enable_landlock enable_dbusproxy enable_output enable_usertmpfs @@ -1398,7 +1397,6 @@ Optional Features: --enable-ids enable ids --enable-apparmor enable apparmor --enable-selinux SELinux labeling support - --enable-landlock Landlock self-restriction support --disable-dbusproxy disable dbus proxy --disable-output disable --output logging --disable-usertmpfs disable tmpfs as regular user @@ -3744,7 +3742,6 @@ fi HAVE_LANDLOCK="" - ac_header= ac_cache= for ac_item in $ac_header_c_list do @@ -3789,29 +3786,6 @@ fi -# Check whether --enable-landlock was given. -if test ${enable_landlock+y} -then : - enableval=$enable_landlock; -fi - -if test "x$enable_landlock" = "xyes" -then : - - ac_fn_c_check_header_compile "$LINENO" "linux/landlock.h" "ac_cv_header_linux_landlock_h" "$ac_includes_default" -if test "x$ac_cv_header_linux_landlock_h" = xyes -then : - -else $as_nop - as_fn_error $? "*** LANDLOCK support is not installed (/usr/include/linux/landlock.h missing) ***" "$LINENO" 5 -fi - - HAVE_LANDLOCK="-DHAVE_LANDLOCK" - -fi - - - HAVE_DBUSPROXY="" diff --git a/configure.ac b/configure.ac index 83219d9e02a..f6bd8f9d407 100644 --- a/configure.ac +++ b/configure.ac @@ -83,22 +83,12 @@ AS_IF([test "x$enable_selinux" = "xyes"], [ HAVE_LANDLOCK="" AC_SUBST([HAVE_LANDLOCK]) - AC_CHECK_HEADER([linux/landlock.h], [ HAVE_LANDLOCK="-DHAVE_LANDLOCK" ], [AC_MSG_WARN([*** Landlock support is not installed (/usr/include/linux/landlock.h missing) ***]) ]) - - -AC_ARG_ENABLE([landlock], - [AS_HELP_STRING([--enable-landlock], [Landlock self-restriction support])]) -AS_IF([test "x$enable_landlock" = "xyes"], [ - AC_CHECK_HEADER([linux/landlock.h], [], AC_MSG_ERROR([*** LANDLOCK support is not installed (/usr/include/linux/landlock.h missing) ***])) - HAVE_LANDLOCK="-DHAVE_LANDLOCK" -]) - AC_SUBST([EXTRA_CFLAGS]) AC_SUBST([EXTRA_LDFLAGS]) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 83098c11391..05173d4b17f 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -968,11 +968,9 @@ int ll_get_fd(void); int ll_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags); int ll_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags); int ll_restrict(__u32 flags); -int ll_create_full_ruleset(); +//int ll_create_full_ruleset(); int ll_add_read_access_rule_by_path(char *allowed_path); int ll_add_write_access_rule_by_path(char *allowed_path); -int ll_add_create_special_rule_by_path(char *allowed_path); -int ll_add_execute_rule_by_path(char *allowed_path); void ll_basic_system(void); void ll_add_profile(const char *data); #endif diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c index c45254fc371..5587474bd62 100644 --- a/src/firejail/landlock.c +++ b/src/firejail/landlock.c @@ -26,8 +26,30 @@ #include #include #include +#include + +static int rset_fd = -1; + +// return 1 if the kernel is older than 6.1 +static int old_kernel(void) { + struct utsname u; + int rv = uname(&u); + if (rv != 0) + errExit("uname"); + unsigned major; + unsigned minor; + if (2 != sscanf(u.release, "%u.%u", &major, &minor)) { + fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version); + exit(1); + } + +return 1; + unsigned version = (major << 8) + minor; + if (version < ((6 << 8) + 1)) + return 1; -int rset_fd = -1; + return 0; +} int ll_get_fd(void) { return rset_fd; @@ -52,7 +74,7 @@ static inline int landlock_restrict_self(const int ruleset_fd, } #endif -int ll_create_full_ruleset() { +static int ll_create_full_ruleset() { struct landlock_ruleset_attr attr; attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | @@ -62,6 +84,11 @@ int ll_create_full_ruleset() { } int ll_add_read_access_rule_by_path(char *allowed_path) { + if (old_kernel()) { + fprintf(stderr, "Warning: Landlock not enabled, a 6.1 or newer Linux kernel is required\n"); + return 1; + } + if (rset_fd == -1) rset_fd = ll_create_full_ruleset(); @@ -76,6 +103,11 @@ int ll_add_read_access_rule_by_path(char *allowed_path) { } int ll_add_write_access_rule_by_path(char *allowed_path) { + if (old_kernel()) { + fprintf(stderr, "Warning: Landlock not enabled, a 6.1 or newer Linux kernel is required\n"); + return 1; + } + if (rset_fd == -1) rset_fd = ll_create_full_ruleset(); @@ -91,7 +123,12 @@ int ll_add_write_access_rule_by_path(char *allowed_path) { return result; } -int ll_add_create_special_rule_by_path(char *allowed_path) { +static int ll_add_create_special_rule_by_path(char *allowed_path) { + if (old_kernel()) { + fprintf(stderr, "Warning: Landlock not enabled, a 6.1 or newer Linux kernel is required\n"); + return 1; + } + if (rset_fd == -1) rset_fd = ll_create_full_ruleset(); @@ -105,7 +142,12 @@ int ll_add_create_special_rule_by_path(char *allowed_path) { return result; } -int ll_add_execute_rule_by_path(char *allowed_path) { +static int ll_add_execute_rule_by_path(char *allowed_path) { + if (old_kernel()) { + fprintf(stderr, "Warning: Landlock not enabled, a 6.1 or newer Linux kernel is required\n"); + return 1; + } + if (rset_fd == -1) rset_fd = ll_create_full_ruleset(); @@ -120,6 +162,11 @@ int ll_add_execute_rule_by_path(char *allowed_path) { } void ll_basic_system(void) { + if (old_kernel()) { + fprintf(stderr, "Warning: Landlock not enabled, a 6.1 or newer Linux kernel is required\n"); + return; + } + if (rset_fd == -1) rset_fd = ll_create_full_ruleset(); @@ -152,6 +199,11 @@ void ll_basic_system(void) { } int ll_restrict(__u32 flags) { + if (old_kernel()) { + fprintf(stderr, "Warning: Landlock not enabled, a 6.1 or newer Linux kernel is required\n"); + return 0; + } + LandlockEntry *ptr = cfg.lprofile; while (ptr) { if (strncmp(ptr->data, "landlock.read", 13) == 0) { @@ -187,6 +239,8 @@ int ll_restrict(__u32 flags) { } void ll_add_profile(const char *data) { + if (old_kernel()) + return; LandlockEntry *ptr = malloc(sizeof(LandlockEntry)); if (!ptr) errExit("malloc"); @@ -198,7 +252,4 @@ void ll_add_profile(const char *data) { cfg.lprofile=ptr; } - -#if 0 -#endif #endif