integration: home directory (private, whitelist)
This commit is contained in:
parent
be69206621
commit
5ceced9e73
6 changed files with 91 additions and 83 deletions
|
|
@ -958,14 +958,15 @@ void oom_set(const char *oom_string);
|
|||
|
||||
// landlock.c
|
||||
#ifdef HAVE_LANDLOCK
|
||||
int ll_get_fd(void);
|
||||
int ll_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags);
|
||||
int ll_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags);
|
||||
int ll_restrict_self(int fd,__u32 flags);
|
||||
int ll_restrict_self(__u32 flags);
|
||||
int ll_create_full_ruleset();
|
||||
int ll_add_read_access_rule_by_path(int rset_fd,char *allowed_path);
|
||||
int ll_add_write_access_rule_by_path(int rset_fd,char *allowed_path);
|
||||
int ll_add_create_special_rule_by_path(int rset_fd,char *allowed_path);
|
||||
int ll_add_execute_rule_by_path(int rset_fd,char *allowed_path);
|
||||
int ll_add_read_access_rule_by_path(char *allowed_path);
|
||||
int ll_add_write_access_rule_by_path(char *allowed_path);
|
||||
int ll_add_create_special_rule_by_path(char *allowed_path);
|
||||
int ll_add_execute_rule_by_path(char *allowed_path);
|
||||
void ll_basic_system(void);
|
||||
#endif
|
||||
|
||||
|
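Review bot: The new prototypes still take the path as `char *allowed_path` although the implementations only hand it to open(); declaring them as `int ll_add_read_access_rule_by_path(const char *allowed_path);` (and likewise for the write, create-special and execute variants) documents that the helpers do not modify the argument and lets callers pass string literals such as "/bin/" cleanly. The unchanged `int ll_create_full_ruleset();` is a declaration without a prototype; `int ll_create_full_ruleset(void);` turns an accidental call with arguments into a compile error. Since the ruleset descriptor is now reachable only through the accessor, a comment on it such as `// descriptor of the process-wide Landlock ruleset, or -1 if none has been created` would help readers of this header.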
|
|
|||
|
|
@ -27,6 +27,12 @@
|
|||
#include <linux/prctl.h>
|
||||
#include <linux/landlock.h>
|
||||
|
||||
int rset_fd = -1;
|
||||
|
||||
int ll_get_fd(void) {
|
||||
return rset_fd;
|
||||
}
|
||||
|
||||
int ll_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags) {
|
||||
return syscall(__NR_landlock_create_ruleset,rsattr,size,flags);
|
||||
}
|
||||
|
|
@ -35,12 +41,16 @@ int ll_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags) {
|
|||
return syscall(__NR_landlock_add_rule,fd,t,attr,flags);
|
||||
}
|
||||
|
||||
int ll_restrict_self(int fd,__u32 flags) {
|
||||
int ll_restrict_self(__u32 flags) {
|
||||
if (rset_fd == -1)
|
||||
return 0;
|
||||
|
||||
|
||||
prctl(PR_SET_NO_NEW_PRIVS,1,0,0,0);
|
||||
int result = syscall(__NR_landlock_restrict_self,fd,flags);
|
||||
int result = syscall(__NR_landlock_restrict_self, rset_fd, flags);
|
||||
if (result!=0) return result;
|
||||
else {
|
||||
close(fd);
|
||||
close(rset_fd);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
|
@ -54,7 +64,10 @@ int ll_create_full_ruleset() {
|
|||
return ll_create_ruleset(&attr,sizeof(attr),0);
|
||||
}
|
||||
|
||||
int ll_add_read_access_rule_by_path(int rset_fd,char *allowed_path) {
|
||||
int ll_add_read_access_rule_by_path(char *allowed_path) {
|
||||
if (rset_fd == -1)
|
||||
rset_fd = ll_create_full_ruleset();
|
||||
|
||||
int result;
|
||||
int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
|
||||
struct landlock_path_beneath_attr target;
|
||||
|
|
@ -65,7 +78,10 @@ int ll_add_read_access_rule_by_path(int rset_fd,char *allowed_path) {
|
|||
return result;
|
||||
}
|
||||
|
||||
int ll_add_write_access_rule_by_path(int rset_fd,char *allowed_path) {
|
||||
int ll_add_write_access_rule_by_path(char *allowed_path) {
|
||||
if (rset_fd == -1)
|
||||
rset_fd = ll_create_full_ruleset();
|
||||
|
||||
int result;
|
||||
int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
|
||||
struct landlock_path_beneath_attr target;
|
||||
|
|
@ -78,7 +94,10 @@ int ll_add_write_access_rule_by_path(int rset_fd,char *allowed_path) {
|
|||
return result;
|
||||
}
|
||||
|
||||
int ll_add_create_special_rule_by_path(int rset_fd,char *allowed_path) {
|
||||
int ll_add_create_special_rule_by_path(char *allowed_path) {
|
||||
if (rset_fd == -1)
|
||||
rset_fd = ll_create_full_ruleset();
|
||||
|
||||
int result;
|
||||
int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
|
||||
struct landlock_path_beneath_attr target;
|
||||
|
|
@ -89,7 +108,10 @@ int ll_add_create_special_rule_by_path(int rset_fd,char *allowed_path) {
|
|||
return result;
|
||||
}
|
||||
|
||||
int ll_add_execute_rule_by_path(int rset_fd,char *allowed_path) {
|
||||
int ll_add_execute_rule_by_path(char *allowed_path) {
|
||||
if (rset_fd == -1)
|
||||
rset_fd = ll_create_full_ruleset();
|
||||
|
||||
int result;
|
||||
int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
|
||||
struct landlock_path_beneath_attr target;
|
||||
|
|
@ -101,8 +123,8 @@ int ll_add_execute_rule_by_path(int rset_fd,char *allowed_path) {
|
|||
}
|
||||
|
||||
void ll_basic_system(void) {
|
||||
if (arg_landlock == -1)
|
||||
arg_landlock = ll_create_full_ruleset();
|
||||
if (rset_fd == -1)
|
||||
rset_fd = ll_create_full_ruleset();
|
||||
|
||||
const char *home_dir = env_get("HOME");
|
||||
int home_fd = open(home_dir,O_PATH | O_CLOEXEC);
|
||||
|
|
@ -113,25 +135,23 @@ void ll_basic_system(void) {
|
|||
LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR |
|
||||
LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG |
|
||||
LANDLOCK_ACCESS_FS_MAKE_SYM;
|
||||
if (ll_add_rule(arg_landlock,LANDLOCK_RULE_PATH_BENEATH,&target,0)) {
|
||||
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
|
||||
}
|
||||
if (ll_add_rule(rset_fd, LANDLOCK_RULE_PATH_BENEATH,&target,0))
|
||||
fprintf(stderr,"Error: cannot set the basic Landlock filesystem\n");
|
||||
close(home_fd);
|
||||
|
||||
if (ll_add_read_access_rule_by_path(arg_landlock, "/bin/") ||
|
||||
ll_add_execute_rule_by_path(arg_landlock, "/bin/") ||
|
||||
ll_add_read_access_rule_by_path(arg_landlock, "/dev/") ||
|
||||
ll_add_write_access_rule_by_path(arg_landlock, "/dev/") ||
|
||||
// ll_add_execute_rule_by_path(arg_landlock, "/dev/") ||
|
||||
ll_add_read_access_rule_by_path(arg_landlock, "/etc/") ||
|
||||
ll_add_read_access_rule_by_path(arg_landlock, "/lib/") ||
|
||||
ll_add_execute_rule_by_path(arg_landlock, "/lib/") ||
|
||||
ll_add_read_access_rule_by_path(arg_landlock, "/opt/") ||
|
||||
ll_add_execute_rule_by_path(arg_landlock, "/opt/") ||
|
||||
ll_add_read_access_rule_by_path(arg_landlock, "/usr/") ||
|
||||
ll_add_execute_rule_by_path(arg_landlock, "/usr/") ||
|
||||
ll_add_read_access_rule_by_path(arg_landlock, "/var/"))
|
||||
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
|
||||
if (ll_add_read_access_rule_by_path("/bin/") ||
|
||||
ll_add_execute_rule_by_path("/bin/") ||
|
||||
ll_add_read_access_rule_by_path("/dev/") ||
|
||||
ll_add_write_access_rule_by_path("/dev/") ||
|
||||
ll_add_read_access_rule_by_path("/etc/") ||
|
||||
ll_add_read_access_rule_by_path("/lib/") ||
|
||||
ll_add_execute_rule_by_path("/lib/") ||
|
||||
ll_add_read_access_rule_by_path("/opt/") ||
|
||||
ll_add_execute_rule_by_path("/opt/") ||
|
||||
ll_add_read_access_rule_by_path("/usr/") ||
|
||||
ll_add_execute_rule_by_path("/usr/") ||
|
||||
ll_add_read_access_rule_by_path("/var/"))
|
||||
fprintf(stderr,"Error: cannot set the basic Landlock filesystem\n");
|
||||
}
|
||||
|
||||
#endif
|
||||
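Review bot: `int rset_fd = -1;` in the first hunk is an external-linkage global even though `ll_get_fd()` is added as its accessor; `static int rset_fd = -1;` keeps other translation units from bypassing the accessor and from colliding with the old `rset_fd` parameter names. In `ll_restrict_self`, after `close(rset_fd);` the variable still holds the closed descriptor number, so a later `ll_get_fd()` caller (close_all in util.c compares against it) could match an unrelated descriptor that reused the number; add `rset_fd = -1;` right after the close. The `ll_add_*_rule_by_path` helpers fall back to `ll_create_full_ruleset()` but never check its result, so when the syscall fails rset_fd stays -1, `ll_add_rule` is invoked with -1, and `ll_restrict_self` later treats the state as "Landlock not requested" and returns 0; the rest of those helpers is outside the hunks, but the creation failure should be reported where it happens. The `prctl(PR_SET_NO_NEW_PRIVS, ...)` return value is also unchecked; that is less severe because landlock_restrict_self itself fails with EPERM when no_new_privs is not set, so the error still surfaces.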
|
|
|
|||
|
|
@ -166,7 +166,7 @@ int login_shell = 0;
|
|||
int just_run_the_shell = 0;
|
||||
int arg_netlock = 0;
|
||||
int arg_restrict_namespaces = 0;
|
||||
int arg_landlock = -1;
|
||||
int arg_landlock = 0;
|
||||
int arg_landlock_proc = 2; // 0 - no access; 1 -read-only; 2 - read-write
|
||||
|
||||
int parent_to_child_fds[2];
|
||||
|
|
@ -1504,35 +1504,28 @@ int main(int argc, char **argv, char **envp) {
|
|||
}
|
||||
#ifdef HAVE_LANDLOCK
|
||||
else if (strcmp(argv[i], "--landlock") == 0)
|
||||
ll_basic_system();
|
||||
// ll_basic_system();
|
||||
arg_landlock = 1;
|
||||
else if (strncmp(argv[i], "--landlock.proc=", 16) == 0) {
|
||||
if (strncmp(argv[i]+16, "no", 2) == 0) arg_landlock_proc = 0;
|
||||
else if (strncmp(argv[i]+16, "ro", 2) == 0) arg_landlock_proc = 1;
|
||||
else if (strncmp(argv[i]+16, "rw", 2) == 0) arg_landlock_proc = 2;
|
||||
}
|
||||
else if (strncmp(argv[i], "--landlock.read=", 16) == 0) {
|
||||
if (arg_landlock == -1) arg_landlock = ll_create_full_ruleset();
|
||||
if (ll_add_read_access_rule_by_path(arg_landlock, argv[i]+16)) {
|
||||
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
|
||||
}
|
||||
if (ll_add_read_access_rule_by_path(argv[i]+16))
|
||||
fprintf(stderr,"Error: cannot add Landlock rule\n");
|
||||
}
|
||||
else if (strncmp(argv[i], "--landlock.write=", 17) == 0) {
|
||||
if (arg_landlock == -1) arg_landlock = ll_create_full_ruleset();
|
||||
if (ll_add_write_access_rule_by_path(arg_landlock, argv[i]+17)) {
|
||||
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
|
||||
}
|
||||
if (ll_add_write_access_rule_by_path(argv[i]+17))
|
||||
fprintf(stderr,"Error: cannot add Landlock rule\n");
|
||||
}
|
||||
else if (strncmp(argv[i], "--landlock.special=", 17) == 0) {
|
||||
if (arg_landlock == -1) arg_landlock = ll_create_full_ruleset();
|
||||
if (ll_add_create_special_rule_by_path(arg_landlock, argv[i]+17)) {
|
||||
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
|
||||
}
|
||||
if (ll_add_create_special_rule_by_path(argv[i]+17))
|
||||
fprintf(stderr,"Error: cannot add Landlock rule\n");
|
||||
}
|
||||
else if (strncmp(argv[i], "--landlock.execute=", 19) == 0) {
|
||||
if (arg_landlock == -1) arg_landlock = ll_create_full_ruleset();
|
||||
if (ll_add_execute_rule_by_path(arg_landlock, argv[i]+19)) {
|
||||
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
|
||||
}
|
||||
if (ll_add_execute_rule_by_path(argv[i]+19))
|
||||
fprintf(stderr,"Error: cannot add Landlock rule\n");
|
||||
}
|
||||
#endif
|
||||
else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) {
|
||||
|
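Review bot: The `--landlock.special=` branch compares and skips 17 characters, but the prefix `"--landlock.special="` is 19 characters long, so the comparison matches anything starting with `--landlock.specia` and the path handed to `ll_add_create_special_rule_by_path` still begins with `l=`; change both occurrences to 19, as the `--landlock.execute=` branch below already does. That line is unchanged context, but the branch body was rewritten by this commit and is the natural place to fix it. The commented-out `// ll_basic_system();` left between `else if (strcmp(argv[i], "--landlock") == 0)` and `arg_landlock = 1;` should be deleted rather than kept as dead code. The `--landlock.read=`/`.write=`/`.special=`/`.execute=` branches create the ruleset lazily but do not set `arg_landlock = 1`, so, reading the sandbox.c hunk, a run with only those options never gets the basic-system rules from `ll_basic_system()`; if that is not intended, set `arg_landlock = 1;` in those branches too.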
|
|
|||
|
|
@ -1090,31 +1090,23 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
|
|||
return 0;
|
||||
}
|
||||
if (strncmp(ptr, "landlock.read ", 14) == 0) {
|
||||
if (arg_landlock == -1) arg_landlock = ll_create_full_ruleset();
|
||||
if (ll_add_read_access_rule_by_path(arg_landlock, ptr+14)) {
|
||||
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
|
||||
}
|
||||
if (ll_add_read_access_rule_by_path(ptr+14))
|
||||
fprintf(stderr,"Error: cannot add Landlock rule, file %s, line %d\n", fname, lineno);
|
||||
return 0;
|
||||
}
|
||||
if (strncmp(ptr, "landlock.write ", 15) == 0) {
|
||||
if (arg_landlock == -1) arg_landlock = ll_create_full_ruleset();
|
||||
if (ll_add_write_access_rule_by_path(arg_landlock, ptr+15)) {
|
||||
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
|
||||
}
|
||||
if (ll_add_write_access_rule_by_path(ptr+15))
|
||||
fprintf(stderr,"Error: cannot add Landlock rule, file %s, line %d\n", fname, lineno);
|
||||
return 0;
|
||||
}
|
||||
if (strncmp(ptr, "landlock.special ", 26) == 0) {
|
||||
if (arg_landlock == -1) arg_landlock = ll_create_full_ruleset();
|
||||
if (ll_add_create_special_rule_by_path(arg_landlock, ptr+26)) {
|
||||
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
|
||||
}
|
||||
if (ll_add_create_special_rule_by_path(ptr+26))
|
||||
fprintf(stderr,"Error: cannot add Landlock rule, file %s, line %d\n", fname, lineno);
|
||||
return 0;
|
||||
}
|
||||
if (strncmp(ptr, "landlock.execute ", 17) == 0) {
|
||||
if (arg_landlock == -1) arg_landlock = ll_create_full_ruleset();
|
||||
if (ll_add_execute_rule_by_path(arg_landlock, ptr+17)) {
|
||||
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
|
||||
}
|
||||
if (ll_add_execute_rule_by_path(ptr+17))
|
||||
fprintf(stderr,"Error: cannot add Landlock rule, file %s, line %d\n", fname, lineno);
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
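Review bot: `strncmp(ptr, "landlock.special ", 26)` uses a length longer than the 17-character literal, so the comparison runs into the literal's terminator and can only succeed when the line is exactly `landlock.special ` with no path, in which case `ptr+26` points past the end of the line; use `if (strncmp(ptr, "landlock.special ", 17) == 0) {` and `ll_add_create_special_rule_by_path(ptr+17)`. The line is unchanged context, but this commit rewrites the body beneath it, and the same prefix-length mistake exists in the `--landlock.special=` branch of main.c. The four branches now print a uniform error and then `return 0;`, which makes a profile whose rule the kernel rejected parse as valid; if other profile errors in this function exit, consider doing the same here so a requested restriction is not silently dropped.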
|
|
|||
|
|
@ -517,12 +517,24 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
|
|||
}
|
||||
|
||||
#ifdef HAVE_LANDLOCK
|
||||
// set Landlock
|
||||
if (arg_landlock >= 0) {
|
||||
if (ll_restrict_self(arg_landlock,0)) {
|
||||
fprintf(stderr,"An error has occured while enabling Landlock self-restriction. Exiting...\n");
|
||||
exit(1); // it isn't safe to continue if Landlock self-restriction was enabled and the "landlock_restrict_self" syscall has failed
|
||||
}
|
||||
//****************************
|
||||
// Configure Landlock
|
||||
//****************************
|
||||
if (arg_landlock)
|
||||
ll_basic_system();
|
||||
|
||||
#ifdef HAVE_LANDLOCK
|
||||
if (ll_get_fd() != -1) {
|
||||
if (arg_landlock_proc >= 1)
|
||||
ll_add_read_access_rule_by_path("/proc/");
|
||||
if (arg_landlock_proc == 2)
|
||||
ll_add_write_access_rule_by_path("/proc/");
|
||||
}
|
||||
#endif
|
||||
|
||||
if (ll_restrict_self(0)) {
|
||||
fprintf(stderr,"An error has occured while enabling Landlock self-restriction. Exiting...\n");
|
||||
exit(1); // it isn't safe to continue if Landlock self-restriction was enabled and the "landlock_restrict_self" syscall has failed
|
||||
}
|
||||
#endif
|
||||
|
||||
|
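Review bot: When `arg_landlock` is set but `ll_create_full_ruleset()` fails inside `ll_basic_system()` (for example on a kernel without Landlock), `ll_get_fd()` stays -1, the rule additions only print errors, and `ll_restrict_self(0)` returns 0 because it treats -1 as "no ruleset", so the application starts with no Landlock restriction although the user asked for one; after the `ll_basic_system();` call add `if (arg_landlock && ll_get_fd() == -1) { fprintf(stderr, "Error: cannot create Landlock ruleset\n"); exit(1); }` so the request fails closed like the self-restriction failure below it. The return values of `ll_add_read_access_rule_by_path("/proc/")` and its write counterpart are discarded, unlike every other call site in this commit; at least print the same error the other sites do. The `#ifdef HAVE_LANDLOCK` around the `ll_get_fd()` block appears to sit inside the outer `#ifdef HAVE_LANDLOCK` that encloses the whole Landlock section and can be dropped. start_application continues outside the hunk.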
|
@ -1011,17 +1023,6 @@ int sandbox(void* sandbox_arg) {
|
|||
//****************************
|
||||
fs_proc_sys_dev_boot();
|
||||
|
||||
//****************************
|
||||
// Allow access to /proc
|
||||
//****************************
|
||||
#ifdef HAVE_LANDLOCK
|
||||
if (arg_landlock > -1) {
|
||||
if (arg_landlock_proc >= 1)
|
||||
ll_add_read_access_rule_by_path(arg_landlock, "/proc/");
|
||||
if (arg_landlock_proc == 2)
|
||||
ll_add_write_access_rule_by_path(arg_landlock, "/proc/");
|
||||
}
|
||||
#endif
|
||||
//****************************
|
||||
// handle /mnt and /media
|
||||
//****************************
|
||||
|
|
|
|||
|
|
@ -1340,7 +1340,8 @@ void close_all(int *keep_list, size_t sz) {
|
|||
|
||||
// don't close the file descriptor of the Landlock ruleset -- it will be automatically closed by the landlock_restrict_self wrapper function
|
||||
#ifdef HAVE_LANDLOCK
|
||||
if (fd == arg_landlock) continue;
|
||||
if (fd == ll_get_fd())
|
||||
continue;
|
||||
#endif
|
||||
close(fd);
|
||||
}
|
||||
|
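Review bot: `ll_get_fd()` is called on every iteration of the close loop; read it once into a local before the loop (the loop header is outside the hunk) and compare `fd` against that. If close_all can run after `ll_restrict_self()` has already closed the ruleset descriptor, the accessor still returns the old number and an unrelated descriptor that reused it would be spared here; the comment above relies on the wrapper closing the descriptor, so the wrapper should also reset it to -1 for this check to stay meaningful.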
|
|
|||