github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

Merge pull request #5347 from kmk3/revert-landlock

Browse source 
Revert "Add Landlock support to Firejail"
This commit is contained in:
Kelvin M. Klann 2022-09-06 11:20:55 +00:00 committed by GitHub
commit 60db9f7851
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
19 changed files with 338 additions and 899 deletions
Download patch file Download diff file Expand all files Collapse all files

2
README
View file

@ -253,8 +253,6 @@ cayday (https://github.com/caydey)
Christian Pinedo (https://github.com/chrpinedo)
- added nicotine profile
- allow python3 in totem profile
ChrysoliteAzalea (https://github.com/ChrysoliteAzalea)
- Landlock support
creideiki (https://github.com/creideiki)
- make the sandbox process reap all children
- tor browser profile fix

84
README.md
View file

@ -230,90 +230,6 @@ Milestone page: https://github.com/netblue30/firejail/milestone/1
kernel. For more information, please see APPARMOR section be
`````
### Landlock support - EXPERIMENTAL
For the next release (0.9.72), landlock support is experimental. It is disabled in the normal build
or in the executable archives we provide. It will be "officially" released
in 0.9.74, sometime early next year. For now, use --enable-landlock during software compile:
`````
$ ./configure --enable-landlock
`````
The functionality is segragated with ifdefs in the code, at times it might not even compile!
Work in progress, the interface described in the man page below could change.
`````
--landlock
Create a Landlock ruleset (if it doesn't already exist) and add
basic access rules to it. See LANDLOCK section for more informa
tion.
--landlock.proc=no|ro|rw
Add an access rule for /proc directory (read-only if set to ro
and read-write if set to rw). The access rule for /proc is added
after this directory is set up in the sandbox. Access rules for
/proc set up with other Landlock-related command-line options
have no effect.
--landlock.read=path
Create a Landlock ruleset (if it doesn't already exist) and add
a read access rule for path.
--landlock.write=path
Create a Landlock ruleset (if it doesn't already exist) and add
a write access rule for path.
--landlock.special=path
Create a Landlock ruleset (if it doesn't already exist) and add
a permission rule to create FIFO pipes, Unix domain sockets and
block devices beneath given path.
--landlock.execute=path
Create a Landlock ruleset (if it doesn't already exist) and add
an execution permission rule for path.
Example:
$ firejail --landlock.read=/ --landlock.write=/home --land
lock.execute=/usr
LANDLOCK
Landlock is a Linux security module first introduced in the 5.13 ver
sion of Linux kernel. It allows unprivileged processes to restrict
their access to the filesystem. Once imposed, these restrictions can
never be removed, and all child processes created by a Landlock-re
stricted processes inherit these restrictions. Firejail supports Land
lock as an additional sandboxing feature. It can be used to ensure that
a sandboxed application can only access files and directories that it
was explicitly allowed to access. Firejail supports populating the
ruleset with both basic set of rules and with custom set of rules. Ba
sic set of rules allows read-only access to /bin, /dev, /etc, /lib,
/opt, /proc, /usr and /var, read-write access to the home directory,
and allows execution of binaries located in /bin, /opt and /usr.
Important notes:
- A process can install a Landlock ruleset only if it has either
CAP_SYS_ADMIN in its effective capability set, or the "No New
Privileges" restriction enabled. Because of this, enabling the
Landlock feature will also cause Firejail to enable the "No New
Privileges" restriction, regardless of the profile or the
--no-new-privs command line option.
- Access to the /proc directory is managed through the --land
lock.proc command line option.
- Access to the /etc directory is automatically allowed. To
override this, use the --writable-etc command line option. You
can also use the --private-etc option to restrict access to the
/etc directory.
To enable Landlock self-restriction on top of your current Firejail se
curity features, pass --landlock flag to Firejail command line. You can
also use --landlock.read, --landlock.write, --landlock.special and
--landlock.execute options together with --landlock or instead of it.
Example:
$ firejail --landlock --landlock.read=/media --landlock.proc=ro
mc
`````
### Profile Statistics
A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory.

1
RELNOTES
View file

@ -16,7 +16,6 @@ firejail (0.9.71) baseline; urgency=low
a seccomp filter for both 64 and 32 bit architectures (#4939 #5259)
* feature: support for custom AppArmor profiles (--apparmor=) (#5274 #5316
#5317)
* feature: Landlock support (#5269)
* bugfix: Flood of seccomp audit log entries (#5207)
* build: deduplicate configure-time vars into new config files (#5140 #5284)
* build: fix file mode of shell scripts (644 -> 755) (#5206)

3
config.mk.in
View file

@ -41,7 +41,6 @@ HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
HAVE_IDS=@HAVE_IDS@
HAVE_GCOV=@HAVE_GCOV@
HAVE_SELINUX=@HAVE_SELINUX@
HAVE_LANDLOCK=@HAVE_LANDLOCK@
HAVE_SUID=@HAVE_SUID@
HAVE_DBUSPROXY=@HAVE_DBUSPROXY@
HAVE_USERTMPFS=@HAVE_USERTMPFS@
@ -50,7 +49,7 @@ HAVE_LTS=@HAVE_LTS@
HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@
HAVE_ONLY_SYSCFG_PROFILES=@HAVE_ONLY_SYSCFG_PROFILES@
MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_IDS) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_LANDLOCK) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES)
MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_IDS) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES)
CC=@CC@
CFLAGS=@CFLAGS@

688
configure vendored
View file

@ -624,6 +624,9 @@ ac_includes_default="\
ac_subst_vars='LTLIBOBJS
LIBOBJS
EGREP
GREP
CPP
HAVE_LTS
HAVE_ONLY_SYSCFG_PROFILES
HAVE_FORCE_NONEWPRIVS
@ -648,10 +651,6 @@ HAVE_OVERLAYFS
HAVE_DBUSPROXY
EXTRA_LDFLAGS
EXTRA_CFLAGS
EGREP
GREP
CPP
HAVE_LANDLOCK
HAVE_SELINUX
AA_LIBS
AA_CFLAGS
@ -714,7 +713,6 @@ enable_sanitizer
enable_ids
enable_apparmor
enable_selinux
enable_landlock
enable_dbusproxy
enable_output
enable_usertmpfs
@ -1376,7 +1374,6 @@ Optional Features:
--enable-ids enable ids
--enable-apparmor enable apparmor
--enable-selinux SELinux labeling support
--enable-landlock Landlock self-restriction support
--disable-dbusproxy disable dbus proxy
--disable-output disable --output logging
--disable-usertmpfs disable tmpfs as regular user
@ -3345,11 +3342,336 @@ if test "x$enable_selinux" = "xyes"; then :
fi
HAVE_LANDLOCK=""
# Check whether --enable-landlock was given.
if test "${enable_landlock+set}" = set; then :
enableval=$enable_landlock;
HAVE_DBUSPROXY=""
# Check whether --enable-dbusproxy was given.
if test "${enable_dbusproxy+set}" = set; then :
enableval=$enable_dbusproxy;
fi
if test "x$enable_dbusproxy" != "xno"; then :
HAVE_DBUSPROXY="-DHAVE_DBUSPROXY"
fi
# overlayfs features temporarily disabled pending fixes
HAVE_OVERLAYFS=""
#AC_ARG_ENABLE([overlayfs],
# [AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])])
#AS_IF([test "x$enable_overlayfs" != "xno"], [
# HAVE_OVERLAYFS="-DHAVE_OVERLAYFS"
#])
HAVE_OUTPUT=""
# Check whether --enable-output was given.
if test "${enable_output+set}" = set; then :
enableval=$enable_output;
fi
if test "x$enable_output" != "xno"; then :
HAVE_OUTPUT="-DHAVE_OUTPUT"
fi
HAVE_USERTMPFS=""
# Check whether --enable-usertmpfs was given.
if test "${enable_usertmpfs+set}" = set; then :
enableval=$enable_usertmpfs;
fi
if test "x$enable_usertmpfs" != "xno"; then :
HAVE_USERTMPFS="-DHAVE_USERTMPFS"
fi
HAVE_MAN="no"
# Check whether --enable-man was given.
if test "${enable_man+set}" = set; then :
enableval=$enable_man;
fi
if test "x$enable_man" != "xno"; then :
HAVE_MAN="-DHAVE_MAN"
# Extract the first word of "gawk", so it can be a program name with args.
set dummy gawk; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_prog_HAVE_GAWK+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$HAVE_GAWK"; then
ac_cv_prog_HAVE_GAWK="$HAVE_GAWK" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
ac_cv_prog_HAVE_GAWK="yes"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
fi
done
done
IFS=$as_save_IFS
test -z "$ac_cv_prog_HAVE_GAWK" && ac_cv_prog_HAVE_GAWK="no"
fi
fi
HAVE_GAWK=$ac_cv_prog_HAVE_GAWK
if test -n "$HAVE_GAWK"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $HAVE_GAWK" >&5
$as_echo "$HAVE_GAWK" >&6; }
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi
if test "x$HAVE_GAWK" != "xyes"; then :
as_fn_error $? "*** gawk not found ***" "$LINENO" 5
fi
fi
HAVE_FIRETUNNEL=""
# Check whether --enable-firetunnel was given.
if test "${enable_firetunnel+set}" = set; then :
enableval=$enable_firetunnel;
fi
if test "x$enable_firetunnel" = "xyes"; then :
HAVE_FIRETUNNEL="-DHAVE_FIRETUNNEL"
fi
HAVE_PRIVATE_HOME=""
# Check whether --enable-private-home was given.
if test "${enable_private_home+set}" = set; then :
enableval=$enable_private_home;
fi
if test "x$enable_private_home" != "xno"; then :
HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME"
fi
HAVE_CHROOT=""
# Check whether --enable-chroot was given.
if test "${enable_chroot+set}" = set; then :
enableval=$enable_chroot;
fi
if test "x$enable_chroot" != "xno"; then :
HAVE_CHROOT="-DHAVE_CHROOT"
fi
HAVE_GLOBALCFG=""
# Check whether --enable-globalcfg was given.
if test "${enable_globalcfg+set}" = set; then :
enableval=$enable_globalcfg;
fi
if test "x$enable_globalcfg" != "xno"; then :
HAVE_GLOBALCFG="-DHAVE_GLOBALCFG"
fi
HAVE_NETWORK=""
# Check whether --enable-network was given.
if test "${enable_network+set}" = set; then :
enableval=$enable_network;
fi
if test "x$enable_network" != "xno"; then :
HAVE_NETWORK="-DHAVE_NETWORK"
fi
HAVE_USERNS=""
# Check whether --enable-userns was given.
if test "${enable_userns+set}" = set; then :
enableval=$enable_userns;
fi
if test "x$enable_userns" != "xno"; then :
HAVE_USERNS="-DHAVE_USERNS"
fi
HAVE_X11=""
# Check whether --enable-x11 was given.
if test "${enable_x11+set}" = set; then :
enableval=$enable_x11;
fi
if test "x$enable_x11" != "xno"; then :
HAVE_X11="-DHAVE_X11"
fi
HAVE_FILE_TRANSFER=""
# Check whether --enable-file-transfer was given.
if test "${enable_file_transfer+set}" = set; then :
enableval=$enable_file_transfer;
fi
if test "x$enable_file_transfer" != "xno"; then :
HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER"
fi
HAVE_SUID=""
# Check whether --enable-suid was given.
if test "${enable_suid+set}" = set; then :
enableval=$enable_suid;
fi
if test "x$enable_suid" != "xno"; then :
HAVE_SUID="-DHAVE_SUID"
fi
HAVE_FATAL_WARNINGS=""
# Check whether --enable-fatal_warnings was given.
if test "${enable_fatal_warnings+set}" = set; then :
enableval=$enable_fatal_warnings;
fi
if test "x$enable_fatal_warnings" = "xyes"; then :
HAVE_FATAL_WARNINGS="-W -Wall -Werror"
fi
BUSYBOX_WORKAROUND="no"
# Check whether --enable-busybox-workaround was given.
if test "${enable_busybox_workaround+set}" = set; then :
enableval=$enable_busybox_workaround;
fi
if test "x$enable_busybox_workaround" = "xyes"; then :
BUSYBOX_WORKAROUND="yes"
fi
HAVE_GCOV=""
# Check whether --enable-gcov was given.
if test "${enable_gcov+set}" = set; then :
enableval=$enable_gcov;
fi
if test "x$enable_gcov" = "xyes"; then :
HAVE_GCOV="--coverage -DHAVE_GCOV"
EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lgcov --coverage"
fi
HAVE_CONTRIB_INSTALL="yes"
# Check whether --enable-contrib-install was given.
if test "${enable_contrib_install+set}" = set; then :
enableval=$enable_contrib_install;
fi
if test "x$enable_contrib_install" = "xno"; then :
HAVE_CONTRIB_INSTALL="no"
fi
HAVE_FORCE_NONEWPRIVS=""
# Check whether --enable-force-nonewprivs was given.
if test "${enable_force_nonewprivs+set}" = set; then :
enableval=$enable_force_nonewprivs;
fi
if test "x$enable_force_nonewprivs" = "xyes"; then :
HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS"
fi
HAVE_ONLY_SYSCFG_PROFILES=""
# Check whether --enable-only-syscfg-profiles was given.
if test "${enable_only_syscfg_profiles+set}" = set; then :
enableval=$enable_only_syscfg_profiles;
fi
if test "x$enable_only_syscfg_profiles" = "xyes"; then :
HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES"
fi
HAVE_LTS=""
# Check whether --enable-lts was given.
if test "${enable_lts+set}" = set; then :
enableval=$enable_lts;
fi
if test "x$enable_lts" = "xyes"; then :
HAVE_LTS="-DHAVE_LTS"
HAVE_IDS=""
HAVE_DBUSPROXY=""
HAVE_OVERLAYFS=""
HAVE_OUTPUT=""
HAVE_USERTMPFS=""
HAVE_MAN="-DHAVE_MAN"
HAVE_FIRETUNNEL=""
HAVE_PRIVATE_HOME=""
HAVE_CHROOT=""
HAVE_GLOBALCFG=""
HAVE_USERNS=""
HAVE_X11=""
HAVE_FILE_TRANSFER=""
HAVE_SUID="-DHAVE_SUID"
BUSYBOX_WORKAROUND="no"
HAVE_CONTRIB_INSTALL="no",
fi
ac_ext=c
@ -3749,352 +4071,6 @@ fi
done
if test "x$enable_landlock" = "xyes"; then :
ac_fn_c_check_header_mongrel "$LINENO" "linux/landlock.h" "ac_cv_header_linux_landlock_h" "$ac_includes_default"
if test "x$ac_cv_header_linux_landlock_h" = xyes; then :
else
as_fn_error $? "*** LANDLOCK support is not installed (/usr/include/linux/landlock.h missing) ***" "$LINENO" 5
fi
HAVE_LANDLOCK="-DHAVE_LANDLOCK"
EXTRA_LDFLAGS="$EXTRA_LDFLAGS"
fi
HAVE_DBUSPROXY=""
# Check whether --enable-dbusproxy was given.
if test "${enable_dbusproxy+set}" = set; then :
enableval=$enable_dbusproxy;
fi
if test "x$enable_dbusproxy" != "xno"; then :
HAVE_DBUSPROXY="-DHAVE_DBUSPROXY"
fi
# overlayfs features temporarily disabled pending fixes
HAVE_OVERLAYFS=""
#AC_ARG_ENABLE([overlayfs],
# [AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])])
#AS_IF([test "x$enable_overlayfs" != "xno"], [
# HAVE_OVERLAYFS="-DHAVE_OVERLAYFS"
#])
HAVE_OUTPUT=""
# Check whether --enable-output was given.
if test "${enable_output+set}" = set; then :
enableval=$enable_output;
fi
if test "x$enable_output" != "xno"; then :
HAVE_OUTPUT="-DHAVE_OUTPUT"
fi
HAVE_USERTMPFS=""
# Check whether --enable-usertmpfs was given.
if test "${enable_usertmpfs+set}" = set; then :
enableval=$enable_usertmpfs;
fi
if test "x$enable_usertmpfs" != "xno"; then :
HAVE_USERTMPFS="-DHAVE_USERTMPFS"
fi
HAVE_MAN="no"
# Check whether --enable-man was given.
if test "${enable_man+set}" = set; then :
enableval=$enable_man;
fi
if test "x$enable_man" != "xno"; then :
HAVE_MAN="-DHAVE_MAN"
# Extract the first word of "gawk", so it can be a program name with args.
set dummy gawk; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_prog_HAVE_GAWK+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$HAVE_GAWK"; then
ac_cv_prog_HAVE_GAWK="$HAVE_GAWK" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
ac_cv_prog_HAVE_GAWK="yes"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
fi
done
done
IFS=$as_save_IFS
test -z "$ac_cv_prog_HAVE_GAWK" && ac_cv_prog_HAVE_GAWK="no"
fi
fi
HAVE_GAWK=$ac_cv_prog_HAVE_GAWK
if test -n "$HAVE_GAWK"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $HAVE_GAWK" >&5
$as_echo "$HAVE_GAWK" >&6; }
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi
if test "x$HAVE_GAWK" != "xyes"; then :
as_fn_error $? "*** gawk not found ***" "$LINENO" 5
fi
fi
HAVE_FIRETUNNEL=""
# Check whether --enable-firetunnel was given.
if test "${enable_firetunnel+set}" = set; then :
enableval=$enable_firetunnel;
fi
if test "x$enable_firetunnel" = "xyes"; then :
HAVE_FIRETUNNEL="-DHAVE_FIRETUNNEL"
fi
HAVE_PRIVATE_HOME=""
# Check whether --enable-private-home was given.
if test "${enable_private_home+set}" = set; then :
enableval=$enable_private_home;
fi
if test "x$enable_private_home" != "xno"; then :
HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME"
fi
HAVE_CHROOT=""
# Check whether --enable-chroot was given.
if test "${enable_chroot+set}" = set; then :
enableval=$enable_chroot;
fi
if test "x$enable_chroot" != "xno"; then :
HAVE_CHROOT="-DHAVE_CHROOT"
fi
HAVE_GLOBALCFG=""
# Check whether --enable-globalcfg was given.
if test "${enable_globalcfg+set}" = set; then :
enableval=$enable_globalcfg;
fi
if test "x$enable_globalcfg" != "xno"; then :
HAVE_GLOBALCFG="-DHAVE_GLOBALCFG"
fi
HAVE_NETWORK=""
# Check whether --enable-network was given.
if test "${enable_network+set}" = set; then :
enableval=$enable_network;
fi
if test "x$enable_network" != "xno"; then :
HAVE_NETWORK="-DHAVE_NETWORK"
fi
HAVE_USERNS=""
# Check whether --enable-userns was given.
if test "${enable_userns+set}" = set; then :
enableval=$enable_userns;
fi
if test "x$enable_userns" != "xno"; then :
HAVE_USERNS="-DHAVE_USERNS"
fi
HAVE_X11=""
# Check whether --enable-x11 was given.
if test "${enable_x11+set}" = set; then :
enableval=$enable_x11;
fi
if test "x$enable_x11" != "xno"; then :
HAVE_X11="-DHAVE_X11"
fi
HAVE_FILE_TRANSFER=""
# Check whether --enable-file-transfer was given.
if test "${enable_file_transfer+set}" = set; then :
enableval=$enable_file_transfer;
fi
if test "x$enable_file_transfer" != "xno"; then :
HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER"
fi
HAVE_SUID=""
# Check whether --enable-suid was given.
if test "${enable_suid+set}" = set; then :
enableval=$enable_suid;
fi
if test "x$enable_suid" != "xno"; then :
HAVE_SUID="-DHAVE_SUID"
fi
HAVE_FATAL_WARNINGS=""
# Check whether --enable-fatal_warnings was given.
if test "${enable_fatal_warnings+set}" = set; then :
enableval=$enable_fatal_warnings;
fi
if test "x$enable_fatal_warnings" = "xyes"; then :
HAVE_FATAL_WARNINGS="-W -Wall -Werror"
fi
BUSYBOX_WORKAROUND="no"
# Check whether --enable-busybox-workaround was given.
if test "${enable_busybox_workaround+set}" = set; then :
enableval=$enable_busybox_workaround;
fi
if test "x$enable_busybox_workaround" = "xyes"; then :
BUSYBOX_WORKAROUND="yes"
fi
HAVE_GCOV=""
# Check whether --enable-gcov was given.
if test "${enable_gcov+set}" = set; then :
enableval=$enable_gcov;
fi
if test "x$enable_gcov" = "xyes"; then :
HAVE_GCOV="--coverage -DHAVE_GCOV"
EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lgcov --coverage"
fi
HAVE_CONTRIB_INSTALL="yes"
# Check whether --enable-contrib-install was given.
if test "${enable_contrib_install+set}" = set; then :
enableval=$enable_contrib_install;
fi
if test "x$enable_contrib_install" = "xno"; then :
HAVE_CONTRIB_INSTALL="no"
fi
HAVE_FORCE_NONEWPRIVS=""
# Check whether --enable-force-nonewprivs was given.
if test "${enable_force_nonewprivs+set}" = set; then :
enableval=$enable_force_nonewprivs;
fi
if test "x$enable_force_nonewprivs" = "xyes"; then :
HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS"
fi
HAVE_ONLY_SYSCFG_PROFILES=""
# Check whether --enable-only-syscfg-profiles was given.
if test "${enable_only_syscfg_profiles+set}" = set; then :
enableval=$enable_only_syscfg_profiles;
fi
if test "x$enable_only_syscfg_profiles" = "xyes"; then :
HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES"
fi
HAVE_LTS=""
# Check whether --enable-lts was given.
if test "${enable_lts+set}" = set; then :
enableval=$enable_lts;
fi
if test "x$enable_lts" = "xyes"; then :
HAVE_LTS="-DHAVE_LTS"
HAVE_IDS=""
HAVE_DBUSPROXY=""
HAVE_OVERLAYFS=""
HAVE_OUTPUT=""
HAVE_USERTMPFS=""
HAVE_MAN="-DHAVE_MAN"
HAVE_FIRETUNNEL=""
HAVE_PRIVATE_HOME=""
HAVE_CHROOT=""
HAVE_GLOBALCFG=""
HAVE_USERNS=""
HAVE_X11=""
HAVE_FILE_TRANSFER=""
HAVE_SUID="-DHAVE_SUID"
BUSYBOX_WORKAROUND="no"
HAVE_CONTRIB_INSTALL="no",
fi
ac_fn_c_check_header_mongrel "$LINENO" "linux/seccomp.h" "ac_cv_header_linux_seccomp_h" "$ac_includes_default"
if test "x$ac_cv_header_linux_seccomp_h" = xyes; then :

11
configure.ac
View file

@ -81,19 +81,10 @@ AS_IF([test "x$enable_selinux" = "xyes"], [
EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lselinux"
])
HAVE_LANDLOCK=""
AC_SUBST([HAVE_LANDLOCK])
AC_ARG_ENABLE([landlock],
[AS_HELP_STRING([--enable-landlock], [Landlock self-restriction support])])
AS_IF([test "x$enable_landlock" = "xyes"], [
AC_CHECK_HEADER([linux/landlock.h], [], AC_MSG_ERROR([*** LANDLOCK support is not installed (/usr/include/linux/landlock.h missing) ***]))
HAVE_LANDLOCK="-DHAVE_LANDLOCK"
EXTRA_LDFLAGS="$EXTRA_LDFLAGS"
])
AC_SUBST([EXTRA_CFLAGS])
AC_SUBST([EXTRA_LDFLAGS])
HAVE_DBUSPROXY=""
AC_SUBST([HAVE_DBUSPROXY])
AC_ARG_ENABLE([dbusproxy],

2
contrib/vim/syntax/firejail.vim
View file

@ -52,7 +52,7 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES
" Commands grabbed from: src/firejail/profile.c
" Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|restrict-namespaces|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
syn match fjCommand /\v(apparmor|bind|blacklist|blacklist-nolog|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|landlock|landlock.proc|landlock.read|landlock.write|landlock.special|landlock.execute|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
syn match fjCommand /\v(apparmor|bind|blacklist|blacklist-nolog|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
" Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below
syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained

16
src/bash_completion/firejail.bash_completion.in
View file

@ -42,22 +42,6 @@ _firejail()
_filedir -d
return 0
;;
--landlock.read)
_filedir
return 0
;;
--landlock.write)
_filedir
return 0
;;
--landlock.special)
_filedir
return 0
;;
--landlock.execute)
_filedir
return 0
;;
--tmpfs)
_filedir
return 0

8
src/firejail/checkcfg.c
View file

@ -378,14 +378,6 @@ void print_compiletime_support(void) {
#endif
);
printf("\t- Landlock support is %s\n",
#ifdef HAVE_LANDLOCK
"enabled"
#else
"disabled"
#endif
);
printf("\t- networking support is %s\n",
#ifdef HAVE_NETWORK
"enabled"

21
src/firejail/firejail.h
View file

@ -22,9 +22,6 @@
#include "../include/common.h"
#include "../include/euid_common.h"
#include "../include/rundefs.h"
#ifdef HAVE_LANDLOCK
#include <linux/landlock.h>
#endif
#include <linux/limits.h> // Note: Plain limits.h may break ARG_MAX (see #4583)
#include <stdarg.h>
#include <sys/stat.h>
@ -33,6 +30,7 @@
//#define DEBUG_RESTRICTED_SHELL
// profiles
#define DEFAULT_USER_PROFILE "default"
#define DEFAULT_ROOT_PROFILE "server"
@ -288,11 +286,6 @@ extern int arg_seccomp32; // enable default seccomp filter for 32 bit arch
extern int arg_seccomp_postexec; // need postexec ld.preload library?
extern int arg_seccomp_block_secondary; // block any secondary architectures
#ifdef HAVE_LANDLOCK
extern int arg_landlock; // Landlock ruleset file descriptor
extern int arg_landlock_proc; // Landlock rule for accessing /proc (0 for no access, 1 for read-only and 2 for read-write)
#endif
extern int arg_caps_default_filter; // enable default capabilities filter
extern int arg_caps_drop; // drop list
extern int arg_caps_drop_all; // drop all capabilities
@ -945,16 +938,4 @@ void run_ids(int argc, char **argv);
// oom.c
void oom_set(const char *oom_string);
// landlock.c
#ifdef HAVE_LANDLOCK
int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags);
int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags);
int landlock_restrict_self(int fd,__u32 flags);
int create_full_ruleset();
int add_read_access_rule_by_path(int rset_fd,char *allowed_path);
int add_write_access_rule_by_path(int rset_fd,char *allowed_path);
int add_create_special_rule_by_path(int rset_fd,char *allowed_path);
int add_execute_rule_by_path(int rset_fd,char *allowed_path);
#endif
#endif

101
src/firejail/landlock.c
View file

@ -1,101 +0,0 @@
/*
* Copyright (C) 2014-2022 Firejail Authors
*
* This file is part of firejail project
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_LANDLOCK
#define _GNU_SOURCE
#include <stdio.h>
#include <stddef.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/prctl.h>
#include <linux/prctl.h>
#include <linux/landlock.h>
int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags) {
return syscall(__NR_landlock_create_ruleset,rsattr,size,flags);
}
int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags) {
return syscall(__NR_landlock_add_rule,fd,t,attr,flags);
}
int landlock_restrict_self(int fd,__u32 flags) {
prctl(PR_SET_NO_NEW_PRIVS,1,0,0,0);
int result = syscall(__NR_landlock_restrict_self,fd,flags);
if (result!=0) return result;
else {
close(fd);
return 0;
}
}
int create_full_ruleset() {
struct landlock_ruleset_attr attr;
attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM | LANDLOCK_ACCESS_FS_EXECUTE;
return landlock_create_ruleset(&attr,sizeof(attr),0);
}
int add_read_access_rule_by_path(int rset_fd,char *allowed_path) {
int result;
int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
struct landlock_path_beneath_attr target;
target.parent_fd = allowed_fd;
target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
close(allowed_fd);
return result;
}
int add_write_access_rule_by_path(int rset_fd,char *allowed_path) {
int result;
int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
struct landlock_path_beneath_attr target;
target.parent_fd = allowed_fd;
target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SYM;
result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
close(allowed_fd);
return result;
}
int add_create_special_rule_by_path(int rset_fd,char *allowed_path) {
int result;
int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
struct landlock_path_beneath_attr target;
target.parent_fd = allowed_fd;
target.allowed_access = LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK;
result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
close(allowed_fd);
return result;
}
int add_execute_rule_by_path(int rset_fd,char *allowed_path) {
int result;
int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
struct landlock_path_beneath_attr target;
target.parent_fd = allowed_fd;
target.allowed_access = LANDLOCK_ACCESS_FS_EXECUTE;
result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
close(allowed_fd);
return result;
}
#endif

81
src/firejail/main.c
View file

@ -81,11 +81,6 @@ int arg_seccomp_postexec = 0; // need postexec ld.preload library?
int arg_seccomp_block_secondary = 0; // block any secondary architectures
int arg_seccomp_error_action = 0;
#ifdef HAVE_LANDLOCK
int arg_landlock = -1; // Landlock ruleset file descriptor (-1 if it doesn't exist)
int arg_landlock_proc = 0; // Landlock rule for accessing /proc (0 for no access, 1 for read-only and 2 for read-write)
#endif
int arg_caps_default_filter = 0; // enable default capabilities filter
int arg_caps_drop = 0; // drop list
int arg_caps_drop_all = 0; // drop all capabilities
@ -1407,82 +1402,6 @@ int main(int argc, char **argv, char **envp) {
else
exit_err_feature("seccomp");
}
#ifdef HAVE_LANDLOCK
else if (strcmp(argv[i], "--landlock") == 0) {
if (arg_landlock == -1) arg_landlock = create_full_ruleset();
const char *home_dir = env_get("HOME");
int home_fd = open(home_dir,O_PATH | O_CLOEXEC);
struct landlock_path_beneath_attr target;
target.parent_fd = home_fd;
target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SYM;
if (landlock_add_rule(arg_landlock,LANDLOCK_RULE_PATH_BENEATH,&target,0)) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
close(home_fd);
if (add_read_access_rule_by_path(arg_landlock, "/bin/")) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
if (add_execute_rule_by_path(arg_landlock, "/bin/")) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
if (add_read_access_rule_by_path(arg_landlock, "/dev/")) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
if (add_read_access_rule_by_path(arg_landlock, "/etc/")) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
if (add_read_access_rule_by_path(arg_landlock, "/lib/")) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
if (add_execute_rule_by_path(arg_landlock, "/lib/")) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
if (add_read_access_rule_by_path(arg_landlock, "/opt/")) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
if (add_execute_rule_by_path(arg_landlock, "/opt/")) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
if (add_read_access_rule_by_path(arg_landlock, "/usr/")) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
if (add_execute_rule_by_path(arg_landlock, "/usr/")) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
if (add_read_access_rule_by_path(arg_landlock, "/var/")) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
}
else if (strncmp(argv[i], "--landlock.proc=", 16) == 0) {
if (strncmp(argv[i]+16, "no", 2) == 0) arg_landlock_proc = 0;
else if (strncmp(argv[i]+16, "ro", 2) == 0) arg_landlock_proc = 1;
else if (strncmp(argv[i]+16, "rw", 2) == 0) arg_landlock_proc = 2;
}
else if (strncmp(argv[i], "--landlock.read=", 16) == 0) {
if (arg_landlock == -1) arg_landlock = create_full_ruleset();
if (add_read_access_rule_by_path(arg_landlock, argv[i]+16)) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
}
else if (strncmp(argv[i], "--landlock.write=", 17) == 0) {
if (arg_landlock == -1) arg_landlock = create_full_ruleset();
if (add_write_access_rule_by_path(arg_landlock, argv[i]+17)) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
}
else if (strncmp(argv[i], "--landlock.special=", 17) == 0) {
if (arg_landlock == -1) arg_landlock = create_full_ruleset();
if (add_create_special_rule_by_path(arg_landlock, argv[i]+17)) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
}
else if (strncmp(argv[i], "--landlock.execute=", 19) == 0) {
if (arg_landlock == -1) arg_landlock = create_full_ruleset();
if (add_execute_rule_by_path(arg_landlock, argv[i]+19)) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
}
#endif
else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) {
if (checkcfg(CFG_SECCOMP))
arg_memory_deny_write_execute = 1;

84
src/firejail/profile.c
View file

@ -1047,90 +1047,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
return 0;
}
#ifdef HAVE_LANDLOCK
// Landlock ruleset paths
if (strcmp(ptr, "landlock") == 0) {
if (arg_landlock == -1) arg_landlock = create_full_ruleset();
const char *home_dir = env_get("HOME");
int home_fd = open(home_dir,O_PATH | O_CLOEXEC);
struct landlock_path_beneath_attr target;
target.parent_fd = home_fd;
target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SYM;
if (landlock_add_rule(arg_landlock,LANDLOCK_RULE_PATH_BENEATH,&target,0)) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
close(home_fd);
if (add_read_access_rule_by_path(arg_landlock, "/bin/")) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
if (add_execute_rule_by_path(arg_landlock, "/bin/")) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
if (add_read_access_rule_by_path(arg_landlock, "/dev/")) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
if (add_read_access_rule_by_path(arg_landlock, "/etc/")) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
if (add_read_access_rule_by_path(arg_landlock, "/lib/")) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
if (add_execute_rule_by_path(arg_landlock, "/lib/")) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
if (add_read_access_rule_by_path(arg_landlock, "/opt/")) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
if (add_execute_rule_by_path(arg_landlock, "/opt/")) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
if (add_read_access_rule_by_path(arg_landlock, "/usr/")) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
if (add_execute_rule_by_path(arg_landlock, "/usr/")) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
if (add_read_access_rule_by_path(arg_landlock, "/var/")) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
return 0;
}
if (strncmp(ptr, "landlock.proc ", 14) == 0) {
if (strncmp(ptr+14, "no", 2) == 0) arg_landlock_proc = 0;
else if (strncmp(ptr+14, "ro", 2) == 0) arg_landlock_proc = 1;
else if (strncmp(ptr+14, "rw", 2) == 0) arg_landlock_proc = 2;
return 0;
}
if (strncmp(ptr, "landlock.read ", 14) == 0) {
if (arg_landlock == -1) arg_landlock = create_full_ruleset();
if (add_read_access_rule_by_path(arg_landlock, ptr+14)) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
return 0;
}
if (strncmp(ptr, "landlock.write ", 15) == 0) {
if (arg_landlock == -1) arg_landlock = create_full_ruleset();
if (add_write_access_rule_by_path(arg_landlock, ptr+15)) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
return 0;
}
if (strncmp(ptr, "landlock.special ", 26) == 0) {
if (arg_landlock == -1) arg_landlock = create_full_ruleset();
if (add_create_special_rule_by_path(arg_landlock, ptr+26)) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
return 0;
}
if (strncmp(ptr, "landlock.execute ", 17) == 0) {
if (arg_landlock == -1) arg_landlock = create_full_ruleset();
if (add_execute_rule_by_path(arg_landlock, ptr+17)) {
fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
}
return 0;
}
#endif
// memory deny write&execute
if (strcmp(ptr, "memory-deny-write-execute") == 0) {
if (checkcfg(CFG_SECCOMP))

27
src/firejail/sandbox.c
View file

@ -488,7 +488,6 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
#ifdef HAVE_APPARMOR
set_apparmor();
#endif
close_file_descriptors();
// set nice and rlimits
@ -510,16 +509,6 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD"));
}
#ifdef HAVE_LANDLOCK
// set Landlock
if (arg_landlock >= 0) {
if (landlock_restrict_self(arg_landlock,0)) {
fprintf(stderr,"An error has occured while enabling Landlock self-restriction. Exiting...\n");
exit(1); // it isn't safe to continue if Landlock self-restriction was enabled and the "landlock_restrict_self" syscall has failed
}
}
#endif
if (just_run_the_shell) {
char *arg[2];
arg[0] = cfg.usershell;
@ -1009,15 +998,6 @@ int sandbox(void* sandbox_arg) {
//****************************
fs_proc_sys_dev_boot();
//****************************
// Allow access to /proc
//****************************
#ifdef HAVE_LANDLOCK
if (arg_landlock>-1) {
if (arg_landlock_proc >= 1) add_read_access_rule_by_path(arg_landlock, "/proc/");
if (arg_landlock_proc == 2) add_write_access_rule_by_path(arg_landlock, "/proc/");
}
#endif
//****************************
// handle /mnt and /media
//****************************
@ -1113,12 +1093,9 @@ int sandbox(void* sandbox_arg) {
//****************************
// rebuild etc directory, set dns
//****************************
if (!arg_writable_etc){
if (!arg_writable_etc)
fs_rebuild_etc();
#ifdef HAVE_LANDLOCK
if (arg_landlock>-1) add_read_access_rule_by_path(arg_landlock, "/etc/");
#endif
}
//****************************
// start dhcp client
//****************************

6
src/firejail/usage.c
View file

@ -122,12 +122,6 @@ static char *usage_str =
" --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n"
" --keep-fd - inherit open file descriptors to sandbox.\n"
" --keep-var-tmp - /var/tmp directory is untouched.\n"
" --landlock - add basic rules to the Landlock ruleset.\n"
" --landlock.proc=no|ro|rw - add an access rule for /proc to the Landlock ruleset.\n"
" --landlock.read=path - add a read access rule for the path to the Landlock ruleset.\n"
" --landlock.write=path - add a write access rule for the path to the Landlock ruleset.\n"
" --landlock.special=path - add an access rule for creating FIFO pipes, Unix domain sockets and block devices for the path to the Landlock ruleset.\n"
" --landlock.execute=path - add an execution-permitting rule for the path to the Landlock ruleset.\n"
" --list - list all sandboxes.\n"
#ifdef HAVE_FILE_TRANSFER
" --ls=name|pid dir_or_filename - list files in sandbox container.\n"

4
src/firejail/util.c
View file

@ -1338,10 +1338,6 @@ void close_all(int *keep_list, size_t sz) {
if (keep)
continue;
// don't close the file descriptor of the Landlock ruleset -- it will be automatically closed by the landlock_restrict_self wrapper function
#ifdef HAVE_LANDLOCK
if (fd == arg_landlock) continue;
#endif
close(fd);
}
closedir(dir);

29
src/man/firejail-profile.txt
View file

@ -497,35 +497,6 @@ Blacklist all Linux capabilities.
.TP
\fBcaps.keep capability,capability,capability
Whitelist given Linux capabilities.
#ifdef HAVE_LANDLOCK
.TP
\fBlandlock
Create a Landlock ruleset (if it doesn't already exist) and add basic access rules to it.
.br
.TP
\fBlandlock.proc no|ro|rw
Add an access rule for /proc directory (read-only if set to \fBro\fR and read-write if set to \fBrw\fR). The access rule for /proc is added after this directory is set up in the sandbox. Access rules for /proc set up with other Landlock-related profile options have no effect.
.br
.TP
\fBlandlock.read path
Create a Landlock ruleset (if it doesn't already exist) and add a read access rule for path.
.br
.TP
\fBlandlock.write path
Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path.
.br
.TP
\fBlandlock.special path
Create a Landlock ruleset (if it doesn't already exist) and add an access rule for creation of FIFO pipes, Unix-domain sockets and block devices beneath given path.
.br
.TP
\fBlandlock.execute path
Create a Landlock ruleset (if it doesn't already exist) and add an execution permission rule for path.
.br
#endif
.TP
\fBmemory-deny-write-execute
Install a seccomp filter to block attempts to create memory mappings

63
src/man/firejail.txt
View file

@ -1151,41 +1151,6 @@ Example:
.br
$ firejail --keep-var-tmp
#ifdef HAVE_LANDLOCK
.TP
\fB\-\-landlock
Create a Landlock ruleset (if it doesn't already exist) and add basic access rules to it. See \fBLANDLOCK\fR section for more information.
.br
.TP
\fB\-\-landlock.proc=no|ro|rw
Add an access rule for /proc directory (read-only if set to \fBro\fR and read-write if set to \fBrw\fR). The access rule for /proc is added after this directory is set up in the sandbox. Access rules for /proc set up with other Landlock-related command-line options have no effect.
.br
.TP
\fB\-\-landlock.read=path
Create a Landlock ruleset (if it doesn't already exist) and add a read access rule for path.
.br
.TP
\fB\-\-landlock.write=path
Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path.
.br
.TP
\fB\-\-landlock.special=path
Create a Landlock ruleset (if it doesn't already exist) and add a permission rule to create FIFO pipes, Unix domain sockets and block devices beneath given path.
.br
.TP
\fB\-\-landlock.execute=path
Create a Landlock ruleset (if it doesn't already exist) and add an execution permission rule for path.
.br
.br
Example:
.br
$ firejail \-\-landlock.read=/ \-\-landlock.write=/home \-\-landlock.execute=/usr
#endif
.TP
\fB\-\-list
List all sandboxes, see \fBMONITORING\fR section for more details.
@ -1303,7 +1268,6 @@ $ firejail --list
.br
1312:netblue:browser-1312:firejail --name=browser --private firefox --no-remote
.br
#ifdef HAVE_NETWORK
.TP
\fB\-\-net=bridge_interface
@ -3237,34 +3201,7 @@ To enable AppArmor confinement on top of your current Firejail security features
.br
$ firejail --apparmor firefox
#endif
#ifdef HAVE_LANDLOCK
.SH LANDLOCK
.TP
Landlock is a Linux security module first introduced in the 5.13 version of Linux kernel. It allows unprivileged processes to restrict their access to the filesystem. Once imposed, these restrictions can never be removed, and all child processes created by a Landlock-restricted processes inherit these restrictions. Firejail supports Landlock as an additional sandboxing feature. It can be used to ensure that a sandboxed application can only access files and directories that it was explicitly allowed to access. Firejail supports populating the ruleset with both basic set of rules and with custom set of rules. Basic set of rules allows read-only access to /bin, /dev, /etc, /lib, /opt, /proc, /usr and /var, read-write access to the home directory, and allows execution of binaries located in /bin, /opt and /usr.
.br
.TP
Important notes:
.br
.br
- A process can install a Landlock ruleset only if it has either \fBCAP_SYS_ADMIN\fR in its effective capability set, or the "No New Privileges" restriction enabled. Because of this, enabling the Landlock feature will also cause Firejail to enable the "No New Privileges" restriction, regardless of the profile or the \fB\-\-no\-new\-privs\fR command line option.
.br
.br
- Access to the /proc directory is managed through the \fB\-\-landlock.proc\fR command line option.
.br
- Access to the /etc directory is automatically allowed. To override this, use the \fB\-\-writable\-etc\fR command line option. You can also use the \fB\-\-private\-etc\fR option to restrict access to the /etc directory.
.br
.TP
To enable Landlock self-restriction on top of your current Firejail security features, pass \fB\-\-landlock\fR flag to Firejail command line. You can also use \fB\-\-landlock.read\fR, \fB\-\-landlock.write\fR, \fB\-\-landlock.special\fR and \fB\-\-landlock.execute\fR options together with \fB\-\-landlock\fR or instead of it. Example:
.br
.br
$ firejail --landlock --landlock.read=/media --landlock.proc=ro mc
#endif
.SH DESKTOP INTEGRATION
A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.
The symbolic link should be placed in the first $PATH position. On most systems, a good place

6
src/zsh_completion/_firejail.in
View file

@ -105,12 +105,6 @@ _firejail_args=(
'--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]'
'--keep-fd[inherit open file descriptors to sandbox]: :'
'--keep-var-tmp[/var/tmp directory is untouched]'
'--landlock[Basic Landlock ruleset]'
'--landlock.proc=-[Access to the /proc directory]: :(no ro rw)'
'--landlock.read=-[Landlock read access rule]: :_files'
'--landlock.write=-[Landlock write access rule]: :_files'
"--landlock.special=-[Landlock access rule for creation of FIFO pipes, sockets and block devices]: :_files"
'--landlock.execute=-[Landlock execution-permitting rule]: :_files'
'--machine-id[spoof /etc/machine-id with a random id]'
'--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]'
'*--mkdir=-[create a directory]:'