cleanup
parent
32c58dcf79
commit
9a6cd6df57
5 changed files with 36 additions and 44 deletions
@ -155,6 +155,12 @@ typedef struct profile_entry_t {
|
||||||
|
|
||||||
typedef struct landlock_entry_t {
|
typedef struct landlock_entry_t {
|
||||||
struct landlock_entry_t *next;
|
struct landlock_entry_t *next;
|
||||||
|
#define LL_READ 0
|
||||||
|
#define LL_WRITE 1
|
||||||
|
#define LL_EXEC 2
|
||||||
|
#define LL_SPECIAL 3
|
||||||
|
#define LL_MAX 4
|
||||||
|
int type;
|
||||||
char *data;
|
char *data;
|
||||||
} LandlockEntry;
|
} LandlockEntry;
|
||||||
|
|
||||||
|
|
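Review bot: The LL_READ..LL_SPECIAL defines added inside the landlock_entry_t body are used as raw indexes into the `fnc[]` function table in ll_restrict(), so their numeric order must match the table's order (ll_read, ll_write, ll_exec, ll_special), yet nothing in the header records that coupling. An enum declared before the struct keeps the constants out of the struct body and makes the contract explicit, e.g. `enum { LL_READ = 0, LL_WRITE, LL_EXEC, LL_SPECIAL, LL_MAX }; // index into fnc[] in ll_restrict(); keep the two in sync`, with the field documented as `int type; // one of LL_READ..LL_SPECIAL`. The struct is fully closed inside the hunk, so the change is local to these lines.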
@ -970,7 +976,7 @@ int ll_restrict(__u32 flags);
|
||||||
int ll_read(char *allowed_path);
|
int ll_read(char *allowed_path);
|
||||||
int ll_write(char *allowed_path);
|
int ll_write(char *allowed_path);
|
||||||
void ll_basic_system(void);
|
void ll_basic_system(void);
|
||||||
void ll_add_profile(const char *data);
|
void ll_add_profile(int type, const char *data);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
|
||||||
|
|
@ -225,39 +225,23 @@ int ll_restrict(__u32 flags) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int (*fnc[])(char *) = {
|
||||||
|
ll_read,
|
||||||
|
ll_write,
|
||||||
|
ll_exec,
|
||||||
|
ll_special,
|
||||||
|
NULL
|
||||||
|
};
|
||||||
LandlockEntry *ptr = cfg.lprofile;
|
LandlockEntry *ptr = cfg.lprofile;
|
||||||
while (ptr) {
|
while (ptr) {
|
||||||
char *fname = NULL;
|
if (access(ptr->data, F_OK) == 0) {
|
||||||
int (*fnc)(char *) = NULL;
|
if (fnc[ptr->type](ptr->data))
|
||||||
|
fprintf(stderr,"Error: failed to add Landlock rule for %s\n", ptr->data);
|
||||||
if (strncmp(ptr->data, "landlock.read", 13) == 0) {
|
|
||||||
fname = ptr->data + 14;
|
|
||||||
fnc = ll_read;
|
|
||||||
}
|
|
||||||
else if (strncmp(ptr->data, "landlock.write", 14) == 0) {
|
|
||||||
fname = ptr->data + 15;
|
|
||||||
fnc = ll_write;
|
|
||||||
}
|
|
||||||
else if (strncmp(ptr->data, "landlock.special", 16) == 0) {
|
|
||||||
fname = ptr->data + 17;
|
|
||||||
fnc = ll_special;
|
|
||||||
}
|
|
||||||
else if (strncmp(ptr->data, "landlock.execute", 16) == 0) {
|
|
||||||
fname = ptr->data + 17;
|
|
||||||
fnc = ll_exec;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
assert(0);
|
|
||||||
|
|
||||||
if (access(fname, F_OK) == 0) {
|
|
||||||
if (fnc(fname))
|
|
||||||
fprintf(stderr,"Error: failed to add Landlock rule for %s\n", fname);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
ptr = ptr->next;
|
ptr = ptr->next;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
if (rset_fd == -1)
|
if (rset_fd == -1)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
|
|
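Review bot: `fnc[ptr->type](ptr->data)` indexes the new function table with a value whose only range check is `assert(type < LL_MAX)` in ll_add_profile (the next hunk); that assert has no lower bound and is compiled out under NDEBUG, so a negative or out-of-range type would call through an out-of-bounds pointer. Every caller visible in this commit passes a compile-time constant, so this is defensive rather than reachable today, but the table walk is the cheapest place to enforce it: `if (ptr->type < 0 || ptr->type >= LL_MAX) { fprintf(stderr, "Error: invalid Landlock rule type %d\n", ptr->type); ptr = ptr->next; continue; }` before the access() check, and in ll_add_profile the same two-sided test calling errExit instead of the assert. The trailing `NULL` entry in `fnc[]` is never read by the loop; either drop it or add a comment saying what it is for. ll_restrict() continues outside the hunk.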
@ -270,19 +254,25 @@ int ll_restrict(__u32 flags) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
void ll_add_profile(const char *data) {
|
void ll_add_profile(int type, const char *data) {
|
||||||
|
assert(data);
|
||||||
|
assert(type < LL_MAX);
|
||||||
if (old_kernel())
|
if (old_kernel())
|
||||||
return;
|
return;
|
||||||
|
const char *str = data;
|
||||||
|
while (*str == ' ' || *str == '\t')
|
||||||
|
str++;
|
||||||
|
|
||||||
LandlockEntry *ptr = malloc(sizeof(LandlockEntry));
|
LandlockEntry *ptr = malloc(sizeof(LandlockEntry));
|
||||||
if (!ptr)
|
if (!ptr)
|
||||||
errExit("malloc");
|
errExit("malloc");
|
||||||
memset(ptr, 0, sizeof(LandlockEntry));
|
memset(ptr, 0, sizeof(LandlockEntry));
|
||||||
ptr->data = strdup(data);
|
ptr->type = type;
|
||||||
|
ptr->data = strdup(str);
|
||||||
if (!ptr->data)
|
if (!ptr->data)
|
||||||
errExit("strdup");
|
errExit("strdup");
|
||||||
//printf("add profile #%s#\n", ptr->data);
|
|
||||||
ptr->next = cfg.lprofile;
|
ptr->next = cfg.lprofile;
|
||||||
cfg.lprofile=ptr;
|
cfg.lprofile = ptr;
|
||||||
}
|
}
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
|
||||||
|
|
@ -1504,7 +1504,6 @@ int main(int argc, char **argv, char **envp) {
|
||||||
}
|
}
|
||||||
#ifdef HAVE_LANDLOCK
|
#ifdef HAVE_LANDLOCK
|
||||||
else if (strcmp(argv[i], "--landlock") == 0)
|
else if (strcmp(argv[i], "--landlock") == 0)
|
||||||
// ll_basic_system();
|
|
||||||
arg_landlock = 1;
|
arg_landlock = 1;
|
||||||
else if (strncmp(argv[i], "--landlock.proc=", 16) == 0) {
|
else if (strncmp(argv[i], "--landlock.proc=", 16) == 0) {
|
||||||
if (strncmp(argv[i]+16, "no", 2) == 0) arg_landlock_proc = 0;
|
if (strncmp(argv[i]+16, "no", 2) == 0) arg_landlock_proc = 0;
|
||||||
|
|
@ -1512,13 +1511,13 @@ int main(int argc, char **argv, char **envp) {
|
||||||
else if (strncmp(argv[i]+16, "rw", 2) == 0) arg_landlock_proc = 2;
|
else if (strncmp(argv[i]+16, "rw", 2) == 0) arg_landlock_proc = 2;
|
||||||
}
|
}
|
||||||
else if (strncmp(argv[i], "--landlock.read=", 16) == 0)
|
else if (strncmp(argv[i], "--landlock.read=", 16) == 0)
|
||||||
ll_add_profile(argv[i] + 2);
|
ll_add_profile(LL_READ, argv[i] + 16);
|
||||||
else if (strncmp(argv[i], "--landlock.write=", 17) == 0)
|
else if (strncmp(argv[i], "--landlock.write=", 17) == 0)
|
||||||
ll_add_profile(argv[i] + 2);
|
ll_add_profile(LL_WRITE, argv[i] + 17);
|
||||||
else if (strncmp(argv[i], "--landlock.special=", 17) == 0)
|
else if (strncmp(argv[i], "--landlock.special=", 17) == 0)
|
||||||
ll_add_profile(argv[i] + 2);
|
ll_add_profile(LL_SPECIAL, argv[i] + 17);
|
||||||
else if (strncmp(argv[i], "--landlock.execute=", 19) == 0)
|
else if (strncmp(argv[i], "--landlock.execute=", 19) == 0)
|
||||||
ll_add_profile(argv[i] + 2);
|
ll_add_profile(LL_EXEC, argv[i] + 19);
|
||||||
#endif
|
#endif
|
||||||
else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) {
|
else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) {
|
||||||
if (checkcfg(CFG_SECCOMP))
|
if (checkcfg(CFG_SECCOMP))
|
||||||
|
|
|
||||||
|
|
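Review bot: The `--landlock.special=` branch passes the wrong offset: that option prefix is 19 characters long, the same as `--landlock.execute=`, but the new call uses `argv[i] + 17`, so the string handed to ll_add_profile starts with `l=` and the rule is recorded for a path that will almost certainly fail the access() check in ll_restrict and be skipped without any message. The old code tolerated the 17 in the strncmp because it re-parsed the full `landlock.special=` string later; now both the prefix length and the offset have to be right. Change the pair to `else if (strncmp(argv[i], "--landlock.special=", 19) == 0)` and `ll_add_profile(LL_SPECIAL, argv[i] + 19);`. The enclosing option loop in main() starts and ends outside the hunk.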
@ -1090,19 +1090,19 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
if (strncmp(ptr, "landlock.read ", 14) == 0) {
|
if (strncmp(ptr, "landlock.read ", 14) == 0) {
|
||||||
ll_add_profile(ptr);
|
ll_add_profile(LL_READ, ptr + 14);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
if (strncmp(ptr, "landlock.write ", 15) == 0) {
|
if (strncmp(ptr, "landlock.write ", 15) == 0) {
|
||||||
ll_add_profile(ptr);
|
ll_add_profile(LL_WRITE, ptr + 15);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
if (strncmp(ptr, "landlock.special ", 17) == 0) {
|
if (strncmp(ptr, "landlock.special ", 17) == 0) {
|
||||||
ll_add_profile(ptr);
|
ll_add_profile(LL_SPECIAL, ptr + 17);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
if (strncmp(ptr, "landlock.execute ", 17) == 0) {
|
if (strncmp(ptr, "landlock.execute ", 17) == 0) {
|
||||||
ll_add_profile(ptr);
|
ll_add_profile(LL_EXEC, ptr + 17);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
|
||||||
|
|
@ -520,12 +520,9 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
|
||||||
//****************************
|
//****************************
|
||||||
// Configure Landlock
|
// Configure Landlock
|
||||||
//****************************
|
//****************************
|
||||||
if (arg_landlock) {
|
if (arg_landlock)
|
||||||
printf("set basic system\n"); fflush(0);
|
|
||||||
ll_basic_system();
|
ll_basic_system();
|
||||||
}
|
|
||||||
if (ll_get_fd() != -1) {
|
if (ll_get_fd() != -1) {
|
||||||
printf("proc = %d\n", arg_landlock_proc);
|
|
||||||
if (arg_landlock_proc >= 1)
|
if (arg_landlock_proc >= 1)
|
||||||
ll_read("/proc/");
|
ll_read("/proc/");
|
||||||
if (arg_landlock_proc == 2)
|
if (arg_landlock_proc == 2)
|
||||||
|
|
|
||||||