landlock: apply rules in sandbox before app start
Apply rules in the sandbox thread before the application is started.
This commit is contained in:
parent
abc1edccb2
commit
b94cc754a0
4 changed files with 28 additions and 8 deletions
@ -150,6 +150,11 @@ typedef struct profile_entry_t {
|
|||
|
||||
} ProfileEntry;
|
||||
|
||||
typedef struct landlock_entry_t {
|
||||
struct landlock_entry_t *next;
|
||||
char *data;
|
||||
} LandlockEntry;
|
||||
|
||||
typedef struct config_t {
|
||||
// user data
|
||||
char *username;
|
||||
|
|
@ -159,6 +164,7 @@ typedef struct config_t {
|
|||
// filesystem
|
||||
ProfileEntry *profile;
|
||||
ProfileEntry *profile_rebuild_etc; // blacklist files in /etc directory used by fs_rebuild_etc()
|
||||
LandlockEntry *lprofile;
|
||||
|
||||
#define MAX_PROFILE_IGNORE 32
|
||||
char *profile_ignore[MAX_PROFILE_IGNORE];
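Review bot: `LandlockEntry *lprofile;` is added without a comment while the neighbouring `profile_rebuild_etc` field explains itself, and the new `LandlockEntry` struct in the hunk above is likewise bare, so a reader of config_t cannot tell that `data` holds the verbatim option text rather than a path. I would write `LandlockEntry *lprofile; // raw landlock.* option lines queued by ll_add_profile(), applied later in the sandbox` on the field and `// one queued landlock.* option; data is the strdup'd option text` on the struct. Since ll_add_profile() in this commit links each new entry at the head of the list, the comment should also say whether the resulting reverse order is significant to the consumer, which is not part of this diff. config_t continues outside the hunk.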
|
||||
|
|
@ -962,6 +968,7 @@ int ll_special(const char *allowed_path);
|
|||
int ll_exec(const char *allowed_path);
|
||||
int ll_basic_system(void);
|
||||
int ll_restrict(__u32 flags);
|
||||
void ll_add_profile(const char *data);
|
||||
#else
|
||||
static inline int ll_get_fd(void) { return -1; }
|
||||
static inline int ll_read(...) { return 0; }
|
||||
|
|
@ -970,6 +977,7 @@ static inline int ll_special(...) { return 0; }
|
|||
static inline int ll_exec(...) { return 0; }
|
||||
static inline int ll_basic_system(void) { return 0; }
|
||||
static inline int ll_restrict(...) { return 0; }
|
||||
static inline void ll_add_profile(...) { return; }
|
||||
#endif /* HAVE_LANDLOCK */
|
||||
|
||||
#endif
|
||||
|
@ -278,4 +278,16 @@ out:
|
|||
return error;
|
||||
}
|
||||
|
||||
void ll_add_profile(const char *data) {
|
||||
LandlockEntry *ptr = malloc(sizeof(LandlockEntry));
|
||||
if (!ptr)
|
||||
errExit("malloc");
|
||||
memset(ptr, 0, sizeof(LandlockEntry));
|
||||
ptr->data = strdup(data);
|
||||
if (!ptr->data)
|
||||
errExit("strdup");
|
||||
ptr->next = cfg.lprofile;
|
||||
cfg.lprofile = ptr;
|
||||
}
|
||||
|
||||
#endif /* HAVE_LANDLOCK */
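Review bot: ll_add_profile pushes every new entry onto the head of `cfg.lprofile`, so whatever later walks the list (not part of this commit) sees the landlock.* rules in reverse order of their appearance on the command line and in the profile; if that consumer stops at or reports the first failing rule, the diagnostic will point at the last rule the user wrote. Either append to the tail or state in a header comment that order is not significant. Two smaller points: `malloc` followed by `memset` is simply `LandlockEntry *ptr = calloc(1, sizeof *ptr);` with the same errExit check, and the function has no header comment — I would add one saying it copies the verbatim option text into a process-lifetime list that, as far as this diff shows, is never freed, since that is where a reader will otherwise look for the matching free().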
|
||||
|
@ -1520,13 +1520,13 @@ int main(int argc, char **argv, char **envp) {
|
|||
}
|
||||
}
|
||||
else if (strncmp(argv[i], "--landlock.read=", 16) == 0)
|
||||
ll_read(argv[i] + 16);
|
||||
ll_add_profile(argv[i] + 2);
|
||||
else if (strncmp(argv[i], "--landlock.write=", 17) == 0)
|
||||
ll_write(argv[i] + 17);
|
||||
ll_add_profile(argv[i] + 2);
|
||||
else if (strncmp(argv[i], "--landlock.special=", 19) == 0)
|
||||
ll_special(argv[i] + 19);
|
||||
ll_add_profile(argv[i] + 2);
|
||||
else if (strncmp(argv[i], "--landlock.execute=", 19) == 0)
|
||||
ll_exec(argv[i] + 19);
|
||||
ll_add_profile(argv[i] + 2);
|
||||
#endif
|
||||
else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) {
|
||||
if (checkcfg(CFG_SECCOMP))
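Review bot: The four branches queue `argv[i] + 2`, i.e. the text `landlock.read=PATH`, whereas the profile.c hunk in the same commit queues the profile line `landlock.read PATH`; the two sources therefore put different separators into the same cfg.lprofile list, and the code that later parses those strings (not in this commit) must accept both `=` and a space after the keyword or it will silently skip or misparse one of them. Normalising at the boundary is cheap: build the profile form once, e.g. `if (asprintf(&line, "landlock.read %s", argv[i] + 16) == -1) errExit("asprintf"); ll_add_profile(line); free(line);`, or have ll_add_profile() itself rewrite the first `=` to a space so both callers store one format. The return value of ll_read() and friends was already ignored here before the change, so deferring the call loses no parse-time diagnostics. main() continues outside the hunk.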
|
||||
|
@ -1098,19 +1098,19 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
|
|||
return 0;
|
||||
}
|
||||
if (strncmp(ptr, "landlock.read ", 14) == 0) {
|
||||
ll_read(ptr + 14);
|
||||
ll_add_profile(ptr);
|
||||
return 0;
|
||||
}
|
||||
if (strncmp(ptr, "landlock.write ", 15) == 0) {
|
||||
ll_write(ptr + 15);
|
||||
ll_add_profile(ptr);
|
||||
return 0;
|
||||
}
|
||||
if (strncmp(ptr, "landlock.special ", 17) == 0) {
|
||||
ll_special(ptr + 17);
|
||||
ll_add_profile(ptr);
|
||||
return 0;
|
||||
}
|
||||
if (strncmp(ptr, "landlock.execute ", 17) == 0) {
|
||||
ll_exec(ptr + 17);
|
||||
ll_add_profile(ptr);
|
||||
return 0;
|
||||
}
|
||||
#endif
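Review bot: With the `ptr + N` offsets gone, a profile line such as `landlock.read ` with nothing after the keyword is now accepted and queued without any check, whereas before the empty argument at least reached ll_read() at parse time (whether that call rejected it is not visible here). I would reject an empty argument in this function, where `fname` and `lineno` are still at hand for a precise message, rather than let the sandbox discover it later without that context: `if (ptr[14] == '\0') { fprintf(stderr, "Error: %s line %d: missing path\n", fname, lineno); exit(1); }` for the read branch, or the file's usual malformed-line error path, mirrored in the other three. Since the four bodies are now identical, they could also collapse into one `if` with the four strncmp() tests or-ed together. profile_check_line continues outside the hunk.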
|
||||