landlock: detect support at runtime
And ignore landlock-related commands if Landlock is unsupported at
runtime.
kmk3 committed Nov 7, 2023
1 parent fcf04d0 commit 05ce614
Showing 2 changed files with 46 additions and 0 deletions.
1 change: 1 addition & 0 deletions src/firejail/firejail.h
Expand Up @@ -968,6 +968,7 @@ void oom_set(const char *oom_string);
// landlock.c
#ifdef HAVE_LANDLOCK
int ll_get_fd(void);
int ll_is_supported(void);
int ll_read(const char *allowed_path);
int ll_write(const char *allowed_path);
int ll_special(const char *allowed_path);
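Review bot: The new prototype `int ll_is_supported(void);` reads like a boolean, but the definition in landlock.c returns the detected ABI version, with 0 meaning Landlock is unavailable. A one-line comment above the declaration would make that contract visible to callers, for example `// returns the Landlock ABI version (>= 1), or 0 if Landlock is disabled or unsupported`.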
45 changes: 45 additions & 0 deletions src/firejail/landlock.c
Expand Up @@ -28,6 +28,7 @@
#include <fcntl.h>

static int ll_ruleset_fd = -1;
static int ll_abi = -1;

int ll_get_fd(void) {
return ll_ruleset_fd;
Expand Down Expand Up @@ -59,7 +60,30 @@ landlock_restrict_self(const int ruleset_fd, const __u32 flags) {
}
#endif

int ll_is_supported(void) {
if (ll_abi != -1)
goto out;

int ll_abi = landlock_create_ruleset(NULL, 0,
LANDLOCK_CREATE_RULESET_VERSION);
if (ll_abi < 1) {
ll_abi = 0;
fprintf(stderr, "Warning: Landlock is disabled or not supported: %s, "
"ignoring landlock commands\n",
strerror(errno));
goto out;
}
if (arg_debug) {
printf("Detected Landlock ABI version %d\n", ll_abi);
}
out:
return ll_abi;
}

static int ll_create_full_ruleset() {
if (!ll_is_supported())
return -1;

int error;
struct landlock_ruleset_attr attr;
attr.handled_access_fs =
Expand All @@ -86,6 +110,9 @@ static int ll_create_full_ruleset() {
}

int ll_read(const char *allowed_path) {
if (!ll_is_supported())
return 0;

if (ll_ruleset_fd == -1)
ll_ruleset_fd = ll_create_full_ruleset();

Expand Down Expand Up @@ -115,6 +142,9 @@ int ll_read(const char *allowed_path) {
}

int ll_write(const char *allowed_path) {
if (!ll_is_supported())
return 0;

if (ll_ruleset_fd == -1)
ll_ruleset_fd = ll_create_full_ruleset();

Expand Down Expand Up @@ -148,6 +178,9 @@ int ll_write(const char *allowed_path) {
}

int ll_special(const char *allowed_path) {
if (!ll_is_supported())
return 0;

if (ll_ruleset_fd == -1)
ll_ruleset_fd = ll_create_full_ruleset();

Expand Down Expand Up @@ -179,6 +212,9 @@ int ll_special(const char *allowed_path) {
}

int ll_exec(const char *allowed_path) {
if (!ll_is_supported())
return 0;

if (ll_ruleset_fd == -1)
ll_ruleset_fd = ll_create_full_ruleset();

Expand Down Expand Up @@ -209,6 +245,9 @@ int ll_exec(const char *allowed_path) {
int ll_basic_system(void) {
assert(cfg.homedir);

if (!ll_is_supported())
return 0;

if (ll_ruleset_fd == -1)
ll_ruleset_fd = ll_create_full_ruleset();

Expand Down Expand Up @@ -256,6 +295,9 @@ int ll_basic_system(void) {
}

int ll_restrict(__u32 flags) {
if (!ll_is_supported())
return 0;

int (*fnc[])(const char *) = {
ll_read,
ll_write,
Expand Down Expand Up @@ -298,6 +340,9 @@ void ll_add_profile(int type, const char *data) {
assert(type < LL_MAX);
assert(data);

if (!ll_is_supported())
return;

const char *str = data;
while (*str == ' ' || *str == '\t')
str++;
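Review bot: In `ll_is_supported()`, the line `int ll_abi = landlock_create_ruleset(NULL, 0,` declares a new local that shadows the file-scope `static int ll_abi`, so the static stays at -1 and the probe result is never cached. As written, every guard added to `ll_read`, `ll_write`, `ll_special`, `ll_exec`, `ll_basic_system`, `ll_restrict`, `ll_add_profile` and `ll_create_full_ruleset` repeats the syscall, and on a kernel without Landlock the "ignoring landlock commands" warning is printed on each call. The `return ll_abi` after `out:` also reads the local, which would be uninitialized if the early `goto out` were ever taken. Dropping the type so the assignment targets the static addresses all three: `ll_abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);`.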
