landlock: new filesystem for --landlock command

kmk3 · Nov 5, 2023 · 76e5382 · 76e5382
1 parent b1c8905
commit 76e5382
Showing 1 changed file with 51 additions and 27 deletions.
diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c
@@ -230,23 +230,42 @@ void ll_basic_system(void) {
 	}
 	close(home_fd);
 
-	if (ll_read("/bin/") ||
-	    ll_read("/dev/") ||
-	    ll_read("/etc/") ||
-	    ll_read("/lib/") ||
-	    ll_read("/opt/") ||
-	    ll_read("/usr/") ||
-	    ll_read("/var/") ||
-
-	    ll_write("/dev/") ||
-
-	    ll_exec("/bin/") ||
-	    ll_exec("/lib/") ||
-	    ll_exec("/opt/") ||
-	    ll_exec("/usr/")) {
+	char *rundir;
+	if (asprintf(&rundir, "/run/user/%d", getuid()) == -1)
+		errExit("asprintf");
+
+	if (ll_read("/") ||       // whole system read
+	    ll_special("/") ||    // sockets etc.
+
+	    ll_write("/tmp") ||   // write access
+	    ll_write("/dev") ||
+	    ll_write("/run/shm") ||
+	    ll_write(rundir) ||
+
+	    ll_exec("/opt") ||    // exec access
+	    ll_exec("/bin") ||
+	    ll_exec("/sbin") ||
+	    ll_exec("/lib") ||
+	    ll_exec("/lib32") ||
+	    ll_exec("/libx32") ||
+	    ll_exec("/lib64") ||
+	    ll_exec("/usr/bin") ||
+	    ll_exec("/usr/sbin") ||
+	    ll_exec("/usr/games") ||
+	    ll_exec("/usr/lib") ||
+	    ll_exec("/usr/lib32") ||
+	    ll_exec("/usr/libx32") ||
+	    ll_exec("/usr/lib64") ||
+	    ll_exec("/usr/local/bin") ||
+	    ll_exec("/usr/local/sbin") ||
+	    ll_exec("/usr/local/games") ||
+	    ll_exec("/usr/local/lib") ||
+	    ll_exec("/run/firejail")) { // appimage and various firejail features
 		fprintf(stderr, "Error: failed to set the basic Landlock filesystem: %s\n",
 		        strerror(errno));
 	}
+
+	free(rundir);
 }
 
 int ll_restrict(__u32 flags) {
@@ -257,30 +276,35 @@ int ll_restrict(__u32 flags) {
 
 	LandlockEntry *ptr = cfg.lprofile;
 	while (ptr) {
+		char *fname = NULL;
+		int (*fnc)(const char *) = NULL;
+
 		if (strncmp(ptr->data, "landlock.read", 13) == 0) {
-			if (ll_read(ptr->data + 14)) {
-				fprintf(stderr, "Error: failed to add Landlock rule: %s: %s\n",
-				        ptr->data, strerror(errno));
-			}
+			fname = ptr->data + 14;
+			fnc = ll_read;
 		}
 		else if (strncmp(ptr->data, "landlock.write", 14) == 0) {
-			if (ll_write(ptr->data + 15)) {
-				fprintf(stderr, "Error: failed to add Landlock rule: %s: %s\n",
-				        ptr->data, strerror(errno));
-			}
+			fname = ptr->data + 15;
+			fnc = ll_write;
 		}
 		else if (strncmp(ptr->data, "landlock.special", 16) == 0) {
-			if (ll_special(ptr->data + 17)) {
-				fprintf(stderr, "Error: failed to add Landlock rule: %s: %s\n",
-				        ptr->data, strerror(errno));
-			}
+			fname = ptr->data + 17;
+			fnc = ll_special;
 		}
 		else if (strncmp(ptr->data, "landlock.execute", 16) == 0) {
-			if (ll_exec(ptr->data + 17)) {
+			fname = ptr->data + 17;
+			fnc = ll_exec;
+		}
+		else
+			assert(0);
+
+		if (access(fname, F_OK) == 0) {
+			if (fnc(fname)) {
 				fprintf(stderr, "Error: failed to add Landlock rule: %s: %s\n",
 				        ptr->data, strerror(errno));
 			}
 		}
+
 		ptr = ptr->next;
 	}