feature: add Landlock support
Based on 5315 by ChrysoliteAzalea.

It is based on the same underlying structure, but with a lot of
refactoring/simplification and with bugfixes and improvements.

Co-authored-by: Kelvin M. Klann <[email protected]>
Co-authored-by: Азалия Смарагдова <[email protected]>
3 people committed Nov 7, 2023
1 parent 5456ec6 commit 13b2c56
Showing 18 changed files with 616 additions and 30 deletions.
3 changes: 2 additions & 1 deletion README
Expand Up @@ -197,7 +197,8 @@ avoidr (https://github.com/avoidr)
- fixed mpv profile
- various other fixes
Азалия Смарагдова/ChrysoliteAzalea (https://github.com/ChrysoliteAzalea)
- add support for custom AppArmor profiles (--apparmor=)
- add support for custom AppArmor profiles (--apparmor=)
- add Landlock support
backspac (https://github.com/backspac)
- firecfg fixes
- add steam-runtime alias
2 changes: 2 additions & 0 deletions config.mk.in
Expand Up @@ -38,6 +38,7 @@ HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@
HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@
HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
HAVE_IDS=@HAVE_IDS@
HAVE_LANDLOCK=@HAVE_LANDLOCK@
HAVE_LTS=@HAVE_LTS@
HAVE_NETWORK=@HAVE_NETWORK@
HAVE_ONLY_SYSCFG_PROFILES=@HAVE_ONLY_SYSCFG_PROFILES@
Expand All @@ -60,6 +61,7 @@ MANFLAGS = \
$(HAVE_FORCE_NONEWPRIVS) \
$(HAVE_GLOBALCFG) \
$(HAVE_IDS) \
$(HAVE_LANDLOCK) \
$(HAVE_LTS) \
$(HAVE_NETWORK) \
$(HAVE_ONLY_SYSCFG_PROFILES) \
86 changes: 57 additions & 29 deletions configure
Expand Up @@ -675,6 +675,7 @@ HAVE_OVERLAYFS
HAVE_DBUSPROXY
EXTRA_LDFLAGS
EXTRA_CFLAGS
HAVE_LANDLOCK
HAVE_SELINUX
AA_LIBS
AA_CFLAGS
Expand Down Expand Up @@ -737,6 +738,7 @@ enable_sanitizer
enable_ids
enable_apparmor
enable_selinux
enable_landlock
enable_dbusproxy
enable_output
enable_usertmpfs
Expand Down Expand Up @@ -1396,6 +1398,7 @@ Optional Features:
--enable-ids enable ids
--enable-apparmor enable apparmor
--enable-selinux SELinux labeling support
--enable-landlock Landlock self-restriction support
--disable-dbusproxy disable dbus proxy
--disable-output disable --output logging
--disable-usertmpfs disable tmpfs as regular user
Expand Down Expand Up @@ -3739,6 +3742,58 @@ then :
fi
HAVE_LANDLOCK=""
# Check whether --enable-landlock was given.
if test ${enable_landlock+y}
then :
enableval=$enable_landlock;
fi
ac_header= ac_cache=
for ac_item in $ac_header_c_list
do
if test $ac_cache; then
ac_fn_c_check_header_compile "$LINENO" $ac_header ac_cv_header_$ac_cache "$ac_includes_default"
if eval test \"x\$ac_cv_header_$ac_cache\" = xyes; then
printf "%s\n" "#define $ac_item 1" >> confdefs.h
fi
ac_header= ac_cache=
elif test $ac_header; then
ac_cache=$ac_item
else
ac_header=$ac_item
fi
done
if test $ac_cv_header_stdlib_h = yes && test $ac_cv_header_string_h = yes
then :
printf "%s\n" "#define STDC_HEADERS 1" >>confdefs.h
fi
if test "x$enable_landlock" != "xno"
then :
ac_fn_c_check_header_compile "$LINENO" "linux/landlock.h" "ac_cv_header_linux_landlock_h" "$ac_includes_default"
if test "x$ac_cv_header_linux_landlock_h" = xyes
then :
HAVE_LANDLOCK="-DHAVE_LANDLOCK"
else $as_nop
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: header not found: linux/landlock.h, building without Landlock support" >&5
printf "%s\n" "$as_me: WARNING: header not found: linux/landlock.h, building without Landlock support" >&2;}
fi
fi
Expand Down Expand Up @@ -4112,6 +4167,7 @@ if test "x$enable_lts" = "xyes"
then :
HAVE_LTS="-DHAVE_LTS"
HAVE_LANDLOCK=""
HAVE_IDS=""
HAVE_DBUSPROXY=""
HAVE_OVERLAYFS=""
Expand All @@ -4132,35 +4188,6 @@ then :
fi
ac_header= ac_cache=
for ac_item in $ac_header_c_list
do
if test $ac_cache; then
ac_fn_c_check_header_compile "$LINENO" $ac_header ac_cv_header_$ac_cache "$ac_includes_default"
if eval test \"x\$ac_cv_header_$ac_cache\" = xyes; then
printf "%s\n" "#define $ac_item 1" >> confdefs.h
fi
ac_header= ac_cache=
elif test $ac_header; then
ac_cache=$ac_item
else
ac_header=$ac_item
fi
done
if test $ac_cv_header_stdlib_h = yes && test $ac_cv_header_string_h = yes
then :
printf "%s\n" "#define STDC_HEADERS 1" >>confdefs.h
fi
ac_fn_c_check_header_compile "$LINENO" "linux/seccomp.h" "ac_cv_header_linux_seccomp_h" "$ac_includes_default"
if test "x$ac_cv_header_linux_seccomp_h" = xyes
then :
Expand Down Expand Up @@ -5360,6 +5387,7 @@ Features:
firetunnel support: $HAVE_FIRETUNNEL
global config: $HAVE_GLOBALCFG
IDS support: $HAVE_IDS
Landlock support: $HAVE_LANDLOCK
LTS: $HAVE_LTS
manpage support: $HAVE_MAN
network: $HAVE_NETWORK
12 changes: 12 additions & 0 deletions configure.ac
Expand Up @@ -81,6 +81,16 @@ AS_IF([test "x$enable_selinux" = "xyes"], [
LIBS="$LIBS -lselinux"
])

HAVE_LANDLOCK=""
AC_SUBST([HAVE_LANDLOCK])
AC_ARG_ENABLE([landlock],
[AS_HELP_STRING([--enable-landlock], [Landlock self-restriction support])])
AS_IF([test "x$enable_landlock" != "xno"], [
AC_CHECK_HEADER([linux/landlock.h],
[HAVE_LANDLOCK="-DHAVE_LANDLOCK"],
[AC_MSG_WARN([header not found: linux/landlock.h, building without Landlock support])])
])

AC_SUBST([EXTRA_CFLAGS])
AC_SUBST([EXTRA_LDFLAGS])

Expand Down Expand Up @@ -264,6 +274,7 @@ AC_ARG_ENABLE([lts],
[AS_HELP_STRING([--enable-lts], [enable long-term support software version (LTS)])])
AS_IF([test "x$enable_lts" = "xyes"], [
HAVE_LTS="-DHAVE_LTS"
HAVE_LANDLOCK=""
HAVE_IDS=""
HAVE_DBUSPROXY=""
HAVE_OVERLAYFS=""
Expand Down Expand Up @@ -324,6 +335,7 @@ Features:
firetunnel support: $HAVE_FIRETUNNEL
global config: $HAVE_GLOBALCFG
IDS support: $HAVE_IDS
Landlock support: $HAVE_LANDLOCK
LTS: $HAVE_LTS
manpage support: $HAVE_MAN
network: $HAVE_NETWORK
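Review bot: An explicit `--enable-landlock` is downgraded to a warning when `linux/landlock.h` is missing, so a packager who asked for the sandboxing feature can end up shipping a build without it and only learn so from the configure output. In the `AS_IF` guarded by `test "x$enable_landlock" != "xno"`, consider failing when the option was requested explicitly: `[AS_IF([test "x$enable_landlock" = "xyes"], [AC_MSG_ERROR([header not found: linux/landlock.h])], [AC_MSG_WARN([...])])]`. Because the check runs unless `no` is given, the feature is effectively on by default, and the help string would describe that more accurately as `--disable-landlock`, in the style of the `--disable-dbusproxy` entry visible in the generated configure help.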
1 change: 1 addition & 0 deletions contrib/syntax/lists/profile_commands_arg0.list
Expand Up @@ -12,6 +12,7 @@ keep-config-pulse
keep-dev-shm
keep-shell-rc
keep-var-tmp
landlock
machine-id
memory-deny-write-execute
netfilter
5 changes: 5 additions & 0 deletions contrib/syntax/lists/profile_commands_arg1.list
Expand Up @@ -29,6 +29,11 @@ ip6
iprange
join-or-start
keep-fd
landlock.execute
landlock.proc
landlock.read
landlock.special
landlock.write
mac
mkdir
mkfile
19 changes: 19 additions & 0 deletions src/bash_completion/firejail.bash_completion.in
Expand Up @@ -42,6 +42,25 @@ _firejail()
_filedir -d
return 0
;;
--landlock)
return 0
;;
--landlock.read)
_filedir
return 0
;;
--landlock.write)
_filedir
return 0
;;
--landlock.special)
_filedir
return 0
;;
--landlock.execute)
_filedir
return 0
;;
--tmpfs)
_filedir
return 0
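Review bot: The `--landlock)` arm returns without offering any completions, which looks wrong for an option that takes no value. The `case` subject is outside the hunk, but if it dispatches on the previous word, as the neighbouring `--tmpfs)` arm suggests, then pressing Tab after `--landlock ` yields nothing instead of the next option or program name; dropping that arm would let it reach the default handling. The four path-taking arms are identical and could be written once as `--landlock.read|--landlock.write|--landlock.special|--landlock.execute)`. `landlock.proc` is listed in profile_commands_arg1.list but has no arm here, which may be intentional if its value is not a path.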
7 changes: 7 additions & 0 deletions src/firejail/checkcfg.c
Expand Up @@ -363,6 +363,13 @@ static const char *const compiletime_support =
"disabled"
#endif

"\n\t- Landlock support is "
#ifdef HAVE_LANDLOCK
"enabled"
#else
"disabled"
#endif

"\n\t- networking support is "
#ifdef HAVE_NETWORK
"enabled"
22 changes: 22 additions & 0 deletions src/firejail/firejail.h
Expand Up @@ -281,6 +281,9 @@ extern int arg_overlay; // overlay option
extern int arg_overlay_keep; // place overlay diff in a known directory
extern int arg_overlay_reuse; // allow the reuse of overlays

extern int arg_landlock; // add basic Landlock rules
extern int arg_landlock_proc; // 0 - no access; 1 -read-only; 2 - read-write

extern int arg_seccomp; // enable default seccomp filter
extern int arg_seccomp32; // enable default seccomp filter for 32 bit arch
extern int arg_seccomp_postexec; // need postexec ld.preload library?
Expand Down Expand Up @@ -950,4 +953,23 @@ void run_ids(int argc, char **argv);
// oom.c
void oom_set(const char *oom_string);

// landlock.c
#ifdef HAVE_LANDLOCK
int ll_get_fd(void);
int ll_read(const char *allowed_path);
int ll_write(const char *allowed_path);
int ll_special(const char *allowed_path);
int ll_exec(const char *allowed_path);
int ll_basic_system(void);
int ll_restrict(__u32 flags);
#else
static inline int ll_get_fd(void) { return -1; }
static inline int ll_read(...) { return 0; }
static inline int ll_write(...) { return 0; }
static inline int ll_special(...) { return 0; }
static inline int ll_exec(...) { return 0; }
static inline int ll_basic_system(void) { return 0; }
static inline int ll_restrict(...) { return 0; }
#endif /* HAVE_LANDLOCK */

#endif
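Review bot: The fallback stubs in the `#else` branch declare `ll_read(...)`, `ll_write(...)`, `ll_special(...)`, `ll_exec(...)` and `ll_restrict(...)` with a bare `...` parameter list, which is only valid from C23 on; older compilers reject it, so a build without `HAVE_LANDLOCK` can fail to compile. Giving the stubs the same parameters as the real prototypes fixes that and keeps call sites type-checked in both configurations. Separately, the stubs return 0, which callers presumably read as success, so a `--landlock` request on a build without the feature may be accepted with no restriction applied; the callers are not visible here, but a warning or a non-zero return on that path is worth considering. The comment on `arg_landlock_proc` has a spacing slip, `1 -read-only`.

```c
#else
/* … unchanged: ll_get_fd stub … */
static inline int ll_read(const char *allowed_path) { (void)allowed_path; return 0; }
static inline int ll_write(const char *allowed_path) { (void)allowed_path; return 0; }
static inline int ll_special(const char *allowed_path) { (void)allowed_path; return 0; }
static inline int ll_exec(const char *allowed_path) { (void)allowed_path; return 0; }
/* … unchanged: ll_basic_system stub … */
/* unsigned int stands in for __u32 so the stub does not depend on kernel headers */
static inline int ll_restrict(unsigned int flags) { (void)flags; return 0; }
```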