Skip to content

Commit

Permalink
landlock: deduplicate fs functions into ll_fs
Browse files Browse the repository at this point in the history
The relevant functions are all identical except for the access flags
used.
  • Loading branch information
kmk3 committed Nov 9, 2023
1 parent e677767 commit 30a215c
Showing 1 changed file with 19 additions and 84 deletions.
103 changes: 19 additions & 84 deletions src/firejail/landlock.c
Original file line number Diff line number Diff line change
Expand Up @@ -108,7 +108,8 @@ static int ll_create_full_ruleset() {
return ruleset_fd;
}

int ll_read(const char *allowed_path) {
static int ll_fs(const char *allowed_path, const __u64 allowed_access,
const char *caller) {
if (!ll_is_supported())
return 0;

Expand All @@ -120,125 +121,59 @@ int ll_read(const char *allowed_path) {
if (allowed_fd < 0) {
if (arg_debug) {
fprintf(stderr, "%s: failed to open %s: %s\n",
__func__, allowed_path, strerror(errno));
caller, allowed_path, strerror(errno));
}
return 0;
}

struct landlock_path_beneath_attr target;
target.parent_fd = allowed_fd;
target.allowed_access =
LANDLOCK_ACCESS_FS_READ_DIR |
LANDLOCK_ACCESS_FS_READ_FILE;

target.allowed_access = allowed_access;
error = landlock_add_rule(ll_ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
&target, 0);
if (error) {
fprintf(stderr, "Error: %s: failed to add Landlock rule for %s: %s\n",
__func__, allowed_path, strerror(errno));
caller, allowed_path, strerror(errno));
}
close(allowed_fd);
return error;
}

int ll_write(const char *allowed_path) {
if (!ll_is_supported())
return 0;
int ll_read(const char *allowed_path) {
__u64 allowed_access =
LANDLOCK_ACCESS_FS_READ_DIR |
LANDLOCK_ACCESS_FS_READ_FILE;

if (ll_ruleset_fd == -1)
ll_ruleset_fd = ll_create_full_ruleset();
return ll_fs(allowed_path, allowed_access, __func__);
}

int error;
int allowed_fd = open(allowed_path, O_PATH | O_CLOEXEC);
if (allowed_fd < 0) {
if (arg_debug) {
fprintf(stderr, "%s: failed to open %s: %s\n",
__func__, allowed_path, strerror(errno));
}
return 0;
}
struct landlock_path_beneath_attr target;
target.parent_fd = allowed_fd;
target.allowed_access =
int ll_write(const char *allowed_path) {
__u64 allowed_access =
LANDLOCK_ACCESS_FS_MAKE_DIR |
LANDLOCK_ACCESS_FS_MAKE_REG |
LANDLOCK_ACCESS_FS_MAKE_SYM |
LANDLOCK_ACCESS_FS_REMOVE_DIR |
LANDLOCK_ACCESS_FS_REMOVE_FILE |
LANDLOCK_ACCESS_FS_WRITE_FILE;

error = landlock_add_rule(ll_ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
&target, 0);
if (error) {
fprintf(stderr, "Error: %s: failed to add Landlock rule for %s: %s\n",
__func__, allowed_path, strerror(errno));
}
close(allowed_fd);
return error;
return ll_fs(allowed_path, allowed_access, __func__);
}

int ll_special(const char *allowed_path) {
if (!ll_is_supported())
return 0;

if (ll_ruleset_fd == -1)
ll_ruleset_fd = ll_create_full_ruleset();

int error;
int allowed_fd = open(allowed_path, O_PATH | O_CLOEXEC);
if (allowed_fd < 0) {
if (arg_debug) {
fprintf(stderr, "%s: failed to open %s: %s\n",
__func__, allowed_path, strerror(errno));
}
return 0;
}
struct landlock_path_beneath_attr target;
target.parent_fd = allowed_fd;
target.allowed_access =
__u64 allowed_access =
LANDLOCK_ACCESS_FS_MAKE_BLOCK |
LANDLOCK_ACCESS_FS_MAKE_CHAR |
LANDLOCK_ACCESS_FS_MAKE_FIFO |
LANDLOCK_ACCESS_FS_MAKE_SOCK;

error = landlock_add_rule(ll_ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
&target, 0);
if (error) {
fprintf(stderr, "Error: %s: failed to add Landlock rule for %s: %s\n",
__func__, allowed_path, strerror(errno));
}
close(allowed_fd);
return error;
return ll_fs(allowed_path, allowed_access, __func__);
}

int ll_exec(const char *allowed_path) {
if (!ll_is_supported())
return 0;

if (ll_ruleset_fd == -1)
ll_ruleset_fd = ll_create_full_ruleset();

int error;
int allowed_fd = open(allowed_path, O_PATH | O_CLOEXEC);
if (allowed_fd < 0) {
if (arg_debug) {
fprintf(stderr, "%s: failed to open %s: %s\n",
__func__, allowed_path, strerror(errno));
}
return 0;
}
struct landlock_path_beneath_attr target;
target.parent_fd = allowed_fd;
target.allowed_access =
__u64 allowed_access =
LANDLOCK_ACCESS_FS_EXECUTE;

error = landlock_add_rule(ll_ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
&target, 0);
if (error) {
fprintf(stderr, "Error: %s: failed to add Landlock rule for %s: %s\n",
__func__, allowed_path, strerror(errno));
}
close(allowed_fd);
return error;
return ll_fs(allowed_path, allowed_access, __func__);
}

int ll_basic_system(void) {
Expand Down

0 comments on commit 30a215c

Please sign in to comment.