From 9a6cd6df5790ac9f07958179d9be4279b345130a Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 2 Nov 2023 09:25:04 -0400 Subject: [PATCH] cleanup --- src/firejail/firejail.h | 8 ++++++- src/firejail/landlock.c | 50 +++++++++++++++++------------------------ src/firejail/main.c | 9 ++++---- src/firejail/profile.c | 8 +++---- src/firejail/sandbox.c | 5 +---- 5 files changed, 36 insertions(+), 44 deletions(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index d4025854284..0e690d57126 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -155,6 +155,12 @@ typedef struct profile_entry_t { typedef struct landlock_entry_t { struct landlock_entry_t *next; +#define LL_READ 0 +#define LL_WRITE 1 +#define LL_EXEC 2 +#define LL_SPECIAL 3 +#define LL_MAX 4 + int type; char *data; } LandlockEntry; @@ -970,7 +976,7 @@ int ll_restrict(__u32 flags); int ll_read(char *allowed_path); int ll_write(char *allowed_path); void ll_basic_system(void); -void ll_add_profile(const char *data); +void ll_add_profile(int type, const char *data); #endif #endif diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c index a956275a7ef..68dcf52c2ee 100644 --- a/src/firejail/landlock.c +++ b/src/firejail/landlock.c @@ -225,39 +225,23 @@ int ll_restrict(__u32 flags) { return 0; } + int (*fnc[])(char *) = { + ll_read, + ll_write, + ll_exec, + ll_special, + NULL + }; LandlockEntry *ptr = cfg.lprofile; while (ptr) { - char *fname = NULL; - int (*fnc)(char *) = NULL; - - if (strncmp(ptr->data, "landlock.read", 13) == 0) { - fname = ptr->data + 14; - fnc = ll_read; - } - else if (strncmp(ptr->data, "landlock.write", 14) == 0) { - fname = ptr->data + 15; - fnc = ll_write; - } - else if (strncmp(ptr->data, "landlock.special", 16) == 0) { - fname = ptr->data + 17; - fnc = ll_special; - } - else if (strncmp(ptr->data, "landlock.execute", 16) == 0) { - fname = ptr->data + 17; - fnc = ll_exec; - } - else - assert(0); - - if (access(fname, F_OK) == 0) { - if (fnc(fname)) - fprintf(stderr,"Error: failed to add Landlock rule for %s\n", fname); + if (access(ptr->data, F_OK) == 0) { + if (fnc[ptr->type](ptr->data)) + fprintf(stderr,"Error: failed to add Landlock rule for %s\n", ptr->data); } ptr = ptr->next; } - if (rset_fd == -1) return 0; @@ -270,19 +254,25 @@ int ll_restrict(__u32 flags) { } } -void ll_add_profile(const char *data) { +void ll_add_profile(int type, const char *data) { + assert(data); + assert(type < LL_MAX); if (old_kernel()) return; + const char *str = data; + while (*str == ' ' || *str == '\t') + str++; + LandlockEntry *ptr = malloc(sizeof(LandlockEntry)); if (!ptr) errExit("malloc"); memset(ptr, 0, sizeof(LandlockEntry)); - ptr->data = strdup(data); + ptr->type = type; + ptr->data = strdup(str); if (!ptr->data) errExit("strdup"); -//printf("add profile #%s#\n", ptr->data); ptr->next = cfg.lprofile; - cfg.lprofile=ptr; + cfg.lprofile = ptr; } #endif diff --git a/src/firejail/main.c b/src/firejail/main.c index f5eb06f56cb..b643b28d539 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1504,7 +1504,6 @@ int main(int argc, char **argv, char **envp) { } #ifdef HAVE_LANDLOCK else if (strcmp(argv[i], "--landlock") == 0) -// ll_basic_system(); arg_landlock = 1; else if (strncmp(argv[i], "--landlock.proc=", 16) == 0) { if (strncmp(argv[i]+16, "no", 2) == 0) arg_landlock_proc = 0; @@ -1512,13 +1511,13 @@ int main(int argc, char **argv, char **envp) { else if (strncmp(argv[i]+16, "rw", 2) == 0) arg_landlock_proc = 2; } else if (strncmp(argv[i], "--landlock.read=", 16) == 0) - ll_add_profile(argv[i] + 2); + ll_add_profile(LL_READ, argv[i] + 16); else if (strncmp(argv[i], "--landlock.write=", 17) == 0) - ll_add_profile(argv[i] + 2); + ll_add_profile(LL_WRITE, argv[i] + 17); else if (strncmp(argv[i], "--landlock.special=", 17) == 0) - ll_add_profile(argv[i] + 2); + ll_add_profile(LL_SPECIAL, argv[i] + 17); else if (strncmp(argv[i], "--landlock.execute=", 19) == 0) - ll_add_profile(argv[i] + 2); + ll_add_profile(LL_EXEC, argv[i] + 19); #endif else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) { if (checkcfg(CFG_SECCOMP)) diff --git a/src/firejail/profile.c b/src/firejail/profile.c index f16ec2175d1..62bd4aa755d 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -1090,19 +1090,19 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } if (strncmp(ptr, "landlock.read ", 14) == 0) { - ll_add_profile(ptr); + ll_add_profile(LL_READ, ptr + 14); return 0; } if (strncmp(ptr, "landlock.write ", 15) == 0) { - ll_add_profile(ptr); + ll_add_profile(LL_WRITE, ptr + 15); return 0; } if (strncmp(ptr, "landlock.special ", 17) == 0) { - ll_add_profile(ptr); + ll_add_profile(LL_SPECIAL, ptr + 17); return 0; } if (strncmp(ptr, "landlock.execute ", 17) == 0) { - ll_add_profile(ptr); + ll_add_profile(LL_EXEC, ptr + 17); return 0; } #endif diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index e03e88b3e0a..d09d7cf9448 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -520,12 +520,9 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) { //**************************** // Configure Landlock //**************************** - if (arg_landlock) { -printf("set basic system\n"); fflush(0); + if (arg_landlock) ll_basic_system(); -} if (ll_get_fd() != -1) { -printf("proc = %d\n", arg_landlock_proc); if (arg_landlock_proc >= 1) ll_read("/proc/"); if (arg_landlock_proc == 2)