detect landlock at run time

configure

@@ -738,7 +738,6 @@ enable_sanitizer
 enable_ids
 enable_apparmor
 enable_selinux
-enable_landlock
 enable_dbusproxy
 enable_output
 enable_usertmpfs
@@ -1398,7 +1397,6 @@ Optional Features:
   --enable-ids            enable ids
   --enable-apparmor       enable apparmor
   --enable-selinux        SELinux labeling support
-  --enable-landlock       Landlock self-restriction support
   --disable-dbusproxy     disable dbus proxy
   --disable-output        disable --output logging
   --disable-usertmpfs     disable tmpfs as regular user
@@ -3744,7 +3742,6 @@ fi
 
 HAVE_LANDLOCK=""
 
-
 ac_header= ac_cache=
 for ac_item in $ac_header_c_list
 do
@@ -3789,29 +3786,6 @@ fi
 
 
 
-# Check whether --enable-landlock was given.
-if test ${enable_landlock+y}
-then :
-  enableval=$enable_landlock;
-fi
-
-if test "x$enable_landlock" = "xyes"
-then :
-
-	ac_fn_c_check_header_compile "$LINENO" "linux/landlock.h" "ac_cv_header_linux_landlock_h" "$ac_includes_default"
-if test "x$ac_cv_header_linux_landlock_h" = xyes
-then :
-
-else $as_nop
-  as_fn_error $? "*** LANDLOCK support is not installed (/usr/include/linux/landlock.h missing) ***" "$LINENO" 5
-fi
-
-	HAVE_LANDLOCK="-DHAVE_LANDLOCK"
-
-fi
-
-
-
 
 HAVE_DBUSPROXY=""
 

configure.ac

@@ -83,22 +83,12 @@ AS_IF([test "x$enable_selinux" = "xyes"], [
 
 HAVE_LANDLOCK=""
 AC_SUBST([HAVE_LANDLOCK])
-
 AC_CHECK_HEADER([linux/landlock.h], [
 	HAVE_LANDLOCK="-DHAVE_LANDLOCK"
 ],
     [AC_MSG_WARN([*** Landlock support is not installed (/usr/include/linux/landlock.h missing) ***])
 ])
 
-
-
-AC_ARG_ENABLE([landlock],
-    [AS_HELP_STRING([--enable-landlock], [Landlock self-restriction support])])
-AS_IF([test "x$enable_landlock" = "xyes"], [
-	AC_CHECK_HEADER([linux/landlock.h], [], AC_MSG_ERROR([*** LANDLOCK support is not installed (/usr/include/linux/landlock.h missing) ***]))
-	HAVE_LANDLOCK="-DHAVE_LANDLOCK"
-])
-
 AC_SUBST([EXTRA_CFLAGS])
 AC_SUBST([EXTRA_LDFLAGS])
 

src/firejail/firejail.h

@@ -968,11 +968,9 @@ int ll_get_fd(void);
 int ll_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags);
 int ll_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags);
 int ll_restrict(__u32 flags);
-int ll_create_full_ruleset();
+//int ll_create_full_ruleset();
 int ll_add_read_access_rule_by_path(char *allowed_path);
 int ll_add_write_access_rule_by_path(char *allowed_path);
-int ll_add_create_special_rule_by_path(char *allowed_path);
-int ll_add_execute_rule_by_path(char *allowed_path);
 void ll_basic_system(void);
 void ll_add_profile(const char *data);
 #endif

src/firejail/landlock.c

@@ -26,8 +26,30 @@
 #include <sys/prctl.h>
 #include <linux/prctl.h>
 #include <linux/landlock.h>
+#include <sys/utsname.h>
+
+static int rset_fd = -1;
+
+// return 1 if the kernel is older than 6.1
+static int old_kernel(void) {
+	struct utsname u;
+	int rv = uname(&u);
+	if (rv != 0)
+		errExit("uname");
+	unsigned major;
+	unsigned minor;
+	if (2 != sscanf(u.release, "%u.%u", &major, &minor)) {
+		fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
+		exit(1);
+	}
+
+return 1;
+	unsigned version = (major << 8) + minor;
+	if (version < ((6 << 8) + 1))
+		return 1;
 
-int rset_fd = -1;
+	return 0;
+}
 
 int ll_get_fd(void) {
 	return rset_fd;
@@ -52,7 +74,7 @@ static inline int landlock_restrict_self(const int ruleset_fd,
 }
 #endif
 
-int ll_create_full_ruleset() {
+static int ll_create_full_ruleset() {
 	struct landlock_ruleset_attr attr;
 	attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_WRITE_FILE |
 				 LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR |
@@ -62,6 +84,11 @@ int ll_create_full_ruleset() {
 }
 
 int ll_add_read_access_rule_by_path(char *allowed_path) {
+	if (old_kernel()) {
+		fprintf(stderr, "Warning: Landlock not enabled, a 6.1 or newer Linux kernel is required\n");
+		return 1;
+	}
+
 	if (rset_fd == -1)
 		rset_fd = ll_create_full_ruleset();
 
@@ -76,6 +103,11 @@ int ll_add_read_access_rule_by_path(char *allowed_path) {
 }
 
 int ll_add_write_access_rule_by_path(char *allowed_path) {
+	if (old_kernel()) {
+		fprintf(stderr, "Warning: Landlock not enabled, a 6.1 or newer Linux kernel is required\n");
+		return 1;
+	}
+
 	if (rset_fd == -1)
 		rset_fd = ll_create_full_ruleset();
 
@@ -91,7 +123,12 @@ int ll_add_write_access_rule_by_path(char *allowed_path) {
 	return result;
 }
 
-int ll_add_create_special_rule_by_path(char *allowed_path) {
+static int ll_add_create_special_rule_by_path(char *allowed_path) {
+	if (old_kernel()) {
+		fprintf(stderr, "Warning: Landlock not enabled, a 6.1 or newer Linux kernel is required\n");
+		return 1;
+	}
+
 	if (rset_fd == -1)
 		rset_fd = ll_create_full_ruleset();
 
@@ -105,7 +142,12 @@ int ll_add_create_special_rule_by_path(char *allowed_path) {
 	return result;
 }
 
-int ll_add_execute_rule_by_path(char *allowed_path) {
+static int ll_add_execute_rule_by_path(char *allowed_path) {
+	if (old_kernel()) {
+		fprintf(stderr, "Warning: Landlock not enabled, a 6.1 or newer Linux kernel is required\n");
+		return 1;
+	}
+
 	if (rset_fd == -1)
 		rset_fd = ll_create_full_ruleset();
 
@@ -120,6 +162,11 @@ int ll_add_execute_rule_by_path(char *allowed_path) {
 }
 
 void ll_basic_system(void) {
+	if (old_kernel()) {
+		fprintf(stderr, "Warning: Landlock not enabled, a 6.1 or newer Linux kernel is required\n");
+		return;
+	}
+
 	if (rset_fd == -1)
 		rset_fd = ll_create_full_ruleset();
 
@@ -152,6 +199,11 @@ void ll_basic_system(void) {
 }
 
 int ll_restrict(__u32 flags) {
+	if (old_kernel()) {
+		fprintf(stderr, "Warning: Landlock not enabled, a 6.1 or newer Linux kernel is required\n");
+		return 0;
+	}
+
 	LandlockEntry *ptr = cfg.lprofile;
 	while (ptr) {
 		if (strncmp(ptr->data, "landlock.read", 13) == 0) {
@@ -187,6 +239,8 @@ int ll_restrict(__u32 flags) {
 }
 
 void ll_add_profile(const char *data) {
+	if (old_kernel())
+		return;
 	LandlockEntry *ptr = malloc(sizeof(LandlockEntry));
 	if (!ptr)
 		errExit("malloc");
@@ -198,7 +252,4 @@ void ll_add_profile(const char *data) {
 	cfg.lprofile=ptr;
 }
 
-
-#if 0
-#endif
 #endif