fixes

netblue30 · Oct 26, 2023 · d2d135f · d2d135f
1 parent faab26d
commit d2d135f
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 11 deletions.
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
@@ -961,7 +961,7 @@ void oom_set(const char *oom_string);
 int ll_get_fd(void);
 int ll_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags);
 int ll_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags);
-int ll_restrict_self(__u32 flags);
+int ll_restrict(__u32 flags);
 int ll_create_full_ruleset();
 int ll_add_read_access_rule_by_path(char *allowed_path);
 int ll_add_write_access_rule_by_path(char *allowed_path);

diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c
@@ -33,21 +33,32 @@ int ll_get_fd(void) {
 	return rset_fd;
 }
 
+#ifndef landlock_create_ruleset
 int ll_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags) {
 	return syscall(__NR_landlock_create_ruleset,rsattr,size,flags);
 }
+#endif
 
+#ifndef landlock_add_rule
 int ll_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags) {
 	return syscall(__NR_landlock_add_rule,fd,t,attr,flags);
 }
+#endif
+
+#ifndef landlock_restrict_self
+static inline int landlock_restrict_self(const int ruleset_fd,
+					 const __u32 flags)
+{
+	return syscall(__NR_landlock_restrict_self, ruleset_fd, flags);
+}
+#endif
 
-int ll_restrict_self(__u32 flags) {
+int ll_restrict(__u32 flags) {
 	if (rset_fd == -1)
 		return 0;
 
-
 	prctl(PR_SET_NO_NEW_PRIVS,1,0,0,0);
-	int result = syscall(__NR_landlock_restrict_self, rset_fd, flags);
+	int result = landlock_restrict_self(rset_fd, flags);
 	if (result!=0) return result;
 	else {
 		close(rset_fd);
@@ -126,8 +137,8 @@ void ll_basic_system(void) {
 	if (rset_fd == -1)
 		rset_fd = ll_create_full_ruleset();
 
-	const char *home_dir = env_get("HOME");
-	int home_fd = open(home_dir,O_PATH | O_CLOEXEC);
+	assert(cfg.homedir);
+	int home_fd = open(cfg.homedir,O_PATH | O_CLOEXEC);
 	struct landlock_path_beneath_attr target;
 	target.parent_fd = home_fd;
 	target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR |

diff --git a/src/firejail/profile.c b/src/firejail/profile.c
@@ -1935,8 +1935,7 @@ void profile_read(const char *fname) {
 	fclose(fp);
 }
 
-char *profile_list_normalize(char *list)
-{
+char *profile_list_normalize(char *list) {
 	/* Remove redundant commas.
 	 *
 	 * As result is always shorter than original,

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
@@ -523,16 +523,14 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
 	if (arg_landlock)
 		ll_basic_system();
 
-#ifdef HAVE_LANDLOCK
 	if (ll_get_fd() != -1) {
 		if (arg_landlock_proc >= 1)
 			ll_add_read_access_rule_by_path("/proc/");
 		if (arg_landlock_proc == 2)
 			ll_add_write_access_rule_by_path("/proc/");
 	}
-#endif
 
-	if (ll_restrict_self(0)) {
+	if (ll_restrict(0)) {
 		fprintf(stderr,"An error has occured while enabling Landlock self-restriction. Exiting...\n");
 		exit(1); // it isn't safe to continue if Landlock self-restriction was enabled and the "landlock_restrict_self" syscall has failed
 	}