diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 2964371347a..50f8f9554fd 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -155,6 +155,12 @@ typedef struct profile_entry_t {
 typedef struct landlock_entry_t {
 struct landlock_entry_t *next;
+#define LL_READ 0
+#define LL_WRITE 1
+#define LL_EXEC 2
+#define LL_SPECIAL 3
+#define LL_MAX 4
+
 int type;
 char *data;
 } LandlockEntry;
@@ -971,7 +977,7 @@ int ll_special(const char *allowed_path);
 int ll_exec(const char *allowed_path);
 void ll_basic_system(void);
 int ll_restrict(__u32 flags);
-void ll_add_profile(const char *data);
+void ll_add_profile(int type, const char *data);
 #endif
 #endif
diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c
index c672142508d..8f642a0eef1 100644
--- a/src/firejail/landlock.c
+++ b/src/firejail/landlock.c
@@ -265,32 +265,17 @@ int ll_restrict(__u32 flags) {
 return 0;
 }
+ int (*fnc[])(const char *) = {
+ ll_read,
+ ll_write,
+ ll_exec,
+ ll_special,
+ NULL
+ };
 LandlockEntry *ptr = cfg.lprofile;
 while (ptr) {
- char *fname = NULL;
- int (*fnc)(const char *) = NULL;
-
- if (strncmp(ptr->data, "landlock.read", 13) == 0) {
- fname = ptr->data + 14;
- fnc = ll_read;
- }
- else if (strncmp(ptr->data, "landlock.write", 14) == 0) {
- fname = ptr->data + 15;
- fnc = ll_write;
- }
- else if (strncmp(ptr->data, "landlock.special", 16) == 0) {
- fname = ptr->data + 17;
- fnc = ll_special;
- }
- else if (strncmp(ptr->data, "landlock.execute", 16) == 0) {
- fname = ptr->data + 17;
- fnc = ll_exec;
- }
- else
- assert(0);
-
- if (access(fname, F_OK) == 0) {
- if (fnc(fname)) {
+ if (access(ptr->data, F_OK) == 0) {
+ if (fnc[ptr->type](ptr->data)) {
 fprintf(stderr, "Error: failed to add Landlock rule: %s: %s\n",
 ptr->data, strerror(errno));
 }
 
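Review bot: The LL_READ … LL_MAX constants are #defined inside the body of `struct landlock_entry_t`, where they read like members of the struct but are really file-wide preprocessor symbols with no type; an enum placed before the typedef would make the scope explicit, give `type` and the new `ll_add_profile` parameter a nameable type, and allow the dispatch table in landlock.c to use designated initializers so its order cannot drift from the values. Something like `enum { LL_READ = 0, LL_WRITE, LL_EXEC, LL_SPECIAL, LL_MAX };` keeps the same numbering while dropping the defines from the struct body.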
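Review bot: `fnc[ptr->type](ptr->data)` indexes the dispatch table with a value that is not validated in this loop; the only guard is the `assert` in ll_add_profile, which is compiled out under NDEBUG and does not reject a negative value, and the trailing `NULL` entry turns an out-of-range `type` into a null-function call rather than a caught error. Because this runs in a setuid binary while applying sandbox rules, keep a cheap check next to the new line, e.g. `assert(ptr->type >= 0 && ptr->type < LL_MAX);` immediately before `if (access(ptr->data, F_OK) == 0)`, or log and skip the entry the way the existing fprintf branch reports failures. Tying the table to the constants with designated initializers, `[LL_READ] = ll_read, [LL_WRITE] = ll_write, [LL_EXEC] = ll_exec, [LL_SPECIAL] = ll_special`, and declaring it `static int (*const fnc[LL_MAX])(const char *)` would also remove the unused NULL slot and keep the order from drifting if the LL_* values are ever renumbered. The rest of ll_restrict, including the loop's advance statement, lies outside the hunk.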
@@ -311,14 +296,21 @@ int ll_restrict(__u32 flags) {
 return 0;
 }
-void ll_add_profile(const char *data) {
+void ll_add_profile(int type, const char *data) {
+ assert(data);
+ assert(type < LL_MAX);
 if (old_kernel())
 return;
+ const char *str = data;
+ while (*str == ' ' || *str == '\t')
+ str++;
+
 LandlockEntry *ptr = malloc(sizeof(LandlockEntry));
 if (!ptr)
 errExit("malloc");
 memset(ptr, 0, sizeof(LandlockEntry));
- ptr->data = strdup(data);
+ ptr->type = type;
+ ptr->data = strdup(str);
 if (!ptr->data)
 errExit("strdup");
 ptr->next = cfg.lprofile;
diff --git a/src/firejail/main.c b/src/firejail/main.c
index e6ddf98f46d..d03a35e1e11 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1519,13 +1519,13 @@ int main(int argc, char **argv, char **envp) {
 }
 }
 else if (strncmp(argv[i], "--landlock.read=", 16) == 0)
- ll_add_profile(argv[i] + 2);
+ ll_add_profile(LL_READ, argv[i] + 16);
 else if (strncmp(argv[i], "--landlock.write=", 17) == 0)
- ll_add_profile(argv[i] + 2);
+ ll_add_profile(LL_WRITE, argv[i] + 17);
 else if (strncmp(argv[i], "--landlock.special=", 19) == 0)
- ll_add_profile(argv[i] + 2);
+ ll_add_profile(LL_SPECIAL, argv[i] + 19);
 else if (strncmp(argv[i], "--landlock.execute=", 19) == 0)
- ll_add_profile(argv[i] + 2);
+ ll_add_profile(LL_EXEC, argv[i] + 19);
 #endif
 else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) {
 if (checkcfg(CFG_SECCOMP))
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 4e67ec2a3ca..e3554eb12ec 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
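Review bot: `assert(type < LL_MAX)` on the new line is one-sided: a negative `type` passes, is stored in `ptr->type`, and is later used by ll_restrict as an array index, so the check should be `assert(type >= 0 && type < LL_MAX);`. The new whitespace skip can also stop on the terminating NUL when the option value is empty or all blanks, in which case an entry with an empty path is stored; the first hunk suggests such an entry is only dropped later when access() fails, so it would be clearer to reject it here, e.g. `if (*str == '\0') { fprintf(stderr, "Error: empty Landlock rule\n"); exit(1); }`, following the error style the file already uses. The tail of ll_add_profile is outside the hunk.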
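Review bot: The per-option offsets 16/17/19/19 in the new `ll_add_profile(..., argv[i] + N)` calls restate the lengths of the string literals on the preceding lines by hand, and a mismatch would silently hand the sandbox a truncated or shifted path; the same pattern appears in the profile.c hunk with 14/15/17/17. Deriving the offset from the literal keeps the two in step, e.g. `else if (strncmp(argv[i], "--landlock.read=", sizeof("--landlock.read=") - 1) == 0)` paired with `ll_add_profile(LL_READ, argv[i] + sizeof("--landlock.read=") - 1);`, or a small static helper that takes the prefix and returns the suffix or NULL. The body of main continues outside the hunk.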
@@ -1098,19 +1098,19 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 if (strncmp(ptr, "landlock.read ", 14) == 0) {
- ll_add_profile(ptr);
+ ll_add_profile(LL_READ, ptr + 14);
 return 0;
 }
 if (strncmp(ptr, "landlock.write ", 15) == 0) {
- ll_add_profile(ptr);
+ ll_add_profile(LL_WRITE, ptr + 15);
 return 0;
 }
 if (strncmp(ptr, "landlock.special ", 17) == 0) {
- ll_add_profile(ptr);
+ ll_add_profile(LL_SPECIAL, ptr + 17);
 return 0;
 }
 if (strncmp(ptr, "landlock.execute ", 17) == 0) {
- ll_add_profile(ptr);
+ ll_add_profile(LL_EXEC, ptr + 17);
 return 0;
 }
 #endif