feature: add Landlock support #6078

Merged
merged 6 commits into from
Dec 4, 2023
Merged
3 changes: 2 additions & 1 deletion README
Expand Up @@ -197,7 +197,8 @@ avoidr (https://github.com/avoidr)
- fixed mpv profile
- various other fixes
Азалия Смарагдова/ChrysoliteAzalea (https://github.com/ChrysoliteAzalea)
- add support for custom AppArmor profiles (--apparmor=)
- add support for custom AppArmor profiles (--apparmor=)
- add Landlock support
backspac (https://github.com/backspac)
- firecfg fixes
- add steam-runtime alias
2 changes: 2 additions & 0 deletions config.mk.in
Expand Up @@ -38,6 +38,7 @@ HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@
HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@
HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
HAVE_IDS=@HAVE_IDS@
HAVE_LANDLOCK=@HAVE_LANDLOCK@
HAVE_LTS=@HAVE_LTS@
HAVE_NETWORK=@HAVE_NETWORK@
HAVE_ONLY_SYSCFG_PROFILES=@HAVE_ONLY_SYSCFG_PROFILES@
Expand All @@ -60,6 +61,7 @@ MANFLAGS = \
$(HAVE_FORCE_NONEWPRIVS) \
$(HAVE_GLOBALCFG) \
$(HAVE_IDS) \
$(HAVE_LANDLOCK) \
$(HAVE_LTS) \
$(HAVE_NETWORK) \
$(HAVE_ONLY_SYSCFG_PROFILES) \
86 changes: 57 additions & 29 deletions configure
Expand Up @@ -675,6 +675,7 @@ HAVE_OVERLAYFS
HAVE_DBUSPROXY
EXTRA_LDFLAGS
EXTRA_CFLAGS
HAVE_LANDLOCK
HAVE_SELINUX
AA_LIBS
AA_CFLAGS
Expand Down Expand Up @@ -737,6 +738,7 @@ enable_sanitizer
enable_ids
enable_apparmor
enable_selinux
enable_landlock
enable_dbusproxy
enable_output
enable_usertmpfs
Expand Down Expand Up @@ -1396,6 +1398,7 @@ Optional Features:
--enable-ids enable ids
--enable-apparmor enable apparmor
--enable-selinux SELinux labeling support
--enable-landlock Landlock self-restriction support
--disable-dbusproxy disable dbus proxy
--disable-output disable --output logging
--disable-usertmpfs disable tmpfs as regular user
Expand Down Expand Up @@ -3739,6 +3742,58 @@ then :
fi
HAVE_LANDLOCK=""
# Check whether --enable-landlock was given.
if test ${enable_landlock+y}
then :
enableval=$enable_landlock;
fi
ac_header= ac_cache=
for ac_item in $ac_header_c_list
do
if test $ac_cache; then
ac_fn_c_check_header_compile "$LINENO" $ac_header ac_cv_header_$ac_cache "$ac_includes_default"
if eval test \"x\$ac_cv_header_$ac_cache\" = xyes; then
printf "%s\n" "#define $ac_item 1" >> confdefs.h
fi
ac_header= ac_cache=
elif test $ac_header; then
ac_cache=$ac_item
else
ac_header=$ac_item
fi
done
if test $ac_cv_header_stdlib_h = yes && test $ac_cv_header_string_h = yes
then :
printf "%s\n" "#define STDC_HEADERS 1" >>confdefs.h
fi
if test "x$enable_landlock" != "xno"
then :
ac_fn_c_check_header_compile "$LINENO" "linux/landlock.h" "ac_cv_header_linux_landlock_h" "$ac_includes_default"
if test "x$ac_cv_header_linux_landlock_h" = xyes
then :
HAVE_LANDLOCK="-DHAVE_LANDLOCK"
else $as_nop
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: header not found: linux/landlock.h, building without Landlock support" >&5
printf "%s\n" "$as_me: WARNING: header not found: linux/landlock.h, building without Landlock support" >&2;}
fi
fi
Expand Down Expand Up @@ -4112,6 +4167,7 @@ if test "x$enable_lts" = "xyes"
then :
HAVE_LTS="-DHAVE_LTS"
HAVE_LANDLOCK=""
HAVE_IDS=""
HAVE_DBUSPROXY=""
HAVE_OVERLAYFS=""
Expand All @@ -4132,35 +4188,6 @@ then :
fi
ac_header= ac_cache=
for ac_item in $ac_header_c_list
do
if test $ac_cache; then
ac_fn_c_check_header_compile "$LINENO" $ac_header ac_cv_header_$ac_cache "$ac_includes_default"
if eval test \"x\$ac_cv_header_$ac_cache\" = xyes; then
printf "%s\n" "#define $ac_item 1" >> confdefs.h
fi
ac_header= ac_cache=
elif test $ac_header; then
ac_cache=$ac_item
else
ac_header=$ac_item
fi
done
if test $ac_cv_header_stdlib_h = yes && test $ac_cv_header_string_h = yes
then :
printf "%s\n" "#define STDC_HEADERS 1" >>confdefs.h
fi
ac_fn_c_check_header_compile "$LINENO" "linux/seccomp.h" "ac_cv_header_linux_seccomp_h" "$ac_includes_default"
if test "x$ac_cv_header_linux_seccomp_h" = xyes
then :
Expand Down Expand Up @@ -5360,6 +5387,7 @@ Features:
firetunnel support: $HAVE_FIRETUNNEL
global config: $HAVE_GLOBALCFG
IDS support: $HAVE_IDS
Landlock support: $HAVE_LANDLOCK
LTS: $HAVE_LTS
manpage support: $HAVE_MAN
network: $HAVE_NETWORK
12 changes: 12 additions & 0 deletions configure.ac
Expand Up @@ -81,6 +81,16 @@ AS_IF([test "x$enable_selinux" = "xyes"], [
LIBS="$LIBS -lselinux"
])

HAVE_LANDLOCK=""
AC_SUBST([HAVE_LANDLOCK])
AC_ARG_ENABLE([landlock],
[AS_HELP_STRING([--enable-landlock], [Landlock self-restriction support])])
AS_IF([test "x$enable_landlock" != "xno"], [
AC_CHECK_HEADER([linux/landlock.h],
[HAVE_LANDLOCK="-DHAVE_LANDLOCK"],
[AC_MSG_WARN([header not found: linux/landlock.h, building without Landlock support])])
])

AC_SUBST([EXTRA_CFLAGS])
AC_SUBST([EXTRA_LDFLAGS])

Expand Down Expand Up @@ -264,6 +274,7 @@ AC_ARG_ENABLE([lts],
[AS_HELP_STRING([--enable-lts], [enable long-term support software version (LTS)])])
AS_IF([test "x$enable_lts" = "xyes"], [
HAVE_LTS="-DHAVE_LTS"
HAVE_LANDLOCK=""
HAVE_IDS=""
HAVE_DBUSPROXY=""
HAVE_OVERLAYFS=""
Expand Down Expand Up @@ -324,6 +335,7 @@ Features:
firetunnel support: $HAVE_FIRETUNNEL
global config: $HAVE_GLOBALCFG
IDS support: $HAVE_IDS
Landlock support: $HAVE_LANDLOCK
LTS: $HAVE_LTS
manpage support: $HAVE_MAN
network: $HAVE_NETWORK
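Review bot: An explicit `--enable-landlock` is handled exactly like the default in the first hunk, because the guard is `test "x$enable_landlock" != "xno"`. When `linux/landlock.h` is missing the build only warns and continues without the hardening feature the user asked for. Failing in that case is safer: replace the warning branch with `[AS_IF([test "x$enable_landlock" = "xyes"], [AC_MSG_ERROR([--enable-landlock was given but linux/landlock.h was not found])], [AC_MSG_WARN([header not found: linux/landlock.h, building without Landlock support])])]`. The help string `--enable-landlock` also reads as opt-in although the feature is auto-enabled whenever the header is present. Documenting it as `--disable-landlock`, like `--disable-dbusproxy`, would match the actual default.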
1 change: 1 addition & 0 deletions contrib/syntax/lists/profile_commands_arg0.list
Expand Up @@ -12,6 +12,7 @@ keep-config-pulse
keep-dev-shm
keep-shell-rc
keep-var-tmp
landlock
machine-id
memory-deny-write-execute
netfilter
5 changes: 5 additions & 0 deletions contrib/syntax/lists/profile_commands_arg1.list
Expand Up @@ -29,6 +29,11 @@ ip6
iprange
join-or-start
keep-fd
landlock.execute
landlock.proc
landlock.read
landlock.special
landlock.write
mac
mkdir
mkfile
19 changes: 19 additions & 0 deletions src/bash_completion/firejail.bash_completion.in
Expand Up @@ -42,6 +42,25 @@ _firejail()
_filedir -d
return 0
;;
--landlock)
return 0
;;
--landlock.read)
_filedir
return 0
;;
--landlock.write)
_filedir
return 0
;;
--landlock.special)
_filedir
return 0
;;
--landlock.execute)
_filedir
return 0
;;
--tmpfs)
_filedir
return 0
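Review bot: The four arms for `--landlock.read`, `--landlock.write`, `--landlock.special` and `--landlock.execute` have identical bodies and could be a single arm, `--landlock.read|--landlock.write|--landlock.special|--landlock.execute)`, which is easier to keep in sync as options are added. The `--landlock)` arm returns with no completions. Since `landlock` is listed as a command without an argument, this probably suppresses completion of the word that follows it, though the `case` subject is outside the hunk, so this is inferred. `--landlock.proc` is added to the profile command list but has no arm here. `_firejail()` starts and ends outside the hunk.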
7 changes: 7 additions & 0 deletions src/firejail/checkcfg.c
Expand Up @@ -363,6 +363,13 @@ static const char *const compiletime_support =
"disabled"
#endif

"\n\t- Landlock support is "
#ifdef HAVE_LANDLOCK
"enabled"
#else
"disabled"
#endif

"\n\t- networking support is "
#ifdef HAVE_NETWORK
"enabled"
37 changes: 37 additions & 0 deletions src/firejail/firejail.h
Expand Up @@ -150,6 +150,17 @@ typedef struct profile_entry_t {

} ProfileEntry;

typedef struct landlock_entry_t {
struct landlock_entry_t *next;
#define LL_READ 0
#define LL_WRITE 1
#define LL_SPECIAL 2
#define LL_EXEC 3
#define LL_MAX 4
int type;
char *data;
} LandlockEntry;

typedef struct config_t {
// user data
char *username;
Expand All @@ -159,6 +170,7 @@ typedef struct config_t {
// filesystem
ProfileEntry *profile;
ProfileEntry *profile_rebuild_etc; // blacklist files in /etc directory used by fs_rebuild_etc()
LandlockEntry *lprofile;

#define MAX_PROFILE_IGNORE 32
char *profile_ignore[MAX_PROFILE_IGNORE];
Expand Down Expand Up @@ -281,6 +293,9 @@ extern int arg_overlay; // overlay option
extern int arg_overlay_keep; // place overlay diff in a known directory
extern int arg_overlay_reuse; // allow the reuse of overlays

extern int arg_landlock; // add basic Landlock rules
extern int arg_landlock_proc; // 0 - no access; 1 -read-only; 2 - read-write

extern int arg_seccomp; // enable default seccomp filter
extern int arg_seccomp32; // enable default seccomp filter for 32 bit arch
extern int arg_seccomp_postexec; // need postexec ld.preload library?
Expand Down Expand Up @@ -950,4 +965,26 @@ void run_ids(int argc, char **argv);
// oom.c
void oom_set(const char *oom_string);

// landlock.c
#ifdef HAVE_LANDLOCK
int ll_get_fd(void);
int ll_is_supported(void);
int ll_read(const char *allowed_path);
int ll_write(const char *allowed_path);
int ll_special(const char *allowed_path);
int ll_exec(const char *allowed_path);
int ll_basic_system(void);
int ll_restrict(__u32 flags);
void ll_add_profile(int type, const char *data);
#else
static inline int ll_get_fd(void) { return -1; }
static inline int ll_read(...) { return 0; }
static inline int ll_write(...) { return 0; }
static inline int ll_special(...) { return 0; }
static inline int ll_exec(...) { return 0; }
static inline int ll_basic_system(void) { return 0; }
static inline int ll_restrict(...) { return 0; }
static inline void ll_add_profile(...) { return; }
#endif /* HAVE_LANDLOCK */

#endif
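Review bot: The `#else` stubs at the end of this section are declared as `ll_read(...)` with no named parameter, which is not valid C before C23. A build without `HAVE_LANDLOCK` can therefore fail on older compilers, and where it is accepted the stubs lose all argument type checking. `ll_is_supported()` has a prototype but no stub, so any caller not wrapped in `#ifdef HAVE_LANDLOCK` will not build in that configuration. The stubs also return 0; if 0 is the success value in landlock.c (not visible here), a profile that requests Landlock on such a build is told the restriction was applied when nothing was enforced. The callers should warn, or the stubs should return an error. Typed stubs that mirror the real prototypes are sketched below.

```c
#else
/* … unchanged: ll_get_fd and ll_basic_system stubs … */
static inline int ll_is_supported(void) { return 0; } /* assumes 0 means "not supported"; confirm against landlock.c */
static inline int ll_read(const char *allowed_path) { (void)allowed_path; return 0; }
static inline int ll_write(const char *allowed_path) { (void)allowed_path; return 0; }
static inline int ll_special(const char *allowed_path) { (void)allowed_path; return 0; }
static inline int ll_exec(const char *allowed_path) { (void)allowed_path; return 0; }
/* unsigned int rather than __u32, in case the kernel type headers are not included in this configuration */
static inline int ll_restrict(unsigned int flags) { (void)flags; return 0; }
static inline void ll_add_profile(int type, const char *data) { (void)type; (void)data; }
```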