Merge pull request #6125 from kmk3/landlock-enforce

landlock: move commands into profile and add landlock.enforce

Author: netblue30

contrib/syntax/lists/profile_commands_arg0.list

@@ -12,7 +12,7 @@ keep-config-pulse
 keep-dev-shm
 keep-shell-rc
 keep-var-tmp
-landlock
+landlock.enforce
 machine-id
 memory-deny-write-execute
 netfilter

contrib/syntax/lists/profile_commands_arg1.list

@@ -30,7 +30,6 @@ iprange
 join-or-start
 keep-fd
 landlock.execute
-landlock.proc
 landlock.read
 landlock.special
 landlock.write

etc/inc/landlock-common.inc

@@ -0,0 +1,39 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include landlock-common.local
+
+landlock.read /          # whole system read
+landlock.read /proc
+landlock.special /       # sockets etc.
+
+# write access
+landlock.write ${HOME}
+landlock.write ${RUNUSER}
+landlock.write /dev
+landlock.write /proc
+landlock.write /run/shm
+landlock.write /tmp
+
+# exec access
+## misc
+landlock.execute /opt
+landlock.execute /run/firejail # appimage and various firejail features
+## bin
+landlock.execute /bin
+landlock.execute /sbin
+landlock.execute /usr/bin
+landlock.execute /usr/sbin
+landlock.execute /usr/games
+landlock.execute /usr/local/bin
+landlock.execute /usr/local/sbin
+landlock.execute /usr/local/games
+## lib
+landlock.execute /lib
+landlock.execute /lib32
+landlock.execute /libx32
+landlock.execute /lib64
+landlock.execute /usr/lib
+landlock.execute /usr/lib32
+landlock.execute /usr/libx32
+landlock.execute /usr/lib64
+landlock.execute /usr/local/lib

etc/profile-a-l/default.profile

@@ -22,6 +22,8 @@ include disable-programs.inc
 #include whitelist-usr-share-common.inc
 #include whitelist-var-common.inc
 
+include landlock-common.inc
+
 #apparmor
 caps.drop all
 #ipc-namespace

etc/templates/profile.template

@@ -137,6 +137,13 @@ include globals.local
 #include whitelist-usr-share-common.inc
 #include whitelist-var-common.inc
 
+# Landlock commands
+##landlock.read PATH
+##landlock.write PATH
+##landlock.special PATH
+##landlock.execute PATH
+#include landlock-common.inc
+
 ##allusers
 #apparmor
 #caps.drop all

src/bash_completion/firejail.bash_completion.in

@@ -42,7 +42,7 @@ _firejail()
             _filedir -d
             return 0
             ;;
-        --landlock)
+        --landlock.enforce)
             return 0
             ;;
         --landlock.read)

src/firejail/firejail.h

@@ -293,8 +293,7 @@ extern int arg_overlay;		// overlay option
 extern int arg_overlay_keep;	// place overlay diff in a known directory
 extern int arg_overlay_reuse;	// allow the reuse of overlays
 
-extern int arg_landlock;		// add basic Landlock rules
-extern int arg_landlock_proc;		// 0 - no access; 1 -read-only; 2 - read-write
+extern int arg_landlock_enforce;	// enforce the Landlock ruleset
 
 extern int arg_seccomp;	// enable default seccomp filter
 extern int arg_seccomp32;	// enable default seccomp filter for 32 bit arch
@@ -973,7 +972,6 @@ int ll_read(const char *allowed_path);
 int ll_write(const char *allowed_path);
 int ll_special(const char *allowed_path);
 int ll_exec(const char *allowed_path);
-int ll_basic_system(void);
 int ll_restrict(uint32_t flags);
 void ll_add_profile(int type, const char *data);
 #endif /* HAVE_LANDLOCK */

src/firejail/landlock.c

@@ -117,8 +117,8 @@ static int ll_create_full_ruleset(void) {
 	return ruleset_fd;
 }
 
-static int ll_fs(const char *allowed_path, const __u64 allowed_access,
-                 const char *caller) {
+static int _ll_fs(const char *allowed_path, const __u64 allowed_access,
+                  const char *caller) {
 	if (!ll_is_supported())
 		return 0;
 
@@ -155,6 +155,16 @@ static int ll_fs(const char *allowed_path, const __u64 allowed_access,
 	return error;
 }
 
+// TODO: Add support for the ${PATH} macro.
+static int ll_fs(const char *allowed_path, const __u64 allowed_access,
+                 const char *caller) {
+	char *expanded_path = expand_macros(allowed_path);
+	int error = _ll_fs(expanded_path, allowed_access, caller);
+
+	free(expanded_path);
+	return error;
+}
+
 int ll_read(const char *allowed_path) {
 	__u64 allowed_access =
 		LANDLOCK_ACCESS_FS_READ_DIR |
@@ -192,58 +202,6 @@ int ll_exec(const char *allowed_path) {
 	return ll_fs(allowed_path, allowed_access, __func__);
 }
 
-int ll_basic_system(void) {
-	assert(cfg.homedir);
-
-	if (!ll_is_supported())
-		return 0;
-
-	if (ll_ruleset_fd == -1)
-		ll_ruleset_fd = ll_create_full_ruleset();
-
-	int error;
-	char *rundir;
-	if (asprintf(&rundir, "/run/user/%d", getuid()) == -1)
-		errExit("asprintf");
-
-	error =
-		ll_read("/") ||       // whole system read
-		ll_special("/") ||    // sockets etc.
-
-		ll_write("/tmp") ||   // write access
-		ll_write("/dev") ||
-		ll_write("/run/shm") ||
-		ll_write(cfg.homedir) ||
-		ll_write(rundir) ||
-
-		ll_exec("/opt") ||    // exec access
-		ll_exec("/bin") ||
-		ll_exec("/sbin") ||
-		ll_exec("/lib") ||
-		ll_exec("/lib32") ||
-		ll_exec("/libx32") ||
-		ll_exec("/lib64") ||
-		ll_exec("/usr/bin") ||
-		ll_exec("/usr/sbin") ||
-		ll_exec("/usr/games") ||
-		ll_exec("/usr/lib") ||
-		ll_exec("/usr/lib32") ||
-		ll_exec("/usr/libx32") ||
-		ll_exec("/usr/lib64") ||
-		ll_exec("/usr/local/bin") ||
-		ll_exec("/usr/local/sbin") ||
-		ll_exec("/usr/local/games") ||
-		ll_exec("/usr/local/lib") ||
-		ll_exec("/run/firejail"); // appimage and various firejail features
-
-	if (error) {
-		fprintf(stderr, "Error: %s: failed to set --landlock rules\n",
-		        __func__);
-	}
-	free(rundir);
-	return error;
-}
-
 int ll_restrict(uint32_t flags) {
 	if (!ll_is_supported())
 		return 0;
@@ -293,9 +251,6 @@ void ll_add_profile(int type, const char *data) {
 	assert(type < LL_MAX);
 	assert(data);
 
-	if (!ll_is_supported())
-		return;
-
 	while (*data == ' ' || *data == '\t')
 		data++;
 

src/firejail/main.c

@@ -75,8 +75,7 @@ int arg_overlay = 0;				// overlay option
 int arg_overlay_keep = 0;			// place overlay diff in a known directory
 int arg_overlay_reuse = 0;			// allow the reuse of overlays
 
-int arg_landlock = 0;			// add basic Landlock rules
-int arg_landlock_proc = 2;		// 0 - no access; 1 -read-only; 2 - read-write
+int arg_landlock_enforce = 0;		// enforce the Landlock ruleset
 
 int arg_seccomp = 0;				// enable default seccomp filter
 int arg_seccomp32 = 0;				// enable default seccomp filter for 32 bit arch
@@ -1504,21 +1503,8 @@ int main(int argc, char **argv, char **envp) {
 				exit_err_feature("seccomp");
 		}
 #ifdef HAVE_LANDLOCK
-		else if (strcmp(argv[i], "--landlock") == 0)
-			arg_landlock = 1;
-		else if (strncmp(argv[i], "--landlock.proc=", 16) == 0) {
-			if (strncmp(argv[i] + 16, "no", 2) == 0)
-				arg_landlock_proc = 0;
-			else if (strncmp(argv[i] + 16, "ro", 2) == 0)
-				arg_landlock_proc = 1;
-			else if (strncmp(argv[i] + 16, "rw", 2) == 0)
-				arg_landlock_proc = 2;
-			else {
-				fprintf(stderr, "Error: invalid landlock.proc value: %s\n",
-				        argv[i] + 16);
-				exit(1);
-			}
-		}
+		else if (strncmp(argv[i], "--landlock.enforce", 18) == 0)
+			arg_landlock_enforce = 1;
 		else if (strncmp(argv[i], "--landlock.read=", 16) == 0)
 			ll_add_profile(LL_READ, argv[i] + 16);
 		else if (strncmp(argv[i], "--landlock.write=", 17) == 0)

src/firejail/profile.c

@@ -1074,24 +1074,9 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 	}
 
 #ifdef HAVE_LANDLOCK
-	// Landlock ruleset paths
-	if (strcmp(ptr, "landlock") == 0) {
-		arg_landlock = 1;
-		return 0;
-	}
-	if (strncmp(ptr, "landlock.proc ", 14) == 0) {
-			if (strncmp(ptr + 14, "no", 2) == 0)
-				arg_landlock_proc = 0;
-			else if (strncmp(ptr + 14, "ro", 2) == 0)
-				arg_landlock_proc = 1;
-			else if (strncmp(ptr + 14, "rw", 2) == 0)
-				arg_landlock_proc = 2;
-			else {
-				fprintf(stderr, "Error: invalid landlock.proc value: %s\n",
-				        ptr + 14);
-				exit(1);
-			}
-			return 0;
+	if (strncmp(ptr, "landlock.enforce", 16) == 0) {
+		arg_landlock_enforce = 1;
+		return 0;
 	}
 	if (strncmp(ptr, "landlock.read ", 14) == 0) {
 		ll_add_profile(LL_READ, ptr + 14);

src/firejail/sandbox.c

@@ -520,21 +520,14 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
 	//****************************
 	// Configure Landlock
 	//****************************
-	if (arg_landlock)
-		ll_basic_system();
-
-	if (ll_get_fd() != -1) {
-		if (arg_landlock_proc >= 1)
-			ll_read("/proc/");
-		if (arg_landlock_proc == 2)
-			ll_write("/proc/");
-	}
-
-	if (ll_restrict(0)) {
+	if (arg_landlock_enforce && ll_restrict(0)) {
 		// It isn't safe to continue if Landlock self-restriction was
 		// enabled and the "landlock_restrict_self" syscall has failed.
 		fprintf(stderr, "Error: ll_restrict() failed, exiting...\n");
 		exit(1);
+	} else {
+		if (arg_debug)
+			fprintf(stderr, "Not enforcing Landlock\n");
 	}
 #endif
 

src/firejail/usage.c

@@ -134,8 +134,7 @@ static const char *const usage_str =
 	"    --keep-shell-rc - do not copy shell rc files from /etc/skel\n"
 	"    --keep-var-tmp - /var/tmp directory is untouched.\n"
 #ifdef HAVE_LANDLOCK
-	"    --landlock - add basic rules to the Landlock ruleset.\n"
-	"    --landlock.proc=no|ro|rw - add an access rule for /proc to the Landlock ruleset.\n"
+	"    --landlock.enforce - enforce the Landlock ruleset.\n"
 	"    --landlock.read=path - add a read access rule for the path to the Landlock ruleset.\n"
 	"    --landlock.write=path - add a write access rule for the path to the Landlock ruleset.\n"
 	"    --landlock.special=path - add an access rule for the path to the Landlock ruleset for creating block/char devices, named pipes and sockets.\n"

src/man/firejail-profile.5.in

@@ -509,17 +509,10 @@ Blacklist all Linux capabilities.
 Whitelist given Linux capabilities.
 #ifdef HAVE_LANDLOCK
 .TP
-\fBlandlock
-Create a Landlock ruleset (if it doesn't already exist) and add basic access
-rules to it.
-.TP
-\fBlandlock.proc no|ro|rw
-Add an access rule for /proc directory (read-only if set to \fBro\fR and
-read-write if set to \fBrw\fR).
-The access rule for /proc is added after this directory is set up in the
-sandbox.
-Access rules for /proc set up with other Landlock-related profile options have
-no effect.
+\fBlandlock.enforce
+Enforce the Landlock ruleset.
+.PP
+Without it, the other Landlock commands have no effect.
 .TP
 \fBlandlock.read path
 Create a Landlock ruleset (if it doesn't already exist) and add a read access