Landlock functions are added to the code of Firejail, removing the de…

…pendency on tinyLL

configure

@@ -3355,7 +3355,7 @@ fi
 if test "x$enable_landlock" = "xyes"; then :
 
 	HAVE_LANDLOCK="-DHAVE_LANDLOCK"
-	EXTRA_LDFLAGS="$EXTRA_LDFLAGS -ltinyll"
+	EXTRA_LDFLAGS="$EXTRA_LDFLAGS"
 
 fi
 

configure.ac

@@ -87,7 +87,7 @@ AC_ARG_ENABLE([landlock])
     [AS_HELP_STRING([--enable-landlock], [Landlock self-restriction support])]
 AS_IF([test "x$enable_landlock" = "xyes"], [
 	HAVE_LANDLOCK="-DHAVE_LANDLOCK"
-	EXTRA_LDFLAGS="$EXTRA_LDFLAGS -ltinyll"
+	EXTRA_LDFLAGS="$EXTRA_LDFLAGS"
 ])
 
 AC_SUBST([EXTRA_CFLAGS])

src/firejail/firejail.h

@@ -22,15 +22,33 @@
 #include "../include/common.h"
 #include "../include/euid_common.h"
 #include "../include/rundefs.h"
-#include <linux/limits.h> // Note: Plain limits.h may break ARG_MAX (see #4583)
+#ifdef HAVE_LANDLOCK
 #include <linux/landlock.h>
+#endif
+#include <linux/limits.h> // Note: Plain limits.h may break ARG_MAX (see #4583)
 #include <stdarg.h>
 #include <sys/stat.h>
 
 // debug restricted shell
 //#define DEBUG_RESTRICTED_SHELL
 
+#ifdef HAVE_LANDLOCK
+
+extern int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags);
+
+extern int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags);
+
+extern int landlock_restrict_self(int fd,__u32 flags);
 
+extern int create_full_ruleset();
+
+extern int add_read_access_rule_by_path(int rset_fd,char *allowed_path);
+
+extern int add_write_access_rule_by_path(int rset_fd,char *allowed_path,int restricted);
+
+extern int add_execute_rule_by_path(int rset_fd,char *allowed_path);
+
+#endif
 
 // profiles
 #define DEFAULT_USER_PROFILE	"default"

src/firejail/landlock.c

@@ -0,0 +1,70 @@
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <linux/landlock.h>
+
+int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags) {
+	return syscall(__NR_landlock_create_ruleset,rsattr,size,flags);
+}
+
+int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags) {
+	return syscall(__NR_landlock_add_rule,fd,t,attr,flags);
+}
+
+int landlock_restrict_self(int fd,__u32 flags) {
+	int result = syscall(__NR_landlock_restrict_self,fd,flags);
+	if (result!=0) return result;
+	else {
+		close(fd);
+		return 0;
+	}
+}
+
+int create_full_ruleset() {
+	struct landlock_ruleset_attr attr;
+	attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM | LANDLOCK_ACCESS_FS_EXECUTE;
+	return landlock_create_ruleset(&attr,sizeof(attr),0);
+}
+
+int add_read_access_rule_by_path(int rset_fd,char *allowed_path) {
+	int result;
+	int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
+	struct landlock_path_beneath_attr target;
+	target.parent_fd = allowed_fd;
+	target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
+	result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
+	close(allowed_fd);
+	return result;
+}
+
+int add_write_access_rule_by_path(int rset_fd,char *allowed_path,int restricted) {
+	int result;
+	int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
+	struct landlock_path_beneath_attr target;
+	target.parent_fd = allowed_fd;
+	if (restricted==0) target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM;
+	else if (restricted==1) target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SYM;
+	else {
+		close(allowed_fd);
+		return -1;
+	}
+	result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
+	close(allowed_fd);
+	return result;
+}
+
+int add_execute_rule_by_path(int rset_fd,char *allowed_path) {
+	int result;
+	int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
+	struct landlock_path_beneath_attr target;
+	target.parent_fd = allowed_fd;
+	target.allowed_access = LANDLOCK_ACCESS_FS_EXECUTE;
+	result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
+	close(allowed_fd);
+	return result;
+}

src/firejail/main.c

@@ -23,9 +23,6 @@
 #include "../include/gcov_wrapper.h"
 #include "../include/syscall.h"
 #include "../include/seccomp.h"
-#ifdef HAVE_LANDLOCK
-#include "../include/tinyLL.h"
-#endif
 #define _GNU_SOURCE
 #include <sys/utsname.h>
 #include <sched.h>

src/firejail/profile.c

@@ -21,9 +21,6 @@
 #include "../include/gcov_wrapper.h"
 #include "../include/seccomp.h"
 #include "../include/syscall.h"
-#ifdef HAVE_LANDLOCK
-#include "../include/tinyLL.h"
-#endif
 #include <dirent.h>
 #include <sys/stat.h>
 

src/firejail/sandbox.c

@@ -21,9 +21,6 @@
 #include "firejail.h"
 #include "../include/gcov_wrapper.h"
 #include "../include/seccomp.h"
-#ifdef HAVE_LANDLOCK
-#include "../include/tinyLL.h"
-#endif
 #include <sys/mman.h>
 #include <sys/mount.h>
 #include <sys/wait.h>

src/include/landlock.h

@@ -0,0 +1,70 @@
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <linux/landlock.h>
+
+int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags) {
+	return syscall(__NR_landlock_create_ruleset,rsattr,size,flags);
+}
+
+int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags) {
+	return syscall(__NR_landlock_add_rule,fd,t,attr,flags);
+}
+
+int landlock_restrict_self(int fd,__u32 flags) {
+	int result = syscall(__NR_landlock_restrict_self,fd,flags);
+	if (result!=0) return result;
+	else {
+		close(fd);
+		return 0;
+	}
+}
+
+int create_full_ruleset() {
+	struct landlock_ruleset_attr attr;
+	attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM | LANDLOCK_ACCESS_FS_EXECUTE;
+	return landlock_create_ruleset(&attr,sizeof(attr),0);
+}
+
+int add_read_access_rule_by_path(int rset_fd,char *allowed_path) {
+	int result;
+	int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
+	struct landlock_path_beneath_attr target;
+	target.parent_fd = allowed_fd;
+	target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
+	result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
+	close(allowed_fd);
+	return result;
+}
+
+int add_write_access_rule_by_path(int rset_fd,char *allowed_path,int restricted) {
+	int result;
+	int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
+	struct landlock_path_beneath_attr target;
+	target.parent_fd = allowed_fd;
+	if (restricted==0) target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM;
+	else if (restricted==1) target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SYM;
+	else {
+		close(allowed_fd);
+		return -1;
+	}
+	result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
+	close(allowed_fd);
+	return result;
+}
+
+int add_execute_rule_by_path(int rset_fd,char *allowed_path) {
+	int result;
+	int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
+	struct landlock_path_beneath_attr target;
+	target.parent_fd = allowed_fd;
+	target.allowed_access = LANDLOCK_ACCESS_FS_EXECUTE;
+	result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
+	close(allowed_fd);
+	return result;
+}