netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

Landlock: "Invalid argument" error when creating the ruleset #6195

Closed curiosityseeker closed 7 months ago

curiosityseeker commented 7 months ago

Description

After adding several Landlock rules I'm seeing errors after today's update of firejail-git.

Steps to Reproduce

Steps to reproduce the behavior

Add the following rules to ~/.config/firejail/firefox:

landlock.enforce

landlock.write ${HOME}/.cache/mozilla/firefox
landlock.write ${HOME}/.mozilla
landlock.write ${HOME}/.local/share/pki
landlock.write ${HOME}/.pki
landlock.write ${DOWNLOADS}
landlock.write /media/Multimedia/Downloads
landlock.write ${RUNUSER}/*firefox*
landlock.write ${RUNUSER}/psd/*firefox*
ignore landlock.write ${HOME}
ignore landlock.execute /opt
ignore landlock.execute /usr/local/sbin
ignore landlock.execute /usr/local/games
include landlock-common.inc

Expected behavior

Until yesterday I haven't seen Landlock-related errors.

Actual behavior

ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /home/seeker/.cache/mozilla/firefox: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /home/seeker/.mozilla: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /home/seeker/.local/share/pki: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /home/V/.pki: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /home/V/Downloads: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /media/Multimedia/Downloads: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_read: failed to add Landlock rule (abi=4 fs=c) for /: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_read: failed to add Landlock rule (abi=4 fs=c) for /proc: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_makeipc: failed to add Landlock rule (abi=4 fs=600) for /: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /run/user/1000: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /dev: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /proc: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /tmp: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /run/firejail: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /bin: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /sbin: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/bin: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/sbin: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/local/bin: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /lib: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /lib64: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/lib: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/lib32: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/lib64: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/local/lib: Bad file descriptor

Environment

kmk3 commented 7 months ago

> Add the following rules to ~/.config/firejail/firefox:

> ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument

Cannot reproduce it on Artix with:

firejail --profile=firefox true

What is the command-line used?

What is the kernel version?

PR #6187 has Landlock-related changes but it did not change the full ruleset.

Can you try to bisect?

glitsj16 commented 7 months ago

I can (fully) reproduce on my Arch Linux. Will try to find some time to bisect.

curiosityseeker commented 7 months ago

> What is the command-line used?

Nothing special. Just firefox with the default profile and the additions to the local profile as mentioned above.

> What is the kernel version?

6.7.3-arch1-2

The latest 2 commits didn't change anything:

Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /home/seeker/.cache/mozilla/firefox: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /home/seeker/.mozilla: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /home/seeker/.local/share/pki: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /home/seeker/.pki: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_read: failed to add Landlock rule (abi=4 fs=c) for /: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_read: failed to add Landlock rule (abi=4 fs=c) for /proc: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_makeipc: failed to add Landlock rule (abi=4 fs=600) for /: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /run/user/1000: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /dev: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /proc: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /tmp: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /run/firejail: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /bin: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /sbin: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/bin: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/sbin: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/local/bin: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /lib: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /lib64: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/lib: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/lib32: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/lib64: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/local/lib: Bad file descriptor

glitsj16 commented 7 months ago

Bisecting shows https://github.com/netblue30/firejail/commit/760f50f78ad13664d7a32b4577381c0341ab2d4a as the first commit where this starts to show. As it happens, that is the commit that introduced landlock.enforce. Anything after that doesn't affect this (up to and including the latest git build).

kmk3 commented 7 months ago

@glitsj16 on Feb 6:

> Bisecting shows 760f50f as the first commit where this starts to show. As it happens, that is the commit that introduced landlock.enforce. Anything after that doesn't affect this (up to and including the latest git build).

Are the firefox profile changes needed to reproduce the errors (other than landlock.enforce / landlock)? If so, which line(s) seem to cause them?

Could you run the following in 760f50f and post the output?

firejail --debug --profile=firefox --landlock true

kmk3 commented 7 months ago

@curiosityseeker on Feb 6:

> > What is the command-line used?

> Nothing special. Just firefox with the default profile and the additions to the local profile as mentioned above.

Does it work without the profile changes (but with landlock.enforce)?

Could you run the following and post the output in a gist?

firejail --debug --profile=firefox --landlock.enforce true

At least from the Active seccomp files: line until the end.

glitsj16 commented 7 months ago

@kmk3

> Are the firefox profile changes needed to reproduce the errors (other than landlock.enforce / landlock)? If so, which line(s) seem to cause them?

Negative. The errors show, even when there's only one line in the firefox.local: include landlock-common.inc.

> Could you run the following in https://github.com/netblue30/firejail/commit/760f50f78ad13664d7a32b4577381c0341ab2d4a and post the output?

Here are the logs.

kmk3 commented 7 months ago

The only thing that I could imagine being an invalid argument in that syscall was if a struct had some wrong value/uninitialized field. And indeed, after looking at linux/landlock.h I noticed that there was a new field. I was able to reproduce it after upgrading linux-api-headers, and initializing the structs to 0 fixed the issue.

It should be fixed in #6200.

@curiosityseeker @glitsj16

Thanks for reporting/testing/bisecting.
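
The failure mode described in the comment above, as an added example (not firejail's code and not the patch from #6200): a ruleset attribute struct whose newer field holds leftover data is rejected by an ABI 4 kernel with EINVAL, while the zeroed struct is accepted. The struct `ll_attr_v4`, the helper names and the stale value are assumptions of this sketch; the struct mirrors the two-field layout of `struct landlock_ruleset_attr` in ABI 4 headers so the file builds against older headers too.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_landlock_create_ruleset
#define SYS_landlock_create_ruleset 444
#endif
#define LL_VERSION_FLAG 1UL      /* LANDLOCK_CREATE_RULESET_VERSION */
#define LL_FS_FULL 0x1fffULL     /* the fs=1fff mask from the log above */
#define LL_STALE 0xdeadbeef00000000ULL /* constructed stand-in for stack garbage */

/* Local mirror (assumption of this example) of the ABI 4 attribute layout. */
struct ll_attr_v4 {
	uint64_t handled_access_fs;
	uint64_t handled_access_net; /* the field newer headers added */
};

/* Highest Landlock ABI of the running kernel, or -1 if unavailable. */
static int ll_abi(void)
{
	return (int)syscall(SYS_landlock_create_ruleset, NULL, (size_t)0,
	                    LL_VERSION_FLAG);
}

/* Returns 0 on success, else errno. Pass net=0 for the fixed form;
 * a nonzero net models what an uninitialized field may contain. */
static int ll_try_create(uint64_t net)
{
	struct ll_attr_v4 attr;

	memset(&attr, 0, sizeof(attr)); /* zero every field, known or not */
	attr.handled_access_fs = LL_FS_FULL;
	attr.handled_access_net = net;

	int fd = (int)syscall(SYS_landlock_create_ruleset, &attr,
	                      sizeof(attr), 0UL);
	if (fd < 0)
		return errno;
	close(fd);
	return 0;
}

int main(void)
{
	printf("abi=%d zeroed errno=%d stale errno=%d\n", ll_abi(),
	       ll_try_create(0), ll_try_create(LL_STALE));
	return 0;
}
```

Because the size passed to the syscall comes from the headers used at build time, a struct that was fully assigned under old headers can gain an unassigned field after a header upgrade, which is why zeroing the whole struct first is the robust form.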

glitsj16 commented 7 months ago

@kmk3

> It should be fixed in #6200.

Confirmed, just checked with a firejail build carrying the patch from #6200. All fine now. Thanks for your speedy and intense detective-work on this issue!

curiosityseeker commented 7 months ago

Cool! I can confirm that that commit fixed the issue:

32 Landlock rules initialized in 0.23 ms

Thanks a lot, @kmk3 !