landlock: cleanup

src/firejail/firejail.h

@@ -155,6 +155,12 @@ typedef struct profile_entry_t {
 
 typedef struct landlock_entry_t {
 	struct landlock_entry_t *next;
+#define LL_READ 0
+#define LL_WRITE 1
+#define LL_EXEC 2
+#define LL_SPECIAL 3
+#define LL_MAX 4
+	int type;
 	char *data;
 } LandlockEntry;
 
@@ -971,7 +977,7 @@ int ll_special(const char *allowed_path);
 int ll_exec(const char *allowed_path);
 void ll_basic_system(void);
 int ll_restrict(__u32 flags);
-void ll_add_profile(const char *data);
+void ll_add_profile(int type, const char *data);
 #endif
 
 #endif

src/firejail/landlock.c

@@ -265,32 +265,17 @@ int ll_restrict(__u32 flags) {
 		return 0;
 	}
 
+	int (*fnc[])(const char *) = {
+		ll_read,
+		ll_write,
+		ll_exec,
+		ll_special,
+		NULL
+	};
 	LandlockEntry *ptr = cfg.lprofile;
 	while (ptr) {
-		char *fname = NULL;
-		int (*fnc)(const char *) = NULL;
-
-		if (strncmp(ptr->data, "landlock.read", 13) == 0) {
-			fname = ptr->data + 14;
-			fnc = ll_read;
-		}
-		else if (strncmp(ptr->data, "landlock.write", 14) == 0) {
-			fname = ptr->data + 15;
-			fnc = ll_write;
-		}
-		else if (strncmp(ptr->data, "landlock.special", 16) == 0) {
-			fname = ptr->data + 17;
-			fnc = ll_special;
-		}
-		else if (strncmp(ptr->data, "landlock.execute", 16) == 0) {
-			fname = ptr->data + 17;
-			fnc = ll_exec;
-		}
-		else
-			assert(0);
-
-		if (access(fname, F_OK) == 0) {
-			if (fnc(fname)) {
+		if (access(ptr->data, F_OK) == 0) {
+			if (fnc[ptr->type](ptr->data)) {
 				fprintf(stderr, "Error: failed to add Landlock rule: %s: %s\n",
 				        ptr->data, strerror(errno));
 			}
@@ -311,14 +296,21 @@ int ll_restrict(__u32 flags) {
 	return 0;
 }
 
-void ll_add_profile(const char *data) {
+void ll_add_profile(int type, const char *data) {
+	assert(data);
+	assert(type < LL_MAX);
 	if (old_kernel())
 		return;
+	const char *str = data;
+	while (*str == ' ' || *str == '\t')
+		str++;
+
 	LandlockEntry *ptr = malloc(sizeof(LandlockEntry));
 	if (!ptr)
 		errExit("malloc");
 	memset(ptr, 0, sizeof(LandlockEntry));
-	ptr->data = strdup(data);
+	ptr->type = type;
+	ptr->data = strdup(str);
 	if (!ptr->data)
 		errExit("strdup");
 	ptr->next = cfg.lprofile;

src/firejail/main.c

@@ -1519,13 +1519,13 @@ int main(int argc, char **argv, char **envp) {
 			}
 		}
 		else if (strncmp(argv[i], "--landlock.read=", 16) == 0)
-			ll_add_profile(argv[i] + 2);
+			ll_add_profile(LL_READ, argv[i] + 16);
 		else if (strncmp(argv[i], "--landlock.write=", 17) == 0)
-			ll_add_profile(argv[i] + 2);
+			ll_add_profile(LL_WRITE, argv[i] + 17);
 		else if (strncmp(argv[i], "--landlock.special=", 19) == 0)
-			ll_add_profile(argv[i] + 2);
+			ll_add_profile(LL_SPECIAL, argv[i] + 19);
 		else if (strncmp(argv[i], "--landlock.execute=", 19) == 0)
-			ll_add_profile(argv[i] + 2);
+			ll_add_profile(LL_EXEC, argv[i] + 19);
 #endif
 		else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) {
 			if (checkcfg(CFG_SECCOMP))

src/firejail/profile.c

@@ -1098,19 +1098,19 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 			return 0;
 	}
 	if (strncmp(ptr, "landlock.read ", 14) == 0) {
-		ll_add_profile(ptr);
+		ll_add_profile(LL_READ, ptr + 14);
 		return 0;
 	}
 	if (strncmp(ptr, "landlock.write ", 15) == 0) {
-		ll_add_profile(ptr);
+		ll_add_profile(LL_WRITE, ptr + 15);
 		return 0;
 	}
 	if (strncmp(ptr, "landlock.special ", 17) == 0) {
-		ll_add_profile(ptr);
+		ll_add_profile(LL_SPECIAL, ptr + 17);
 		return 0;
 	}
 	if (strncmp(ptr, "landlock.execute ", 17) == 0) {
-		ll_add_profile(ptr);
+		ll_add_profile(LL_EXEC, ptr + 17);
 		return 0;
 	}
 #endif