bringing in the fix for always have helpers in sandbox (original pull rq from crass)

author: netblue30 <netblue30@yahoo.com> 2018-10-13 14:05:27 -0400
committer: netblue30 <netblue30@yahoo.com> 2018-10-13 14:05:27 -0400
commit: 82a636a1da84ec2972bf5c10d0992add8affbabe (patch)
tree: 4203e039b51c2a8e1dd50df785bcf744548dc633
parent: Merge branch 'master' of http://github.com/netblue30/firejail (diff)
download: firejail-82a636a1da84ec2972bf5c10d0992add8affbabe.tar.gz
firejail-82a636a1da84ec2972bf5c10d0992add8affbabe.tar.zst
firejail-82a636a1da84ec2972bf5c10d0992add8affbabe.zip
4 files changed, 39 insertions, 15 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index cae767667..441042233 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -32,6 +32,7 @@
 #define RUN_FIREJAIL_DIR        "/run/firejail"
 #define RUN_FIREJAIL_APPIMAGE_DIR       "/run/firejail/appimage"
 #define RUN_FIREJAIL_NAME_DIR   "/run/firejail/name" // also used in src/lib/pid.c - todo: move it in a common place
+#define RUN_FIREJAIL_LIB_DIR            "/run/firejail/lib"
 #define RUN_FIREJAIL_X11_DIR    "/run/firejail/x11"
 #define RUN_FIREJAIL_NETWORK_DIR        "/run/firejail/network"
 #define RUN_FIREJAIL_BANDWIDTH_DIR      "/run/firejail/bandwidth"
@@ -790,16 +791,32 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 // sbox.c
 // programs
-#define PATH_FNET (LIBDIR "/firejail/fnet")
+#define PATH_FNET_MAIN (LIBDIR "/firejail/fnet")                // when called from main thread
-#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter")
+#define PATH_FNET (RUN_FIREJAIL_LIB_DIR "/fnet")        // when called from sandbox thread
+//#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter")
+#define PATH_FNETFILTER (RUN_FIREJAIL_LIB_DIR "/fnetfilter")
 #define PATH_FIREMON (PREFIX "/bin/firemon")
 #define PATH_FIREJAIL (PREFIX "/bin/firejail")
-#define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
+//#define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
+#define PATH_FSECCOMP ( RUN_FIREJAIL_LIB_DIR "/fseccomp")
+// FSEC_PRINT is run outside of sandbox by --seccomp.print
+// it is also run from inside the sandbox by --debug; in this case we do an access(filename, X_OK) test first
 #define PATH_FSEC_PRINT (LIBDIR "/firejail/fsec-print")
-#define PATH_FSEC_OPTIMIZE (LIBDIR "/firejail/fsec-optimize")
-#define PATH_FCOPY (LIBDIR "/firejail/fcopy")
+//#define PATH_FSEC_OPTIMIZE (LIBDIR "/firejail/fsec-optimize")
+#define PATH_FSEC_OPTIMIZE (RUN_FIREJAIL_LIB_DIR "/fsec-optimize")
+//#define PATH_FCOPY (LIBDIR "/firejail/fcopy")
+#define PATH_FCOPY (RUN_FIREJAIL_LIB_DIR "/fcopy")
 #define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin"
-#define PATH_FLDD (LIBDIR "/firejail/fldd")
+//#define PATH_FLDD (LIBDIR "/firejail/fldd")
+#define PATH_FLDD (RUN_FIREJAIL_LIB_DIR "/fldd")
 // bitmapped filters for sbox_run
 #define SBOX_ROOT (1 << 0)                      // run the sandbox as root
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c
index e3c750767..cdb4c6514 100644
--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -157,7 +157,7 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child) {
        char *cstr;
        if (asprintf(&cstr, "%d", child) == -1)
                errExit("asprintf");
-        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 7, PATH_FNET, "create", "veth", dev, ifname, br->dev, cstr);
+        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 7, PATH_FNET_MAIN, "create", "veth", dev, ifname, br->dev, cstr);
        free(cstr);
        char *msg;
@@ -332,42 +332,42 @@ void network_main(pid_t child) {
                        net_configure_veth_pair(&cfg.bridge0, "eth0", child);
                }
                else
-                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr);
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr);
        }
        if (cfg.bridge1.configured) {
                if (cfg.bridge1.macvlan == 0)
                        net_configure_veth_pair(&cfg.bridge1, "eth1", child);
                else
-                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr);
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr);
        }
        if (cfg.bridge2.configured) {
                if (cfg.bridge2.macvlan == 0)
                        net_configure_veth_pair(&cfg.bridge2, "eth2", child);
                else
-                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr);
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr);
        }
        if (cfg.bridge3.configured) {
                if (cfg.bridge3.macvlan == 0)
                        net_configure_veth_pair(&cfg.bridge3, "eth3", child);
                else
-                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge3.devsandbox, cfg.bridge3.dev, cstr);
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge3.devsandbox, cfg.bridge3.dev, cstr);
        }
        // move interfaces in sandbox
        if (cfg.interface0.configured) {
-                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface0.dev, cstr);
+                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface0.dev, cstr);
        }
        if (cfg.interface1.configured) {
-                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface1.dev, cstr);
+                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface1.dev, cstr);
        }
        if (cfg.interface2.configured) {
-                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface2.dev, cstr);
+                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface2.dev, cstr);
        }
        if (cfg.interface3.configured) {
-                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface3.dev, cstr);
+                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface3.dev, cstr);
        }
        free(cstr);
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index f519ed85f..236f7f427 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -62,6 +62,10 @@ void preproc_build_firejail_dir(void) {
                create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);
        }
+        if (stat(RUN_FIREJAIL_LIB_DIR, &s)) {
+                create_empty_dir_as_root(RUN_FIREJAIL_LIB_DIR, 0755);
+        }
        if (stat(RUN_MNT_DIR, &s)) {
                create_empty_dir_as_root(RUN_MNT_DIR, 0755);
        }
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 8eede6f93..3abeb174e 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -587,6 +587,9 @@ int sandbox(void* sandbox_arg) {
        }
        // ... and mount a tmpfs on top of /run/firejail/mnt directory
        preproc_mount_mnt_dir();
+        // bind-mount firejail binaries and helper programs
+        if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, "none", MS_BIND, NULL) < 0)
+                errExit("mounting " RUN_FIREJAIL_LIB_DIR);
        //****************************
        // log sandbox data
author	netblue30 <netblue30@yahoo.com>	2018-10-13 14:05:27 -0400
committer	netblue30 <netblue30@yahoo.com>	2018-10-13 14:05:27 -0400
commit	82a636a1da84ec2972bf5c10d0992add8affbabe (patch)
tree	4203e039b51c2a8e1dd50df785bcf744548dc633
parent	Merge branch 'master' of http://github.com/netblue30/firejail (diff)
download	firejail-82a636a1da84ec2972bf5c10d0992add8affbabe.tar.gz firejail-82a636a1da84ec2972bf5c10d0992add8affbabe.tar.zst firejail-82a636a1da84ec2972bf5c10d0992add8affbabe.zip

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index cae767667..441042233 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -32,6 +32,7 @@
32	#define RUN_FIREJAIL_DIR "/run/firejail"	32	#define RUN_FIREJAIL_DIR "/run/firejail"
33	#define RUN_FIREJAIL_APPIMAGE_DIR "/run/firejail/appimage"	33	#define RUN_FIREJAIL_APPIMAGE_DIR "/run/firejail/appimage"
34	#define RUN_FIREJAIL_NAME_DIR "/run/firejail/name" // also used in src/lib/pid.c - todo: move it in a common place	34	#define RUN_FIREJAIL_NAME_DIR "/run/firejail/name" // also used in src/lib/pid.c - todo: move it in a common place
		35	#define RUN_FIREJAIL_LIB_DIR "/run/firejail/lib"
35	#define RUN_FIREJAIL_X11_DIR "/run/firejail/x11"	36	#define RUN_FIREJAIL_X11_DIR "/run/firejail/x11"
36	#define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network"	37	#define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network"
37	#define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth"	38	#define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth"
@@ -790,16 +791,32 @@ void build_appimage_cmdline(char command_line, char window_title, int argc,
790		791
791	// sbox.c	792	// sbox.c
792	// programs	793	// programs
793	#define PATH_FNET (LIBDIR "/firejail/fnet")	794	#define PATH_FNET_MAIN (LIBDIR "/firejail/fnet") // when called from main thread
794	#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter")	795	#define PATH_FNET (RUN_FIREJAIL_LIB_DIR "/fnet") // when called from sandbox thread
		796
		797	//#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter")
		798	#define PATH_FNETFILTER (RUN_FIREJAIL_LIB_DIR "/fnetfilter")
		799
795	#define PATH_FIREMON (PREFIX "/bin/firemon")	800	#define PATH_FIREMON (PREFIX "/bin/firemon")
796	#define PATH_FIREJAIL (PREFIX "/bin/firejail")	801	#define PATH_FIREJAIL (PREFIX "/bin/firejail")
797	#define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")	802
		803	//#define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
		804	#define PATH_FSECCOMP ( RUN_FIREJAIL_LIB_DIR "/fseccomp")
		805
		806	// FSEC_PRINT is run outside of sandbox by --seccomp.print
		807	// it is also run from inside the sandbox by --debug; in this case we do an access(filename, X_OK) test first
798	#define PATH_FSEC_PRINT (LIBDIR "/firejail/fsec-print")	808	#define PATH_FSEC_PRINT (LIBDIR "/firejail/fsec-print")
799	#define PATH_FSEC_OPTIMIZE (LIBDIR "/firejail/fsec-optimize")	809
800	#define PATH_FCOPY (LIBDIR "/firejail/fcopy")	810	//#define PATH_FSEC_OPTIMIZE (LIBDIR "/firejail/fsec-optimize")
		811	#define PATH_FSEC_OPTIMIZE (RUN_FIREJAIL_LIB_DIR "/fsec-optimize")
		812
		813	//#define PATH_FCOPY (LIBDIR "/firejail/fcopy")
		814	#define PATH_FCOPY (RUN_FIREJAIL_LIB_DIR "/fcopy")
		815
801	#define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin"	816	#define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin"
802	#define PATH_FLDD (LIBDIR "/firejail/fldd")	817
		818	//#define PATH_FLDD (LIBDIR "/firejail/fldd")
		819	#define PATH_FLDD (RUN_FIREJAIL_LIB_DIR "/fldd")
803		820
804	// bitmapped filters for sbox_run	821	// bitmapped filters for sbox_run
805	#define SBOX_ROOT (1 << 0) // run the sandbox as root	822	#define SBOX_ROOT (1 << 0) // run the sandbox as root


diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c index e3c750767..cdb4c6514 100644 --- a/src/firejail/network_main.c +++ b/src/firejail/network_main.c
@@ -157,7 +157,7 @@ void net_configure_veth_pair(Bridge br, const char ifname, pid_t child) {
157	char *cstr;	157	char *cstr;
158	if (asprintf(&cstr, "%d", child) == -1)	158	if (asprintf(&cstr, "%d", child) == -1)
159	errExit("asprintf");	159	errExit("asprintf");
160	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, 7, PATH_FNET, "create", "veth", dev, ifname, br->dev, cstr);	160	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, 7, PATH_FNET_MAIN, "create", "veth", dev, ifname, br->dev, cstr);
161	free(cstr);	161	free(cstr);
162		162
163	char *msg;	163	char *msg;
@@ -332,42 +332,42 @@ void network_main(pid_t child) {
332	net_configure_veth_pair(&cfg.bridge0, "eth0", child);	332	net_configure_veth_pair(&cfg.bridge0, "eth0", child);
333	}	333	}
334	else	334	else
335	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr);	335	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr);
336	}	336	}
337		337
338	if (cfg.bridge1.configured) {	338	if (cfg.bridge1.configured) {
339	if (cfg.bridge1.macvlan == 0)	339	if (cfg.bridge1.macvlan == 0)
340	net_configure_veth_pair(&cfg.bridge1, "eth1", child);	340	net_configure_veth_pair(&cfg.bridge1, "eth1", child);
341	else	341	else
342	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr);	342	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr);
343	}	343	}
344		344
345	if (cfg.bridge2.configured) {	345	if (cfg.bridge2.configured) {
346	if (cfg.bridge2.macvlan == 0)	346	if (cfg.bridge2.macvlan == 0)
347	net_configure_veth_pair(&cfg.bridge2, "eth2", child);	347	net_configure_veth_pair(&cfg.bridge2, "eth2", child);
348	else	348	else
349	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr);	349	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr);
350	}	350	}
351		351
352	if (cfg.bridge3.configured) {	352	if (cfg.bridge3.configured) {
353	if (cfg.bridge3.macvlan == 0)	353	if (cfg.bridge3.macvlan == 0)
354	net_configure_veth_pair(&cfg.bridge3, "eth3", child);	354	net_configure_veth_pair(&cfg.bridge3, "eth3", child);
355	else	355	else
356	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge3.devsandbox, cfg.bridge3.dev, cstr);	356	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge3.devsandbox, cfg.bridge3.dev, cstr);
357	}	357	}
358		358
359	// move interfaces in sandbox	359	// move interfaces in sandbox
360	if (cfg.interface0.configured) {	360	if (cfg.interface0.configured) {
361	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface0.dev, cstr);	361	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface0.dev, cstr);
362	}	362	}
363	if (cfg.interface1.configured) {	363	if (cfg.interface1.configured) {
364	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface1.dev, cstr);	364	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface1.dev, cstr);
365	}	365	}
366	if (cfg.interface2.configured) {	366	if (cfg.interface2.configured) {
367	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface2.dev, cstr);	367	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface2.dev, cstr);
368	}	368	}
369	if (cfg.interface3.configured) {	369	if (cfg.interface3.configured) {
370	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface3.dev, cstr);	370	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface3.dev, cstr);
371	}	371	}
372		372
373	free(cstr);	373	free(cstr);


diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index f519ed85f..236f7f427 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c
@@ -62,6 +62,10 @@ void preproc_build_firejail_dir(void) {
62	create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);	62	create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);
63	}	63	}
64		64
		65	if (stat(RUN_FIREJAIL_LIB_DIR, &s)) {
		66	create_empty_dir_as_root(RUN_FIREJAIL_LIB_DIR, 0755);
		67	}
		68
65	if (stat(RUN_MNT_DIR, &s)) {	69	if (stat(RUN_MNT_DIR, &s)) {
66	create_empty_dir_as_root(RUN_MNT_DIR, 0755);	70	create_empty_dir_as_root(RUN_MNT_DIR, 0755);
67	}	71	}


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 8eede6f93..3abeb174e 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -587,6 +587,9 @@ int sandbox(void* sandbox_arg) {
587	}	587	}
588	// ... and mount a tmpfs on top of /run/firejail/mnt directory	588	// ... and mount a tmpfs on top of /run/firejail/mnt directory
589	preproc_mount_mnt_dir();	589	preproc_mount_mnt_dir();
		590	// bind-mount firejail binaries and helper programs
		591	if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, "none", MS_BIND, NULL) < 0)
		592	errExit("mounting " RUN_FIREJAIL_LIB_DIR);
590		593
591	//****************************	594	//****************************
592	// log sandbox data	595	// log sandbox data