security fix

author: netblue30 <netblue30@yahoo.com> 2017-01-06 15:39:54 -0500
committer: netblue30 <netblue30@yahoo.com> 2017-01-06 15:39:54 -0500
commit: 85517885bece9209bbcace80fec115b0126263ad (patch)
tree: 40ad1c5a321e6e9d8977b00dba68b533900de5e1
parent: security fixes (diff)
download: firejail-85517885bece9209bbcace80fec115b0126263ad.tar.gz
firejail-85517885bece9209bbcace80fec115b0126263ad.tar.zst
firejail-85517885bece9209bbcace80fec115b0126263ad.zip
3 files changed, 27 insertions, 2 deletions
diff --git a/RELNOTES b/RELNOTES
index 08444bc0a..79c7a20e4 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,5 +1,8 @@
 firejail (0.9.45) baseline; urgency=low
  * development version, work in progress
+  * security: disabled --allow-debuggers when running on kenel
+    versions prior to 4.8; a kernel bug in ptrace system call
+    allows a full bypass of seccomp filter; problem reported by Lizzie Dixon
  * security: overwrite /etc/resolv.conf found by Martin Carpenter
  * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson
  * security: invalid environment exploit found by Martin Carpenter
diff --git a/src/firejail/main.c b/src/firejail/main.c
index e70e20eec..3a347b3d9 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -35,6 +35,7 @@
 #include <signal.h>
 #include <time.h>
 #include <net/if.h>
+#include <sys/utsname.h>
 #if 0
 #include <sys/times.h>
@@ -817,8 +818,27 @@ int main(int argc, char **argv) {
        
        if (check_arg(argc, argv, "--quiet"))
                arg_quiet = 1;
-        if (check_arg(argc, argv, "--allow-debuggers"))
+        if (check_arg(argc, argv, "--allow-debuggers")) {
+                // check kernel version
+                struct utsname u;
+                int rv = uname(&u);
+                if (rv != 0)
+                        errExit("uname");
+                int major;
+                int minor;
+                if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
+                        fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
+                        exit(1);
+                }
+                if (major < 4 || (major == 4 && minor < 8)) {
+                        fprintf(stderr, "Error: --allow-debuggers is disabled on Linux kernels prior to 4.8. "
+                                "A bug in ptrace call allows a full bypass of the seccomp filter. "
+                                "Your current kernel version is %d.%d.\n", major, minor);
+                        exit(1);
+                }
                arg_allow_debuggers = 1;
+        }
        // drop permissions by default and rise them when required
        EUID_INIT();
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 60c21cbc1..69d28c788 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -76,7 +76,9 @@ $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
 Signal the end of options and disables further option processing.
 .TP
 \fB\-\-allow-debuggers
-Allow tools such as strace and gdb inside the sandbox.
+Allow tools such as strace and gdb inside the sandbox. This option is only available
+when running on Linux kernels 4.8 or newer - a kernel bug in ptrace system call allows a full
+bypass of the seccomp filter.
 .br
 .br
author	netblue30 <netblue30@yahoo.com>	2017-01-06 15:39:54 -0500
committer	netblue30 <netblue30@yahoo.com>	2017-01-06 15:39:54 -0500
commit	85517885bece9209bbcace80fec115b0126263ad (patch)
tree	40ad1c5a321e6e9d8977b00dba68b533900de5e1
parent	security fixes (diff)
download	firejail-85517885bece9209bbcace80fec115b0126263ad.tar.gz firejail-85517885bece9209bbcace80fec115b0126263ad.tar.zst firejail-85517885bece9209bbcace80fec115b0126263ad.zip