Merge pull request #859 from valoq/master

added /srv in whitelist option
author: netblue30 <netblue30@yahoo.com> 2016-10-16 08:41:07 -0400
committer: GitHub <noreply@github.com> 2016-10-16 08:41:07 -0400
commit: c165e40c3db9e9bd3d6d524a8381b37f73fdd36a (patch)
tree: 60e4bfd40d60b31581304d0b1398b0f9a54801a1
parent: Merge pull request #860 from rccavalcanti/chromium-arch (diff)
parent: added /srv in whitelist option (diff)
download: firejail-c165e40c3db9e9bd3d6d524a8381b37f73fdd36a.tar.gz
firejail-c165e40c3db9e9bd3d6d524a8381b37f73fdd36a.tar.zst
firejail-c165e40c3db9e9bd3d6d524a8381b37f73fdd36a.zip
4 files changed, 63 insertions, 4 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 5f736f700..dafa5919c 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -60,6 +60,7 @@
 #define RUN_WHITELIST_VAR_DIR   "/run/firejail/mnt/orig-var"
 #define RUN_WHITELIST_DEV_DIR   "/run/firejail/mnt/orig-dev"
 #define RUN_WHITELIST_OPT_DIR   "/run/firejail/mnt/orig-opt"
+#define RUN_WHITELIST_SRV_DIR   "/run/firejail/mnt/orig-srv"
 #define RUN_XAUTHORITY_FILE     "/run/firejail/mnt/.Xauthority"
 #define RUN_XAUTHORITY_SEC_FILE "/run/firejail/mnt/sec.Xauthority"
@@ -173,6 +174,7 @@ typedef struct profile_entry_t {
        unsigned var_dir:1;     // whitelist in /var directory
        unsigned dev_dir:1;     // whitelist in /dev directory
        unsigned opt_dir:1;     // whitelist in /opt directory
+        unsigned srv_dir:1;     // whitelist in /srv directory
 }ProfileEntry;
 typedef struct config_t {
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 849861805..b1c2774e2 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -254,7 +254,16 @@ static void whitelist_path(ProfileEntry *entry) {
                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1)
                        errExit("asprintf");
        }
+        else if (entry->srv_dir) {
+                fname = path + 4; // strlen("/srv")
+                if (*fname == '\0') {
+                        fprintf(stderr, "Error: file %s is not in /srv directory, exiting...\n", path);
+                        exit(1);
+                }
+                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SRV_DIR, fname) == -1)
+                        errExit("asprintf");
+        }
        // check if the file exists
        struct stat s;
        if (wfile && stat(wfile, &s) == 0) {
@@ -317,7 +326,7 @@ void fs_whitelist(void) {
        int var_dir = 0;                // /var directory flag
        int dev_dir = 0;                // /dev directory flag
        int opt_dir = 0;                // /opt directory flag
+        int srv_dir = 0;                // /srv directory flag
        // verify whitelist files, extract symbolic links, etc.
        while (entry) {
                // handle only whitelist commands
@@ -387,7 +396,9 @@ void fs_whitelist(void) {
                                dev_dir = 1;
                        else if (strncmp(new_name, "/opt/", 5) == 0)
                                opt_dir = 1;
+                        else if (strncmp(new_name, "/srv/", 5) == 0)
+                                opt_dir = 1;
+                        
                        continue;
                }
                
@@ -481,6 +492,16 @@ void fs_whitelist(void) {
                                goto errexit;
                        }
                }
+                else if (strncmp(new_name, "/srv/", 5) == 0) {
+                        entry->srv_dir = 1;
+                        srv_dir = 1;
+                        // both path and absolute path are under /srv
+                        if (strncmp(fname, "/srv/", 5) != 0) {
+                                if (arg_debug)
+                                        fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname);
+                                goto errexit;
+                        }
+                }
                else {
                        if (arg_debug)
                                fprintf(stderr, "Debug %d: \n", __LINE__);
@@ -675,6 +696,36 @@ void fs_whitelist(void) {
                fs_logger("tmpfs /opt");
        }
+        // /srv mountpoint
+        if (srv_dir) {
+                // check if /srv directory exists
+                struct stat s;
+                if (stat("/srv", &s) == 0) {
+                        // keep a copy of real /srv directory in RUN_WHITELIST_SRV_DIR
+                        int rv = mkdir(RUN_WHITELIST_SRV_DIR, 0755);
+                        if (rv == -1)
+                                errExit("mkdir");
+                        if (chown(RUN_WHITELIST_SRV_DIR, 0, 0) < 0)
+                                errExit("chown");
+                        if (chmod(RUN_WHITELIST_SRV_DIR, 0755) < 0)
+                                errExit("chmod");
+                        if (mount("/srv", RUN_WHITELIST_SRV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
+                                errExit("mount bind");
+                        // mount tmpfs on /srv
+                        if (arg_debug || arg_debug_whitelists)
+                                printf("Mounting tmpfs on /srv directory\n");
+                        if (mount("tmpfs", "/srv", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                                errExit("mounting tmpfs on /srv");
+                        fs_logger("tmpfs /srv");
+                }
+                else
+                        srv_dir = 0;
+        }
+        
        // go through profile rules again, and interpret whitelist commands
        entry = cfg.profile;
        while (entry) {
@@ -766,6 +817,12 @@ void fs_whitelist(void) {
                fs_logger2("tmpfs", RUN_WHITELIST_MNT_DIR);
        }
+        // mask the real /srv directory, currently mounted on RUN_WHITELIST_SRV_DIR
+        if (srv_dir) {
+                if (mount("tmpfs", RUN_WHITELIST_SRV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                        errExit("mount tmpfs");
+                fs_logger2("tmpfs", RUN_WHITELIST_SRV_DIR);
        if (new_name)
                free(new_name);
                
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index d420fab7a..09dc46bbc 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -218,7 +218,7 @@ Blacklist violations logged to syslog.
 Whitelist directory or file. A temporary file system is mounted on the top directory, and the
 whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
 everything else is discarded when the sandbox is closed. The top directory could be 
-user home, /dev, /media, /mnt, /opt, /var, and /tmp.
+user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp.
 .br
 .br
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 4aebb71e8..666a6a8ef 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1622,7 +1622,7 @@ $ firejail \-\-net=br0 --veth-name=if0
 Whitelist directory or file. A temporary file system is mounted on the top directory, and the
 whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
 everything else is discarded when the sandbox is closed. The top directory could be 
-user home, /dev, /media, /mnt, /opt, /var, and /tmp.
+user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp.
 .br
 .br
author	netblue30 <netblue30@yahoo.com>	2016-10-16 08:41:07 -0400
committer	GitHub <noreply@github.com>	2016-10-16 08:41:07 -0400
commit	c165e40c3db9e9bd3d6d524a8381b37f73fdd36a (patch)
tree	60e4bfd40d60b31581304d0b1398b0f9a54801a1
parent	Merge pull request #860 from rccavalcanti/chromium-arch (diff)
parent	added /srv in whitelist option (diff)
download	firejail-c165e40c3db9e9bd3d6d524a8381b37f73fdd36a.tar.gz firejail-c165e40c3db9e9bd3d6d524a8381b37f73fdd36a.tar.zst firejail-c165e40c3db9e9bd3d6d524a8381b37f73fdd36a.zip

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 5f736f700..dafa5919c 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -60,6 +60,7 @@
60	#define RUN_WHITELIST_VAR_DIR "/run/firejail/mnt/orig-var"	60	#define RUN_WHITELIST_VAR_DIR "/run/firejail/mnt/orig-var"
61	#define RUN_WHITELIST_DEV_DIR "/run/firejail/mnt/orig-dev"	61	#define RUN_WHITELIST_DEV_DIR "/run/firejail/mnt/orig-dev"
62	#define RUN_WHITELIST_OPT_DIR "/run/firejail/mnt/orig-opt"	62	#define RUN_WHITELIST_OPT_DIR "/run/firejail/mnt/orig-opt"
		63	#define RUN_WHITELIST_SRV_DIR "/run/firejail/mnt/orig-srv"
63		64
64	#define RUN_XAUTHORITY_FILE "/run/firejail/mnt/.Xauthority"	65	#define RUN_XAUTHORITY_FILE "/run/firejail/mnt/.Xauthority"
65	#define RUN_XAUTHORITY_SEC_FILE "/run/firejail/mnt/sec.Xauthority"	66	#define RUN_XAUTHORITY_SEC_FILE "/run/firejail/mnt/sec.Xauthority"
@@ -173,6 +174,7 @@ typedef struct profile_entry_t {
173	unsigned var_dir:1; // whitelist in /var directory	174	unsigned var_dir:1; // whitelist in /var directory
174	unsigned dev_dir:1; // whitelist in /dev directory	175	unsigned dev_dir:1; // whitelist in /dev directory
175	unsigned opt_dir:1; // whitelist in /opt directory	176	unsigned opt_dir:1; // whitelist in /opt directory
		177	unsigned srv_dir:1; // whitelist in /srv directory
176	}ProfileEntry;	178	}ProfileEntry;
177		179
178	typedef struct config_t {	180	typedef struct config_t {


diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 849861805..b1c2774e2 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c
@@ -254,7 +254,16 @@ static void whitelist_path(ProfileEntry *entry) {
254	if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1)	254	if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1)
255	errExit("asprintf");	255	errExit("asprintf");
256	}	256	}
		257	else if (entry->srv_dir) {
		258	fname = path + 4; // strlen("/srv")
		259	if (*fname == '\0') {
		260	fprintf(stderr, "Error: file %s is not in /srv directory, exiting...\n", path);
		261	exit(1);
		262	}
257		263
		264	if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SRV_DIR, fname) == -1)
		265	errExit("asprintf");
		266	}
258	// check if the file exists	267	// check if the file exists
259	struct stat s;	268	struct stat s;
260	if (wfile && stat(wfile, &s) == 0) {	269	if (wfile && stat(wfile, &s) == 0) {
@@ -317,7 +326,7 @@ void fs_whitelist(void) {
317	int var_dir = 0; // /var directory flag	326	int var_dir = 0; // /var directory flag
318	int dev_dir = 0; // /dev directory flag	327	int dev_dir = 0; // /dev directory flag
319	int opt_dir = 0; // /opt directory flag	328	int opt_dir = 0; // /opt directory flag
320		329	int srv_dir = 0; // /srv directory flag
321	// verify whitelist files, extract symbolic links, etc.	330	// verify whitelist files, extract symbolic links, etc.
322	while (entry) {	331	while (entry) {
323	// handle only whitelist commands	332	// handle only whitelist commands
@@ -387,7 +396,9 @@ void fs_whitelist(void) {
387	dev_dir = 1;	396	dev_dir = 1;
388	else if (strncmp(new_name, "/opt/", 5) == 0)	397	else if (strncmp(new_name, "/opt/", 5) == 0)
389	opt_dir = 1;	398	opt_dir = 1;
390		399	else if (strncmp(new_name, "/srv/", 5) == 0)
		400	opt_dir = 1;
		401
391	continue;	402	continue;
392	}	403	}
393		404
@@ -481,6 +492,16 @@ void fs_whitelist(void) {
481	goto errexit;	492	goto errexit;
482	}	493	}
483	}	494	}
		495	else if (strncmp(new_name, "/srv/", 5) == 0) {
		496	entry->srv_dir = 1;
		497	srv_dir = 1;
		498	// both path and absolute path are under /srv
		499	if (strncmp(fname, "/srv/", 5) != 0) {
		500	if (arg_debug)
		501	fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname);
		502	goto errexit;
		503	}
		504	}
484	else {	505	else {
485	if (arg_debug)	506	if (arg_debug)
486	fprintf(stderr, "Debug %d: \n", __LINE__);	507	fprintf(stderr, "Debug %d: \n", __LINE__);
@@ -675,6 +696,36 @@ void fs_whitelist(void) {
675	fs_logger("tmpfs /opt");	696	fs_logger("tmpfs /opt");
676	}	697	}
677		698
		699	// /srv mountpoint
		700	if (srv_dir) {
		701	// check if /srv directory exists
		702	struct stat s;
		703	if (stat("/srv", &s) == 0) {
		704	// keep a copy of real /srv directory in RUN_WHITELIST_SRV_DIR
		705	int rv = mkdir(RUN_WHITELIST_SRV_DIR, 0755);
		706	if (rv == -1)
		707	errExit("mkdir");
		708	if (chown(RUN_WHITELIST_SRV_DIR, 0, 0) < 0)
		709	errExit("chown");
		710	if (chmod(RUN_WHITELIST_SRV_DIR, 0755) < 0)
		711	errExit("chmod");
		712
		713	if (mount("/srv", RUN_WHITELIST_SRV_DIR, NULL, MS_BIND\|MS_REC, NULL) < 0)
		714	errExit("mount bind");
		715
		716	// mount tmpfs on /srv
		717	if (arg_debug \|\| arg_debug_whitelists)
		718	printf("Mounting tmpfs on /srv directory\n");
		719	if (mount("tmpfs", "/srv", "tmpfs", MS_NOSUID \| MS_STRICTATIME \| MS_REC, "mode=755,gid=0") < 0)
		720	errExit("mounting tmpfs on /srv");
		721	fs_logger("tmpfs /srv");
		722	}
		723	else
		724	srv_dir = 0;
		725	}
		726
		727
		728
678	// go through profile rules again, and interpret whitelist commands	729	// go through profile rules again, and interpret whitelist commands
679	entry = cfg.profile;	730	entry = cfg.profile;
680	while (entry) {	731	while (entry) {
@@ -766,6 +817,12 @@ void fs_whitelist(void) {
766	fs_logger2("tmpfs", RUN_WHITELIST_MNT_DIR);	817	fs_logger2("tmpfs", RUN_WHITELIST_MNT_DIR);
767	}	818	}
768		819
		820	// mask the real /srv directory, currently mounted on RUN_WHITELIST_SRV_DIR
		821	if (srv_dir) {
		822	if (mount("tmpfs", RUN_WHITELIST_SRV_DIR, "tmpfs", MS_NOSUID \| MS_STRICTATIME \| MS_REC, "mode=755,gid=0") < 0)
		823	errExit("mount tmpfs");
		824	fs_logger2("tmpfs", RUN_WHITELIST_SRV_DIR);
		825
769	if (new_name)	826	if (new_name)
770	free(new_name);	827	free(new_name);
771		828


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index d420fab7a..09dc46bbc 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -218,7 +218,7 @@ Blacklist violations logged to syslog.
218	Whitelist directory or file. A temporary file system is mounted on the top directory, and the	218	Whitelist directory or file. A temporary file system is mounted on the top directory, and the
219	whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,	219	whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
220	everything else is discarded when the sandbox is closed. The top directory could be	220	everything else is discarded when the sandbox is closed. The top directory could be
221	user home, /dev, /media, /mnt, /opt, /var, and /tmp.	221	user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp.
222	.br	222	.br
223		223
224	.br	224	.br


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 4aebb71e8..666a6a8ef 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1622,7 +1622,7 @@ $ firejail \-\-net=br0 --veth-name=if0
1622	Whitelist directory or file. A temporary file system is mounted on the top directory, and the	1622	Whitelist directory or file. A temporary file system is mounted on the top directory, and the
1623	whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,	1623	whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
1624	everything else is discarded when the sandbox is closed. The top directory could be	1624	everything else is discarded when the sandbox is closed. The top directory could be
1625	user home, /dev, /media, /mnt, /opt, /var, and /tmp.	1625	user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp.
1626	.br	1626	.br
1627		1627
1628	.br	1628	.br