mount runtime seccomp files read-only (#2602)

avoid creating locations in the file system that are both writable and executable (in this case for processes with euid of the user). for the same reason also remove user owned libfiles when it is not needed any more
author: smitsohu <smitsohu@gmail.com> 2019-03-23 22:32:30 +0000
committer: GitHub <noreply@github.com> 2019-03-23 22:32:30 +0000
commit: eecf35c2f8249489a1d3e512bb07f0d427183134 (patch)
tree: daa2959c75d282672d9a4bb7469a21b99f9ed809
parent: Add kid3, kid3-cli, kid3-qt (#2614) (diff)
download: firejail-eecf35c2f8249489a1d3e512bb07f0d427183134.tar.gz
firejail-eecf35c2f8249489a1d3e512bb07f0d427183134.tar.zst
firejail-eecf35c2f8249489a1d3e512bb07f0d427183134.zip
4 files changed, 16 insertions, 11 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 5291361c8..4cb10c875 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -57,13 +57,14 @@
 #define RUN_LIB_FILE    "/run/firejail/mnt/libfiles"
 #define RUN_DNS_ETC     "/run/firejail/mnt/dns-etc"
-#define RUN_SECCOMP_LIST        "/run/firejail/mnt/seccomp.list"        // list of seccomp files installed
+#define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp"
-#define RUN_SECCOMP_PROTOCOL    "/run/firejail/mnt/seccomp.protocol"    // protocol filter
+#define RUN_SECCOMP_LIST        "/run/firejail/mnt/seccomp/seccomp.list"        // list of seccomp files installed
-#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp"                     // configured filter
+#define RUN_SECCOMP_PROTOCOL    "/run/firejail/mnt/seccomp/seccomp.protocol"    // protocol filter
-#define RUN_SECCOMP_32  "/run/firejail/mnt/seccomp.32"          // 32bit arch filter installed on 64bit architectures
+#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp/seccomp"                     // configured filter
-#define RUN_SECCOMP_MDWX        "/run/firejail/mnt/seccomp.mdwx"                // filter for memory-deny-write-execute
+#define RUN_SECCOMP_32          "/run/firejail/mnt/seccomp/seccomp.32"          // 32bit arch filter installed on 64bit architectures
-#define RUN_SECCOMP_BLOCK_SECONDARY     "/run/firejail/mnt/seccomp.block_secondary"     // secondary arch blocking filter
+#define RUN_SECCOMP_MDWX        "/run/firejail/mnt/seccomp/seccomp.mdwx"                // filter for memory-deny-write-execute
-#define RUN_SECCOMP_POSTEXEC    "/run/firejail/mnt/seccomp.postexec"            // filter for post-exec library
+#define RUN_SECCOMP_BLOCK_SECONDARY     "/run/firejail/mnt/seccomp/seccomp.block_secondary"     // secondary arch blocking filter
+#define RUN_SECCOMP_POSTEXEC    "/run/firejail/mnt/seccomp/seccomp.postexec"            // filter for post-exec library
 #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp")                       // default filter built during make
 #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug")   // default filter built during make
 #define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32")                 // 32bit arch filter built during make
@@ -95,7 +96,6 @@
 #define RUN_ASOUNDRC_FILE       "/run/firejail/mnt/.asoundrc"
 #define RUN_HOSTNAME_FILE       "/run/firejail/mnt/hostname"
 #define RUN_HOSTS_FILE  "/run/firejail/mnt/hosts"
-#define RUN_RESOLVCONF_FILE     "/run/firejail/mnt/resolv.conf"
 #define RUN_MACHINEID   "/run/firejail/mnt/machine-id"
 #define RUN_LDPRELOAD_FILE      "/run/firejail/mnt/ld.so.preload"
 #define RUN_UTMP_FILE           "/run/firejail/mnt/utmp"
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 808ead240..70c6ac88a 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -133,6 +133,7 @@ void fslib_copy_libs(const char *full_path) {
                fslib_duplicate(buf);
        }
        fclose(fp);
+        unlink(RUN_LIB_FILE);
 }
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index 2effebbaa..a7af4b127 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -86,6 +86,8 @@ void preproc_mount_mnt_dir(void) {
                fs_logger2("tmpfs", RUN_MNT_DIR);
 #ifdef HAVE_SECCOMP
+                create_empty_dir_as_root(RUN_SECCOMP_DIR, 0755);
                if (arg_seccomp_block_secondary)
                        copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed
                else {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 2b5d30158..101a16d00 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1053,9 +1053,6 @@ int sandbox(void* sandbox_arg) {
        // save state of nonewprivs
        save_nonewprivs();
-        // set capabilities
-        set_caps();
        // save cpu affinity mask to CPU_CFG file
        save_cpu();
@@ -1101,8 +1098,13 @@ int sandbox(void* sandbox_arg) {
                int rv = unlink(RUN_SECCOMP_MDWX);
                (void) rv;
        }
+        // make seccomp filters read-only
+        fs_rdonly(RUN_SECCOMP_DIR);
 #endif
+        // set capabilities
+        set_caps();
        //****************************************
        // communicate progress of sandbox set up
        // to --join
author	smitsohu <smitsohu@gmail.com>	2019-03-23 22:32:30 +0000
committer	GitHub <noreply@github.com>	2019-03-23 22:32:30 +0000
commit	eecf35c2f8249489a1d3e512bb07f0d427183134 (patch)
tree	daa2959c75d282672d9a4bb7469a21b99f9ed809
parent	Add kid3, kid3-cli, kid3-qt (#2614) (diff)
download	firejail-eecf35c2f8249489a1d3e512bb07f0d427183134.tar.gz firejail-eecf35c2f8249489a1d3e512bb07f0d427183134.tar.zst firejail-eecf35c2f8249489a1d3e512bb07f0d427183134.zip