fix private-dev for Jack Audio setups - #1694

author: netblue30 <netblue30@yahoo.com> 2017-12-27 11:36:48 -0500
committer: netblue30 <netblue30@yahoo.com> 2017-12-27 11:36:48 -0500
commit: 1df4a7e02322e5eb662b1e745ce9dfc9b4f22f3a (patch)
tree: bf3171286fb7c0362dfabe624f29adecbba336c0
parent: Merge branch 'master' of https://github.com/netblue30/firejail (diff)
download: firejail-1df4a7e02322e5eb662b1e745ce9dfc9b4f22f3a.tar.gz
firejail-1df4a7e02322e5eb662b1e745ce9dfc9b4f22f3a.tar.zst
firejail-1df4a7e02322e5eb662b1e745ce9dfc9b4f22f3a.zip
2 files changed, 55 insertions, 42 deletions
diff --git a/README b/README
index d210bea28..10851f033 100644
--- a/README
+++ b/README
@@ -143,6 +143,7 @@ Daan Bakker (https://github.com/dbakker)
 Danil Semelenov (https://github.com/sgtpep)
        - blacklist the Electron Cash Wallet
        - blacklist s3cmd and s3fs configs
+        - blacklist Ethereum, Monero wallets
 Dara Adib (https://github.com/daradib)
        - ssh profile fix
        - evince profile fix
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 523f319ed..cc3bc72b2 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -153,6 +153,37 @@ errexit:
        exit(1);
 }
+static void empty_dev_shm(void) {
+        // create an empty /dev/shm directory
+        mkdir_attr("/dev/shm", 01777, 0, 0);
+        fs_logger("mkdir /dev/shm");
+        fs_logger("create /dev/shm");
+}
+static void process_dev_shm(void) {
+        // Jack audio keeps an Unix socket under (/dev/shm/jack_default_1000_0 or /dev/shm/jack/...)
+        // looking for jack socket
+        glob_t globbuf;
+        int globerr = glob(RUN_DEV_DIR "/shm/jack*", GLOB_NOSORT, NULL, &globbuf);
+        if (globerr) {
+                empty_dev_shm();
+                return;
+        }
+        globfree(&globbuf);
+        // if we got here, it means we have a jack server installed
+        // mount-bind the old /dev/shm
+        mkdir_attr("/dev/shm", 01777, 0, 0);
+        int rv = mount(RUN_DEV_DIR "/shm", "/dev/shm", "none", MS_BIND, "mode=01777,gid=0");
+        if (rv == -1) {
+                fwarning("cannot mount the old /dev/shm in private-dev\n");
+                dbg_test_dir(RUN_DEV_DIR "/shm");
+                empty_dev_shm();
+                return;
+        }
+}
 void fs_private_dev(void){
        // install a new /dev directory
        if (arg_debug)
@@ -199,15 +230,14 @@ void fs_private_dev(void){
                        fs_logger("clone /dev/log");
                }
        }
-        if (mount(RUN_RO_DIR, RUN_DEV_DIR, "none", MS_BIND, "mode=400,gid=0") < 0)
-                errExit("disable run dev directory");
-        // create /dev/shm
+        // bring forward the current /dev/shm directory if necessary
        if (arg_debug)
-                printf("Create /dev/shm directory\n");
+                printf("Process /dev/shm directory\n");
-        mkdir_attr("/dev/shm", 01777, 0, 0);
+        process_dev_shm();
-        fs_logger("mkdir /dev/shm");
-        fs_logger("create /dev/shm");
+        if (mount(RUN_RO_DIR, RUN_DEV_DIR, "none", MS_BIND, "mode=400,gid=0") < 0)
+                errExit("disable run dev directory");
        // create default devices
        create_char_dev("/dev/zero", 0666, 1, 5); // mknod -m 666 /dev/zero c 1 5
@@ -269,41 +299,6 @@ void fs_private_dev(void){
 }
-#if 0
-void fs_dev_shm(void) {
-        uid_t uid = getuid(); // set a new shm only if we started as root
-        if (uid)
-                return;
-        if (is_dir("/dev/shm")) {
-                if (arg_debug)
-                        printf("Mounting tmpfs on /dev/shm\n");
-                if (mount("tmpfs", "/dev/shm", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
-                        errExit("mounting /dev/shm");
-                fs_logger("tmpfs /dev/shm");
-        }
-        else {
-                char *lnk = realpath("/dev/shm", NULL);
-                if (lnk) {
-                        if (!is_dir(lnk)) {
-                                // create directory
-                                mkdir_attr(lnk, 01777, 0, 0);
-                        }
-                        if (arg_debug)
-                                printf("Mounting tmpfs on %s on behalf of /dev/shm\n", lnk);
-                        if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
-                                errExit("mounting /var/tmp");
-                        fs_logger2("tmpfs", lnk);
-                        free(lnk);
-                }
-                else {
-                        fwarning("/dev/shm not mounted\n");
-                        dbg_test_dir("/dev/shm");
-                }
-        }
-}
-#endif
 static void disable_file_or_dir(const char *fname) {
        if (arg_debug)
@@ -330,6 +325,23 @@ void fs_dev_disable_sound(void) {
                        disable_file_or_dir(dev[i].dev_fname);
                i++;
        }
+        // disable all jack sockets in /dev/shm
+        glob_t globbuf;
+        int globerr = glob("/dev/shm/jack*", GLOB_NOSORT, NULL, &globbuf);
+        if (globerr)
+                return;
+        for (i = 0; i < globbuf.gl_pathc; i++) {
+                char *path = globbuf.gl_pathv[i];
+                assert(path);
+                if (is_link(path)) {
+                        fwarning("skipping nosound for %s because it is a symbolic link\n", path);
+                        continue;
+                }
+                disable_file_or_dir(path);
+        }
+        globfree(&globbuf);
 }
 void fs_dev_disable_video(void) {
author	netblue30 <netblue30@yahoo.com>	2017-12-27 11:36:48 -0500
committer	netblue30 <netblue30@yahoo.com>	2017-12-27 11:36:48 -0500
commit	1df4a7e02322e5eb662b1e745ce9dfc9b4f22f3a (patch)
tree	bf3171286fb7c0362dfabe624f29adecbba336c0
parent	Merge branch 'master' of https://github.com/netblue30/firejail (diff)
download	firejail-1df4a7e02322e5eb662b1e745ce9dfc9b4f22f3a.tar.gz firejail-1df4a7e02322e5eb662b1e745ce9dfc9b4f22f3a.tar.zst firejail-1df4a7e02322e5eb662b1e745ce9dfc9b4f22f3a.zip

diff --git a/README b/README index d210bea28..10851f033 100644 --- a/README +++ b/README
@@ -143,6 +143,7 @@ Daan Bakker (https://github.com/dbakker)
143	Danil Semelenov (https://github.com/sgtpep)	143	Danil Semelenov (https://github.com/sgtpep)
144	- blacklist the Electron Cash Wallet	144	- blacklist the Electron Cash Wallet
145	- blacklist s3cmd and s3fs configs	145	- blacklist s3cmd and s3fs configs
		146	- blacklist Ethereum, Monero wallets
146	Dara Adib (https://github.com/daradib)	147	Dara Adib (https://github.com/daradib)
147	- ssh profile fix	148	- ssh profile fix
148	- evince profile fix	149	- evince profile fix


diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index 523f319ed..cc3bc72b2 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c
@@ -153,6 +153,37 @@ errexit:
153	exit(1);	153	exit(1);
154	}	154	}
155		155
		156	static void empty_dev_shm(void) {
		157	// create an empty /dev/shm directory
		158	mkdir_attr("/dev/shm", 01777, 0, 0);
		159	fs_logger("mkdir /dev/shm");
		160	fs_logger("create /dev/shm");
		161	}
		162
		163	static void process_dev_shm(void) {
		164	// Jack audio keeps an Unix socket under (/dev/shm/jack_default_1000_0 or /dev/shm/jack/...)
		165	// looking for jack socket
		166	glob_t globbuf;
		167	int globerr = glob(RUN_DEV_DIR "/shm/jack*", GLOB_NOSORT, NULL, &globbuf);
		168	if (globerr) {
		169	empty_dev_shm();
		170	return;
		171	}
		172	globfree(&globbuf);
		173
		174	// if we got here, it means we have a jack server installed
		175	// mount-bind the old /dev/shm
		176	mkdir_attr("/dev/shm", 01777, 0, 0);
		177	int rv = mount(RUN_DEV_DIR "/shm", "/dev/shm", "none", MS_BIND, "mode=01777,gid=0");
		178	if (rv == -1) {
		179	fwarning("cannot mount the old /dev/shm in private-dev\n");
		180	dbg_test_dir(RUN_DEV_DIR "/shm");
		181	empty_dev_shm();
		182	return;
		183	}
		184	}
		185
		186
156	void fs_private_dev(void){	187	void fs_private_dev(void){
157	// install a new /dev directory	188	// install a new /dev directory
158	if (arg_debug)	189	if (arg_debug)
@@ -199,15 +230,14 @@ void fs_private_dev(void){
199	fs_logger("clone /dev/log");	230	fs_logger("clone /dev/log");
200	}	231	}
201	}	232	}
202	if (mount(RUN_RO_DIR, RUN_DEV_DIR, "none", MS_BIND, "mode=400,gid=0") < 0)
203	errExit("disable run dev directory");
204		233
205	// create /dev/shm	234	// bring forward the current /dev/shm directory if necessary
206	if (arg_debug)	235	if (arg_debug)
207	printf("Create /dev/shm directory\n");	236	printf("Process /dev/shm directory\n");
208	mkdir_attr("/dev/shm", 01777, 0, 0);	237	process_dev_shm();
209	fs_logger("mkdir /dev/shm");	238
210	fs_logger("create /dev/shm");	239	if (mount(RUN_RO_DIR, RUN_DEV_DIR, "none", MS_BIND, "mode=400,gid=0") < 0)
		240	errExit("disable run dev directory");
211		241
212	// create default devices	242	// create default devices
213	create_char_dev("/dev/zero", 0666, 1, 5); // mknod -m 666 /dev/zero c 1 5	243	create_char_dev("/dev/zero", 0666, 1, 5); // mknod -m 666 /dev/zero c 1 5
@@ -269,41 +299,6 @@ void fs_private_dev(void){
269	}	299	}
270		300
271		301
272	#if 0
273	void fs_dev_shm(void) {
274	uid_t uid = getuid(); // set a new shm only if we started as root
275	if (uid)
276	return;
277
278	if (is_dir("/dev/shm")) {
279	if (arg_debug)
280	printf("Mounting tmpfs on /dev/shm\n");
281	if (mount("tmpfs", "/dev/shm", "tmpfs", MS_NOSUID \| MS_STRICTATIME \| MS_REC, "mode=1777,gid=0") < 0)
282	errExit("mounting /dev/shm");
283	fs_logger("tmpfs /dev/shm");
284	}
285	else {
286	char *lnk = realpath("/dev/shm", NULL);
287	if (lnk) {
288	if (!is_dir(lnk)) {
289	// create directory
290	mkdir_attr(lnk, 01777, 0, 0);
291	}
292	if (arg_debug)
293	printf("Mounting tmpfs on %s on behalf of /dev/shm\n", lnk);
294	if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID \| MS_STRICTATIME \| MS_REC, "mode=1777,gid=0") < 0)
295	errExit("mounting /var/tmp");
296	fs_logger2("tmpfs", lnk);
297	free(lnk);
298	}
299	else {
300	fwarning("/dev/shm not mounted\n");
301	dbg_test_dir("/dev/shm");
302	}
303
304	}
305	}
306	#endif
307		302
308	static void disable_file_or_dir(const char *fname) {	303	static void disable_file_or_dir(const char *fname) {
309	if (arg_debug)	304	if (arg_debug)
@@ -330,6 +325,23 @@ void fs_dev_disable_sound(void) {
330	disable_file_or_dir(dev[i].dev_fname);	325	disable_file_or_dir(dev[i].dev_fname);
331	i++;	326	i++;
332	}	327	}
		328
		329	// disable all jack sockets in /dev/shm
		330	glob_t globbuf;
		331	int globerr = glob("/dev/shm/jack*", GLOB_NOSORT, NULL, &globbuf);
		332	if (globerr)
		333	return;
		334
		335	for (i = 0; i < globbuf.gl_pathc; i++) {
		336	char *path = globbuf.gl_pathv[i];
		337	assert(path);
		338	if (is_link(path)) {
		339	fwarning("skipping nosound for %s because it is a symbolic link\n", path);
		340	continue;
		341	}
		342	disable_file_or_dir(path);
		343	}
		344	globfree(&globbuf);
333	}	345	}
334		346
335	void fs_dev_disable_video(void) {	347	void fs_dev_disable_video(void) {