diff options
| author |  netblue30 <netblue30@yahoo.com> | 2020-10-06 08:47:15 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2020-10-06 08:47:15 -0400 |
| commit | 81b2c7aa07e5a0657398a7a34a4dc01e87eeb6ac (patch) | |
| tree | 388a62ad2235a62515620240452d03474b202402 | |
| parent | install vim files to addons directory instead of vimfiles (diff) | |
| download | firejail-81b2c7aa07e5a0657398a7a34a4dc01e87eeb6ac.tar.gz firejail-81b2c7aa07e5a0657398a7a34a4dc01e87eeb6ac.tar.zst firejail-81b2c7aa07e5a0657398a7a34a4dc01e87eeb6ac.zip | |
DHCP fixes
| -rw-r--r-- | src/firejail/dhcp.c | 26 | ||||
| -rw-r--r-- | src/firejail/firejail.h | 1 | ||||
| -rw-r--r-- | src/firejail/main.c | 13 | ||||
| -rw-r--r-- | src/firejail/sandbox.c | 2 | ||||
| -rw-r--r-- | src/include/rundefs.h | 2 |
5 files changed, 40 insertions, 4 deletions
diff --git a/src/firejail/dhcp.c b/src/firejail/dhcp.c index 37547a985..456bba91b 100644 --- a/src/firejail/dhcp.c +++ b/src/firejail/dhcp.c | |||
| @@ -130,7 +130,9 @@ static void dhcp_waitll_all() { | |||
| 130 | dhcp_waitll(cfg.bridge3.devsandbox); | 130 | dhcp_waitll(cfg.bridge3.devsandbox); |
| 131 | } | 131 | } |
| 132 | 132 | ||
| 133 | void dhcp_start(void) { | 133 | // Temporarily copy dhclient executable under /run/firejail/mnt and start it from there |
| 134 | // in order to recognize it later in firemon and firetools | ||
| 135 | void dhcp_store_exec(void) { | ||
| 134 | if (!any_dhcp()) | 136 | if (!any_dhcp()) |
| 135 | return; | 137 | return; |
| 136 | 138 | ||
| @@ -144,6 +146,26 @@ void dhcp_start(void) { | |||
| 144 | } | 146 | } |
| 145 | } | 147 | } |
| 146 | 148 | ||
| 149 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", dhclient_path, RUN_MNT_DIR); | ||
| 150 | } | ||
| 151 | |||
| 152 | void dhcp_start(void) { | ||
| 153 | if (!any_dhcp()) | ||
| 154 | return; | ||
| 155 | |||
| 156 | char *dhclient_path = RUN_MNT_DIR "/dhclient";; | ||
| 157 | struct stat s; | ||
| 158 | if (stat(dhclient_path, &s) == -1) { | ||
| 159 | dhclient_path = "/usr/sbin/dhclient"; | ||
| 160 | if (stat(dhclient_path, &s) == -1) { | ||
| 161 | fprintf(stderr, "Error: dhclient was not found.\n"); | ||
| 162 | exit(1); | ||
| 163 | } | ||
| 164 | } | ||
| 165 | |||
| 166 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", dhclient_path, RUN_MNT_DIR); | ||
| 167 | dhclient_path = RUN_MNT_DIR "/dhclient"; | ||
| 168 | |||
| 147 | EUID_ROOT(); | 169 | EUID_ROOT(); |
| 148 | if (mkdir(RUN_DHCLIENT_DIR, 0700)) | 170 | if (mkdir(RUN_DHCLIENT_DIR, 0700)) |
| 149 | errExit("mkdir"); | 171 | errExit("mkdir"); |
| @@ -163,4 +185,6 @@ void dhcp_start(void) { | |||
| 163 | exit(1); | 185 | exit(1); |
| 164 | } | 186 | } |
| 165 | } | 187 | } |
| 188 | |||
| 189 | unlink(dhclient_path); | ||
| 166 | } | 190 | } |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 2bb8dd351..6c0ebcd43 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -867,6 +867,7 @@ void dbus_apply_policy(void); | |||
| 867 | // dhcp.c | 867 | // dhcp.c |
| 868 | extern pid_t dhclient4_pid; | 868 | extern pid_t dhclient4_pid; |
| 869 | extern pid_t dhclient6_pid; | 869 | extern pid_t dhclient6_pid; |
| 870 | void dhcp_store_exec(void); | ||
| 870 | void dhcp_start(void); | 871 | void dhcp_start(void); |
| 871 | 872 | ||
| 872 | // selinux.c | 873 | // selinux.c |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 5cc2d4123..daa924698 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -888,19 +888,20 @@ char *guess_shell(void) { | |||
| 888 | return shell; | 888 | return shell; |
| 889 | } | 889 | } |
| 890 | 890 | ||
| 891 | // return argument index | ||
| 891 | static int check_arg(int argc, char **argv, const char *argument, int strict) { | 892 | static int check_arg(int argc, char **argv, const char *argument, int strict) { |
| 892 | int i; | 893 | int i; |
| 893 | int found = 0; | 894 | int found = 0; |
| 894 | for (i = 1; i < argc; i++) { | 895 | for (i = 1; i < argc; i++) { |
| 895 | if (strict) { | 896 | if (strict) { |
| 896 | if (strcmp(argv[i], argument) == 0) { | 897 | if (strcmp(argv[i], argument) == 0) { |
| 897 | found = 1; | 898 | found = i; |
| 898 | break; | 899 | break; |
| 899 | } | 900 | } |
| 900 | } | 901 | } |
| 901 | else { | 902 | else { |
| 902 | if (strncmp(argv[i], argument, strlen(argument)) == 0) { | 903 | if (strncmp(argv[i], argument, strlen(argument)) == 0) { |
| 903 | found = 1; | 904 | found = i; |
| 904 | break; | 905 | break; |
| 905 | } | 906 | } |
| 906 | } | 907 | } |
| @@ -1046,6 +1047,14 @@ int main(int argc, char **argv, char **envp) { | |||
| 1046 | } | 1047 | } |
| 1047 | EUID_USER(); | 1048 | EUID_USER(); |
| 1048 | 1049 | ||
| 1050 | // --ip=dhcp - we need access to /sbin and /usr/sbin directories in order to run ISC DHCP client (dhclient) | ||
| 1051 | // these paths are disabled in disable-common.inc | ||
| 1052 | if ((i = check_arg(argc, argv, "--ip", 0)) != 0) { | ||
| 1053 | if (strncmp(argv[i] + 4, "=dhcp", 5) == 0) { | ||
| 1054 | profile_add("noblacklist /sbin"); | ||
| 1055 | profile_add("noblacklist /usr/sbin"); | ||
| 1056 | } | ||
| 1057 | } | ||
| 1049 | 1058 | ||
| 1050 | // for appimages we need to remove "include disable-shell.inc from the profile | 1059 | // for appimages we need to remove "include disable-shell.inc from the profile |
| 1051 | // a --profile command can show up before --appimage | 1060 | // a --profile command can show up before --appimage |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index ff6be986f..3e8dbe5d9 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -651,6 +651,8 @@ int sandbox(void* sandbox_arg) { | |||
| 651 | if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, NULL, MS_BIND, NULL) < 0 || | 651 | if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, NULL, MS_BIND, NULL) < 0 || |
| 652 | mount(NULL, RUN_FIREJAIL_LIB_DIR, NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_BIND|MS_REMOUNT, NULL) < 0) | 652 | mount(NULL, RUN_FIREJAIL_LIB_DIR, NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_BIND|MS_REMOUNT, NULL) < 0) |
| 653 | errExit("mounting " RUN_FIREJAIL_LIB_DIR); | 653 | errExit("mounting " RUN_FIREJAIL_LIB_DIR); |
| 654 | // keep a copy of dhclient executable before the filesystem is modified | ||
| 655 | dhcp_store_exec(); | ||
| 654 | 656 | ||
| 655 | //**************************** | 657 | //**************************** |
| 656 | // log sandbox data | 658 | // log sandbox data |
diff --git a/src/include/rundefs.h b/src/include/rundefs.h index 4da2db748..21aad66f7 100644 --- a/src/include/rundefs.h +++ b/src/include/rundefs.h | |||
| @@ -51,7 +51,7 @@ | |||
| 51 | #define RUN_LIB_DIR RUN_MNT_DIR "/lib" | 51 | #define RUN_LIB_DIR RUN_MNT_DIR "/lib" |
| 52 | #define RUN_LIB_FILE RUN_MNT_DIR "/libfiles" | 52 | #define RUN_LIB_FILE RUN_MNT_DIR "/libfiles" |
| 53 | #define RUN_DNS_ETC RUN_MNT_DIR "/dns-etc" | 53 | #define RUN_DNS_ETC RUN_MNT_DIR "/dns-etc" |
| 54 | #define RUN_DHCLIENT_DIR RUN_MNT_DIR "/dhclient" | 54 | #define RUN_DHCLIENT_DIR RUN_MNT_DIR "/dhclient-dir" |
| 55 | #define RUN_DHCLIENT_4_LEASES_FILE RUN_DHCLIENT_DIR "/dhclient.leases" | 55 | #define RUN_DHCLIENT_4_LEASES_FILE RUN_DHCLIENT_DIR "/dhclient.leases" |
| 56 | #define RUN_DHCLIENT_6_LEASES_FILE RUN_DHCLIENT_DIR "/dhclient6.leases" | 56 | #define RUN_DHCLIENT_6_LEASES_FILE RUN_DHCLIENT_DIR "/dhclient6.leases" |
| 57 | #define RUN_DHCLIENT_4_LEASES_FILE RUN_DHCLIENT_DIR "/dhclient.leases" | 57 | #define RUN_DHCLIENT_4_LEASES_FILE RUN_DHCLIENT_DIR "/dhclient.leases" |