authorLibravatar netblue30 <netblue30@yahoo.com>2017-11-13 10:53:04 -0500
committerLibravatar netblue30 <netblue30@yahoo.com>2017-11-13 10:53:04 -0500
commitb24e0e4049229c7772b067c97b439622804112bb (patch)
tree6c20752432721277c94f4fd9b7b2fb3ec89786d9
parentcleanup (diff)
downloadfirejail-b24e0e4049229c7772b067c97b439622804112bb.tar.gz
firejail-b24e0e4049229c7772b067c97b439622804112bb.tar.zst
firejail-b24e0e4049229c7772b067c97b439622804112bb.zip
netfilter split
-rw-r--r--Makefile.in4
-rwxr-xr-xconfigure3
-rw-r--r--configure.ac2
-rw-r--r--src/firejail/firejail.h1
-rw-r--r--src/firejail/fs_lib.c1
-rw-r--r--src/firejail/netfilter.c65
6 files changed, 28 insertions, 48 deletions
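--- a/Makefile.in
+++ b/Makefile.in
@@ -1,6 +1,6 @@
 all: apps man filters
 MYLIBS = src/lib
-APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp
+APPS = src/firejail src/firemon src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp
 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.64 seccomp.block_secondary seccomp.mdwx
 
@@ -97,6 +97,7 @@ endif
 	install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/.
 	install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/.
 	install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/.
+	install -c -m 0755 src/fnetfilter/fnetfilter $(DESTDIR)/$(libdir)/firejail/.
 	install -c -m 0755 src/fcopy/fcopy $(DESTDIR)/$(libdir)/firejail/.
 	install -c -m 0755 src/fldd/fldd $(DESTDIR)/$(libdir)/firejail/.
 	install -c -m 0755 src/fbuilder/fbuilder $(DESTDIR)/$(libdir)/firejail/.
@@ -167,6 +168,7 @@ install-strip: all
 	strip src/ftee/ftee
 	strip src/faudit/faudit
 	strip src/fnet/fnet
+	strip src/fnet/fnetfilter
 	strip src/fseccomp/fseccomp
 	strip src/fcopy/fcopy
 	strip src/fldd/fldd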
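Review bot: The install-strip target strips a path that does not exist: the added line reads `strip src/fnet/fnetfilter`, but the new program is built under `src/fnetfilter` (the APPS list and the install rule in the earlier hunks both use `src/fnetfilter/fnetfilter`). It should be `strip src/fnetfilter/fnetfilter`. As written, `strip` exits non-zero on the missing file and `make install-strip` aborts before installing anything after it.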
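--- a/configure
+++ b/configure
@@ -3823,7 +3823,7 @@ if test "$prefix" = /usr; then
  sysconfdir="/etc"
 fi
 
-ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile"
+ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -4537,6 +4537,7 @@ do
  "src/fcopy/Makefile") CONFIG_FILES="$CONFIG_FILES src/fcopy/Makefile" ;;
  "src/fnet/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnet/Makefile" ;;
  "src/firejail/Makefile") CONFIG_FILES="$CONFIG_FILES src/firejail/Makefile" ;;
+ "src/fnetfilter/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnetfilter/Makefile" ;;
  "src/firemon/Makefile") CONFIG_FILES="$CONFIG_FILES src/firemon/Makefile" ;;
  "src/libtrace/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtrace/Makefile" ;;
  "src/libtracelog/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtracelog/Makefile" ;;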
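--- a/configure.ac
+++ b/configure.ac
@@ -175,7 +175,7 @@ if test "$prefix" = /usr; then
  sysconfdir="/etc"
 fi
 
-AC_OUTPUT(Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile \
+AC_OUTPUT(Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
 src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile \
 src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile)
 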
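--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -766,6 +766,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 // sbox.c
 // programs
 #define PATH_FNET (LIBDIR "/firejail/fnet")
+#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter")
 #define PATH_FIREMON (PREFIX "/bin/firemon")
 #define PATH_FIREJAIL (PREFIX "/bin/firejail")
 #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")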
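--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -387,6 +387,7 @@ void fs_private_lib(void) {
 	fslib_copy_libs(LIBDIR "/firejail/fcopy");
 	fslib_copy_libs(LIBDIR "/firejail/fldd");
 	fslib_copy_libs(LIBDIR "/firejail/fnet");
+	fslib_copy_libs(LIBDIR "/firejail/fnetfilter");
 	fslib_copy_libs(LIBDIR "/firejail/fseccomp");
 	fslib_copy_libs(LIBDIR "/firejail/ftee");
 	// mount lib filesystem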
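--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -24,33 +24,24 @@
 #include <sys/wait.h>
 #include <fcntl.h>
 
-static char *client_filter =
-"*filter\n"
-":INPUT DROP [0:0]\n"
-":FORWARD DROP [0:0]\n"
-":OUTPUT ACCEPT [0:0]\n"
-"-A INPUT -i lo -j ACCEPT\n"
-"-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
-"# echo replay is handled by -m state RELATED/ESTABLISHED below\n"
-"#-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT\n"
-"-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT\n"
-"-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT\n"
-"-A INPUT -p icmp --icmp-type echo-request -j ACCEPT \n"
-"# disable STUN\n"
-"-A OUTPUT -p udp --dport 3478 -j DROP\n"
-"-A OUTPUT -p udp --dport 3479 -j DROP\n"
-"-A OUTPUT -p tcp --dport 3478 -j DROP\n"
-"-A OUTPUT -p tcp --dport 3479 -j DROP\n"
-"COMMIT\n";
 
 void check_netfilter_file(const char *fname) {
 	EUID_ASSERT();
-	invalid_filename(fname, 0); // no globbing
 
-	if (is_dir(fname) || is_link(fname) || strstr(fname, "..") || access(fname, R_OK )) {
-		fprintf(stderr, "Error: invalid network filter file %s\n", fname);
+	char *tmp = strdup(fname);
+	if (!tmp)
+		errExit("strdup");
+	char *ptr = strchr(tmp, ',');
+	if (ptr)
+		*ptr = '\0';
+
+	invalid_filename(tmp, 0); // no globbing
+
+	if (is_dir(tmp) || is_link(tmp) || strstr(tmp, "..") || access(tmp, R_OK )) {
+		fprintf(stderr, "Error: invalid network filter file %s\n", tmp);
 		exit(1);
 	}
+	free(tmp);
 }
 
 
@@ -72,29 +63,15 @@ void netfilter(const char *fname) {
 		return;
 	}
 
-	// read filter
-	char *filter = client_filter;
-	int allocated = 0;
-	if (netfilter_default)
-		fname = netfilter_default;
-	if (fname) {
-		filter = read_text_file_or_exit(fname);
-		allocated = 1;
-	}
+	// create an empty user-owned SBOX_STDIN_FILE
+	create_empty_file_as_root(SBOX_STDIN_FILE, 0644);
+	if (set_perms(SBOX_STDIN_FILE, getuid(), getgid(), 0644))
+		errExit("set_perms");
 
-	// create the filter file
-	FILE *fp = fopen(SBOX_STDIN_FILE, "w");
-	if (!fp) {
-		fprintf(stderr, "Error: cannot open %s\n", SBOX_STDIN_FILE);
-		exit(1);
-	}
-	fprintf(fp, "%s\n", filter);
-	fclose(fp);
-
-
-	// push filter
-	if (arg_debug)
-		printf("Installing network filter:\n%s\n", filter);
+	if (fname == NULL)
+		sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FNETFILTER, SBOX_STDIN_FILE);
+	else
+		sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FNETFILTER, fname, SBOX_STDIN_FILE);
 
 	// first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter
 	// we run this command with caps and seccomp disabled in order to allow the loading of these modules
@@ -105,8 +82,6 @@ void netfilter(const char *fname) {
 	if (arg_debug)
 		sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-vL");
 
-	if (allocated)
-		free(filter);
 	return;
 }
 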
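Review bot: check_netfilter_file now validates only the part of fname before the first ',' (the strchr truncation in the first hunk), while netfilter() in the second hunk hands the full, untruncated fname to PATH_FNETFILTER, so everything after the comma reaches fnetfilter with none of the invalid_filename/is_link/".."/access checks applied here. If the comma-separated tail is meant as substitution arguments for the filter template, fnetfilter has to validate them itself (not visible in this commit), and that split of responsibility should be recorded next to the truncation, e.g. `// only the file name before the first ',' is checked here; fnetfilter validates the remaining fields`. The second hunk also drops the `if (netfilter_default) fname = netfilter_default;` fallback without replacing it, so unless netfilter_default is now applied by the caller or inside fnetfilter, the configured default filter is silently ignored when no file is given. netfilter() starts before the second hunk and its iptables-restore step runs between the second and third hunks, outside this view.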