diff options
| author |  smitsohu <smitsohu@gmail.com> | 2021-01-08 21:24:06 +0100 |
|---|---|---|
| committer | smitsohu <smitsohu@gmail.com> | 2021-01-08 21:24:06 +0100 |
| commit | d94e757019808c1c0975df53fd76df3606689c31 (patch) | |
| tree | 9d1a3cd5bcefe0fb9a1d51adb931480de275d16d | |
| parent | fbuilder: whitelist-common.inc processing (diff) | |
| download | firejail-d94e757019808c1c0975df53fd76df3606689c31.tar.gz firejail-d94e757019808c1c0975df53fd76df3606689c31.tar.zst firejail-d94e757019808c1c0975df53fd76df3606689c31.zip | |
fbuilder: check Yama permissions
closes #3237
| -rw-r--r-- | src/fbuilder/build_profile.c | 26 |
1 files changed, 19 insertions, 7 deletions
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index adc00e67b..0517c837e 100644 --- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c | |||
| @@ -80,10 +80,19 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
| 80 | stroutput, | 80 | stroutput, |
| 81 | }; | 81 | }; |
| 82 | 82 | ||
| 83 | // detect strace | 83 | // detect strace and check if Yama LSM allows us to use it |
| 84 | int have_strace = 0; | 84 | int have_strace = 0; |
| 85 | if (access("/usr/bin/strace", X_OK) == 0) | 85 | int have_yama_permission = 1; |
| 86 | if (access("/usr/bin/strace", X_OK) == 0) { | ||
| 86 | have_strace = 1; | 87 | have_strace = 1; |
| 88 | FILE *fp = fopen("/proc/sys/kernel/yama/ptrace_scope", "r"); | ||
| 89 | if (fp) { | ||
| 90 | unsigned val; | ||
| 91 | if (fscanf(fp, "%u", &val) == 1) | ||
| 92 | have_yama_permission = (val < 2); | ||
| 93 | fclose(fp); | ||
| 94 | } | ||
| 95 | } | ||
| 87 | 96 | ||
| 88 | // calculate command length | 97 | // calculate command length |
| 89 | unsigned len = (int) sizeof(cmdlist) / sizeof(char*) + argc - index + 1; | 98 | unsigned len = (int) sizeof(cmdlist) / sizeof(char*) + argc - index + 1; |
| @@ -93,10 +102,11 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
| 93 | cmd[0] = cmdlist[0]; // explicit assignment to clean scan-build error | 102 | cmd[0] = cmdlist[0]; // explicit assignment to clean scan-build error |
| 94 | 103 | ||
| 95 | // build command | 104 | // build command |
| 105 | int skip_strace = !(have_strace && have_yama_permission); | ||
| 96 | unsigned i = 0; | 106 | unsigned i = 0; |
| 97 | for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++) { | 107 | for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++) { |
| 98 | // skip strace if not installed | 108 | // skip strace if not installed, or no permission to use it |
| 99 | if (have_strace == 0 && strcmp(cmdlist[i], "/usr/bin/strace") == 0) | 109 | if (skip_strace && strcmp(cmdlist[i], "/usr/bin/strace") == 0) |
| 100 | break; | 110 | break; |
| 101 | cmd[i] = cmdlist[i]; | 111 | cmd[i] = cmdlist[i]; |
| 102 | } | 112 | } |
| @@ -172,12 +182,14 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
| 172 | fprintf(fp, "caps.drop all\n"); | 182 | fprintf(fp, "caps.drop all\n"); |
| 173 | fprintf(fp, "nonewprivs\n"); | 183 | fprintf(fp, "nonewprivs\n"); |
| 174 | fprintf(fp, "seccomp\n"); | 184 | fprintf(fp, "seccomp\n"); |
| 175 | if (have_strace) | 185 | if (!have_strace) { |
| 176 | build_seccomp(strace_output, fp); | ||
| 177 | else { | ||
| 178 | fprintf(fp, "# If you install strace on your system, Firejail will also create a\n"); | 186 | fprintf(fp, "# If you install strace on your system, Firejail will also create a\n"); |
| 179 | fprintf(fp, "# whitelisted seccomp filter.\n"); | 187 | fprintf(fp, "# whitelisted seccomp filter.\n"); |
| 180 | } | 188 | } |
| 189 | else if (!have_yama_permission) | ||
| 190 | fprintf(fp, "# Yama security module prevents creation of a whitelisted seccomp filter\n"); | ||
| 191 | else | ||
| 192 | build_seccomp(strace_output, fp); | ||
| 181 | fprintf(fp, "\n"); | 193 | fprintf(fp, "\n"); |
| 182 | 194 | ||
| 183 | fprintf(fp, "### network\n"); | 195 | fprintf(fp, "### network\n"); |