merge: mount runtime seccomp files read-only

author: startx2017 <vradu.startx@yandex.com> 2019-06-03 11:53:52 -0400
committer: startx2017 <vradu.startx@yandex.com> 2019-06-03 11:53:52 -0400
commit: 1f206ab956324b18fd19f5bf8716c2b5a011b935 (patch)
tree: 33e499c597361c2f780aed5124e0848105705a5b
parent: fix firemon reporting for processes started with --join (diff)
download: firejail-1f206ab956324b18fd19f5bf8716c2b5a011b935.tar.gz
firejail-1f206ab956324b18fd19f5bf8716c2b5a011b935.tar.zst
firejail-1f206ab956324b18fd19f5bf8716c2b5a011b935.zip
4 files changed, 16 insertions, 11 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index f52ab6706..690d2d4bc 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -59,13 +59,14 @@
 #define RUN_LIB_FILE    "/run/firejail/mnt/libfiles"
 #define RUN_DNS_ETC     "/run/firejail/mnt/dns-etc"
-#define RUN_SECCOMP_LIST        "/run/firejail/mnt/seccomp.list"        // list of seccomp files installed
+#define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp"
-#define RUN_SECCOMP_PROTOCOL    "/run/firejail/mnt/seccomp.protocol"    // protocol filter
+#define RUN_SECCOMP_LIST        "/run/firejail/mnt/seccomp/seccomp.list"        // list of seccomp files installed
-#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp"                     // configured filter
+#define RUN_SECCOMP_PROTOCOL    "/run/firejail/mnt/seccomp/seccomp.protocol"    // protocol filter
-#define RUN_SECCOMP_32  "/run/firejail/mnt/seccomp.32"          // 32bit arch filter installed on 64bit architectures
+#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp/seccomp"                     // configured filter
-#define RUN_SECCOMP_MDWX        "/run/firejail/mnt/seccomp.mdwx"                // filter for memory-deny-write-execute
+#define RUN_SECCOMP_32  "/run/firejail/mnt/seccomp/seccomp.32"          // 32bit arch filter installed on 64bit architectures
-#define RUN_SECCOMP_BLOCK_SECONDARY     "/run/firejail/mnt/seccomp.block_secondary"     // secondary arch blocking filter
+#define RUN_SECCOMP_MDWX        "/run/firejail/mnt/seccomp/seccomp.mdwx"                // filter for memory-deny-write-execute
-#define RUN_SECCOMP_POSTEXEC    "/run/firejail/mnt/seccomp.postexec"            // filter for post-exec library
+#define RUN_SECCOMP_BLOCK_SECONDARY     "/run/firejail/mnt/seccomp/seccomp.block_secondary"     // secondary arch blocking filter
+#define RUN_SECCOMP_POSTEXEC    "/run/firejail/mnt/seccomp/seccomp.postexec"            // filter for post-exec library
 #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp")                       // default filter built during make
 #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug")   // default filter built during make
 #define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32")                 // 32bit arch filter built during make
@@ -96,7 +97,6 @@
 #define RUN_ASOUNDRC_FILE       "/run/firejail/mnt/.asoundrc"
 #define RUN_HOSTNAME_FILE       "/run/firejail/mnt/hostname"
 #define RUN_HOSTS_FILE  "/run/firejail/mnt/hosts"
-#define RUN_RESOLVCONF_FILE     "/run/firejail/mnt/resolv.conf"
 #define RUN_MACHINEID   "/run/firejail/mnt/machine-id"
 #define RUN_LDPRELOAD_FILE      "/run/firejail/mnt/ld.so.preload"
 #define RUN_UTMP_FILE           "/run/firejail/mnt/utmp"
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index f519ed85f..423119a37 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -82,6 +82,8 @@ void preproc_mount_mnt_dir(void) {
                fs_logger2("tmpfs", RUN_MNT_DIR);
 #ifdef HAVE_SECCOMP
+                create_empty_dir_as_root(RUN_SECCOMP_DIR, 0755);
                if (arg_seccomp_block_secondary)
                        copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed
                else {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 2ac4952b7..5996433a9 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -898,8 +898,6 @@ int sandbox(void* sandbox_arg) {
        //****************************
        // set security filters
        //****************************
-        // set capabilities
-        set_caps();
        // set cpu affinity
        if (cfg.cpus) {
                save_cpu(); // save cpu affinity mask to CPU_CFG file
@@ -947,7 +945,12 @@ int sandbox(void* sandbox_arg) {
                int rv = unlink(RUN_SECCOMP_MDWX);
                (void) rv;
        }
+        // make seccomp filters read-only
+        fs_rdonly(RUN_SECCOMP_DIR);
 #endif
+        // set capabilities
+        set_caps();
        //****************************************
        // communicate progress of sandbox set up
diff --git a/status b/status
index 6c5d0cf32..b3f0e5a63 100644
--- a/status
+++ b/status
@@ -11,7 +11,7 @@ May 17: Merge pull request #2688 from laomaiweng/nodbus-enhancements
 May 17: Merge pull request #2701 from smitsohu/opath - bring back support for Centos6
 May 4: update man pages (private-dev, noexec)
 April 21: typo
-todo Mar 23: mount runtime seccomp files read-only
+Mar 23: mount runtime seccomp files read-only
 Jan 13: fix parent death signal
 Feb 26: Sort items alphabetically in man firejail #2479
author	startx2017 <vradu.startx@yandex.com>	2019-06-03 11:53:52 -0400
committer	startx2017 <vradu.startx@yandex.com>	2019-06-03 11:53:52 -0400
commit	1f206ab956324b18fd19f5bf8716c2b5a011b935 (patch)
tree	33e499c597361c2f780aed5124e0848105705a5b
parent	fix firemon reporting for processes started with --join (diff)
download	firejail-1f206ab956324b18fd19f5bf8716c2b5a011b935.tar.gz firejail-1f206ab956324b18fd19f5bf8716c2b5a011b935.tar.zst firejail-1f206ab956324b18fd19f5bf8716c2b5a011b935.zip