author | netblue30 <netblue30@yahoo.com> | 2016-08-02 13:09:23 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-08-02 13:09:23 -0400 |
commit | 48dd1fbece66d6e13a099da24e651d57c3491028 (patch) | |
tree | b1a4f2ab1a407a8226b5fc93850a924f2c0d55be | |
parent | apparmor (diff) | |
apparmor
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 81 | ||||
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 36 | ||||
-rw-r--r-- | src/firejail/profile.c | 7 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 14 | ||||
-rw-r--r-- | src/firejail/usage.c | 1 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 3 | ||||
-rw-r--r-- | src/man/firejail.txt | 41 |
9 files changed, 156 insertions, 30 deletions
@@ -3,6 +3,7 @@ firejail (0.9.42~rc2) baseline; urgency=low | |||
3 | * --read-write option rework | 3 | * --read-write option rework |
4 | * allow symlinks in home directory for --whitelist option | 4 | * allow symlinks in home directory for --whitelist option |
5 | * AppImage support (--appimage) | 5 | * AppImage support (--appimage) |
6 | * AppArmor support (--apparmor) | ||
6 | * Sandbox auditing support (--audit) | 7 | * Sandbox auditing support (--audit) |
7 | * remove environment variable (--rmenv) | 8 | * remove environment variable (--rmenv) |
8 | * noexec support (--noexec) | 9 | * noexec support (--noexec) |
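--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -239,3 +239,84 @@ errout:
 exit(1);
 }
 
+
+void print_compiletime_support(void) {
+printf("Compile time support:\n");
+printf("\t- AppArmor support is %s\n",
+#ifdef HAVE_APPARMOR
+"enabled"
+#else
+"disabled"
+#endif
+);
+
+
+printf("\t- bind support is %s\n",
+#ifdef HAVE_BIND
+"enabled"
+#else
+"disabled"
+#endif
+);
+
+printf("\t- chroot support is %s\n",
+#ifdef HAVE_CHROOT
+"enabled"
+#else
+"disabled"
+#endif
+);
+
+printf("\t- file and directory whitelisting support is %s\n",
+#ifdef HAVE_WHITELIST
+"enabled"
+#else
+"disabled"
+#endif
+);
+
+printf("\t- file transfer support is %s\n",
+#ifdef HAVE_FILE_TRANSFER
+"enabled"
+#else
+"disabled"
+#endif
+);
+
+printf("\t- networking support is %s\n",
+#ifdef HAVE_NETWORK
+"enabled"
+#else
+"disabled"
+#endif
+);
+
+
+#ifdef HAVE_NETWORK_RESTRICTED
+printf("\t- networking features are available only to root user\n");
+#endif
+
+printf("\t- seccomp-bpf support is %s\n",
+#ifdef HAVE_SECCOMP
+"enabled"
+#else
+"disabled"
+#endif
+);
+
+printf("\t- user namespace support is %s\n",
+#ifdef HAVE_USERNS
+"enabled"
+#else
+"disabled"
+#endif
+);
+
+printf("\t- X11 snadboxing support is %s\n",
+#ifdef HAVE_X11
+"enabled"
+#else
+"disabled"
+#endif
+);
+}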
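Review bot: The last label in print_compiletime_support misspells the feature name — `printf("\t- X11 snadboxing support is %s\n",` should read `printf("\t- X11 sandboxing support is %s\n",`; this string is what `--version` now prints, so the typo will land in bug reports and in anything that greps the output to detect feature support. The table also reports build-time configuration only, which is easy to misread for AppArmor in particular, so a one-line header comment would help: `// Report which optional features were compiled in; this says nothing about runtime state (e.g. whether the firejail-default AppArmor profile is loaded).` The function is complete within the hunk.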
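--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -263,6 +263,7 @@ extern int arg_writable_var; // writable var
 extern int arg_appimage; // appimage
 extern int arg_audit; // audit
 extern char *arg_audit_prog; // audit
+extern int arg_apparmor; // apparmor
 
 extern int parent_to_child_fds[2];
 extern int child_to_parent_fds[2];
@@ -584,6 +585,7 @@ extern char *xephyr_screen;
 extern char *xephyr_extra_params;
 extern char *netfilter_default;
 int checkcfg(int val);
+void print_compiletime_support(void);
 
 // appimage.c
 void appimage_set(const char *appimage_path);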
diff --git a/src/firejail/main.c b/src/firejail/main.c index 8bb438ba4..b6fd745a2 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -102,6 +102,7 @@ int arg_writable_var = 0; // writable var | |||
102 | int arg_appimage = 0; // appimage | 102 | int arg_appimage = 0; // appimage |
103 | int arg_audit = 0; // audit | 103 | int arg_audit = 0; // audit |
104 | char *arg_audit_prog; // audit | 104 | char *arg_audit_prog; // audit |
105 | int arg_apparmor; // apparmor | ||
105 | 106 | ||
106 | int parent_to_child_fds[2]; | 107 | int parent_to_child_fds[2]; |
107 | int child_to_parent_fds[2]; | 108 | int child_to_parent_fds[2]; |
@@ -241,6 +242,7 @@ void check_user_namespace(void) { | |||
241 | } | 242 | } |
242 | #endif | 243 | #endif |
243 | 244 | ||
245 | |||
244 | // exit commands | 246 | // exit commands |
245 | static void run_cmd_and_exit(int i, int argc, char **argv) { | 247 | static void run_cmd_and_exit(int i, int argc, char **argv) { |
246 | EUID_ASSERT(); | 248 | EUID_ASSERT(); |
@@ -255,33 +257,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
255 | } | 257 | } |
256 | else if (strcmp(argv[i], "--version") == 0) { | 258 | else if (strcmp(argv[i], "--version") == 0) { |
257 | printf("firejail version %s\n", VERSION); | 259 | printf("firejail version %s\n", VERSION); |
258 | #ifndef HAVE_NETWORK | 260 | printf("\n"); |
259 | printf("Networking support is disabled.\n"); | 261 | print_compiletime_support(); |
260 | #endif | 262 | printf("\n"); |
261 | #ifdef HAVE_NETWORK_RESTRICTED | ||
262 | printf("Networking support is allowed only to root user.\n"); | ||
263 | #endif | ||
264 | #ifndef HAVE_USERNS | ||
265 | printf("User namespace support is disabled.\n"); | ||
266 | #endif | ||
267 | #ifndef HAVE_SECCOMP | ||
268 | printf("Seccomp-bpf support is disabled.\n"); | ||
269 | #endif | ||
270 | #ifndef HAVE_BIND | ||
271 | printf("Bind support is disabled.\n"); | ||
272 | #endif | ||
273 | #ifndef HAVE_CHROOT | ||
274 | printf("Chroot support is disabled.\n"); | ||
275 | #endif | ||
276 | #ifndef HAVE_X11 | ||
277 | printf("X11 support is disabled.\n"); | ||
278 | #endif | ||
279 | #ifndef HAVE_FILE_TRANSFER | ||
280 | printf("File transfer support is disabled.\n"); | ||
281 | #endif | ||
282 | #ifndef HAVE_WHITELIST | ||
283 | printf("whitelisting support is disabled.\n"); | ||
284 | #endif | ||
285 | exit(0); | 263 | exit(0); |
286 | } | 264 | } |
287 | #ifdef HAVE_X11 | 265 | #ifdef HAVE_X11 |
@@ -905,6 +883,10 @@ int main(int argc, char **argv) { | |||
905 | //************************************* | 883 | //************************************* |
906 | // filtering | 884 | // filtering |
907 | //************************************* | 885 | //************************************* |
886 | #ifdef HAVE_APPARMOR | ||
887 | else if (strcmp(argv[i], "--apparmor") == 0) | ||
888 | arg_apparmor = 1; | ||
889 | #endif | ||
908 | #ifdef HAVE_SECCOMP | 890 | #ifdef HAVE_SECCOMP |
909 | else if (strncmp(argv[i], "--protocol=", 11) == 0) { | 891 | else if (strncmp(argv[i], "--protocol=", 11) == 0) { |
910 | if (checkcfg(CFG_SECCOMP)) { | 892 | if (checkcfg(CFG_SECCOMP)) { |
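Review bot: The new `--apparmor` branch sets `arg_apparmor = 1` unconditionally, whereas the neighbouring `--protocol=` handler first consults `checkcfg(CFG_SECCOMP)`, so an administrator who turns security filters off through the firejail.config mechanism has no equivalent switch for AppArmor. If that mechanism is meant to cover every filter, add a `CFG_APPARMOR` entry (not present in this commit) and wrap the assignment as `if (checkcfg(CFG_APPARMOR)) arg_apparmor = 1;`. Separately, the definition added in the first hunk, `int arg_apparmor; // apparmor`, relies on static zero-initialisation while its siblings spell out `= 0`; `int arg_apparmor = 0; // apparmor` keeps the file consistent. main() begins and ends outside this hunk.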
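--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -446,6 +446,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 
+if (strcmp(ptr, "apparmor") == 0) {
+#ifdef HAVE_APPARMOR
+arg_apparmor = 1;
+#endif
+return 0;
+}
+
 if (strncmp(ptr, "protocol ", 9) == 0) {
 #ifdef HAVE_SECCOMP
 if (checkcfg(CFG_SECCOMP))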
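Review bot: When the build lacks HAVE_APPARMOR, the new `apparmor` branch silently consumes the profile line and returns 0, so a profile author who relies on `apparmor` for confinement gets no confinement and no indication of it — whereas the command-line `--apparmor` branch in main.c is compiled out entirely in such a build and presumably falls through to the unknown-option handling. Fail loudly instead: before the `#endif` add `#else` and `fprintf(stderr, "Warning: AppArmor support not compiled in, \"apparmor\" ignored in %s line %d\n", fname, lineno);`, using the `fname` and `lineno` parameters profile_check_line already receives (assuming stdio is in scope as elsewhere in the file). profile_check_line begins and ends outside this hunk.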
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 1502a0312..9bf2a0a39 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -804,9 +804,17 @@ int sandbox(void* sandbox_arg) { | |||
804 | 804 | ||
805 | if (app_pid == 0) { | 805 | if (app_pid == 0) { |
806 | #ifdef HAVE_APPARMOR | 806 | #ifdef HAVE_APPARMOR |
807 | errno = 0; | 807 | if (arg_apparmor) { |
808 | if (aa_change_onexec("firejail-default")) | 808 | errno = 0; |
809 | fprintf(stderr, "Warning: apparmor profile not loaded, errno %d\n", errno); | 809 | if (aa_change_onexec("firejail-default")) { |
810 | fprintf(stderr, "Error: cannot confine the application using AppArmor.\n"); | ||
811 | fprintf(stderr, "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"); | ||
812 | fprintf(stderr, "As root, run \"aa-enforce firejail-default\" to load it.\n"); | ||
813 | exit(1); | ||
814 | } | ||
815 | else if (arg_debug) | ||
816 | printf("AppArmor enabled\n"); | ||
817 | } | ||
810 | #endif | 818 | #endif |
811 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died | 819 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died |
812 | start_application(); // start app | 820 | start_application(); // start app |
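Review bot: The failure message after `aa_change_onexec("firejail-default")` no longer reports errno even though the code still clears it beforehand; the replaced line printed `errno %d`, and without it an operator cannot tell a profile that is not loaded from a denied transition or a kernel without AppArmor, so keep the value in the first line, e.g. `fprintf(stderr, "Error: cannot confine the application using AppArmor (errno %d).\n", errno);`. Replacing the warning with `exit(1)` is the right direction — a confinement the user asked for and that cannot be applied should fail closed rather than run the application unconfined. Note that aa_change_onexec only takes effect at the next exec, so the confinement presumably depends on start_application() performing one, and if firejail itself runs under a distribution AppArmor profile that profile must permit the transition; neither is visible here and both are worth confirming. sandbox() begins and ends outside this hunk.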
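--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -34,6 +34,7 @@ void usage(void) {
 printf("\n");
 printf("Options:\n\n");
 printf(" -- - signal the end of options and disables further option processing.\n\n");
+printf(" --apparmor - enable AppArmor confinement\n\n");
 printf(" --appimage - sandbox an AppImage application\n\n");
 printf(" --audit - audit the sandbox, see Audit section for more details\n\n");
 printf(" --audit=test-program - audit the sandbox, see Audit section for more details\n\n");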
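--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -211,6 +211,9 @@ Mount /var directory read-write.
 The following security filters are currently implemented:
 
 .TP
+\fBapparmor
+Enable AppArmor confinement.
+.TP
 \fBcaps
 Enable default Linux capabilities filter.
 .TP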
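--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -75,6 +75,9 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox
 \fB\-\-
 Signal the end of options and disables further option processing.
 .TP
+\fB\-\-apparmor
+Enable AppArmor confinement. Formore information, please see \fBAPPARMOR\fR section below.
+.TP
 \fB\-\-appimage
 Sandbox an AppImage (http://appimage.org/) application.
 .br
@@ -1672,6 +1675,44 @@ $ firejail --tree
 1221:netblue:/usr/lib/firefox/firefox
 .RE
 
+.SH APPARMOR
+.TP
+AppArmor support is disabled by default at compile time. Use --enable-apparmor configuration option to enable it:
+.br
+
+.br
+$ ./configure --prefix=/usr --enable-apparmor
+.TP
+During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The profile needs to be loaded into the kernel by running the following command as root:
+.br
+
+.br
+# aa-enforce firejail-default
+.TP
+The installed profile tries to replicate some advanced security features inspired by kernel-based Grsecurity:
+.br
+
+.br
+- Prevent information leakage in /proc and /sys directories. The resulting filesystem is barely enough for running
+commands such as "top" and "ps aux".
+.br
+
+.br
+- Allow running programs only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Running
+programs and scripts from user home or other directories writable by the user is not allowed.
+.br
+
+.br
+- Disable D-Bus. D-Bus has long been a huge security hole, and most programs don't use it anyway.
+You should have no problems running Chromium or Firefox.
+
+.TP
+To enable AppArmor confinement on top of your current Firejail security features, pass \fB\-\-apparmor\fR flag to Firejail command line. You can also include \fBapparmor\fR command in a Firejail profile file. Example:
+.br
+
+.br
+$ firejail --apparmor firefox
+
 .SH FILE TRANSFER
 These features allow the user to inspect the filesystem container of an existing sandbox
 and transfer files from the container to the host filesystem.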