author | netblue30 <netblue30@yahoo.com> | 2016-07-12 08:21:57 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-07-12 08:21:57 -0400 |
commit | 67f8a71cd721b1786dc5b17248316a714ea71869 (patch) | |
tree | 2c4ed7ce9d754835b8a9f838ce5a4c5db902214e | |
parent | audit work (diff) | |
whitelist rework
-rw-r--r-- | README.md | 17 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 28 | ||||
-rw-r--r-- | src/man/firejail.txt | 6 | ||||
-rw-r--r-- | todo | 57 |
4 files changed, 92 insertions, 16 deletions
@@ -40,6 +40,23 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ | |||
40 | 40 | ||
41 | --user option was deprecated, please use "sudo -u username firejail application" instead. | 41 | --user option was deprecated, please use "sudo -u username firejail application" instead. |
42 | 42 | ||
43 | ## --whitelist rework | ||
44 | |||
45 | Symlinks outside user home directories are allowed: | ||
46 | ````` | ||
47 | --whitelist=dirname_or_filename | ||
48 | Whitelist directory or file. This feature is implemented only | ||
49 | for user home, /dev, /media, /opt, /var, and /tmp directories. | ||
50 | With the exeception of user home, both the link and the real | ||
51 | file should be in the same top directory. | ||
52 | |||
53 | Example: | ||
54 | $ firejail --noprofile --whitelist=~/.mozilla | ||
55 | $ firejail --whitelist=/tmp/.X11-unix --whitelist=/dev/null | ||
56 | $ firejail "--whitelist=/home/username/My Virtual Machines" | ||
57 | ````` | ||
58 | |||
59 | |||
43 | ## AppImage | 60 | ## AppImage |
44 | 61 | ||
45 | AppImage (http://appimage.org/) is a distribution-agnostic packaging format. | 62 | AppImage (http://appimage.org/) is a distribution-agnostic packaging format. |
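diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index ba6c8cd74..926e5415c 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -181,11 +181,15 @@ static void whitelist_path(ProfileEntry *entry) {
 char *wfile = NULL;
 
 if (entry->home_dir) {
-fname = path + strlen(cfg.homedir);
-if (*fname == '\0') {
-fprintf(stderr, "Error: file %s is not in user home directory, exiting...\n", path);
-exit(1);
+if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) {
+fname = path + strlen(cfg.homedir);
+if (*fname == '\0') {
+fprintf(stderr, "Error: file %s is not in user home directory, exiting...\n", path);
+exit(1);
+}
 }
+else
+fname = path;
 
 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1)
 errExit("asprintf");
@@ -248,9 +252,6 @@ static void whitelist_path(ProfileEntry *entry) {
 printf("Whitelisting %s\n", path);
 }
 else {
-if (arg_debug || arg_debug_whitelists) {
-fprintf(stderr, "Warning (whitelisting): %s is an invalid file, skipping...\n", path);
-}
 return;
 }
 
@@ -390,13 +391,14 @@ void fs_whitelist(void) {
 
 entry->home_dir = 1;
 home_dir = 1;
+if (arg_debug)
+fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n",
+__LINE__, fname, cfg.homedir);
+
 // both path and absolute path are under /home
-if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) {
-if (arg_debug)
-fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n",
-__LINE__, fname, cfg.homedir);
-goto errexit;
-}
+// if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) {
+// goto errexit;
+// }
 }
 else if (strncmp(new_name, "/tmp/", 5) == 0) {
 entry->tmp_dir = 1;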
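Review bot: The prefix test added at new line 184 of whitelist_path matches any path that merely begins with cfg.homedir, so with cfg.homedir `/home/al` a path under `/home/alice/` is treated as inside the home and fname becomes `ice/...`; require a separator after the prefix, e.g. `size_t hlen = strlen(cfg.homedir);` followed by `if (strncmp(path, cfg.homedir, hlen) == 0 && (path[hlen] == '/' || path[hlen] == '\0')) {`. This matters more now that the containment check in fs_whitelist (new lines 399-401) is commented out, because the branch chosen here decides whether the home prefix is stripped before wfile is built from RUN_WHITELIST_HOME_USER_DIR. The commented-out block at 399-401 should be deleted rather than kept as dead text, with a one-line comment such as `// symlinks in the home directory may resolve outside it; whitelist_path handles both cases` stating the intent. Both whitelist_path and fs_whitelist begin and end outside these hunks.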
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index cd9ea6a8a..f7079200e 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1515,14 +1515,14 @@ firejail version 0.9.27 | |||
1515 | .TP | 1515 | .TP |
1516 | \fB\-\-whitelist=dirname_or_filename | 1516 | \fB\-\-whitelist=dirname_or_filename |
1517 | Whitelist directory or file. This feature is implemented only for user home, /dev, /media, /opt, /var, and /tmp directories. | 1517 | Whitelist directory or file. This feature is implemented only for user home, /dev, /media, /opt, /var, and /tmp directories. |
1518 | When whitlisting symbolic links, both the link and the real file should be in the same top directory | 1518 | With the exeception of user home, both the link and the real file should be in |
1519 | (home user, /media, /var etc.) | 1519 | the same top directory. |
1520 | .br | 1520 | .br |
1521 | 1521 | ||
1522 | .br | 1522 | .br |
1523 | Example: | 1523 | Example: |
1524 | .br | 1524 | .br |
1525 | $ firejail \-\-whitelist=~/.mozilla \-\-whitelist=~/Downloads | 1525 | $ firejail \-\-noprofile \-\-whitelist=~/.mozilla |
1526 | .br | 1526 | .br |
1527 | $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null | 1527 | $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null |
1528 | .br | 1528 | .br |
@@ -161,3 +161,60 @@ To disable Vsync | |||
161 | 161 | ||
162 | $ vblank_mode=0 glxgears | 162 | $ vblank_mode=0 glxgears |
163 | 163 | ||
164 | 18. Bring in nvidia drives in private-dev | ||
165 | |||
166 | /dev/nvidia[0-9], /dev/nvidiactl, /dev/nvidia-modset and /dev/nvidia-uvm | ||
167 | |||
168 | 19. testing snaps | ||
169 | |||
170 | Install firejail from official repository | ||
171 | sudo apt-get install firejail | ||
172 | |||
173 | Check firejail version | ||
174 | firejail --version | ||
175 | |||
176 | Above command outputs: firejail version 0.9.38 | ||
177 | |||
178 | Search the snap 'ubuntu clock' application | ||
179 | sudo snap find ubuntu-clock-app | ||
180 | |||
181 | Install 'ubuntu clock' application using snap | ||
182 | sudo snap install ubuntu-clock-app | ||
183 | |||
184 | Ubuntu snap packages are installed in /snap/// directory and can be executed from /snap/bin/ | ||
185 | cd /snap/bin/ | ||
186 | ls -l | ||
187 | |||
188 | Note: We see application name is: ubuntu-clock-app.clock | ||
189 | |||
190 | Run application | ||
191 | /snap/bin/ubuntu-clock-app.clock | ||
192 | |||
193 | Note: Application starts-up without a problem and clock is displayed. | ||
194 | |||
195 | Close application using mouse. | ||
196 | |||
197 | Now try to firejail the application. | ||
198 | firejail /snap/bin/ubuntu-clock-app.clock | ||
199 | |||
200 | -------- Error message -------- | ||
201 | Reading profile /etc/firejail/generic.profile | ||
202 | Reading profile /etc/firejail/disable-mgmt.inc | ||
203 | Reading profile /etc/firejail/disable-secret.inc | ||
204 | Reading profile /etc/firejail/disable-common.inc | ||
205 | |||
206 | ** Note: you can use --noprofile to disable generic.profile ** | ||
207 | |||
208 | Parent pid 3770, child pid 3771 | ||
209 | |||
210 | Child process initialized | ||
211 | need to run as root or suid | ||
212 | |||
213 | parent is shutting down, bye... | ||
214 | -------- End of Error message -------- | ||
215 | |||
216 | Try running as root as message instructs. | ||
217 | sudo firejail /snap/bin/ubuntu-clock-app.clock | ||
218 | |||
219 | extract env for process | ||
220 | ps e -p <pid> | sed 's/ /\n/g' | ||