author | netblue30 <netblue30@yahoo.com> | 2016-08-09 07:46:28 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-08-09 07:46:28 -0400 |
commit | c22f9de02db17cb10b08f3d4893987228799ca89 (patch) | |
tree | 592437e48f29b98a18fefc7f60e2cc7abf0b7c04 | |
parent | --private-bin and --private-etc fix (diff) | |
various fixes
-rw-r--r-- | src/firejail/sandbox.c | 27 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 12 | ||||
-rwxr-xr-x | test/features/1.2.exp | 24 | ||||
-rwxr-xr-x | test/features/3.6.exp | 11 | ||||
-rwxr-xr-x | test/features/3.8.exp | 8 |
5 files changed, 56 insertions, 26 deletions
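--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -460,8 +460,9 @@ int sandbox(void* sandbox_arg) {
 #ifdef HAVE_CHROOT
 if (cfg.chrootdir) {
 fs_chroot(cfg.chrootdir);
-// redo cp command
-fs_build_cp_command();
+
+// // redo cp command
+// fs_build_cp_command();
 
 // force caps and seccomp if not started as root
 if (getuid() != 0) {
@@ -482,7 +483,7 @@ int sandbox(void* sandbox_arg) {
 
 // disable all capabilities
 if (arg_caps_default_filter || arg_caps_list)
-fprintf(stderr, "Warning: all capabilities disabled for a regular user during chroot\n");
+fprintf(stderr, "Warning: all capabilities disabled for a regular user in chroot\n");
 arg_caps_drop_all = 1;
 
 // drop all supplementary groups; /etc/group file inside chroot
@@ -530,13 +531,21 @@ int sandbox(void* sandbox_arg) {
 if (arg_private_dev)
 fs_private_dev();
 if (arg_private_etc) {
-fs_private_etc_list();
-// create /etc/ld.so.preload file again
-if (arg_trace || arg_tracelog)
-fs_trace_preload();
+if (cfg.chrootdir)
+fprintf(stderr, "Warning: private-etc feature is disabled in chroot\n");
+else {
+fs_private_etc_list();
+// create /etc/ld.so.preload file again
+if (arg_trace || arg_tracelog)
+fs_trace_preload();
+}
+}
+if (arg_private_bin) {
+if (cfg.chrootdir)
+fprintf(stderr, "Warning: private-bin feature is disabled in chroot\n");
+else
+fs_private_bin_list();
 }
-if (arg_private_bin)
-fs_private_bin_list();
 if (arg_private_tmp)
 fs_private_tmp();
 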
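Review bot: In the third hunk, `--private-etc` and `--private-bin` are dropped with only a stderr warning when `cfg.chrootdir` is set, so the sandbox starts with a less restricted filesystem view than the user requested, and a wrapper that discards stderr will not notice. Consider clearing the flags next to the warnings, e.g. `arg_private_etc = 0;` and `arg_private_bin = 0;`, so that any later check of them (none is visible in this hunk) does not treat the feature as active. A short comment such as `// not applied inside a chroot: the chroot's own /etc is left as is` would record the reason. The first hunk also leaves `fs_build_cp_command()` commented out with no explanation; either delete the two lines or state why the call is no longer needed after `fs_chroot()`. sandbox() starts and ends outside all three hunks.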
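--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -101,10 +101,22 @@ static void filter_init(void) {
 sfilter_alloc_size = SECSIZE;
 
 // copy the start entries
+#if defined(__x86_64__)
+#define X32_SYSCALL_BIT 0x40000000
+struct sock_filter filter[] = {
+VALIDATE_ARCHITECTURE,
+EXAMINE_SYSCALL,
+// handle X32 ABI
+BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0),
+BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0),
+RETURN_ERRNO(EPERM)
+};
+#else
 struct sock_filter filter[] = {
 VALIDATE_ARCHITECTURE,
 EXAMINE_SYSCALL
 };
+#endif
 sfilter_index = sizeof(filter) / sizeof(struct sock_filter);
 memcpy(sfilter, filter, sizeof(filter));
 }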
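Review bot: The two `BPF_JUMP` lines in the `__x86_64__` branch depend on hand-counted jump offsets, and the comment `// handle X32 ABI` does not say what the filter does: a syscall number with bit 30 set falls into `RETURN_ERRNO(EPERM)`, and everything else skips it through a `JGE 0` test that is always true. Please spell that out, e.g. `// x32 syscalls (nr >= X32_SYSCALL_BIT) get EPERM; they presumably pass the x86_64 arch check but would not match the per-syscall entries appended later`, and consider `BPF_STMT(BPF_JMP+BPF_JA, 1)` for the unconditional skip so the intent is visible. The `#define X32_SYSCALL_BIT` sits inside filter_init() and stays defined for the rest of the file; defining it at file scope, or using `__X32_SYSCALL_BIT` from `<asm/unistd.h>` where the headers provide it, avoids a second definition drifting from the kernel's. filter_init() begins outside the hunk.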
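--- a/test/features/1.2.exp
+++ b/test/features/1.2.exp
@@ -115,22 +115,22 @@ if { $chroot == "chroot" } {
 timeout {puts "TESTING ERROR 5.3\n";exit}
 "proc /proc/sys proc"
 }
-expect {
-timeout {puts "TESTING ERROR 5.4\n";exit}
-"proc /proc/sysrq-trigger proc"
-}
+# expect {
+# timeout {puts "TESTING ERROR 5.4\n";exit}
+# "proc /proc/sysrq-trigger proc"
+# }
 # expect {
 # timeout {puts "TESTING ERROR 5.5\n";exit}
 # "proc /proc/sys/kernel/hotplug"
 # }
-expect {
-timeout {puts "TESTING ERROR 5.6\n";exit}
-"proc /proc/irq proc"
-}
-expect {
-timeout {puts "TESTING ERROR 5.7\n";exit}
-"proc /proc/bus proc"
-}
+# expect {
+# timeout {puts "TESTING ERROR 5.6\n";exit}
+# "proc /proc/irq proc"
+# }
+# expect {
+# timeout {puts "TESTING ERROR 5.7\n";exit}
+# "proc /proc/bus proc"
+# }
 after 100
 send -- "exit\r"
 sleep 1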
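Review bot: The expectations for `/proc/sysrq-trigger`, `/proc/irq` and `/proc/bus` in the chroot branch are commented out rather than replaced, so this test no longer checks that those entries show up in the sandbox's mount listing, and a regression in how they are handled in a chroot would pass unnoticed. If their absence in chroot is intended, say so above the block, e.g. `# not expected in chroot: <reason / issue id>`; if it is a temporary workaround, mark it so the checks are restored later. The enclosing `if { $chroot == "chroot" }` block starts and ends outside the hunk.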
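--- a/test/features/3.6.exp
+++ b/test/features/3.6.exp
@@ -60,14 +60,19 @@ if { $chroot == "chroot" } {
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}
 "chroot option is not available" {puts "grsecurity\n"; exit}
+"private-etc feature is disabled in chroot"
+}
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"chroot option is not available" {puts "grsecurity\n"; exit}
 "Child process initialized"
 }
 sleep 1
 
-send -- "ls -al /etc | wc -l\r"
+send -- "ls /etc | grep firejail\r"
 expect {
-timeout {puts "TESTING ERROR 5.1\n";exit}
-"10"
+timeout {puts "TESTING ERROR 6\n";exit}
+"firejail"
 }
 
 after 100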
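Review bot: The final check can pass without the sandbox producing any output, because the pattern `"firejail"` also occurs in the command just sent (`ls /etc | grep firejail`) and the terminal echo of that command will normally satisfy the `expect`. Match the output line instead, for example `-re "\nfirejail\r"`, or send a command whose text does not contain the expected token. The single-character pattern `"9"` in test/features/3.8.exp is similarly loose, since it matches any 9 in the buffered output and depends on how the chroot under /tmp/chroot was populated. The enclosing `if { $chroot == "chroot" }` block extends beyond the hunk.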
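--- a/test/features/3.8.exp
+++ b/test/features/3.8.exp
@@ -61,14 +61,18 @@ if { $chroot == "chroot" } {
 send -- "firejail --noprofile --chroot=/tmp/chroot --private-bin=bash,cat,cp,ls,wc\r"
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}
+"private-bin feature is disabled in chroot"
+}
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
 "Child process initialized"
 }
 sleep 1
 
 send -- "ls -l /usr/bin | wc -l\r"
 expect {
-timeout {puts "TESTING ERROR 5.1\n";exit}
-"6"
+timeout {puts "TESTING ERROR 6\n";exit}
+"9"
 }
 
 after 100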