author | netblue30 <netblue30@yahoo.com> | 2016-08-23 07:01:46 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-08-23 07:01:46 -0400 |
commit | 0c7a3b7269e481065bff70ecdf342de37039b602 (patch) | |
tree | 704c282247461350acb7793dccf9fac5d7bd93bd | |
parent | x11 command in profile files (diff) | |
overlayfs fixes
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | src/firejail/fs.c | 8 | ||||
-rw-r--r-- | src/firejail/main.c | 9 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 63 | ||||
-rw-r--r-- | src/firejail/usage.c | 20 | ||||
-rw-r--r-- | src/man/firejail.txt | 18 |
6 files changed, 71 insertions, 48 deletions
@@ -16,7 +16,6 @@ firejail (0.9.42~rc2) baseline; urgency=low | |||
16 | * noexec support (--noexec) | 16 | * noexec support (--noexec) |
17 | * --overlay-clean option | 17 | * --overlay-clean option |
18 | * --overlay-named=name option | 18 | * --overlay-named=name option |
19 | * --overlay-path=path option | ||
20 | * compile time and run time support to disable overlayfs | 19 | * compile time and run time support to disable overlayfs |
21 | * Ubuntu snap support | 20 | * Ubuntu snap support |
22 | * include /dev/snd in --private-dev | 21 | * include /dev/snd in --private-dev |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index ddb25c2dd..c5ef27615 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -817,9 +817,10 @@ void fs_basic_fs(void) { | |||
817 | 817 | ||
818 | #ifdef HAVE_OVERLAYFS | 818 | #ifdef HAVE_OVERLAYFS |
819 | char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) { | 819 | char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) { |
820 | // create ~/.firejail directory | ||
821 | struct stat s; | 820 | struct stat s; |
822 | char *dirname; | 821 | char *dirname; |
822 | |||
823 | // create ~/.firejail directory | ||
823 | if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1) | 824 | if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1) |
824 | errExit("asprintf"); | 825 | errExit("asprintf"); |
825 | if (stat(dirname, &s) == -1) { | 826 | if (stat(dirname, &s) == -1) { |
@@ -835,12 +836,15 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) { | |||
835 | fprintf(stderr, "Error: invalid ~/.firejail directory\n"); | 836 | fprintf(stderr, "Error: invalid ~/.firejail directory\n"); |
836 | exit(1); | 837 | exit(1); |
837 | } | 838 | } |
838 | |||
839 | free(dirname); | 839 | free(dirname); |
840 | 840 | ||
841 | // check overlay directory | 841 | // check overlay directory |
842 | if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1) | 842 | if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1) |
843 | errExit("asprintf"); | 843 | errExit("asprintf"); |
844 | if (is_link(dirname)) { | ||
845 | fprintf(stderr, "Error: overlay directory is a symbolic link\n"); | ||
846 | exit(1); | ||
847 | } | ||
844 | if (allow_reuse == 0) { | 848 | if (allow_reuse == 0) { |
845 | if (stat(dirname, &s) == 0) { | 849 | if (stat(dirname, &s) == 0) { |
846 | fprintf(stderr, "Error: overlay directory already exists: %s\n", dirname); | 850 | fprintf(stderr, "Error: overlay directory already exists: %s\n", dirname); |
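Review bot: The new is_link() guard covers ~/.firejail/<subdirname>, but ~/.firejail itself is only checked with stat() a few lines above, and stat() follows symbolic links, so a symlink at that level still passes. Since this hunk is hardening exactly that pattern, the parent deserves the same treatment before its stat(): `if (is_link(dirname)) { fprintf(stderr, "Error: ~/.firejail is a symbolic link\n"); exit(1); }`. The is_link() check and whatever later creates or reuses the directory are separate calls, so there is a window between them; whether the later code re-verifies the result (lstat/fstat after mkdir or open) is not visible here. fs_check_overlay_dir continues past the end of the hunk.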
diff --git a/src/firejail/main.c b/src/firejail/main.c index bdb8e0df5..27e2a7f1a 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1365,6 +1365,13 @@ int main(int argc, char **argv) { | |||
1365 | fprintf(stderr, "Error: invalid overlay option\n"); | 1365 | fprintf(stderr, "Error: invalid overlay option\n"); |
1366 | exit(1); | 1366 | exit(1); |
1367 | } | 1367 | } |
1368 | |||
1369 | // check name | ||
1370 | invalid_filename(subdirname); | ||
1371 | if (strstr(subdirname, "..") || strstr(subdirname, "/")) { | ||
1372 | fprintf(stderr, "Error: invalid overlay name\n"); | ||
1373 | exit(1); | ||
1374 | } | ||
1368 | cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); | 1375 | cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); |
1369 | } | 1376 | } |
1370 | else { | 1377 | else { |
@@ -1373,6 +1380,7 @@ int main(int argc, char **argv) { | |||
1373 | } | 1380 | } |
1374 | 1381 | ||
1375 | } | 1382 | } |
1383 | #if 0 // disabled for now, it could be used to overwrite system directories | ||
1376 | else if (strncmp(argv[i], "--overlay-path=", 15) == 0) { | 1384 | else if (strncmp(argv[i], "--overlay-path=", 15) == 0) { |
1377 | if (checkcfg(CFG_OVERLAYFS)) { | 1385 | if (checkcfg(CFG_OVERLAYFS)) { |
1378 | if (cfg.chrootdir) { | 1386 | if (cfg.chrootdir) { |
@@ -1400,6 +1408,7 @@ int main(int argc, char **argv) { | |||
1400 | exit(1); | 1408 | exit(1); |
1401 | } | 1409 | } |
1402 | } | 1410 | } |
1411 | #endif | ||
1403 | else if (strcmp(argv[i], "--overlay-tmpfs") == 0) { | 1412 | else if (strcmp(argv[i], "--overlay-tmpfs") == 0) { |
1404 | if (checkcfg(CFG_OVERLAYFS)) { | 1413 | if (checkcfg(CFG_OVERLAYFS)) { |
1405 | if (cfg.chrootdir) { | 1414 | if (cfg.chrootdir) { |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 0818bf450..0851e71cd 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -378,7 +378,30 @@ void start_application(void) { | |||
378 | exit(1); // it should never get here!!! | 378 | exit(1); // it should never get here!!! |
379 | } | 379 | } |
380 | 380 | ||
381 | 381 | static void enforce_filters(void) { | |
382 | // force default seccomp inside the chroot, no keep or drop list | ||
383 | // the list build on top of the default drop list is kept intact | ||
384 | arg_seccomp = 1; | ||
385 | if (cfg.seccomp_list_drop) { | ||
386 | free(cfg.seccomp_list_drop); | ||
387 | cfg.seccomp_list_drop = NULL; | ||
388 | } | ||
389 | if (cfg.seccomp_list_keep) { | ||
390 | free(cfg.seccomp_list_keep); | ||
391 | cfg.seccomp_list_keep = NULL; | ||
392 | } | ||
393 | |||
394 | // disable all capabilities | ||
395 | if (arg_caps_default_filter || arg_caps_list) | ||
396 | fprintf(stderr, "Warning: all capabilities disabled for a regular user in chroot\n"); | ||
397 | arg_caps_drop_all = 1; | ||
398 | |||
399 | // drop all supplementary groups; /etc/group file inside chroot | ||
400 | // is controlled by a regular usr | ||
401 | arg_nogroups = 1; | ||
402 | if (!arg_quiet) | ||
403 | printf("Dropping all Linux capabilities and enforcing default seccomp filter\n"); | ||
404 | } | ||
382 | 405 | ||
383 | int sandbox(void* sandbox_arg) { | 406 | int sandbox(void* sandbox_arg) { |
384 | // Get rid of unused parameter warning | 407 | // Get rid of unused parameter warning |
@@ -463,37 +486,13 @@ int sandbox(void* sandbox_arg) { | |||
463 | #ifdef HAVE_CHROOT | 486 | #ifdef HAVE_CHROOT |
464 | if (cfg.chrootdir) { | 487 | if (cfg.chrootdir) { |
465 | fs_chroot(cfg.chrootdir); | 488 | fs_chroot(cfg.chrootdir); |
466 | |||
467 | // // redo cp command | ||
468 | // fs_build_cp_command(); | ||
469 | 489 | ||
470 | // force caps and seccomp if not started as root | 490 | // force caps and seccomp if not started as root |
471 | if (getuid() != 0) { | 491 | if (getuid() != 0) { |
472 | // force default seccomp inside the chroot, no keep or drop list | 492 | enforce_filters(); |
473 | // the list build on top of the default drop list is kept intact | ||
474 | arg_seccomp = 1; | ||
475 | #ifdef HAVE_SECCOMP | 493 | #ifdef HAVE_SECCOMP |
476 | enforce_seccomp = 1; | 494 | enforce_seccomp = 1; |
477 | #endif | 495 | #endif |
478 | if (cfg.seccomp_list_drop) { | ||
479 | free(cfg.seccomp_list_drop); | ||
480 | cfg.seccomp_list_drop = NULL; | ||
481 | } | ||
482 | if (cfg.seccomp_list_keep) { | ||
483 | free(cfg.seccomp_list_keep); | ||
484 | cfg.seccomp_list_keep = NULL; | ||
485 | } | ||
486 | |||
487 | // disable all capabilities | ||
488 | if (arg_caps_default_filter || arg_caps_list) | ||
489 | fprintf(stderr, "Warning: all capabilities disabled for a regular user in chroot\n"); | ||
490 | arg_caps_drop_all = 1; | ||
491 | |||
492 | // drop all supplementary groups; /etc/group file inside chroot | ||
493 | // is controlled by a regular usr | ||
494 | arg_nogroups = 1; | ||
495 | if (!arg_quiet) | ||
496 | printf("Dropping all Linux capabilities and enforcing default seccomp filter\n"); | ||
497 | } | 496 | } |
498 | else | 497 | else |
499 | arg_seccomp = 1; | 498 | arg_seccomp = 1; |
@@ -507,8 +506,18 @@ int sandbox(void* sandbox_arg) { | |||
507 | else | 506 | else |
508 | #endif | 507 | #endif |
509 | #ifdef HAVE_OVERLAYFS | 508 | #ifdef HAVE_OVERLAYFS |
510 | if (arg_overlay) | 509 | if (arg_overlay) { |
511 | fs_overlayfs(); | 510 | fs_overlayfs(); |
511 | // force caps and seccomp if not started as root | ||
512 | if (getuid() != 0) { | ||
513 | enforce_filters(); | ||
514 | #ifdef HAVE_SECCOMP | ||
515 | enforce_seccomp = 1; | ||
516 | #endif | ||
517 | } | ||
518 | else | ||
519 | arg_seccomp = 1; | ||
520 | } | ||
512 | else | 521 | else |
513 | #endif | 522 | #endif |
514 | fs_basic_fs(); | 523 | fs_basic_fs(); |
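Review bot: enforce_filters() is now also called from the --overlay branch, but its warning (new line 396) still says "for a regular user in chroot", so an overlay user who passed a caps option gets a message about a chroot they are not in. A short parameter naming the sandbox kind fixes the wording and keeps one implementation. The `#ifdef HAVE_SECCOMP enforce_seccomp = 1; #endif` and the `else arg_seccomp = 1;` are repeated verbatim at both call sites; folding at least the HAVE_SECCOMP part into enforce_filters() leaves one place to maintain. A one-line comment above enforce_filters(), e.g. `// hardening for sandboxes whose root filesystem a non-root user controls (chroot, overlay)`, would state why it exists.
```c
static void enforce_filters(const char *where) {
	// … unchanged: seccomp list reset …
	if (arg_caps_default_filter || arg_caps_list)
		fprintf(stderr, "Warning: all capabilities disabled for a regular user in %s\n", where);
	// … unchanged: arg_caps_drop_all, arg_nogroups, printf …
}
// … unchanged: sandbox() up to the chroot branch …
			enforce_filters("chroot");
// … unchanged: up to the overlay branch …
			enforce_filters("overlay");
```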
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index ebe1c8830..d4eab7802 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -185,10 +185,30 @@ void usage(void) { | |||
185 | printf("\t$HOME/.firejail/<NAME> directory. (OverlayFS support is required in\n"); | 185 | printf("\t$HOME/.firejail/<NAME> directory. (OverlayFS support is required in\n"); |
186 | printf("\tLinux kernel for this option to work). \n\n"); | 186 | printf("\tLinux kernel for this option to work). \n\n"); |
187 | 187 | ||
188 | #if 0 // disabled for now, it could be used to overwrite system directories | ||
188 | printf(" --overlay-path=path - mount a filesystem overlay on top of the current\n"); | 189 | printf(" --overlay-path=path - mount a filesystem overlay on top of the current\n"); |
189 | printf("\tfilesystem. The upper filesystem layer is persistent, and stored in\n"); | 190 | printf("\tfilesystem. The upper filesystem layer is persistent, and stored in\n"); |
190 | printf("\tthe specified path. (OverlayFS support is required in Linux kernel for\n"); | 191 | printf("\tthe specified path. (OverlayFS support is required in Linux kernel for\n"); |
191 | printf("\tthis option to work). \n\n"); | 192 | printf("\tthis option to work). \n\n"); |
193 | |||
194 | .TP | ||
195 | \fB\-\-overlay-path=path | ||
196 | Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, | ||
197 | the system directories are mounted read-write. All filesystem modifications go into the overlay. | ||
198 | The overlay is stored in the specified path. The created overlay can be reused between multiple sessions. | ||
199 | .br | ||
200 | |||
201 | .br | ||
202 | OverlayFS support is required in Linux kernel for this option to work. | ||
203 | OverlayFS was officially introduced in Linux kernel version 3.18. | ||
204 | This option is not available on Grsecurity systems. | ||
205 | .br | ||
206 | |||
207 | .br | ||
208 | Example: | ||
209 | .br | ||
210 | $ firejail \-\-overlay-path=~/jails/jail1 firefox | ||
211 | #endif | ||
192 | 212 | ||
193 | printf(" --overlay-tmpfs - mount a filesystem overlay on top of the current\n"); | 213 | printf(" --overlay-tmpfs - mount a filesystem overlay on top of the current\n"); |
194 | printf("\tfilesystem. The upper layer is stored in a tmpfs filesystem,\n"); | 214 | printf("\tfilesystem. The upper layer is stored in a tmpfs filesystem,\n"); |
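Review bot: New lines 194–210 are roff man-page source (.TP, \fB, .br) pasted into usage.c; they only compile because they sit inside the #if 0 block, and they duplicate the text this same commit deletes from src/man/firejail.txt. They should be removed from usage.c, and if the --overlay-path description is worth keeping for a later re-enable it belongs in the man page source, not in a C file. The `#if 0 // disabled for now, it could be used to overwrite system directories` comment is the only record of why the option went away; a sentence on what would make it safe to bring back would help whoever next touches it.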
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index b258c3d20..19fca9854 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1037,24 +1037,6 @@ Example: | |||
1037 | $ firejail \-\-overlay-named=jail1 firefox | 1037 | $ firejail \-\-overlay-named=jail1 firefox |
1038 | 1038 | ||
1039 | .TP | 1039 | .TP |
1040 | \fB\-\-overlay-path=path | ||
1041 | Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, | ||
1042 | the system directories are mounted read-write. All filesystem modifications go into the overlay. | ||
1043 | The overlay is stored in the specified path. The created overlay can be reused between multiple sessions. | ||
1044 | .br | ||
1045 | |||
1046 | .br | ||
1047 | OverlayFS support is required in Linux kernel for this option to work. | ||
1048 | OverlayFS was officially introduced in Linux kernel version 3.18. | ||
1049 | This option is not available on Grsecurity systems. | ||
1050 | .br | ||
1051 | |||
1052 | .br | ||
1053 | Example: | ||
1054 | .br | ||
1055 | $ firejail \-\-overlay-path=~/jails/jail1 firefox | ||
1056 | |||
1057 | .TP | ||
1058 | \fB\-\-overlay-tmpfs | 1040 | \fB\-\-overlay-tmpfs |
1059 | Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay, | 1041 | Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay, |
1060 | and are discarded when the sandbox is closed. | 1042 | and are discarded when the sandbox is closed. |