author | netblue30 <netblue30@yahoo.com> | 2018-10-13 14:05:27 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2018-10-13 14:05:27 -0400 |
commit | 82a636a1da84ec2972bf5c10d0992add8affbabe (patch) | |
tree | 4203e039b51c2a8e1dd50df785bcf744548dc633 | |
parent | Merge branch 'master' of http://github.com/netblue30/firejail (diff) | |
bringing in the fix for always have helpers in sandbox (original pull rq from crass)
-rw-r--r-- | src/firejail/firejail.h | 29 | ||||
-rw-r--r-- | src/firejail/network_main.c | 18 | ||||
-rw-r--r-- | src/firejail/preproc.c | 4 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 3 |
4 files changed, 39 insertions, 15 deletions
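--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -32,6 +32,7 @@
 #define RUN_FIREJAIL_DIR "/run/firejail"
 #define RUN_FIREJAIL_APPIMAGE_DIR "/run/firejail/appimage"
 #define RUN_FIREJAIL_NAME_DIR "/run/firejail/name" // also used in src/lib/pid.c - todo: move it in a common place
+#define RUN_FIREJAIL_LIB_DIR "/run/firejail/lib"
 #define RUN_FIREJAIL_X11_DIR "/run/firejail/x11"
 #define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network"
 #define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth"
@@ -790,16 +791,32 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 
 // sbox.c
 // programs
-#define PATH_FNET (LIBDIR "/firejail/fnet")
-#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter")
+#define PATH_FNET_MAIN (LIBDIR "/firejail/fnet") // when called from main thread
+#define PATH_FNET (RUN_FIREJAIL_LIB_DIR "/fnet") // when called from sandbox thread
+
+//#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter")
+#define PATH_FNETFILTER (RUN_FIREJAIL_LIB_DIR "/fnetfilter")
+
 #define PATH_FIREMON (PREFIX "/bin/firemon")
 #define PATH_FIREJAIL (PREFIX "/bin/firejail")
-#define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
+
+//#define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
+#define PATH_FSECCOMP ( RUN_FIREJAIL_LIB_DIR "/fseccomp")
+
+// FSEC_PRINT is run outside of sandbox by --seccomp.print
+// it is also run from inside the sandbox by --debug; in this case we do an access(filename, X_OK) test first
 #define PATH_FSEC_PRINT (LIBDIR "/firejail/fsec-print")
-#define PATH_FSEC_OPTIMIZE (LIBDIR "/firejail/fsec-optimize")
-#define PATH_FCOPY (LIBDIR "/firejail/fcopy")
+
+//#define PATH_FSEC_OPTIMIZE (LIBDIR "/firejail/fsec-optimize")
+#define PATH_FSEC_OPTIMIZE (RUN_FIREJAIL_LIB_DIR "/fsec-optimize")
+
+//#define PATH_FCOPY (LIBDIR "/firejail/fcopy")
+#define PATH_FCOPY (RUN_FIREJAIL_LIB_DIR "/fcopy")
+
 #define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin"
-#define PATH_FLDD (LIBDIR "/firejail/fldd")
+
+//#define PATH_FLDD (LIBDIR "/firejail/fldd")
+#define PATH_FLDD (RUN_FIREJAIL_LIB_DIR "/fldd")
 
 // bitmapped filters for sbox_run
 #define SBOX_ROOT (1 << 0) // run the sandbox as root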
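Review bot: The repointed macros PATH_FNETFILTER, PATH_FSECCOMP, PATH_FSEC_OPTIMIZE, PATH_FCOPY and PATH_FLDD now name files under RUN_FIREJAIL_LIB_DIR, but only PATH_FNET carries a comment saying it is for the sandbox side. Elsewhere in this commit that directory is created empty by preproc_build_firejail_dir() and only gets the helpers once sandbox() bind-mounts LIBDIR "/firejail" onto it. Any caller that uses one of these macros from the parent process or before that mount would therefore try to exec a file that is not there; the call sites are outside this diff, so this needs checking. I would state the precondition once above the group, e.g. `// paths under RUN_FIREJAIL_LIB_DIR exist only after the bind mount in sandbox(); use the LIBDIR form from the parent process`. I would also delete the commented-out `//#define ... (LIBDIR ...)` lines rather than keep the old values as dead code, and drop the stray space in `( RUN_FIREJAIL_LIB_DIR "/fseccomp")`.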
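--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -157,7 +157,7 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child) {
 char *cstr;
 if (asprintf(&cstr, "%d", child) == -1)
 errExit("asprintf");
-sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 7, PATH_FNET, "create", "veth", dev, ifname, br->dev, cstr);
+sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 7, PATH_FNET_MAIN, "create", "veth", dev, ifname, br->dev, cstr);
 free(cstr);
 
 char *msg;
@@ -332,42 +332,42 @@ void network_main(pid_t child) {
 net_configure_veth_pair(&cfg.bridge0, "eth0", child);
 }
 else
-sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr);
+sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr);
 }
 
 if (cfg.bridge1.configured) {
 if (cfg.bridge1.macvlan == 0)
 net_configure_veth_pair(&cfg.bridge1, "eth1", child);
 else
-sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr);
+sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr);
 }
 
 if (cfg.bridge2.configured) {
 if (cfg.bridge2.macvlan == 0)
 net_configure_veth_pair(&cfg.bridge2, "eth2", child);
 else
-sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr);
+sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr);
 }
 
 if (cfg.bridge3.configured) {
 if (cfg.bridge3.macvlan == 0)
 net_configure_veth_pair(&cfg.bridge3, "eth3", child);
 else
-sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge3.devsandbox, cfg.bridge3.dev, cstr);
+sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge3.devsandbox, cfg.bridge3.dev, cstr);
 }
 
 // move interfaces in sandbox
 if (cfg.interface0.configured) {
-sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface0.dev, cstr);
+sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface0.dev, cstr);
 }
 if (cfg.interface1.configured) {
-sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface1.dev, cstr);
+sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface1.dev, cstr);
 }
 if (cfg.interface2.configured) {
-sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface2.dev, cstr);
+sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface2.dev, cstr);
 }
 if (cfg.interface3.configured) {
-sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface3.dev, cstr);
+sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface3.dev, cstr);
 }
 
 free(cstr);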
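--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -62,6 +62,10 @@ void preproc_build_firejail_dir(void) {
 create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);
 }
 
+if (stat(RUN_FIREJAIL_LIB_DIR, &s)) {
+create_empty_dir_as_root(RUN_FIREJAIL_LIB_DIR, 0755);
+}
+
 if (stat(RUN_MNT_DIR, &s)) {
 create_empty_dir_as_root(RUN_MNT_DIR, 0755);
 }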
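--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -587,6 +587,9 @@ int sandbox(void* sandbox_arg) {
 }
 // ... and mount a tmpfs on top of /run/firejail/mnt directory
 preproc_mount_mnt_dir();
+// bind-mount firejail binaries and helper programs
+if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, "none", MS_BIND, NULL) < 0)
+errExit("mounting " RUN_FIREJAIL_LIB_DIR);
 
 //****************************
 // log sandbox data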
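Review bot: The new bind mount `mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, "none", MS_BIND, NULL)` exposes the helper directory inside the sandbox with whatever flags the source mount carries, so nothing on this line makes it read-only, nosuid or nodev. These are the helper programs the PATH_* macros in firejail.h now point at, so a sandboxed process with write permission on them (a sandbox running as root, for instance) could alter what firejail later executes. I would follow the bind with a locking remount: `if (mount(NULL, RUN_FIREJAIL_LIB_DIR, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_NOSUID|MS_NODEV, NULL) < 0) errExit("remounting " RUN_FIREJAIL_LIB_DIR);`. A short comment that MS_RDONLY is ignored on the initial MS_BIND call, and so needs the second mount(2), would help the next reader. sandbox() begins and ends outside this hunk, so whether a later step already remounts the directory cannot be seen here.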