author | netblue30 <netblue30@yahoo.com> | 2016-02-21 09:43:33 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-02-21 09:43:33 -0500 |
commit | c89ebb846a9df5288b482941fe8d205f675be39b (patch) | |
tree | 14bf7bb798142c869b4a1edf1d0ddf818a37581d | |
parent | testing (diff) | |
small fixes
-rw-r--r-- | src/firejail/fs.c | 12 | ||||
-rw-r--r-- | src/firejail/main.c | 2 | ||||
-rw-r--r-- | src/firejail/profile.c | 4 | ||||
-rw-r--r-- | todo | 100 |
4 files changed, 17 insertions, 101 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 92cf4c1bc..df5e8410b 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -580,12 +580,14 @@ void fs_proc_sys_dev_boot(void) { | |||
580 | /* Mount a version of /sys that describes the network namespace */ | 580 | /* Mount a version of /sys that describes the network namespace */ |
581 | if (arg_debug) | 581 | if (arg_debug) |
582 | printf("Remounting /sys directory\n"); | 582 | printf("Remounting /sys directory\n"); |
583 | if (umount2("/sys", MNT_DETACH) < 0) | 583 | if (umount2("/sys", MNT_DETACH) < 0) |
584 | fprintf(stderr, "Warning: failed to unmount /sys\n"); | 584 | fprintf(stderr, "Warning: failed to unmount /sys\n"); |
585 | if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0) | 585 | else { |
586 | fprintf(stderr, "Warning: failed to mount /sys\n"); | 586 | if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0) |
587 | else | 587 | fprintf(stderr, "Warning: failed to mount /sys\n"); |
588 | fs_logger("remount /sys"); | 588 | else |
589 | fs_logger("remount /sys"); | ||
590 | } | ||
589 | 591 | ||
590 | if (stat("/sys/firmware", &s) == 0) { | 592 | if (stat("/sys/firmware", &s) == 0) { |
591 | disable_file(BLACKLIST_FILE, "/sys/firmware"); | 593 | disable_file(BLACKLIST_FILE, "/sys/firmware"); |
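Review bot: When umount2() fails, the new `else` branch skips the remount, so the sandbox keeps the inherited /sys mount — which need not carry the MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV flags the remount would have applied — and execution continues to the disable_file() calls below with nothing but a warning on stderr. That degraded state deserves an explicit comment on the `else {` line, e.g. `/* unmount failed: keep the inherited /sys and fall through to the per-directory blacklisting below */`, and the warning would be more actionable with the reason, `fprintf(stderr, "Warning: failed to unmount /sys: %s\n", strerror(errno));` (assuming <errno.h>/<string.h> are in scope in this file). Whether a failed unmount should be fatal in the --chroot/--overlay cases, which the removed todo entries name as the situation where it fails, is a decision the commit does not record anywhere. fs_proc_sys_dev_boot() starts and ends outside the hunk.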
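--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -142,7 +142,7 @@ static inline Bridge *last_bridge_configured(void) {
 }
 
 // return 1 if error, 0 if a valid pid was found
-static int read_pid(char *str, pid_t *pid) {
+static inline int read_pid(char *str, pid_t *pid) {
 char *endptr;
 errno = 0;
 long int pidtmp = strtol(str, &endptr, 10);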
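Review bot: In the visible lines `str` is only handed to strtol(), which takes a `const char *`, so the signature on line 145 should be `static inline int read_pid(const char *str, pid_t *pid) {` — it documents that the helper does not modify its input and lets callers pass const data without a cast; confirm the remainder of the body does not write through `str` before making the change. The `inline` keyword added here is only a hint on a function that is already `static`, so the compiler was free to inline it before and the change has no observable effect; a short comment on the errno/endptr contract (line 144 only says "1 if error") would be more useful than the keyword. read_pid's body continues outside the hunk.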
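--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -363,6 +363,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 fprintf(stderr, "Error: invalid file name.\n");
 exit(1);
 }
+if (is_link(dname1) || is_link(dname2)) {
+fprintf(stderr, "Symbolic links are not allowed for bind command\n");
+exit(1);
+}
 
 // insert comma back
 *(dname2 - 1) = ',';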
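Review bot: The is_link() check on lines 366-369 runs while the profile line is parsed, and the bind mount that eventually consumes dname1/dname2 is not performed in this function, so a path that is a plain directory now and a symlink by the time the mount is applied is not caught by it; the mount-side code should re-verify the target when it acts on it (for example by resolving it with realpath() and refusing if the result differs from the configured path, or by opening it with O_NOFOLLOW), and a comment such as `// parse-time sanity check only; the mount path must re-check for symlinks when it runs` should say so here. The message on line 367 also breaks the convention of the adjacent error on line 363 — `fprintf(stderr, "Error: symbolic links are not allowed for bind command\n");` keeps the "Error:" prefix, and naming the offending path would help the profile author. What is_link() treats as a link (the final component only, or any component of the path) is not visible in the hunk; if it only lstat()s the final component, a symlinked parent directory passes this check unnoticed. profile_check_line() starts and ends outside the hunk.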
@@ -1,41 +1,4 @@ | |||
1 | 1. Getting "Warning: failed to unmount /sys" on --chroot and --overlay | 1 | 1. Disable /dev/tcp in bash. Compiled time: --enable-net-redirections, --disable-net-redirections |
2 | |||
3 | 2. Startup warnings on Arch Linux: | ||
4 | |||
5 | (all fine here) | ||
6 | $ ./firejail | ||
7 | Parent pid 2495, child pid 2496 | ||
8 | Child process initialized | ||
9 | $ | ||
10 | |||
11 | (warnings) | ||
12 | $ ./firejail --overlay | ||
13 | Parent pid 2500, child pid 2501 | ||
14 | OverlayFS configured in /home/ablive/.firejail/2500 directory | ||
15 | Warning: /var/lock not mounted | ||
16 | Warning: cannot find /var/run/utmp | ||
17 | Warning: failed to unmount /sys | ||
18 | Child process initialized | ||
19 | $ | ||
20 | |||
21 | (warnings) | ||
22 | $ ./firejail --chroot=/media/mylinux | ||
23 | Parent pid 2503, child pid 2504 | ||
24 | Warning: cannot find /var/run/utmp | ||
25 | Dropping all Linux capabilities and enforcing default seccomp filter | ||
26 | Warning: failed to unmount /sys | ||
27 | Child process initialized | ||
28 | $ | ||
29 | |||
30 | 5. Add IRC clients: KVIrc (KDE), BitchX (CLI), Smuxi, Konversation (KDE), HexChat, Irssi (CLI), WeeChat (CLI) | ||
31 | RSS: Liferea, akregator (KDE), newsbeuter (CLI), rawdog, | ||
32 | |||
33 | 6. Tests not working on Arch: | ||
34 | profile_syntax.exp (profile syntax) | ||
35 | fs_chroot.exp (chroot as user) | ||
36 | private-etc.exp | ||
37 | |||
38 | 7. Disable /dev/tcp in bash. Compiled time: --enable-net-redirections, --disable-net-redirections | ||
39 | ksh and zsh seem to have it. | 2 | ksh and zsh seem to have it. |
40 | 3 | ||
41 | Tests: | 4 | Tests: |
@@ -50,74 +13,21 @@ cat <&3 | |||
50 | c) A list of attacks | 13 | c) A list of attacks |
51 | http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/ | 14 | http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/ |
52 | 15 | ||
53 | 8. SELinux | 16 | 2. SELinux integration |
54 | 17 | ||
55 | Firefox selinux disabled (RedHat): http://danwalsh.livejournal.com/72697.html | 18 | Firefox selinux disabled (RedHat): http://danwalsh.livejournal.com/72697.html |
56 | Firefox selinux enabled (Gentoo hardened): http://blog.siphos.be/2015/08/why-we-do-confine-firefox/ | 19 | Firefox selinux enabled (Gentoo hardened): http://blog.siphos.be/2015/08/why-we-do-confine-firefox/ |
57 | "desktops are notoriously difficult to use a mandatory access control system on" | 20 | "desktops are notoriously difficult to use a mandatory access control system on" |
58 | 21 | ||
59 | 9. blacklist .muttrc, contains passwords in clear text | 22 | 3. abstract unix socket bridge, example for ibus: |
60 | |||
61 | 10. abstract unix socket bridge, example for ibus: | ||
62 | 23 | ||
63 | before the sandbox is started | 24 | before the sandbox is started |
64 | socat UNIX-LISTEN:/tmp/mysoc,fork ABSTRACT-CONNECT:/tmp/dbus-awBoQTCc & | 25 | socat UNIX-LISTEN:/tmp/mysoc,fork ABSTRACT-CONNECT:/tmp/dbus-awBoQTCc & |
65 | |||
66 | in sandbox | 26 | in sandbox |
67 | socat ABSTRACT-LISTEN:/tmp/dbus-awBoQTCc,fork UNIX-CONNECT:/tmp/mysock | 27 | socat ABSTRACT-LISTEN:/tmp/dbus-awBoQTCc,fork UNIX-CONNECT:/tmp/mysock |
68 | 28 | ||
69 | 12. do not allow symlinks for --bind | 29 | 5. add support for --ip, --iprange, --mac and --mtu for --interface option |
70 | |||
71 | 13. While using --net=eth0 assign the name of the interface inside the sandbox as eth0 | ||
72 | |||
73 | 15. do not attempt to mount /sys if unmount fails | ||
74 | |||
75 | $ firejail --noprofile --chroot=/tmp/chroot | ||
76 | Parent pid 13915, child pid 13916 | ||
77 | Warning: cannot mount tmpfs on top of /var/log | ||
78 | Warning: cannot find /var/run/utmp | ||
79 | Warning: cannot find home directory | ||
80 | Dropping all Linux capabilities and enforcing default seccomp filter | ||
81 | Warning: failed to unmount /sys | ||
82 | Warning: failed to mount /sys | ||
83 | Warning: cannot disable /sys/firmware directory | ||
84 | Warning: cannot disable /sys/hypervisor directory | ||
85 | Warning: cannot disable /sys/fs directory | ||
86 | Warning: cannot disable /sys/module directory | ||
87 | Warning: cannot disable /sys/power directory | ||
88 | Child process initialized | ||
89 | |||
90 | 16. add support for --ip, --iprange, --mac and --mtu for --interface option | ||
91 | |||
92 | 17. private-home clashing with blacklist | ||
93 | whitelist clashing with blacklist | ||
94 | |||
95 | 19. Try --overlay on a Ubuntu 14.04 32bit.Without adding --dns, there will be no network connectivity - see issue 151 | ||
96 | |||
97 | 21. restrict chars in filenames | ||
98 | |||
99 | try to open url-encoded filenames | ||
100 | |||
101 | const char badChars[] = "-\n\r ,;'\\<\""; | ||
102 | (https://www.securecoding.cert.org/confluence/display/c/MSC09-C.+Character+encoding%3A+Use+subset+of+ASCII+for+safety) | ||
103 | |||
104 | strip = array("~", "`", "!", "@", "#", "$", "%", "^", "&", "*", "(", ")", "_", "=", "+", "[", "{", "]", | ||
105 | "}", "\\", "|", ";", ":", "\"", "'", "‘", "’", "“", "”", "–", "—", | ||
106 | "—", "–", ",", "<", ".", ">", "/", "?"); | ||
107 | (https://github.com/vito/chyrp/blob/35c646dda657300b345a233ab10eaca7ccd4ec10/includes/helpers.php#L516) | ||
108 | |||
109 | $special_chars = array("?", "[", "]", "/", "\\", "=", "<", ">", ":", ";", ",", "'", "\"", "&", "$", "#", "*", "(", ")", "|", "~", "`", "!", "{", "}"); | ||
110 | (wordpress) | ||
111 | |||
112 | rework the calls to invalid_filename(), depending if globing is allowed or not, include * in the list for non-globing files | ||
113 | |||
114 | The POSIX standard defines what a “portable filename” is. This turns out to be just A-Z, a-z, 0-9, <period>, <underscore>, and <hyphen> | ||
115 | http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_276 | ||
116 | |||
117 | 22. --shutdown does not clear sandboxes started with --join on Debian jessie | ||
118 | 30 | ||
119 | 23. to document: | 31 | 6. --shutdown does not clear sandboxes started with --join |
120 | 32 | ||
121 | http://lwn.net/Articles/414813/ | ||
122 | echo 1 > /proc/sys/kernel/dmesg_restrict | ||
123 | 33 | ||