author | netblue30 <netblue30@yahoo.com> | 2016-06-09 08:42:59 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-06-09 08:42:59 -0400 |
commit | d073a425b3e3ed3829a0e042e8c41963f0f40f0e (patch) | |
tree | 3241c3053a4d3ccba63c633015fddb6e21c9cf74 | |
parent | fixes (diff) | |
whitelist support in /etc/firejail/firejail.config
-rwxr-xr-x | configure | 17 | ||||
-rw-r--r-- | configure.ac | 9 | ||||
-rw-r--r-- | etc/firejail.config | 15 | ||||
-rw-r--r-- | src/firejail/Makefile.in | 3 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 11 | ||||
-rw-r--r-- | src/firejail/firejail.h | 3 | ||||
-rw-r--r-- | src/firejail/main.c | 25 | ||||
-rw-r--r-- | src/firejail/profile.c | 12 | ||||
-rw-r--r-- | src/firejail/usage.c | 6 | ||||
-rw-r--r-- | src/man/firejail-config.txt | 19 |
10 files changed, 93 insertions, 27 deletions
@@ -629,6 +629,7 @@ EGREP | |||
629 | GREP | 629 | GREP |
630 | CPP | 630 | CPP |
631 | HAVE_FATAL_WARNINGS | 631 | HAVE_FATAL_WARNINGS |
632 | HAVE_WHITELIST | ||
632 | HAVE_FILE_TRANSFER | 633 | HAVE_FILE_TRANSFER |
633 | HAVE_X11 | 634 | HAVE_X11 |
634 | HAVE_USERNS | 635 | HAVE_USERNS |
@@ -695,6 +696,7 @@ enable_network | |||
695 | enable_userns | 696 | enable_userns |
696 | enable_x11 | 697 | enable_x11 |
697 | enable_file_transfer | 698 | enable_file_transfer |
699 | enable_whitelist | ||
698 | enable_fatal_warnings | 700 | enable_fatal_warnings |
699 | ' | 701 | ' |
700 | ac_precious_vars='build_alias | 702 | ac_precious_vars='build_alias |
@@ -1324,6 +1326,7 @@ Optional Features: | |||
1324 | --disable-userns disable user namespace | 1326 | --disable-userns disable user namespace |
1325 | --disable-x11 disable X11 sandboxing support | 1327 | --disable-x11 disable X11 sandboxing support |
1326 | --disable-file-transfer disable file transfer | 1328 | --disable-file-transfer disable file transfer |
1329 | --disable-whitelist disable whitelist | ||
1327 | --enable-fatal-warnings -W -Wall -Werror | 1330 | --enable-fatal-warnings -W -Wall -Werror |
1328 | 1331 | ||
1329 | Some influential environment variables: | 1332 | Some influential environment variables: |
@@ -3163,6 +3166,19 @@ if test "x$enable_file_transfer" != "xno"; then : | |||
3163 | 3166 | ||
3164 | fi | 3167 | fi |
3165 | 3168 | ||
3169 | HAVE_WHITELIST="" | ||
3170 | # Check whether --enable-whitelist was given. | ||
3171 | if test "${enable_whitelist+set}" = set; then : | ||
3172 | enableval=$enable_whitelist; | ||
3173 | fi | ||
3174 | |||
3175 | if test "x$enable_whitelist" != "xno"; then : | ||
3176 | |||
3177 | HAVE_WHITELIST="-DHAVE_WHITELIST" | ||
3178 | |||
3179 | |||
3180 | fi | ||
3181 | |||
3166 | HAVE_FATAL_WARNINGS="" | 3182 | HAVE_FATAL_WARNINGS="" |
3167 | # Check whether --enable-fatal_warnings was given. | 3183 | # Check whether --enable-fatal_warnings was given. |
3168 | if test "${enable_fatal_warnings+set}" = set; then : | 3184 | if test "${enable_fatal_warnings+set}" = set; then : |
@@ -4823,6 +4839,7 @@ echo " bind: $HAVE_BIND" | |||
4823 | echo " network: $HAVE_NETWORK" | 4839 | echo " network: $HAVE_NETWORK" |
4824 | echo " user namespace: $HAVE_USERNS" | 4840 | echo " user namespace: $HAVE_USERNS" |
4825 | echo " X11 sandboxing support: $HAVE_X11" | 4841 | echo " X11 sandboxing support: $HAVE_X11" |
4842 | echo " whitelisting: $HAVE_WHITELIST" | ||
4826 | echo " file transfer support: $HAVE_FILE_TRANSFER" | 4843 | echo " file transfer support: $HAVE_FILE_TRANSFER" |
4827 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" | 4844 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" |
4828 | echo | 4845 | echo |
diff --git a/configure.ac b/configure.ac index ef6a11af5..c9061f219 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -70,6 +70,14 @@ AS_IF([test "x$enable_file_transfer" != "xno"], [ | |||
70 | AC_SUBST(HAVE_FILE_TRANSFER) | 70 | AC_SUBST(HAVE_FILE_TRANSFER) |
71 | ]) | 71 | ]) |
72 | 72 | ||
73 | HAVE_WHITELIST="" | ||
74 | AC_ARG_ENABLE([whitelist], | ||
75 | AS_HELP_STRING([--disable-whitelist], [disable whitelist])) | ||
76 | AS_IF([test "x$enable_whitelist" != "xno"], [ | ||
77 | HAVE_WHITELIST="-DHAVE_WHITELIST" | ||
78 | AC_SUBST(HAVE_WHITELIST) | ||
79 | ]) | ||
80 | |||
73 | HAVE_FATAL_WARNINGS="" | 81 | HAVE_FATAL_WARNINGS="" |
74 | AC_ARG_ENABLE([fatal_warnings], | 82 | AC_ARG_ENABLE([fatal_warnings], |
75 | AS_HELP_STRING([--enable-fatal-warnings], [-W -Wall -Werror])) | 83 | AS_HELP_STRING([--enable-fatal-warnings], [-W -Wall -Werror])) |
@@ -103,6 +111,7 @@ echo " bind: $HAVE_BIND" | |||
103 | echo " network: $HAVE_NETWORK" | 111 | echo " network: $HAVE_NETWORK" |
104 | echo " user namespace: $HAVE_USERNS" | 112 | echo " user namespace: $HAVE_USERNS" |
105 | echo " X11 sandboxing support: $HAVE_X11" | 113 | echo " X11 sandboxing support: $HAVE_X11" |
114 | echo " whitelisting: $HAVE_WHITELIST" | ||
106 | echo " file transfer support: $HAVE_FILE_TRANSFER" | 115 | echo " file transfer support: $HAVE_FILE_TRANSFER" |
107 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" | 116 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" |
108 | echo | 117 | echo |
diff --git a/etc/firejail.config b/etc/firejail.config index 55d2faa9f..4fcaee213 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
@@ -12,6 +12,12 @@ | |||
12 | # Enable or disable file transfer support, default enabled. | 12 | # Enable or disable file transfer support, default enabled. |
13 | # file-transfer yes | 13 | # file-transfer yes |
14 | 14 | ||
15 | # Force use of nonewprivs. This mitigates the possibility of | ||
16 | # a user abusing firejail's features to trick a privileged (suid | ||
17 | # or file capabilities) process into loading code or configuration | ||
18 | # that is partially under their control. Default disabled | ||
19 | # force-nonewprivs no | ||
20 | |||
15 | # Enable or disable networking features, default enabled. | 21 | # Enable or disable networking features, default enabled. |
16 | # network yes | 22 | # network yes |
17 | 23 | ||
@@ -27,15 +33,12 @@ | |||
27 | # Enable or disable user namespace support, default enabled. | 33 | # Enable or disable user namespace support, default enabled. |
28 | # userns yes | 34 | # userns yes |
29 | 35 | ||
36 | # Enable or disable whitelisting support, default enabled | ||
37 | # whitelist yes | ||
38 | |||
30 | # Enable or disable X11 sandboxing support, default enabled. | 39 | # Enable or disable X11 sandboxing support, default enabled. |
31 | # x11 yes | 40 | # x11 yes |
32 | 41 | ||
33 | # Force use of nonewprivs. This mitigates the possibility of | ||
34 | # a user abusing firejail's features to trick a privileged (suid | ||
35 | # or file capabilities) process into loading code or configuration | ||
36 | # that is partially under their control. Default disabled | ||
37 | # force-nonewprivs no | ||
38 | |||
39 | # Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for | 42 | # Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for |
40 | # a full list of resolutions available on your specific setup. | 43 | # a full list of resolutions available on your specific setup. |
41 | # xephyr-screen 640x480 | 44 | # xephyr-screen 640x480 |
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index 3ad4ba75e..a8af1a4e0 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in | |||
@@ -16,13 +16,14 @@ HAVE_NETWORK=@HAVE_NETWORK@ | |||
16 | HAVE_USERNS=@HAVE_USERNS@ | 16 | HAVE_USERNS=@HAVE_USERNS@ |
17 | HAVE_X11=@HAVE_X11@ | 17 | HAVE_X11=@HAVE_X11@ |
18 | HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ | 18 | HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ |
19 | HAVE_WHITELIST=@HAVE_WHITELIST@ | ||
19 | 20 | ||
20 | 21 | ||
21 | H_FILE_LIST = $(sort $(wildcard *.[h])) | 22 | H_FILE_LIST = $(sort $(wildcard *.[h])) |
22 | C_FILE_LIST = $(sort $(wildcard *.c)) | 23 | C_FILE_LIST = $(sort $(wildcard *.c)) |
23 | OBJS = $(C_FILE_LIST:.c=.o) | 24 | OBJS = $(C_FILE_LIST:.c=.o) |
24 | BINOBJS = $(foreach file, $(OBJS), $file) | 25 | BINOBJS = $(foreach file, $(OBJS), $file) |
25 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security | 26 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security |
26 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread | 27 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread |
27 | 28 | ||
28 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h | 29 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h |
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 3ea8caf5b..bf85436c3 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -38,7 +38,7 @@ int checkcfg(int val) { | |||
38 | cfg_val[i] = 1; // most of them are enabled by default | 38 | cfg_val[i] = 1; // most of them are enabled by default |
39 | 39 | ||
40 | cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default | 40 | cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default |
41 | cfg_val[CFG_FORCE_NONEWPRIVS ] = 0; // disabled by default | 41 | cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default |
42 | 42 | ||
43 | // open configuration file | 43 | // open configuration file |
44 | char *fname; | 44 | char *fname; |
@@ -126,6 +126,15 @@ int checkcfg(int val) { | |||
126 | else | 126 | else |
127 | goto errout; | 127 | goto errout; |
128 | } | 128 | } |
129 | // whitelist | ||
130 | else if (strncmp(ptr, "whitelist ", 10) == 0) { | ||
131 | if (strcmp(ptr + 10, "yes") == 0) | ||
132 | cfg_val[CFG_WHITELIST] = 1; | ||
133 | else if (strcmp(ptr + 10, "no") == 0) | ||
134 | cfg_val[CFG_WHITELIST] = 0; | ||
135 | else | ||
136 | goto errout; | ||
137 | } | ||
129 | // network | 138 | // network |
130 | else if (strncmp(ptr, "network ", 8) == 0) { | 139 | else if (strncmp(ptr, "network ", 8) == 0) { |
131 | if (strcmp(ptr + 8, "yes") == 0) | 140 | if (strcmp(ptr + 8, "yes") == 0) |
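Review bot: The new `whitelist` key is parsed here unconditionally, while every consumer of `CFG_WHITELIST` this commit adds (main.c, profile.c) is wrapped in `#ifdef HAVE_WHITELIST`, so on a build configured with `--disable-whitelist` a `whitelist yes` line in firejail.config is accepted and silently has no effect. That is consistent with how the other keys appear to be handled, but it deserves a comment so an administrator reading the parser is not misled; replace the bare `// whitelist` with `// whitelist (only consulted when built with HAVE_WHITELIST; accepted but ignored otherwise)`. The default of enabled comes from the `cfg_val[i] = 1` loop at the top of the function, which matches the "default enabled" text added to the config file, so no default needs setting here. checkcfg() starts and ends outside this hunk.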
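--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -568,7 +568,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh);
 #define CFG_NETWORK 6
 #define CFG_RESTRICTED_NETWORK 7
 #define CFG_FORCE_NONEWPRIVS 8
-#define CFG_MAX 9 // this should always be the last entry
+#define CFG_WHITELIST 9
+#define CFG_MAX 10 // this should always be the last entry
 int checkcfg(int val);
 
 // fs_rdwr.c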
diff --git a/src/firejail/main.c b/src/firejail/main.c index 1c2f021bb..1621d810f 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -277,6 +277,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
277 | #ifndef HAVE_FILE_TRANSFER | 277 | #ifndef HAVE_FILE_TRANSFER |
278 | printf("File transfer support is disabled.\n"); | 278 | printf("File transfer support is disabled.\n"); |
279 | #endif | 279 | #endif |
280 | #ifndef HAVE_WHITELIST | ||
281 | printf("whitelisting support is disabled.\n"); | ||
282 | #endif | ||
280 | exit(0); | 283 | exit(0); |
281 | } | 284 | } |
282 | #ifdef HAVE_X11 | 285 | #ifdef HAVE_X11 |
@@ -1114,14 +1117,24 @@ int main(int argc, char **argv) { | |||
1114 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1117 | profile_check_line(line, 0, NULL); // will exit if something wrong |
1115 | profile_add(line); | 1118 | profile_add(line); |
1116 | } | 1119 | } |
1120 | |||
1121 | #ifdef HAVE_WHITELIST | ||
1117 | else if (strncmp(argv[i], "--whitelist=", 12) == 0) { | 1122 | else if (strncmp(argv[i], "--whitelist=", 12) == 0) { |
1118 | char *line; | 1123 | if (checkcfg(CFG_WHITELIST)) { |
1119 | if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1) | 1124 | char *line; |
1120 | errExit("asprintf"); | 1125 | if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1) |
1121 | 1126 | errExit("asprintf"); | |
1122 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1127 | |
1123 | profile_add(line); | 1128 | profile_check_line(line, 0, NULL); // will exit if something wrong |
1129 | profile_add(line); | ||
1130 | } | ||
1131 | else { | ||
1132 | fprintf(stderr, "Error: whitelist feature is disabled in Firejail configuration file\n"); | ||
1133 | exit(1); | ||
1134 | } | ||
1124 | } | 1135 | } |
1136 | #endif | ||
1137 | |||
1125 | else if (strncmp(argv[i], "--read-only=", 12) == 0) { | 1138 | else if (strncmp(argv[i], "--read-only=", 12) == 0) { |
1126 | char *line; | 1139 | char *line; |
1127 | if (asprintf(&line, "read-only %s", argv[i] + 12) == -1) | 1140 | if (asprintf(&line, "read-only %s", argv[i] + 12) == -1) |
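Review bot: On a build configured with `--disable-whitelist` the entire `--whitelist=` branch is compiled out by the new `#ifdef HAVE_WHITELIST`, so the option is no longer recognised here and presumably falls through to the generic handling at the end of the option chain, which lies outside this hunk; the user then gets a different (or no) explanation than the explicit "disabled in Firejail configuration file" error that the config-disabled path prints. Keeping the option recognised in an `#else` branch that fails with a matching message makes both disabled states behave the same and avoids the argument being silently misinterpreted by whatever the chain's tail does. main() starts before and ends after this hunk.
```c
#else
	// … unchanged: the HAVE_WHITELIST branch above …
	else if (strncmp(argv[i], "--whitelist=", 12) == 0) {
		fprintf(stderr, "Error: whitelist feature is disabled in this Firejail build\n");
		exit(1);
	}
#endif
```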
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 192f36974..a64f28c9a 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -726,8 +726,16 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
726 | else if (strncmp(ptr, "noblacklist ", 12) == 0) | 726 | else if (strncmp(ptr, "noblacklist ", 12) == 0) |
727 | ptr += 12; | 727 | ptr += 12; |
728 | else if (strncmp(ptr, "whitelist ", 10) == 0) { | 728 | else if (strncmp(ptr, "whitelist ", 10) == 0) { |
729 | arg_whitelist = 1; | 729 | #ifdef HAVE_WHITELIST |
730 | ptr += 10; | 730 | if (checkcfg(CFG_WHITELIST)) { |
731 | arg_whitelist = 1; | ||
732 | ptr += 10; | ||
733 | } | ||
734 | else | ||
735 | return 0; | ||
736 | #else | ||
737 | return 0; | ||
738 | #endif | ||
731 | } | 739 | } |
732 | else if (strncmp(ptr, "read-only ", 10) == 0) | 740 | else if (strncmp(ptr, "read-only ", 10) == 0) |
733 | ptr += 10; | 741 | ptr += 10; |
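Review bot: The two new `return 0` paths drop a profile's `whitelist` line without any diagnostic when the feature is disabled by configuration or at build time, so the sandbox silently starts with less confinement than the profile author specified, whereas the equivalent `--whitelist=` option on the command line (main.c in this commit) is a hard error. At minimum emit a warning before returning, e.g. `fprintf(stderr, "Warning: whitelist feature is disabled, ignoring whitelist line %d in %s\n", lineno, fname ? fname : "(command line)");` — note `fname` can be NULL, since the main.c caller passes `profile_check_line(line, 0, NULL)`. Whether the drop should instead be fatal to mirror main.c is a policy choice, but it should not be silent, and the `#else` branch should print the same message. profile_check_line() starts and ends outside this hunk, and I am assuming from the surrounding pattern that a 0 return means the line is not added to the profile.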
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index d2f7d9460..af1a30ac3 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -72,8 +72,9 @@ void usage(void) { | |||
72 | printf("\tsoftware build.\n\n"); | 72 | printf("\tsoftware build.\n\n"); |
73 | printf(" --debug-syscalls - print all recognized system calls in the current Firejail\n"); | 73 | printf(" --debug-syscalls - print all recognized system calls in the current Firejail\n"); |
74 | printf("\tsoftware build.\n\n"); | 74 | printf("\tsoftware build.\n\n"); |
75 | #ifdef HAVE_WHITELIST | ||
75 | printf(" --debug-whitelists - debug whitelisting.\n\n"); | 76 | printf(" --debug-whitelists - debug whitelisting.\n\n"); |
76 | 77 | #endif | |
77 | 78 | ||
78 | 79 | ||
79 | #ifdef HAVE_NETWORK | 80 | #ifdef HAVE_NETWORK |
@@ -250,8 +251,9 @@ void usage(void) { | |||
250 | printf(" --tree - print a tree of all sandboxed processes.\n\n"); | 251 | printf(" --tree - print a tree of all sandboxed processes.\n\n"); |
251 | printf(" --user=new_user - switch the user before starting the sandbox.\n\n"); | 252 | printf(" --user=new_user - switch the user before starting the sandbox.\n\n"); |
252 | printf(" --version - print program version and exit.\n\n"); | 253 | printf(" --version - print program version and exit.\n\n"); |
254 | #ifdef HAVE_WHITELIST | ||
253 | printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n"); | 255 | printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n"); |
254 | 256 | #endif | |
255 | printf(" --writable-etc - /etc directory is mounted read-write.\n\n"); | 257 | printf(" --writable-etc - /etc directory is mounted read-write.\n\n"); |
256 | printf(" --writable-var - /var directory is mounted read-write.\n\n"); | 258 | printf(" --writable-var - /var directory is mounted read-write.\n\n"); |
257 | 259 | ||
diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt index 026765f1a..6a66c7f75 100644 --- a/src/man/firejail-config.txt +++ b/src/man/firejail-config.txt | |||
@@ -26,6 +26,13 @@ Enable or disable chroot support, default enabled. | |||
26 | Enable or disable file transfer support, default enabled. | 26 | Enable or disable file transfer support, default enabled. |
27 | 27 | ||
28 | .TP | 28 | .TP |
29 | \fBforce-nonewprivs | ||
30 | Force use of nonewprivs. This mitigates the possibility of | ||
31 | a user abusing firejail's features to trick a privileged (suid | ||
32 | or file capabilities) process into loading code or configuration | ||
33 | that is partially under their control. Default disabled. | ||
34 | |||
35 | .TP | ||
29 | \fBnetwork | 36 | \fBnetwork |
30 | Enable or disable networking features, default enabled. | 37 | Enable or disable networking features, default enabled. |
31 | 38 | ||
@@ -45,16 +52,12 @@ Enable or disable seccomp support, default enabled. | |||
45 | Enable or disable user namespace support, default enabled. | 52 | Enable or disable user namespace support, default enabled. |
46 | 53 | ||
47 | .TP | 54 | .TP |
48 | \fBx11 | 55 | \fBwhitelist |
49 | Enable or disable X11 sandboxing support, default enabled. | 56 | Enable or disable whitelisting support, default enabled. |
50 | 57 | ||
51 | .TP | 58 | .TP |
52 | \fBforce-nonewprivs | 59 | \fBx11 |
53 | Force use of nonewprivs. This mitigates the possibility of | 60 | Enable or disable X11 sandboxing support, default enabled. |
54 | a user abusing firejail's features to trick a privileged (suid | ||
55 | or file capabilities) process into loading code or configuration | ||
56 | that is partially under their control. Default disabled. | ||
57 | |||
58 | 61 | ||
59 | .TP | 62 | .TP |
60 | \fBxephyr-screen | 63 | \fBxephyr-screen |