author | smitsohu <smitsohu@gmail.com> | 2021-01-08 21:24:06 +0100 |
committer | smitsohu <smitsohu@gmail.com> | 2021-01-08 21:24:06 +0100 |
commit | d94e757019808c1c0975df53fd76df3606689c31 (patch) | |
tree | 9d1a3cd5bcefe0fb9a1d51adb931480de275d16d | |
parent | fbuilder: whitelist-common.inc processing (diff) | |
fbuilder: check Yama permissions
closes #3237
-rw-r--r-- | src/fbuilder/build_profile.c | 26 |
1 files changed, 19 insertions, 7 deletions
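--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -80,10 +80,19 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 stroutput,
 };
 
-// detect strace
+// detect strace and check if Yama LSM allows us to use it
 int have_strace = 0;
-if (access("/usr/bin/strace", X_OK) == 0)
+int have_yama_permission = 1;
+if (access("/usr/bin/strace", X_OK) == 0) {
 have_strace = 1;
+FILE *fp = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
+if (fp) {
+unsigned val;
+if (fscanf(fp, "%u", &val) == 1)
+have_yama_permission = (val < 2);
+fclose(fp);
+}
+}
 
 // calculate command length
 unsigned len = (int) sizeof(cmdlist) / sizeof(char*) + argc - index + 1;
@@ -93,10 +102,11 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 cmd[0] = cmdlist[0]; // explicit assignment to clean scan-build error
 
 // build command
+int skip_strace = !(have_strace && have_yama_permission);
 unsigned i = 0;
 for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++) {
-// skip strace if not installed
-if (have_strace == 0 && strcmp(cmdlist[i], "/usr/bin/strace") == 0)
+// skip strace if not installed, or no permission to use it
+if (skip_strace && strcmp(cmdlist[i], "/usr/bin/strace") == 0)
 break;
 cmd[i] = cmdlist[i];
 }
@@ -172,12 +182,14 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 fprintf(fp, "caps.drop all\n");
 fprintf(fp, "nonewprivs\n");
 fprintf(fp, "seccomp\n");
-if (have_strace)
-build_seccomp(strace_output, fp);
-else {
+if (!have_strace) {
 fprintf(fp, "# If you install strace on your system, Firejail will also create a\n");
 fprintf(fp, "# whitelisted seccomp filter.\n");
 }
+else if (!have_yama_permission)
+fprintf(fp, "# Yama security module prevents creation of a whitelisted seccomp filter\n");
+else
+build_seccomp(strace_output, fp);
 fprintf(fp, "\n");
 
 fprintf(fp, "### network\n");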
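Review bot: The new local `FILE *fp = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");` in the first hunk shadows the function's `FILE *fp` parameter shown in the hunk header, which `-Wshadow` will flag and which invites a later edit inside that block to write the profile into the wrong stream. Renaming the local avoids it: `FILE *yama = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");`, `if (fscanf(yama, "%u", &val) == 1)`, `fclose(yama);`. The threshold `val < 2` also deserves a why-comment, since the number encodes the Yama ptrace_scope levels; something like `// ptrace_scope 0 and 1 still allow tracing our own child; 2 (admin-only) and 3 (no attach) do not`. The enclosing build_profile starts before and ends after these hunks.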