author | The Fox in the Shell <KellerFuchs@hashbang.sh> | 2016-05-25 02:19:02 +0200 |
---|---|---|
committer | The Fox in the Shell <KellerFuchs@hashbang.sh> | 2016-05-25 15:01:13 +0200 |
commit | 0688847fa8287752e2bdd209bde37029dff48dc5 (patch) | |
tree | c71776187e4b3a9c6250281701511f706aaaf3cd | |
parent | sandbox: Add NO_NEW_PRIVS inconditionally (diff) | |
Make NO_NEW_PRIVS configurable
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 4 | ||||
-rw-r--r-- | src/firejail/profile.c | 4 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 13 | ||||
-rw-r--r-- | src/firejail/usage.c | 3 |
5 files changed, 20 insertions, 5 deletions
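--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -237,6 +237,7 @@ extern int arg_rlimit_nproc; // rlimit nproc
 extern int arg_rlimit_fsize; // rlimit fsize
 extern int arg_rlimit_sigpending;// rlimit sigpending
 extern int arg_nogroups; // disable supplementary groups
+extern int arg_nonewprivs; // set the NO_NEW_PRIVS prctl
 extern int arg_noroot; // create a new user namespace and disable root user
 extern int arg_netfilter; // enable netfilter
 extern int arg_netfilter6; // enable netfilter6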
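--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -77,6 +77,7 @@ int arg_rlimit_nproc = 0; // rlimit nproc
 int arg_rlimit_fsize = 0; // rlimit fsize
 int arg_rlimit_sigpending = 0; // rlimit fsize
 int arg_nogroups = 0; // disable supplementary groups
+int arg_nonewprivs = 0; // set the NO_NEW_PRIVS prctl
 int arg_noroot = 0; // create a new user namespace and disable root user
 int arg_netfilter; // enable netfilter
 int arg_netfilter6; // enable netfilter6
@@ -1367,6 +1368,9 @@ int main(int argc, char **argv) {
 }
 }
 #endif
+else if (strcmp(argv[i], "--nonewprivs") == 0) {
+arg_nonewprivs = 1;
+}
 else if (strncmp(argv[i], "--env=", 6) == 0)
 env_store(argv[i] + 6);
 else if (strncmp(argv[i], "--nosound", 9) == 0) {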
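--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -131,6 +131,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 
 return 0;
 }
+else if (strcmp(ptr, "nonewprivs") == 0) {
+arg_nonewprivs = 1;
+return 0;
+}
 else if (strcmp(ptr, "seccomp") == 0) {
 #ifdef HAVE_SECCOMP
 if (checkcfg(CFG_SECCOMP))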
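Review bot: The new `nonewprivs` profile keyword is undocumented in this commit: the diffstat touches only src/firejail sources, and the help text added in usage.c describes the `--nonewprivs` command-line option alone. A one-line comment on the branch, `// profile keyword "nonewprivs": same effect as the --nonewprivs command-line option`, plus an entry in the profile-syntax documentation would keep the two in step. Like its siblings, the keyword can only switch the flag on, so once a profile sets it there is no command-line way to leave it off. profile_check_line starts and ends outside the hunk.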
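--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -750,11 +750,14 @@ int sandbox(void* sandbox_arg) {
 //****************************************
 // Set NO_NEW_PRIVS if desired
 //****************************************
-int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
-if(no_new_privs != 0) {
-errExit("NO_NEW_PRIVS");
-} else
-printf("No new privileges from this point on\n");
+if (arg_nonewprivs) {
+int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+
+if(no_new_privs != 0)
+errExit("NO_NEW_PRIVS");
+else if (arg_debug)
+printf("NO_NEW_PRIVS set\n");
+}
 
 
 //****************************************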
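Review bot: With the new guard, `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` runs only when arg_nonewprivs is set, and main.c initialises it to 0, so the hardening the parent commit applied unconditionally is now off unless a profile or the command line opts in. If the seccomp path in this file relies on no_new_privs having been set here (an unprivileged PR_SET_SECCOMP with a filter requires it), that dependency is not visible in the hunk and should be confirmed, or the prctl also issued on the seccomp path. A short comment above the guard would make the contract explicit: `// opt-in, default off (arg_nonewprivs in main.c); the flag is inherited by every descendant and cannot be cleared`. The `no_new_privs` temporary can be dropped by testing the call directly, `if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)`. sandbox() begins before and continues after the hunk.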
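--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -157,6 +157,9 @@ void usage(void) {
 printf("\tuser. root user does not exist in the new namespace. This option\n");
 printf("\tis not supported for --chroot and --overlay configurations.\n\n");
 #endif
+printf(" --nonewprivs - sets the NO_NEW_PRIVS prctl - the child processes\n");
+printf("\tcannot gain privileges using execve(2); in particular, this prevents\n");
+printf("\tgaining privileges by calling a suid binary\n\n");
 printf(" --nosound - disable sound system.\n\n");
 
 printf(" --output=logfile - stdout logging and log rotation. Copy stdout and stderr\n");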
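Review bot: The help text on the three added printf lines limits the effect to "the child processes", whereas PR_SET_NO_NEW_PRIVS applies to the sandboxed command itself and every descendant, and it cannot be cleared once set; that permanence is what a user should know before enabling it. Suggested wording: `printf(" --nonewprivs - sets the NO_NEW_PRIVS prctl - the sandboxed process and all\n");` `printf("\tits descendants can no longer gain privileges via execve(2), e.g. by\n");` `printf("\trunning a suid binary; the flag cannot be cleared once set\n\n");`. usage() starts before and continues after the hunk.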