author | netblue30 <netblue30@yahoo.com> | 2017-09-14 08:50:01 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-09-14 08:50:01 -0400 |
commit | 9d4f2784b33abae457731b43128cd8590d80b7cc (patch) | |
tree | 76f15369f49b95b34027136b1eb8037ec5d3875a | |
parent | fix Arch Linux /etc/resolv.conf symlink to /var/run/systemd/resolve/resolv.conf (diff) | |
--writable-run-user, solving ssh/gnupg authentication problems for smarcards
-rw-r--r-- | README.md | 12 | ||||
-rw-r--r-- | RELNOTES | 3 | ||||
-rw-r--r-- | etc/ssh-agent.profile | 1 | ||||
-rw-r--r-- | etc/ssh.profile | 2 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs.c | 52 | ||||
-rw-r--r-- | src/firejail/main.c | 6 | ||||
-rw-r--r-- | src/firejail/profile.c | 5 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 3 | ||||
-rw-r--r-- | src/man/firejail.txt | 10 |
10 files changed, 65 insertions, 30 deletions
@@ -96,8 +96,14 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir | |||
96 | ````` | 96 | ````` |
97 | 97 | ||
98 | ````` | 98 | ````` |
99 | # 0.9.50 release pending | 99 | # Current development version: 0.9.51 |
100 | 100 | ||
101 | Development moved on 0.9.50-bugfixes branch: https://github.com/netblue30/firejail/tree/0.9.50-bugfixes | 101 | ## New command line options |
102 | ````` | ||
103 | --writable-run-user | ||
104 | This options disables the default blacklisting of | ||
105 | run/user/$UID/systemd and /run/user/$UID/gnupg. | ||
102 | 106 | ||
103 | # Current development version: 0.9.51 | 107 | Example: |
108 | $ sudo firejail --writable-run-user | ||
109 | ````` | ||
@@ -1,6 +1,7 @@ | |||
1 | firejail (0.9.51) baseline; urgency=low | 1 | firejail (0.9.51) baseline; urgency=low |
2 | * work in progress! | 2 | * work in progress! |
3 | -- netblue30 <netblue30@yahoo.com> Mon, 12 Jun 2017 20:00:00 -0500 | 3 | * feature: --writable-run-user |
4 | -- netblue30 <netblue30@yahoo.com> Thu, 14 Sep 2017 20:00:00 -0500 | ||
4 | 5 | ||
5 | firejail (0.9.50~rc1) baseline; urgency=low | 6 | firejail (0.9.50~rc1) baseline; urgency=low |
6 | * release pending! | 7 | * release pending! |
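--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -25,3 +25,4 @@ noroot
 notv
 protocol unix,inet,inet6
 seccomp
+writable-run-user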
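Review bot: The added `writable-run-user` line carries no comment saying why this profile gives up the default blacklisting of /run/user/$UID/gnupg and /run/user/$UID/systemd, so a later reader cannot tell whether it is still needed; the commit title ties it to smartcard authentication. Suggest preceding it with `# keep /run/user/$UID/gnupg reachable for smartcard ssh/gnupg authentication`. The same applies to the identical line added to etc/ssh.profile, which also appends a trailing blank line at the end of that file.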
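--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -35,3 +35,5 @@ private-dev
 memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
+writable-run-user
+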
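--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -353,6 +353,7 @@ extern int arg_nice; // nice value configured
 extern int arg_ipc; // enable ipc namespace
 extern int arg_writable_etc; // writable etc
 extern int arg_writable_var; // writable var
+extern int arg_writable_run_user; // writable /run/user
 extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage; // appimage
 extern int arg_audit; // audit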
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 6695fc6b4..0ea71e6ba 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -582,33 +582,35 @@ void fs_proc_sys_dev_boot(void) { | |||
582 | 582 | ||
583 | 583 | ||
584 | // disable various ipc sockets in /run/user | 584 | // disable various ipc sockets in /run/user |
585 | struct stat s; | 585 | if (!arg_writable_run_user) { |
586 | 586 | struct stat s; | |
587 | char *fname; | 587 | |
588 | if (asprintf(&fname, "/run/user/%d", getuid()) == -1) | 588 | char *fname; |
589 | errExit("asprintf"); | 589 | if (asprintf(&fname, "/run/user/%d", getuid()) == -1) |
590 | if (is_dir(fname)) { // older distros don't have this directory | ||
591 | // disable /run/user/{uid}/gnupg | ||
592 | char *fnamegpg; | ||
593 | if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1) | ||
594 | errExit("asprintf"); | ||
595 | if (stat(fnamegpg, &s) == -1) | ||
596 | mkdir_attr(fnamegpg, 0700, getuid(), getgid()); | ||
597 | if (stat(fnamegpg, &s) == 0) | ||
598 | disable_file(BLACKLIST_FILE, fnamegpg); | ||
599 | free(fnamegpg); | ||
600 | |||
601 | // disable /run/user/{uid}/systemd | ||
602 | char *fnamesysd; | ||
603 | if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1) | ||
604 | errExit("asprintf"); | 590 | errExit("asprintf"); |
605 | if (stat(fnamesysd, &s) == -1) | 591 | if (is_dir(fname)) { // older distros don't have this directory |
606 | mkdir_attr(fnamesysd, 0755, getuid(), getgid()); | 592 | // disable /run/user/{uid}/gnupg |
607 | if (stat(fnamesysd, &s) == 0) | 593 | char *fnamegpg; |
608 | disable_file(BLACKLIST_FILE, fnamesysd); | 594 | if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1) |
609 | free(fnamesysd); | 595 | errExit("asprintf"); |
596 | if (stat(fnamegpg, &s) == -1) | ||
597 | mkdir_attr(fnamegpg, 0700, getuid(), getgid()); | ||
598 | if (stat(fnamegpg, &s) == 0) | ||
599 | disable_file(BLACKLIST_FILE, fnamegpg); | ||
600 | free(fnamegpg); | ||
601 | |||
602 | // disable /run/user/{uid}/systemd | ||
603 | char *fnamesysd; | ||
604 | if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1) | ||
605 | errExit("asprintf"); | ||
606 | if (stat(fnamesysd, &s) == -1) | ||
607 | mkdir_attr(fnamesysd, 0755, getuid(), getgid()); | ||
608 | if (stat(fnamesysd, &s) == 0) | ||
609 | disable_file(BLACKLIST_FILE, fnamesysd); | ||
610 | free(fnamesysd); | ||
611 | } | ||
612 | free(fname); | ||
610 | } | 613 | } |
611 | free(fname); | ||
612 | 614 | ||
613 | if (getuid() != 0) { | 615 | if (getuid() != 0) { |
614 | // disable /dev/kmsg and /proc/kmsg | 616 | // disable /dev/kmsg and /proc/kmsg |
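Review bot: The comment at the top of the new `if (!arg_writable_run_user)` block still reads `// disable various ipc sockets in /run/user` and does not say what the opt-out exposes; suggest `// disable various ipc sockets in /run/user; --writable-run-user skips this and leaves /run/user/$UID/{gnupg,systemd} reachable from the sandbox`. The option name reads like a remount, parallel to --writable-etc and --writable-var, but the code only skips the blacklisting of those two subdirectories, so the comment and the man pages should say so rather than imply /run/user becomes writable. Separately, the re-indented `asprintf(&fname, "/run/user/%d", getuid())` lines format a uid_t with `%d`; `%u` matches the unsigned type on glibc (pre-existing, not introduced here). fs_proc_sys_dev_boot begins before the hunk.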
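--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -100,6 +100,8 @@ int arg_nice = 0; // nice value configured
 int arg_ipc = 0; // enable ipc namespace
 int arg_writable_etc = 0; // writable etc
 int arg_writable_var = 0; // writable var
+int arg_writable_run_user = 0; // writable /run/user
+int arg_writable_var_log = 0; // writable /var/log
 int arg_appimage = 0; // appimage
 int arg_audit = 0; // audit
 char *arg_audit_prog = NULL; // audit
@@ -110,7 +112,6 @@ int arg_x11_xorg = 0; // use X11 security extention
 int arg_allusers = 0; // all user home directories visible
 int arg_machineid = 0; // preserve /etc/machine-id
 int arg_allow_private_blacklist = 0; // blacklist things in private directories
-int arg_writable_var_log = 0; // writable /var/log
 int arg_disable_mnt = 0; // disable /mnt and /media
 int arg_noprofile = 0; // use default.profile if none other found/specified
 int arg_memory_deny_write_execute = 0; // block writable and executable memory
@@ -1560,6 +1561,9 @@ int main(int argc, char **argv) {
 else if (strcmp(argv[i], "--writable-var") == 0) {
 arg_writable_var = 1;
 }
+else if (strcmp(argv[i], "--writable-run-user") == 0) {
+arg_writable_run_user = 1;
+}
 else if (strcmp(argv[i], "--writable-var-log") == 0) {
 arg_writable_var_log = 1;
 }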
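Review bot: The new `--writable-run-user` branch in the third hunk has no counterpart in the diffstat for the `--help` text or shell completion, so the option is only discoverable through the man page and README; if the usage text lives in a separate source file it needs a one-line entry as well. The man-page sentence added alongside reads `This options disables the default blacklisting of run/user/$UID/systemd`, which should be `This option disables ...` with `/run/user/$UID/systemd` (the same sentence is in README.md). The first two hunks only move `arg_writable_var_log` next to the new flag; nothing to raise there.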
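--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -719,6 +719,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 arg_writable_var = 1;
 return 0;
 }
+// writable-run-user
+if (strcmp(ptr, "writable-run-user") == 0) {
+arg_writable_run_user = 1;
+return 0;
+}
 if (strcmp(ptr, "writable-var-log") == 0) {
 arg_writable_var_log = 1;
 return 0;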
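Review bot: The `// writable-run-user` comment above the new strcmp only repeats the keyword, while the neighbouring `writable-var-log` check carries no comment at all; either drop it or make it say what the keyword does, e.g. `// writable-run-user: keep /run/user/$UID/{gnupg,systemd} visible (skips the default blacklist)`. profile_check_line begins before the hunk.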
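--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -273,6 +273,9 @@ the same top directory. For user home, both the link and the real file should be
 \fBwritable-etc
 Mount /etc directory read-write.
 .TP
+\fBwritable-run-user
+Disable the default blacklisting of run/user/$UID/systemd and /run/user/$UID/gnupg.
+.TP
 \fBwritable-var
 Mount /var directory read-write.
 .TP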
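--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1965,6 +1965,16 @@ Example:
 $ sudo firejail --writable-etc
 
 .TP
+\fB\-\-writable-run-user
+This options disables the default blacklisting of run/user/$UID/systemd and /run/user/$UID/gnupg.
+.br
+
+.br
+Example:
+.br
+$ sudo firejail --writable-run-user
+
+.TP
 \fB\-\-writable-var
 Mount /var directory read-write.
 .br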