author | Aleksey Manevich <manevich.aleksey@gmail.com> | 2016-08-25 01:01:06 +0300 |
---|---|---|
committer | Aleksey Manevich <manevich.aleksey@gmail.com> | 2016-08-25 01:05:40 +0300 |
commit | 51d69322896d0f622d77dc581c35876c1c937596 (patch) | |
tree | 88bf6dd701767267ac564c008335e728a9ab727d | |
parent | tighten security (diff) | |
tighten security
-rw-r--r-- | src/firejail/fs_trace.c | 14 | ||||
-rw-r--r-- | src/firejail/fs_var.c | 23 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 8 | ||||
-rw-r--r-- | src/firejail/main.c | 20 | ||||
-rw-r--r-- | src/firejail/protocol.c | 8 | ||||
-rw-r--r-- | src/firejail/pulseaudio.c | 5 | ||||
-rw-r--r-- | src/firejail/restrict_users.c | 14 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 3 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 3 | ||||
-rw-r--r-- | src/firejail/x11.c | 8 |
10 files changed, 26 insertions, 80 deletions
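diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c
index f6ca28227..bab117b7e 100644
--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -37,11 +37,8 @@ void fs_trace_preload(void) {
 FILE *fp = fopen("/etc/ld.so.preload", "w");
 if (!fp)
 errExit("fopen");
+SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
 fclose(fp);
-if (chown("/etc/ld.so.preload", 0, 0) < 0)
-errExit("chown");
-if (chmod("/etc/ld.so.preload", S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
-errExit("chmod");
 fs_logger("touch /etc/ld.so.preload");
 }
 }
@@ -66,12 +63,9 @@ void fs_trace(void) {
 }
 else
 assert(0);
 
+SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
 fclose(fp);
-if (chown(RUN_LDPRELOAD_FILE, 0, 0) < 0)
-errExit("chown");
-if (chmod(RUN_LDPRELOAD_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
-errExit("chmod");
 
 // mount the new preload file
 if (arg_debug)
@@ -81,5 +75,3 @@ void fs_trace(void) {
 fs_logger("create /etc/ld.so.preload");
 }
 
-
-
\ No newline at end of file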
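diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index 1516d684f..a578d04e6 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -131,22 +131,16 @@ void fs_var_log(void) {
 // create an empty /var/log/wtmp file
 /* coverity[toctou] */
 FILE *fp = fopen("/var/log/wtmp", "w");
+SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
 if (fp)
 fclose(fp);
-if (chown("/var/log/wtmp", 0, wtmp_group) < 0)
-errExit("chown");
-if (chmod("/var/log/wtmp", S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH ) < 0)
-errExit("chmod");
 fs_logger("touch /var/log/wtmp");
 
 // create an empty /var/log/btmp file
 fp = fopen("/var/log/btmp", "w");
+SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP);
 if (fp)
 fclose(fp);
-if (chown("/var/log/btmp", 0, wtmp_group) < 0)
-errExit("chown");
-if (chmod("/var/log/btmp", S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP) < 0)
-errExit("chmod");
 fs_logger("touch /var/log/btmp");
 }
 else
@@ -169,11 +163,8 @@ void fs_var_lib(void) {
 
 if (fp) {
 fprintf(fp, "\n");
+SET_PERMS_STREAM(fp, 0, 0, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
 fclose(fp);
-if (chown("/var/lib/dhcp/dhcpd.leases", 0, 0) == -1)
-errExit("chown");
-if (chmod("/var/lib/dhcp/dhcpd.leases", S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH))
-errExit("chmod");
 fs_logger("touch /var/lib/dhcp/dhcpd.leases");
 }
 }
@@ -279,10 +270,9 @@ void fs_var_lock(void) {
 // create directory
 if (mkdir(lnk, S_IRWXU|S_IRWXG|S_IRWXO))
 errExit("mkdir");
-if (chown(lnk, 0, 0))
-errExit("chown");
 if (chmod(lnk, S_IRWXU|S_IRWXG|S_IRWXO))
 errExit("chmod");
+ASSERT_PERMS(lnk, 0, 0, S_IRWXU|S_IRWXG|S_IRWXO);
 }
 if (arg_debug)
 printf("Mounting tmpfs on %s on behalf of /var/lock\n", lnk);
@@ -353,11 +343,8 @@ void fs_var_utmp(void) {
 
 // save new utmp file
 fwrite(&u_boot, sizeof(u_boot), 1, fp);
+SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
 fclose(fp);
-if (chown(RUN_UTMP_FILE, 0, utmp_group) < 0)
-errExit("chown");
-if (chmod(RUN_UTMP_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH ) < 0)
-errExit("chmod");
 
 // mount the new utmp file
 if (arg_debug)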
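Review bot: In fs_var_log the two new `SET_PERMS_STREAM(fp, ...)` calls for /var/log/wtmp and /var/log/btmp are placed before the `if (fp)` guard, so a failed fopen — which this function deliberately tolerates, as the guarded fclose shows — now hands a NULL stream to the macro; its definition is not in this diff, but anything that does fileno(fp) on it will crash where the old code carried on. Move the call under the guard: `if (fp) { SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH); fclose(fp); }`, and the same for the btmp block. In fs_var_lock the removed `chown(lnk, 0, 0)` is now only an `ASSERT_PERMS(lnk, 0, 0, ...)` after mkdir; if the parent of lnk ever carries the setgid bit, the new directory inherits the parent's group and the assertion aborts where the old chown would have corrected it — worth confirming that cannot happen for this path, or keeping a fd-based ownership fix before the assertion. The enclosing functions start before their hunks.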
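diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 90b91f9dd..33037da29 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -275,18 +275,14 @@ static void whitelist_path(ProfileEntry *entry) {
 fprintf(stderr, "Error: cannot create empty file in home directory\n");
 exit(1);
 }
+// set file properties
+SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode);
 fclose(fp);
 }
 else
 return; // the file is already present
 }
 
-// set file properties
-if (chown(path, s.st_uid, s.st_gid) < 0)
-errExit("chown");
-if (chmod(path, s.st_mode) < 0)
-errExit("chmod");
-
 // mount
 if (mount(wfile, path, NULL, MS_BIND|MS_REC, NULL) < 0)
 errExit("mount bind");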
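Review bot: The ownership and mode fix-up now runs only in the branch that creates the empty file, whereas the removed `chown(path, ...)`/`chmod(path, ...)` sat after the `}` that closes the enclosing block and so also ran for any path that left that block without creating anything and went on to the mount. whitelist_path starts before the hunk, so I cannot see what that block tests; if it is entered for every case that reaches the mount the change is equivalent, otherwise those cases silently lose the fix-up. Restoring the path-based calls would reintroduce the race the commit removes, so if such a case exists it should get the stream-based macro on its own open handle or an ASSERT_PERMS-style check; either way a one-line comment at the new `// set file properties` stating that the other branch returns without touching the file would make the intent explicit.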
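diff --git a/src/firejail/main.c b/src/firejail/main.c
index 2181a274b..dbb92a899 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -663,14 +663,10 @@ static void set_name_file(pid_t pid) {
 exit(1);
 }
 fprintf(fp, "%s\n", cfg.name);
-fclose(fp);
-
+
 // mode and ownership
-if (chown(fname, 0, 0) == -1)
-errExit("chown");
-if (chmod(fname, 0644) == -1)
-errExit("chmod");
-
+SET_PERMS_STREAM(fp, 0, 0, 0644);
+fclose(fp);
 }
 
 static void delete_name_file(pid_t pid) {
@@ -694,14 +690,10 @@ static void set_x11_file(pid_t pid, int display) {
 exit(1);
 }
 fprintf(fp, "%d\n", display);
-fclose(fp);
-
+
 // mode and ownership
-if (chown(fname, 0, 0) == -1)
-errExit("chown");
-if (chmod(fname, 0644) == -1)
-errExit("chmod");
-
+SET_PERMS_STREAM(fp, 0, 0, 0644);
+fclose(fp);
 }
 
 static void delete_x11_file(pid_t pid) {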
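Review bot: The `fclose(fp)` that set_name_file and set_x11_file now end with is unchecked, while the chown/chmod checks this commit removes aborted on any failure of the post-write steps; the buffered fprintf of cfg.name or the display number only surfaces a short write at fclose, so a failure now leaves a truncated file under the run directory without any diagnostic. `if (fclose(fp)) errExit("fclose");` in both hunks keeps the fail-closed behaviour the removed lines had. Both functions start before their hunks.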
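diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c
index 7e5ab7dfb..1ef5bf13d 100644
--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -273,14 +273,8 @@ void protocol_filter_save(void) {
 if (!fp)
 errExit("fopen");
 fprintf(fp, "%s\n", cfg.protocol);
+SET_PERMS_STREAM(fp, 0, 0, 0600);
 fclose(fp);
-
-if (chmod(RUN_PROTOCOL_CFG, 0600) < 0)
-errExit("chmod");
-
-if (chown(RUN_PROTOCOL_CFG, 0, 0) < 0)
-errExit("chown");
-
 }
 
 void protocol_filter_load(const char *fname) {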
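diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index dd26d219c..7db8d2c18 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -120,11 +120,8 @@ void pulseaudio_init(void) {
 if (!fp)
 errExit("fopen");
 fprintf(fp, "%s", "\nenable-shm = no\n");
+SET_PERMS_STREAM(fp, getuid(), getgid(), 0644);
 fclose(fp);
-if (chmod(pulsecfg, 0644) == -1)
-errExit("chmod");
-if (chown(pulsecfg, getuid(), getgid()) == -1)
-errExit("chown");
 
 // create ~/.config/pulse directory if not present
 char *dir1;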
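Review bot: `SET_PERMS_STREAM(fp, getuid(), getgid(), 0644)` hands the file back to the real user, which only makes sense if this code runs with a different effective uid, and the comment that follows places the file under the user's ~/.config; in that combination the `fopen(pulsecfg, "w")` that precedes the hunk follows a symlink already present at that name, so the permission change now lands on whatever the link points to. I cannot see how pulsecfg is built or whether privileges were dropped before this point, so this is a conjecture; if both hold, opening with `open(pulsecfg, O_WRONLY|O_CREAT|O_NOFOLLOW, 0644)` and wrapping with `fdopen` would close the gap that moving to fd-based permission changes is meant to address. pulseaudio_init starts before the hunk.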
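diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index de798037f..cb999a4a6 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -187,12 +187,9 @@ static void sanitize_passwd(void) {
 fprintf(fpout, "%s", buf);
 }
 fclose(fpin);
+SET_PERMS_STREAM(fpout, 0, 0, 0644);
 fclose(fpout);
-if (chown(RUN_PASSWD_FILE, 0, 0) == -1)
-errExit("chown");
-if (chmod(RUN_PASSWD_FILE, 0644) == -1)
-errExit("chmod");
-
+
 // mount-bind tne new password file
 if (mount(RUN_PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0)
 errExit("mount");
@@ -319,12 +316,9 @@ static void sanitize_group(void) {
 goto errout;
 }
 fclose(fpin);
+SET_PERMS_STREAM(fpout, 0, 0, 0644);
 fclose(fpout);
-if (chown(RUN_GROUP_FILE, 0, 0) == -1)
-errExit("chown");
-if (chmod(RUN_GROUP_FILE, 0644) == -1)
-errExit("chmod");
-
+
 // mount-bind tne new group file
 if (mount(RUN_GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0)
 errExit("mount");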
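Review bot: `fclose(fpout)` on the rewritten passwd copy is unchecked immediately before that copy is bind-mounted over /etc/passwd; the new SET_PERMS_STREAM line preserves abort-on-error only for the ownership step, so a failed final flush would still mount a truncated file in place of the system one. `if (fclose(fpout)) errExit("fclose");` here, and the same in sanitize_group before the /etc/group mount, keeps the fail-closed behaviour the removed chown/chmod checks had. Both functions begin before their hunks, and the `goto errout` path's handling of fpout is not visible here.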
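diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 5f845fbd3..9423ae7e0 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -104,9 +104,8 @@ void save_nogroups(void) {
 FILE *fp = fopen(RUN_GROUPS_CFG, "w");
 if (fp) {
 fprintf(fp, "\n");
+SET_PERMS_STREAM(fp, 0, 0, 0644); // assume mode 0644
 fclose(fp);
-if (chown(RUN_GROUPS_CFG, 0, 0) < 0)
-errExit("chown");
 }
 else {
 fprintf(stderr, "Error: cannot save nogroups state\n");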
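diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 7aaf1a5cd..c2da1168a 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -290,9 +290,8 @@ static void write_seccomp_file(void) {
 fprintf(stderr, "Error: cannot save seccomp filter\n");
 exit(1);
 }
+SET_PERMS_FD(fd, 0, 0, S_IRUSR | S_IWUSR);
 close(fd);
-if (chown(RUN_SECCOMP_CFG, 0, 0) < 0)
-errExit("chown");
 }
 
 // read seccomp filter from /run/firejail/mnt/seccomp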
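diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 3d0918b2c..a68b54cdb 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -132,13 +132,9 @@ void fs_x11(void) {
 fprintf(stderr, "Error: cannot create empty file in x11 directory\n");
 exit(1);
 }
-fclose(fp);
-
 // set file properties
-if (chown(x11file, s.st_uid, s.st_gid) < 0)
-errExit("chown");
-if (chmod(x11file, s.st_mode) < 0)
-errExit("chmod");
+SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode);
+fclose(fp);
 
 // mount
 char *wx11file;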