author | startx2017 <vradu.startx@yandex.com> | 2018-05-09 19:40:29 -0400 |
---|---|---|
committer | startx2017 <vradu.startx@yandex.com> | 2018-05-09 19:40:29 -0400 |
commit | 694e2027c5b6d03919bac4b5b305f6d3d834786c (patch) | |
tree | 545d1817d90f7b3b867f79d110f8497670ac054c | |
parent | firemon/prctl enhancements (diff) | |
parent | merges (diff) | |
download | firejail-694e2027c5b6d03919bac4b5b305f6d3d834786c.tar.gz firejail-694e2027c5b6d03919bac4b5b305f6d3d834786c.tar.zst firejail-694e2027c5b6d03919bac4b5b305f6d3d834786c.zip |
Merge branch 'master' of https://github.com/netblue30/firejail
-rw-r--r-- | README | 1 | ||||
-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | RELNOTES | 3 | ||||
-rw-r--r-- | etc/disable-programs.inc | 2 | ||||
-rw-r--r-- | etc/qmmp.profile | 34 | ||||
-rw-r--r-- | etc/sayonara.profile | 33 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 6 | ||||
-rw-r--r-- | src/firejail/main.c | 8 | ||||
-rw-r--r-- | src/firejail/sbox.c | 7 | ||||
-rw-r--r-- | test/hidepid-howto | 27 |
11 files changed, 117 insertions, 7 deletions
@@ -435,6 +435,7 @@ Pixel Fairy (https://github.com/xahare) | |||
435 | PizzaDude (https://github.com/pizzadude) | 435 | PizzaDude (https://github.com/pizzadude) |
436 | - add mpv support to smplayer | 436 | - add mpv support to smplayer |
437 | - added profile for torbrowser-launcher | 437 | - added profile for torbrowser-launcher |
438 | - added profile for sayonara and qmmp | ||
438 | probonopd (https://github.com/probonopd) | 439 | probonopd (https://github.com/probonopd) |
439 | - automatic build on Travis CI | 440 | - automatic build on Travis CI |
440 | pshpsh (https://github.com/pshpsh) | 441 | pshpsh (https://github.com/pshpsh) |
@@ -376,4 +376,4 @@ gnome-recipes, akonadi_control, evince-previewer, evince-thumbnailer, blender-2. | |||
376 | thunderbird-beta, ncdu, gnome-logs, gcloud, musixmatch, gunzip, bunzip2, enchant, | 376 | thunderbird-beta, ncdu, gnome-logs, gcloud, musixmatch, gunzip, bunzip2, enchant, |
377 | enchant-2, enchant-lsmod, enchant-lsmod-2, Discord, acat, adiff, als, apack, arepack, | 377 | enchant-2, enchant-lsmod, enchant-lsmod-2, Discord, acat, adiff, als, apack, arepack, |
378 | aunpack profiles, ppsspp, scallion, clion, baloo_filemetadata_temp_extractor, | 378 | aunpack profiles, ppsspp, scallion, clion, baloo_filemetadata_temp_extractor, |
379 | AnyDesk, webstorm, xmind | 379 | AnyDesk, webstorm, xmind, qmmp, sayonara |
@@ -44,7 +44,8 @@ firejail (0.9.54~rc1) baseline; urgency=low | |||
44 | * new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2, | 44 | * new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2, |
45 | * new profiles: enchant, enchant-2, Discord, acat, adiff, als, apack, | 45 | * new profiles: enchant, enchant-2, Discord, acat, adiff, als, apack, |
46 | * new profiles: arepack, aunpack profiles, ppsspp, scallion, clion, | 46 | * new profiles: arepack, aunpack profiles, ppsspp, scallion, clion, |
47 | * new profiles: baloo_filemetadata_temp_extractor, AnyDesk, webstorm, xmind | 47 | * new profiles: baloo_filemetadata_temp_extractor, AnyDesk, webstorm, xmind, |
48 | * new profiles: qmmp, sayonara | ||
48 | -- netblue30 <netblue30@yahoo.com> Sun, 6 May 2018 08:00:00 -0500 | 49 | -- netblue30 <netblue30@yahoo.com> Sun, 6 May 2018 08:00:00 -0500 |
49 | 50 | ||
50 | firejail (0.9.52) baseline; urgency=low | 51 | firejail (0.9.52) baseline; urgency=low |
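--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -16,6 +16,7 @@ blacklist ${HOME}/.LuminanceHDR
 blacklist ${HOME}/.Mathematica
 blacklist ${HOME}/.Natron
 blacklist ${HOME}/.PyCharm*
+blacklist ${HOME}/.Sayonara
 blacklist ${HOME}/.Skype
 blacklist ${HOME}/.Steam
 blacklist ${HOME}/.Steampath
@@ -465,6 +466,7 @@ blacklist ${HOME}/.passwd-s3fs
 blacklist ${HOME}/.pingus
 blacklist ${HOME}/.purple
 blacklist ${HOME}/.qemu-launcher
+blacklist ${HOME}/.qmmp
 blacklist ${HOME}/.redeclipse
 blacklist ${HOME}/.remmina
 blacklist ${HOME}/.repo_.gitconfig.json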
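--- /dev/null
+++ b/etc/qmmp.profile
@@ -0,0 +1,34 @@
+# Firejail profile for qmmp
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/qmmp.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.qmmp
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+# no3d
+nodbus
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin qmmp
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp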
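Review bot: Line 17 leaves `no3d` commented out with no reason recorded, while the otherwise near-identical sayonara.profile in this commit enables it, so a later maintainer cannot tell whether this is an oversight or a deliberate exception. If qmmp's visualisation plugins need OpenGL (presumably the cause, but not verifiable from the commit), record it on the line itself: `# no3d (disabled: visualisation plugins need OpenGL, to be confirmed)`. Without the reason the next hardening pass is likely either to re-enable it and break the program or to leave the hole open indefinitely.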
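--- /dev/null
+++ b/etc/sayonara.profile
@@ -0,0 +1,33 @@
+# Firejail profile for sayonara player
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/sayonara.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.Sayonara
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin sayonara
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp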
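--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -792,6 +792,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 #define SBOX_CAPS_NETWORK (1 << 4) // caps filter for programs running network programs
 #define SBOX_ALLOW_STDIN (1 << 5) // don't close stdin
 #define SBOX_STDIN_FROM_FILE (1 << 6) // open file and redirect it to stdin
+#define SBOX_CAPS_HIDEPID (1 << 7) // hidepid caps filter for running firemon
 
 // run sbox
 int sbox_run(unsigned filter, int num, ...);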
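--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -196,6 +196,7 @@ static void whitelist_path(ProfileEntry *entry) {
 	const char *fname;
 	char *wfile = NULL;
 
+	EUID_USER();
 	if (entry->home_dir) {
 		if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) {
 			fname = path + strlen(cfg.homedir);
@@ -290,9 +291,12 @@ static void whitelist_path(ProfileEntry *entry) {
 		if (arg_debug || arg_debug_whitelists)
 			printf("Whitelisting %s\n", path);
 	}
-	else
+	else {
+		EUID_ROOT();
 		return;
+	}
 
+	EUID_ROOT();
 	// create the path if necessary
 	mkpath(path, s.st_mode);
 	fs_logger2("whitelist", path);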
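Review bot: EUID_ROOT() is re-asserted only on the two paths visible here (the new else block at line 295 and line 299 before mkpath), but the body of whitelist_path between the two hunks (new lines 200 to 290) is not shown; any `return` in that stretch now leaves the caller running with the user's EUID in effect, which the previous code never did. That stretch should be audited, or the privilege drop bracketed so EUID_ROOT() is reached on every exit, for instance one exit label that calls it once instead of two separate calls. The EUID_USER() at line 199 also deserves a comment stating what it guards, presumably resolving the profile-supplied path with the user's privileges rather than root's, along the lines of `// resolve the user-supplied path with user privileges -- TODO confirm the code below depends on this`. whitelist_path begins before the first hunk and ends after the second.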
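--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -551,21 +551,21 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 	}
 	else if (strcmp(argv[i], "--list") == 0) {
 		if (pid_hidepid())
-			sbox_run(SBOX_ROOT| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
+			sbox_run(SBOX_ROOT| SBOX_CAPS_HIDEPID | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
 		else
 			sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
 		exit(0);
 	}
 	else if (strcmp(argv[i], "--tree") == 0) {
 		if (pid_hidepid())
-			sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
+			sbox_run(SBOX_ROOT | SBOX_CAPS_HIDEPID | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
 		else
 			sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
 		exit(0);
 	}
 	else if (strcmp(argv[i], "--top") == 0) {
 		if (pid_hidepid())
-			sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
+			sbox_run(SBOX_ROOT | SBOX_CAPS_HIDEPID | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
 				2, PATH_FIREMON, "--top");
 		else
 			sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
@@ -577,7 +577,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 		if (checkcfg(CFG_NETWORK)) {
 			struct stat s;
 			if (stat("/proc/sys/kernel/grsecurity", &s) == 0 || pid_hidepid())
-				sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
+				sbox_run(SBOX_ROOT | SBOX_CAPS_HIDEPID | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
 					2, PATH_FIREMON, "--netstats");
 			else
 				sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,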
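Review bot: The four root-path sbox_run() calls (new lines 554, 561, 568 and 580) swap SBOX_CAPS_NONE for SBOX_CAPS_HIDEPID, so a root firemon child now retains CAP_SYS_PTRACE (and CAP_SYS_PACCT, per the sbox.c hunk of this commit) instead of dropping everything, yet none of the sites say why; a comment at the first site would record the intent, e.g. `// hidepid=2 hides other users' /proc entries from readers without CAP_SYS_PTRACE; run firemon with only that capability`. The --netstats site at line 579 also takes the root branch when /proc/sys/kernel/grsecurity exists, a case that is not about hidepid, so it is worth confirming that the same narrowed capability set is what that environment needs. The --top and --netstats calls continue past the end of their hunks, and run_cmd_and_exit begins and ends outside them.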
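--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -166,6 +166,13 @@ int sbox_run(unsigned filter, int num, ...) {
 			caps_set(set);
 #endif
 		}
+		else if (filter & SBOX_CAPS_HIDEPID) {
+#ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files
+			uint64_t set = ((uint64_t) 1) << CAP_SYS_PTRACE;
+			set |= ((uint64_t) 1) << CAP_SYS_PACCT;
+			caps_set(set);
+#endif
+		}
 
 		if (filter & SBOX_SECCOMP) {
 			if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {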
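Review bot: The new branch at lines 169 to 175 hands the child CAP_SYS_PTRACE, a capability that lets a process inspect and attach to other processes, and nothing in the commit explains why CAP_SYS_PACCT is added alongside it; the only comment on the branch is the gcov caveat. I would add above the `else if` a comment such as `// SBOX_CAPS_HIDEPID: firemon needs CAP_SYS_PTRACE to list other users' /proc entries under hidepid=2; CAP_SYS_PACCT: TODO document why it is needed`. Because this is an `else if` chained after the preceding caps branch (whose condition is outside the hunk), a caller that sets both flags silently gets the earlier set; the precedence should be stated next to the flag definitions in firejail.h, or the combination rejected. sbox_run begins and ends outside the hunk.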
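--- /dev/null
+++ b/test/hidepid-howto
@@ -0,0 +1,27 @@
+1. Find an unused user group for hidepid exception:
+
+$ id
+uid=1000(netblue) gid=100(users) groups=100(users),10(wheel),90(network),
+92(audio),93(optical),95(storage),98(power)
+
+From /etc/group I pick up a group I am not part of:
+
+$ cat /etc/group
+[...]
+xmms2:x:618:
+rtkit:x:133:
+vboxsf:x:109:
+git:x:617:
+[...]
+
+I'll use group 618 (xmms2)
+
+2. Set hidepid and allow xmms2 users to bypass hidepid
+
+$ sudo mount -o remount,rw,hidepid=2,gid=618 /proc
+$ cat /proc/mounts | grep proc
+proc /proc proc rw,nosuid,nodev,noexec,relatime,gid=618,hidepid=2 0 0
+
+3. Test "firejail --list", "firejail --top", "firejail --tree", "firejail --netstats"
+
+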