diff options
| author |  smitsohu <smitsohu@gmail.com> | 2020-08-17 16:38:47 +0200 |
|---|---|---|
| committer | smitsohu <smitsohu@gmail.com> | 2020-08-17 16:38:47 +0200 |
| commit | 515f3440439fa8c70e5e517b529cdc994845f6ec (patch) | |
| tree | e6f59a204b6f700dfd2445a0b5adc76ad7894de0 | |
| parent | firejail: don't pass command line through shell when redirecting output (diff) | |
| download | firejail-515f3440439fa8c70e5e517b529cdc994845f6ec.tar.gz firejail-515f3440439fa8c70e5e517b529cdc994845f6ec.tar.zst firejail-515f3440439fa8c70e5e517b529cdc994845f6ec.zip | |
hardening: run plugins with dumpable flag cleared
the kernel clears the dumpable flag if a user has no read permission on an
executable and it is owned by another user; I omitted faudit, fbuilder and
ftee for now as they are not used to configure the sandbox itself, and as
this commit is going to complicate debugging efforts to some extent
| -rw-r--r-- | Makefile.in | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/Makefile.in b/Makefile.in index 8cbba12e9..f3d1b3ad0 100644 --- a/Makefile.in +++ b/Makefile.in | |||
| @@ -18,15 +18,16 @@ HAVE_SUID=@HAVE_SUID@ | |||
| 18 | 18 | ||
| 19 | all: all_items man filters | 19 | all: all_items man filters |
| 20 | APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats | 20 | APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats |
| 21 | SBOX_APPS = src/faudit/faudit src/fbuilder/fbuilder src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter src/ftee/ftee | 21 | SBOX_APPS = src/faudit/faudit src/fbuilder/fbuilder src/ftee/ftee |
| 22 | SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter | ||
| 22 | MYDIRS = src/lib | 23 | MYDIRS = src/lib |
| 23 | MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so | 24 | MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so |
| 24 | MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 | 25 | MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 |
| 25 | ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) | 26 | ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) |
| 26 | SBOX_APPS += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp | 27 | SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp |
| 27 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 | 28 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 |
| 28 | endif | 29 | endif |
| 29 | ALL_ITEMS = $(APPS) $(SBOX_APPS) $(MYLIBS) | 30 | ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS) |
| 30 | 31 | ||
| 31 | .PHONY: all_items $(ALL_ITEMS) | 32 | .PHONY: all_items $(ALL_ITEMS) |
| 32 | all_items: $(ALL_ITEMS) | 33 | all_items: $(ALL_ITEMS) |
| @@ -43,7 +44,7 @@ $(MANPAGES): $(wildcard src/man/*.txt) | |||
| 43 | 44 | ||
| 44 | man: $(MANPAGES) | 45 | man: $(MANPAGES) |
| 45 | 46 | ||
| 46 | filters: $(SECCOMP_FILTERS) $(SBOX_APPS) | 47 | filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE) |
| 47 | ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) | 48 | ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) |
| 48 | seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize | 49 | seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize |
| 49 | src/fseccomp/fseccomp default seccomp | 50 | src/fseccomp/fseccomp default seccomp |
| @@ -106,7 +107,10 @@ endif | |||
| 106 | install -m 0755 -d $(DESTDIR)$(libdir)/firejail | 107 | install -m 0755 -d $(DESTDIR)$(libdir)/firejail |
| 107 | install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config | 108 | install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config |
| 108 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS) | 109 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS) |
| 110 | # non-dumpable plugins | ||
| 111 | install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE) | ||
| 109 | ifeq ($(HAVE_CONTRIB_INSTALL),yes) | 112 | ifeq ($(HAVE_CONTRIB_INSTALL),yes) |
| 113 | # contrib scripts | ||
| 110 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh | 114 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh |
| 111 | # vim syntax | 115 | # vim syntax |
| 112 | install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect | 116 | install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect |