author | netblue30 <netblue30@yahoo.com> | 2017-09-19 09:47:26 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-09-19 09:47:26 -0400 |
commit | cbbc90381b41156c16bcb30934a10c843c8298c0 (patch) | |
tree | e21319a023b5883eb3aa5a50b4bd27e19e047a49 | |
parent | update KDE whitelist (diff) | |
add private-bin support to profile builder
-rw-r--r-- | README.md | 9 | ||||
-rw-r--r-- | etc/whitelist-var-common.inc | 1 | ||||
-rw-r--r-- | smtube.profile | 37 | ||||
-rw-r--r-- | src/fbuilder/build_bin.c | 121 | ||||
-rw-r--r-- | src/fbuilder/build_profile.c | 4 | ||||
-rw-r--r-- | src/fbuilder/fbuilder.h | 3 | ||||
-rw-r--r-- | src/libtrace/libtrace.c | 12 |
7 files changed, 144 insertions, 43 deletions
@@ -114,12 +114,12 @@ in order to allow strace to run. Chromium and Chromium-based browsers will not w | |||
114 | 114 | ||
115 | Example: | 115 | Example: |
116 | ````` | 116 | ````` |
117 | $ firejail --build vlc ~/Videos/test.mp4 | 117 | $ firejail --build /usr/bin/vlc ~/Videos/test.mp4 |
118 | 118 | ||
119 | [...] | 119 | [...] |
120 | 120 | ||
121 | ############################################ | 121 | ############################################ |
122 | # vlc profile | 122 | # /usr/bin/vlc profile |
123 | ############################################ | 123 | ############################################ |
124 | # Persistent global definitions | 124 | # Persistent global definitions |
125 | # include /etc/firejail/globals.local | 125 | # include /etc/firejail/globals.local |
@@ -141,13 +141,14 @@ private-tmp | |||
141 | private-dev | 141 | private-dev |
142 | private-etc vdpau_wrapper.cfg,udev,drirc,fonts,xdg,gtk-3.0,machine-id,selinux, | 142 | private-etc vdpau_wrapper.cfg,udev,drirc,fonts,xdg,gtk-3.0,machine-id,selinux, |
143 | whitelist /var/lib/menu-xdg | 143 | whitelist /var/lib/menu-xdg |
144 | # private-bin vlc, | ||
144 | 145 | ||
145 | ### security filters | 146 | ### security filters |
146 | caps.drop all | 147 | caps.drop all |
147 | nonewprivs | 148 | nonewprivs |
148 | seccomp | 149 | seccomp |
149 | # seccomp.keep futex,poll,rt_sigtimedwait,ioctl,fdatasync,stat,writev,read,recvmsg,mprotect,write,sendto,clock_nanosleep,open,dup3,mmap,rt_sigprocmask,close,fstat,lstat,lseek,munmap,brk,rt_sigaction,rt_sigreturn,access,madvise,shmget,shmat,shmctl,alarm,getpid,socket,connect,recvfrom,sendmsg,shutdown,getsockname,getpeername,setsockopt,getsockopt,clone,execve,uname,shmdt,fcntl,flock,ftruncate,getdents,rename,mkdir,unlink,readlink,chmod,getrlimit,sysinfo,getuid,getgid,setuid,setgid,geteuid,getegid,getppid,getpgrp,setresuid,getresuid,setresgid,getresgid,statfs,fstatfs,prctl,arch_prctl,sched_getaffinity,set_tid_address,fadvise64,clock_getres,tgkill,set_robust_list,eventfd2,pipe2,getrandom,memfd_create | 150 | # seccomp.keep futex,poll,rt_sigtimedwait,ioctl,fdatasync,read,writev,sendmsg,sendto,write,recvmsg,mmap,mprotect,getpid,stat,clock_nanosleep,munmap,close,access,lseek,fcntl,open,fstat,lstat,brk,rt_sigaction,rt_sigprocmask,rt_sigreturn,madvise,shmget,shmat,shmctl,alarm,socket,connect,recvfrom,shutdown,getsockname,getpeername,setsockopt,getsockopt,clone,execve,uname,shmdt,flock,ftruncate,getdents,rename,mkdir,unlink,readlink,chmod,getrlimit,sysinfo,getuid,getgid,geteuid,getegid,getresuid,getresgid,statfs,fstatfs,prctl,arch_prctl,sched_getaffinity,set_tid_address,fadvise64,clock_getres,tgkill,set_robust_list,eventfd2,dup3,pipe2,getrandom,memfd_create |
150 | # 82 syscalls total | 151 | # 76 syscalls total |
151 | # Probably you will need to add more syscalls to seccomp.keep. Look for | 152 | # Probably you will need to add more syscalls to seccomp.keep. Look for |
152 | # seccomp errors in /var/log/syslog or /var/log/audit/audit.log while | 153 | # seccomp errors in /var/log/syslog or /var/log/audit/audit.log while |
153 | # running your sandbox. | 154 | # running your sandbox. |
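--- a/etc/whitelist-var-common.inc
+++ b/etc/whitelist-var-common.inc
@@ -8,3 +8,4 @@ whitelist /var/lib/menu-xdg
 whitelist /var/cache/fontconfig
 whitelist /var/tmp
 whitelist /var/run
+whitelist /var/lock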
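--- a/smtube.profile
+++ /dev/null
@@ -1,37 +0,0 @@
-# Firejail profile for smtube
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/smtube.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/smplayer
-noblacklist ${HOME}/.config/smtube
-noblacklist ${HOME}/.config/mpv
-noblacklist ${HOME}/.mplayer
-noblacklist ${HOME}/.config/vlc
-noblacklist ${HOME}/.local/share/vlc
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-notv
-novideo
-nogroups
-nonewprivs
-noroot
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-
-#no private-bin because users can add their own players to smtube and that would prevent that
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp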
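--- /dev/null
+++ b/src/fbuilder/build_bin.c
@@ -0,0 +1,121 @@
+/*
+* Copyright (C) 2014-2017 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fbuilder.h"
+
+static FileDB *bin_out = NULL;
+
+static void process_bin(const char *fname) {
+assert(fname);
+
+// process trace file
+FILE *fp = fopen(fname, "r");
+if (!fp) {
+fprintf(stderr, "Error: cannot open %s\n", fname);
+exit(1);
+}
+
+char buf[MAX_BUF];
+while (fgets(buf, MAX_BUF, fp)) {
+// remove \n
+char *ptr = strchr(buf, '\n');
+if (ptr)
+*ptr = '\0';
+
+// parse line: 4:galculator:access /etc/fonts/conf.d:0
+// number followed by :
+ptr = buf;
+if (!isdigit(*ptr))
+continue;
+while (isdigit(*ptr))
+ptr++;
+if (*ptr != ':')
+continue;
+ptr++;
+
+// next :
+ptr = strchr(ptr, ':');
+if (!ptr)
+continue;
+ptr++;
+if (strncmp(ptr, "exec ", 5) == 0)
+ptr += 5;
+else
+continue;
+if (strncmp(ptr, "/bin/", 5) == 0)
+ptr += 5;
+else if (strncmp(ptr, "/sbin/", 6) == 0)
+ptr += 6;
+else if (strncmp(ptr, "/usr/bin/", 9) == 0)
+ptr += 9;
+else if (strncmp(ptr, "/usr/sbin/", 10) == 0)
+ptr += 10;
+else if (strncmp(ptr, "/usr/local/bin/", 15) == 0)
+ptr += 15;
+else if (strncmp(ptr, "/usr/local/sbin/", 16) == 0)
+ptr += 16;
+else if (strncmp(ptr, "/usr/games/", 11) == 0)
+ptr += 12;
+else if (strncmp(ptr, "/usr/local/games/", 17) == 0)
+ptr += 17;
+else
+continue;
+
+// end of filename
+char *ptr2 = strchr(ptr, ':');
+if (!ptr2)
+continue;
+*ptr2 = '\0';
+
+bin_out = filedb_add(bin_out, ptr);
+}
+
+fclose(fp);
+}
+
+
+// process fname, fname.1, fname.2, fname.3, fname.4, fname.5
+void build_bin(const char *fname) {
+assert(fname);
+
+// run fname
+process_bin(fname);
+
+// run all the rest
+struct stat s;
+int i;
+for (i = 1; i <= 5; i++) {
+char *newname;
+if (asprintf(&newname, "%s.%d", fname, i) == -1)
+errExit("asprintf");
+if (stat(newname, &s) == 0)
+process_bin(newname);
+free(newname);
+}
+
+if (bin_out) {
+printf("# private-bin ");
+FileDB *ptr = bin_out;
+while (ptr) {
+printf("%s,", ptr->fname);
+ptr = ptr->next;
+}
+printf("\n");
+}
+}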
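Review bot: The `/usr/games/` branch of process_bin skips one byte too many: the prefix is 11 characters but the code does `ptr += 12;`, so the first character of any binary launched from /usr/games/ is dropped from the emitted private-bin list; it should read `ptr += 11;` like the other branches. The `isdigit(*ptr)` calls pass a plain `char`, which is undefined for negative values, so `isdigit((unsigned char)*ptr)` is the safe form, especially since the trace file is written by the traced program rather than by this tool. The one-line example comment shows an access record, not the exec record this function actually matches; a comment above process_bin such as `// collect the basename of every "exec" record found in one libtrace output file` would make the input format clear. What filedb_add does with duplicates is defined outside this file, so I cannot tell whether the same binary can be listed twice.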
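--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -33,6 +33,7 @@ static char *cmdlist[] = {
 "--caps.drop=all",
 "--nonewprivs",
 "--trace",
+"--shell=none",
 "/usr/bin/strace", // also used as a marker in build_profile()
 "-c",
 "-f",
@@ -56,8 +57,6 @@ static void clear_tmp_files(void) {
 }
 
 void build_profile(int argc, char **argv, int index) {
-unlink("/tmp/strace-output");
-
 // next index is the application name
 if (index >= argc) {
 fprintf(stderr, "Error: application name missing\n");
@@ -136,6 +135,7 @@ void build_profile(int argc, char **argv, int index) {
 build_dev(TRACE_OUTPUT);
 build_etc(TRACE_OUTPUT);
 build_var(TRACE_OUTPUT);
+build_bin(TRACE_OUTPUT);
 printf("\n");
 
 printf("### security filters\n");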
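Review bot: The second hunk drops `unlink("/tmp/strace-output");` from the start of build_profile() with no visible replacement; if clear_tmp_files() (defined above the hunk) does not remove that path, output left by an earlier run — or a file another local user pre-created at that fixed name in /tmp — would be parsed by the build_* calls into the generated profile. If the cleanup now lives in clear_tmp_files(), a one-line comment at the top of build_profile(), e.g. `// stale trace output is removed by clear_tmp_files()`, would document why the unlink is gone. build_profile() continues outside the hunk, and I cannot see from here how TRACE_OUTPUT relates to /tmp/strace-output.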
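--- a/src/fbuilder/fbuilder.h
+++ b/src/fbuilder/fbuilder.h
@@ -44,6 +44,9 @@ void build_var(const char *fname);
 void build_tmp(const char *fname);
 void build_dev(const char *fname);
 
+// build_bin.c
+void build_bin(const char *fname);
+
 // build_home.c
 void build_home(const char *fname);
 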
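--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
@@ -673,3 +673,15 @@ int setresgid(gid_t rgid, gid_t egid, gid_t sgid) {
 
 return rv;
 }
+
+// every time a new process is started, this gets called
+// it can be used to build things like private-bin
+__attribute__((constructor))
+static void log_exec(int argc, char** argv) {
+static char buf[PATH_MAX + 1];
+int rv = readlink("/proc/self/exe", buf, PATH_MAX);
+if (rv != -1) {
+buf[rv] = '\0'; // readlink does not add a '\0' at the end
+printf("%u:%s:exec %s:0\n", pid(), name(), buf);
+}
+}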
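Review bot: log_exec declares `int argc, char** argv` but never reads them; receiving argc/argv in a constructor is a glibc behaviour rather than standard C, and with -Wextra both parameters warn as unused, so `static void log_exec(void)` is the portable form that says what the function needs. Since /proc/self/exe resolves to the executable image, an interpreted program is recorded as its interpreter rather than as the script, which matters for what build_bin later turns into a private-bin list; a comment above the readlink, e.g. `// for scripts this is the interpreter, not the script itself`, would make that explicit. pid() and name() are defined outside the hunk, so I cannot confirm what the first two fields contain.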