--chroot fixes (Debian problem)

author: netblue30 <netblue30@yahoo.com> 2018-09-01 07:59:40 -0400
committer: netblue30 <netblue30@yahoo.com> 2018-09-01 07:59:40 -0400
commit: 07384ab64a4a98ff920e7667795282ae9ad21322 (patch)
tree: 10a6408aca31a2f48ee254d577a2481507a67ef2
parent: error strings (diff)
download: firejail-07384ab64a4a98ff920e7667795282ae9ad21322.tar.gz
firejail-07384ab64a4a98ff920e7667795282ae9ad21322.tar.zst
firejail-07384ab64a4a98ff920e7667795282ae9ad21322.zip
2 files changed, 16 insertions, 22 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 5d9526b4c..0e719ceaf 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -543,7 +543,8 @@ static void enforce_filters(void) {
        // drop all supplementary groups; /etc/group file inside chroot
        // is controlled by a regular usr
        arg_nogroups = 1;
-        fmessage("Dropping all Linux capabilities and enforcing default seccomp filter\n");
+        fmessage("\n** Warning: dropping all Linux capabilities and enforcing  **\n");
+        fmessage("**                  default seccomp filter                 **\n\n");
 }
 int sandbox(void* sandbox_arg) {
@@ -744,7 +745,13 @@ int sandbox(void* sandbox_arg) {
        // need ld.so.preload if tracing or seccomp with any non-default lists
        bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec;
+        // for --appimage, --chroot and --overlay* we replace the seccomp filter with the default one
+        // we also drop all capabilities
+        if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay)) {
+                enforce_filters();
+                need_preload = arg_trace || arg_tracelog;
+                arg_seccomp = 1;
+        }
        // trace pre-install
        if (need_preload)
                fs_trace_preload();
@@ -756,19 +763,10 @@ int sandbox(void* sandbox_arg) {
        //****************************
        // configure filesystem
        //****************************
-        if (arg_appimage)
-                enforce_filters();
 #ifdef HAVE_CHROOT
        if (cfg.chrootdir) {
                fs_chroot(cfg.chrootdir);
-                // force caps and seccomp if not started as root
-                if (getuid() != 0)
-                        enforce_filters();
-                else
-                        arg_seccomp = 1;
                //****************************
                // trace pre-install, this time inside chroot
                //****************************
@@ -778,14 +776,8 @@ int sandbox(void* sandbox_arg) {
        else
 #endif
 #ifdef HAVE_OVERLAYFS
-        if (arg_overlay)        {
+        if (arg_overlay)
                fs_overlayfs();
-                // force caps and seccomp if not started as root
-                if (getuid() != 0)
-                        enforce_filters();
-                else
-                        arg_seccomp = 1;
-        }
        else
 #endif
                fs_basic_fs();
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index d7e402e31..c09684596 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -100,7 +100,8 @@ $ firejail --allusers
 Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below.
 .TP
 \fB\-\-appimage
-Sandbox an AppImage (https://appimage.org/) application.
+Sandbox an AppImage (https://appimage.org/) application. If the sandbox is started as a
+regular user, default seccomp and capabilities filters are enabled.
 .br
 .br
@@ -272,8 +273,7 @@ Example:
 \fB\-\-chroot=dirname
 Chroot the sandbox into a root filesystem. Unlike the regular filesystem container,
 the system directories are mounted read-write. If the sandbox is started as a
-regular user, default seccomp and capabilities filters are enabled. This
+regular user, default seccomp and capabilities filters are enabled.
-option is not available on Grsecurity systems.
 .br
 .br
@@ -1268,6 +1268,7 @@ Similar to \-\-output, but stderr is also stored.
 Mount a filesystem overlay on top of the current filesystem.  Unlike the regular filesystem container,
 the system directories are mounted read-write. All filesystem modifications go into the overlay.
 Directories /run, /tmp and /dev are not covered by the overlay. The overlay is stored in $HOME/.firejail/<PID> directory.
+If the sandbox is started as a regular user, default seccomp and capabilities filters are enabled.
 .br
 .br
@@ -1287,6 +1288,7 @@ Mount a filesystem overlay on top of the current filesystem.  Unlike the regular
 the system directories are mounted read-write. All filesystem modifications go into the overlay.
 Directories /run, /tmp and /dev are not covered by the overlay. The overlay is stored in $HOME/.firejail/<NAME> directory.
 The created overlay can be reused between multiple sessions.
+If the sandbox is started as a regular user, default seccomp and capabilities filters are enabled.
 .br
 .br
@@ -1304,7 +1306,7 @@ $ firejail \-\-overlay-named=jail1 firefox
 \fB\-\-overlay-tmpfs
 Mount a filesystem overlay on top of the current filesystem. All filesystem modifications
 are discarded when the sandbox is closed. Directories /run, /tmp and /dev are not covered by the overlay.
+If the sandbox is started as a regular user, default seccomp and capabilities filters are enabled.
 .br
 .br
author	netblue30 <netblue30@yahoo.com>	2018-09-01 07:59:40 -0400
committer	netblue30 <netblue30@yahoo.com>	2018-09-01 07:59:40 -0400
commit	07384ab64a4a98ff920e7667795282ae9ad21322 (patch)
tree	10a6408aca31a2f48ee254d577a2481507a67ef2
parent	error strings (diff)
download	firejail-07384ab64a4a98ff920e7667795282ae9ad21322.tar.gz firejail-07384ab64a4a98ff920e7667795282ae9ad21322.tar.zst firejail-07384ab64a4a98ff920e7667795282ae9ad21322.zip

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 5d9526b4c..0e719ceaf 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -543,7 +543,8 @@ static void enforce_filters(void) {
543	// drop all supplementary groups; /etc/group file inside chroot	543	// drop all supplementary groups; /etc/group file inside chroot
544	// is controlled by a regular usr	544	// is controlled by a regular usr
545	arg_nogroups = 1;	545	arg_nogroups = 1;
546	fmessage("Dropping all Linux capabilities and enforcing default seccomp filter\n");	546	fmessage("\n Warning: dropping all Linux capabilities and enforcing \n");
		547	fmessage(" default seccomp filter \n\n");
547	}	548	}
548		549
549	int sandbox(void* sandbox_arg) {	550	int sandbox(void* sandbox_arg) {
@@ -744,7 +745,13 @@ int sandbox(void* sandbox_arg) {
744		745
745	// need ld.so.preload if tracing or seccomp with any non-default lists	746	// need ld.so.preload if tracing or seccomp with any non-default lists
746	bool need_preload = arg_trace \|\| arg_tracelog \|\| arg_seccomp_postexec;	747	bool need_preload = arg_trace \|\| arg_tracelog \|\| arg_seccomp_postexec;
747		748	// for --appimage, --chroot and --overlay* we replace the seccomp filter with the default one
		749	// we also drop all capabilities
		750	if (getuid() != 0 && (arg_appimage \|\| cfg.chrootdir \|\| arg_overlay)) {
		751	enforce_filters();
		752	need_preload = arg_trace \|\| arg_tracelog;
		753	arg_seccomp = 1;
		754	}
748	// trace pre-install	755	// trace pre-install
749	if (need_preload)	756	if (need_preload)
750	fs_trace_preload();	757	fs_trace_preload();
@@ -756,19 +763,10 @@ int sandbox(void* sandbox_arg) {
756	//****************************	763	//****************************
757	// configure filesystem	764	// configure filesystem
758	//****************************	765	//****************************
759	if (arg_appimage)
760	enforce_filters();
761
762	#ifdef HAVE_CHROOT	766	#ifdef HAVE_CHROOT
763	if (cfg.chrootdir) {	767	if (cfg.chrootdir) {
764	fs_chroot(cfg.chrootdir);	768	fs_chroot(cfg.chrootdir);
765		769
766	// force caps and seccomp if not started as root
767	if (getuid() != 0)
768	enforce_filters();
769	else
770	arg_seccomp = 1;
771
772	//****************************	770	//****************************
773	// trace pre-install, this time inside chroot	771	// trace pre-install, this time inside chroot
774	//****************************	772	//****************************
@@ -778,14 +776,8 @@ int sandbox(void* sandbox_arg) {
778	else	776	else
779	#endif	777	#endif
780	#ifdef HAVE_OVERLAYFS	778	#ifdef HAVE_OVERLAYFS
781	if (arg_overlay) {	779	if (arg_overlay)
782	fs_overlayfs();	780	fs_overlayfs();
783	// force caps and seccomp if not started as root
784	if (getuid() != 0)
785	enforce_filters();
786	else
787	arg_seccomp = 1;
788	}
789	else	781	else
790	#endif	782	#endif
791	fs_basic_fs();	783	fs_basic_fs();


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index d7e402e31..c09684596 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -100,7 +100,8 @@ $ firejail --allusers
100	Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below.	100	Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below.
101	.TP	101	.TP
102	\fB\-\-appimage	102	\fB\-\-appimage
103	Sandbox an AppImage (https://appimage.org/) application.	103	Sandbox an AppImage (https://appimage.org/) application. If the sandbox is started as a
		104	regular user, default seccomp and capabilities filters are enabled.
104	.br	105	.br
105		106
106	.br	107	.br
@@ -272,8 +273,7 @@ Example:
272	\fB\-\-chroot=dirname	273	\fB\-\-chroot=dirname
273	Chroot the sandbox into a root filesystem. Unlike the regular filesystem container,	274	Chroot the sandbox into a root filesystem. Unlike the regular filesystem container,
274	the system directories are mounted read-write. If the sandbox is started as a	275	the system directories are mounted read-write. If the sandbox is started as a
275	regular user, default seccomp and capabilities filters are enabled. This	276	regular user, default seccomp and capabilities filters are enabled.
276	option is not available on Grsecurity systems.
277	.br	277	.br
278		278
279	.br	279	.br
@@ -1268,6 +1268,7 @@ Similar to \-\-output, but stderr is also stored.
1268	Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container,	1268	Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container,
1269	the system directories are mounted read-write. All filesystem modifications go into the overlay.	1269	the system directories are mounted read-write. All filesystem modifications go into the overlay.
1270	Directories /run, /tmp and /dev are not covered by the overlay. The overlay is stored in $HOME/.firejail/<PID> directory.	1270	Directories /run, /tmp and /dev are not covered by the overlay. The overlay is stored in $HOME/.firejail/<PID> directory.
		1271	If the sandbox is started as a regular user, default seccomp and capabilities filters are enabled.
1271	.br	1272	.br
1272		1273
1273	.br	1274	.br
@@ -1287,6 +1288,7 @@ Mount a filesystem overlay on top of the current filesystem. Unlike the regular
1287	the system directories are mounted read-write. All filesystem modifications go into the overlay.	1288	the system directories are mounted read-write. All filesystem modifications go into the overlay.
1288	Directories /run, /tmp and /dev are not covered by the overlay. The overlay is stored in $HOME/.firejail/<NAME> directory.	1289	Directories /run, /tmp and /dev are not covered by the overlay. The overlay is stored in $HOME/.firejail/<NAME> directory.
1289	The created overlay can be reused between multiple sessions.	1290	The created overlay can be reused between multiple sessions.
		1291	If the sandbox is started as a regular user, default seccomp and capabilities filters are enabled.
1290	.br	1292	.br
1291		1293
1292	.br	1294	.br
@@ -1304,7 +1306,7 @@ $ firejail \-\-overlay-named=jail1 firefox
1304	\fB\-\-overlay-tmpfs	1306	\fB\-\-overlay-tmpfs
1305	Mount a filesystem overlay on top of the current filesystem. All filesystem modifications	1307	Mount a filesystem overlay on top of the current filesystem. All filesystem modifications
1306	are discarded when the sandbox is closed. Directories /run, /tmp and /dev are not covered by the overlay.	1308	are discarded when the sandbox is closed. Directories /run, /tmp and /dev are not covered by the overlay.
1307		1309	If the sandbox is started as a regular user, default seccomp and capabilities filters are enabled.
1308	.br	1310	.br
1309		1311
1310	.br	1312	.br