diff options
author | netblue30 <netblue30@yahoo.com> | 2018-11-07 08:04:49 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-11-07 08:04:49 -0500 |
commit | 0fc095bf36dcab5810d111f2e12f52c0ed8c7f2e (patch) | |
tree | 090581f58608418ec301e9414b5679f3713f7ead | |
parent | Fixes for brave browser (diff) | |
parent | Add new config option to disable U2F in browsers, enabled by default (diff) | |
download | firejail-0fc095bf36dcab5810d111f2e12f52c0ed8c7f2e.tar.gz firejail-0fc095bf36dcab5810d111f2e12f52c0ed8c7f2e.tar.zst firejail-0fc095bf36dcab5810d111f2e12f52c0ed8c7f2e.zip |
Merge pull request #2247 from SkewedZeppelin/u2f_cond
Add new config option to disable U2F in browsers, enabled by default
-rw-r--r-- | etc/chromium-common.profile | 2 | ||||
-rw-r--r-- | etc/firefox-common.profile | 2 | ||||
-rw-r--r-- | etc/firejail.config | 3 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 9 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/profile.c | 1 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 2 |
7 files changed, 17 insertions, 3 deletions
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile index e7062c5b8..13ed13058 100644 --- a/etc/chromium-common.profile +++ b/etc/chromium-common.profile | |||
@@ -27,7 +27,7 @@ nodbus | |||
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | notv | 29 | notv |
30 | nou2f | 30 | ?BROWSER_DISABLE_U2F: nou2f |
31 | shell none | 31 | shell none |
32 | 32 | ||
33 | disable-mnt | 33 | disable-mnt |
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile index 31b071fe1..722a398cb 100644 --- a/etc/firefox-common.profile +++ b/etc/firefox-common.profile | |||
@@ -37,7 +37,7 @@ nogroups | |||
37 | nonewprivs | 37 | nonewprivs |
38 | noroot | 38 | noroot |
39 | notv | 39 | notv |
40 | nou2f | 40 | ?BROWSER_DISABLE_U2F: nou2f |
41 | protocol unix,inet,inet6,netlink | 41 | protocol unix,inet,inet6,netlink |
42 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 42 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice |
43 | shell none | 43 | shell none |
diff --git a/etc/firejail.config b/etc/firejail.config index d7106e76c..00f2c1b5d 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
@@ -5,6 +5,9 @@ | |||
5 | # Enable AppArmor functionality, default enabled. | 5 | # Enable AppArmor functionality, default enabled. |
6 | # apparmor yes | 6 | # apparmor yes |
7 | 7 | ||
8 | # Disable U2F in browsers, default enabled. | ||
9 | # browser-disable-u2f yes | ||
10 | |||
8 | # Number of ARP probes sent when assigning an IP address for --net option, | 11 | # Number of ARP probes sent when assigning an IP address for --net option, |
9 | # default 2. This is a partial implementation of RFC 5227. A 0.5 seconds | 12 | # default 2. This is a partial implementation of RFC 5227. A 0.5 seconds |
10 | # timeout is implemented for each probe. Increase this number to 4 if your | 13 | # timeout is implemented for each probe. Increase this number to 4 if your |
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 50f952e91..45e28fe40 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -371,6 +371,15 @@ int checkcfg(int val) { | |||
371 | else | 371 | else |
372 | goto errout; | 372 | goto errout; |
373 | } | 373 | } |
374 | // browser-disable-u2f | ||
375 | else if (strncmp(ptr, "browser-disable-u2f ", 20) == 0) { | ||
376 | if (strcmp(ptr + 20, "yes") == 0) | ||
377 | cfg_val[CFG_BROWSER_DISABLE_U2F] = 1; | ||
378 | else if (strcmp(ptr + 20, "no") == 0) | ||
379 | cfg_val[CFG_BROWSER_DISABLE_U2F] = 0; | ||
380 | else | ||
381 | goto errout; | ||
382 | } | ||
374 | else | 383 | else |
375 | goto errout; | 384 | goto errout; |
376 | 385 | ||
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 7f6ed2586..d996e1dac 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -771,6 +771,7 @@ enum { | |||
771 | CFG_JOIN, | 771 | CFG_JOIN, |
772 | CFG_ARP_PROBES, | 772 | CFG_ARP_PROBES, |
773 | CFG_XPRA_ATTACH, | 773 | CFG_XPRA_ATTACH, |
774 | CFG_BROWSER_DISABLE_U2F, | ||
774 | CFG_PRIVATE_LIB, | 775 | CFG_PRIVATE_LIB, |
775 | CFG_APPARMOR, | 776 | CFG_APPARMOR, |
776 | CFG_DBUS, | 777 | CFG_DBUS, |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index c7c8fd9fa..a85c8f815 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -139,6 +139,7 @@ int profile_check_conditional(char *ptr, int lineno, const char *fname) { | |||
139 | bool value; // true if set | 139 | bool value; // true if set |
140 | } conditionals[] = { | 140 | } conditionals[] = { |
141 | {"HAS_APPIMAGE", strlen("HAS_APPIMAGE"), arg_appimage!=0}, | 141 | {"HAS_APPIMAGE", strlen("HAS_APPIMAGE"), arg_appimage!=0}, |
142 | {"BROWSER_DISABLE_U2F", strlen("BROWSER_DISABLE_U2F"), checkcfg(CFG_BROWSER_DISABLE_U2F)!=0}, | ||
142 | NULL | 143 | NULL |
143 | }, *cond = conditionals; | 144 | }, *cond = conditionals; |
144 | char *tmp = ptr, *msg = NULL; | 145 | char *tmp = ptr, *msg = NULL; |
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index e26b5f989..251346bd5 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -94,7 +94,7 @@ Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir" | |||
94 | 94 | ||
95 | This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line. | 95 | This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line. |
96 | 96 | ||
97 | Currently the only conditional supported is HAS_APPIMAGE. | 97 | Currently the only conditionals supported are HAS_APPIMAGE and BROWSER_DISABLE_U2F. |
98 | 98 | ||
99 | The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines. | 99 | The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines. |
100 | 100 | ||