add explicit nonewprivs support to join option; accompanying small improvements

author: smitsohu <smitsohu@gmail.com> 2018-12-14 03:04:07 +0100
committer: smitsohu <smitsohu@gmail.com> 2018-12-14 03:04:07 +0100
commit: e56c09e19f34a0dd6d6d442cc0d2782409a0b53e (patch)
tree: 36d286616a0b9efe3beaec1d3ea3a10e70efa863
parent: firecfg: improve error string (diff)
download: firejail-e56c09e19f34a0dd6d6d442cc0d2782409a0b53e.tar.gz
firejail-e56c09e19f34a0dd6d6d442cc0d2782409a0b53e.tar.zst
firejail-e56c09e19f34a0dd6d6d442cc0d2782409a0b53e.zip
3 files changed, 68 insertions, 14 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index bd392846a..245ea5bde 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -46,6 +46,7 @@
 #define RUN_CPU_CFG     "/run/firejail/mnt/cpu"
 #define RUN_GROUPS_CFG  "/run/firejail/mnt/groups"
 #define RUN_PROTOCOL_CFG        "/run/firejail/mnt/protocol"
+#define RUN_NONEWPRIVS_CFG      "/run/firejail/mnt/nonewprivs"
 #define RUN_HOME_DIR    "/run/firejail/mnt/home"
 #define RUN_ETC_DIR     "/run/firejail/mnt/etc"
 #define RUN_OPT_DIR     "/run/firejail/mnt/opt"
diff --git a/src/firejail/join.c b/src/firejail/join.c
index c849b200c..50ef58f4b 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -100,21 +100,40 @@ static void extract_nogroups(pid_t pid) {
                errExit("asprintf");
        struct stat s;
-        if (stat(fname, &s) == -1)
+        if (stat(fname, &s) == -1) {
+                free(fname);
                return;
+        }
        arg_nogroups = 1;
        free(fname);
 }
+static void extract_nonewprivs(pid_t pid) {
+        char *fname;
+        if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_NONEWPRIVS_CFG) == -1)
+                errExit("asprintf");
+        struct stat s;
+        if (stat(fname, &s) == -1) {
+                free(fname);
+                return;
+        }
+        arg_nonewprivs = 1;
+        free(fname);
+}
 static void extract_cpu(pid_t pid) {
        char *fname;
        if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_CPU_CFG) == -1)
                errExit("asprintf");
        struct stat s;
-        if (stat(fname, &s) == -1)
+        if (stat(fname, &s) == -1) {
+                free(fname);
                return;
+        }
        // there is a CPU_CFG file, load it!
        load_cpu(fname);
@@ -127,8 +146,10 @@ static void extract_cgroup(pid_t pid) {
                errExit("asprintf");
        struct stat s;
-        if (stat(fname, &s) == -1)
+        if (stat(fname, &s) == -1) {
+                free(fname);
                return;
+        }
        // there is a cgroup file CGROUP_CFG, load it!
        load_cgroup(fname);
@@ -154,7 +175,10 @@ static void extract_caps_seccomp(pid_t pid) {
                if (strncmp(buf, "Seccomp:", 8) == 0) {
                        char *ptr = buf + 8;
                        int val;
-                        sscanf(ptr, "%d", &val);
+                        if (sscanf(ptr, "%d", &val) != 1) {
+                                fprintf(stderr, "Error: cannot read stat file for process %u\n", pid);
+                                exit(1);
+                        }
                        if (val == 2)
                                apply_seccomp = 1;
                        break;
@@ -162,7 +186,10 @@ static void extract_caps_seccomp(pid_t pid) {
                else if (strncmp(buf, "CapBnd:", 7) == 0) {
                        char *ptr = buf + 7;
                        unsigned long long val;
-                        sscanf(ptr, "%llx", &val);
+                        if (sscanf(ptr, "%llx", &val) != 1) {
+                                fprintf(stderr, "Error: cannot read stat file for process %u\n", pid);
+                                exit(1);
+                        }
                        apply_caps = 1;
                        caps = val;
                }
@@ -229,7 +256,7 @@ pid_t switch_to_child(pid_t pid) {
        char *comm = pid_proc_comm(pid);
        if (!comm) {
                if (errno == ENOENT) {
-                        fprintf(stderr, "Error: cannot find process with id %d\n", pid);
+                        fprintf(stderr, "Error: cannot find process with pid %d\n", pid);
                        exit(1);
                }
                else {
@@ -285,6 +312,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
        EUID_ROOT();
        // in user mode set caps seccomp, cpu, cgroup, etc
        if (getuid() != 0) {
+                extract_nonewprivs(pid);
                extract_caps_seccomp(pid);
                extract_cpu(pid);
                extract_cgroup(pid);
@@ -296,7 +324,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
        if (cfg.cgroup) // not available for uid 0
                set_cgroup(cfg.cgroup);
-        // get umask, it will be set by start_application()
+        // set umask, also uid 0
        extract_umask(pid);
        // join namespaces
@@ -383,6 +411,13 @@ void join(pid_t pid, int argc, char **argv, int index) {
                                caps_set(caps);
                }
+                // set nonewprivs
+                if (arg_nonewprivs == 1) {      // not available for uid 0
+                        prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+                        if (arg_debug)
+                                printf("NO_NEW_PRIVS set\n");
+                }
                EUID_USER();
                // set nice
                if (arg_nice) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 95732b95e..2113ef70f 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -109,7 +109,7 @@ static void set_caps(void) {
                caps_drop_dac_override();
 }
-void save_nogroups(void) {
+static void save_nogroups(void) {
        if (arg_nogroups == 0)
                return;
@@ -126,7 +126,23 @@ void save_nogroups(void) {
 }
-void save_umask(void) {
+static void save_nonewprivs(void) {
+        if (arg_nonewprivs == 0)
+                return;
+        FILE *fp = fopen(RUN_NONEWPRIVS_CFG, "wxe");
+        if (fp) {
+                fprintf(fp, "\n");
+                SET_PERMS_STREAM(fp, 0, 0, 0644); // assume mode 0644
+                fclose(fp);
+        }
+        else {
+                fprintf(stderr, "Error: cannot save nonewprivs state\n");
+                exit(1);
+        }
+}
+static void save_umask(void) {
        FILE *fp = fopen(RUN_UMASK_FILE, "wxe");
        if (fp) {
                fprintf(fp, "%o\n", orig_umask);
@@ -597,11 +613,6 @@ int sandbox(void* sandbox_arg) {
        fs_logger("install mount namespace");
        //****************************
-        // save the umask
-        //****************************
-        save_umask();
-        //****************************
        // netfilter
        //****************************
        if (arg_netfilter && any_bridge_configured()) { // assuming by default the client filter
@@ -750,10 +761,17 @@ int sandbox(void* sandbox_arg) {
                need_preload = arg_trace || arg_tracelog;
                arg_seccomp = 1;
        }
        // trace pre-install
        if (need_preload)
                fs_trace_preload();
+        // state of nonewprivs
+        save_nonewprivs();
+        // save original umask
+        save_umask();
        // store hosts file
        if (cfg.hosts_file)
                fs_store_hosts_file();
author	smitsohu <smitsohu@gmail.com>	2018-12-14 03:04:07 +0100
committer	smitsohu <smitsohu@gmail.com>	2018-12-14 03:04:07 +0100
commit	e56c09e19f34a0dd6d6d442cc0d2782409a0b53e (patch)
tree	36d286616a0b9efe3beaec1d3ea3a10e70efa863
parent	firecfg: improve error string (diff)
download	firejail-e56c09e19f34a0dd6d6d442cc0d2782409a0b53e.tar.gz firejail-e56c09e19f34a0dd6d6d442cc0d2782409a0b53e.tar.zst firejail-e56c09e19f34a0dd6d6d442cc0d2782409a0b53e.zip