author | netblue30 <netblue30@yahoo.com> | 2020-10-28 09:18:18 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2020-10-28 09:18:18 -0400 |
commit | 65911742d70fbe287fc9d0e6f2c9a92e2b6657de (patch) | |
tree | 3e896a6d85513059c3c6322865e3f0200b28613b | |
parent | profile fixes (diff) | |
added bluetooth to the list of protocols allowed by seccomp
-rw-r--r-- | etc/apparmor/firejail-default | 3 | ||||
-rw-r--r-- | etc/profile-m-z/tcpdump.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/tshark.profile | 44 | ||||
-rw-r--r-- | etc/profile-m-z/wireshark.profile | 4 | ||||
-rw-r--r-- | src/firejail/main.c | 2 | ||||
-rw-r--r-- | src/firejail/profile.c | 2 | ||||
-rw-r--r-- | src/fseccomp/protocol.c | 49 |
7 files changed, 12 insertions, 94 deletions
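--- a/etc/apparmor/firejail-default
+++ b/etc/apparmor/firejail-default
@@ -112,7 +112,8 @@ network inet6,
 network unix,
 network netlink,
 network raw,
-# needed for wireshark
+# needed for wireshark, tcpdump etc
+network bluetooth,
 network packet,
 
 ##########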
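Review bot: `network bluetooth,` is added to firejail-default, which, if its name is accurate, is the AppArmor profile loaded by every sandbox that enables `apparmor`, so the new rule relaxes all apparmor-confined sandboxes rather than only the capture tools named in the comment above it. The per-program `protocol` lines elsewhere in this commit then remain the only per-application restriction on the bluetooth address family. If that broad scope is intended, the comment should say so, e.g. `# needed for wireshark, tcpdump etc - note this applies to every apparmor sandbox`; otherwise the rule belongs in the capture tools' own profiles.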
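--- a/etc/profile-m-z/tcpdump.profile
+++ b/etc/profile-m-z/tcpdump.profile
@@ -33,7 +33,7 @@ nosound
 notv
 nou2f
 novideo
-protocol unix,inet,inet6,netlink,packet
+protocol unix,inet,inet6,netlink,packet,bluetooth
 seccomp
 
 disable-mnt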
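--- a/etc/profile-m-z/tshark.profile
+++ b/etc/profile-m-z/tshark.profile
@@ -1,46 +1,6 @@
 # Firejail profile for tshark
 # This file is overwritten after every install/update
 quiet
-# Persistent local customizations
-include tshark.local
-# Persistent global definitions
-include globals.local
 
-include disable-common.inc
-include disable-devel.inc
+# Redirect
+include wireshark.profile
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
-
-whitelist /usr/share/wireshark
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-apparmor
-#caps.keep net_raw
-caps.keep dac_override,net_admin,net_raw
-ipc-namespace
-#net tun0
-netfilter
-no3d
-nodvd
-# nogroups - breaks network traffic capture for unprivileged users
-# nonewprivs - breaks network traffic capture for unprivileged users
-# noroot
-nosound
-notv
-nou2f
-novideo
-#protocol unix,inet,inet6,netlink,packet
-#seccomp
-
-disable-mnt
-#private
-private-cache
-#private-bin tshark
-private-dev
-private-tmp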
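Review bot: The redirect removes `include tshark.local` and `include globals.local` (old lines 5 and 7), so persistent customizations a user keeps in tshark.local are no longer read unless wireshark.profile is known to pull them in; either keep `include tshark.local` ahead of `include wireshark.profile` or document in the new file that tshark now follows wireshark.local. The old profile also kept `seccomp` commented out and recorded that `nogroups`/`nonewprivs` break capture for unprivileged users, while the redirect target in this same commit enables `seccomp`, so it is worth confirming that unprivileged tshark capture still works under the inherited profile before the caveat is lost entirely.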
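--- a/etc/profile-m-z/wireshark.profile
+++ b/etc/profile-m-z/wireshark.profile
@@ -38,8 +38,8 @@ nosound
 notv
 nou2f
 novideo
-# protocol unix,inet,inet6,netlink
-# seccomp - breaks network traffic capture for unprivileged users
+# protocol unix,inet,inet6,netlink,packet,bluetooth - commented out in case they bring in new protocols
+seccomp
 shell none
 tracelog
 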
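Review bot: Line 42 enables `seccomp` and drops the note that it breaks network traffic capture for unprivileged users, but neither the hunk nor the commit message records why that no longer holds. If the earlier breakage came from the no-new-privs setting that accompanies a seccomp filter (the old tshark profile in this commit keeps the same caveat against `nonewprivs`), unprivileged capture through a capability-bearing helper may regress for wireshark and for tshark, which now redirects here. A comment above the line stating under which setup unprivileged capture was verified with seccomp on, e.g. `# seccomp - unprivileged capture verified with <distro/version placeholder>`, would make the change reviewable later.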
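--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1283,7 +1283,7 @@ int main(int argc, char **argv, char **envp) {
 else if (strncmp(argv[i], "--protocol=", 11) == 0) {
 if (checkcfg(CFG_SECCOMP)) {
 if (cfg.protocol) {
-fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol);
+fwarning("more than one protocol list is present, \"%s\" will be installed\n", cfg.protocol);
 }
 else {
 // store list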
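--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -895,7 +895,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 if (strncmp(ptr, "protocol ", 9) == 0) {
 if (checkcfg(CFG_SECCOMP)) {
 if (cfg.protocol) {
-fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol);
+fwarning("more than one protocol list is present, \"%s\" will be installed\n", cfg.protocol);
 return 0;
 }
 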
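--- a/src/fseccomp/protocol.c
+++ b/src/fseccomp/protocol.c
@@ -57,6 +57,7 @@ static char *protocol[] = {
 "inet6",
 "netlink",
 "packet",
+"bluetooth",
 NULL
 };
 
@@ -66,7 +67,8 @@ static struct sock_filter protocol_filter_command[] = {
 WHITELIST(AF_INET),
 WHITELIST(AF_INET6),
 WHITELIST(AF_NETLINK),
-WHITELIST(AF_PACKET)
+WHITELIST(AF_PACKET),
+WHITELIST(AF_BLUETOOTH)
 };
 #endif
 // Note: protocol[] and protocol_filter_command are synchronized
@@ -143,22 +145,6 @@ void protocol_build_filter(const char *prlist, const char *fname) {
 memcpy(ptr, &filter_start[0], sizeof(filter_start));
 ptr += sizeof(filter_start);
 
-#if 0
-printf("entries %u\n", (unsigned) (sizeof(filter_start) / sizeof(struct sock_filter)));
-{
-unsigned j;
-unsigned char *ptr2 = (unsigned char *) &filter[0];
-for (j = 0; j < sizeof(filter); j++, ptr2++) {
-if ((j % (sizeof(struct sock_filter))) == 0)
-printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter))));
-printf("%02x, ", (*ptr2) & 0xff);
-}
-printf("\n");
-}
-printf("whitelist_len %u, struct sock_filter len %u\n", whitelist_len, (unsigned) sizeof(struct sock_filter));
-#endif
-
-
 // parse list and add commands
 char *tmplist = strdup(prlist);
 if (!tmplist)
@@ -176,22 +162,6 @@ printf("whitelist_len %u, struct sock_filter len %u\n", whitelist_len, (unsigned
 memcpy(ptr, domain, whitelist_len * sizeof(struct sock_filter));
 ptr += whitelist_len * sizeof(struct sock_filter);
 token = strtok(NULL, ",");
-
-#if 0
-printf("entries %u\n", (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (unsigned) sizeof(struct sock_filter));
-{
-unsigned j;
-unsigned char *ptr2 = (unsigned char *) &filter[0];
-for (j = 0; j < sizeof(filter); j++, ptr2++) {
-if ((j % (sizeof(struct sock_filter))) == 0)
-printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter))));
-printf("%02x, ", (*ptr2) & 0xff);
-}
-printf("\n");
-}
-#endif
-
-
 }
 free(tmplist);
 
@@ -202,19 +172,6 @@ printf("entries %u\n", (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (uns
 memcpy(ptr, &filter_end[0], sizeof(filter_end));
 ptr += sizeof(filter_end);
 
-#if 0
-printf("entries %u\n", (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (unsigned) sizeof(struct sock_filter));
-{
-unsigned j;
-unsigned char *ptr2 = (unsigned char *) &filter[0];
-for (j = 0; j < sizeof(filter); j++, ptr2++) {
-if ((j % (sizeof(struct sock_filter))) == 0)
-printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter))));
-printf("%02x, ", (*ptr2) & 0xff);
-}
-printf("\n");
-}
-#endif
 // save filter to file
 int dst = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
 if (dst < 0) {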
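Review bot: The new `"bluetooth"` entry in `protocol[]` and `WHITELIST(AF_BLUETOOTH)` in `protocol_filter_command[]` are matched only by position, and the `// Note: protocol[] and protocol_filter_command are synchronized` line is the only thing keeping the two tables aligned, so a future entry added to one table would silently map a protocol name to the wrong address family in the generated seccomp filter. If `whitelist_len` is a constant expression, a `_Static_assert` comparing the count of non-NULL `protocol[]` entries with `sizeof protocol_filter_command / (whitelist_len * sizeof(struct sock_filter))`, placed inside the same `#if`/`#endif` guard right after the table, would turn that drift into a compile error; otherwise a one-time runtime check at the top of `protocol_build_filter` would do. The three later hunks only delete `#if 0` debug dumps, and the body of `protocol_build_filter` starts and ends outside the hunks shown.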