overlayfs fixes

author: netblue30 <netblue30@yahoo.com> 2016-08-23 07:01:46 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-08-23 07:01:46 -0400
commit: 0c7a3b7269e481065bff70ecdf342de37039b602 (patch)
tree: 704c282247461350acb7793dccf9fac5d7bd93bd
parent: x11 command in profile files (diff)
download: firejail-0c7a3b7269e481065bff70ecdf342de37039b602.tar.gz
firejail-0c7a3b7269e481065bff70ecdf342de37039b602.tar.zst
firejail-0c7a3b7269e481065bff70ecdf342de37039b602.zip
6 files changed, 71 insertions, 48 deletions
diff --git a/RELNOTES b/RELNOTES
index 6d029d320..ee3d60230 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -16,7 +16,6 @@ firejail (0.9.42~rc2) baseline; urgency=low
  * noexec support (--noexec)
  * --overlay-clean option
  * --overlay-named=name option
-  * --overlay-path=path option
  * compile time and run time support to disable overlayfs
  * Ubuntu snap support
  * include /dev/snd in --private-dev
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index ddb25c2dd..c5ef27615 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -817,9 +817,10 @@ void fs_basic_fs(void) {
 #ifdef HAVE_OVERLAYFS
 char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
-        // create ~/.firejail directory
        struct stat s;
        char *dirname;
+        // create ~/.firejail directory
        if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
                errExit("asprintf");
        if (stat(dirname, &s) == -1) {
@@ -835,12 +836,15 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
                fprintf(stderr, "Error: invalid ~/.firejail directory\n");
                exit(1);
        }
        free(dirname);
        // check overlay directory
        if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1)
                errExit("asprintf");
+        if (is_link(dirname)) {
+                fprintf(stderr, "Error: overlay directory is a symbolic link\n");
+                exit(1);
+        }
        if (allow_reuse == 0) {
                if (stat(dirname, &s) == 0) {
                        fprintf(stderr, "Error: overlay directory already exists: %s\n", dirname);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index bdb8e0df5..27e2a7f1a 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1365,6 +1365,13 @@ int main(int argc, char **argv) {
                                        fprintf(stderr, "Error: invalid overlay option\n");
                                        exit(1);
                                }
+                                
+                                // check name
+                                invalid_filename(subdirname);
+                                if (strstr(subdirname, "..") || strstr(subdirname, "/")) {
+                                        fprintf(stderr, "Error: invalid overlay name\n");
+                                        exit(1);
+                                }
                                cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
                        }
                        else {
@@ -1373,6 +1380,7 @@ int main(int argc, char **argv) {
                        }
                }
+#if 0 // disabled for now, it could be used to overwrite system directories     
                else if (strncmp(argv[i], "--overlay-path=", 15) == 0) {
                        if (checkcfg(CFG_OVERLAYFS)) {
                                if (cfg.chrootdir) {
@@ -1400,6 +1408,7 @@ int main(int argc, char **argv) {
                                exit(1);
                        }
                }
+#endif
                else if (strcmp(argv[i], "--overlay-tmpfs") == 0) {
                        if (checkcfg(CFG_OVERLAYFS)) {
                                if (cfg.chrootdir) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 0818bf450..0851e71cd 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -378,7 +378,30 @@ void start_application(void) {
        exit(1); // it should never get here!!!
 }
+static void enforce_filters(void) {
+        // force default seccomp inside the chroot, no keep or drop list
+        // the list build on top of the default drop list is kept intact
+        arg_seccomp = 1;
+        if (cfg.seccomp_list_drop) {
+                free(cfg.seccomp_list_drop);
+                cfg.seccomp_list_drop = NULL;
+        }
+        if (cfg.seccomp_list_keep) {
+                free(cfg.seccomp_list_keep);
+                cfg.seccomp_list_keep = NULL;
+        }
+        
+        // disable all capabilities
+        if (arg_caps_default_filter || arg_caps_list)
+                fprintf(stderr, "Warning: all capabilities disabled for a regular user in chroot\n");
+        arg_caps_drop_all = 1;
+        
+        // drop all supplementary groups; /etc/group file inside chroot
+        // is controlled by a regular usr
+        arg_nogroups = 1;
+        if (!arg_quiet)
+                printf("Dropping all Linux capabilities and enforcing default seccomp filter\n");
+}
 int sandbox(void* sandbox_arg) {
        // Get rid of unused parameter warning
@@ -463,37 +486,13 @@ int sandbox(void* sandbox_arg) {
 #ifdef HAVE_CHROOT              
        if (cfg.chrootdir) {
                fs_chroot(cfg.chrootdir);
-//              // redo cp command
-//              fs_build_cp_command();
                
                // force caps and seccomp if not started as root
                if (getuid() != 0) {
-                        // force default seccomp inside the chroot, no keep or drop list
+                        enforce_filters();
-                        // the list build on top of the default drop list is kept intact
-                        arg_seccomp = 1;
 #ifdef HAVE_SECCOMP
                        enforce_seccomp = 1;
 #endif
-                        if (cfg.seccomp_list_drop) {
-                                free(cfg.seccomp_list_drop);
-                                cfg.seccomp_list_drop = NULL;
-                        }
-                        if (cfg.seccomp_list_keep) {
-                                free(cfg.seccomp_list_keep);
-                                cfg.seccomp_list_keep = NULL;
-                        }
-                        
-                        // disable all capabilities
-                        if (arg_caps_default_filter || arg_caps_list)
-                                fprintf(stderr, "Warning: all capabilities disabled for a regular user in chroot\n");
-                        arg_caps_drop_all = 1;
-                        
-                        // drop all supplementary groups; /etc/group file inside chroot
-                        // is controlled by a regular usr
-                        arg_nogroups = 1;
-                        if (!arg_quiet)
-                                printf("Dropping all Linux capabilities and enforcing default seccomp filter\n");
                }
                else
                        arg_seccomp = 1;
@@ -507,8 +506,18 @@ int sandbox(void* sandbox_arg) {
        else 
 #endif          
 #ifdef HAVE_OVERLAYFS
-        if (arg_overlay)        
+        if (arg_overlay)        {
                fs_overlayfs();
+                // force caps and seccomp if not started as root
+                if (getuid() != 0) {
+                        enforce_filters();
+#ifdef HAVE_SECCOMP
+                        enforce_seccomp = 1;
+#endif
+                }
+                else
+                        arg_seccomp = 1;
+        }
        else
 #endif
                fs_basic_fs();
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index ebe1c8830..d4eab7802 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -185,10 +185,30 @@ void usage(void) {
        printf("\t$HOME/.firejail/<NAME> directory. (OverlayFS support is required in\n");
        printf("\tLinux kernel for this option to work). \n\n");
+#if 0 // disabled for now, it could be used to overwrite system directories     
        printf("    --overlay-path=path - mount a filesystem overlay on top of the current\n");
        printf("\tfilesystem. The upper filesystem layer is persistent, and stored in\n");
        printf("\tthe specified path. (OverlayFS support is required in Linux kernel for\n");
        printf("\tthis option to work). \n\n");
+        
+.TP
+\fB\-\-overlay-path=path
+Mount a filesystem overlay on top of the current filesystem.  Unlike the regular filesystem container,
+the system directories are mounted read-write. All filesystem modifications go into the overlay.
+The overlay is stored in the specified path. The created overlay can be reused between multiple sessions.
+.br
+.br
+OverlayFS support is required in Linux kernel for this option to work.
+OverlayFS was officially introduced in Linux kernel version 3.18.
+This option is not available on Grsecurity systems.
+.br
+.br
+Example:
+.br
+$ firejail \-\-overlay-path=~/jails/jail1 firefox
+#endif
        printf("    --overlay-tmpfs - mount a filesystem overlay on top of the current\n");
        printf("\tfilesystem. The upper layer is stored in a tmpfs filesystem,\n");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index b258c3d20..19fca9854 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1037,24 +1037,6 @@ Example:
 $ firejail \-\-overlay-named=jail1 firefox
 .TP
-\fB\-\-overlay-path=path
-Mount a filesystem overlay on top of the current filesystem.  Unlike the regular filesystem container,
-the system directories are mounted read-write. All filesystem modifications go into the overlay.
-The overlay is stored in the specified path. The created overlay can be reused between multiple sessions.
-.br
-.br
-OverlayFS support is required in Linux kernel for this option to work.
-OverlayFS was officially introduced in Linux kernel version 3.18.
-This option is not available on Grsecurity systems.
-.br
-.br
-Example:
-.br
-$ firejail \-\-overlay-path=~/jails/jail1 firefox
-.TP
 \fB\-\-overlay-tmpfs
 Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay,
 and are discarded when the sandbox is closed.
author	netblue30 <netblue30@yahoo.com>	2016-08-23 07:01:46 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-08-23 07:01:46 -0400
commit	0c7a3b7269e481065bff70ecdf342de37039b602 (patch)
tree	704c282247461350acb7793dccf9fac5d7bd93bd
parent	x11 command in profile files (diff)
download	firejail-0c7a3b7269e481065bff70ecdf342de37039b602.tar.gz firejail-0c7a3b7269e481065bff70ecdf342de37039b602.tar.zst firejail-0c7a3b7269e481065bff70ecdf342de37039b602.zip

diff --git a/RELNOTES b/RELNOTES index 6d029d320..ee3d60230 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -16,7 +16,6 @@ firejail (0.9.42~rc2) baseline; urgency=low
16	* noexec support (--noexec)	16	* noexec support (--noexec)
17	* --overlay-clean option	17	* --overlay-clean option
18	* --overlay-named=name option	18	* --overlay-named=name option
19	* --overlay-path=path option
20	* compile time and run time support to disable overlayfs	19	* compile time and run time support to disable overlayfs
21	* Ubuntu snap support	20	* Ubuntu snap support
22	* include /dev/snd in --private-dev	21	* include /dev/snd in --private-dev


diff --git a/src/firejail/fs.c b/src/firejail/fs.c index ddb25c2dd..c5ef27615 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -817,9 +817,10 @@ void fs_basic_fs(void) {
817		817
818	#ifdef HAVE_OVERLAYFS	818	#ifdef HAVE_OVERLAYFS
819	char fs_check_overlay_dir(const char subdirname, int allow_reuse) {	819	char fs_check_overlay_dir(const char subdirname, int allow_reuse) {
820	// create ~/.firejail directory
821	struct stat s;	820	struct stat s;
822	char *dirname;	821	char *dirname;
		822
		823	// create ~/.firejail directory
823	if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)	824	if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
824	errExit("asprintf");	825	errExit("asprintf");
825	if (stat(dirname, &s) == -1) {	826	if (stat(dirname, &s) == -1) {
@@ -835,12 +836,15 @@ char fs_check_overlay_dir(const char subdirname, int allow_reuse) {
835	fprintf(stderr, "Error: invalid ~/.firejail directory\n");	836	fprintf(stderr, "Error: invalid ~/.firejail directory\n");
836	exit(1);	837	exit(1);
837	}	838	}
838
839	free(dirname);	839	free(dirname);
840		840
841	// check overlay directory	841	// check overlay directory
842	if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1)	842	if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1)
843	errExit("asprintf");	843	errExit("asprintf");
		844	if (is_link(dirname)) {
		845	fprintf(stderr, "Error: overlay directory is a symbolic link\n");
		846	exit(1);
		847	}
844	if (allow_reuse == 0) {	848	if (allow_reuse == 0) {
845	if (stat(dirname, &s) == 0) {	849	if (stat(dirname, &s) == 0) {
846	fprintf(stderr, "Error: overlay directory already exists: %s\n", dirname);	850	fprintf(stderr, "Error: overlay directory already exists: %s\n", dirname);


diff --git a/src/firejail/main.c b/src/firejail/main.c index bdb8e0df5..27e2a7f1a 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -1365,6 +1365,13 @@ int main(int argc, char **argv) {
1365	fprintf(stderr, "Error: invalid overlay option\n");	1365	fprintf(stderr, "Error: invalid overlay option\n");
1366	exit(1);	1366	exit(1);
1367	}	1367	}
		1368
		1369	// check name
		1370	invalid_filename(subdirname);
		1371	if (strstr(subdirname, "..") \|\| strstr(subdirname, "/")) {
		1372	fprintf(stderr, "Error: invalid overlay name\n");
		1373	exit(1);
		1374	}
1368	cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);	1375	cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
1369	}	1376	}
1370	else {	1377	else {
@@ -1373,6 +1380,7 @@ int main(int argc, char **argv) {
1373	}	1380	}
1374		1381
1375	}	1382	}
		1383	#if 0 // disabled for now, it could be used to overwrite system directories
1376	else if (strncmp(argv[i], "--overlay-path=", 15) == 0) {	1384	else if (strncmp(argv[i], "--overlay-path=", 15) == 0) {
1377	if (checkcfg(CFG_OVERLAYFS)) {	1385	if (checkcfg(CFG_OVERLAYFS)) {
1378	if (cfg.chrootdir) {	1386	if (cfg.chrootdir) {
@@ -1400,6 +1408,7 @@ int main(int argc, char **argv) {
1400	exit(1);	1408	exit(1);
1401	}	1409	}
1402	}	1410	}
		1411	#endif
1403	else if (strcmp(argv[i], "--overlay-tmpfs") == 0) {	1412	else if (strcmp(argv[i], "--overlay-tmpfs") == 0) {
1404	if (checkcfg(CFG_OVERLAYFS)) {	1413	if (checkcfg(CFG_OVERLAYFS)) {
1405	if (cfg.chrootdir) {	1414	if (cfg.chrootdir) {


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 0818bf450..0851e71cd 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -378,7 +378,30 @@ void start_application(void) {
378	exit(1); // it should never get here!!!	378	exit(1); // it should never get here!!!
379	}	379	}
380		380
381		381	static void enforce_filters(void) {
		382	// force default seccomp inside the chroot, no keep or drop list
		383	// the list build on top of the default drop list is kept intact
		384	arg_seccomp = 1;
		385	if (cfg.seccomp_list_drop) {
		386	free(cfg.seccomp_list_drop);
		387	cfg.seccomp_list_drop = NULL;
		388	}
		389	if (cfg.seccomp_list_keep) {
		390	free(cfg.seccomp_list_keep);
		391	cfg.seccomp_list_keep = NULL;
		392	}
		393
		394	// disable all capabilities
		395	if (arg_caps_default_filter \|\| arg_caps_list)
		396	fprintf(stderr, "Warning: all capabilities disabled for a regular user in chroot\n");
		397	arg_caps_drop_all = 1;
		398
		399	// drop all supplementary groups; /etc/group file inside chroot
		400	// is controlled by a regular usr
		401	arg_nogroups = 1;
		402	if (!arg_quiet)
		403	printf("Dropping all Linux capabilities and enforcing default seccomp filter\n");
		404	}
382		405
383	int sandbox(void* sandbox_arg) {	406	int sandbox(void* sandbox_arg) {
384	// Get rid of unused parameter warning	407	// Get rid of unused parameter warning
@@ -463,37 +486,13 @@ int sandbox(void* sandbox_arg) {
463	#ifdef HAVE_CHROOT	486	#ifdef HAVE_CHROOT
464	if (cfg.chrootdir) {	487	if (cfg.chrootdir) {
465	fs_chroot(cfg.chrootdir);	488	fs_chroot(cfg.chrootdir);
466
467	// // redo cp command
468	// fs_build_cp_command();
469		489
470	// force caps and seccomp if not started as root	490	// force caps and seccomp if not started as root
471	if (getuid() != 0) {	491	if (getuid() != 0) {
472	// force default seccomp inside the chroot, no keep or drop list	492	enforce_filters();
473	// the list build on top of the default drop list is kept intact
474	arg_seccomp = 1;
475	#ifdef HAVE_SECCOMP	493	#ifdef HAVE_SECCOMP
476	enforce_seccomp = 1;	494	enforce_seccomp = 1;
477	#endif	495	#endif
478	if (cfg.seccomp_list_drop) {
479	free(cfg.seccomp_list_drop);
480	cfg.seccomp_list_drop = NULL;
481	}
482	if (cfg.seccomp_list_keep) {
483	free(cfg.seccomp_list_keep);
484	cfg.seccomp_list_keep = NULL;
485	}
486
487	// disable all capabilities
488	if (arg_caps_default_filter \|\| arg_caps_list)
489	fprintf(stderr, "Warning: all capabilities disabled for a regular user in chroot\n");
490	arg_caps_drop_all = 1;
491
492	// drop all supplementary groups; /etc/group file inside chroot
493	// is controlled by a regular usr
494	arg_nogroups = 1;
495	if (!arg_quiet)
496	printf("Dropping all Linux capabilities and enforcing default seccomp filter\n");
497	}	496	}
498	else	497	else
499	arg_seccomp = 1;	498	arg_seccomp = 1;
@@ -507,8 +506,18 @@ int sandbox(void* sandbox_arg) {
507	else	506	else
508	#endif	507	#endif
509	#ifdef HAVE_OVERLAYFS	508	#ifdef HAVE_OVERLAYFS
510	if (arg_overlay)	509	if (arg_overlay) {
511	fs_overlayfs();	510	fs_overlayfs();
		511	// force caps and seccomp if not started as root
		512	if (getuid() != 0) {
		513	enforce_filters();
		514	#ifdef HAVE_SECCOMP
		515	enforce_seccomp = 1;
		516	#endif
		517	}
		518	else
		519	arg_seccomp = 1;
		520	}
512	else	521	else
513	#endif	522	#endif
514	fs_basic_fs();	523	fs_basic_fs();


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index ebe1c8830..d4eab7802 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -185,10 +185,30 @@ void usage(void) {
185	printf("\t$HOME/.firejail/<NAME> directory. (OverlayFS support is required in\n");	185	printf("\t$HOME/.firejail/<NAME> directory. (OverlayFS support is required in\n");
186	printf("\tLinux kernel for this option to work). \n\n");	186	printf("\tLinux kernel for this option to work). \n\n");
187		187
		188	#if 0 // disabled for now, it could be used to overwrite system directories
188	printf(" --overlay-path=path - mount a filesystem overlay on top of the current\n");	189	printf(" --overlay-path=path - mount a filesystem overlay on top of the current\n");
189	printf("\tfilesystem. The upper filesystem layer is persistent, and stored in\n");	190	printf("\tfilesystem. The upper filesystem layer is persistent, and stored in\n");
190	printf("\tthe specified path. (OverlayFS support is required in Linux kernel for\n");	191	printf("\tthe specified path. (OverlayFS support is required in Linux kernel for\n");
191	printf("\tthis option to work). \n\n");	192	printf("\tthis option to work). \n\n");
		193
		194	.TP
		195	\fB\-\-overlay-path=path
		196	Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container,
		197	the system directories are mounted read-write. All filesystem modifications go into the overlay.
		198	The overlay is stored in the specified path. The created overlay can be reused between multiple sessions.
		199	.br
		200
		201	.br
		202	OverlayFS support is required in Linux kernel for this option to work.
		203	OverlayFS was officially introduced in Linux kernel version 3.18.
		204	This option is not available on Grsecurity systems.
		205	.br
		206
		207	.br
		208	Example:
		209	.br
		210	$ firejail \-\-overlay-path=~/jails/jail1 firefox
		211	#endif
192		212
193	printf(" --overlay-tmpfs - mount a filesystem overlay on top of the current\n");	213	printf(" --overlay-tmpfs - mount a filesystem overlay on top of the current\n");
194	printf("\tfilesystem. The upper layer is stored in a tmpfs filesystem,\n");	214	printf("\tfilesystem. The upper layer is stored in a tmpfs filesystem,\n");


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index b258c3d20..19fca9854 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1037,24 +1037,6 @@ Example:
1037	$ firejail \-\-overlay-named=jail1 firefox	1037	$ firejail \-\-overlay-named=jail1 firefox
1038		1038
1039	.TP	1039	.TP
1040	\fB\-\-overlay-path=path
1041	Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container,
1042	the system directories are mounted read-write. All filesystem modifications go into the overlay.
1043	The overlay is stored in the specified path. The created overlay can be reused between multiple sessions.
1044	.br
1045
1046	.br
1047	OverlayFS support is required in Linux kernel for this option to work.
1048	OverlayFS was officially introduced in Linux kernel version 3.18.
1049	This option is not available on Grsecurity systems.
1050	.br
1051
1052	.br
1053	Example:
1054	.br
1055	$ firejail \-\-overlay-path=~/jails/jail1 firefox
1056
1057	.TP
1058	\fB\-\-overlay-tmpfs	1040	\fB\-\-overlay-tmpfs
1059	Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay,	1041	Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay,
1060	and are discarded when the sandbox is closed.	1042	and are discarded when the sandbox is closed.