disable firejail configuration by default

author: netblue30 <netblue30@yahoo.com> 2015-11-22 13:37:36 -0500
committer: netblue30 <netblue30@yahoo.com> 2015-11-22 13:37:36 -0500
commit: 0f1a12da2881727a2e1c214e0d48aa10b546f5fc (patch)
tree: 418bb92e04af2099f7164be370715ce16587d0da
parent: feature test (diff)
download: firejail-0f1a12da2881727a2e1c214e0d48aa10b546f5fc.tar.gz
firejail-0f1a12da2881727a2e1c214e0d48aa10b546f5fc.tar.zst
firejail-0f1a12da2881727a2e1c214e0d48aa10b546f5fc.zip
10 files changed, 63 insertions, 27 deletions
diff --git a/RELNOTES b/RELNOTES
index d8dec685e..a093df2e5 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -6,6 +6,8 @@ firejail (0.9.35) baseline; urgency=low
          /etc/passwd and /etc/group
  * added /etc/firejail/nolocal.net network filter
  * added /etc/firejail/webserver.net network filter
+  * manipulation of firejail configuration disabled by default
+  * added automated feature testing framework
  * bugfixes
 -- netblue30 <netblue30@yahoo.com>  ongoing development
diff --git a/etc/disable-mgmt.inc b/etc/disable-mgmt.inc
index ab9fe3cb1..4a8994a03 100644
--- a/etc/disable-mgmt.inc
+++ b/etc/disable-mgmt.inc
@@ -14,6 +14,3 @@ blacklist ${PATH}/xev
 blacklist ${PATH}/strace
 blacklist ${PATH}/nc
-# Prevent manipulation of firejail configuration
-blacklist /etc/firejail
-blacklist ${HOME}/.config/firejail
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index c6dfdec30..a0a7d9342 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -552,6 +552,19 @@ void fs_proc_sys_dev_boot(void) {
        }
 }
+// disable firejail configuration in /etc/firejail and in ~/.config/firejail
+static void disable_firejail_config(void) {
+        struct stat s;
+        if (stat("/etc/firejail", &s) == 0)
+                disable_file(BLACKLIST_FILE, "/etc/firejail");
+        
+        char *fname;
+        if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1)
+                errExit("asprintf");
+        disable_file(BLACKLIST_FILE, fname);
+        free(fname);
+}
 // build a basic read-only filesystem
 void fs_basic_fs(void) {
@@ -577,6 +590,8 @@ void fs_basic_fs(void) {
        // don't leak user information
        restrict_users();
+        
+        disable_firejail_config();
 }
@@ -723,6 +738,8 @@ void fs_overlayfs(void) {
        // don't leak user information
        restrict_users();
+        disable_firejail_config();
        // cleanup and exit
        free(option);
        free(oroot);
@@ -846,6 +863,8 @@ void fs_chroot(const char *rootdir) {
        // don't leak user information
        restrict_users();
+        disable_firejail_config();
 }
 #endif
diff --git a/test/configure b/test/configure
index 21844bb7e..b46b97985 100755
--- a/test/configure
+++ b/test/configure
@@ -26,6 +26,8 @@ DEFAULT_FILES+=" /bin/cp /bin/ls /bin/cat /bin/ps /bin/grep /usr/bin/id /usr/bin
 rm -fr $ROOTDIR
 mkdir -p $ROOTDIR/{root,bin,lib,lib64,usr,home,etc,dev/shm,tmp,var/run,var/tmp,var/lock,var/log,proc}
+mkdir -p $ROOTDIR/etc/firejail
+mkdir -p $ROOTDIR/home/netblue/.config/firejail
 touch $ROOTDIR/var/log/syslog
 touch $ROOTDIR/var/tmp/somefile
 SORTED=`for FILE in $* $DEFAULT_FILES; do echo " $FILE "; ldd $FILE | grep -v dynamic | cut -d " " -f 3; done | sort -u`
diff --git a/test/features/1.1.exp b/test/features/1.1.exp
index 41443a080..5ba123107 100755
--- a/test/features/1.1.exp
+++ b/test/features/1.1.exp
@@ -51,14 +51,14 @@ sleep 1
 #
 send -- "firejail --noprofile --chroot=/tmp/chroot\r"
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
        "Child process initialized"
 }
 sleep 1
 send -- "ls -l /boot | wc -l\r"
 expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
+        timeout {puts "TESTING ERROR 5\n";exit}
        "1"
 }
 after 100
diff --git a/test/features/1.5.exp b/test/features/1.5.exp
index d722c5811..84c00937f 100755
--- a/test/features/1.5.exp
+++ b/test/features/1.5.exp
@@ -51,14 +51,14 @@ sleep 1
 #
 send -- "firejail --noprofile --chroot=/tmp/chroot\r"
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
        "Child process initialized"
 }
 sleep 1
 send -- "ps aux | wc -l \r"
 expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
+        timeout {puts "TESTING ERROR 5\n";exit}
        "5"
 }
 after 100
diff --git a/test/features/1.6.exp b/test/features/1.6.exp
index a9c8f2a19..0a4b788b8 100755
--- a/test/features/1.6.exp
+++ b/test/features/1.6.exp
@@ -51,14 +51,14 @@ sleep 1
 #
 send -- "firejail --noprofile --chroot=/tmp/chroot\r"
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
        "Child process initialized"
 }
 sleep 1
 send -- "ls -l /var/log/syslog | wc -l\r"
 expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
+        timeout {puts "TESTING ERROR 5\n";exit}
        "0"
 }
 after 100
diff --git a/test/features/1.7.exp b/test/features/1.7.exp
index 0de3e224d..c95184fd1 100755
--- a/test/features/1.7.exp
+++ b/test/features/1.7.exp
@@ -53,14 +53,14 @@ sleep 1
 #
 send -- "firejail --noprofile --chroot=/tmp/chroot\r"
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
        "Child process initialized"
 }
 sleep 1
 send -- "ls -l /var/tmp/somefile | wc -l\r"
 expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
+        timeout {puts "TESTING ERROR 5\n";exit}
        "0"
 }
 after 100
diff --git a/test/features/1.8.exp b/test/features/1.8.exp
index 514dd3b81..aefe9d8c5 100755
--- a/test/features/1.8.exp
+++ b/test/features/1.8.exp
@@ -10,7 +10,6 @@ match_max 100000
 #
 # N
 #
-send -- "touch /var/tmp/somefile\r"
 sleep 1
 send -- "firejail --noprofile\r"
 expect {
@@ -19,10 +18,16 @@ expect {
 }
 sleep 1
-send -- "ls -l /var/tmp/somefile | wc -l\r"
+send -- "ls /etc/firejail\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "0"
+        "Permission denied"
+}
+after 100
+send -- "ls ~/.config/firejail\r"
+expect {
+        timeout {puts "TESTING ERROR 1.1\n";exit}
+        "Permission denied"
 }
 after 100
 send -- "exit\r"
@@ -38,13 +43,19 @@ expect {
        "Child process initialized"
 }
 sleep 1
+send -- "ls /etc/firejail\r"
-send -- "ls -l /var/tmp/somefile | wc -l\r"
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
-        "0"
+        "Permission denied"
 }
 after 100
+send -- "ls ~/.config/firejail\r"
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "Permission denied"
+}
+after 100
 send -- "exit\r"
 sleep 1
@@ -53,15 +64,20 @@ sleep 1
 #
 send -- "firejail --noprofile --chroot=/tmp/chroot\r"
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
        "Child process initialized"
 }
 sleep 1
+send -- "ls /etc/firejail\r"
-send -- "ls -l /var/tmp/somefile | wc -l\r"
 expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
+        timeout {puts "TESTING ERROR 5\n";exit}
-        "0"
+        "Permission denied"
+}
+after 100
+send -- "ls ~/.config/firejail\r"
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "Permission denied"
 }
 after 100
 send -- "exit\r"
diff --git a/test/features/test.sh b/test/features/test.sh
index b4ef6503a..1fb7557c8 100755
--- a/test/features/test.sh
+++ b/test/features/test.sh
@@ -4,13 +4,13 @@
 # Feature testing
 #
-echo "TESTING: 1.1. new /boot"
+echo "TESTING: 1.1 new /boot"
 ./1.1.exp
-echo "TESTING: 1.2. new /proc"
+echo "TESTING: 1.2 new /proc"
 ./1.2.exp
-echo "TESTING: 1.5. PID namespace"
+echo "TESTING: 1.5 PID namespace"
 ./1.5.exp
 echo "TESTING: 1.6 new /var/log"
@@ -19,6 +19,6 @@ echo "TESTING: 1.6 new /var/log"
 echo "TESTING: 1.7 new /var/tmp"
 ./1.7.exp
-#echo "TESTING: "
+echo "TESTING: 1.8 disable /etc/firejail and ~/.config/firejail"
-#./1..exp
+./1.8.exp
author	netblue30 <netblue30@yahoo.com>	2015-11-22 13:37:36 -0500
committer	netblue30 <netblue30@yahoo.com>	2015-11-22 13:37:36 -0500
commit	0f1a12da2881727a2e1c214e0d48aa10b546f5fc (patch)
tree	418bb92e04af2099f7164be370715ce16587d0da
parent	feature test (diff)
download	firejail-0f1a12da2881727a2e1c214e0d48aa10b546f5fc.tar.gz firejail-0f1a12da2881727a2e1c214e0d48aa10b546f5fc.tar.zst firejail-0f1a12da2881727a2e1c214e0d48aa10b546f5fc.zip

diff --git a/RELNOTES b/RELNOTES index d8dec685e..a093df2e5 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -6,6 +6,8 @@ firejail (0.9.35) baseline; urgency=low
6	/etc/passwd and /etc/group	6	/etc/passwd and /etc/group
7	* added /etc/firejail/nolocal.net network filter	7	* added /etc/firejail/nolocal.net network filter
8	* added /etc/firejail/webserver.net network filter	8	* added /etc/firejail/webserver.net network filter
		9	* manipulation of firejail configuration disabled by default
		10	* added automated feature testing framework
9	* bugfixes	11	* bugfixes
10	-- netblue30 <netblue30@yahoo.com> ongoing development	12	-- netblue30 <netblue30@yahoo.com> ongoing development
11		13


diff --git a/etc/disable-mgmt.inc b/etc/disable-mgmt.inc index ab9fe3cb1..4a8994a03 100644 --- a/etc/disable-mgmt.inc +++ b/etc/disable-mgmt.inc
@@ -14,6 +14,3 @@ blacklist ${PATH}/xev
14	blacklist ${PATH}/strace	14	blacklist ${PATH}/strace
15	blacklist ${PATH}/nc	15	blacklist ${PATH}/nc
16		16
17	# Prevent manipulation of firejail configuration
18	blacklist /etc/firejail
19	blacklist ${HOME}/.config/firejail


diff --git a/src/firejail/fs.c b/src/firejail/fs.c index c6dfdec30..a0a7d9342 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -552,6 +552,19 @@ void fs_proc_sys_dev_boot(void) {
552	}	552	}
553	}	553	}
554		554
		555	// disable firejail configuration in /etc/firejail and in ~/.config/firejail
		556	static void disable_firejail_config(void) {
		557	struct stat s;
		558	if (stat("/etc/firejail", &s) == 0)
		559	disable_file(BLACKLIST_FILE, "/etc/firejail");
		560
		561	char *fname;
		562	if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1)
		563	errExit("asprintf");
		564	disable_file(BLACKLIST_FILE, fname);
		565	free(fname);
		566	}
		567
555		568
556	// build a basic read-only filesystem	569	// build a basic read-only filesystem
557	void fs_basic_fs(void) {	570	void fs_basic_fs(void) {
@@ -577,6 +590,8 @@ void fs_basic_fs(void) {
577		590
578	// don't leak user information	591	// don't leak user information
579	restrict_users();	592	restrict_users();
		593
		594	disable_firejail_config();
580	}	595	}
581		596
582		597
@@ -723,6 +738,8 @@ void fs_overlayfs(void) {
723	// don't leak user information	738	// don't leak user information
724	restrict_users();	739	restrict_users();
725		740
		741	disable_firejail_config();
		742
726	// cleanup and exit	743	// cleanup and exit
727	free(option);	744	free(option);
728	free(oroot);	745	free(oroot);
@@ -846,6 +863,8 @@ void fs_chroot(const char *rootdir) {
846		863
847	// don't leak user information	864	// don't leak user information
848	restrict_users();	865	restrict_users();
		866
		867	disable_firejail_config();
849	}	868	}
850	#endif	869	#endif
851		870


diff --git a/test/configure b/test/configure index 21844bb7e..b46b97985 100755 --- a/test/configure +++ b/test/configure
@@ -26,6 +26,8 @@ DEFAULT_FILES+=" /bin/cp /bin/ls /bin/cat /bin/ps /bin/grep /usr/bin/id /usr/bin
26		26
27	rm -fr $ROOTDIR	27	rm -fr $ROOTDIR
28	mkdir -p $ROOTDIR/{root,bin,lib,lib64,usr,home,etc,dev/shm,tmp,var/run,var/tmp,var/lock,var/log,proc}	28	mkdir -p $ROOTDIR/{root,bin,lib,lib64,usr,home,etc,dev/shm,tmp,var/run,var/tmp,var/lock,var/log,proc}
		29	mkdir -p $ROOTDIR/etc/firejail
		30	mkdir -p $ROOTDIR/home/netblue/.config/firejail
29	touch $ROOTDIR/var/log/syslog	31	touch $ROOTDIR/var/log/syslog
30	touch $ROOTDIR/var/tmp/somefile	32	touch $ROOTDIR/var/tmp/somefile
31	SORTED=`for FILE in $* $DEFAULT_FILES; do echo " $FILE "; ldd $FILE \| grep -v dynamic \| cut -d " " -f 3; done \| sort -u`	33	SORTED=`for FILE in $* $DEFAULT_FILES; do echo " $FILE "; ldd $FILE \| grep -v dynamic \| cut -d " " -f 3; done \| sort -u`


diff --git a/test/features/1.1.exp b/test/features/1.1.exp index 41443a080..5ba123107 100755 --- a/test/features/1.1.exp +++ b/test/features/1.1.exp
@@ -51,14 +51,14 @@ sleep 1
51	#	51	#
52	send -- "firejail --noprofile --chroot=/tmp/chroot\r"	52	send -- "firejail --noprofile --chroot=/tmp/chroot\r"
53	expect {	53	expect {
54	timeout {puts "TESTING ERROR 3\n";exit}	54	timeout {puts "TESTING ERROR 4\n";exit}
55	"Child process initialized"	55	"Child process initialized"
56	}	56	}
57	sleep 1	57	sleep 1
58		58
59	send -- "ls -l /boot \| wc -l\r"	59	send -- "ls -l /boot \| wc -l\r"
60	expect {	60	expect {
61	timeout {puts "TESTING ERROR 4\n";exit}	61	timeout {puts "TESTING ERROR 5\n";exit}
62	"1"	62	"1"
63	}	63	}
64	after 100	64	after 100


diff --git a/test/features/1.5.exp b/test/features/1.5.exp index d722c5811..84c00937f 100755 --- a/test/features/1.5.exp +++ b/test/features/1.5.exp
@@ -51,14 +51,14 @@ sleep 1
51	#	51	#
52	send -- "firejail --noprofile --chroot=/tmp/chroot\r"	52	send -- "firejail --noprofile --chroot=/tmp/chroot\r"
53	expect {	53	expect {
54	timeout {puts "TESTING ERROR 3\n";exit}	54	timeout {puts "TESTING ERROR 4\n";exit}
55	"Child process initialized"	55	"Child process initialized"
56	}	56	}
57	sleep 1	57	sleep 1
58		58
59	send -- "ps aux \| wc -l \r"	59	send -- "ps aux \| wc -l \r"
60	expect {	60	expect {
61	timeout {puts "TESTING ERROR 4\n";exit}	61	timeout {puts "TESTING ERROR 5\n";exit}
62	"5"	62	"5"
63	}	63	}
64	after 100	64	after 100


diff --git a/test/features/1.6.exp b/test/features/1.6.exp index a9c8f2a19..0a4b788b8 100755 --- a/test/features/1.6.exp +++ b/test/features/1.6.exp
@@ -51,14 +51,14 @@ sleep 1
51	#	51	#
52	send -- "firejail --noprofile --chroot=/tmp/chroot\r"	52	send -- "firejail --noprofile --chroot=/tmp/chroot\r"
53	expect {	53	expect {
54	timeout {puts "TESTING ERROR 3\n";exit}	54	timeout {puts "TESTING ERROR 4\n";exit}
55	"Child process initialized"	55	"Child process initialized"
56	}	56	}
57	sleep 1	57	sleep 1
58		58
59	send -- "ls -l /var/log/syslog \| wc -l\r"	59	send -- "ls -l /var/log/syslog \| wc -l\r"
60	expect {	60	expect {
61	timeout {puts "TESTING ERROR 4\n";exit}	61	timeout {puts "TESTING ERROR 5\n";exit}
62	"0"	62	"0"
63	}	63	}
64	after 100	64	after 100


diff --git a/test/features/1.7.exp b/test/features/1.7.exp index 0de3e224d..c95184fd1 100755 --- a/test/features/1.7.exp +++ b/test/features/1.7.exp
@@ -53,14 +53,14 @@ sleep 1
53	#	53	#
54	send -- "firejail --noprofile --chroot=/tmp/chroot\r"	54	send -- "firejail --noprofile --chroot=/tmp/chroot\r"
55	expect {	55	expect {
56	timeout {puts "TESTING ERROR 3\n";exit}	56	timeout {puts "TESTING ERROR 4\n";exit}
57	"Child process initialized"	57	"Child process initialized"
58	}	58	}
59	sleep 1	59	sleep 1
60		60
61	send -- "ls -l /var/tmp/somefile \| wc -l\r"	61	send -- "ls -l /var/tmp/somefile \| wc -l\r"
62	expect {	62	expect {
63	timeout {puts "TESTING ERROR 4\n";exit}	63	timeout {puts "TESTING ERROR 5\n";exit}
64	"0"	64	"0"
65	}	65	}
66	after 100	66	after 100


diff --git a/test/features/1.8.exp b/test/features/1.8.exp index 514dd3b81..aefe9d8c5 100755 --- a/test/features/1.8.exp +++ b/test/features/1.8.exp
@@ -10,7 +10,6 @@ match_max 100000
10	#	10	#
11	# N	11	# N
12	#	12	#
13	send -- "touch /var/tmp/somefile\r"
14	sleep 1	13	sleep 1
15	send -- "firejail --noprofile\r"	14	send -- "firejail --noprofile\r"
16	expect {	15	expect {
@@ -19,10 +18,16 @@ expect {
19	}	18	}
20	sleep 1	19	sleep 1
21		20
22	send -- "ls -l /var/tmp/somefile \| wc -l\r"	21	send -- "ls /etc/firejail\r"
23	expect {	22	expect {
24	timeout {puts "TESTING ERROR 1\n";exit}	23	timeout {puts "TESTING ERROR 1\n";exit}
25	"0"	24	"Permission denied"
		25	}
		26	after 100
		27	send -- "ls ~/.config/firejail\r"
		28	expect {
		29	timeout {puts "TESTING ERROR 1.1\n";exit}
		30	"Permission denied"
26	}	31	}
27	after 100	32	after 100
28	send -- "exit\r"	33	send -- "exit\r"
@@ -38,13 +43,19 @@ expect {
38	"Child process initialized"	43	"Child process initialized"
39	}	44	}
40	sleep 1	45	sleep 1
41		46	send -- "ls /etc/firejail\r"
42	send -- "ls -l /var/tmp/somefile \| wc -l\r"
43	expect {	47	expect {
44	timeout {puts "TESTING ERROR 3\n";exit}	48	timeout {puts "TESTING ERROR 3\n";exit}
45	"0"	49	"Permission denied"
46	}	50	}
47	after 100	51	after 100
		52	send -- "ls ~/.config/firejail\r"
		53	expect {
		54	timeout {puts "TESTING ERROR 3.1\n";exit}
		55	"Permission denied"
		56	}
		57	after 100
		58
48	send -- "exit\r"	59	send -- "exit\r"
49	sleep 1	60	sleep 1
50		61
@@ -53,15 +64,20 @@ sleep 1
53	#	64	#
54	send -- "firejail --noprofile --chroot=/tmp/chroot\r"	65	send -- "firejail --noprofile --chroot=/tmp/chroot\r"
55	expect {	66	expect {
56	timeout {puts "TESTING ERROR 3\n";exit}	67	timeout {puts "TESTING ERROR 4\n";exit}
57	"Child process initialized"	68	"Child process initialized"
58	}	69	}
59	sleep 1	70	sleep 1
60		71	send -- "ls /etc/firejail\r"
61	send -- "ls -l /var/tmp/somefile \| wc -l\r"
62	expect {	72	expect {
63	timeout {puts "TESTING ERROR 4\n";exit}	73	timeout {puts "TESTING ERROR 5\n";exit}
64	"0"	74	"Permission denied"
		75	}
		76	after 100
		77	send -- "ls ~/.config/firejail\r"
		78	expect {
		79	timeout {puts "TESTING ERROR 5.1\n";exit}
		80	"Permission denied"
65	}	81	}
66	after 100	82	after 100
67	send -- "exit\r"	83	send -- "exit\r"


diff --git a/test/features/test.sh b/test/features/test.sh index b4ef6503a..1fb7557c8 100755 --- a/test/features/test.sh +++ b/test/features/test.sh
@@ -4,13 +4,13 @@
4	# Feature testing	4	# Feature testing
5	#	5	#
6		6
7	echo "TESTING: 1.1. new /boot"	7	echo "TESTING: 1.1 new /boot"
8	./1.1.exp	8	./1.1.exp
9		9
10	echo "TESTING: 1.2. new /proc"	10	echo "TESTING: 1.2 new /proc"
11	./1.2.exp	11	./1.2.exp
12		12
13	echo "TESTING: 1.5. PID namespace"	13	echo "TESTING: 1.5 PID namespace"
14	./1.5.exp	14	./1.5.exp
15		15
16	echo "TESTING: 1.6 new /var/log"	16	echo "TESTING: 1.6 new /var/log"
@@ -19,6 +19,6 @@ echo "TESTING: 1.6 new /var/log"
19	echo "TESTING: 1.7 new /var/tmp"	19	echo "TESTING: 1.7 new /var/tmp"
20	./1.7.exp	20	./1.7.exp
21		21
22	#echo "TESTING: "	22	echo "TESTING: 1.8 disable /etc/firejail and ~/.config/firejail"
23	#./1..exp	23	./1.8.exp
24		24