authorLibravatar netblue30 <netblue30@yahoo.com>2016-07-10 08:40:32 -0400
committerLibravatar netblue30 <netblue30@yahoo.com>2016-07-10 08:40:32 -0400
commit18217e0feb2116534dcb9812dc75556a5cb5d41f (patch)
tree47b7f58ddd826f49190a4ee8e35d55c0aa7e8623
parentadding nodev, nosuid, and noexec (diff)
--noexec
-rw-r--r--src/firejail/firejail.h2
-rw-r--r--src/firejail/fs.c30
-rw-r--r--src/firejail/main.c8
-rw-r--r--src/firejail/profile.c2
4 files changed, 42 insertions, 0 deletions
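--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -313,6 +313,8 @@ void fs_delete_cp_command(void) ;
 void fs_blacklist(void);
 // remount a directory read-only
 void fs_rdonly(const char *dir);
+// remount a directory noexec, nodev and nosuid
+void fs_noexec(const char *dir);
 // mount /proc and /sys directories
 void fs_proc_sys_dev_boot(void);
 // build a basic read-only filesystem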
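--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -228,6 +228,7 @@ typedef enum {
  BLACKLIST_NOLOG,
  MOUNT_READONLY,
  MOUNT_TMPFS,
+ MOUNT_NOEXEC,
  OPERATION_MAX
 } OPERATION;
 
@@ -330,6 +331,12 @@ static void disable_file(OPERATION op, const char *filename) {
  fs_rdonly(fname);
 // todo: last_disable = SUCCESSFUL;
  }
+ else if (op == MOUNT_NOEXEC) {
+ if (arg_debug)
+ printf("Mounting noexec %s\n", fname);
+ fs_noexec(fname);
+// todo: last_disable = SUCCESSFUL;
+ }
  else if (op == MOUNT_TMPFS) {
  if (S_ISDIR(s.st_mode)) {
  if (arg_debug)
@@ -485,6 +492,10 @@ void fs_blacklist(void) {
  ptr = entry->data + 10;
  op = MOUNT_READONLY;
  }
+ else if (strncmp(entry->data, "noexec ", 7) == 0) {
+ ptr = entry->data + 7;
+ op = MOUNT_NOEXEC;
+ }
  else if (strncmp(entry->data, "tmpfs ", 6) == 0) {
  ptr = entry->data + 6;
  op = MOUNT_TMPFS;
@@ -548,6 +559,25 @@ void fs_rdonly(const char *dir) {
  fs_logger2("read-only", dir);
  }
 }
+
+void fs_noexec(const char *dir) {
+ assert(dir);
+ // check directory exists
+ struct stat s;
+ int rv = stat(dir, &s);
+ if (rv == 0) {
+ // mount --bind /bin /bin
+ if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0)
+ errExit("mount noexec");
+ // mount --bind -o remount,ro /bin
+ if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_NOEXEC|MS_NODEV|MS_NOSUID|MS_REC, NULL) < 0)
+ errExit("mount read-only");
+ fs_logger2("noexec", dir);
+ }
+}
+
+
+
 void fs_rdonly_noexit(const char *dir) {
  assert(dir);
  // check directory exists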
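Review bot: The second mount() in fs_noexec fails with `errExit("mount read-only")` under the comment `// mount --bind -o remount,ro /bin`, both copied from fs_rdonly, so a failed noexec remount is reported as a read-only failure; change them to `errExit("mount noexec");` and `// mount --bind -o remount,noexec,nodev,nosuid /bin`. A MS_BIND|MS_REMOUNT call sets the bind mount's per-mount flags to exactly the set passed, so if the same directory was earlier remounted read-only by fs_rdonly this remount presumably drops the read-only flag from the new top mount (and fs_rdonly run afterwards would likewise drop noexec) — worth verifying, since a profile that applies both `read-only` and `noexec` to one path would then keep only the last restriction. MS_REC on the remount also does not appear to propagate the flags to mounts nested below dir, so those may stay executable; if that is intended, a comment saying so would help. The silent skip on a stat() failure matches fs_rdonly, but a noexec request for a missing path leaves no trace for the user.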
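--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1192,6 +1192,14 @@ int main(int argc, char **argv) {
  profile_check_line(line, 0, NULL); // will exit if something wrong
  profile_add(line);
  }
+ else if (strncmp(argv[i], "--noexec=", 9) == 0) {
+ char *line;
+ if (asprintf(&line, "noexec %s", argv[i] + 9) == -1)
+ errExit("asprintf");
+
+ profile_check_line(line, 0, NULL); // will exit if something wrong
+ profile_add(line);
+ }
  else if (strncmp(argv[i], "--read-write=", 13) == 0) {
  char *line;
  if (asprintf(&line, "read-write %s", argv[i] + 13) == -1)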
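Review bot: `--noexec=` with nothing after the `=` produces the profile line `noexec ` (argv[i] + 9 is the empty string), and rejecting that empty path is left entirely to profile_check_line, which is outside this hunk; if that function does not reject it, an explicit check before the asprintf, `if (argv[i][9] == '\0') { fprintf(stderr, "Error: --noexec requires a path\n"); exit(1); }`, fails early as the `// will exit if something wrong` comment promises. The neighbouring `--read-write=` branch has the same shape. main() starts and ends outside the hunk.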
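--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -747,6 +747,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
  }
  else if (strncmp(ptr, "read-only ", 10) == 0)
  ptr += 10;
+ else if (strncmp(ptr, "noexec ", 7) == 0)
+ ptr += 7;
  else if (strncmp(ptr, "tmpfs ", 6) == 0) {
  if (getuid() != 0) {
  fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");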