aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLibravatar Tad <tad@spotco.us>2018-11-05 18:32:22 -0500
committerLibravatar Tad <tad@spotco.us>2018-11-05 18:38:16 -0500
commit1a03225b4407f1cf88410573c8fc67031de511c1 (patch)
tree2009560b8baf536c96a6f36087a6c490a9bc8b04
parentMerge pull request #2246 from glitsj16/dig (diff)
downloadfirejail-1a03225b4407f1cf88410573c8fc67031de511c1.tar.gz
firejail-1a03225b4407f1cf88410573c8fc67031de511c1.tar.zst
firejail-1a03225b4407f1cf88410573c8fc67031de511c1.zip
Add new config option to disable U2F in browsers, enabled by default
Diffstat
-rw-r--r--etc/chromium-common.profile2
-rw-r--r--etc/firefox-common.profile2
-rw-r--r--etc/firejail.config3
-rw-r--r--src/firejail/checkcfg.c9
-rw-r--r--src/firejail/firejail.h1
-rw-r--r--src/firejail/profile.c1
-rw-r--r--src/man/firejail-profile.txt2
7 files changed, 17 insertions, 3 deletions
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile
index e7062c5b8..13ed13058 100644
--- a/etc/chromium-common.profile
+++ b/etc/chromium-common.profile
@@ -27,7 +27,7 @@ nodbus
27nodvd 27nodvd
28nogroups 28nogroups
29notv 29notv
30nou2f 30?BROWSER_DISABLE_U2F: nou2f
31shell none 31shell none
32 32
33disable-mnt 33disable-mnt
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 31b071fe1..722a398cb 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -37,7 +37,7 @@ nogroups
37nonewprivs 37nonewprivs
38noroot 38noroot
39notv 39notv
40nou2f 40?BROWSER_DISABLE_U2F: nou2f
41protocol unix,inet,inet6,netlink 41protocol unix,inet,inet6,netlink
42seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice 42seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
43shell none 43shell none
diff --git a/etc/firejail.config b/etc/firejail.config
index d7106e76c..00f2c1b5d 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -5,6 +5,9 @@
5# Enable AppArmor functionality, default enabled. 5# Enable AppArmor functionality, default enabled.
6# apparmor yes 6# apparmor yes
7 7
8# Disable U2F in browsers, default enabled.
9# browser-disable-u2f yes
10
8# Number of ARP probes sent when assigning an IP address for --net option, 11# Number of ARP probes sent when assigning an IP address for --net option,
9# default 2. This is a partial implementation of RFC 5227. A 0.5 seconds 12# default 2. This is a partial implementation of RFC 5227. A 0.5 seconds
10# timeout is implemented for each probe. Increase this number to 4 if your 13# timeout is implemented for each probe. Increase this number to 4 if your
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 50f952e91..45e28fe40 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -371,6 +371,15 @@ int checkcfg(int val) {
371 else 371 else
372 goto errout; 372 goto errout;
373 } 373 }
374 // browser-disable-u2f
375 else if (strncmp(ptr, "browser-disable-u2f ", 20) == 0) {
376 if (strcmp(ptr + 20, "yes") == 0)
377 cfg_val[CFG_BROWSER_DISABLE_U2F] = 1;
378 else if (strcmp(ptr + 20, "no") == 0)
379 cfg_val[CFG_BROWSER_DISABLE_U2F] = 0;
380 else
381 goto errout;
382 }
374 else 383 else
375 goto errout; 384 goto errout;
376 385
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 7f6ed2586..d996e1dac 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -771,6 +771,7 @@ enum {
771 CFG_JOIN, 771 CFG_JOIN,
772 CFG_ARP_PROBES, 772 CFG_ARP_PROBES,
773 CFG_XPRA_ATTACH, 773 CFG_XPRA_ATTACH,
774 CFG_BROWSER_DISABLE_U2F,
774 CFG_PRIVATE_LIB, 775 CFG_PRIVATE_LIB,
775 CFG_APPARMOR, 776 CFG_APPARMOR,
776 CFG_DBUS, 777 CFG_DBUS,
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index c7c8fd9fa..a85c8f815 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -139,6 +139,7 @@ int profile_check_conditional(char *ptr, int lineno, const char *fname) {
139 bool value; // true if set 139 bool value; // true if set
140 } conditionals[] = { 140 } conditionals[] = {
141 {"HAS_APPIMAGE", strlen("HAS_APPIMAGE"), arg_appimage!=0}, 141 {"HAS_APPIMAGE", strlen("HAS_APPIMAGE"), arg_appimage!=0},
142 {"BROWSER_DISABLE_U2F", strlen("BROWSER_DISABLE_U2F"), checkcfg(CFG_BROWSER_DISABLE_U2F)!=0},
142 NULL 143 NULL
143 }, *cond = conditionals; 144 }, *cond = conditionals;
144 char *tmp = ptr, *msg = NULL; 145 char *tmp = ptr, *msg = NULL;
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index e26b5f989..251346bd5 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -94,7 +94,7 @@ Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
94 94
95This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line. 95This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line.
96 96
97Currently the only conditional supported is HAS_APPIMAGE. 97Currently the only conditionals supported are HAS_APPIMAGE and BROWSER_DISABLE_U2F.
98 98
99The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines. 99The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines.
100 100
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-06-26 08:51:07 +0000