diff options
| author |  netblue30 <netblue30@yahoo.com> | 2017-11-13 07:55:29 -0500 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2017-11-13 07:55:29 -0500 |
| commit | 39a175d692bfa8514a649449c938afbc2c12dc6f (patch) | |
| tree | 54796c70ee3cdcca3a0607e5c1d74269bd27913a | |
| parent | Add private-dev to qtox (diff) | |
| download | firejail-39a175d692bfa8514a649449c938afbc2c12dc6f.tar.gz firejail-39a175d692bfa8514a649449c938afbc2c12dc6f.tar.zst firejail-39a175d692bfa8514a649449c938afbc2c12dc6f.zip | |
cleanup
| -rw-r--r-- | etc/nolocal.net | 12 | ||||
| -rw-r--r-- | src/firejail/netfilter.c | 4 | ||||
| -rw-r--r-- | src/firejail/sbox.c | 9 |
3 files changed, 14 insertions, 11 deletions
diff --git a/etc/nolocal.net b/etc/nolocal.net index 9fa785450..8955f740d 100644 --- a/etc/nolocal.net +++ b/etc/nolocal.net | |||
| @@ -12,15 +12,25 @@ | |||
| 12 | # | 12 | # |
| 13 | ################################################################### | 13 | ################################################################### |
| 14 | 14 | ||
| 15 | 15 | #allow all loopback traffic | |
| 16 | -A INPUT -i lo -j ACCEPT | 16 | -A INPUT -i lo -j ACCEPT |
| 17 | |||
| 18 | # no incoming connections | ||
| 17 | -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | 19 | -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT |
| 20 | |||
| 21 | # allow ping etc. | ||
| 18 | -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT | 22 | -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT |
| 19 | -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT | 23 | -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT |
| 20 | -A INPUT -p icmp --icmp-type echo-request -j ACCEPT | 24 | -A INPUT -p icmp --icmp-type echo-request -j ACCEPT |
| 21 | 25 | ||
| 26 | # accept dns requests going out to a server on the local network | ||
| 22 | -A OUTPUT -p udp --dport 53 -j ACCEPT | 27 | -A OUTPUT -p udp --dport 53 -j ACCEPT |
| 28 | |||
| 29 | # drop all local network traffic | ||
| 23 | -A OUTPUT -d 192.168.0.0/16 -j DROP | 30 | -A OUTPUT -d 192.168.0.0/16 -j DROP |
| 24 | -A OUTPUT -d 10.0.0.0/8 -j DROP | 31 | -A OUTPUT -d 10.0.0.0/8 -j DROP |
| 25 | -A OUTPUT -d 172.16.0.0/12 -j DROP | 32 | -A OUTPUT -d 172.16.0.0/12 -j DROP |
| 33 | |||
| 34 | # drop multicast traffic | ||
| 35 | -A OUTPUT -d 244.0.0.0/4 -j DROP | ||
| 26 | COMMIT | 36 | COMMIT |
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index cb0d9d7af..7246be8cf 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c | |||
| @@ -98,7 +98,7 @@ void netfilter(const char *fname) { | |||
| 98 | 98 | ||
| 99 | // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter | 99 | // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter |
| 100 | // we run this command with caps and seccomp disabled in order to allow the loading of these modules | 100 | // we run this command with caps and seccomp disabled in order to allow the loading of these modules |
| 101 | sbox_run(SBOX_ROOT /* | SBOX_CAPS_NETWORK | SBOX_SECCOMP*/ | SBOX_STDIN_FROM_FILE, 1, iptables_restore); | 101 | sbox_run(SBOX_ROOT | SBOX_STDIN_FROM_FILE, 1, iptables_restore); |
| 102 | unlink(SBOX_STDIN_FILE); | 102 | unlink(SBOX_STDIN_FILE); |
| 103 | 103 | ||
| 104 | // debug | 104 | // debug |
| @@ -147,7 +147,7 @@ void netfilter6(const char *fname) { | |||
| 147 | 147 | ||
| 148 | // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter | 148 | // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter |
| 149 | // we run this command with caps and seccomp disabled in order to allow the loading of these modules | 149 | // we run this command with caps and seccomp disabled in order to allow the loading of these modules |
| 150 | sbox_run(SBOX_ROOT | /* SBOX_CAPS_NETWORK | SBOX_SECCOMP | */ SBOX_STDIN_FROM_FILE, 1, ip6tables_restore); | 150 | sbox_run(SBOX_ROOT | SBOX_STDIN_FROM_FILE, 1, ip6tables_restore); |
| 151 | unlink(SBOX_STDIN_FILE); | 151 | unlink(SBOX_STDIN_FILE); |
| 152 | 152 | ||
| 153 | // debug | 153 | // debug |
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index 1d6cc2353..274a4353f 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c | |||
| @@ -104,13 +104,6 @@ static struct sock_fprog prog = { | |||
| 104 | .filter = filter, | 104 | .filter = filter, |
| 105 | }; | 105 | }; |
| 106 | 106 | ||
| 107 | typedef struct sbox_config { | ||
| 108 | char *name; | ||
| 109 | char *path; | ||
| 110 | unsigned filters; | ||
| 111 | } SboxConfig; | ||
| 112 | |||
| 113 | |||
| 114 | int sbox_run(unsigned filter, int num, ...) { | 107 | int sbox_run(unsigned filter, int num, ...) { |
| 115 | EUID_ROOT(); | 108 | EUID_ROOT(); |
| 116 | 109 | ||
| @@ -142,7 +135,7 @@ int sbox_run(unsigned filter, int num, ...) { | |||
| 142 | if (filter & SBOX_STDIN_FROM_FILE) { | 135 | if (filter & SBOX_STDIN_FROM_FILE) { |
| 143 | int fd; | 136 | int fd; |
| 144 | if((fd = open(SBOX_STDIN_FILE, O_RDONLY)) == -1) { | 137 | if((fd = open(SBOX_STDIN_FILE, O_RDONLY)) == -1) { |
| 145 | fprintf(stderr,"Error: cannot open /tmp/netfilter\n"); | 138 | fprintf(stderr,"Error: cannot open %s\n", SBOX_STDIN_FILE); |
| 146 | exit(1); | 139 | exit(1); |
| 147 | } | 140 | } |
| 148 | dup2(fd,STDIN_FILENO); | 141 | dup2(fd,STDIN_FILENO); |