security: env variables

author: netblue30 <netblue30@yahoo.com> 2016-11-03 10:53:51 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-11-03 10:53:51 -0400
commit: 3b81e1f2c331644ced87d26a943b22eed6242b8f (patch)
tree: 092f9d881ced236c86ba0baeabb32a955b4054a0
parent: fixed TOCTOU problem for --get and --put (diff)
download: firejail-3b81e1f2c331644ced87d26a943b22eed6242b8f.tar.gz
firejail-3b81e1f2c331644ced87d26a943b22eed6242b8f.tar.zst
firejail-3b81e1f2c331644ced87d26a943b22eed6242b8f.zip
9 files changed, 31 insertions, 10 deletions
diff --git a/RELNOTES b/RELNOTES
index 037f41a9b..3a9ccaa4b 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -2,8 +2,10 @@ firejail (0.9.45) baseline; urgency=low
  * development version, work in progress
  * security: overwrite /etc/resolv.conf found by Martin Carpenter
  * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson
+  * security: invalid environment exploit found by Martin Carpener
+  * security: split most of networking code in a separate executable
+  * security: split seccomp filter code code in a separate executable
  * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm)
-  * feature: split most of networking code in a separate executable
  * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire
  * bugfixes
 -- netblue30 <netblue30@yahoo.com>  Sun, 23 Oct 2016 08:00:00 -0500
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index 4a1df9c67..ab9714afe 100644
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -462,6 +462,7 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
        arg[1] = "-c";
        arg[2] = cmd;
        arg[3] = NULL;
+        assert(getenv("LD_PRELOAD") == NULL);   
        execvp(arg[0], arg);
        
        // it will never get here
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index f59944735..d6fee0608 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -191,6 +191,7 @@ static void duplicate(char *fname) {
                                char *f;
                                if (asprintf(&f, "%s/%s", RUN_BIN_DIR, fname) == -1)
                                        errExit("asprintf");
+                                assert(getenv("LD_PRELOAD") == NULL);   
                                execlp(RUN_CP_COMMAND, RUN_CP_COMMAND, "-a", actual_path, f, NULL);
                                perror("execlp");
                                _exit(1);
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index b86d5eb74..4f3417236 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -105,6 +105,7 @@ static void duplicate(char *fname) {
                char *f;
                if (asprintf(&f, "/etc/%s", fname) == -1)
                        errExit("asprintf");
+                assert(getenv("LD_PRELOAD") == NULL);   
                execlp(RUN_CP_COMMAND, RUN_CP_COMMAND, "-a", "--parents", f, RUN_MNT_DIR, NULL);
                perror("execlp");
                _exit(1);
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index c1f9a2c37..efef45d90 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -144,6 +144,7 @@ void netfilter(const char *fname) {
                // wipe out environment variables
                environ = NULL;
+                assert(getenv("LD_PRELOAD") == NULL);   
                execl(iptables_restore, iptables_restore, NULL);
                perror("execl");
                _exit(1);
@@ -163,6 +164,7 @@ void netfilter(const char *fname) {
                        if (setregid(0, 0))
                                errExit("setregid");
                        environ = NULL;
+                        assert(getenv("LD_PRELOAD") == NULL);   
                        execl(iptables, iptables, "-vL", NULL);
                        perror("execl");
                        _exit(1);
@@ -257,6 +259,7 @@ void netfilter6(const char *fname) {
                // wipe out environment variables
                environ = NULL;
+                assert(getenv("LD_PRELOAD") == NULL);   
                execl(ip6tables_restore, ip6tables_restore, NULL);
                perror("execl");
                _exit(1);
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c
index 020e70b80..8aa2fe53f 100644
--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -106,6 +106,7 @@ void run_symlink(int argc, char **argv) {
                a[i + 2] = argv[i + 1];
        }
        a[i + 2] = NULL;
+        assert(getenv("LD_PRELOAD") == NULL);   
        execvp(a[0], a); 
        perror("execvp");
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 3942e4da6..e3c95283d 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -260,6 +260,7 @@ void start_audit(void) {
        char *audit_prog;
        if (asprintf(&audit_prog, "%s/firejail/faudit", LIBDIR) == -1)
                errExit("asprintf");
+        assert(getenv("LD_PRELOAD") == NULL);   
        execl(audit_prog, audit_prog, NULL);
        perror("execl");
        exit(1);
@@ -268,6 +269,15 @@ void start_audit(void) {
 void start_application(void) {
 //if (setsid() == -1)
 //errExit("setsid");
+        // set environment
+        env_defaults();
+        env_apply();
+        if (arg_debug) {
+                printf("starting application\n");
+                printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD"));
+        }
+        
        //****************************************
        // audit
        //****************************************
@@ -787,12 +797,6 @@ assert(0);
                }
        }
        
-        // set environment
-        env_defaults();
-        
-        // set user-supplied environment variables
-        env_apply();
        // set nice
        if (arg_nice) {
                errno = 0;
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index 6499b7005..a5a067090 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -165,6 +165,7 @@ int sbox_run(unsigned filter, int num, ...) {
                else if (filter & SBOX_USER)
                        drop_privs(1);
+                assert(getenv("LD_PRELOAD") == NULL);   
                if (arg[0])     // get rid of scan-build warning
                        execvp(arg[0], arg);
                else
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index c79f1a74e..6cba95501 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -311,7 +311,8 @@ void x11_start_xephyr(int argc, char **argv) {
        if (server == 0) {
                if (arg_debug)
                        printf("Starting xephyr...\n");
-        
+                assert(getenv("LD_PRELOAD") == NULL);   
                execvp(server_argv[0], server_argv);
                perror("execvp");
                _exit(1);
@@ -353,6 +354,7 @@ void x11_start_xephyr(int argc, char **argv) {
                if (!arg_quiet)
                        printf("\n*** Attaching to Xephyr display %d ***\n\n", display);
+                assert(getenv("LD_PRELOAD") == NULL);   
                execvp(jail_argv[0], jail_argv);
                perror("execvp");
                _exit(1);
@@ -432,6 +434,7 @@ void x11_start_xpra(int argc, char **argv) {
                        dup2(fd_null,2);
                }
        
+                assert(getenv("LD_PRELOAD") == NULL);   
                execvp(server_argv[0], server_argv);
                perror("execvp");
                _exit(1);
@@ -478,6 +481,7 @@ void x11_start_xpra(int argc, char **argv) {
                if (!arg_quiet)
                        printf("\n*** Attaching to xpra display %d ***\n\n", display);
+                assert(getenv("LD_PRELOAD") == NULL);   
                execvp(attach_argv[0], attach_argv);
                perror("execvp");
                _exit(1);
@@ -508,6 +512,7 @@ void x11_start_xpra(int argc, char **argv) {
        if (jail < 0)
                errExit("fork");
        if (jail == 0) {
+                assert(getenv("LD_PRELOAD") == NULL);   
                if (firejail_argv[0]) // shut up llvm scan-build
                        execvp(firejail_argv[0], firejail_argv);
                perror("execvp");
@@ -534,6 +539,7 @@ void x11_start_xpra(int argc, char **argv) {
                                        dup2(fd_null,1);
                                        dup2(fd_null,2);
                                }
+                                assert(getenv("LD_PRELOAD") == NULL);   
                                execvp(stop_argv[0], stop_argv);
                                perror("execvp");
                                _exit(1);
@@ -664,11 +670,12 @@ void x11_xorg(void) {
                        errExit("setreuid");
                if (setregid(0, 0) < 0)
                        errExit("setregid");
-                
                char *display = getenv("DISPLAY");
                if (!display)
                        display = ":0.0";
-                        
+                
+                assert(getenv("LD_PRELOAD") == NULL);   
                execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", RUN_XAUTHORITY_SEC_FILE,
                        "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL);
author	netblue30 <netblue30@yahoo.com>	2016-11-03 10:53:51 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-11-03 10:53:51 -0400
commit	3b81e1f2c331644ced87d26a943b22eed6242b8f (patch)
tree	092f9d881ced236c86ba0baeabb32a955b4054a0
parent	fixed TOCTOU problem for --get and --put (diff)
download	firejail-3b81e1f2c331644ced87d26a943b22eed6242b8f.tar.gz firejail-3b81e1f2c331644ced87d26a943b22eed6242b8f.tar.zst firejail-3b81e1f2c331644ced87d26a943b22eed6242b8f.zip