more --build

author: netblue30 <netblue30@protonmail.com> 2021-05-06 15:39:36 -0400
committer: netblue30 <netblue30@protonmail.com> 2021-05-06 15:39:36 -0400
commit: 43e47483ff94753655ade1e633e973725d8fb505 (patch)
tree: f4f69043bcb37fd62c6d60da57cad5b6027f46c5
parent: some wireshark hardening (#4245) (diff)
download: firejail-43e47483ff94753655ade1e633e973725d8fb505.tar.gz
firejail-43e47483ff94753655ade1e633e973725d8fb505.tar.zst
firejail-43e47483ff94753655ade1e633e973725d8fb505.zip
6 files changed, 130 insertions, 153 deletions
diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c
index 431aebee6..9577042c4 100644
--- a/src/fbuilder/build_bin.c
+++ b/src/fbuilder/build_bin.c
@@ -83,11 +83,9 @@ static void process_bin(const char *fname) {
                        continue;
                *ptr2 = '\0';
-                // skip strace
+                // skip strace and firejail (in case we hit a symlink in /usr/local/bin)
-                if (strcmp(ptr, "strace") == 0)
+                if (strcmp(ptr, "strace") && strcmp(ptr, "firejail"))
-                        continue;
+                        bin_out = filedb_add(bin_out, ptr);
-                bin_out = filedb_add(bin_out, ptr);
        }
        fclose(fp);
@@ -121,6 +119,5 @@ void build_bin(const char *fname, FILE *fp) {
                        ptr = ptr->next;
                }
                fprintf(fp, "\n");
-                fprintf(fp, "#private-lib\n");
        }
 }
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
index b35380b96..8700e0ba1 100644
--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -146,106 +146,57 @@ void build_etc(const char *fname, FILE *fp) {
 //*******************************************
 // var directory
 //*******************************************
+#if 0
+// todo: load the list from whitelist-var-common.inc
+static char *var_skip[] = {
+        "/var/lib/ca-certificates",
+        "/var/lib/dbus",
+        "/var/lib/menu-xdg",
+        "/var/lib/uim",
+        "/var/cache/fontconfig",
+        "/var/tmp",
+        "/var/run",
+        "/var/lock",
+        NULL
+};
+#endif
 static FileDB *var_out = NULL;
+static FileDB *var_skip = NULL;
 static void var_callback(char *ptr) {
-        if (strcmp(ptr, "/var/lib") == 0)
+        // extract the directory:
-                ;
+        assert(strncmp(ptr, "/var", 4) == 0);
-        else if (strcmp(ptr, "/var/cache") == 0)
+        char *p1 = ptr + 4;
-                ;
+        if (*p1 != '/')
-        else if (strncmp(ptr, "/var/lib/menu-xdg", 17) == 0)
+                return;
-                var_out = filedb_add(var_out, "/var/lib/menu-xdg");
+        p1++;
-        else if (strncmp(ptr, "/var/cache/fontconfig", 21) == 0)
-                var_out = filedb_add(var_out, "/var/cache/fontconfig");
+        if (*p1 == '/') // double '/'
-        else
+                p1++;
-                var_out = filedb_add(var_out, ptr);
+        if (*p1 == '\0')
+                return;
+        if (!filedb_find(var_skip, p1))
+                var_out = filedb_add(var_out, p1);
 }
 void build_var(const char *fname, FILE *fp) {
        assert(fname);
+        var_skip = filedb_load_whitelist(var_skip, "whitelist-var-common.inc", "whitelist /var/");
        process_files(fname, "/var", var_callback);
-        if (var_out == NULL) {
+        // always whitelist /var
-                fprintf(fp, "blacklist /var\n");
+        if (var_out)
-        } else {
+                filedb_print(var_out, "whitelist /var/", fp);
-                filedb_print(var_out, "whitelist ", fp);
+        fprintf(fp, "include whitelist-var-common.inc\n");
-                fprintf(fp, "include whitelist-var-common.inc\n");
-        }
 }
 //*******************************************
 // usr/share directory
 //*******************************************
-// todo: load the list from whitelist-usr-share-common.inc
-static char *share_skip[] = {
-        "/usr/share/alsa",
-        "/usr/share/applications",
-        "/usr/share/ca-certificates",
-        "/usr/share/crypto-policies",
-        "/usr/share/cursors",
-        "/usr/share/dconf",
-        "/usr/share/distro-info",
-        "/usr/share/drirc.d",
-        "/usr/share/enchant",
-        "/usr/share/enchant-2",
-        "/usr/share/file",
-        "/usr/share/fontconfig",
-        "/usr/share/fonts",
-        "/usr/share/fonts-config",
-        "/usr/share/gir-1.0",
-        "/usr/share/gjs-1.0",
-        "/usr/share/glib-2.0",
-        "/usr/share/glvnd",
-        "/usr/share/gtk-2.0",
-        "/usr/share/gtk-3.0",
-        "/usr/share/gtk-engines",
-        "/usr/share/gtksourceview-3.0",
-        "/usr/share/gtksourceview-4",
-        "/usr/share/hunspell",
-        "/usr/share/hwdata",
-        "/usr/share/icons",
-        "/usr/share/icu",
-        "/usr/share/knotifications5",
-        "/usr/share/kservices5",
-        "/usr/share/Kvantum",
-        "/usr/share/kxmlgui5",
-        "/usr/share/libdrm",
-        "/usr/share/libthai",
-        "/usr/share/locale",
-        "/usr/share/mime",
-        "/usr/share/misc",
-        "/usr/share/Modules",
-        "/usr/share/myspell",
-        "/usr/share/p11-kit",
-        "/usr/share/perl",
-        "/usr/share/perl5",
-        "/usr/share/pixmaps",
-        "/usr/share/pki",
-        "/usr/share/plasma",
-        "/usr/share/publicsuffix",
-        "/usr/share/qt",
-        "/usr/share/qt4",
-        "/usr/share/qt5",
-        "/usr/share/qt5ct",
-        "/usr/share/sounds",
-        "/usr/share/tcl8.6",
-        "/usr/share/tcltk",
-        "/usr/share/terminfo",
-        "/usr/share/texlive",
-        "/usr/share/texmf",
-        "/usr/share/themes",
-        "/usr/share/thumbnail.so",
-        "/usr/share/uim",
-        "/usr/share/vulkan",
-        "/usr/share/X11",
-        "/usr/share/xml",
-        "/usr/share/zenity",
-        "/usr/share/zoneinfo",
-        NULL
-};
 static FileDB *share_out = NULL;
+static FileDB *share_skip = NULL;
 static void share_callback(char *ptr) {
        // extract the directory:
        assert(strncmp(ptr, "/usr/share", 10) == 0);
@@ -263,30 +214,21 @@ static void share_callback(char *ptr) {
        if (p2)
                *p2 = '\0';
-        int i = 0;
-        int found = 0;
+        if (!filedb_find(share_skip, p1))
-        while (share_skip[i]) {
+                share_out = filedb_add(share_out, p1);
-                if (strncmp(ptr, share_skip[i], strlen(share_skip[i])) == 0) {
-                        found = 1;
-                        break;
-                }
-                i++;
-        }
-        if (!found)
-                share_out = filedb_add(share_out, ptr);
 }
 void build_share(const char *fname, FILE *fp) {
        assert(fname);
+        share_skip = filedb_load_whitelist(share_skip, "whitelist-usr-share-common.inc", "whitelist /usr/share/");
        process_files(fname, "/usr/share", share_callback);
-        if (share_out == NULL) {
+        // always whitelist /usr/share
-                fprintf(fp, "blacklist /usr/share\n");
+        if (share_out)
-        } else {
+                filedb_print(share_out, "whitelist /usr/share/", fp);
-                filedb_print(share_out, "whitelist ", fp);
+        fprintf(fp, "include whitelist-usr-share-common.inc\n");
-                fprintf(fp, "include whitelist-usr-share-common.inc\n");
-        }
 }
 //*******************************************
@@ -336,6 +278,7 @@ static char *dev_skip[] = {
        "/dev/null",
        "/dev/full",
        "/dev/random",
+        "/dev/srandom",
        "/dev/urandom",
        "/dev/sr0",
        "/dev/cdrom",
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c
index d7706282a..b3ec6cffd 100644
--- a/src/fbuilder/build_home.c
+++ b/src/fbuilder/build_home.c
@@ -23,30 +23,6 @@
 static FileDB *db_skip = NULL;
 static FileDB *db_out = NULL;
-static void load_whitelist_common(void) {
-        FILE *fp = fopen(SYSCONFDIR "/whitelist-common.inc", "r");
-        if (!fp) {
-                fprintf(stderr, "Error: cannot open whitelist-common.inc\n");
-                exit(1);
-        }
-        char buf[MAX_BUF];
-        while (fgets(buf, MAX_BUF, fp)) {
-                if (strncmp(buf, "whitelist ${HOME}/", 18) != 0)
-                        continue;
-                char *fn = buf + 18;
-                char *ptr = strchr(buf, '\n');
-                if (!ptr)
-                        continue;
-                *ptr = '\0';
-                // add the file to skip list
-                db_skip = filedb_add(db_skip, fn);
-        }
-        fclose(fp);
-}
 void process_home(const char *fname, char *home, int home_len) {
        assert(fname);
        assert(home);
@@ -162,7 +138,7 @@ void build_home(const char *fname, FILE *fp) {
        assert(fname);
        // load whitelist common
-        load_whitelist_common();
+        db_skip = filedb_load_whitelist(db_skip, "whitelist-common.inc", "whitelist ${HOME}/");
        // find user home directory
        struct passwd *pw = getpwuid(getuid());
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index 100630eb9..fb53f70a6 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -141,57 +141,70 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
        if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
                if (fp == stdout)
                        printf("--- Built profile beings after this line ---\n");
-                fprintf(fp, "# Firejail profile for %s\n", argv[index]);
+                fprintf(fp, "# Save this file as \"application.profile\" (change \"application\" with the\n");
+                fprintf(fp, "# program name) in ~/.config/firejail directory. Firejail will find it\n");
+                fprintf(fp, "# automatically every time you sandbox your application.\n#\n");
+                fprintf(fp, "# Run \"firejail application\" to test it. In the file there are\n");
+                fprintf(fp, "# some other commands you can try. Enable them by removing the \"#\".\n");
+                fprintf(fp, "\n# Firejail profile for %s\n", argv[index]);
                fprintf(fp, "# Persistent local customizations\n");
                fprintf(fp, "#include %s.local\n", argv[index]);
                fprintf(fp, "# Persistent global definitions\n");
                fprintf(fp, "#include globals.local\n");
                fprintf(fp, "\n");
-                fprintf(fp, "### basic blacklisting\n");
+                fprintf(fp, "### Basic Blacklisting ###\n");
+                fprintf(fp, "### Enable as many of them as you can! A very important one is\n");
+                fprintf(fp, "### \"disable-exec.inc\". This will make among other things your home\n");
+                fprintf(fp, "### and /tmp directories non-executable.\n");
                fprintf(fp, "include disable-common.inc\n");
                fprintf(fp, "#include disable-devel.inc\n");
                fprintf(fp, "#include disable-exec.inc\n");
                fprintf(fp, "#include disable-interpreters.inc\n");
                fprintf(fp, "include disable-passwdmgr.inc\n");
-                fprintf(fp, "#include disable-programs.inc\n");
+                fprintf(fp, "include disable-programs.inc\n");
                fprintf(fp, "#include disable-xdg.inc\n");
                fprintf(fp, "\n");
-                fprintf(fp, "### home directory whitelisting\n");
+                fprintf(fp, "### Home Directory Whitelisting ###\n");
+                fprintf(fp, "### If something goes wrong, this section is the first one to comment out.\n");
+                fprintf(fp, "### Instead, you'll have to relay on the basic blacklisting above.\n");
                build_home(trace_output, fp);
-                fprintf(fp, "\n### /usr/share:\n");
+                fprintf(fp, "\n### The Rest of the Filesystem ###\n");
                build_share(trace_output, fp);
-                fprintf(fp, "\n### /var:\n");
                build_var(trace_output, fp);
-                fprintf(fp, "\n### /bin:\n");
                build_bin(trace_output, fp);
-                fprintf(fp, "\n### /dev:\n");
                build_dev(trace_output, fp);
-                fprintf(fp, "\n### /etc:\n");
+                fprintf(fp, "#nodvd\n");
+                fprintf(fp, "#noinput\n");
+                fprintf(fp, "#notv\n");
+                fprintf(fp, "#nou2f\n");
+                fprintf(fp, "#novideo\n");
                build_etc(trace_output, fp);
-                fprintf(fp, "\n### /tmp:\n");
                build_tmp(trace_output, fp);
-                fprintf(fp, "\n### security filters\n");
+                fprintf(fp, "\n### Security Filters ###\n");
+                fprintf(fp, "#apparmor\n");
                fprintf(fp, "caps.drop all\n");
+                fprintf(fp, "netfilter\n");
+                fprintf(fp, "#nogroups\n");
+                fprintf(fp, "#noroot\n");
                fprintf(fp, "nonewprivs\n");
+                build_protocol(trace_output, fp);
                fprintf(fp, "seccomp\n");
                if (!have_strace) {
-                        fprintf(fp, "# If you install strace on your system, Firejail will also create a\n");
+                        fprintf(fp, "### If you install strace on your system, Firejail will also create a\n");
-                        fprintf(fp, "# whitelisted seccomp filter.\n");
+                        fprintf(fp, "### whitelisted seccomp filter.\n");
                }
                else if (!have_yama_permission)
-                        fprintf(fp, "# Yama security module prevents creation of a whitelisted seccomp filter\n");
+                        fprintf(fp, "### Yama security module prevents creation of a whitelisted seccomp filter\n");
                else
                        build_seccomp(strace_output, fp);
+                fprintf(fp, "#shell none\n");
-                fprintf(fp, "\n### network\n");
+                fprintf(fp, "#tracelog\n");
-                build_protocol(trace_output, fp);
-                fprintf(fp, "\n### environment\n");
-                fprintf(fp, "shell none\n");
                if (!arg_debug) {
                        unlink(trace_output);
diff --git a/src/fbuilder/fbuilder.h b/src/fbuilder/fbuilder.h
index 8d3621c02..08dd35e10 100644
--- a/src/fbuilder/fbuilder.h
+++ b/src/fbuilder/fbuilder.h
@@ -66,5 +66,6 @@ typedef struct filedb_t {
 FileDB *filedb_add(FileDB *head, const char *fname);
 FileDB *filedb_find(FileDB *head, const char *fname);
 void filedb_print(FileDB *head, const char *prefix, FILE *fp);
+FileDB *filedb_load_whitelist(FileDB *head, const char *fname, const char *prefix);
 #endif
diff --git a/src/fbuilder/filedb.c b/src/fbuilder/filedb.c
index 6e302a606..94a226cb7 100644
--- a/src/fbuilder/filedb.c
+++ b/src/fbuilder/filedb.c
@@ -20,7 +20,9 @@
 #include "fbuilder.h"
+// find exact name or an exact name in a parent directory
 FileDB *filedb_find(FileDB *head, const char *fname) {
+        assert(fname);
        FileDB *ptr = head;
        int found = 0;
        int len = strlen(fname);
@@ -52,6 +54,8 @@ FileDB *filedb_find(FileDB *head, const char *fname) {
 FileDB *filedb_add(FileDB *head, const char *fname) {
        assert(fname);
+        // todo: support fnames such as ${RUNUSER}/.mutter-Xwaylandauth.*
        // don't add it if it is already there or if the parent directory is already in the list
        if (filedb_find(head, fname))
                return head;
@@ -70,9 +74,52 @@ FileDB *filedb_add(FileDB *head, const char *fname) {
 };
 void filedb_print(FileDB *head, const char *prefix, FILE *fp) {
+        assert(head);
+        assert(prefix);
        FileDB *ptr = head;
        while (ptr) {
-                fprintf(fp, "%s%s\n", prefix, ptr->fname);
+                if (fp)
+                        fprintf(fp, "%s%s\n", prefix, ptr->fname);
+                else
+                        printf("%s%s\n", prefix, ptr->fname);
                ptr = ptr->next;
        }
 }
+FileDB *filedb_load_whitelist(FileDB *head, const char *fname, const char *prefix) {
+        assert(fname);
+        assert(prefix);
+        int len = strlen(prefix);
+        char *f;
+        if (asprintf(&f, "%s/%s", SYSCONFDIR, fname) == -1)
+                errExit("asprintf");
+        FILE *fp = fopen(f, "r");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot open whitelist-common.inc\n");
+                free(f);
+                exit(1);
+        }
+        char buf[MAX_BUF];
+        while (fgets(buf, MAX_BUF, fp)) {
+                if (strncmp(buf, prefix, len) != 0)
+                        continue;
+                char *fn = buf + len;
+                char *ptr = strchr(buf, '\n');
+                if (!ptr)
+                        continue;
+                *ptr = '\0';
+                // add the file to skip list
+                head = filedb_add(head, fn);
+        }
+        fclose(fp);
+        free(f);
+//printf("***************************************************\n");
+//filedb_print(head, prefix, NULL);
+//printf("***************************************************\n");
+        return head;
+}
author	netblue30 <netblue30@protonmail.com>	2021-05-06 15:39:36 -0400
committer	netblue30 <netblue30@protonmail.com>	2021-05-06 15:39:36 -0400
commit	43e47483ff94753655ade1e633e973725d8fb505 (patch)
tree	f4f69043bcb37fd62c6d60da57cad5b6027f46c5
parent	some wireshark hardening (#4245) (diff)
download	firejail-43e47483ff94753655ade1e633e973725d8fb505.tar.gz firejail-43e47483ff94753655ade1e633e973725d8fb505.tar.zst firejail-43e47483ff94753655ade1e633e973725d8fb505.zip

diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c index 431aebee6..9577042c4 100644 --- a/src/fbuilder/build_bin.c +++ b/src/fbuilder/build_bin.c
@@ -83,11 +83,9 @@ static void process_bin(const char *fname) {
83	continue;	83	continue;
84	*ptr2 = '\0';	84	*ptr2 = '\0';
85		85
86	// skip strace	86	// skip strace and firejail (in case we hit a symlink in /usr/local/bin)
87	if (strcmp(ptr, "strace") == 0)	87	if (strcmp(ptr, "strace") && strcmp(ptr, "firejail"))
88	continue;	88	bin_out = filedb_add(bin_out, ptr);
89
90	bin_out = filedb_add(bin_out, ptr);
91	}	89	}
92		90
93	fclose(fp);	91	fclose(fp);
@@ -121,6 +119,5 @@ void build_bin(const char fname, FILE fp) {
121	ptr = ptr->next;	119	ptr = ptr->next;
122	}	120	}
123	fprintf(fp, "\n");	121	fprintf(fp, "\n");
124	fprintf(fp, "#private-lib\n");
125	}	122	}
126	}	123	}


diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c index b35380b96..8700e0ba1 100644 --- a/src/fbuilder/build_fs.c +++ b/src/fbuilder/build_fs.c
@@ -146,106 +146,57 @@ void build_etc(const char fname, FILE fp) {
146	//*******************************************	146	//*******************************************
147	// var directory	147	// var directory
148	//*******************************************	148	//*******************************************
		149	#if 0
		150	// todo: load the list from whitelist-var-common.inc
		151	static char *var_skip[] = {
		152	"/var/lib/ca-certificates",
		153	"/var/lib/dbus",
		154	"/var/lib/menu-xdg",
		155	"/var/lib/uim",
		156	"/var/cache/fontconfig",
		157	"/var/tmp",
		158	"/var/run",
		159	"/var/lock",
		160	NULL
		161	};
		162	#endif
149	static FileDB *var_out = NULL;	163	static FileDB *var_out = NULL;
		164	static FileDB *var_skip = NULL;
150	static void var_callback(char *ptr) {	165	static void var_callback(char *ptr) {
151	if (strcmp(ptr, "/var/lib") == 0)	166	// extract the directory:
152	;	167	assert(strncmp(ptr, "/var", 4) == 0);
153	else if (strcmp(ptr, "/var/cache") == 0)	168	char *p1 = ptr + 4;
154	;	169	if (*p1 != '/')
155	else if (strncmp(ptr, "/var/lib/menu-xdg", 17) == 0)	170	return;
156	var_out = filedb_add(var_out, "/var/lib/menu-xdg");	171	p1++;
157	else if (strncmp(ptr, "/var/cache/fontconfig", 21) == 0)	172
158	var_out = filedb_add(var_out, "/var/cache/fontconfig");	173	if (*p1 == '/') // double '/'
159	else	174	p1++;
160	var_out = filedb_add(var_out, ptr);	175	if (*p1 == '\0')
		176	return;
		177
		178	if (!filedb_find(var_skip, p1))
		179	var_out = filedb_add(var_out, p1);
161	}	180	}
162		181
163	void build_var(const char fname, FILE fp) {	182	void build_var(const char fname, FILE fp) {
164	assert(fname);	183	assert(fname);
165		184
		185	var_skip = filedb_load_whitelist(var_skip, "whitelist-var-common.inc", "whitelist /var/");
166	process_files(fname, "/var", var_callback);	186	process_files(fname, "/var", var_callback);
167		187
168	if (var_out == NULL) {	188	// always whitelist /var
169	fprintf(fp, "blacklist /var\n");	189	if (var_out)
170	} else {	190	filedb_print(var_out, "whitelist /var/", fp);
171	filedb_print(var_out, "whitelist ", fp);	191	fprintf(fp, "include whitelist-var-common.inc\n");
172	fprintf(fp, "include whitelist-var-common.inc\n");
173	}
174	}	192	}
175		193
176		194
177	//*******************************************	195	//*******************************************
178	// usr/share directory	196	// usr/share directory
179	//*******************************************	197	//*******************************************
180	// todo: load the list from whitelist-usr-share-common.inc
181	static char *share_skip[] = {
182	"/usr/share/alsa",
183	"/usr/share/applications",
184	"/usr/share/ca-certificates",
185	"/usr/share/crypto-policies",
186	"/usr/share/cursors",
187	"/usr/share/dconf",
188	"/usr/share/distro-info",
189	"/usr/share/drirc.d",
190	"/usr/share/enchant",
191	"/usr/share/enchant-2",
192	"/usr/share/file",
193	"/usr/share/fontconfig",
194	"/usr/share/fonts",
195	"/usr/share/fonts-config",
196	"/usr/share/gir-1.0",
197	"/usr/share/gjs-1.0",
198	"/usr/share/glib-2.0",
199	"/usr/share/glvnd",
200	"/usr/share/gtk-2.0",
201	"/usr/share/gtk-3.0",
202	"/usr/share/gtk-engines",
203	"/usr/share/gtksourceview-3.0",
204	"/usr/share/gtksourceview-4",
205	"/usr/share/hunspell",
206	"/usr/share/hwdata",
207	"/usr/share/icons",
208	"/usr/share/icu",
209	"/usr/share/knotifications5",
210	"/usr/share/kservices5",
211	"/usr/share/Kvantum",
212	"/usr/share/kxmlgui5",
213	"/usr/share/libdrm",
214	"/usr/share/libthai",
215	"/usr/share/locale",
216	"/usr/share/mime",
217	"/usr/share/misc",
218	"/usr/share/Modules",
219	"/usr/share/myspell",
220	"/usr/share/p11-kit",
221	"/usr/share/perl",
222	"/usr/share/perl5",
223	"/usr/share/pixmaps",
224	"/usr/share/pki",
225	"/usr/share/plasma",
226	"/usr/share/publicsuffix",
227	"/usr/share/qt",
228	"/usr/share/qt4",
229	"/usr/share/qt5",
230	"/usr/share/qt5ct",
231	"/usr/share/sounds",
232	"/usr/share/tcl8.6",
233	"/usr/share/tcltk",
234	"/usr/share/terminfo",
235	"/usr/share/texlive",
236	"/usr/share/texmf",
237	"/usr/share/themes",
238	"/usr/share/thumbnail.so",
239	"/usr/share/uim",
240	"/usr/share/vulkan",
241	"/usr/share/X11",
242	"/usr/share/xml",
243	"/usr/share/zenity",
244	"/usr/share/zoneinfo",
245	NULL
246	};
247
248	static FileDB *share_out = NULL;	198	static FileDB *share_out = NULL;
		199	static FileDB *share_skip = NULL;
249	static void share_callback(char *ptr) {	200	static void share_callback(char *ptr) {
250	// extract the directory:	201	// extract the directory:
251	assert(strncmp(ptr, "/usr/share", 10) == 0);	202	assert(strncmp(ptr, "/usr/share", 10) == 0);
@@ -263,30 +214,21 @@ static void share_callback(char *ptr) {
263	if (p2)	214	if (p2)
264	*p2 = '\0';	215	*p2 = '\0';
265		216
266	int i = 0;	217
267	int found = 0;	218	if (!filedb_find(share_skip, p1))
268	while (share_skip[i]) {	219	share_out = filedb_add(share_out, p1);
269	if (strncmp(ptr, share_skip[i], strlen(share_skip[i])) == 0) {
270	found = 1;
271	break;
272	}
273	i++;
274	}
275	if (!found)
276	share_out = filedb_add(share_out, ptr);
277	}	220	}
278		221
279	void build_share(const char fname, FILE fp) {	222	void build_share(const char fname, FILE fp) {
280	assert(fname);	223	assert(fname);
281		224
		225	share_skip = filedb_load_whitelist(share_skip, "whitelist-usr-share-common.inc", "whitelist /usr/share/");
282	process_files(fname, "/usr/share", share_callback);	226	process_files(fname, "/usr/share", share_callback);
283		227
284	if (share_out == NULL) {	228	// always whitelist /usr/share
285	fprintf(fp, "blacklist /usr/share\n");	229	if (share_out)
286	} else {	230	filedb_print(share_out, "whitelist /usr/share/", fp);
287	filedb_print(share_out, "whitelist ", fp);	231	fprintf(fp, "include whitelist-usr-share-common.inc\n");
288	fprintf(fp, "include whitelist-usr-share-common.inc\n");
289	}
290	}	232	}
291		233
292	//*******************************************	234	//*******************************************
@@ -336,6 +278,7 @@ static char *dev_skip[] = {
336	"/dev/null",	278	"/dev/null",
337	"/dev/full",	279	"/dev/full",
338	"/dev/random",	280	"/dev/random",
		281	"/dev/srandom",
339	"/dev/urandom",	282	"/dev/urandom",
340	"/dev/sr0",	283	"/dev/sr0",
341	"/dev/cdrom",	284	"/dev/cdrom",


diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c index d7706282a..b3ec6cffd 100644 --- a/src/fbuilder/build_home.c +++ b/src/fbuilder/build_home.c
@@ -23,30 +23,6 @@
23	static FileDB *db_skip = NULL;	23	static FileDB *db_skip = NULL;
24	static FileDB *db_out = NULL;	24	static FileDB *db_out = NULL;
25		25
26	static void load_whitelist_common(void) {
27	FILE *fp = fopen(SYSCONFDIR "/whitelist-common.inc", "r");
28	if (!fp) {
29	fprintf(stderr, "Error: cannot open whitelist-common.inc\n");
30	exit(1);
31	}
32
33	char buf[MAX_BUF];
34	while (fgets(buf, MAX_BUF, fp)) {
35	if (strncmp(buf, "whitelist ${HOME}/", 18) != 0)
36	continue;
37	char *fn = buf + 18;
38	char *ptr = strchr(buf, '\n');
39	if (!ptr)
40	continue;
41	*ptr = '\0';
42
43	// add the file to skip list
44	db_skip = filedb_add(db_skip, fn);
45	}
46
47	fclose(fp);
48	}
49
50	void process_home(const char fname, char home, int home_len) {	26	void process_home(const char fname, char home, int home_len) {
51	assert(fname);	27	assert(fname);
52	assert(home);	28	assert(home);
@@ -162,7 +138,7 @@ void build_home(const char fname, FILE fp) {
162	assert(fname);	138	assert(fname);
163		139
164	// load whitelist common	140	// load whitelist common
165	load_whitelist_common();	141	db_skip = filedb_load_whitelist(db_skip, "whitelist-common.inc", "whitelist ${HOME}/");
166		142
167	// find user home directory	143	// find user home directory
168	struct passwd *pw = getpwuid(getuid());	144	struct passwd *pw = getpwuid(getuid());


diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index 100630eb9..fb53f70a6 100644 --- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c
@@ -141,57 +141,70 @@ void build_profile(int argc, char *argv, int index, FILE fp) {
141	if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {	141	if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
142	if (fp == stdout)	142	if (fp == stdout)
143	printf("--- Built profile beings after this line ---\n");	143	printf("--- Built profile beings after this line ---\n");
144	fprintf(fp, "# Firejail profile for %s\n", argv[index]);	144	fprintf(fp, "# Save this file as \"application.profile\" (change \"application\" with the\n");
		145	fprintf(fp, "# program name) in ~/.config/firejail directory. Firejail will find it\n");
		146	fprintf(fp, "# automatically every time you sandbox your application.\n#\n");
		147	fprintf(fp, "# Run \"firejail application\" to test it. In the file there are\n");
		148	fprintf(fp, "# some other commands you can try. Enable them by removing the \"#\".\n");
		149
		150	fprintf(fp, "\n# Firejail profile for %s\n", argv[index]);
145	fprintf(fp, "# Persistent local customizations\n");	151	fprintf(fp, "# Persistent local customizations\n");
146	fprintf(fp, "#include %s.local\n", argv[index]);	152	fprintf(fp, "#include %s.local\n", argv[index]);
147	fprintf(fp, "# Persistent global definitions\n");	153	fprintf(fp, "# Persistent global definitions\n");
148	fprintf(fp, "#include globals.local\n");	154	fprintf(fp, "#include globals.local\n");
149	fprintf(fp, "\n");	155	fprintf(fp, "\n");
150		156
151	fprintf(fp, "### basic blacklisting\n");	157	fprintf(fp, "### Basic Blacklisting ###\n");
		158	fprintf(fp, "### Enable as many of them as you can! A very important one is\n");
		159	fprintf(fp, "### \"disable-exec.inc\". This will make among other things your home\n");
		160	fprintf(fp, "### and /tmp directories non-executable.\n");
152	fprintf(fp, "include disable-common.inc\n");	161	fprintf(fp, "include disable-common.inc\n");
153	fprintf(fp, "#include disable-devel.inc\n");	162	fprintf(fp, "#include disable-devel.inc\n");
154	fprintf(fp, "#include disable-exec.inc\n");	163	fprintf(fp, "#include disable-exec.inc\n");
155	fprintf(fp, "#include disable-interpreters.inc\n");	164	fprintf(fp, "#include disable-interpreters.inc\n");
156	fprintf(fp, "include disable-passwdmgr.inc\n");	165	fprintf(fp, "include disable-passwdmgr.inc\n");
157	fprintf(fp, "#include disable-programs.inc\n");	166	fprintf(fp, "include disable-programs.inc\n");
158	fprintf(fp, "#include disable-xdg.inc\n");	167	fprintf(fp, "#include disable-xdg.inc\n");
159	fprintf(fp, "\n");	168	fprintf(fp, "\n");
160		169
161	fprintf(fp, "### home directory whitelisting\n");	170	fprintf(fp, "### Home Directory Whitelisting ###\n");
		171	fprintf(fp, "### If something goes wrong, this section is the first one to comment out.\n");
		172	fprintf(fp, "### Instead, you'll have to relay on the basic blacklisting above.\n");
162	build_home(trace_output, fp);	173	build_home(trace_output, fp);
163		174
164	fprintf(fp, "\n### /usr/share:\n");	175	fprintf(fp, "\n### The Rest of the Filesystem ###\n");
165	build_share(trace_output, fp);	176	build_share(trace_output, fp);
166	fprintf(fp, "\n### /var:\n");
167	build_var(trace_output, fp);	177	build_var(trace_output, fp);
168	fprintf(fp, "\n### /bin:\n");
169	build_bin(trace_output, fp);	178	build_bin(trace_output, fp);
170	fprintf(fp, "\n### /dev:\n");
171	build_dev(trace_output, fp);	179	build_dev(trace_output, fp);
172	fprintf(fp, "\n### /etc:\n");	180	fprintf(fp, "#nodvd\n");
		181	fprintf(fp, "#noinput\n");
		182	fprintf(fp, "#notv\n");
		183	fprintf(fp, "#nou2f\n");
		184	fprintf(fp, "#novideo\n");
173	build_etc(trace_output, fp);	185	build_etc(trace_output, fp);
174	fprintf(fp, "\n### /tmp:\n");
175	build_tmp(trace_output, fp);	186	build_tmp(trace_output, fp);
176		187
177	fprintf(fp, "\n### security filters\n");	188	fprintf(fp, "\n### Security Filters ###\n");
		189	fprintf(fp, "#apparmor\n");
178	fprintf(fp, "caps.drop all\n");	190	fprintf(fp, "caps.drop all\n");
		191	fprintf(fp, "netfilter\n");
		192	fprintf(fp, "#nogroups\n");
		193	fprintf(fp, "#noroot\n");
179	fprintf(fp, "nonewprivs\n");	194	fprintf(fp, "nonewprivs\n");
		195	build_protocol(trace_output, fp);
		196
180	fprintf(fp, "seccomp\n");	197	fprintf(fp, "seccomp\n");
181	if (!have_strace) {	198	if (!have_strace) {
182	fprintf(fp, "# If you install strace on your system, Firejail will also create a\n");	199	fprintf(fp, "### If you install strace on your system, Firejail will also create a\n");
183	fprintf(fp, "# whitelisted seccomp filter.\n");	200	fprintf(fp, "### whitelisted seccomp filter.\n");
184	}	201	}
185	else if (!have_yama_permission)	202	else if (!have_yama_permission)
186	fprintf(fp, "# Yama security module prevents creation of a whitelisted seccomp filter\n");	203	fprintf(fp, "### Yama security module prevents creation of a whitelisted seccomp filter\n");
187	else	204	else
188	build_seccomp(strace_output, fp);	205	build_seccomp(strace_output, fp);
189		206	fprintf(fp, "#shell none\n");
190	fprintf(fp, "\n### network\n");	207	fprintf(fp, "#tracelog\n");
191	build_protocol(trace_output, fp);
192
193	fprintf(fp, "\n### environment\n");
194	fprintf(fp, "shell none\n");
195		208
196	if (!arg_debug) {	209	if (!arg_debug) {
197	unlink(trace_output);	210	unlink(trace_output);


diff --git a/src/fbuilder/fbuilder.h b/src/fbuilder/fbuilder.h index 8d3621c02..08dd35e10 100644 --- a/src/fbuilder/fbuilder.h +++ b/src/fbuilder/fbuilder.h
@@ -66,5 +66,6 @@ typedef struct filedb_t {
66	FileDB filedb_add(FileDB head, const char *fname);	66	FileDB filedb_add(FileDB head, const char *fname);
67	FileDB filedb_find(FileDB head, const char *fname);	67	FileDB filedb_find(FileDB head, const char *fname);
68	void filedb_print(FileDB head, const char prefix, FILE *fp);	68	void filedb_print(FileDB head, const char prefix, FILE *fp);
		69	FileDB filedb_load_whitelist(FileDB head, const char fname, const char prefix);
69		70
70	#endif	71	#endif


diff --git a/src/fbuilder/filedb.c b/src/fbuilder/filedb.c index 6e302a606..94a226cb7 100644 --- a/src/fbuilder/filedb.c +++ b/src/fbuilder/filedb.c
@@ -20,7 +20,9 @@
20		20
21	#include "fbuilder.h"	21	#include "fbuilder.h"
22		22
		23	// find exact name or an exact name in a parent directory
23	FileDB filedb_find(FileDB head, const char *fname) {	24	FileDB filedb_find(FileDB head, const char *fname) {
		25	assert(fname);
24	FileDB *ptr = head;	26	FileDB *ptr = head;
25	int found = 0;	27	int found = 0;
26	int len = strlen(fname);	28	int len = strlen(fname);
@@ -52,6 +54,8 @@ FileDB filedb_find(FileDB head, const char *fname) {
52	FileDB filedb_add(FileDB head, const char *fname) {	54	FileDB filedb_add(FileDB head, const char *fname) {
53	assert(fname);	55	assert(fname);
54		56
		57	// todo: support fnames such as ${RUNUSER}/.mutter-Xwaylandauth.*
		58
55	// don't add it if it is already there or if the parent directory is already in the list	59	// don't add it if it is already there or if the parent directory is already in the list
56	if (filedb_find(head, fname))	60	if (filedb_find(head, fname))
57	return head;	61	return head;
@@ -70,9 +74,52 @@ FileDB filedb_add(FileDB head, const char *fname) {
70	};	74	};
71		75
72	void filedb_print(FileDB head, const char prefix, FILE *fp) {	76	void filedb_print(FileDB head, const char prefix, FILE *fp) {
		77	assert(head);
		78	assert(prefix);
		79
73	FileDB *ptr = head;	80	FileDB *ptr = head;
74	while (ptr) {	81	while (ptr) {
75	fprintf(fp, "%s%s\n", prefix, ptr->fname);	82	if (fp)
		83	fprintf(fp, "%s%s\n", prefix, ptr->fname);
		84	else
		85	printf("%s%s\n", prefix, ptr->fname);
76	ptr = ptr->next;	86	ptr = ptr->next;
77	}	87	}
78	}	88	}
		89
		90	FileDB filedb_load_whitelist(FileDB head, const char fname, const char prefix) {
		91	assert(fname);
		92	assert(prefix);
		93	int len = strlen(prefix);
		94	char *f;
		95	if (asprintf(&f, "%s/%s", SYSCONFDIR, fname) == -1)
		96	errExit("asprintf");
		97	FILE *fp = fopen(f, "r");
		98	if (!fp) {
		99	fprintf(stderr, "Error: cannot open whitelist-common.inc\n");
		100	free(f);
		101	exit(1);
		102	}
		103
		104	char buf[MAX_BUF];
		105	while (fgets(buf, MAX_BUF, fp)) {
		106	if (strncmp(buf, prefix, len) != 0)
		107	continue;
		108
		109	char *fn = buf + len;
		110	char *ptr = strchr(buf, '\n');
		111	if (!ptr)
		112	continue;
		113	*ptr = '\0';
		114
		115	// add the file to skip list
		116	head = filedb_add(head, fn);
		117	}
		118
		119	fclose(fp);
		120	free(f);
		121	//printf("***************************************************\n");
		122	//filedb_print(head, prefix, NULL);
		123	//printf("***************************************************\n");
		124	return head;
		125	}