diff options
| author |  netblue30 <netblue30@yahoo.com> | 2017-03-10 09:00:38 -0500 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2017-03-10 09:00:38 -0500 |
| commit | 4f455f7f7bbc821ea459143e661f3b8e43e82d0d (patch) | |
| tree | fbb04e0e85bd8428d22f0c06378cac72c4c98e5b | |
| parent | --nowhitelist (diff) | |
| download | firejail-4f455f7f7bbc821ea459143e661f3b8e43e82d0d.tar.gz firejail-4f455f7f7bbc821ea459143e661f3b8e43e82d0d.tar.zst firejail-4f455f7f7bbc821ea459143e661f3b8e43e82d0d.zip | |
config support to disable access to /mnt and /media
| -rw-r--r-- | RELNOTES | 3 | ||||
| -rw-r--r-- | etc/firejail.config | 4 | ||||
| -rw-r--r-- | src/firejail/checkcfg.c | 17 | ||||
| -rw-r--r-- | src/firejail/firejail.h | 2 | ||||
| -rw-r--r-- | src/firejail/fs.c | 8 | ||||
| -rw-r--r-- | src/firejail/sandbox.c | 8 |
6 files changed, 35 insertions, 7 deletions
| @@ -32,7 +32,8 @@ firejail (0.9.45) baseline; urgency=low | |||
| 32 | * feature: follow-symlink-private-bin option in /etc/firejail/firejail.config | 32 | * feature: follow-symlink-private-bin option in /etc/firejail/firejail.config |
| 33 | * feature: xvfb X11 server support (--x11=xvfb) | 33 | * feature: xvfb X11 server support (--x11=xvfb) |
| 34 | * feature: allow /tmp directory in mkdir and mkfile profile commands | 34 | * feature: allow /tmp directory in mkdir and mkfile profile commands |
| 35 | * feature: implemented --noblacklist command | 35 | * feature: implemented --noblacklist command, profile support |
| 36 | * feature: config support to disable access to /mnt and /media (disable-mnt) | ||
| 36 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, | 37 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, |
| 37 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, | 38 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, |
| 38 | * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, | 39 | * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, |
diff --git a/etc/firejail.config b/etc/firejail.config index 858ac4ec1..af190cb3c 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
| @@ -14,6 +14,10 @@ | |||
| 14 | # and it will harden the rest of the chroot tree. | 14 | # and it will harden the rest of the chroot tree. |
| 15 | # chroot-desktop yes | 15 | # chroot-desktop yes |
| 16 | 16 | ||
| 17 | # Disable /mnt, /media, /run/mount and /run/media access. By default access | ||
| 18 | # to these directories is enabled. | ||
| 19 | # disable-mnt no | ||
| 20 | |||
| 17 | # Enable or disable file transfer support, default enabled. | 21 | # Enable or disable file transfer support, default enabled. |
| 18 | # file-transfer yes | 22 | # file-transfer yes |
| 19 | 23 | ||
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 02bff2bfa..2aa7e7373 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
| @@ -43,10 +43,11 @@ int checkcfg(int val) { | |||
| 43 | for (i = 0; i < CFG_MAX; i++) | 43 | for (i = 0; i < CFG_MAX; i++) |
| 44 | cfg_val[i] = 1; // most of them are enabled by default | 44 | cfg_val[i] = 1; // most of them are enabled by default |
| 45 | cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default | 45 | cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default |
| 46 | cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default | 46 | cfg_val[CFG_FORCE_NONEWPRIVS] = 0; |
| 47 | cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0; // disabled by default | 47 | cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0; |
| 48 | cfg_val[CFG_FIREJAIL_PROMPT] = 0; // disabled by default | 48 | cfg_val[CFG_FIREJAIL_PROMPT] = 0; |
| 49 | cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 0; // disabled by default | 49 | cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 0; |
| 50 | cfg_val[CFG_DISABLE_MNT] = 0; | ||
| 50 | 51 | ||
| 51 | // open configuration file | 52 | // open configuration file |
| 52 | const char *fname = SYSCONFDIR "/firejail.config"; | 53 | const char *fname = SYSCONFDIR "/firejail.config"; |
| @@ -314,6 +315,14 @@ int checkcfg(int val) { | |||
| 314 | else | 315 | else |
| 315 | goto errout; | 316 | goto errout; |
| 316 | } | 317 | } |
| 318 | else if (strncmp(ptr, "disable-mnt ", 12) == 0) { | ||
| 319 | if (strcmp(ptr + 12, "yes") == 0) | ||
| 320 | cfg_val[CFG_DISABLE_MNT] = 1; | ||
| 321 | else if (strcmp(ptr + 12, "no") == 0) | ||
| 322 | cfg_val[CFG_DISABLE_MNT] = 0; | ||
| 323 | else | ||
| 324 | goto errout; | ||
| 325 | } | ||
| 317 | else | 326 | else |
| 318 | goto errout; | 327 | goto errout; |
| 319 | 328 | ||
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 74e5b2c6b..f4d24ffa5 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -419,6 +419,7 @@ void profile_read(const char *fname); | |||
| 419 | int profile_check_line(char *ptr, int lineno, const char *fname); | 419 | int profile_check_line(char *ptr, int lineno, const char *fname); |
| 420 | // add a profile entry in cfg.profile list; use str to populate the list | 420 | // add a profile entry in cfg.profile list; use str to populate the list |
| 421 | void profile_add(char *str); | 421 | void profile_add(char *str); |
| 422 | void fs_mnt(void); | ||
| 422 | 423 | ||
| 423 | // list.c | 424 | // list.c |
| 424 | void list(void); | 425 | void list(void); |
| @@ -682,6 +683,7 @@ enum { | |||
| 682 | CFG_FIREJAIL_PROMPT, | 683 | CFG_FIREJAIL_PROMPT, |
| 683 | CFG_FOLLOW_SYMLINK_AS_USER, | 684 | CFG_FOLLOW_SYMLINK_AS_USER, |
| 684 | CFG_FOLLOW_SYMLINK_PRIVATE_BIN, | 685 | CFG_FOLLOW_SYMLINK_PRIVATE_BIN, |
| 686 | CFG_DISABLE_MNT, | ||
| 685 | CFG_MAX // this should always be the last entry | 687 | CFG_MAX // this should always be the last entry |
| 686 | }; | 688 | }; |
| 687 | extern char *xephyr_screen; | 689 | extern char *xephyr_screen; |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 712e5fb0a..801bde57c 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
| @@ -471,7 +471,13 @@ void fs_noexec(const char *dir) { | |||
| 471 | } | 471 | } |
| 472 | } | 472 | } |
| 473 | 473 | ||
| 474 | 474 | // Disable /mnt, /media, /run/mount and /run/media access | |
| 475 | void fs_mnt(void) { | ||
| 476 | disable_file(BLACKLIST_FILE, "/mnt"); | ||
| 477 | disable_file(BLACKLIST_FILE, "/media"); | ||
| 478 | disable_file(BLACKLIST_FILE, "/run/mount"); | ||
| 479 | disable_file(BLACKLIST_FILE, "//run/media"); | ||
| 480 | } | ||
| 475 | 481 | ||
| 476 | // mount /proc and /sys directories | 482 | // mount /proc and /sys directories |
| 477 | void fs_proc_sys_dev_boot(void) { | 483 | void fs_proc_sys_dev_boot(void) { |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 84ee5ee11..83afff516 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -759,12 +759,18 @@ int sandbox(void* sandbox_arg) { | |||
| 759 | netns_mounts(arg_netns); | 759 | netns_mounts(arg_netns); |
| 760 | 760 | ||
| 761 | //**************************** | 761 | //**************************** |
| 762 | // update /proc, /sys, /dev, /boot directorymy | 762 | // update /proc, /sys, /dev, /boot directory |
| 763 | //**************************** | 763 | //**************************** |
| 764 | if (checkcfg(CFG_REMOUNT_PROC_SYS)) | 764 | if (checkcfg(CFG_REMOUNT_PROC_SYS)) |
| 765 | fs_proc_sys_dev_boot(); | 765 | fs_proc_sys_dev_boot(); |
| 766 | 766 | ||
| 767 | //**************************** | 767 | //**************************** |
| 768 | // handle /mnt and /media | ||
| 769 | //**************************** | ||
| 770 | if (checkcfg(CFG_DISABLE_MNT)) | ||
| 771 | fs_mnt(); | ||
| 772 | |||
| 773 | //**************************** | ||
| 768 | // apply the profile file | 774 | // apply the profile file |
| 769 | //**************************** | 775 | //**************************** |
| 770 | // apply all whitelist commands ... | 776 | // apply all whitelist commands ... |