added bluetooth to the list of protocols allowed by seccomp

author: netblue30 <netblue30@yahoo.com> 2020-10-28 09:18:18 -0400
committer: netblue30 <netblue30@yahoo.com> 2020-10-28 09:18:18 -0400
commit: 65911742d70fbe287fc9d0e6f2c9a92e2b6657de (patch)
tree: 3e896a6d85513059c3c6322865e3f0200b28613b
parent: profile fixes (diff)
download: firejail-65911742d70fbe287fc9d0e6f2c9a92e2b6657de.tar.gz
firejail-65911742d70fbe287fc9d0e6f2c9a92e2b6657de.tar.zst
firejail-65911742d70fbe287fc9d0e6f2c9a92e2b6657de.zip
7 files changed, 12 insertions, 94 deletions
diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default
index e396ae7d9..ec87f1d2d 100644
--- a/etc/apparmor/firejail-default
+++ b/etc/apparmor/firejail-default
@@ -112,7 +112,8 @@ network inet6,
 network unix,
 network netlink,
 network raw,
-# needed for wireshark
+# needed for wireshark, tcpdump etc
+network bluetooth,
 network packet,
 ##########
diff --git a/etc/profile-m-z/tcpdump.profile b/etc/profile-m-z/tcpdump.profile
index 881fbf49e..7984702f3 100644
--- a/etc/profile-m-z/tcpdump.profile
+++ b/etc/profile-m-z/tcpdump.profile
@@ -33,7 +33,7 @@ nosound
 notv
 nou2f
 novideo
-protocol unix,inet,inet6,netlink,packet
+protocol unix,inet,inet6,netlink,packet,bluetooth
 seccomp
 disable-mnt
diff --git a/etc/profile-m-z/tshark.profile b/etc/profile-m-z/tshark.profile
index 684a9491d..a5cefb47a 100644
--- a/etc/profile-m-z/tshark.profile
+++ b/etc/profile-m-z/tshark.profile
@@ -1,46 +1,6 @@
 # Firejail profile for tshark
 # This file is overwritten after every install/update
 quiet
-# Persistent local customizations
-include tshark.local
-# Persistent global definitions
-include globals.local
-include disable-common.inc
+# Redirect
-include disable-devel.inc
+include wireshark.profile
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
-whitelist /usr/share/wireshark
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-apparmor
-#caps.keep net_raw
-caps.keep dac_override,net_admin,net_raw
-ipc-namespace
-#net tun0
-netfilter
-no3d
-nodvd
-# nogroups - breaks network traffic capture for unprivileged users
-# nonewprivs - breaks network traffic capture for unprivileged users
-# noroot
-nosound
-notv
-nou2f
-novideo
-#protocol unix,inet,inet6,netlink,packet
-#seccomp
-disable-mnt
-#private
-private-cache
-#private-bin tshark
-private-dev
-private-tmp
diff --git a/etc/profile-m-z/wireshark.profile b/etc/profile-m-z/wireshark.profile
index a30cb43d5..6a84246e1 100644
--- a/etc/profile-m-z/wireshark.profile
+++ b/etc/profile-m-z/wireshark.profile
@@ -38,8 +38,8 @@ nosound
 notv
 nou2f
 novideo
-# protocol unix,inet,inet6,netlink
+# protocol unix,inet,inet6,netlink,packet,bluetooth - commented out in case they bring in new protocols
-# seccomp - breaks network traffic capture for unprivileged users
+seccomp
 shell none
 tracelog
diff --git a/src/firejail/main.c b/src/firejail/main.c
index b4c9ee294..676d04895 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1283,7 +1283,7 @@ int main(int argc, char **argv, char **envp) {
                else if (strncmp(argv[i], "--protocol=", 11) == 0) {
                        if (checkcfg(CFG_SECCOMP)) {
                                if (cfg.protocol) {
-                                        fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol);
+                                        fwarning("more than one protocol list is present, \"%s\" will be installed\n", cfg.protocol);
                                }
                                else {
                                        // store list
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 11a74ddd3..5ddf6fdbb 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -895,7 +895,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        if (strncmp(ptr, "protocol ", 9) == 0) {
                if (checkcfg(CFG_SECCOMP)) {
                        if (cfg.protocol) {
-                                fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol);
+                                fwarning("more than one protocol list is present, \"%s\" will be installed\n", cfg.protocol);
                                return 0;
                        }
diff --git a/src/fseccomp/protocol.c b/src/fseccomp/protocol.c
index b8b30f488..4d261f9e5 100644
--- a/src/fseccomp/protocol.c
+++ b/src/fseccomp/protocol.c
@@ -57,6 +57,7 @@ static char *protocol[] = {
        "inet6",
        "netlink",
        "packet",
+        "bluetooth",
        NULL
 };
@@ -66,7 +67,8 @@ static struct sock_filter protocol_filter_command[] = {
        WHITELIST(AF_INET),
        WHITELIST(AF_INET6),
        WHITELIST(AF_NETLINK),
-        WHITELIST(AF_PACKET)
+        WHITELIST(AF_PACKET),
+        WHITELIST(AF_BLUETOOTH)
 };
 #endif
 // Note: protocol[] and protocol_filter_command are synchronized
@@ -143,22 +145,6 @@ void protocol_build_filter(const char *prlist, const char *fname) {
        memcpy(ptr, &filter_start[0], sizeof(filter_start));
        ptr += sizeof(filter_start);
-#if 0
-printf("entries %u\n", (unsigned) (sizeof(filter_start) / sizeof(struct sock_filter)));
-{
-        unsigned j;
-        unsigned char *ptr2 = (unsigned char *) &filter[0];
-        for (j = 0; j < sizeof(filter); j++, ptr2++) {
-                if ((j % (sizeof(struct sock_filter))) == 0)
-                        printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter))));
-                printf("%02x, ", (*ptr2) & 0xff);
-        }
-        printf("\n");
-}
-printf("whitelist_len %u, struct sock_filter len %u\n", whitelist_len, (unsigned) sizeof(struct sock_filter));
-#endif
        // parse list and add commands
        char *tmplist = strdup(prlist);
        if (!tmplist)
@@ -176,22 +162,6 @@ printf("whitelist_len %u, struct sock_filter len %u\n", whitelist_len, (unsigned
                memcpy(ptr, domain, whitelist_len * sizeof(struct sock_filter));
                ptr += whitelist_len * sizeof(struct sock_filter);
                token = strtok(NULL, ",");
-#if 0
-printf("entries %u\n",  (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (unsigned) sizeof(struct sock_filter));
-{
-        unsigned j;
-        unsigned char *ptr2 = (unsigned char *) &filter[0];
-        for (j = 0; j < sizeof(filter); j++, ptr2++) {
-                if ((j % (sizeof(struct sock_filter))) == 0)
-                        printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter))));
-                printf("%02x, ", (*ptr2) & 0xff);
-        }
-        printf("\n");
-}
-#endif
        }
        free(tmplist);
@@ -202,19 +172,6 @@ printf("entries %u\n",  (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (uns
        memcpy(ptr, &filter_end[0], sizeof(filter_end));
        ptr += sizeof(filter_end);
-#if 0
-printf("entries %u\n",  (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (unsigned) sizeof(struct sock_filter));
-{
-        unsigned j;
-        unsigned char *ptr2 = (unsigned char *) &filter[0];
-        for (j = 0; j < sizeof(filter); j++, ptr2++) {
-                if ((j % (sizeof(struct sock_filter))) == 0)
-                        printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter))));
-                printf("%02x, ", (*ptr2) & 0xff);
-        }
-        printf("\n");
-}
-#endif
        // save filter to file
        int dst = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
        if (dst < 0) {
author	netblue30 <netblue30@yahoo.com>	2020-10-28 09:18:18 -0400
committer	netblue30 <netblue30@yahoo.com>	2020-10-28 09:18:18 -0400
commit	65911742d70fbe287fc9d0e6f2c9a92e2b6657de (patch)
tree	3e896a6d85513059c3c6322865e3f0200b28613b
parent	profile fixes (diff)
download	firejail-65911742d70fbe287fc9d0e6f2c9a92e2b6657de.tar.gz firejail-65911742d70fbe287fc9d0e6f2c9a92e2b6657de.tar.zst firejail-65911742d70fbe287fc9d0e6f2c9a92e2b6657de.zip

diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default index e396ae7d9..ec87f1d2d 100644 --- a/etc/apparmor/firejail-default +++ b/etc/apparmor/firejail-default
@@ -112,7 +112,8 @@ network inet6,
112	network unix,	112	network unix,
113	network netlink,	113	network netlink,
114	network raw,	114	network raw,
115	# needed for wireshark	115	# needed for wireshark, tcpdump etc
		116	network bluetooth,
116	network packet,	117	network packet,
117		118
118	##########	119	##########


diff --git a/etc/profile-m-z/tcpdump.profile b/etc/profile-m-z/tcpdump.profile index 881fbf49e..7984702f3 100644 --- a/etc/profile-m-z/tcpdump.profile +++ b/etc/profile-m-z/tcpdump.profile
@@ -33,7 +33,7 @@ nosound
33	notv	33	notv
34	nou2f	34	nou2f
35	novideo	35	novideo
36	protocol unix,inet,inet6,netlink,packet	36	protocol unix,inet,inet6,netlink,packet,bluetooth
37	seccomp	37	seccomp
38		38
39	disable-mnt	39	disable-mnt


diff --git a/etc/profile-m-z/tshark.profile b/etc/profile-m-z/tshark.profile index 684a9491d..a5cefb47a 100644 --- a/etc/profile-m-z/tshark.profile +++ b/etc/profile-m-z/tshark.profile
@@ -1,46 +1,6 @@
1	# Firejail profile for tshark	1	# Firejail profile for tshark
2	# This file is overwritten after every install/update	2	# This file is overwritten after every install/update
3	quiet	3	quiet
4	# Persistent local customizations
5	include tshark.local
6	# Persistent global definitions
7	include globals.local
8		4
9	include disable-common.inc	5	# Redirect
10	include disable-devel.inc	6	include wireshark.profile
11	include disable-exec.inc
12	include disable-interpreters.inc
13	include disable-passwdmgr.inc
14	include disable-programs.inc
15	include disable-xdg.inc
16
17	whitelist /usr/share/wireshark
18	include whitelist-common.inc
19	include whitelist-runuser-common.inc
20	include whitelist-usr-share-common.inc
21	include whitelist-var-common.inc
22
23	apparmor
24	#caps.keep net_raw
25	caps.keep dac_override,net_admin,net_raw
26	ipc-namespace
27	#net tun0
28	netfilter
29	no3d
30	nodvd
31	# nogroups - breaks network traffic capture for unprivileged users
32	# nonewprivs - breaks network traffic capture for unprivileged users
33	# noroot
34	nosound
35	notv
36	nou2f
37	novideo
38	#protocol unix,inet,inet6,netlink,packet
39	#seccomp
40
41	disable-mnt
42	#private
43	private-cache
44	#private-bin tshark
45	private-dev
46	private-tmp


diff --git a/etc/profile-m-z/wireshark.profile b/etc/profile-m-z/wireshark.profile index a30cb43d5..6a84246e1 100644 --- a/etc/profile-m-z/wireshark.profile +++ b/etc/profile-m-z/wireshark.profile
@@ -38,8 +38,8 @@ nosound
38	notv	38	notv
39	nou2f	39	nou2f
40	novideo	40	novideo
41	# protocol unix,inet,inet6,netlink	41	# protocol unix,inet,inet6,netlink,packet,bluetooth - commented out in case they bring in new protocols
42	# seccomp - breaks network traffic capture for unprivileged users	42	seccomp
43	shell none	43	shell none
44	tracelog	44	tracelog
45		45


diff --git a/src/firejail/main.c b/src/firejail/main.c index b4c9ee294..676d04895 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -1283,7 +1283,7 @@ int main(int argc, char argv, char envp) {
1283	else if (strncmp(argv[i], "--protocol=", 11) == 0) {	1283	else if (strncmp(argv[i], "--protocol=", 11) == 0) {
1284	if (checkcfg(CFG_SECCOMP)) {	1284	if (checkcfg(CFG_SECCOMP)) {
1285	if (cfg.protocol) {	1285	if (cfg.protocol) {
1286	fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol);	1286	fwarning("more than one protocol list is present, \"%s\" will be installed\n", cfg.protocol);
1287	}	1287	}
1288	else {	1288	else {
1289	// store list	1289	// store list


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 11a74ddd3..5ddf6fdbb 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -895,7 +895,7 @@ int profile_check_line(char ptr, int lineno, const char fname) {
895	if (strncmp(ptr, "protocol ", 9) == 0) {	895	if (strncmp(ptr, "protocol ", 9) == 0) {
896	if (checkcfg(CFG_SECCOMP)) {	896	if (checkcfg(CFG_SECCOMP)) {
897	if (cfg.protocol) {	897	if (cfg.protocol) {
898	fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol);	898	fwarning("more than one protocol list is present, \"%s\" will be installed\n", cfg.protocol);
899	return 0;	899	return 0;
900	}	900	}
901		901


diff --git a/src/fseccomp/protocol.c b/src/fseccomp/protocol.c index b8b30f488..4d261f9e5 100644 --- a/src/fseccomp/protocol.c +++ b/src/fseccomp/protocol.c
@@ -57,6 +57,7 @@ static char *protocol[] = {
57	"inet6",	57	"inet6",
58	"netlink",	58	"netlink",
59	"packet",	59	"packet",
		60	"bluetooth",
60	NULL	61	NULL
61	};	62	};
62		63
@@ -66,7 +67,8 @@ static struct sock_filter protocol_filter_command[] = {
66	WHITELIST(AF_INET),	67	WHITELIST(AF_INET),
67	WHITELIST(AF_INET6),	68	WHITELIST(AF_INET6),
68	WHITELIST(AF_NETLINK),	69	WHITELIST(AF_NETLINK),
69	WHITELIST(AF_PACKET)	70	WHITELIST(AF_PACKET),
		71	WHITELIST(AF_BLUETOOTH)
70	};	72	};
71	#endif	73	#endif
72	// Note: protocol[] and protocol_filter_command are synchronized	74	// Note: protocol[] and protocol_filter_command are synchronized
@@ -143,22 +145,6 @@ void protocol_build_filter(const char prlist, const char fname) {
143	memcpy(ptr, &filter_start[0], sizeof(filter_start));	145	memcpy(ptr, &filter_start[0], sizeof(filter_start));
144	ptr += sizeof(filter_start);	146	ptr += sizeof(filter_start);
145		147
146	#if 0
147	printf("entries %u\n", (unsigned) (sizeof(filter_start) / sizeof(struct sock_filter)));
148	{
149	unsigned j;
150	unsigned char ptr2 = (unsigned char ) &filter[0];
151	for (j = 0; j < sizeof(filter); j++, ptr2++) {
152	if ((j % (sizeof(struct sock_filter))) == 0)
153	printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter))));
154	printf("%02x, ", (*ptr2) & 0xff);
155	}
156	printf("\n");
157	}
158	printf("whitelist_len %u, struct sock_filter len %u\n", whitelist_len, (unsigned) sizeof(struct sock_filter));
159	#endif
160
161
162	// parse list and add commands	148	// parse list and add commands
163	char *tmplist = strdup(prlist);	149	char *tmplist = strdup(prlist);
164	if (!tmplist)	150	if (!tmplist)
@@ -176,22 +162,6 @@ printf("whitelist_len %u, struct sock_filter len %u\n", whitelist_len, (unsigned
176	memcpy(ptr, domain, whitelist_len * sizeof(struct sock_filter));	162	memcpy(ptr, domain, whitelist_len * sizeof(struct sock_filter));
177	ptr += whitelist_len * sizeof(struct sock_filter);	163	ptr += whitelist_len * sizeof(struct sock_filter);
178	token = strtok(NULL, ",");	164	token = strtok(NULL, ",");
179
180	#if 0
181	printf("entries %u\n", (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (unsigned) sizeof(struct sock_filter));
182	{
183	unsigned j;
184	unsigned char ptr2 = (unsigned char ) &filter[0];
185	for (j = 0; j < sizeof(filter); j++, ptr2++) {
186	if ((j % (sizeof(struct sock_filter))) == 0)
187	printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter))));
188	printf("%02x, ", (*ptr2) & 0xff);
189	}
190	printf("\n");
191	}
192	#endif
193
194
195	}	165	}
196	free(tmplist);	166	free(tmplist);
197		167
@@ -202,19 +172,6 @@ printf("entries %u\n", (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (uns
202	memcpy(ptr, &filter_end[0], sizeof(filter_end));	172	memcpy(ptr, &filter_end[0], sizeof(filter_end));
203	ptr += sizeof(filter_end);	173	ptr += sizeof(filter_end);
204		174
205	#if 0
206	printf("entries %u\n", (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (unsigned) sizeof(struct sock_filter));
207	{
208	unsigned j;
209	unsigned char ptr2 = (unsigned char ) &filter[0];
210	for (j = 0; j < sizeof(filter); j++, ptr2++) {
211	if ((j % (sizeof(struct sock_filter))) == 0)
212	printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter))));
213	printf("%02x, ", (*ptr2) & 0xff);
214	}
215	printf("\n");
216	}
217	#endif
218	// save filter to file	175	// save filter to file
219	int dst = open(fname, O_CREAT\|O_WRONLY\|O_TRUNC, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH);	176	int dst = open(fname, O_CREAT\|O_WRONLY\|O_TRUNC, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH);
220	if (dst < 0) {	177	if (dst < 0) {