diff options
| author |  netblue30 <netblue30@protonmail.com> | 2021-06-19 10:34:03 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@protonmail.com> | 2021-06-19 10:34:03 -0400 |
| commit | 7b78bf75c7bcf49e91065ff3013f3e8908c3a9ff (patch) | |
| tree | 2ab8509348d1cfa623cc513ff3097f054fe1ddbc | |
| parent | Merge pull request #4360 from kmk3/gcov-add-missing-includes (diff) | |
| download | firejail-7b78bf75c7bcf49e91065ff3013f3e8908c3a9ff.tar.gz firejail-7b78bf75c7bcf49e91065ff3013f3e8908c3a9ff.tar.zst firejail-7b78bf75c7bcf49e91065ff3013f3e8908c3a9ff.zip | |
jailcheck: networking support
| -rw-r--r-- | src/jailcheck/jailcheck.h | 2 | ||||
| -rw-r--r-- | src/jailcheck/main.c | 23 | ||||
| -rw-r--r-- | src/man/jailcheck.txt | 12 |
3 files changed, 37 insertions, 0 deletions
diff --git a/src/jailcheck/jailcheck.h b/src/jailcheck/jailcheck.h index 32be1c978..be3104da3 100644 --- a/src/jailcheck/jailcheck.h +++ b/src/jailcheck/jailcheck.h | |||
| @@ -53,6 +53,8 @@ void apparmor_test(pid_t pid); | |||
| 53 | // seccomp.c | 53 | // seccomp.c |
| 54 | void seccomp_test(pid_t pid); | 54 | void seccomp_test(pid_t pid); |
| 55 | 55 | ||
| 56 | // network.c | ||
| 57 | void network_test(void); | ||
| 56 | // utils.c | 58 | // utils.c |
| 57 | char *get_sudo_user(void); | 59 | char *get_sudo_user(void); |
| 58 | char *get_homedir(const char *user, uid_t *uid, gid_t *gid); | 60 | char *get_homedir(const char *user, uid_t *uid, gid_t *gid); |
diff --git a/src/jailcheck/main.c b/src/jailcheck/main.c index 4d642bf96..812ac5808 100644 --- a/src/jailcheck/main.c +++ b/src/jailcheck/main.c | |||
| @@ -157,6 +157,7 @@ int main(int argc, char **argv) { | |||
| 157 | seccomp_test(pid); | 157 | seccomp_test(pid); |
| 158 | fflush(0); | 158 | fflush(0); |
| 159 | 159 | ||
| 160 | // filesystem tests | ||
| 160 | pid_t child = fork(); | 161 | pid_t child = fork(); |
| 161 | if (child == -1) | 162 | if (child == -1) |
| 162 | errExit("fork"); | 163 | errExit("fork"); |
| @@ -185,6 +186,28 @@ int main(int argc, char **argv) { | |||
| 185 | } | 186 | } |
| 186 | int status; | 187 | int status; |
| 187 | wait(&status); | 188 | wait(&status); |
| 189 | |||
| 190 | // network test | ||
| 191 | child = fork(); | ||
| 192 | if (child == -1) | ||
| 193 | errExit("fork"); | ||
| 194 | if (child == 0) { | ||
| 195 | int rv = join_namespace(pid, "net"); | ||
| 196 | if (rv == 0) | ||
| 197 | network_test(); | ||
| 198 | else { | ||
| 199 | printf(" Error: I cannot join the process network stack\n"); | ||
| 200 | exit(1); | ||
| 201 | } | ||
| 202 | |||
| 203 | // drop privileges in order not to trigger cleanup() | ||
| 204 | if (setgid(user_gid) != 0) | ||
| 205 | errExit("setgid"); | ||
| 206 | if (setuid(user_uid) != 0) | ||
| 207 | errExit("setuid"); | ||
| 208 | return 0; | ||
| 209 | } | ||
| 210 | wait(&status); | ||
| 188 | } | 211 | } |
| 189 | } | 212 | } |
| 190 | 213 | ||
diff --git a/src/man/jailcheck.txt b/src/man/jailcheck.txt index c80e305cc..483f47fb9 100644 --- a/src/man/jailcheck.txt +++ b/src/man/jailcheck.txt | |||
| @@ -23,6 +23,8 @@ them from inside the sandbox. | |||
| 23 | .TP | 23 | .TP |
| 24 | \fB5. Seccomp test | 24 | \fB5. Seccomp test |
| 25 | .TP | 25 | .TP |
| 26 | \fB6. Networking test | ||
| 27 | .TP | ||
| 26 | The program is started as root using sudo. | 28 | The program is started as root using sudo. |
| 27 | 29 | ||
| 28 | .SH OPTIONS | 30 | .SH OPTIONS |
| @@ -56,6 +58,8 @@ $ sudo jailcheck | |||
| 56 | .br | 58 | .br |
| 57 | Warning: I can run programs in /home/netblue | 59 | Warning: I can run programs in /home/netblue |
| 58 | .br | 60 | .br |
| 61 | Networking: disabled | ||
| 62 | .br | ||
| 59 | 63 | ||
| 60 | .br | 64 | .br |
| 61 | 2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net | 65 | 2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net |
| @@ -64,12 +68,16 @@ $ sudo jailcheck | |||
| 64 | .br | 68 | .br |
| 65 | Warning: I can read ~/.ssh | 69 | Warning: I can read ~/.ssh |
| 66 | .br | 70 | .br |
| 71 | Networking: enabled | ||
| 72 | .br | ||
| 67 | 73 | ||
| 68 | .br | 74 | .br |
| 69 | 2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.appimage | 75 | 2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.appimage |
| 70 | .br | 76 | .br |
| 71 | Virtual dirs: /tmp, /var/tmp, /dev, | 77 | Virtual dirs: /tmp, /var/tmp, /dev, |
| 72 | .br | 78 | .br |
| 79 | Networking: enabled | ||
| 80 | .br | ||
| 73 | 81 | ||
| 74 | .br | 82 | .br |
| 75 | 26090:netblue::/usr/bin/firejail /opt/firefox/firefox | 83 | 26090:netblue::/usr/bin/firejail /opt/firefox/firefox |
| @@ -78,6 +86,8 @@ $ sudo jailcheck | |||
| 78 | .br | 86 | .br |
| 79 | /run/user/1000, | 87 | /run/user/1000, |
| 80 | .br | 88 | .br |
| 89 | Networking: enabled | ||
| 90 | .br | ||
| 81 | 91 | ||
| 82 | .br | 92 | .br |
| 83 | 26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor | 93 | 26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor |
| @@ -90,6 +100,8 @@ $ sudo jailcheck | |||
| 90 | .br | 100 | .br |
| 91 | Warning: I can run programs in /home/netblue | 101 | Warning: I can run programs in /home/netblue |
| 92 | .br | 102 | .br |
| 103 | Networking: enabled | ||
| 104 | .br | ||
| 93 | 105 | ||
| 94 | 106 | ||
| 95 | .SH LICENSE | 107 | .SH LICENSE |