--writable-run-user, solving ssh/gnupg authentication problems for smarcards

author: netblue30 <netblue30@yahoo.com> 2017-09-14 08:50:01 -0400
committer: netblue30 <netblue30@yahoo.com> 2017-09-14 08:50:01 -0400
commit: 9d4f2784b33abae457731b43128cd8590d80b7cc (patch)
tree: 76f15369f49b95b34027136b1eb8037ec5d3875a
parent: fix Arch Linux /etc/resolv.conf symlink to /var/run/systemd/resolve/resolv.conf (diff)
download: firejail-9d4f2784b33abae457731b43128cd8590d80b7cc.tar.gz
firejail-9d4f2784b33abae457731b43128cd8590d80b7cc.tar.zst
firejail-9d4f2784b33abae457731b43128cd8590d80b7cc.zip
10 files changed, 65 insertions, 30 deletions
diff --git a/README.md b/README.md
index 26055300b..255384e2e 100644
--- a/README.md
+++ b/README.md
@@ -96,8 +96,14 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
 `````
 `````
-# 0.9.50 release pending
+# Current development version: 0.9.51
-Development moved on  0.9.50-bugfixes branch: https://github.com/netblue30/firejail/tree/0.9.50-bugfixes
+## New command line options
+`````
+      --writable-run-user
+              This    options    disables   the   default   blacklisting   of
+              run/user/$UID/systemd and /run/user/$UID/gnupg.
-# Current development version: 0.9.51
+              Example:
+              $ sudo firejail --writable-run-user
+`````
diff --git a/RELNOTES b/RELNOTES
index eea0d4a3a..85c554b32 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,7 @@
 firejail (0.9.51) baseline; urgency=low
  * work in progress!
- -- netblue30 <netblue30@yahoo.com>  Mon, 12 Jun 2017 20:00:00 -0500
+  * feature: --writable-run-user
+ -- netblue30 <netblue30@yahoo.com>  Thu, 14 Sep 2017 20:00:00 -0500
 firejail (0.9.50~rc1) baseline; urgency=low
  * release pending!
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
index ba5115521..7e9d34c92 100644
--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -25,3 +25,4 @@ noroot
 notv
 protocol unix,inet,inet6
 seccomp
+writable-run-user
diff --git a/etc/ssh.profile b/etc/ssh.profile
index 6cf33318a..7ac0b8417 100644
--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -35,3 +35,5 @@ private-dev
 memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
+writable-run-user
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 75450fe0f..0ab27e89b 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -353,6 +353,7 @@ extern int arg_nice;		// nice value configured
 extern int arg_ipc;             // enable ipc namespace
 extern int arg_writable_etc;    // writable etc
 extern int arg_writable_var;    // writable var
+extern int arg_writable_run_user;       // writable /run/user
 extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage;        // appimage
 extern int arg_audit;           // audit
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 6695fc6b4..0ea71e6ba 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -582,33 +582,35 @@ void fs_proc_sys_dev_boot(void) {
        // disable various ipc sockets in /run/user
-        struct stat s;
+        if (!arg_writable_run_user) {
+                struct stat s;
-        char *fname;
+        
-        if (asprintf(&fname, "/run/user/%d", getuid()) == -1)
+                char *fname;
-                errExit("asprintf");
+                if (asprintf(&fname, "/run/user/%d", getuid()) == -1)
-        if (is_dir(fname)) { // older distros don't have this directory
-                // disable /run/user/{uid}/gnupg
-                char *fnamegpg;
-                if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1)
-                        errExit("asprintf");
-                if (stat(fnamegpg, &s) == -1)
-                    mkdir_attr(fnamegpg, 0700, getuid(), getgid());
-                if (stat(fnamegpg, &s) == 0)
-                        disable_file(BLACKLIST_FILE, fnamegpg);
-                free(fnamegpg);
-                // disable /run/user/{uid}/systemd
-                char *fnamesysd;
-                if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)
                        errExit("asprintf");
-                if (stat(fnamesysd, &s) == -1)
+                if (is_dir(fname)) { // older distros don't have this directory
-                        mkdir_attr(fnamesysd, 0755, getuid(), getgid());
+                        // disable /run/user/{uid}/gnupg
-                if (stat(fnamesysd, &s) == 0)
+                        char *fnamegpg;
-                        disable_file(BLACKLIST_FILE, fnamesysd);
+                        if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1)
-                free(fnamesysd);
+                                errExit("asprintf");
+                        if (stat(fnamegpg, &s) == -1)
+                            mkdir_attr(fnamegpg, 0700, getuid(), getgid());
+                        if (stat(fnamegpg, &s) == 0)
+                                disable_file(BLACKLIST_FILE, fnamegpg);
+                        free(fnamegpg);
+        
+                        // disable /run/user/{uid}/systemd
+                        char *fnamesysd;
+                        if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)
+                                errExit("asprintf");
+                        if (stat(fnamesysd, &s) == -1)
+                                mkdir_attr(fnamesysd, 0755, getuid(), getgid());
+                        if (stat(fnamesysd, &s) == 0)
+                                disable_file(BLACKLIST_FILE, fnamesysd);
+                        free(fnamesysd);
+                }
+                free(fname);
        }
-        free(fname);
        if (getuid() != 0) {
                // disable /dev/kmsg and /proc/kmsg
diff --git a/src/firejail/main.c b/src/firejail/main.c
index c317aa477..399770142 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -100,6 +100,8 @@ int arg_nice = 0;				// nice value configured
 int arg_ipc = 0;                                        // enable ipc namespace
 int arg_writable_etc = 0;                       // writable etc
 int arg_writable_var = 0;                       // writable var
+int arg_writable_run_user = 0;                  // writable /run/user
+int arg_writable_var_log = 0;           // writable /var/log
 int arg_appimage = 0;                           // appimage
 int arg_audit = 0;                              // audit
 char *arg_audit_prog = NULL;                    // audit
@@ -110,7 +112,6 @@ int arg_x11_xorg = 0;				// use X11 security extention
 int arg_allusers = 0;                           // all user home directories visible
 int arg_machineid = 0;                          // preserve /etc/machine-id
 int arg_allow_private_blacklist = 0;            // blacklist things in private directories
-int arg_writable_var_log = 0;           // writable /var/log
 int arg_disable_mnt = 0;                        // disable /mnt and /media
 int arg_noprofile = 0; // use default.profile if none other found/specified
 int arg_memory_deny_write_execute = 0;          // block writable and executable memory
@@ -1560,6 +1561,9 @@ int main(int argc, char **argv) {
                else if (strcmp(argv[i], "--writable-var") == 0) {
                        arg_writable_var = 1;
                }
+                else if (strcmp(argv[i], "--writable-run-user") == 0) {
+                        arg_writable_run_user = 1;
+                }
                else if (strcmp(argv[i], "--writable-var-log") == 0) {
                        arg_writable_var_log = 1;
                }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index e61f59f46..6880bcaa7 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -719,6 +719,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                arg_writable_var = 1;
                return 0;
        }
+        // writable-run-user
+        if (strcmp(ptr, "writable-run-user") == 0) {
+                arg_writable_run_user = 1;
+                return 0;
+        }
        if (strcmp(ptr, "writable-var-log") == 0) {
                arg_writable_var_log = 1;
                return 0;
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 050c3d7e5..14485d5c1 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -273,6 +273,9 @@ the same top directory. For user home, both the link and the real file should be
 \fBwritable-etc
 Mount /etc directory read-write.
 .TP
+\fBwritable-run-user
+Disable the default blacklisting of run/user/$UID/systemd and /run/user/$UID/gnupg.
+.TP
 \fBwritable-var
 Mount /var directory read-write.
 .TP
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index c9d57b87b..d317a3fa4 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1965,6 +1965,16 @@ Example:
 $ sudo firejail --writable-etc
 .TP
+\fB\-\-writable-run-user
+This options disables the default blacklisting of run/user/$UID/systemd and /run/user/$UID/gnupg.
+.br
+.br
+Example:
+.br
+$ sudo firejail --writable-run-user
+.TP
 \fB\-\-writable-var
 Mount /var directory read-write.
 .br
author	netblue30 <netblue30@yahoo.com>	2017-09-14 08:50:01 -0400
committer	netblue30 <netblue30@yahoo.com>	2017-09-14 08:50:01 -0400
commit	9d4f2784b33abae457731b43128cd8590d80b7cc (patch)
tree	76f15369f49b95b34027136b1eb8037ec5d3875a
parent	fix Arch Linux /etc/resolv.conf symlink to /var/run/systemd/resolve/resolv.conf (diff)
download	firejail-9d4f2784b33abae457731b43128cd8590d80b7cc.tar.gz firejail-9d4f2784b33abae457731b43128cd8590d80b7cc.tar.zst firejail-9d4f2784b33abae457731b43128cd8590d80b7cc.zip

diff --git a/README.md b/README.md index 26055300b..255384e2e 100644 --- a/README.md +++ b/README.md
@@ -96,8 +96,14 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
96	`````	96	`````
97		97
98	`````	98	`````
99	# 0.9.50 release pending	99	# Current development version: 0.9.51
100		100
101	Development moved on 0.9.50-bugfixes branch: https://github.com/netblue30/firejail/tree/0.9.50-bugfixes	101	## New command line options
		102	`````
		103	--writable-run-user
		104	This options disables the default blacklisting of
		105	run/user/$UID/systemd and /run/user/$UID/gnupg.
102		106
103	# Current development version: 0.9.51	107	Example:
		108	$ sudo firejail --writable-run-user
		109	`````


diff --git a/RELNOTES b/RELNOTES index eea0d4a3a..85c554b32 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -1,6 +1,7 @@
1	firejail (0.9.51) baseline; urgency=low	1	firejail (0.9.51) baseline; urgency=low
2	* work in progress!	2	* work in progress!
3	-- netblue30 <netblue30@yahoo.com> Mon, 12 Jun 2017 20:00:00 -0500	3	* feature: --writable-run-user
		4	-- netblue30 <netblue30@yahoo.com> Thu, 14 Sep 2017 20:00:00 -0500
4		5
5	firejail (0.9.50~rc1) baseline; urgency=low	6	firejail (0.9.50~rc1) baseline; urgency=low
6	* release pending!	7	* release pending!


diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile index ba5115521..7e9d34c92 100644 --- a/etc/ssh-agent.profile +++ b/etc/ssh-agent.profile
@@ -25,3 +25,4 @@ noroot
25	notv	25	notv
26	protocol unix,inet,inet6	26	protocol unix,inet,inet6
27	seccomp	27	seccomp
		28	writable-run-user


diff --git a/etc/ssh.profile b/etc/ssh.profile index 6cf33318a..7ac0b8417 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile
@@ -35,3 +35,5 @@ private-dev
35	memory-deny-write-execute	35	memory-deny-write-execute
36	noexec ${HOME}	36	noexec ${HOME}
37	noexec /tmp	37	noexec /tmp
		38	writable-run-user
		39


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 75450fe0f..0ab27e89b 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -353,6 +353,7 @@ extern int arg_nice; // nice value configured
353	extern int arg_ipc; // enable ipc namespace	353	extern int arg_ipc; // enable ipc namespace
354	extern int arg_writable_etc; // writable etc	354	extern int arg_writable_etc; // writable etc
355	extern int arg_writable_var; // writable var	355	extern int arg_writable_var; // writable var
		356	extern int arg_writable_run_user; // writable /run/user
356	extern int arg_writable_var_log; // writable /var/log	357	extern int arg_writable_var_log; // writable /var/log
357	extern int arg_appimage; // appimage	358	extern int arg_appimage; // appimage
358	extern int arg_audit; // audit	359	extern int arg_audit; // audit


diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 6695fc6b4..0ea71e6ba 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -582,33 +582,35 @@ void fs_proc_sys_dev_boot(void) {
582		582
583		583
584	// disable various ipc sockets in /run/user	584	// disable various ipc sockets in /run/user
585	struct stat s;	585	if (!arg_writable_run_user) {
586		586	struct stat s;
587	char *fname;	587
588	if (asprintf(&fname, "/run/user/%d", getuid()) == -1)	588	char *fname;
589	errExit("asprintf");	589	if (asprintf(&fname, "/run/user/%d", getuid()) == -1)
590	if (is_dir(fname)) { // older distros don't have this directory
591	// disable /run/user/{uid}/gnupg
592	char *fnamegpg;
593	if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1)
594	errExit("asprintf");
595	if (stat(fnamegpg, &s) == -1)
596	mkdir_attr(fnamegpg, 0700, getuid(), getgid());
597	if (stat(fnamegpg, &s) == 0)
598	disable_file(BLACKLIST_FILE, fnamegpg);
599	free(fnamegpg);
600
601	// disable /run/user/{uid}/systemd
602	char *fnamesysd;
603	if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)
604	errExit("asprintf");	590	errExit("asprintf");
605	if (stat(fnamesysd, &s) == -1)	591	if (is_dir(fname)) { // older distros don't have this directory
606	mkdir_attr(fnamesysd, 0755, getuid(), getgid());	592	// disable /run/user/{uid}/gnupg
607	if (stat(fnamesysd, &s) == 0)	593	char *fnamegpg;
608	disable_file(BLACKLIST_FILE, fnamesysd);	594	if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1)
609	free(fnamesysd);	595	errExit("asprintf");
		596	if (stat(fnamegpg, &s) == -1)
		597	mkdir_attr(fnamegpg, 0700, getuid(), getgid());
		598	if (stat(fnamegpg, &s) == 0)
		599	disable_file(BLACKLIST_FILE, fnamegpg);
		600	free(fnamegpg);
		601
		602	// disable /run/user/{uid}/systemd
		603	char *fnamesysd;
		604	if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)
		605	errExit("asprintf");
		606	if (stat(fnamesysd, &s) == -1)
		607	mkdir_attr(fnamesysd, 0755, getuid(), getgid());
		608	if (stat(fnamesysd, &s) == 0)
		609	disable_file(BLACKLIST_FILE, fnamesysd);
		610	free(fnamesysd);
		611	}
		612	free(fname);
610	}	613	}
611	free(fname);
612		614
613	if (getuid() != 0) {	615	if (getuid() != 0) {
614	// disable /dev/kmsg and /proc/kmsg	616	// disable /dev/kmsg and /proc/kmsg


diff --git a/src/firejail/main.c b/src/firejail/main.c index c317aa477..399770142 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -100,6 +100,8 @@ int arg_nice = 0; // nice value configured
100	int arg_ipc = 0; // enable ipc namespace	100	int arg_ipc = 0; // enable ipc namespace
101	int arg_writable_etc = 0; // writable etc	101	int arg_writable_etc = 0; // writable etc
102	int arg_writable_var = 0; // writable var	102	int arg_writable_var = 0; // writable var
		103	int arg_writable_run_user = 0; // writable /run/user
		104	int arg_writable_var_log = 0; // writable /var/log
103	int arg_appimage = 0; // appimage	105	int arg_appimage = 0; // appimage
104	int arg_audit = 0; // audit	106	int arg_audit = 0; // audit
105	char *arg_audit_prog = NULL; // audit	107	char *arg_audit_prog = NULL; // audit
@@ -110,7 +112,6 @@ int arg_x11_xorg = 0; // use X11 security extention
110	int arg_allusers = 0; // all user home directories visible	112	int arg_allusers = 0; // all user home directories visible
111	int arg_machineid = 0; // preserve /etc/machine-id	113	int arg_machineid = 0; // preserve /etc/machine-id
112	int arg_allow_private_blacklist = 0; // blacklist things in private directories	114	int arg_allow_private_blacklist = 0; // blacklist things in private directories
113	int arg_writable_var_log = 0; // writable /var/log
114	int arg_disable_mnt = 0; // disable /mnt and /media	115	int arg_disable_mnt = 0; // disable /mnt and /media
115	int arg_noprofile = 0; // use default.profile if none other found/specified	116	int arg_noprofile = 0; // use default.profile if none other found/specified
116	int arg_memory_deny_write_execute = 0; // block writable and executable memory	117	int arg_memory_deny_write_execute = 0; // block writable and executable memory
@@ -1560,6 +1561,9 @@ int main(int argc, char **argv) {
1560	else if (strcmp(argv[i], "--writable-var") == 0) {	1561	else if (strcmp(argv[i], "--writable-var") == 0) {
1561	arg_writable_var = 1;	1562	arg_writable_var = 1;
1562	}	1563	}
		1564	else if (strcmp(argv[i], "--writable-run-user") == 0) {
		1565	arg_writable_run_user = 1;
		1566	}
1563	else if (strcmp(argv[i], "--writable-var-log") == 0) {	1567	else if (strcmp(argv[i], "--writable-var-log") == 0) {
1564	arg_writable_var_log = 1;	1568	arg_writable_var_log = 1;
1565	}	1569	}


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index e61f59f46..6880bcaa7 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -719,6 +719,11 @@ int profile_check_line(char ptr, int lineno, const char fname) {
719	arg_writable_var = 1;	719	arg_writable_var = 1;
720	return 0;	720	return 0;
721	}	721	}
		722	// writable-run-user
		723	if (strcmp(ptr, "writable-run-user") == 0) {
		724	arg_writable_run_user = 1;
		725	return 0;
		726	}
722	if (strcmp(ptr, "writable-var-log") == 0) {	727	if (strcmp(ptr, "writable-var-log") == 0) {
723	arg_writable_var_log = 1;	728	arg_writable_var_log = 1;
724	return 0;	729	return 0;


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 050c3d7e5..14485d5c1 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -273,6 +273,9 @@ the same top directory. For user home, both the link and the real file should be
273	\fBwritable-etc	273	\fBwritable-etc
274	Mount /etc directory read-write.	274	Mount /etc directory read-write.
275	.TP	275	.TP
		276	\fBwritable-run-user
		277	Disable the default blacklisting of run/user/$UID/systemd and /run/user/$UID/gnupg.
		278	.TP
276	\fBwritable-var	279	\fBwritable-var
277	Mount /var directory read-write.	280	Mount /var directory read-write.
278	.TP	281	.TP


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index c9d57b87b..d317a3fa4 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1965,6 +1965,16 @@ Example:
1965	$ sudo firejail --writable-etc	1965	$ sudo firejail --writable-etc
1966		1966
1967	.TP	1967	.TP
		1968	\fB\-\-writable-run-user
		1969	This options disables the default blacklisting of run/user/$UID/systemd and /run/user/$UID/gnupg.
		1970	.br
		1971
		1972	.br
		1973	Example:
		1974	.br
		1975	$ sudo firejail --writable-run-user
		1976
		1977	.TP
1968	\fB\-\-writable-var	1978	\fB\-\-writable-var
1969	Mount /var directory read-write.	1979	Mount /var directory read-write.
1970	.br	1980	.br