private-etc rework: remove hiding blacklisted files in private-etc directory feature

author: netblue30 <netblue30@protonmail.com> 2023-01-20 20:06:06 -0500
committer: netblue30 <netblue30@protonmail.com> 2023-01-20 20:06:06 -0500
commit: c2b6b6b1a348d70b776983051851e42ba66ab271 (patch)
tree: c4d2a98348bfdd32d4ee47b5d08a4fcaa8bf534c
parent: RELNOTES: add modif and docs items (diff)
download: firejail-c2b6b6b1a348d70b776983051851e42ba66ab271.tar.gz
firejail-c2b6b6b1a348d70b776983051851e42ba66ab271.tar.zst
firejail-c2b6b6b1a348d70b776983051851e42ba66ab271.zip
8 files changed, 45 insertions, 13 deletions
diff --git a/Makefile b/Makefile
index f2cd3aa75..b1f4a1fbc 100644
--- a/Makefile
+++ b/Makefile
@@ -276,7 +276,7 @@ $(TEST_TARGETS):
 # extract some data about the testing setup: kernel, network connectivity, user
-lab-setup:; uname -r; pwd; whoami; cat /etc/resolv.conf; cat /etc/hosts; dig dns.quad9.net;
+lab-setup:; uname -r; pwd; whoami; cat /etc/resolv.conf; cat /etc/hosts
 test: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters
        echo "TEST COMPLETE"
diff --git a/etc/firejail.config b/etc/firejail.config
index 13db32f1e..e8bf45751 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -78,10 +78,6 @@
 # Enable or disable overlayfs features, default enabled.
 # overlayfs yes
-# Hide blacklisted files in /etc directory (enabling this may break
-# /etc/resolv.conf; see #5010), default disabled.
-# etc-hide-blacklisted no
 # Set the limit for file copy in several --private-* options. The size is set
 # in megabytes. By default we allow up to 500MB.
 # Note: the files are copied in RAM.
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index ce8446cc8..62b8c4dc4 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -51,7 +51,6 @@ int checkcfg(int val) {
                        cfg_val[i] = 1; // most of them are enabled by default
                cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default
                cfg_val[CFG_FORCE_NONEWPRIVS] = 0;
-                cfg_val[CFG_ETC_HIDE_BLACKLISTED] = 0;
                cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0;
                cfg_val[CFG_FIREJAIL_PROMPT] = 0;
                cfg_val[CFG_DISABLE_MNT] = 0;
@@ -116,7 +115,6 @@ int checkcfg(int val) {
                        PARSE_YESNO(CFG_TRACELOG, "tracelog")
                        PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title")
                        PARSE_YESNO(CFG_OVERLAYFS, "overlayfs")
-                        PARSE_YESNO(CFG_ETC_HIDE_BLACKLISTED, "etc-hide-blacklisted")
                        PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin")
                        PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local")
                        PARSE_YESNO(CFG_PRIVATE_CACHE, "private-cache")
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 13ee573ad..4fe3a5974 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -811,7 +811,6 @@ enum {
        CFG_FORCE_NONEWPRIVS,
        CFG_XEPHYR_WINDOW_TITLE,
        CFG_OVERLAYFS,
-        CFG_ETC_HIDE_BLACKLISTED,
        CFG_PRIVATE_BIN,
        CFG_PRIVATE_BIN_NO_LOCAL,
        CFG_PRIVATE_CACHE,
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 74f7bddd9..89a67f686 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -67,7 +67,7 @@ static void disable_file(OPERATION op, const char *filename) {
                // they don't seem to like a uid of 0
                // force mounting
                int fd = open(filename, O_PATH|O_CLOEXEC);
-                if (fd < 0) 
+                if (fd < 0)
                        return;
                EUID_ROOT();
@@ -159,7 +159,7 @@ static void disable_file(OPERATION op, const char *filename) {
                                fs_logger2("blacklist-nolog", fname);
                        // files in /etc will be reprocessed during /etc rebuild
-                        if (checkcfg(CFG_ETC_HIDE_BLACKLISTED) && strncmp(fname, "/etc/", 5) == 0) {
+                        if (strncmp(fname, "/etc/", 5) == 0) {
                                ProfileEntry *prf = malloc(sizeof(ProfileEntry));
                                if (!prf)
                                        errExit("malloc");
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index aa4d76431..5eb3e34e0 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -26,6 +26,41 @@
 #include <unistd.h>
 #include <dirent.h>
+void fs_resolvconf(void) {
+        if (arg_debug)
+                printf("Creating a new /etc/resolv.conf file\n");
+        FILE *fp = fopen(RUN_RESOLVCONF_FILE, "wxe");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot create /etc/resolv.conf file\n");
+                exit(1);
+        }
+        if (cfg.dns1) {
+                if (any_dhcp())
+                        fwarning("network setup uses DHCP, nameservers will likely be overwritten\n");
+                fprintf(fp, "nameserver %s\n", cfg.dns1);
+        }
+        if (cfg.dns2)
+                fprintf(fp, "nameserver %s\n", cfg.dns2);
+        if (cfg.dns3)
+                fprintf(fp, "nameserver %s\n", cfg.dns3);
+        if (cfg.dns4)
+                fprintf(fp, "nameserver %s\n", cfg.dns4);
+        // mode and owner
+        SET_PERMS_STREAM(fp, 0, 0, 0644);
+        fclose(fp);
+        selinux_relabel_path(RUN_RESOLVCONF_FILE, "/etc/resolv.conf");
+        if (mount(RUN_RESOLVCONF_FILE, "/etc/resolv.conf", "none", MS_BIND, "mode=644,gid=0") < 0)
+                errExit("mount");
+        fs_logger("create /etc/resolv.conf");
+}
 // spoof /etc/machine_id
 void fs_machineid(void) {
        union machineid_t {
@@ -262,6 +297,7 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
        fmessage("Private %s installed in %0.2f ms\n", private_dir, timetrace_end());
 }
+#if 0
 void fs_rebuild_etc(void) {
        int have_dhcp = 1;
        if (cfg.dns1 == NULL && !any_dhcp()) {
@@ -392,3 +428,4 @@ void fs_rebuild_etc(void) {
        fs_logger("create /etc/resolv.conf");
 }
+#endif
+\ No newline at end of file
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 1afb3a293..3d0d43965 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1096,10 +1096,10 @@ int sandbox(void* sandbox_arg) {
                fs_dev_disable_input();
        //****************************
-        // rebuild etc directory, set dns
+        // set DNS
        //****************************
-        if (!arg_writable_etc)
+        if (cfg.dns1 != NULL || any_dhcp())
-                fs_rebuild_etc();
+                fs_resolvconf();
        //****************************
        // start dhcp client
diff --git a/src/include/rundefs.h b/src/include/rundefs.h
index 079670f10..b3ad564ac 100644
--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -99,5 +99,7 @@
 #define RUN_UMASK_FILE                  RUN_MNT_DIR "/umask"
 #define RUN_JOIN_FILE                   RUN_MNT_DIR "/join"
 #define RUN_OVERLAY_ROOT                RUN_MNT_DIR "/oroot"
+#define RUN_RESOLVCONF_FILE             RUN_MNT_DIR "/resolv.conf"
 #endif
author	netblue30 <netblue30@protonmail.com>	2023-01-20 20:06:06 -0500
committer	netblue30 <netblue30@protonmail.com>	2023-01-20 20:06:06 -0500
commit	c2b6b6b1a348d70b776983051851e42ba66ab271 (patch)
tree	c4d2a98348bfdd32d4ee47b5d08a4fcaa8bf534c
parent	RELNOTES: add modif and docs items (diff)
download	firejail-c2b6b6b1a348d70b776983051851e42ba66ab271.tar.gz firejail-c2b6b6b1a348d70b776983051851e42ba66ab271.tar.zst firejail-c2b6b6b1a348d70b776983051851e42ba66ab271.zip