whitelist support in /etc/firejail/firejail.config

author: netblue30 <netblue30@yahoo.com> 2016-06-09 08:42:59 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-06-09 08:42:59 -0400
commit: d073a425b3e3ed3829a0e042e8c41963f0f40f0e (patch)
tree: 3241c3053a4d3ccba63c633015fddb6e21c9cf74
parent: fixes (diff)
download: firejail-d073a425b3e3ed3829a0e042e8c41963f0f40f0e.tar.gz
firejail-d073a425b3e3ed3829a0e042e8c41963f0f40f0e.tar.zst
firejail-d073a425b3e3ed3829a0e042e8c41963f0f40f0e.zip
10 files changed, 93 insertions, 27 deletions
diff --git a/configure b/configure
index 66b1663f9..da7d370d3 100755
--- a/configure
+++ b/configure
@@ -629,6 +629,7 @@ EGREP
 GREP
 CPP
 HAVE_FATAL_WARNINGS
+HAVE_WHITELIST
 HAVE_FILE_TRANSFER
 HAVE_X11
 HAVE_USERNS
@@ -695,6 +696,7 @@ enable_network
 enable_userns
 enable_x11
 enable_file_transfer
+enable_whitelist
 enable_fatal_warnings
 '
      ac_precious_vars='build_alias
@@ -1324,6 +1326,7 @@ Optional Features:
  --disable-userns        disable user namespace
  --disable-x11           disable X11 sandboxing support
  --disable-file-transfer disable file transfer
+  --disable-whitelist     disable whitelist
  --enable-fatal-warnings -W -Wall -Werror
 Some influential environment variables:
@@ -3163,6 +3166,19 @@ if test "x$enable_file_transfer" != "xno"; then :
 fi
+HAVE_WHITELIST=""
+# Check whether --enable-whitelist was given.
+if test "${enable_whitelist+set}" = set; then :
+  enableval=$enable_whitelist;
+fi
+if test "x$enable_whitelist" != "xno"; then :
+        HAVE_WHITELIST="-DHAVE_WHITELIST"
+fi
 HAVE_FATAL_WARNINGS=""
 # Check whether --enable-fatal_warnings was given.
 if test "${enable_fatal_warnings+set}" = set; then :
@@ -4823,6 +4839,7 @@ echo "   bind: $HAVE_BIND"
 echo "   network: $HAVE_NETWORK"
 echo "   user namespace: $HAVE_USERNS"
 echo "   X11 sandboxing support: $HAVE_X11"
+echo "   whitelisting: $HAVE_WHITELIST"
 echo "   file transfer support: $HAVE_FILE_TRANSFER"
 echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
 echo
diff --git a/configure.ac b/configure.ac
index ef6a11af5..c9061f219 100644
--- a/configure.ac
+++ b/configure.ac
@@ -70,6 +70,14 @@ AS_IF([test "x$enable_file_transfer" != "xno"], [
        AC_SUBST(HAVE_FILE_TRANSFER)
 ])
+HAVE_WHITELIST=""
+AC_ARG_ENABLE([whitelist],
+    AS_HELP_STRING([--disable-whitelist], [disable whitelist]))
+AS_IF([test "x$enable_whitelist" != "xno"], [
+        HAVE_WHITELIST="-DHAVE_WHITELIST"
+        AC_SUBST(HAVE_WHITELIST)
+])
 HAVE_FATAL_WARNINGS=""
 AC_ARG_ENABLE([fatal_warnings],
    AS_HELP_STRING([--enable-fatal-warnings], [-W -Wall -Werror]))
@@ -103,6 +111,7 @@ echo "   bind: $HAVE_BIND"
 echo "   network: $HAVE_NETWORK"
 echo "   user namespace: $HAVE_USERNS"
 echo "   X11 sandboxing support: $HAVE_X11"
+echo "   whitelisting: $HAVE_WHITELIST"
 echo "   file transfer support: $HAVE_FILE_TRANSFER"
 echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
 echo
diff --git a/etc/firejail.config b/etc/firejail.config
index 55d2faa9f..4fcaee213 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -12,6 +12,12 @@
 # Enable or disable file transfer support, default enabled.
 # file-transfer yes
+# Force use of nonewprivs.  This mitigates the possibility of
+# a user abusing firejail's features to trick a privileged (suid
+# or file capabilities) process into loading code or configuration
+# that is partially under their control.  Default disabled
+# force-nonewprivs no
 # Enable or disable networking features, default enabled.
 # network yes
@@ -27,15 +33,12 @@
 # Enable or disable user namespace support, default enabled.
 # userns yes
+# Enable or disable whitelisting support, default enabled
+# whitelist yes
 # Enable or disable X11 sandboxing support, default enabled.
 # x11 yes
-# Force use of nonewprivs.  This mitigates the possibility of
-# a user abusing firejail's features to trick a privileged (suid
-# or file capabilities) process into loading code or configuration
-# that is partially under their control.  Default disabled
-# force-nonewprivs no
 # Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
 # a full list of resolutions available on your specific setup.
 # xephyr-screen 640x480
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 3ad4ba75e..a8af1a4e0 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -16,13 +16,14 @@ HAVE_NETWORK=@HAVE_NETWORK@
 HAVE_USERNS=@HAVE_USERNS@
 HAVE_X11=@HAVE_X11@
 HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
+HAVE_WHITELIST=@HAVE_WHITELIST@
 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 3ea8caf5b..bf85436c3 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -38,7 +38,7 @@ int checkcfg(int val) {
                        cfg_val[i] = 1; // most of them are enabled by default
                cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default
-                cfg_val[CFG_FORCE_NONEWPRIVS  ] = 0; // disabled by default
+                cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default
                
                // open configuration file
                char *fname;
@@ -126,6 +126,15 @@ int checkcfg(int val) {
                                else
                                        goto errout;
                        }
+                        // whitelist
+                        else if (strncmp(ptr, "whitelist ", 10) == 0) {
+                                if (strcmp(ptr + 10, "yes") == 0)
+                                        cfg_val[CFG_WHITELIST] = 1;
+                                else if (strcmp(ptr + 10, "no") == 0)
+                                        cfg_val[CFG_WHITELIST] = 0;
+                                else
+                                        goto errout;
+                        }
                        // network
                        else if (strncmp(ptr, "network ", 8) == 0) {
                                if (strcmp(ptr + 8, "yes") == 0)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 2d5e05f79..026273aa3 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -568,7 +568,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh);
 #define CFG_NETWORK 6
 #define CFG_RESTRICTED_NETWORK 7
 #define CFG_FORCE_NONEWPRIVS 8
-#define CFG_MAX 9 // this should always be the last entry
+#define CFG_WHITELIST 9
+#define CFG_MAX 10 // this should always be the last entry
 int checkcfg(int val);
 // fs_rdwr.c
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 1c2f021bb..1621d810f 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -277,6 +277,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 #ifndef HAVE_FILE_TRANSFER
                printf("File transfer support is disabled.\n");
 #endif
+#ifndef HAVE_WHITELIST
+                printf("whitelisting support is disabled.\n");
+#endif
                exit(0);
        }
 #ifdef HAVE_X11
@@ -1114,14 +1117,24 @@ int main(int argc, char **argv) {
                        profile_check_line(line, 0, NULL);      // will exit if something wrong
                        profile_add(line);
                }
+#ifdef HAVE_WHITELIST
                else if (strncmp(argv[i], "--whitelist=", 12) == 0) {
-                        char *line;
+                        if (checkcfg(CFG_WHITELIST)) {
-                        if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
+                                char *line;
-                                errExit("asprintf");
+                                if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
-                        
+                                        errExit("asprintf");
-                        profile_check_line(line, 0, NULL);      // will exit if something wrong
+                                
-                        profile_add(line);
+                                profile_check_line(line, 0, NULL);      // will exit if something wrong
+                                profile_add(line);
+                        }
+                        else {
+                                fprintf(stderr, "Error: whitelist feature is disabled in Firejail configuration file\n");
+                                exit(1);
+                        }
                }
+#endif          
                else if (strncmp(argv[i], "--read-only=", 12) == 0) {
                        char *line;
                        if (asprintf(&line, "read-only %s", argv[i] + 12) == -1)
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 192f36974..a64f28c9a 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -726,8 +726,16 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        else if (strncmp(ptr, "noblacklist ", 12) == 0)
                ptr += 12;
        else if (strncmp(ptr, "whitelist ", 10) == 0) {
-                arg_whitelist = 1;
+#ifdef HAVE_WHITELIST           
-                ptr += 10;
+                if (checkcfg(CFG_WHITELIST)) {
+                        arg_whitelist = 1;
+                        ptr += 10;
+                }
+                else
+                        return 0;
+#else           
+                return 0;
+#endif
        }
        else if (strncmp(ptr, "read-only ", 10) == 0)
                ptr += 10;
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index d2f7d9460..af1a30ac3 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -72,8 +72,9 @@ void usage(void) {
        printf("\tsoftware build.\n\n");
        printf("    --debug-syscalls - print all recognized system calls in the current Firejail\n");
        printf("\tsoftware build.\n\n");
+#ifdef HAVE_WHITELIST   
        printf("    --debug-whitelists - debug whitelisting.\n\n");
+#endif
 #ifdef HAVE_NETWORK     
@@ -250,8 +251,9 @@ void usage(void) {
        printf("    --tree - print a tree of all sandboxed processes.\n\n");
        printf("    --user=new_user - switch the user before starting the sandbox.\n\n");
        printf("    --version - print program version and exit.\n\n");
+#ifdef HAVE_WHITELIST   
        printf("    --whitelist=dirname_or_filename - whitelist directory or file.\n\n");
-        
+#endif  
        printf("    --writable-etc - /etc directory is mounted read-write.\n\n");
        printf("    --writable-var - /var directory is mounted read-write.\n\n");
        
diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt
index 026765f1a..6a66c7f75 100644
--- a/src/man/firejail-config.txt
+++ b/src/man/firejail-config.txt
@@ -26,6 +26,13 @@ Enable or disable chroot support, default enabled.
 Enable or disable file transfer support, default enabled.
 .TP
+\fBforce-nonewprivs
+Force use of nonewprivs.  This mitigates the possibility of
+a user abusing firejail's features to trick a privileged (suid
+or file capabilities) process into loading code or configuration
+that is partially under their control.  Default disabled.
+.TP
 \fBnetwork
 Enable or disable networking features, default enabled.
@@ -45,16 +52,12 @@ Enable or disable seccomp support, default enabled.
 Enable or disable user namespace support, default enabled.
 .TP
-\fBx11
+\fBwhitelist
-Enable or disable X11 sandboxing support, default enabled.
+Enable or disable whitelisting support, default enabled.
 .TP
-\fBforce-nonewprivs
+\fBx11
-Force use of nonewprivs.  This mitigates the possibility of
+Enable or disable X11 sandboxing support, default enabled.
-a user abusing firejail's features to trick a privileged (suid
-or file capabilities) process into loading code or configuration
-that is partially under their control.  Default disabled.
 .TP
 \fBxephyr-screen
author	netblue30 <netblue30@yahoo.com>	2016-06-09 08:42:59 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-06-09 08:42:59 -0400
commit	d073a425b3e3ed3829a0e042e8c41963f0f40f0e (patch)
tree	3241c3053a4d3ccba63c633015fddb6e21c9cf74
parent	fixes (diff)
download	firejail-d073a425b3e3ed3829a0e042e8c41963f0f40f0e.tar.gz firejail-d073a425b3e3ed3829a0e042e8c41963f0f40f0e.tar.zst firejail-d073a425b3e3ed3829a0e042e8c41963f0f40f0e.zip

diff --git a/configure b/configure index 66b1663f9..da7d370d3 100755 --- a/configure +++ b/configure
@@ -629,6 +629,7 @@ EGREP
629	GREP	629	GREP
630	CPP	630	CPP
631	HAVE_FATAL_WARNINGS	631	HAVE_FATAL_WARNINGS
		632	HAVE_WHITELIST
632	HAVE_FILE_TRANSFER	633	HAVE_FILE_TRANSFER
633	HAVE_X11	634	HAVE_X11
634	HAVE_USERNS	635	HAVE_USERNS
@@ -695,6 +696,7 @@ enable_network
695	enable_userns	696	enable_userns
696	enable_x11	697	enable_x11
697	enable_file_transfer	698	enable_file_transfer
		699	enable_whitelist
698	enable_fatal_warnings	700	enable_fatal_warnings
699	'	701	'
700	ac_precious_vars='build_alias	702	ac_precious_vars='build_alias
@@ -1324,6 +1326,7 @@ Optional Features:
1324	--disable-userns disable user namespace	1326	--disable-userns disable user namespace
1325	--disable-x11 disable X11 sandboxing support	1327	--disable-x11 disable X11 sandboxing support
1326	--disable-file-transfer disable file transfer	1328	--disable-file-transfer disable file transfer
		1329	--disable-whitelist disable whitelist
1327	--enable-fatal-warnings -W -Wall -Werror	1330	--enable-fatal-warnings -W -Wall -Werror
1328		1331
1329	Some influential environment variables:	1332	Some influential environment variables:
@@ -3163,6 +3166,19 @@ if test "x$enable_file_transfer" != "xno"; then :
3163		3166
3164	fi	3167	fi
3165		3168
		3169	HAVE_WHITELIST=""
		3170	# Check whether --enable-whitelist was given.
		3171	if test "${enable_whitelist+set}" = set; then :
		3172	enableval=$enable_whitelist;
		3173	fi
		3174
		3175	if test "x$enable_whitelist" != "xno"; then :
		3176
		3177	HAVE_WHITELIST="-DHAVE_WHITELIST"
		3178
		3179
		3180	fi
		3181
3166	HAVE_FATAL_WARNINGS=""	3182	HAVE_FATAL_WARNINGS=""
3167	# Check whether --enable-fatal_warnings was given.	3183	# Check whether --enable-fatal_warnings was given.
3168	if test "${enable_fatal_warnings+set}" = set; then :	3184	if test "${enable_fatal_warnings+set}" = set; then :
@@ -4823,6 +4839,7 @@ echo " bind: $HAVE_BIND"
4823	echo " network: $HAVE_NETWORK"	4839	echo " network: $HAVE_NETWORK"
4824	echo " user namespace: $HAVE_USERNS"	4840	echo " user namespace: $HAVE_USERNS"
4825	echo " X11 sandboxing support: $HAVE_X11"	4841	echo " X11 sandboxing support: $HAVE_X11"
		4842	echo " whitelisting: $HAVE_WHITELIST"
4826	echo " file transfer support: $HAVE_FILE_TRANSFER"	4843	echo " file transfer support: $HAVE_FILE_TRANSFER"
4827	echo " fatal warnings: $HAVE_FATAL_WARNINGS"	4844	echo " fatal warnings: $HAVE_FATAL_WARNINGS"
4828	echo	4845	echo


diff --git a/configure.ac b/configure.ac index ef6a11af5..c9061f219 100644 --- a/configure.ac +++ b/configure.ac
@@ -70,6 +70,14 @@ AS_IF([test "x$enable_file_transfer" != "xno"], [
70	AC_SUBST(HAVE_FILE_TRANSFER)	70	AC_SUBST(HAVE_FILE_TRANSFER)
71	])	71	])
72		72
		73	HAVE_WHITELIST=""
		74	AC_ARG_ENABLE([whitelist],
		75	AS_HELP_STRING([--disable-whitelist], [disable whitelist]))
		76	AS_IF([test "x$enable_whitelist" != "xno"], [
		77	HAVE_WHITELIST="-DHAVE_WHITELIST"
		78	AC_SUBST(HAVE_WHITELIST)
		79	])
		80
73	HAVE_FATAL_WARNINGS=""	81	HAVE_FATAL_WARNINGS=""
74	AC_ARG_ENABLE([fatal_warnings],	82	AC_ARG_ENABLE([fatal_warnings],
75	AS_HELP_STRING([--enable-fatal-warnings], [-W -Wall -Werror]))	83	AS_HELP_STRING([--enable-fatal-warnings], [-W -Wall -Werror]))
@@ -103,6 +111,7 @@ echo " bind: $HAVE_BIND"
103	echo " network: $HAVE_NETWORK"	111	echo " network: $HAVE_NETWORK"
104	echo " user namespace: $HAVE_USERNS"	112	echo " user namespace: $HAVE_USERNS"
105	echo " X11 sandboxing support: $HAVE_X11"	113	echo " X11 sandboxing support: $HAVE_X11"
		114	echo " whitelisting: $HAVE_WHITELIST"
106	echo " file transfer support: $HAVE_FILE_TRANSFER"	115	echo " file transfer support: $HAVE_FILE_TRANSFER"
107	echo " fatal warnings: $HAVE_FATAL_WARNINGS"	116	echo " fatal warnings: $HAVE_FATAL_WARNINGS"
108	echo	117	echo


diff --git a/etc/firejail.config b/etc/firejail.config index 55d2faa9f..4fcaee213 100644 --- a/etc/firejail.config +++ b/etc/firejail.config
@@ -12,6 +12,12 @@
12	# Enable or disable file transfer support, default enabled.	12	# Enable or disable file transfer support, default enabled.
13	# file-transfer yes	13	# file-transfer yes
14		14
		15	# Force use of nonewprivs. This mitigates the possibility of
		16	# a user abusing firejail's features to trick a privileged (suid
		17	# or file capabilities) process into loading code or configuration
		18	# that is partially under their control. Default disabled
		19	# force-nonewprivs no
		20
15	# Enable or disable networking features, default enabled.	21	# Enable or disable networking features, default enabled.
16	# network yes	22	# network yes
17		23
@@ -27,15 +33,12 @@
27	# Enable or disable user namespace support, default enabled.	33	# Enable or disable user namespace support, default enabled.
28	# userns yes	34	# userns yes
29		35
		36	# Enable or disable whitelisting support, default enabled
		37	# whitelist yes
		38
30	# Enable or disable X11 sandboxing support, default enabled.	39	# Enable or disable X11 sandboxing support, default enabled.
31	# x11 yes	40	# x11 yes
32		41
33	# Force use of nonewprivs. This mitigates the possibility of
34	# a user abusing firejail's features to trick a privileged (suid
35	# or file capabilities) process into loading code or configuration
36	# that is partially under their control. Default disabled
37	# force-nonewprivs no
38
39	# Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for	42	# Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
40	# a full list of resolutions available on your specific setup.	43	# a full list of resolutions available on your specific setup.
41	# xephyr-screen 640x480	44	# xephyr-screen 640x480


diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index 3ad4ba75e..a8af1a4e0 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in
@@ -16,13 +16,14 @@ HAVE_NETWORK=@HAVE_NETWORK@
16	HAVE_USERNS=@HAVE_USERNS@	16	HAVE_USERNS=@HAVE_USERNS@
17	HAVE_X11=@HAVE_X11@	17	HAVE_X11=@HAVE_X11@
18	HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@	18	HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
		19	HAVE_WHITELIST=@HAVE_WHITELIST@
19		20
20		21
21	H_FILE_LIST = $(sort $(wildcard *.[h]))	22	H_FILE_LIST = $(sort $(wildcard *.[h]))
22	C_FILE_LIST = $(sort $(wildcard *.c))	23	C_FILE_LIST = $(sort $(wildcard *.c))
23	OBJS = $(C_FILE_LIST:.c=.o)	24	OBJS = $(C_FILE_LIST:.c=.o)
24	BINOBJS = $(foreach file, $(OBJS), $file)	25	BINOBJS = $(foreach file, $(OBJS), $file)
25	CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security	26	CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
26	LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread	27	LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
27		28
28	%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h	29	%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h


diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 3ea8caf5b..bf85436c3 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c
@@ -38,7 +38,7 @@ int checkcfg(int val) {
38	cfg_val[i] = 1; // most of them are enabled by default	38	cfg_val[i] = 1; // most of them are enabled by default
39		39
40	cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default	40	cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default
41	cfg_val[CFG_FORCE_NONEWPRIVS ] = 0; // disabled by default	41	cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default
42		42
43	// open configuration file	43	// open configuration file
44	char *fname;	44	char *fname;
@@ -126,6 +126,15 @@ int checkcfg(int val) {
126	else	126	else
127	goto errout;	127	goto errout;
128	}	128	}
		129	// whitelist
		130	else if (strncmp(ptr, "whitelist ", 10) == 0) {
		131	if (strcmp(ptr + 10, "yes") == 0)
		132	cfg_val[CFG_WHITELIST] = 1;
		133	else if (strcmp(ptr + 10, "no") == 0)
		134	cfg_val[CFG_WHITELIST] = 0;
		135	else
		136	goto errout;
		137	}
129	// network	138	// network
130	else if (strncmp(ptr, "network ", 8) == 0) {	139	else if (strncmp(ptr, "network ", 8) == 0) {
131	if (strcmp(ptr + 8, "yes") == 0)	140	if (strcmp(ptr + 8, "yes") == 0)


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 2d5e05f79..026273aa3 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -568,7 +568,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh);
568	#define CFG_NETWORK 6	568	#define CFG_NETWORK 6
569	#define CFG_RESTRICTED_NETWORK 7	569	#define CFG_RESTRICTED_NETWORK 7
570	#define CFG_FORCE_NONEWPRIVS 8	570	#define CFG_FORCE_NONEWPRIVS 8
571	#define CFG_MAX 9 // this should always be the last entry	571	#define CFG_WHITELIST 9
		572	#define CFG_MAX 10 // this should always be the last entry
572	int checkcfg(int val);	573	int checkcfg(int val);
573		574
574	// fs_rdwr.c	575	// fs_rdwr.c


diff --git a/src/firejail/main.c b/src/firejail/main.c index 1c2f021bb..1621d810f 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -277,6 +277,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
277	#ifndef HAVE_FILE_TRANSFER	277	#ifndef HAVE_FILE_TRANSFER
278	printf("File transfer support is disabled.\n");	278	printf("File transfer support is disabled.\n");
279	#endif	279	#endif
		280	#ifndef HAVE_WHITELIST
		281	printf("whitelisting support is disabled.\n");
		282	#endif
280	exit(0);	283	exit(0);
281	}	284	}
282	#ifdef HAVE_X11	285	#ifdef HAVE_X11
@@ -1114,14 +1117,24 @@ int main(int argc, char **argv) {
1114	profile_check_line(line, 0, NULL); // will exit if something wrong	1117	profile_check_line(line, 0, NULL); // will exit if something wrong
1115	profile_add(line);	1118	profile_add(line);
1116	}	1119	}
		1120
		1121	#ifdef HAVE_WHITELIST
1117	else if (strncmp(argv[i], "--whitelist=", 12) == 0) {	1122	else if (strncmp(argv[i], "--whitelist=", 12) == 0) {
1118	char *line;	1123	if (checkcfg(CFG_WHITELIST)) {
1119	if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)	1124	char *line;
1120	errExit("asprintf");	1125	if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
1121		1126	errExit("asprintf");
1122	profile_check_line(line, 0, NULL); // will exit if something wrong	1127
1123	profile_add(line);	1128	profile_check_line(line, 0, NULL); // will exit if something wrong
		1129	profile_add(line);
		1130	}
		1131	else {
		1132	fprintf(stderr, "Error: whitelist feature is disabled in Firejail configuration file\n");
		1133	exit(1);
		1134	}
1124	}	1135	}
		1136	#endif
		1137
1125	else if (strncmp(argv[i], "--read-only=", 12) == 0) {	1138	else if (strncmp(argv[i], "--read-only=", 12) == 0) {
1126	char *line;	1139	char *line;
1127	if (asprintf(&line, "read-only %s", argv[i] + 12) == -1)	1140	if (asprintf(&line, "read-only %s", argv[i] + 12) == -1)


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 192f36974..a64f28c9a 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -726,8 +726,16 @@ int profile_check_line(char ptr, int lineno, const char fname) {
726	else if (strncmp(ptr, "noblacklist ", 12) == 0)	726	else if (strncmp(ptr, "noblacklist ", 12) == 0)
727	ptr += 12;	727	ptr += 12;
728	else if (strncmp(ptr, "whitelist ", 10) == 0) {	728	else if (strncmp(ptr, "whitelist ", 10) == 0) {
729	arg_whitelist = 1;	729	#ifdef HAVE_WHITELIST
730	ptr += 10;	730	if (checkcfg(CFG_WHITELIST)) {
		731	arg_whitelist = 1;
		732	ptr += 10;
		733	}
		734	else
		735	return 0;
		736	#else
		737	return 0;
		738	#endif
731	}	739	}
732	else if (strncmp(ptr, "read-only ", 10) == 0)	740	else if (strncmp(ptr, "read-only ", 10) == 0)
733	ptr += 10;	741	ptr += 10;


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index d2f7d9460..af1a30ac3 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -72,8 +72,9 @@ void usage(void) {
72	printf("\tsoftware build.\n\n");	72	printf("\tsoftware build.\n\n");
73	printf(" --debug-syscalls - print all recognized system calls in the current Firejail\n");	73	printf(" --debug-syscalls - print all recognized system calls in the current Firejail\n");
74	printf("\tsoftware build.\n\n");	74	printf("\tsoftware build.\n\n");
		75	#ifdef HAVE_WHITELIST
75	printf(" --debug-whitelists - debug whitelisting.\n\n");	76	printf(" --debug-whitelists - debug whitelisting.\n\n");
76		77	#endif
77		78
78		79
79	#ifdef HAVE_NETWORK	80	#ifdef HAVE_NETWORK
@@ -250,8 +251,9 @@ void usage(void) {
250	printf(" --tree - print a tree of all sandboxed processes.\n\n");	251	printf(" --tree - print a tree of all sandboxed processes.\n\n");
251	printf(" --user=new_user - switch the user before starting the sandbox.\n\n");	252	printf(" --user=new_user - switch the user before starting the sandbox.\n\n");
252	printf(" --version - print program version and exit.\n\n");	253	printf(" --version - print program version and exit.\n\n");
		254	#ifdef HAVE_WHITELIST
253	printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n");	255	printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n");
254		256	#endif
255	printf(" --writable-etc - /etc directory is mounted read-write.\n\n");	257	printf(" --writable-etc - /etc directory is mounted read-write.\n\n");
256	printf(" --writable-var - /var directory is mounted read-write.\n\n");	258	printf(" --writable-var - /var directory is mounted read-write.\n\n");
257		259


diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt index 026765f1a..6a66c7f75 100644 --- a/src/man/firejail-config.txt +++ b/src/man/firejail-config.txt
@@ -26,6 +26,13 @@ Enable or disable chroot support, default enabled.
26	Enable or disable file transfer support, default enabled.	26	Enable or disable file transfer support, default enabled.
27		27
28	.TP	28	.TP
		29	\fBforce-nonewprivs
		30	Force use of nonewprivs. This mitigates the possibility of
		31	a user abusing firejail's features to trick a privileged (suid
		32	or file capabilities) process into loading code or configuration
		33	that is partially under their control. Default disabled.
		34
		35	.TP
29	\fBnetwork	36	\fBnetwork
30	Enable or disable networking features, default enabled.	37	Enable or disable networking features, default enabled.
31		38
@@ -45,16 +52,12 @@ Enable or disable seccomp support, default enabled.
45	Enable or disable user namespace support, default enabled.	52	Enable or disable user namespace support, default enabled.
46		53
47	.TP	54	.TP
48	\fBx11	55	\fBwhitelist
49	Enable or disable X11 sandboxing support, default enabled.	56	Enable or disable whitelisting support, default enabled.
50		57
51	.TP	58	.TP
52	\fBforce-nonewprivs	59	\fBx11
53	Force use of nonewprivs. This mitigates the possibility of	60	Enable or disable X11 sandboxing support, default enabled.
54	a user abusing firejail's features to trick a privileged (suid
55	or file capabilities) process into loading code or configuration
56	that is partially under their control. Default disabled.
57
58		61
59	.TP	62	.TP
60	\fBxephyr-screen	63	\fBxephyr-screen