authorLibravatar netblue30 <netblue30@yahoo.com>2016-06-05 18:47:26 -0400
committerLibravatar netblue30 <netblue30@yahoo.com>2016-06-05 18:47:26 -0400
commitd7b05860cfe2e2f9a0e4efd1eb56000437f8f371 (patch)
tree8a50955c03c37bbcd4b1fa1cce6f0cb6f7b1bb5e
parentspelling (diff)
/proc cleanup
-rw-r--r--src/firejail/fs.c106
1 files changed, 35 insertions, 71 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index c38a9a32e..984d413a3 100644
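--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -248,8 +248,6 @@ static void disable_file(OPERATION op, const char *filename) {
 // Resolve all symlinks
 char* fname = realpath(filename, NULL);
 if (fname == NULL && errno != EACCES) {
-if (arg_debug)
-printf("Warning (realpath): %s is an invalid file, skipping...\n", filename);
 return;
 }
 if (fname == NULL && errno == EACCES) {
@@ -601,89 +599,55 @@ void fs_proc_sys_dev_boot(void) {
 fs_logger("remount /sys");
 }
 
-if (stat("/sys/firmware", &s) == 0) {
-disable_file(BLACKLIST_FILE, "/sys/firmware");
-}
-
-if (stat("/sys/hypervisor", &s) == 0) {
-disable_file(BLACKLIST_FILE, "/sys/hypervisor");
-}
-
-if (stat("/sys/fs", &s) == 0) {
-disable_file(BLACKLIST_FILE, "/sys/fs");
-}
-
-if (stat("/sys/module", &s) == 0) {
-disable_file(BLACKLIST_FILE, "/sys/module");
-}
-
-if (stat("/sys/power", &s) == 0) {
-disable_file(BLACKLIST_FILE, "/sys/power");
-}
+disable_file(BLACKLIST_FILE, "/sys/firmware");
+disable_file(BLACKLIST_FILE, "/sys/hypervisor");
+disable_file(BLACKLIST_FILE, "/sys/fs");
+disable_file(BLACKLIST_FILE, "/sys/module");
+disable_file(BLACKLIST_FILE, "/sys/power");
+disable_file(BLACKLIST_FILE, "/sys/kernel/debug");
+disable_file(BLACKLIST_FILE, "/sys/kernel/vmcoreinfo");
+disable_file(BLACKLIST_FILE, "/sys/kernel/uevent_helper");
 
 // if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0)
 // errExit("mounting /sys");
 
-// Disable SysRq
-// a linux box can be shut down easily using the following commands (as root):
-// # echo 1 > /proc/sys/kernel/sysrq
-// #echo b > /proc/sysrq-trigger
-// for more information see https://www.kernel.org/doc/Documentation/sysrq.txt
-if (arg_debug)
-printf("Disable /proc/sysrq-trigger\n");
-fs_rdonly_noexit("/proc/sysrq-trigger");
-
-// disable hotplug and uevent_helper
-if (arg_debug)
-printf("Disable /proc/sys/kernel/hotplug\n");
-fs_rdonly_noexit("/proc/sys/kernel/hotplug");
-if (arg_debug)
-printf("Disable /sys/kernel/uevent_helper\n");
-fs_rdonly_noexit("/sys/kernel/uevent_helper");
-
-// read-only /proc/irq and /proc/bus
-if (arg_debug)
-printf("Disable /proc/irq\n");
-fs_rdonly_noexit("/proc/irq");
-if (arg_debug)
-printf("Disable /proc/bus\n");
-fs_rdonly_noexit("/proc/bus");
-
-// disable /proc/kcore
-disable_file(BLACKLIST_FILE, "/proc/kcore");
 
-// disable /proc/kallsyms
+// various /proc/sys files
+disable_file(BLACKLIST_FILE, "/proc/sys/security");
+disable_file(BLACKLIST_FILE, "/proc/sys/efi/vars");
+disable_file(BLACKLIST_FILE, "/proc/sys/fs/binfmt_misc");
+disable_file(BLACKLIST_FILE, "/proc/sys/kernel/core_pattern");
+disable_file(BLACKLIST_FILE, "/proc/sys/kernel/modprobe");
+disable_file(BLACKLIST_FILE, "/proc/sysrq-trigger");
+disable_file(BLACKLIST_FILE, "/proc/sys/kernel/hotplug");
+disable_file(BLACKLIST_FILE, "/proc/sys/vm/panic_on_oom");
+
+
+// various /proc files
+disable_file(BLACKLIST_FILE, "/proc/irq");
+disable_file(BLACKLIST_FILE, "/proc/bus");
+disable_file(BLACKLIST_FILE, "/proc/config.gz");
+disable_file(BLACKLIST_FILE, "/proc/sched_debug");
+disable_file(BLACKLIST_FILE, "/proc/timer_list");
+disable_file(BLACKLIST_FILE, "/proc/timer_stats");
+disable_file(BLACKLIST_FILE, "/proc/kcore");
 disable_file(BLACKLIST_FILE, "/proc/kallsyms");
+disable_file(BLACKLIST_FILE, "/proc/mem");
+disable_file(BLACKLIST_FILE, "/proc/kmem");
 
 // disable /boot
-if (stat("/boot", &s) == 0) {
-if (arg_debug)
-printf("Disable /boot directory\n");
-disable_file(BLACKLIST_FILE, "/boot");
-}
+disable_file(BLACKLIST_FILE, "/boot");
 
 // disable /selinux
-if (stat("/selinux", &s) == 0) {
-if (arg_debug)
-printf("Disable /selinux directory\n");
-disable_file(BLACKLIST_FILE, "/selinux");
-}
+disable_file(BLACKLIST_FILE, "/selinux");
 
 // disable /dev/port
-if (stat("/dev/port", &s) == 0) {
-disable_file(BLACKLIST_FILE, "/dev/port");
-}
+disable_file(BLACKLIST_FILE, "/dev/port");
 
 if (getuid() != 0) {
-// disable /dev/kmsg
-if (stat("/dev/kmsg", &s) == 0) {
-disable_file(BLACKLIST_FILE, "/dev/kmsg");
-}
-
-// disable /proc/kmsg
-if (stat("/proc/kmsg", &s) == 0) {
-disable_file(BLACKLIST_FILE, "/proc/kmsg");
-}
+// disable /dev/kmsg and /proc/kmsg
+disable_file(BLACKLIST_FILE, "/dev/kmsg");
+disable_file(BLACKLIST_FILE, "/proc/kmsg");
 }
 }
 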
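Review bot: In `disable_file`, the `realpath` failure branch now returns silently for every errno other than EACCES, and the `stat()` guards in `fs_proc_sys_dev_boot` are gone, so a blacklist entry that fails to resolve for any reason other than a missing path (ELOOP, ENAMETOOLONG, ENOMEM) is skipped with no trace even when `arg_debug` is set. I would stay quiet only for a missing path and keep the warning otherwise, e.g. `if (arg_debug && errno != ENOENT && errno != ENOTDIR) printf("Warning (realpath): %s is an invalid file, skipping...\n", filename);` before the `return`. The silent skip also hides mistakes in the list itself: `/proc/mem` and `/proc/kmem` are not entries I know procfs to provide (the memory devices normally live at `/dev/mem` and `/dev/kmem`), so those two calls are probably no-ops and worth confirming against the intent. Note also that `/proc/irq`, `/proc/bus`, `/proc/sysrq-trigger` and `/proc/sys/kernel/hotplug` move from read-only to blacklisted, which is stricter but may break programs that only read them; a one-line comment stating that this is deliberate would help. Both functions start and end outside the hunks shown, so whether `s` is still used elsewhere cannot be checked from here.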