author | 2016-08-23 13:33:30 -0400 | |
---|---|---|
committer | 2016-08-23 13:33:30 -0400 | |
commit | d8815360af1031f23f9abaad461e2c235cf15260 (patch) | |
tree | 47c43b99098b3d6d945b71afa34eb15c97507a73 | |
parent | terminal sandbox escape (diff) | |
clean local overlay storage directory (--overlay-clean)
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 15 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 3 | ||||
-rw-r--r-- | src/firejail/util.c | 19 | ||||
-rw-r--r-- | src/man/firejail.txt | 11 |
6 files changed, 47 insertions, 3 deletions
@@ -4,6 +4,7 @@ firejail (0.9.38.1) baseline; urgency=low | |||
4 | * security: disable x32 ABI, submitted by Jann Horn | 4 | * security: disable x32 ABI, submitted by Jann Horn |
5 | * security: tighten --chroot, submitted by Jann Horn | 5 | * security: tighten --chroot, submitted by Jann Horn |
6 | * security: terminal sandbox escape, submitted by Stephan Sokolow | 6 | * security: terminal sandbox escape, submitted by Stephan Sokolow |
7 | * feature: clean local overlay storage directory (--overlay-clean) | ||
7 | -- netblue30 <netblue30@yahoo.com> Fri, 12 Aug 2016 10:00:00 -0500 | 8 | -- netblue30 <netblue30@yahoo.com> Fri, 12 Aug 2016 10:00:00 -0500 |
8 | 9 | ||
9 | firejail (0.9.38) baseline; urgency=low | 10 | firejail (0.9.38) baseline; urgency=low |
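--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -357,6 +357,7 @@ char *expand_home(const char *path, const char* homedir);
 const char *gnu_basename(const char *path);
 uid_t pid_get_uid(pid_t pid);
 void invalid_filename(const char *fname);
+int remove_directory(const char *path);
 
 // fs_var.c
 void fs_var_log(void); // mounting /var/log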
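--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -245,6 +245,21 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 printf("firejail version %s\n", VERSION);
 exit(0);
 }
+else if (strcmp(argv[i], "--overlay-clean") == 0) {
+char *path;
+if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1)
+errExit("asprintf");
+if (setreuid(0, 0) < 0)
+errExit("setreuid");
+if (setregid(0, 0) < 0)
+errExit("setregid");
+errno = 0;
+int rv = remove_directory(path);
+if (rv) {
+fprintf(stderr, "Error: cannot removed overlays stored in ~/.firejail directory, errno %d\n", errno);
+exit(1);
+}
+}
 #ifdef HAVE_NETWORK
 else if (strncmp(argv[i], "--bandwidth=", 12) == 0) {
 logargs(argc, argv);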
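Review bot: The new `--overlay-clean` branch switches to uid 0 with `setreuid(0, 0)` and then recursively deletes a path built from `cfg.homedir`, which the invoking user controls, without first checking what `~/.firejail` actually is. Before the two set*id calls I would `lstat()` the path and refuse unless it is a real directory owned by the caller, for example `if (lstat(path, &s) == -1 || !S_ISDIR(s.st_mode) || s.st_uid != getuid()) { fprintf(stderr, "Error: invalid ~/.firejail directory\n"); exit(1); }` with a `struct stat s;` declared next to `path`. The `errno` printed on failure is not reliable either, because the callback's `perror()` runs between the failing `remove()` and this `fprintf`, and the message itself reads "cannot removed". `path` is never freed, and the success path of this branch continues outside the hunk in run_cmd_and_exit, so whether it exits here cannot be confirmed from these lines.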
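--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -355,9 +355,6 @@ int sandbox(void* sandbox_arg) {
 #ifdef HAVE_CHROOT
 if (cfg.chrootdir) {
 fs_chroot(cfg.chrootdir);
-// redo cp command
-// fs_build_cp_command();
-
 // force caps and seccomp if not started as root
 if (getuid() != 0) {
 // force default seccomp inside the chroot, no keep or drop list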
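--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -24,6 +24,7 @@
 #include <errno.h>
 #include <dirent.h>
 #include <grp.h>
+#include <ftw.h>
 
 #define MAX_GROUPS 1024
 // drop privileges
@@ -615,3 +616,21 @@ void invalid_filename(const char *fname) {
 exit(1);
 }
 }
+
+static int remove_callback(const char *fpath, const struct stat *sb, int typeflag, struct FTW *ftwbuf) {
+(void) sb;
+(void) typeflag;
+(void) ftwbuf;
+
+int rv = remove(fpath);
+if (rv)
+perror(fpath);
+
+return rv;
+}
+
+
+int remove_directory(const char *path) {
+// FTW_PHYS - do not follow symbolic links
+return nftw(path, remove_callback, 64, FTW_DEPTH | FTW_PHYS);
+}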
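Review bot: `remove_directory()` in the second hunk is run with root credentials by the main.c change in this commit, yet the walk is not confined to one filesystem and every deletion is done by path name. `FTW_PHYS` only stops nftw() itself from following symbolic links; `remove(fpath)` resolves the name again, so as far as I can tell a directory component that changes between the two steps would still be followed. Adding `FTW_MOUNT` at least keeps the walk from crossing mount points: `return nftw(path, remove_callback, 64, FTW_DEPTH | FTW_PHYS | FTW_MOUNT);`. I would also document the contract above the function, e.g. `// recursively delete path; stops at the first failed remove() and returns nftw()'s result; the caller must validate the path before running this as root`.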
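--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -921,6 +921,17 @@ Example:
 $ firejail \-\-overlay-tmpfs firefox
 
 .TP
+\fB\-\-overlay-clean
+Clean all overlays stored in $HOME/.firejail directory. Overlays created with --overlay-path=path
+outside $HOME/.firejail will not be deleted.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-overlay-clean
+
+.TP
 \fB\-\-private
 Mount new /root and /home/user directories in temporary
 filesystems. All modifications are discarded when the sandbox is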