diff options
author | smitsohu <smitsohu@gmail.com> | 2020-08-17 16:38:47 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2020-08-17 16:38:47 +0200 |
commit | 515f3440439fa8c70e5e517b529cdc994845f6ec (patch) | |
tree | e6f59a204b6f700dfd2445a0b5adc76ad7894de0 /Makefile.in | |
parent | firejail: don't pass command line through shell when redirecting output (diff) | |
download | firejail-515f3440439fa8c70e5e517b529cdc994845f6ec.tar.gz firejail-515f3440439fa8c70e5e517b529cdc994845f6ec.tar.zst firejail-515f3440439fa8c70e5e517b529cdc994845f6ec.zip |
hardening: run plugins with dumpable flag cleared
the kernel clears the dumpable flag if a user has no read permission on an
executable and it is owned by another user; I omitted faudit, fbuilder and
ftee for now as they are not used to configure the sandbox itself, and as
this commit is going to complicate debugging efforts to some extent
Diffstat (limited to 'Makefile.in')
-rw-r--r-- | Makefile.in | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/Makefile.in b/Makefile.in index 8cbba12e9..f3d1b3ad0 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -18,15 +18,16 @@ HAVE_SUID=@HAVE_SUID@ | |||
18 | 18 | ||
19 | all: all_items man filters | 19 | all: all_items man filters |
20 | APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats | 20 | APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats |
21 | SBOX_APPS = src/faudit/faudit src/fbuilder/fbuilder src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter src/ftee/ftee | 21 | SBOX_APPS = src/faudit/faudit src/fbuilder/fbuilder src/ftee/ftee |
22 | SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter | ||
22 | MYDIRS = src/lib | 23 | MYDIRS = src/lib |
23 | MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so | 24 | MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so |
24 | MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 | 25 | MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 |
25 | ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) | 26 | ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) |
26 | SBOX_APPS += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp | 27 | SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp |
27 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 | 28 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 |
28 | endif | 29 | endif |
29 | ALL_ITEMS = $(APPS) $(SBOX_APPS) $(MYLIBS) | 30 | ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS) |
30 | 31 | ||
31 | .PHONY: all_items $(ALL_ITEMS) | 32 | .PHONY: all_items $(ALL_ITEMS) |
32 | all_items: $(ALL_ITEMS) | 33 | all_items: $(ALL_ITEMS) |
@@ -43,7 +44,7 @@ $(MANPAGES): $(wildcard src/man/*.txt) | |||
43 | 44 | ||
44 | man: $(MANPAGES) | 45 | man: $(MANPAGES) |
45 | 46 | ||
46 | filters: $(SECCOMP_FILTERS) $(SBOX_APPS) | 47 | filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE) |
47 | ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) | 48 | ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) |
48 | seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize | 49 | seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize |
49 | src/fseccomp/fseccomp default seccomp | 50 | src/fseccomp/fseccomp default seccomp |
@@ -106,7 +107,10 @@ endif | |||
106 | install -m 0755 -d $(DESTDIR)$(libdir)/firejail | 107 | install -m 0755 -d $(DESTDIR)$(libdir)/firejail |
107 | install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config | 108 | install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config |
108 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS) | 109 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS) |
110 | # non-dumpable plugins | ||
111 | install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE) | ||
109 | ifeq ($(HAVE_CONTRIB_INSTALL),yes) | 112 | ifeq ($(HAVE_CONTRIB_INSTALL),yes) |
113 | # contrib scripts | ||
110 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh | 114 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh |
111 | # vim syntax | 115 | # vim syntax |
112 | install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect | 116 | install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect |