diff options
| author |  netblue30 <netblue30@protonmail.com> | 2021-05-20 21:38:01 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@protonmail.com> | 2021-05-20 21:38:01 -0400 |
| commit | 4222217198ceedc3e5fd7c356bcd798548eb94ff (patch) | |
| tree | e48e5c450c41cb67b9a33a77afa891c5fa9363cf /src/fbuilder | |
| parent | add support for cargo toml/non-toml files (#4286) (diff) | |
| download | firejail-4222217198ceedc3e5fd7c356bcd798548eb94ff.tar.gz firejail-4222217198ceedc3e5fd7c356bcd798548eb94ff.tar.zst firejail-4222217198ceedc3e5fd7c356bcd798548eb94ff.zip | |
--buid fixes
Diffstat (limited to 'src/fbuilder')
| -rw-r--r-- | src/fbuilder/build_profile.c | 54 | ||||
| -rw-r--r-- | src/fbuilder/build_seccomp.c | 29 |
2 files changed, 37 insertions, 46 deletions
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index 1726b4dbb..5df19f511 100644 --- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c | |||
| @@ -24,21 +24,6 @@ | |||
| 24 | #define TRACE_OUTPUT "/tmp/firejail-trace.XXXXXX" | 24 | #define TRACE_OUTPUT "/tmp/firejail-trace.XXXXXX" |
| 25 | #define STRACE_OUTPUT "/tmp/firejail-strace.XXXXXX" | 25 | #define STRACE_OUTPUT "/tmp/firejail-strace.XXXXXX" |
| 26 | 26 | ||
| 27 | /* static char *cmdlist[] = { */ | ||
| 28 | /* "/usr/bin/firejail", */ | ||
| 29 | /* "--quiet", */ | ||
| 30 | /* "--output=" TRACE_OUTPUT, */ | ||
| 31 | /* "--noprofile", */ | ||
| 32 | /* "--caps.drop=all", */ | ||
| 33 | /* "--nonewprivs", */ | ||
| 34 | /* "--trace", */ | ||
| 35 | /* "--shell=none", */ | ||
| 36 | /* "/usr/bin/strace", // also used as a marker in build_profile() */ | ||
| 37 | /* "-c", */ | ||
| 38 | /* "-f", */ | ||
| 39 | /* "-o" STRACE_OUTPUT, */ | ||
| 40 | /* }; */ | ||
| 41 | |||
| 42 | void build_profile(int argc, char **argv, int index, FILE *fp) { | 27 | void build_profile(int argc, char **argv, int index, FILE *fp) { |
| 43 | // next index is the application name | 28 | // next index is the application name |
| 44 | if (index >= argc) { | 29 | if (index >= argc) { |
| @@ -158,14 +143,14 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
| 158 | fprintf(fp, "### Enable as many of them as you can! A very important one is\n"); | 143 | fprintf(fp, "### Enable as many of them as you can! A very important one is\n"); |
| 159 | fprintf(fp, "### \"disable-exec.inc\". This will make among other things your home\n"); | 144 | fprintf(fp, "### \"disable-exec.inc\". This will make among other things your home\n"); |
| 160 | fprintf(fp, "### and /tmp directories non-executable.\n"); | 145 | fprintf(fp, "### and /tmp directories non-executable.\n"); |
| 161 | fprintf(fp, "include disable-common.inc\n"); | 146 | fprintf(fp, "include disable-common.inc\t# dangerous directories like ~/.ssh and ~/.gnupg\n"); |
| 162 | fprintf(fp, "#include disable-devel.inc\n"); | 147 | fprintf(fp, "#include disable-devel.inc\t# development tools such as gcc and gdb\n"); |
| 163 | fprintf(fp, "#include disable-exec.inc\n"); | 148 | fprintf(fp, "#include disable-exec.inc\t# non-executable directories such as /var, /tmp, and /home\n"); |
| 164 | fprintf(fp, "#include disable-interpreters.inc\n"); | 149 | fprintf(fp, "#include disable-interpreters.inc\t# perl, python, lua etc.\n"); |
| 165 | fprintf(fp, "include disable-passwdmgr.inc\n"); | 150 | fprintf(fp, "include disable-passwdmgr.inc\t# password managers\n"); |
| 166 | fprintf(fp, "include disable-programs.inc\n"); | 151 | fprintf(fp, "include disable-programs.inc\t# user configuration for programs such as firefox, vlc etc.\n"); |
| 167 | fprintf(fp, "#include disable-shell.inc\n"); | 152 | fprintf(fp, "#include disable-shell.inc\t# sh, bash, zsh etc.\n"); |
| 168 | fprintf(fp, "#include disable-xdg.inc\n"); | 153 | fprintf(fp, "#include disable-xdg.inc\t# standard user directories: Documents, Pictures, Videos, Music\n"); |
| 169 | fprintf(fp, "\n"); | 154 | fprintf(fp, "\n"); |
| 170 | 155 | ||
| 171 | fprintf(fp, "### Home Directory Whitelisting ###\n"); | 156 | fprintf(fp, "### Home Directory Whitelisting ###\n"); |
| @@ -180,18 +165,19 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
| 180 | build_var(trace_output, fp); | 165 | build_var(trace_output, fp); |
| 181 | fprintf(fp, "\n"); | 166 | fprintf(fp, "\n"); |
| 182 | 167 | ||
| 183 | fprintf(fp, "#apparmor\n"); | 168 | fprintf(fp, "#apparmor\t# if you have AppArmor running, try this one!\n"); |
| 184 | fprintf(fp, "caps.drop all\n"); | 169 | fprintf(fp, "caps.drop all\n"); |
| 185 | fprintf(fp, "ipc-namespace\n"); | 170 | fprintf(fp, "ipc-namespace\n"); |
| 186 | fprintf(fp, "netfilter\n"); | 171 | fprintf(fp, "netfilter\n"); |
| 187 | fprintf(fp, "#nodvd\n"); | 172 | fprintf(fp, "#no3d\t# disable 3D acceleration\n"); |
| 188 | fprintf(fp, "#nogroups\n"); | 173 | fprintf(fp, "#nodvd\t# disable DVD and CD devices\n"); |
| 189 | fprintf(fp, "#noinput\n"); | 174 | fprintf(fp, "#nogroups\t# disable supplementary user groups\n"); |
| 175 | fprintf(fp, "#noinput\t# disable input devices\n"); | ||
| 190 | fprintf(fp, "nonewprivs\n"); | 176 | fprintf(fp, "nonewprivs\n"); |
| 191 | fprintf(fp, "noroot\n"); | 177 | fprintf(fp, "noroot\n"); |
| 192 | fprintf(fp, "#notv\n"); | 178 | fprintf(fp, "#notv\t# disable DVB TV devices\n"); |
| 193 | fprintf(fp, "#nou2f\n"); | 179 | fprintf(fp, "#nou2f\t# disable U2F devices\n"); |
| 194 | fprintf(fp, "#novideo\n"); | 180 | fprintf(fp, "#novideo\t# disable video capture devices\n"); |
| 195 | build_protocol(trace_output, fp); | 181 | build_protocol(trace_output, fp); |
| 196 | fprintf(fp, "seccomp\n"); | 182 | fprintf(fp, "seccomp\n"); |
| 197 | if (!have_strace) { | 183 | if (!have_strace) { |
| @@ -203,19 +189,21 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
| 203 | else | 189 | else |
| 204 | build_seccomp(strace_output, fp); | 190 | build_seccomp(strace_output, fp); |
| 205 | fprintf(fp, "shell none\n"); | 191 | fprintf(fp, "shell none\n"); |
| 206 | fprintf(fp, "#tracelog\n"); | 192 | fprintf(fp, "tracelog\n"); |
| 207 | fprintf(fp, "\n"); | 193 | fprintf(fp, "\n"); |
| 208 | 194 | ||
| 209 | fprintf(fp, "#disable-mnt\n"); | 195 | fprintf(fp, "#disable-mnt\t# no access to /mnt, /media, /run/mount and /run/media\n"); |
| 210 | build_bin(trace_output, fp); | 196 | build_bin(trace_output, fp); |
| 211 | fprintf(fp, "#private-lib\n"); | 197 | fprintf(fp, "#private-cache\t# run with an empty ~/.cache directory\n"); |
| 212 | build_dev(trace_output, fp); | 198 | build_dev(trace_output, fp); |
| 213 | build_etc(trace_output, fp); | 199 | build_etc(trace_output, fp); |
| 200 | fprintf(fp, "#private-lib\n"); | ||
| 214 | build_tmp(trace_output, fp); | 201 | build_tmp(trace_output, fp); |
| 215 | fprintf(fp, "\n"); | 202 | fprintf(fp, "\n"); |
| 216 | 203 | ||
| 217 | fprintf(fp, "#dbus-user none\n"); | 204 | fprintf(fp, "#dbus-user none\n"); |
| 218 | fprintf(fp, "#dbus-system none\n"); | 205 | fprintf(fp, "#dbus-system none\n"); |
| 206 | fprintf(fp, "\n"); | ||
| 219 | fprintf(fp, "#memory-deny-write-execute\n"); | 207 | fprintf(fp, "#memory-deny-write-execute\n"); |
| 220 | 208 | ||
| 221 | if (!arg_debug) { | 209 | if (!arg_debug) { |
diff --git a/src/fbuilder/build_seccomp.c b/src/fbuilder/build_seccomp.c index dc3cce456..b3187227e 100644 --- a/src/fbuilder/build_seccomp.c +++ b/src/fbuilder/build_seccomp.c | |||
| @@ -82,11 +82,12 @@ void build_seccomp(const char *fname, FILE *fp) { | |||
| 82 | //*************************************** | 82 | //*************************************** |
| 83 | // protocol | 83 | // protocol |
| 84 | //*************************************** | 84 | //*************************************** |
| 85 | int unix_s = 0; | 85 | static int unix_s = 0; |
| 86 | int inet = 0; | 86 | static int inet = 0; |
| 87 | int inet6 = 0; | 87 | static int inet6 = 0; |
| 88 | int netlink = 0; | 88 | static int netlink = 0; |
| 89 | int packet = 0; | 89 | static int packet = 0; |
| 90 | static int bluetooth = 0; | ||
| 90 | static void process_protocol(const char *fname) { | 91 | static void process_protocol(const char *fname) { |
| 91 | assert(fname); | 92 | assert(fname); |
| 92 | 93 | ||
| @@ -135,6 +136,8 @@ static void process_protocol(const char *fname) { | |||
| 135 | netlink = 1; | 136 | netlink = 1; |
| 136 | else if (strncmp(ptr, "AF_PACKET ", 10) == 0) | 137 | else if (strncmp(ptr, "AF_PACKET ", 10) == 0) |
| 137 | packet = 1; | 138 | packet = 1; |
| 139 | else if (strncmp(ptr, "AF_BLUETOOTH ", 13) == 0) | ||
| 140 | bluetooth = 1; | ||
| 138 | } | 141 | } |
| 139 | 142 | ||
| 140 | fclose(fp); | 143 | fclose(fp); |
| @@ -161,22 +164,22 @@ void build_protocol(const char *fname, FILE *fp) { | |||
| 161 | } | 164 | } |
| 162 | 165 | ||
| 163 | int net = 0; | 166 | int net = 0; |
| 164 | if (unix_s || inet || inet6 || netlink || packet) { | 167 | if (unix_s || inet || inet6 || netlink || packet || bluetooth) { |
| 165 | fprintf(fp, "protocol "); | 168 | fprintf(fp, "protocol "); |
| 166 | if (unix_s) | 169 | if (unix_s) |
| 167 | fprintf(fp, "unix,"); | 170 | fprintf(fp, "unix,"); |
| 168 | if (inet) { | 171 | if (inet || inet6) { |
| 169 | fprintf(fp, "inet,"); | 172 | fprintf(fp, "inet,inet6,"); |
| 170 | net = 1; | ||
| 171 | } | ||
| 172 | if (inet6) { | ||
| 173 | fprintf(fp, "inet6,"); | ||
| 174 | net = 1; | 173 | net = 1; |
| 175 | } | 174 | } |
| 176 | if (netlink) | 175 | if (netlink) |
| 177 | fprintf(fp, "netlink,"); | 176 | fprintf(fp, "netlink,"); |
| 178 | if (packet) { | 177 | if (packet) { |
| 179 | fprintf(fp, "packet"); | 178 | fprintf(fp, "packet,"); |
| 179 | net = 1; | ||
| 180 | } | ||
| 181 | if (bluetooth) { | ||
| 182 | fprintf(fp, "bluetooth"); | ||
| 180 | net = 1; | 183 | net = 1; |
| 181 | } | 184 | } |
| 182 | fprintf(fp, "\n"); | 185 | fprintf(fp, "\n"); |