more on firecfg --guide

author: netblue30 <netblue30@protonmail.com> 2022-04-21 11:41:40 -0400
committer: netblue30 <netblue30@protonmail.com> 2022-04-21 11:41:40 -0400
commit: 62e33cfc37635d985c186c8e5aaf1101070f9ccf (patch)
tree: c65e64d5b425c2689446d583fc531f27a0b4701d /src/firecfg
parent: firecfg --guide (diff)
download: firejail-62e33cfc37635d985c186c8e5aaf1101070f9ccf.tar.gz
firejail-62e33cfc37635d985c186c8e5aaf1101070f9ccf.tar.zst
firejail-62e33cfc37635d985c186c8e5aaf1101070f9ccf.zip
2 files changed, 162 insertions, 74 deletions
diff --git a/src/firecfg/firejail-welcome.sh b/src/firecfg/firejail-welcome.sh
index c9b6c450b..a3e9713e4 100755
--- a/src/firecfg/firejail-welcome.sh
+++ b/src/firecfg/firejail-welcome.sh
@@ -3,126 +3,203 @@
 # This file is part of Firejail project
 # Copyright (C) 2020-2022 Firejail Authors
 # License GPL v2
+#
-if ! command -v zenity >/dev/null; then
+# Usage: firejail-welcome PROGRAM SYSCONFDIR
-        echo "Please install zenity."
+# where PROGRAM is detected and driven by firecfg.
-        exit 1
+# SYSCONFDIR is most of the time /etc/firejail.
-fi
+#
-if ! command -v sudo >/dev/null; then
+# The plan is to go with zenity by default. If zenity is not installed
-        echo "Please install sudo."
+# we will provide a console-only replacement in /usr/lib/firejail/fzenity
+#
+PROGRAM=$1
+SYSCONFDIR=$2
+if ! command -v $PROGRAM >/dev/null; then
+        echo "Please install $PROGRAM."
        exit 1
 fi
 export LANG=en_US.UTF8
-zenity --title=firejail-welcome.sh --text-info --width=750 --height=500 <<EOM
+TITLE="Firejail Configuration Guide"
-Welcome to firejail!
+sed_scripts=()
+run_firecfg=false
+enable_u2f=false
+enable_drm=false
+enable_seccomp_kill=false
+enable_restricted_net=false
+enable_nonewprivs=false
-This is a quick setup guide for newbies.
+#******************************************************
+# Intro
+#******************************************************
+read -r -d $'\0' MSG_INTRO <<EOM
+<big><b>Welcome to Firejail!</b></big>
-Profiles for programs can be found in /etc/firejail. Own customizations should go in a file named
-<profile-name>.local in ~/.config/firejal.
-Firejail's own configuration can be found at /etc/firejail/firejail.config.
+This guide will walk you through some of the most common sandbox customizations. At the end of the guide you'll have the option to save your changes in Firejail's global config file at <b>/etc/firejail/firejail.config</b>. A copy of the original file is stored as <b>/etc/firejal/firejail.config-</b>.
-Please note that running this script a second time can set new options, but does not unset options
+Please note that running this script a second time can set new options, but does not clear options set in a previous run.
-set in a previous run.
-Website: https://firejail.wordpress.com
+Press OK to continue, or close this window to stop the program.
-Bug-Tracker: https://github.com/netblue30/firejail/issues
-Documentation:
- https://github.com/netblue30/firejail/wiki
- https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions
- https://firejail.wordpress.com/documentation-2
- man:firejail(1) and man:firejail-profile(5)
-PS: If you have any improvements for this script, open an issue or pull request.
 EOM
+$PROGRAM --title="$TITLE" --info --width=600 --height=40 --text="$MSG_INTRO"
 [[ $? -eq 1 ]] && exit 0
-sed_scripts=()
+#******************************************************
+# symlinks
+#******************************************************
+read -r -d $'\0' MSG_Q_RUN_FIRECFG <<EOM
+<big><b>Should most programs be sandboxed by default?</b></big>
+Currently, Firejail recognizes more than 1000 regular desktop programs. These programs
+can be sandboxed automatically when you start them.
+EOM
+if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_RUN_FIRECFG"; then
+        run_firecfg=true
+fi
+[[ $? -eq 1 ]] && exit 0
+#******************************************************
+# U2F
+#******************************************************
 read -r -d $'\0' MSG_Q_BROWSER_DISABLE_U2F <<EOM
 <big><b>Should browsers be allowed to access u2f hardware?</b></big>
+Universal Two-Factor (U2F) devices are used as a password store for online
+accounts. These devices usually come in a form of a USB key.
 EOM
+if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_BROWSER_DISABLE_U2F"; then
+        enable_u2f=true
+        sed_scripts+=("-e s/# browser-disable-u2f yes/browser-disable-u2f no/")
+fi
+#******************************************************
+# DRM
+#******************************************************
 read -r -d $'\0' MSG_Q_BROWSER_ALLOW_DRM <<EOM
 <big><b>Should browsers be able to play DRM content?</b></big>
-\$HOME is noexec,nodev,nosuid by default for the most sandboxes. This means that executing programs which are located in \$HOME,
+The home directory is <tt>noexec,nodev,nosuid</tt> by default for most applications.
-is forbidden, the setuid attribute on files is ignored and device files inside \$HOME don't work. Browsers install proprietary
+This means that executing programs located in your home directory is forbidden.
-DRM plug-ins such as Widevine under \$HOME by default. In order to use them, \$HOME must be mounted exec inside the sandbox to
-allow their execution. Clearly, this may help an attacker to start malicious code.
+Browsers install proprietary DRM plug-ins such as Widevine in your home directory.
+In order to use them, your home must be mounted <tt>exec</tt> inside the sandbox. This
+may give the people developing and distributing the plug-in access to your private
+data.
-NOTE: Other software written in an interpreter language such as bash, python or java can always be started from \$HOME.
+NOTE: Software written in an interpreted language such as bash, python or java can
+always be started from home directory.
 HINT: If <tt>/home</tt> has its own partition, you can mount it <tt>nodev,nosuid</tt> for all programs.
-EOM
-read -r -d $'\0' MSG_L_ADVANCED_OPTIONS <<EOM
-You maybe want to set some of these advanced options.
 EOM
-read -r -d $'\0' MSG_Q_RUN_FIRECFG <<EOM
+if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_BROWSER_ALLOW_DRM"; then
-<big><b>Should most programs be started in firejail by default?</b></big>
+        enable_drm=true
-EOM
+        sed_scripts+=("-e s/# browser-allow-drm no/browser-allow-drm yes/")
+fi
+#******************************************************
+# nonewprivs
+#******************************************************
+read -r -d $'\0' MSG_Q_NONEWPRIVS <<EOM
+<big><b>Should we force nonweprivs by default?</b></big>
+nonewprivs is a Linux kernel feature that prevents programs from rising privileges.
+It is also a strong mitigation against exploits in Firejail. However, some programs
+like chromium, wireshark, or even ping might not work.
+NOTE: seccomp enables nonewprivs automatically. Most applications supported by
+default by Firejail are using seccomp.
-read -r -d $'\0' MSG_I_ROOT_REQUIRED <<EOM
-In order to apply these changes, root privileges are required.
-You will now be asked to enter your password.
 EOM
-read -r -d $'\0' MSG_I_FINISH <<EOM
+if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_NONEWPRIVS"; then
-🥳
+        enable_nonewprivs=true
+        sed_scripts+=("-e s/# force-nonewprivs no/force-nonewprivs yes/")
+fi
+#******************************************************
+# restricted network
+#******************************************************
+read -r -d $'\0' MSG_Q_NETWORK <<EOM
+<big><b>Should we restrict network functionality?</b></big>
+Restrict all network related commands except '<tt>net none</tt>' to root only.
 EOM
-if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_BROWSER_DISABLE_U2F"; then
+if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_NETWORK"; then
-        sed_scripts+=("-e s/# browser-disable-u2f yes/browser-disable-u2f no/")
+        enable_restricted_net=true
+        sed_scripts+=("-e s/# restricted-network no/restricted-network yes/")
 fi
-if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_BROWSER_ALLOW_DRM"; then
+#******************************************************
-        sed_scripts+=("-e s/# browser-allow-drm no/browser-allow-drm yes/")
+# seccomp kill
+#******************************************************
+read -r -d $'\0' MSG_Q_SECCOMP <<EOM
+<big><b>Should we kill programs that violate seccomp rules?</b></big>
+By default seccomp prevents the program from running the syscall and returns an error.
+EOM
+if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_SECCOMP"; then
+        enable_seccomp_kill=true
+        sed_scripts+=("-e s/# seccomp-error-action EPERM/seccomp-error-action kill/")
 fi
-advanced_options=$(zenity --title=firejail-welcome.sh --list --width=800 --height=200 \
-        --text="$MSG_L_ADVANCED_OPTIONS" --multiple --checklist --separator=" " \
-        --column="" --column=Option --column=Description <<EOM
-force-nonewprivs
-Always set nonewprivs, this is a strong mitigation against exploits in firejail. However some programs like chromium or wireshark maybe don't work anymore.
-restricted-network
-Restrict all network related commands except 'net none' to root only.
-seccomp-error-action=kill
+#******************************************************
-Kill programs which violate seccomp rules (default: return a error).
+# root
+#******************************************************
+read -r -d $'\0' MSG_RUN <<EOM
+Now, I will apply the changes. This is what I will do:
 EOM
-)
-if [[ $advanced_options == *force-nonewprivs* ]]; then
+MSG_RUN+="\\n\\n"
-        sed_scripts+=("-e s/# force-nonewprivs no/force-nonewprivs yes/")
+if [[ "$run_firecfg" == "true" ]]; then
+        MSG_RUN+="     * enable Firejail for all recognized programs\\n"
 fi
-if [[ $advanced_options == *restricted-network* ]]; then
+if [[ "$enable_u2f" == "true" ]]; then
-        sed_scripts+=("-e s/# restricted-network no/restricted-network yes/")
+        MSG_RUN+="     * allow browsers to access U2F devices\\n"
 fi
-if [[ $advanced_options == *seccomp-error-action=kill* ]]; then
+if [[ "$enable_drm" == "true" ]]; then
-        sed_scripts+=("-e s/# seccomp-error-action EPERM/seccomp-error-action kill/")
+        MSG_RUN+="     * allow browsers to play DRM content\\n"
 fi
+if [[ "$enable_nonewprivs" == "true" ]]; then
-if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_RUN_FIRECFG"; then
+        MSG_RUN+="     * enable nonewprivs globally\\n"
-        run_firecfg=true
 fi
+if [[ "$enable_restricted_net" == "true" ]]; then
+        MSG_RUN+="     * restrict networking features\\n"
+fi
+if [[ "$enable_seccomp_kill" == "true" ]]; then
+        MSG_RUN+="     * enable seccomp kill\\n"
+fi
+MSG_RUN+="\\n\\nPress OK to continue, or close this window to stop the program."
-zenity --title=firejail-welcome.sh --info --ellipsize --text="$MSG_I_ROOT_REQUIRED"
+$PROGRAM --title="$TITLE" --info --width=600 --height=40 --text="$MSG_RUN"
+[[ $? -eq 1 ]] && exit 0
-passwd=$(zenity --title=firejail-welcome.sh --password --cancel-label=OK)
 if [[ -n "${sed_scripts[*]}" ]]; then
-        sudo -S -p "" -- sed -i "${sed_scripts[@]}" /etc/firejail/firejail.config <<<"$passwd" || { zenity --title=firejail-welcome.sh --error; exit 1; };
+        cp $SYSCONFDIR/firejail.config $SYSCONFDIR/firejail.config-
+        sed -i "${sed_scripts[@]}" $SYSCONFDIR/firejail.config
 fi
 if [[ "$run_firecfg" == "true" ]]; then
-        sudo -S -p "" -- firecfg <<<"$passwd" || { zenity --title=firejail-welcome.sh --error; exit 1; };
+        # return 55 to inform firecfg symlinks are desired
+        exit 55
 fi
-sudo -k
-unset passwd
-zenity --title=firejail-welcome.sh --info --icon-name=security-medium-symbolic --text="$MSG_I_FINISH"
+#******************************************************
+# all done
+#******************************************************
+exit 0
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index 0072c2768..19f2573f3 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -22,6 +22,7 @@
 #include "../include/firejail_user.h"
 int arg_debug = 0;
 char *arg_bindir = "/usr/local/bin";
+int arg_guide = 0;
 static char *usage_str =
        "Firecfg is the desktop configuration utility for Firejail software. The utility\n"
@@ -375,8 +376,7 @@ int main(int argc, char **argv) {
                        return 0;
                }
                else if (strcmp(argv[i], "--guide") == 0) {
-                        return system(LIBDIR "/firejail/firejail-welcome.sh");
+                        arg_guide = 1;
-                        return 0;
                }
                else if (strcmp(argv[i], "--list") == 0) {
                        list();
@@ -442,6 +442,19 @@ int main(int argc, char **argv) {
                umask(orig_umask);
        }
+        if (arg_guide) {
+                int status = system("sudo "LIBDIR "/firejail/firejail-welcome.sh zenity " SYSCONFDIR);
+                if (status == -1) {
+                        fprintf(stderr, "Error: cannot run firejail-welcome.sh\n");
+                        exit(1);
+                }
+                // the last 8 bits of the status is the return value of the command executed by system()
+                // firejail-welcome.sh returns 55 if setting sysmlinks is required
+                if (WEXITSTATUS(status)  != 55)
+                        return 0;
+        }
        // clear all symlinks
        clean();
@@ -473,8 +486,6 @@ int main(int argc, char **argv) {
 #endif
        }
        // set new symlinks based on ~/.config/firejail directory
        set_links_homedir(home);
author	netblue30 <netblue30@protonmail.com>	2022-04-21 11:41:40 -0400
committer	netblue30 <netblue30@protonmail.com>	2022-04-21 11:41:40 -0400
commit	62e33cfc37635d985c186c8e5aaf1101070f9ccf (patch)
tree	c65e64d5b425c2689446d583fc531f27a0b4701d /src/firecfg
parent	firecfg --guide (diff)
download	firejail-62e33cfc37635d985c186c8e5aaf1101070f9ccf.tar.gz firejail-62e33cfc37635d985c186c8e5aaf1101070f9ccf.tar.zst firejail-62e33cfc37635d985c186c8e5aaf1101070f9ccf.zip

diff --git a/src/firecfg/firejail-welcome.sh b/src/firecfg/firejail-welcome.sh index c9b6c450b..a3e9713e4 100755 --- a/src/firecfg/firejail-welcome.sh +++ b/src/firecfg/firejail-welcome.sh
@@ -3,126 +3,203 @@
3	# This file is part of Firejail project	3	# This file is part of Firejail project
4	# Copyright (C) 2020-2022 Firejail Authors	4	# Copyright (C) 2020-2022 Firejail Authors
5	# License GPL v2	5	# License GPL v2
6		6	#
7	if ! command -v zenity >/dev/null; then	7	# Usage: firejail-welcome PROGRAM SYSCONFDIR
8	echo "Please install zenity."	8	# where PROGRAM is detected and driven by firecfg.
9	exit 1	9	# SYSCONFDIR is most of the time /etc/firejail.
10	fi	10	#
11	if ! command -v sudo >/dev/null; then	11	# The plan is to go with zenity by default. If zenity is not installed
12	echo "Please install sudo."	12	# we will provide a console-only replacement in /usr/lib/firejail/fzenity
		13	#
		14
		15	PROGRAM=$1
		16	SYSCONFDIR=$2
		17
		18	if ! command -v $PROGRAM >/dev/null; then
		19	echo "Please install $PROGRAM."
13	exit 1	20	exit 1
14	fi	21	fi
15		22
16	export LANG=en_US.UTF8	23	export LANG=en_US.UTF8
17		24
18	zenity --title=firejail-welcome.sh --text-info --width=750 --height=500 <<EOM	25	TITLE="Firejail Configuration Guide"
19	Welcome to firejail!	26	sed_scripts=()
		27	run_firecfg=false
		28	enable_u2f=false
		29	enable_drm=false
		30	enable_seccomp_kill=false
		31	enable_restricted_net=false
		32	enable_nonewprivs=false
20		33
21	This is a quick setup guide for newbies.	34	#******************************************************
		35	# Intro
		36	#******************************************************
		37	read -r -d $'\0' MSG_INTRO <<EOM
		38	<big><b>Welcome to Firejail!</b></big>
22		39
23	Profiles for programs can be found in /etc/firejail. Own customizations should go in a file named
24	<profile-name>.local in ~/.config/firejal.
25		40
26	Firejail's own configuration can be found at /etc/firejail/firejail.config.	41	This guide will walk you through some of the most common sandbox customizations. At the end of the guide you'll have the option to save your changes in Firejail's global config file at <b>/etc/firejail/firejail.config</b>. A copy of the original file is stored as <b>/etc/firejal/firejail.config-</b>.
27		42
28	Please note that running this script a second time can set new options, but does not unset options	43	Please note that running this script a second time can set new options, but does not clear options set in a previous run.
29	set in a previous run.
30		44
31	Website: https://firejail.wordpress.com	45	Press OK to continue, or close this window to stop the program.
32	Bug-Tracker: https://github.com/netblue30/firejail/issues
33	Documentation:
34	- https://github.com/netblue30/firejail/wiki
35	- https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions
36	- https://firejail.wordpress.com/documentation-2
37	- man:firejail(1) and man:firejail-profile(5)
38		46
39	PS: If you have any improvements for this script, open an issue or pull request.
40	EOM	47	EOM
		48	$PROGRAM --title="$TITLE" --info --width=600 --height=40 --text="$MSG_INTRO"
41	[[ $? -eq 1 ]] && exit 0	49	[[ $? -eq 1 ]] && exit 0
42		50
43	sed_scripts=()	51	#******************************************************
		52	# symlinks
		53	#******************************************************
		54	read -r -d $'\0' MSG_Q_RUN_FIRECFG <<EOM
		55	<big><b>Should most programs be sandboxed by default?</b></big>
		56
		57	Currently, Firejail recognizes more than 1000 regular desktop programs. These programs
		58	can be sandboxed automatically when you start them.
		59
		60	EOM
		61
		62	if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_RUN_FIRECFG"; then
		63	run_firecfg=true
		64	fi
		65	[[ $? -eq 1 ]] && exit 0
44		66
		67	#******************************************************
		68	# U2F
		69	#******************************************************
45	read -r -d $'\0' MSG_Q_BROWSER_DISABLE_U2F <<EOM	70	read -r -d $'\0' MSG_Q_BROWSER_DISABLE_U2F <<EOM
46	<big><b>Should browsers be allowed to access u2f hardware?</b></big>	71	<big><b>Should browsers be allowed to access u2f hardware?</b></big>
		72
		73	Universal Two-Factor (U2F) devices are used as a password store for online
		74	accounts. These devices usually come in a form of a USB key.
		75
47	EOM	76	EOM
48		77
		78	if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_BROWSER_DISABLE_U2F"; then
		79	enable_u2f=true
		80	sed_scripts+=("-e s/# browser-disable-u2f yes/browser-disable-u2f no/")
		81	fi
		82
		83	#******************************************************
		84	# DRM
		85	#******************************************************
49	read -r -d $'\0' MSG_Q_BROWSER_ALLOW_DRM <<EOM	86	read -r -d $'\0' MSG_Q_BROWSER_ALLOW_DRM <<EOM
50	<big><b>Should browsers be able to play DRM content?</b></big>	87	<big><b>Should browsers be able to play DRM content?</b></big>
51		88
52	\$HOME is noexec,nodev,nosuid by default for the most sandboxes. This means that executing programs which are located in \$HOME,	89	The home directory is <tt>noexec,nodev,nosuid</tt> by default for most applications.
53	is forbidden, the setuid attribute on files is ignored and device files inside \$HOME don't work. Browsers install proprietary	90	This means that executing programs located in your home directory is forbidden.
54	DRM plug-ins such as Widevine under \$HOME by default. In order to use them, \$HOME must be mounted exec inside the sandbox to	91
55	allow their execution. Clearly, this may help an attacker to start malicious code.	92	Browsers install proprietary DRM plug-ins such as Widevine in your home directory.
		93	In order to use them, your home must be mounted <tt>exec</tt> inside the sandbox. This
		94	may give the people developing and distributing the plug-in access to your private
		95	data.
56		96
57	NOTE: Other software written in an interpreter language such as bash, python or java can always be started from \$HOME.	97	NOTE: Software written in an interpreted language such as bash, python or java can
		98	always be started from home directory.
58		99
59	HINT: If <tt>/home</tt> has its own partition, you can mount it <tt>nodev,nosuid</tt> for all programs.	100	HINT: If <tt>/home</tt> has its own partition, you can mount it <tt>nodev,nosuid</tt> for all programs.
60	EOM
61		101
62	read -r -d $'\0' MSG_L_ADVANCED_OPTIONS <<EOM
63	You maybe want to set some of these advanced options.
64	EOM	102	EOM
65		103
66	read -r -d $'\0' MSG_Q_RUN_FIRECFG <<EOM	104	if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_BROWSER_ALLOW_DRM"; then
67	<big><b>Should most programs be started in firejail by default?</b></big>	105	enable_drm=true
68	EOM	106	sed_scripts+=("-e s/# browser-allow-drm no/browser-allow-drm yes/")
		107	fi
		108
		109	#******************************************************
		110	# nonewprivs
		111	#******************************************************
		112	read -r -d $'\0' MSG_Q_NONEWPRIVS <<EOM
		113	<big><b>Should we force nonweprivs by default?</b></big>
		114
		115	nonewprivs is a Linux kernel feature that prevents programs from rising privileges.
		116	It is also a strong mitigation against exploits in Firejail. However, some programs
		117	like chromium, wireshark, or even ping might not work.
		118
		119	NOTE: seccomp enables nonewprivs automatically. Most applications supported by
		120	default by Firejail are using seccomp.
69		121
70	read -r -d $'\0' MSG_I_ROOT_REQUIRED <<EOM
71	In order to apply these changes, root privileges are required.
72	You will now be asked to enter your password.
73	EOM	122	EOM
74		123
75	read -r -d $'\0' MSG_I_FINISH <<EOM	124	if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_NONEWPRIVS"; then
76	🥳	125	enable_nonewprivs=true
		126	sed_scripts+=("-e s/# force-nonewprivs no/force-nonewprivs yes/")
		127	fi
		128
		129	#******************************************************
		130	# restricted network
		131	#******************************************************
		132	read -r -d $'\0' MSG_Q_NETWORK <<EOM
		133	<big><b>Should we restrict network functionality?</b></big>
		134
		135	Restrict all network related commands except '<tt>net none</tt>' to root only.
		136
77	EOM	137	EOM
78		138
79	if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_BROWSER_DISABLE_U2F"; then	139	if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_NETWORK"; then
80	sed_scripts+=("-e s/# browser-disable-u2f yes/browser-disable-u2f no/")	140	enable_restricted_net=true
		141	sed_scripts+=("-e s/# restricted-network no/restricted-network yes/")
81	fi	142	fi
82		143
83	if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_BROWSER_ALLOW_DRM"; then	144	#******************************************************
84	sed_scripts+=("-e s/# browser-allow-drm no/browser-allow-drm yes/")	145	# seccomp kill
		146	#******************************************************
		147	read -r -d $'\0' MSG_Q_SECCOMP <<EOM
		148	<big><b>Should we kill programs that violate seccomp rules?</b></big>
		149
		150	By default seccomp prevents the program from running the syscall and returns an error.
		151
		152	EOM
		153
		154	if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_SECCOMP"; then
		155	enable_seccomp_kill=true
		156	sed_scripts+=("-e s/# seccomp-error-action EPERM/seccomp-error-action kill/")
85	fi	157	fi
86		158
87	advanced_options=$(zenity --title=firejail-welcome.sh --list --width=800 --height=200 \
88	--text="$MSG_L_ADVANCED_OPTIONS" --multiple --checklist --separator=" " \
89	--column="" --column=Option --column=Description <<EOM
90		159
91	force-nonewprivs
92	Always set nonewprivs, this is a strong mitigation against exploits in firejail. However some programs like chromium or wireshark maybe don't work anymore.
93		160
94	restricted-network
95	Restrict all network related commands except 'net none' to root only.
96		161
97	seccomp-error-action=kill	162	#******************************************************
98	Kill programs which violate seccomp rules (default: return a error).	163	# root
		164	#******************************************************
		165	read -r -d $'\0' MSG_RUN <<EOM
		166	Now, I will apply the changes. This is what I will do:
99	EOM	167	EOM
100	)
101		168
102	if [[ $advanced_options == force-nonewprivs ]]; then	169	MSG_RUN+="\\n\\n"
103	sed_scripts+=("-e s/# force-nonewprivs no/force-nonewprivs yes/")	170	if [[ "$run_firecfg" == "true" ]]; then
		171	MSG_RUN+=" * enable Firejail for all recognized programs\\n"
104	fi	172	fi
105	if [[ $advanced_options == restricted-network ]]; then	173	if [[ "$enable_u2f" == "true" ]]; then
106	sed_scripts+=("-e s/# restricted-network no/restricted-network yes/")	174	MSG_RUN+=" * allow browsers to access U2F devices\\n"
107	fi	175	fi
108	if [[ $advanced_options == seccomp-error-action=kill ]]; then	176	if [[ "$enable_drm" == "true" ]]; then
109	sed_scripts+=("-e s/# seccomp-error-action EPERM/seccomp-error-action kill/")	177	MSG_RUN+=" * allow browsers to play DRM content\\n"
110	fi	178	fi
111		179	if [[ "$enable_nonewprivs" == "true" ]]; then
112	if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_RUN_FIRECFG"; then	180	MSG_RUN+=" * enable nonewprivs globally\\n"
113	run_firecfg=true
114	fi	181	fi
		182	if [[ "$enable_restricted_net" == "true" ]]; then
		183	MSG_RUN+=" * restrict networking features\\n"
		184	fi
		185	if [[ "$enable_seccomp_kill" == "true" ]]; then
		186	MSG_RUN+=" * enable seccomp kill\\n"
		187	fi
		188	MSG_RUN+="\\n\\nPress OK to continue, or close this window to stop the program."
115		189
116	zenity --title=firejail-welcome.sh --info --ellipsize --text="$MSG_I_ROOT_REQUIRED"	190	$PROGRAM --title="$TITLE" --info --width=600 --height=40 --text="$MSG_RUN"
		191	[[ $? -eq 1 ]] && exit 0
117		192
118	passwd=$(zenity --title=firejail-welcome.sh --password --cancel-label=OK)
119	if [[ -n "${sed_scripts[*]}" ]]; then	193	if [[ -n "${sed_scripts[*]}" ]]; then
120	sudo -S -p "" -- sed -i "${sed_scripts[@]}" /etc/firejail/firejail.config <<<"$passwd" \|\| { zenity --title=firejail-welcome.sh --error; exit 1; };	194	cp $SYSCONFDIR/firejail.config $SYSCONFDIR/firejail.config-
		195	sed -i "${sed_scripts[@]}" $SYSCONFDIR/firejail.config
121	fi	196	fi
122	if [[ "$run_firecfg" == "true" ]]; then	197	if [[ "$run_firecfg" == "true" ]]; then
123	sudo -S -p "" -- firecfg <<<"$passwd" \|\| { zenity --title=firejail-welcome.sh --error; exit 1; };	198	# return 55 to inform firecfg symlinks are desired
		199	exit 55
124	fi	200	fi
125	sudo -k
126	unset passwd
127		201
128	zenity --title=firejail-welcome.sh --info --icon-name=security-medium-symbolic --text="$MSG_I_FINISH"	202	#******************************************************
		203	# all done
		204	#******************************************************
		205	exit 0


diff --git a/src/firecfg/main.c b/src/firecfg/main.c index 0072c2768..19f2573f3 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c
@@ -22,6 +22,7 @@
22	#include "../include/firejail_user.h"	22	#include "../include/firejail_user.h"
23	int arg_debug = 0;	23	int arg_debug = 0;
24	char *arg_bindir = "/usr/local/bin";	24	char *arg_bindir = "/usr/local/bin";
		25	int arg_guide = 0;
25		26
26	static char *usage_str =	27	static char *usage_str =
27	"Firecfg is the desktop configuration utility for Firejail software. The utility\n"	28	"Firecfg is the desktop configuration utility for Firejail software. The utility\n"
@@ -375,8 +376,7 @@ int main(int argc, char **argv) {
375	return 0;	376	return 0;
376	}	377	}
377	else if (strcmp(argv[i], "--guide") == 0) {	378	else if (strcmp(argv[i], "--guide") == 0) {
378	return system(LIBDIR "/firejail/firejail-welcome.sh");	379	arg_guide = 1;
379	return 0;
380	}	380	}
381	else if (strcmp(argv[i], "--list") == 0) {	381	else if (strcmp(argv[i], "--list") == 0) {
382	list();	382	list();
@@ -442,6 +442,19 @@ int main(int argc, char **argv) {
442	umask(orig_umask);	442	umask(orig_umask);
443	}	443	}
444		444
		445	if (arg_guide) {
		446	int status = system("sudo "LIBDIR "/firejail/firejail-welcome.sh zenity " SYSCONFDIR);
		447	if (status == -1) {
		448	fprintf(stderr, "Error: cannot run firejail-welcome.sh\n");
		449	exit(1);
		450	}
		451
		452	// the last 8 bits of the status is the return value of the command executed by system()
		453	// firejail-welcome.sh returns 55 if setting sysmlinks is required
		454	if (WEXITSTATUS(status) != 55)
		455	return 0;
		456	}
		457
445	// clear all symlinks	458	// clear all symlinks
446	clean();	459	clean();
447		460
@@ -473,8 +486,6 @@ int main(int argc, char **argv) {
473	#endif	486	#endif
474	}	487	}
475		488
476
477
478	// set new symlinks based on ~/.config/firejail directory	489	// set new symlinks based on ~/.config/firejail directory
479	set_links_homedir(home);	490	set_links_homedir(home);
480		491