diff options
| author |  startx2017 <vradu.startx@yandex.com> | 2018-05-09 19:40:29 -0400 |
|---|---|---|
| committer | startx2017 <vradu.startx@yandex.com> | 2018-05-09 19:40:29 -0400 |
| commit | 694e2027c5b6d03919bac4b5b305f6d3d834786c (patch) | |
| tree | 545d1817d90f7b3b867f79d110f8497670ac054c /src | |
| parent | firemon/prctl enhancements (diff) | |
| parent | merges (diff) | |
| download | firejail-694e2027c5b6d03919bac4b5b305f6d3d834786c.tar.gz firejail-694e2027c5b6d03919bac4b5b305f6d3d834786c.tar.zst firejail-694e2027c5b6d03919bac4b5b305f6d3d834786c.zip | |
Merge branch 'master' of https://github.com/netblue30/firejail
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/firejail.h | 1 | ||||
| -rw-r--r-- | src/firejail/fs_whitelist.c | 6 | ||||
| -rw-r--r-- | src/firejail/main.c | 8 | ||||
| -rw-r--r-- | src/firejail/sbox.c | 7 |
4 files changed, 17 insertions, 5 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 8c0b3ba4e..ec227340b 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -792,6 +792,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc, | |||
| 792 | #define SBOX_CAPS_NETWORK (1 << 4) // caps filter for programs running network programs | 792 | #define SBOX_CAPS_NETWORK (1 << 4) // caps filter for programs running network programs |
| 793 | #define SBOX_ALLOW_STDIN (1 << 5) // don't close stdin | 793 | #define SBOX_ALLOW_STDIN (1 << 5) // don't close stdin |
| 794 | #define SBOX_STDIN_FROM_FILE (1 << 6) // open file and redirect it to stdin | 794 | #define SBOX_STDIN_FROM_FILE (1 << 6) // open file and redirect it to stdin |
| 795 | #define SBOX_CAPS_HIDEPID (1 << 7) // hidepid caps filter for running firemon | ||
| 795 | 796 | ||
| 796 | // run sbox | 797 | // run sbox |
| 797 | int sbox_run(unsigned filter, int num, ...); | 798 | int sbox_run(unsigned filter, int num, ...); |
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index a765be1b6..b1b30cd5e 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
| @@ -196,6 +196,7 @@ static void whitelist_path(ProfileEntry *entry) { | |||
| 196 | const char *fname; | 196 | const char *fname; |
| 197 | char *wfile = NULL; | 197 | char *wfile = NULL; |
| 198 | 198 | ||
| 199 | EUID_USER(); | ||
| 199 | if (entry->home_dir) { | 200 | if (entry->home_dir) { |
| 200 | if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) { | 201 | if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) { |
| 201 | fname = path + strlen(cfg.homedir); | 202 | fname = path + strlen(cfg.homedir); |
| @@ -290,9 +291,12 @@ static void whitelist_path(ProfileEntry *entry) { | |||
| 290 | if (arg_debug || arg_debug_whitelists) | 291 | if (arg_debug || arg_debug_whitelists) |
| 291 | printf("Whitelisting %s\n", path); | 292 | printf("Whitelisting %s\n", path); |
| 292 | } | 293 | } |
| 293 | else | 294 | else { |
| 295 | EUID_ROOT(); | ||
| 294 | return; | 296 | return; |
| 297 | } | ||
| 295 | 298 | ||
| 299 | EUID_ROOT(); | ||
| 296 | // create the path if necessary | 300 | // create the path if necessary |
| 297 | mkpath(path, s.st_mode); | 301 | mkpath(path, s.st_mode); |
| 298 | fs_logger2("whitelist", path); | 302 | fs_logger2("whitelist", path); |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 2e47dd938..9d28f3352 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -551,21 +551,21 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
| 551 | } | 551 | } |
| 552 | else if (strcmp(argv[i], "--list") == 0) { | 552 | else if (strcmp(argv[i], "--list") == 0) { |
| 553 | if (pid_hidepid()) | 553 | if (pid_hidepid()) |
| 554 | sbox_run(SBOX_ROOT| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list"); | 554 | sbox_run(SBOX_ROOT| SBOX_CAPS_HIDEPID | SBOX_SECCOMP, 2, PATH_FIREMON, "--list"); |
| 555 | else | 555 | else |
| 556 | sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list"); | 556 | sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list"); |
| 557 | exit(0); | 557 | exit(0); |
| 558 | } | 558 | } |
| 559 | else if (strcmp(argv[i], "--tree") == 0) { | 559 | else if (strcmp(argv[i], "--tree") == 0) { |
| 560 | if (pid_hidepid()) | 560 | if (pid_hidepid()) |
| 561 | sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree"); | 561 | sbox_run(SBOX_ROOT | SBOX_CAPS_HIDEPID | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree"); |
| 562 | else | 562 | else |
| 563 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree"); | 563 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree"); |
| 564 | exit(0); | 564 | exit(0); |
| 565 | } | 565 | } |
| 566 | else if (strcmp(argv[i], "--top") == 0) { | 566 | else if (strcmp(argv[i], "--top") == 0) { |
| 567 | if (pid_hidepid()) | 567 | if (pid_hidepid()) |
| 568 | sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, | 568 | sbox_run(SBOX_ROOT | SBOX_CAPS_HIDEPID | SBOX_SECCOMP | SBOX_ALLOW_STDIN, |
| 569 | 2, PATH_FIREMON, "--top"); | 569 | 2, PATH_FIREMON, "--top"); |
| 570 | else | 570 | else |
| 571 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, | 571 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, |
| @@ -577,7 +577,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
| 577 | if (checkcfg(CFG_NETWORK)) { | 577 | if (checkcfg(CFG_NETWORK)) { |
| 578 | struct stat s; | 578 | struct stat s; |
| 579 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0 || pid_hidepid()) | 579 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0 || pid_hidepid()) |
| 580 | sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, | 580 | sbox_run(SBOX_ROOT | SBOX_CAPS_HIDEPID | SBOX_SECCOMP | SBOX_ALLOW_STDIN, |
| 581 | 2, PATH_FIREMON, "--netstats"); | 581 | 2, PATH_FIREMON, "--netstats"); |
| 582 | else | 582 | else |
| 583 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, | 583 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, |
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index 53df20a54..c11daad58 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c | |||
| @@ -166,6 +166,13 @@ int sbox_run(unsigned filter, int num, ...) { | |||
| 166 | caps_set(set); | 166 | caps_set(set); |
| 167 | #endif | 167 | #endif |
| 168 | } | 168 | } |
| 169 | else if (filter & SBOX_CAPS_HIDEPID) { | ||
| 170 | #ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files | ||
| 171 | uint64_t set = ((uint64_t) 1) << CAP_SYS_PTRACE; | ||
| 172 | set |= ((uint64_t) 1) << CAP_SYS_PACCT; | ||
| 173 | caps_set(set); | ||
| 174 | #endif | ||
| 175 | } | ||
| 169 | 176 | ||
| 170 | if (filter & SBOX_SECCOMP) { | 177 | if (filter & SBOX_SECCOMP) { |
| 171 | if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { | 178 | if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { |