netfilter split

author: netblue30 <netblue30@yahoo.com> 2017-11-13 10:53:04 -0500
committer: netblue30 <netblue30@yahoo.com> 2017-11-13 10:53:04 -0500
commit: b24e0e4049229c7772b067c97b439622804112bb (patch)
tree: 6c20752432721277c94f4fd9b7b2fb3ec89786d9 /src
parent: cleanup (diff)
download: firejail-b24e0e4049229c7772b067c97b439622804112bb.tar.gz
firejail-b24e0e4049229c7772b067c97b439622804112bb.tar.zst
firejail-b24e0e4049229c7772b067c97b439622804112bb.zip
3 files changed, 22 insertions, 45 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 59bd4b959..ade23d89e 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -766,6 +766,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 // sbox.c
 // programs
 #define PATH_FNET (LIBDIR "/firejail/fnet")
+#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter")
 #define PATH_FIREMON (PREFIX "/bin/firemon")
 #define PATH_FIREJAIL (PREFIX "/bin/firejail")
 #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 23fdb8a6a..46ee22bf3 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -387,6 +387,7 @@ void fs_private_lib(void) {
        fslib_copy_libs(LIBDIR "/firejail/fcopy");
        fslib_copy_libs(LIBDIR "/firejail/fldd");
        fslib_copy_libs(LIBDIR "/firejail/fnet");
+        fslib_copy_libs(LIBDIR "/firejail/fnetfilter");
        fslib_copy_libs(LIBDIR "/firejail/fseccomp");
        fslib_copy_libs(LIBDIR "/firejail/ftee");
        // mount lib filesystem
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index 7246be8cf..517d0462f 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -24,33 +24,24 @@
 #include <sys/wait.h>
 #include <fcntl.h>
-static char *client_filter =
-"*filter\n"
-":INPUT DROP [0:0]\n"
-":FORWARD DROP [0:0]\n"
-":OUTPUT ACCEPT [0:0]\n"
-"-A INPUT -i lo -j ACCEPT\n"
-"-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
-"# echo replay is handled by -m state RELATED/ESTABLISHED below\n"
-"#-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT\n"
-"-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT\n"
-"-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT\n"
-"-A INPUT -p icmp --icmp-type echo-request -j ACCEPT \n"
-"# disable STUN\n"
-"-A OUTPUT -p udp --dport 3478 -j DROP\n"
-"-A OUTPUT -p udp --dport 3479 -j DROP\n"
-"-A OUTPUT -p tcp --dport 3478 -j DROP\n"
-"-A OUTPUT -p tcp --dport 3479 -j DROP\n"
-"COMMIT\n";
 void check_netfilter_file(const char *fname) {
        EUID_ASSERT();
-        invalid_filename(fname, 0); // no globbing
-        if (is_dir(fname) || is_link(fname) || strstr(fname, "..") || access(fname, R_OK )) {
+        char *tmp = strdup(fname);
-                fprintf(stderr, "Error: invalid network filter file %s\n", fname);
+        if (!tmp)
+                errExit("strdup");
+        char *ptr = strchr(tmp, ',');
+        if (ptr)
+                *ptr = '\0';
+        invalid_filename(tmp, 0); // no globbing
+        if (is_dir(tmp) || is_link(tmp) || strstr(tmp, "..") || access(tmp, R_OK )) {
+                fprintf(stderr, "Error: invalid network filter file %s\n", tmp);
                exit(1);
        }
+        free(tmp);
 }
@@ -72,29 +63,15 @@ void netfilter(const char *fname) {
                return;
        }
-        // read filter
+        // create an empty user-owned SBOX_STDIN_FILE
-        char *filter = client_filter;
+        create_empty_file_as_root(SBOX_STDIN_FILE, 0644);
-        int allocated = 0;
+        if (set_perms(SBOX_STDIN_FILE, getuid(), getgid(), 0644))
-        if (netfilter_default)
+                errExit("set_perms");
-                fname = netfilter_default;
-        if (fname) {
-                filter = read_text_file_or_exit(fname);
-                allocated = 1;
-        }
-        // create the filter file
+        if (fname == NULL)
-        FILE *fp = fopen(SBOX_STDIN_FILE, "w");
+                sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FNETFILTER, SBOX_STDIN_FILE);
-        if (!fp) {
+        else
-                fprintf(stderr, "Error: cannot open %s\n", SBOX_STDIN_FILE);
+                sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FNETFILTER, fname, SBOX_STDIN_FILE);
-                exit(1);
-        }
-        fprintf(fp, "%s\n", filter);
-        fclose(fp);
-        // push filter
-        if (arg_debug)
-                printf("Installing network filter:\n%s\n", filter);
        // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter
        // we run this command with caps and seccomp disabled in order to allow the loading of these modules
@@ -105,8 +82,6 @@ void netfilter(const char *fname) {
        if (arg_debug)
                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-vL");
-        if (allocated)
-                free(filter);
        return;
 }
author	netblue30 <netblue30@yahoo.com>	2017-11-13 10:53:04 -0500
committer	netblue30 <netblue30@yahoo.com>	2017-11-13 10:53:04 -0500
commit	b24e0e4049229c7772b067c97b439622804112bb (patch)
tree	6c20752432721277c94f4fd9b7b2fb3ec89786d9 /src
parent	cleanup (diff)
download	firejail-b24e0e4049229c7772b067c97b439622804112bb.tar.gz firejail-b24e0e4049229c7772b067c97b439622804112bb.tar.zst firejail-b24e0e4049229c7772b067c97b439622804112bb.zip