Merge branch 'master' into fix-profile-builder

author: netblue30 <netblue30@yahoo.com> 2019-09-15 06:59:31 -0500
committer: GitHub <noreply@github.com> 2019-09-15 06:59:31 -0500
commit: 99da7745bfd2a7c3a8c982e15b7d9b38e4df9b4b (patch)
tree: aab0f8277a0ae1de922b8a9268b01428e8febd73 /src
parent: Make sure that we are unprivileged before creating the trace log file. (diff)
parent: Fix #2899 (diff)
download: firejail-99da7745bfd2a7c3a8c982e15b7d9b38e4df9b4b.tar.gz
firejail-99da7745bfd2a7c3a8c982e15b7d9b38e4df9b4b.tar.zst
firejail-99da7745bfd2a7c3a8c982e15b7d9b38e4df9b4b.zip
5 files changed, 75 insertions, 38 deletions
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index 3f507a361..a08cc66b3 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -28,11 +28,10 @@ int arg_quiet = 0;
 int arg_debug = 0;
 static int arg_follow_link = 0;
-static int copy_limit = 500 * 1024 *1024; // 500 MB
+static unsigned long long copy_limit = 500 * 1024 * 1024; // 500 MB
-#define COPY_LIMIT (
+static unsigned long long size_cnt = 0;
 static int size_limit_reached = 0;
 static unsigned file_cnt = 0;
-static unsigned size_cnt = 0;
 static char *outpath = NULL;
 static char *inpath = NULL;
@@ -187,7 +186,7 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
        // recalculate size
        if ((s.st_size + size_cnt) > copy_limit) {
-                fprintf(stderr, "Error fcopy: size limit of %dMB reached\n", (copy_limit / 1024) / 1024);
+                fprintf(stderr, "Error fcopy: size limit of %lluMB reached\n", (copy_limit / 1024) / 1024);
                size_limit_reached = 1;
                free(outfname);
                return 0;
@@ -392,9 +391,9 @@ int main(int argc, char **argv) {
        // extract copy limit size from env variable, if any
        char *cl = getenv("FIREJAIL_FILE_COPY_LIMIT");
        if (cl) {
-                copy_limit = atoi(cl) * 1024 * 1024;
+                copy_limit = strtoul(cl, NULL, 10) * 1024 * 1024;
                if (arg_debug)
-                        printf("file copy limit %d bytes\n", copy_limit);
+                        printf("file copy limit %llu bytes\n", copy_limit);
        }
        // copy files
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 6b2a92ad5..502449839 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -36,6 +36,7 @@ amule
 android-studio
 anydesk
 apktool
+ar
 arch-audit
 archaudit-report
 ardour4
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c
index 5d83786bb..1683d3140 100644
--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -201,11 +201,14 @@ static const SyscallGroupList sysgroups[] = {
 #endif
        },
        { .name = "@default", .list =
+          "@clock,"
          "@cpu-emulation,"
          "@debug,"
+          "@module,"
          "@obsolete,"
-          "@privileged,"
+          "@raw-io,"
-          "@resources,"
+          "@reboot,"
+          "@swap,"
 #ifdef SYS_open_by_handle_at
          "open_by_handle_at,"
 #endif
@@ -233,6 +236,15 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_request_key
          "request_key,"
 #endif
+#ifdef SYS_mbind
+          "mbind,"
+#endif
+#ifdef SYS_migrate_pages
+          "migrate_pages,"
+#endif
+#ifdef SYS_move_pages
+          "move_pages,"
+#endif
 #ifdef SYS_keyctl
          "keyctl,"
 #endif
@@ -254,6 +266,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_remap_file_pages
          "remap_file_pages,"
 #endif
+#ifdef SYS_set_mempolicy
+          "set_mempolicy"
+#endif
 #ifdef SYS_vmsplice
          "vmsplice,"
 #endif
@@ -263,6 +278,36 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_userfaultfd
          "userfaultfd,"
 #endif
+#ifdef SYS_acct
+          "acct,"
+#endif
+#ifdef SYS_bpf
+          "bpf,"
+#endif
+#ifdef SYS_chroot
+          "chroot,"
+#endif
+#ifdef SYS_mount
+          "mount,"
+#endif
+#ifdef SYS_nfsservctl
+          "nfsservctl,"
+#endif
+#ifdef SYS_pivot_root
+          "pivot_root,"
+#endif
+#ifdef SYS_setdomainname
+          "setdomainname,"
+#endif
+#ifdef SYS_sethostname
+          "sethostname,"
+#endif
+#ifdef SYS_umount2
+          "umount2,"
+#endif
+#ifdef SYS_vhangup
+          "vhangup"
+#endif
 //#ifdef SYS_mincore    // 0.9.57 - problem fixed in Linux kernel 5.0; on 4.x it will break kodi, mpv, totem
 //        "mincore"
 //#endif
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c
index b3f040e8f..0c21b9b70 100644
--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
@@ -52,10 +52,7 @@ static orig_access_t orig_access = NULL;
 //
 // library constructor/destructor
 //
-// Replacing printf with fprintf to /dev/tty in order to fix #561
+// Using fprintf to /dev/tty instead of printf in order to fix #561
-// If you really want to turn it off, comment the following line, but its a
-// really bad idea.
-#define PRINTF_DEVTTY
 static FILE *ftty = NULL;
 static pid_t mypid = 0;
 #define MAXNAME 16
@@ -75,12 +72,8 @@ void init(void) {
                // if exists, log to trace file
                logfile = RUN_TRACE_FILE;
                if (orig_access(logfile, F_OK))
-#ifdef PRINTF_DEVTTY
                        // else log to associated tty
                        logfile = "/dev/tty";
-#else
-                        logfile = "/proc/self/fd/2";
-#endif
        }
        
        // logfile
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 9f9d8e6ec..38bc0edc4 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1762,25 +1762,22 @@ Example:
 $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
-Enable seccomp filter and blacklist the syscalls in the default list (@default). The default list is as follows:
+Enable seccomp filter and blacklist the syscalls in the default list,
-_sysctl, acct, add_key, adjtimex, afs_syscall, bdflush, bpf, break, chroot, clock_adjtime, clock_settime,
+which is  @default-nodebuggers unless allow-debuggers is specified,
-create_module, delete_module, fanotify_init, finit_module, ftime, get_kernel_syms, getpmsg, gtty, init_module,
+then it is @default.
-io_cancel, io_destroy, io_getevents, io_setup, io_submit, ioperm, iopl, ioprio_set, kcmp, kexec_file_load,
-kexec_load, keyctl, lock, lookup_dcookie, mbind, migrate_pages, modify_ldt, mount, move_pages, mpx,
-name_to_handle_at, nfsservctl, ni_syscall, open_by_handle_at, pciconfig_iobase, pciconfig_read, pciconfig_write, perf_event_open,
-personality, pivot_root, process_vm_readv, process_vm_writev, prof, profil, ptrace, putpmsg,
-query_module, reboot, remap_file_pages, request_key, rtas, s390_mmio_read, s390_mmio_write, s390_runtime_instr,
-security, set_mempolicy, setdomainname, sethostname, settimeofday, sgetmask, ssetmask, stime, stty, subpage_prot,
-swapoff, swapon, switch_endian, sys_debug_setcontext, sysfs, syslog, tuxcall, ulimit, umount, umount2, uselib, userfaultfd, ustat, vhangup,
-vm86, vm86old, vmsplice and vserver.
 .br
 To help creating useful seccomp filters more easily, the following
-system call groups are defined: @clock, @cpu-emulation, @debug,
+system call groups are defined: @aio, @basic-io, @chown, @clock,
-@default, @default-nodebuggers, @default-keep, @module, @obsolete,
+@cpu-emulation, @debug, @default, @default-nodebuggers, @default-keep,
-@privileged, @raw-io, @reboot, @resources and @swap. In addition, a
+@file-system, @io-event, @ipc, @keyring, @memlock, @module, @mount,
-system call can be specified by its number instead of name with prefix
+@network-io, @obsolete, @privileged, @process, @raw-io, @reboot,
-$, so for example $165 would be equal to mount on i386.
+@resources, @setuid, @swap, @sync, @system-service and @timer.
+More informations about groups can be found in /usr/share/doc/firejail/syscalls.txt
+In addition, a system call can be specified by its number instead of
+name with prefix $, so for example $165 would be equal to mount on i386.
+Exceptions can be allowed with prefix !.
 .br
 System architecture is strictly imposed only if flag
@@ -1798,8 +1795,10 @@ Example:
 .br
 $ firejail \-\-seccomp
 .TP
-\fB\-\-seccomp=syscall,@group
+\fB\-\-seccomp=syscall,@group,!syscall2
-Enable seccomp filter, blacklist the default list (@default) and the syscalls or syscall groups specified by the command.
+Enable seccomp filter, whitelist "syscall2", but blacklist the default
+list and the syscalls or syscall groups specified by the
+command.
 .br
 .br
@@ -1899,10 +1898,10 @@ rm: cannot remove `testfile': Operation not permitted
 .TP
-\fB\-\-seccomp.keep=syscall,syscall,syscall
+\fB\-\-seccomp.keep=syscall,@group,!syscall2
-Enable seccomp filter, and whitelist the syscalls specified by the
+Enable seccomp filter, blacklist all syscall not listed and "syscall2".
-command. The system calls needed by Firejail (group @default-keep:
+The system calls needed by Firejail (group @default-keep: prctl, execve)
-prctl, execve) are handled with the preload library.
+are handled with the preload library.
 .br
 .br
author	netblue30 <netblue30@yahoo.com>	2019-09-15 06:59:31 -0500
committer	GitHub <noreply@github.com>	2019-09-15 06:59:31 -0500
commit	99da7745bfd2a7c3a8c982e15b7d9b38e4df9b4b (patch)
tree	aab0f8277a0ae1de922b8a9268b01428e8febd73 /src
parent	Make sure that we are unprivileged before creating the trace log file. (diff)
parent	Fix #2899 (diff)
download	firejail-99da7745bfd2a7c3a8c982e15b7d9b38e4df9b4b.tar.gz firejail-99da7745bfd2a7c3a8c982e15b7d9b38e4df9b4b.tar.zst firejail-99da7745bfd2a7c3a8c982e15b7d9b38e4df9b4b.zip