author | startx2017 <vradu.startx@yandex.com> | 2019-06-03 11:53:52 -0400 |
committer | startx2017 <vradu.startx@yandex.com> | 2019-06-03 11:53:52 -0400 |
commit | 1f206ab956324b18fd19f5bf8716c2b5a011b935 (patch) | |
tree | 33e499c597361c2f780aed5124e0848105705a5b /src | |
parent | fix firemon reporting for processes started with --join (diff) | |
merge: mount runtime seccomp files read-only
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 16 | ||||
-rw-r--r-- | src/firejail/preproc.c | 2 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 7 |
3 files changed, 15 insertions, 10 deletions
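--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -59,13 +59,14 @@
 #define RUN_LIB_FILE "/run/firejail/mnt/libfiles"
 #define RUN_DNS_ETC "/run/firejail/mnt/dns-etc"
 
-#define RUN_SECCOMP_LIST "/run/firejail/mnt/seccomp.list" // list of seccomp files installed
-#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter
-#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter
-#define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp.32" // 32bit arch filter installed on 64bit architectures
-#define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute
-#define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter
-#define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library
+#define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp"
+#define RUN_SECCOMP_LIST "/run/firejail/mnt/seccomp/seccomp.list" // list of seccomp files installed
+#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp/seccomp.protocol" // protocol filter
+#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp/seccomp" // configured filter
+#define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp/seccomp.32" // 32bit arch filter installed on 64bit architectures
+#define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp/seccomp.mdwx" // filter for memory-deny-write-execute
+#define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp/seccomp.block_secondary" // secondary arch blocking filter
+#define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp/seccomp.postexec" // filter for post-exec library
 #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make
 #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make
 #define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make
@@ -96,7 +97,6 @@
 #define RUN_ASOUNDRC_FILE "/run/firejail/mnt/.asoundrc"
 #define RUN_HOSTNAME_FILE "/run/firejail/mnt/hostname"
 #define RUN_HOSTS_FILE "/run/firejail/mnt/hosts"
-#define RUN_RESOLVCONF_FILE "/run/firejail/mnt/resolv.conf"
 #define RUN_MACHINEID "/run/firejail/mnt/machine-id"
 #define RUN_LDPRELOAD_FILE "/run/firejail/mnt/ld.so.preload"
 #define RUN_UTMP_FILE "/run/firejail/mnt/utmp"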
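Review bot: The new `RUN_SECCOMP_DIR` define on line 62 of the first hunk is the only entry in the block without a trailing comment, while every neighbouring define says what its file holds. Because this directory is what preproc.c now creates and what sandbox.c remounts read-only, a reader of the header gets no hint that every RUN_SECCOMP_* file must stay under it; suggest `#define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp" // holds all runtime seccomp filters; remounted read-only in sandbox()`. The removal of RUN_RESOLVCONF_FILE in the second hunk is unrelated to the seccomp change and is not mentioned in the commit title, so if it came in with the merge it is worth a word in the description.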
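--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -82,6 +82,8 @@ void preproc_mount_mnt_dir(void) {
 fs_logger2("tmpfs", RUN_MNT_DIR);
 
 #ifdef HAVE_SECCOMP
+create_empty_dir_as_root(RUN_SECCOMP_DIR, 0755);
+
 if (arg_seccomp_block_secondary)
 copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed
 else {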
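Review bot: The new `create_empty_dir_as_root(RUN_SECCOMP_DIR, 0755);` on line 85 carries no comment explaining why the filters now get a directory of their own, and the reason is only visible in a different file (the fs_rdonly(RUN_SECCOMP_DIR) call in sandbox.c). Suggest `// keep all seccomp filters in one directory so sandbox() can remount it read-only once they are installed`. Whether the helper can return without creating the directory cannot be seen from this hunk; if it can fail without exiting, the copy_file calls that follow would target a missing directory, so that is worth confirming against its definition. preproc_mount_mnt_dir continues outside the hunk.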
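--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -898,8 +898,6 @@ int sandbox(void* sandbox_arg) {
 //****************************
 // set security filters
 //****************************
-// set capabilities
-set_caps();
 // set cpu affinity
 if (cfg.cpus) {
 save_cpu(); // save cpu affinity mask to CPU_CFG file
@@ -947,7 +945,12 @@ int sandbox(void* sandbox_arg) {
 int rv = unlink(RUN_SECCOMP_MDWX);
 (void) rv;
 }
+
+// make seccomp filters read-only
+fs_rdonly(RUN_SECCOMP_DIR);
 #endif
+// set capabilities
+set_caps();
 
 //****************************************
 // communicate progress of sandbox set up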
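Review bot: Moving `set_caps();` from line 901 in the first hunk to after the `#endif` at line 953 in the second changes when capabilities are dropped, and neither the new code nor the commit message says why. The likely reason is that `fs_rdonly(RUN_SECCOMP_DIR);` on line 950 performs a remount that still needs mount privileges, but everything between the old and the new position (cpu affinity and whatever sits between lines 905 and 947, outside the hunk) now also runs with the full capability set, a wider privileged window than before; a comment such as `// set capabilities - must stay after the read-only remount above, which needs mount privileges` would record the constraint so a later reorder does not silently undo it. The result of fs_rdonly is discarded on line 950; if it can fail, the filter directory stays writable and the point of the change is lost, so checking or logging that result is worth considering. sandbox() continues outside both hunks.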