diff options
| author |  Kristóf Marussy <kris7topher@gmail.com> | 2019-12-29 23:19:15 +0100 |
|---|---|---|
| committer | Kristóf Marussy <kris7topher@gmail.com> | 2019-12-30 16:49:51 +0100 |
| commit | 02d09e86293be87768e6f93560e012e4a02e8666 (patch) | |
| tree | 4161dd6af9ba076f846b5586d384614179904e2d /src | |
| parent | Add sbox_run_v to run programs with explicit argument lists (diff) | |
| download | firejail-02d09e86293be87768e6f93560e012e4a02e8666.tar.gz firejail-02d09e86293be87768e6f93560e012e4a02e8666.tar.zst firejail-02d09e86293be87768e6f93560e012e4a02e8666.zip | |
Add capability filter for network services, additive filter
The new capability filter SBOX_CAPS_NET_SERVICE allows forked processes
to bind to low ports (privileged network services).
Because dhcp clients require both low ports and network administration
privileges, this patch also allows (bitwise) combination of capability filters
(except SBOX_CAPS_NONE, which completely drops any capabilities)
to grant both SBOX_CAPS_NETWORK and SBOX_CAPS_NET_SERVICE to a dhcp client.
This way, fnet and fnetfilter calls still do not get CAP_NET_BIND_SERVICE.
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/sbox.c | 35 |
1 files changed, 23 insertions, 12 deletions
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index a90cb7668..a1e65cd3c 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c | |||
| @@ -190,23 +190,34 @@ int sbox_run_v(unsigned filtermask, char * const arg[]) { | |||
| 190 | // apply filters | 190 | // apply filters |
| 191 | if (filtermask & SBOX_CAPS_NONE) { | 191 | if (filtermask & SBOX_CAPS_NONE) { |
| 192 | caps_drop_all(); | 192 | caps_drop_all(); |
| 193 | } | 193 | } else { |
| 194 | else if (filtermask & SBOX_CAPS_NETWORK) { | 194 | uint64_t set = 0; |
| 195 | if (filtermask & SBOX_CAPS_NETWORK) { | ||
| 195 | #ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files | 196 | #ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files |
| 196 | uint64_t set = ((uint64_t) 1) << CAP_NET_ADMIN; | 197 | set |= ((uint64_t) 1) << CAP_NET_ADMIN; |
| 197 | set |= ((uint64_t) 1) << CAP_NET_RAW; | 198 | set |= ((uint64_t) 1) << CAP_NET_RAW; |
| 198 | caps_set(set); | ||
| 199 | #endif | 199 | #endif |
| 200 | } | 200 | } |
| 201 | else if (filtermask & SBOX_CAPS_HIDEPID) { | 201 | if (filtermask & SBOX_CAPS_HIDEPID) { |
| 202 | #ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files | 202 | #ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files |
| 203 | uint64_t set = ((uint64_t) 1) << CAP_SYS_PTRACE; | 203 | set |= ((uint64_t) 1) << CAP_SYS_PTRACE; |
| 204 | set |= ((uint64_t) 1) << CAP_SYS_PACCT; | 204 | set |= ((uint64_t) 1) << CAP_SYS_PACCT; |
| 205 | caps_set(set); | ||
| 206 | #endif | 205 | #endif |
| 207 | } | 206 | } |
| 207 | if (filtermask & SBOX_CAPS_NET_SERVICE) { | ||
| 208 | #ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files | ||
| 209 | set |= ((uint64_t) 1) << CAP_NET_BIND_SERVICE; | ||
| 210 | set |= ((uint64_t) 1) << CAP_NET_BROADCAST; | ||
| 211 | #endif | ||
| 212 | } | ||
| 213 | if (set != 0) { // some SBOX_CAPS_ flag was specified, drop all other capabilities | ||
| 214 | #ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files | ||
| 215 | caps_set(set); | ||
| 216 | #endif | ||
| 217 | } | ||
| 218 | } | ||
| 208 | 219 | ||
| 209 | if (filtermask & SBOX_SECCOMP) { | 220 | if (filtermask & SBOX_SECCOMP) { |
| 210 | if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { | 221 | if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { |
| 211 | perror("prctl(NO_NEW_PRIVS)"); | 222 | perror("prctl(NO_NEW_PRIVS)"); |
| 212 | } | 223 | } |