author | netblue30 <netblue30@yahoo.com> | 2015-11-03 08:55:40 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2015-11-03 08:55:40 -0500 |
commit | dbb15d0067f1fce7478ff4059a5e1d78dec37804 (patch) | |
tree | fb9d4cc6902c65d69df90e8a2fc108b58c4d6afa /src | |
parent | cleanup (diff) | |
--private.print option
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/cpu.c | 4 | ||||
-rw-r--r-- | src/firejail/firejail.h | 3 | ||||
-rw-r--r-- | src/firejail/join.c | 9 | ||||
-rw-r--r-- | src/firejail/protocol.c | 145 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 3 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 5 |
6 files changed, 138 insertions, 31 deletions
diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c index 6dcbbd07b..807dc55a4 100644 --- a/src/firejail/cpu.c +++ b/src/firejail/cpu.c | |||
@@ -75,6 +75,8 @@ void save_cpu(void) { | |||
75 | if (fp) { | 75 | if (fp) { |
76 | fprintf(fp, "%x\n", cfg.cpus); | 76 | fprintf(fp, "%x\n", cfg.cpus); |
77 | fclose(fp); | 77 | fclose(fp); |
78 | if (chmod(CPU_CFG, 0600) < 0) | ||
79 | errExit("chmod"); | ||
78 | if (chown(CPU_CFG, 0, 0) < 0) | 80 | if (chown(CPU_CFG, 0, 0) < 0) |
79 | errExit("chown"); | 81 | errExit("chown"); |
80 | } | 82 | } |
@@ -126,7 +128,7 @@ void set_cpu_affinity(void) { | |||
126 | fprintf(stderr, " "); | 128 | fprintf(stderr, " "); |
127 | perror("sched_getaffinity"); | 129 | perror("sched_getaffinity"); |
128 | } | 130 | } |
129 | else { | 131 | else if (arg_debug) { |
130 | if (CPU_EQUAL(&mask, &mask2)) | 132 | if (CPU_EQUAL(&mask, &mask2)) |
131 | printf("CPU affinity set\n"); | 133 | printf("CPU affinity set\n"); |
132 | else | 134 | else |
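Review bot: The new chmod() at lines 78-79 runs on the path after the file has already been written and closed, so between the fopen(..., "w") at the top of save_cpu (outside the hunk) and this call the file carries whatever mode the umask produced, and both chmod() and the existing chown() re-resolve the path and would follow a symlink planted at CPU_CFG. Doing the permission fix on the open descriptor before the write removes both the window and the second path lookup: `if (fchmod(fileno(fp), 0600) < 0) errExit("fchmod");` right after the `if (fp) {` check, with `fchown(fileno(fp), 0, 0)` replacing the path-based chown() the same way. Whether /tmp/firejail/mnt is already private to the sandbox at this point is not visible here, so the practical reach of the window depends on that, but the fd-based calls cost nothing either way. The second hunk of this section gates the affinity verification output behind arg_debug; if the else branch that continues past the hunk warns on a mask mismatch, that warning is now hidden unless --debug is given.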
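--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -31,6 +31,7 @@
 #define CGROUP_CFG "/tmp/firejail/mnt/cgroup"
 #define CPU_CFG "/tmp/firejail/mnt/cpu"
 #define GROUPS_CFG "/tmp/firejail/mnt/groups"
+#define PROTOCOL_CFG "/tmp/firejail/mnt/protocol"
 #define CP_COMMAND "/tmp/firejail/mnt/cp"
 #define HOME_DIR "/tmp/firejail/mnt/home"
 #define ETC_DIR "/tmp/firejail/mnt/etc"
@@ -447,5 +448,7 @@ void protocol_print_filter_name(const char *name);
 void protocol_print_filter(pid_t pid);
 void protocol_store(const char *prlist);
 void protocol_filter(void);
+void protocol_filter_save(void);
+void protocol_filter_load(const char *fname);
 #endif
 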
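Review bot: The two prototypes added at lines 451-452 carry no comment on a contract that the join.c hunk in this same commit already depends on: per its definition in protocol.c, protocol_filter_load() returns silently when fname cannot be opened and replaces cfg.protocol via strdup() without freeing any previous value. I'd state that at the declaration, `// load a protocol list from fname into cfg.protocol; silent no-op if the file cannot be opened`, and above protocol_filter_save() `// persist cfg.protocol to PROTOCOL_CFG as a root-owned 0600 file`. The PROTOCOL_CFG define itself follows the existing /tmp/firejail/mnt pattern of CPU_CFG and friends and needs no further note.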
diff --git a/src/firejail/join.c b/src/firejail/join.c index 91dad420a..64e092197 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -144,7 +144,7 @@ static void extract_caps_seccomp(pid_t pid) { | |||
144 | free(file); | 144 | free(file); |
145 | } | 145 | } |
146 | 146 | ||
147 | void extract_user_namespace(pid_t pid) { | 147 | static void extract_user_namespace(pid_t pid) { |
148 | // test user namespaces available in the kernel | 148 | // test user namespaces available in the kernel |
149 | struct stat s1; | 149 | struct stat s1; |
150 | struct stat s2; | 150 | struct stat s2; |
@@ -280,9 +280,16 @@ void join(pid_t pid, const char *homedir, int argc, char **argv, int index) { | |||
280 | if (apply_caps == 1) | 280 | if (apply_caps == 1) |
281 | caps_set(caps); | 281 | caps_set(caps); |
282 | #ifdef HAVE_SECCOMP | 282 | #ifdef HAVE_SECCOMP |
283 | // set protocol filter | ||
284 | protocol_filter_load(PROTOCOL_CFG); | ||
285 | if (cfg.protocol) { | ||
286 | protocol_filter(); | ||
287 | } | ||
288 | |||
283 | // set seccomp filter | 289 | // set seccomp filter |
284 | if (apply_seccomp == 1) | 290 | if (apply_seccomp == 1) |
285 | seccomp_set(); | 291 | seccomp_set(); |
292 | |||
286 | #endif | 293 | #endif |
287 | 294 | ||
288 | // fix qt 4.8 | 295 | // fix qt 4.8 |
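Review bot: The joined process derives its seccomp protocol filter from a file read out of the target sandbox (lines 283-287), so the trust direction is inverted: the filter applied to the new process is exactly whatever PROTOCOL_CFG contains, and protocol_filter_load() returns silently when the file cannot be opened, so a missing or unreadable file yields a join with no protocol filter and no diagnostic. The file is written root-owned 0600 by protocol_filter_save() in this commit, which limits tampering to root inside the sandbox, but presumably this read happens after switching into the target's mount namespace (not visible in the hunk), and the silent path means an administrator cannot tell a sandbox started without --protocol from one whose config file was removed. I'd make the absence visible at minimum, `if (!cfg.protocol && arg_debug) printf("No protocol filter found in %s\n", PROTOCOL_CFG);`, and consider treating a missing file as an error once the joiner can tell that the sandbox was started with --protocol. Note also that this block runs regardless of apply_seccomp, unlike the seccomp_set() call just below it; if that asymmetry is intended it deserves a comment. join()'s body starts and ends outside the hunk.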
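--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -114,27 +114,6 @@ void protocol_list(void) {
 printf("\n");
 }
 
-// --protocol.print
-void protocol_print_filter_name(const char *name) {
-(void) name;
-#ifdef SYS_socket
-//todo
-#else
-fprintf(stderr, "Warning: --protocol not supported on this platform\n");
-return;
-#endif
-}
-
-// --protocol.print
-void protocol_print_filter(pid_t pid) {
-(void) pid;
-#ifdef SYS_socket
-//todo
-#else
-fprintf(stderr, "Warning: --protocol not supported on this platform\n");
-return;
-#endif
-}
 
 // check protocol list and store it in cfg structure
 void protocol_store(const char *prlist) {
@@ -171,6 +150,8 @@ errout:
 // install protocol filter
 void protocol_filter(void) {
 assert(cfg.protocol);
+if (arg_debug)
+printf("Set protocol filter: %s\n", cfg.protocol);
 
 #ifndef SYS_socket
 (void) find_protocol_domain;
@@ -273,10 +254,126 @@ printf("entries %u\n", (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (uns
 fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
 return;
 }
-else if (arg_debug) {
-printf("seccomp protocol filter enabled\n");
-}
 #endif // SYS_socket
 }
 
+void protocol_filter_save(void) {
+// save protocol filter configuration in PROTOCOL_CFG
+fs_build_mnt_dir();
+
+FILE *fp = fopen(PROTOCOL_CFG, "w");
+if (!fp)
+errExit("fopen");
+fprintf(fp, "%s\n", cfg.protocol);
+fclose(fp);
+
+if (chmod(PROTOCOL_CFG, 0600) < 0)
+errExit("chmod");
+
+if (chown(PROTOCOL_CFG, 0, 0) < 0)
+errExit("chown");
+
+}
+
+void protocol_filter_load(const char *fname) {
+assert(fname);
+
+// read protocol filter configuration from PROTOCOL_CFG
+FILE *fp = fopen(fname, "r");
+if (!fp)
+return;
+
+const int MAXBUF = 4098;
+char buf[MAXBUF];
+if (fgets(buf, MAXBUF, fp) == NULL) {
+// empty file
+fclose(fp);
+return;
+}
+fclose(fp);
+
+char *ptr = strchr(buf, '\n');
+if (ptr)
+*ptr = '\0';
+cfg.protocol = strdup(buf);
+if (!cfg.protocol)
+errExit("strdup");
+}
+
+
+// --protocol.print
+void protocol_print_filter_name(const char *name) {
+(void) name;
+#ifdef SYS_socket
+if (!name || strlen(name) == 0) {
+fprintf(stderr, "Error: invalid sandbox name\n");
+exit(1);
+}
+pid_t pid;
+if (name2pid(name, &pid)) {
+fprintf(stderr, "Error: cannot find sandbox %s\n", name);
+exit(1);
+}
+
+protocol_print_filter(pid);
+#else
+fprintf(stderr, "Warning: --protocol not supported on this platform\n");
+return;
+#endif
+}
+
+// --protocol.print
+void protocol_print_filter(pid_t pid) {
+(void) pid;
+#ifdef SYS_socket
+// if the pid is that of a firejail process, use the pid of the first child process
+char *comm = pid_proc_comm(pid);
+if (comm) {
+// remove \n
+char *ptr = strchr(comm, '\n');
+if (ptr)
+*ptr = '\0';
+if (strcmp(comm, "firejail") == 0) {
+pid_t child;
+if (find_child(pid, &child) == 0) {
+pid = child;
+}
+}
+free(comm);
+}
+
+// check privileges for non-root users
+uid_t uid = getuid();
+if (uid != 0) {
+uid_t sandbox_uid = pid_get_uid(pid);
+if (uid != sandbox_uid) {
+fprintf(stderr, "Error: permission denied.\n");
+exit(1);
+}
+}
+
+// find the seccomp filter
+char *fname;
+if (asprintf(&fname, "/proc/%d/root%s", pid, PROTOCOL_CFG) == -1)
+errExit("asprintf");
+
+struct stat s;
+if (stat(fname, &s) == -1) {
+printf("Cannot access seccomp filter.\n");
+exit(1);
+}
+
+// read and print the filter
+protocol_filter_load(fname);
+free(fname);
+if (cfg.protocol)
+printf("%s\n", cfg.protocol);
+exit(0);
+#else
+fprintf(stderr, "Warning: --protocol not supported on this platform\n");
+return;
+#endif
+}
+
+
 #endif // HAVE_SECCOMP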
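Review bot: protocol_print_filter() (new lines 355-368) opens a path under the target sandbox's root via /proc/PID/root after checking only that the caller's uid matches the sandbox's, and nothing verifies that what it finds is the regular root-owned 0600 file protocol_filter_save() writes, so a symlink planted at /tmp/firejail/mnt/protocol inside the sandbox is followed and its first line is echoed back to the caller; since the file is 0600 root:root yet non-root callers are admitted, the fopen() inside protocol_filter_load() must be running with elevated privileges for the feature to work at all (where privileges are dropped is not visible in this hunk), which would make this a one-line arbitrary-file read over the sandbox's view of the filesystem. I'd replace the stat()/fopen() pair with open(O_RDONLY|O_NOFOLLOW|O_CLOEXEC) followed by fstat() on the descriptor and refuse anything failing `if (!S_ISREG(s.st_mode) || s.st_uid != 0 || (s.st_mode & 077))` before a byte is read, then fdopen() for the fgets(). Separately, protocol_filter_load() stores the file contents with a bare strdup() at line 298, whereas the command-line path goes through protocol_store(), which the existing comment describes as checking the list, so a filter loaded from disk in join() skips that validation; passing buf to protocol_store() instead would close the gap. The message at line 362, `Cannot access seccomp filter.`, also names the wrong thing (this is the protocol filter) and goes to stdout while the sibling errors use stderr; `fprintf(stderr, "Error: cannot access protocol filter\n");` would match them. protocol_filter_save() repeats the path-based chmod()/chown() after fclose() pattern from cpu.c, with the same umask window and symlink exposure that fchmod()/fchown() on the open descriptor would avoid.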
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index d9ce717e0..79ed473c0 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -425,7 +425,8 @@ int sandbox(void* sandbox_arg) { | |||
425 | #ifdef HAVE_SECCOMP | 425 | #ifdef HAVE_SECCOMP |
426 | // install protocol filter | 426 | // install protocol filter |
427 | if (cfg.protocol) { | 427 | if (cfg.protocol) { |
428 | protocol_filter(); | 428 | protocol_filter(); // install filter |
429 | protocol_filter_save(); // save filter in PROTOCOL_CFG | ||
429 | } | 430 | } |
430 | 431 | ||
431 | // if a keep list is available, disregard the drop list | 432 | // if a keep list is available, disregard the drop list |
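Review bot: protocol_filter_save() at line 429 runs unconditionally after protocol_filter(), but protocol_filter() has a warn-and-return path when seccomp is unavailable (visible in this commit's protocol.c hunk: "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer"), so in that case PROTOCOL_CFG records a filter that was never installed, and both --protocol.print and a later --join will report or re-apply it as though it were in effect. I'd have protocol_filter() return an int that is 0 only when the filter was actually loaded and write `if (protocol_filter() == 0) protocol_filter_save();`, which also touches the prototype in firejail.h; failing that, protocol_filter_save() should at least not be reached on the warning path. sandbox() starts and ends outside the hunk.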
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index f8053d698..a3efa54df 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
@@ -385,7 +385,7 @@ void seccomp_filter_32(void) { | |||
385 | ; | 385 | ; |
386 | } | 386 | } |
387 | else if (arg_debug) { | 387 | else if (arg_debug) { |
388 | printf("dual i386/amd64 seccomp filter\n"); | 388 | printf("Dual i386/amd64 seccomp filter configured\n"); |
389 | } | 389 | } |
390 | } | 390 | } |
391 | 391 | ||
@@ -598,9 +598,6 @@ int seccomp_filter_drop(void) { | |||
598 | fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n"); | 598 | fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n"); |
599 | return 1; | 599 | return 1; |
600 | } | 600 | } |
601 | else if (arg_debug) { | ||
602 | printf("seccomp enabled\n"); | ||
603 | } | ||
604 | 601 | ||
605 | return 0; | 602 | return 0; |
606 | } | 603 | } |