author | netblue30 <netblue30@yahoo.com> | 2017-06-04 11:48:27 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-06-04 11:48:27 -0400 |
commit | 881520edff69292ddbe05efada584f515ccadac4 (patch) | |
tree | a9e056d90d80464017f295b3fcd4ba6a69348a23 /src | |
parent | profile support in overlayfs mode (diff) | |
drop discretionary access control capabilities by default
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/caps.c | 11 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/join.c | 3 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 6 |
4 files changed, 17 insertions, 4 deletions
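--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -248,10 +248,17 @@ void caps_print(void) {
 	}
 }
 
+// drop discretionary access control capabilities by default in all sandboxes
+void caps_drop_dac_override(void) {
+	if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0));
+	else if (arg_debug)
+		printf("Drop CAP_DAC_OVERRIDE\n");
 
+	if (prctl(PR_CAPBSET_DROP, CAP_DAC_READ_SEARCH, 0, 0, 0));
+	else if (arg_debug)
+		printf("Drop CAP_DAC_READ_SEARCH\n");
+}
 
-
-// enabled by default
 int caps_default_filter(void) {
 	// drop capabilities
 	if (prctl(PR_CAPBSET_DROP, CAP_SYS_MODULE, 0, 0, 0))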
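Review bot: A failing prctl(PR_CAPBSET_DROP, ...) in caps_drop_dac_override is silently ignored: the empty statement after each `if` swallows the non-zero return, so the sandbox carries on as if CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH had left the bounding set when they have not (PR_CAPBSET_DROP fails with EPERM when the caller lacks CAP_SETPCAP). caps_default_filter below opens with the same prctl pattern but its error branch is outside the hunk, so I cannot confirm which convention this file uses; `errExit("prctl")` matches the convention visible elsewhere in this commit (join.c uses `errExit("fork")`), and if a best-effort drop is intended the failure should at least be reported under arg_debug. The `if (...); else if` form with an empty statement is also easy to misread as a missing body; writing the failure and success paths out makes the intent obvious. The rewritten function follows.
```c
void caps_drop_dac_override(void) {
	if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0) != 0)
		errExit("prctl");
	if (arg_debug)
		printf("Drop CAP_DAC_OVERRIDE\n");

	if (prctl(PR_CAPBSET_DROP, CAP_DAC_READ_SEARCH, 0, 0, 0) != 0)
		errExit("prctl");
	if (arg_debug)
		printf("Drop CAP_DAC_READ_SEARCH\n");
}
```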
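--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -533,6 +533,7 @@ void caps_check_list(const char *clist, void (*callback)(int));
 void caps_drop_list(const char *clist);
 void caps_keep_list(const char *clist);
 void caps_print_filter(pid_t pid);
+void caps_drop_dac_override(void);
 
 // syscall.c
 const char *syscall_find_nr(int nr);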
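--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -242,6 +242,9 @@ void join(pid_t pid, int argc, char **argv, int index) {
 	if (child < 0)
 		errExit("fork");
 	if (child == 0) {
+		// drop discretionary access control capabilities by default
+		caps_drop_dac_override();
+
 		// chroot into /proc/PID/root directory
 		char *rootdir;
 		if (asprintf(&rootdir, "/proc/%d/root", pid) == -1)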
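Review bot: The comment on the new call overstates what happens at this point: caps_drop_dac_override uses PR_CAPBSET_DROP, which only removes the two capabilities from the bounding set, so the child still holds CAP_DAC_OVERRIDE in its effective set for the chroot into /proc/PID/root that follows, and the drop is only enforced when the joined program is exec'ed (presumably later in join(), outside the hunk). That order is what makes the drop possible at all, since PR_CAPBSET_DROP itself needs CAP_SETPCAP, but the comment reads as if the privilege were gone immediately. I would replace it with `// remove DAC capabilities from the bounding set; enforced when the joined process execs`. The enclosing join() starts and ends outside the hunk.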
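--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -99,6 +99,9 @@ static void set_caps(void) {
 		caps_keep_list(arg_caps_list);
 	else if (arg_caps_default_filter)
 		caps_default_filter();
+
+	// drop discretionary access control capabilities by default
+	caps_drop_dac_override();
 }
 
 void save_nogroups(void) {
@@ -896,8 +899,7 @@ int sandbox(void* sandbox_arg) {
 	// set security filters
 	//****************************
 	// set capabilities
-	// if (!arg_noroot)
-		set_caps();
+	set_caps();
 
 	// set rlimits
 	set_rlimits();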
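Review bot: In set_caps the new caps_drop_dac_override() call runs unconditionally after every branch, including the `caps_keep_list(arg_caps_list)` path, so a profile or command line that explicitly keeps dac_override or dac_read_search is silently overridden (assuming the keep list accepts those names, which the hunk does not show). If that precedence is intended it should be stated where users will see it, e.g. `// drop discretionary access control capabilities by default; this takes precedence over caps.keep` here and a matching sentence in the user-facing documentation; if it is not intended, the call should be skipped on the keep-list branch. The second hunk only removes the commented-out `// if (!arg_noroot)` guard and needs nothing further; set_caps' start and its callers are outside the hunks.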