author | netblue30 <netblue30@yahoo.com> | 2016-06-05 18:47:26 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-06-05 18:47:26 -0400 |
commit | d7b05860cfe2e2f9a0e4efd1eb56000437f8f371 (patch) | |
tree | 8a50955c03c37bbcd4b1fa1cce6f0cb6f7b1bb5e /src | |
parent | spelling (diff) | |
download | firejail-d7b05860cfe2e2f9a0e4efd1eb56000437f8f371.tar.gz firejail-d7b05860cfe2e2f9a0e4efd1eb56000437f8f371.tar.zst firejail-d7b05860cfe2e2f9a0e4efd1eb56000437f8f371.zip |
/proc cleanup
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs.c | 106 |
1 files changed, 35 insertions, 71 deletions
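diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index c38a9a32e..984d413a3 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -248,8 +248,6 @@ static void disable_file(OPERATION op, const char *filename) {
 	// Resolve all symlinks
 	char* fname = realpath(filename, NULL);
 	if (fname == NULL && errno != EACCES) {
-		if (arg_debug)
-			printf("Warning (realpath): %s is an invalid file, skipping...\n", filename);
 		return;
 	}
 	if (fname == NULL && errno == EACCES) {
@@ -601,89 +599,55 @@ void fs_proc_sys_dev_boot(void) {
 		fs_logger("remount /sys");
 	}
 
-	if (stat("/sys/firmware", &s) == 0) {
-		disable_file(BLACKLIST_FILE, "/sys/firmware");
-	}
-
-	if (stat("/sys/hypervisor", &s) == 0) {
-		disable_file(BLACKLIST_FILE, "/sys/hypervisor");
-	}
-
-	if (stat("/sys/fs", &s) == 0) {
-		disable_file(BLACKLIST_FILE, "/sys/fs");
-	}
-
-	if (stat("/sys/module", &s) == 0) {
-		disable_file(BLACKLIST_FILE, "/sys/module");
-	}
-
-	if (stat("/sys/power", &s) == 0) {
-		disable_file(BLACKLIST_FILE, "/sys/power");
-	}
+	disable_file(BLACKLIST_FILE, "/sys/firmware");
+	disable_file(BLACKLIST_FILE, "/sys/hypervisor");
+	disable_file(BLACKLIST_FILE, "/sys/fs");
+	disable_file(BLACKLIST_FILE, "/sys/module");
+	disable_file(BLACKLIST_FILE, "/sys/power");
+	disable_file(BLACKLIST_FILE, "/sys/kernel/debug");
+	disable_file(BLACKLIST_FILE, "/sys/kernel/vmcoreinfo");
+	disable_file(BLACKLIST_FILE, "/sys/kernel/uevent_helper");
 
 	// if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0)
 	// errExit("mounting /sys");
 
-	// Disable SysRq
-	// a linux box can be shut down easily using the following commands (as root):
-	// # echo 1 > /proc/sys/kernel/sysrq
-	// #echo b > /proc/sysrq-trigger
-	// for more information see https://www.kernel.org/doc/Documentation/sysrq.txt
-	if (arg_debug)
-		printf("Disable /proc/sysrq-trigger\n");
-	fs_rdonly_noexit("/proc/sysrq-trigger");
-
-	// disable hotplug and uevent_helper
-	if (arg_debug)
-		printf("Disable /proc/sys/kernel/hotplug\n");
-	fs_rdonly_noexit("/proc/sys/kernel/hotplug");
-	if (arg_debug)
-		printf("Disable /sys/kernel/uevent_helper\n");
-	fs_rdonly_noexit("/sys/kernel/uevent_helper");
-
-	// read-only /proc/irq and /proc/bus
-	if (arg_debug)
-		printf("Disable /proc/irq\n");
-	fs_rdonly_noexit("/proc/irq");
-	if (arg_debug)
-		printf("Disable /proc/bus\n");
-	fs_rdonly_noexit("/proc/bus");
-
-	// disable /proc/kcore
-	disable_file(BLACKLIST_FILE, "/proc/kcore");
 
-	// disable /proc/kallsyms
+	// various /proc/sys files
+	disable_file(BLACKLIST_FILE, "/proc/sys/security");
+	disable_file(BLACKLIST_FILE, "/proc/sys/efi/vars");
+	disable_file(BLACKLIST_FILE, "/proc/sys/fs/binfmt_misc");
+	disable_file(BLACKLIST_FILE, "/proc/sys/kernel/core_pattern");
+	disable_file(BLACKLIST_FILE, "/proc/sys/kernel/modprobe");
+	disable_file(BLACKLIST_FILE, "/proc/sysrq-trigger");
+	disable_file(BLACKLIST_FILE, "/proc/sys/kernel/hotplug");
+	disable_file(BLACKLIST_FILE, "/proc/sys/vm/panic_on_oom");
+
+
+	// various /proc files
+	disable_file(BLACKLIST_FILE, "/proc/irq");
+	disable_file(BLACKLIST_FILE, "/proc/bus");
+	disable_file(BLACKLIST_FILE, "/proc/config.gz");
+	disable_file(BLACKLIST_FILE, "/proc/sched_debug");
+	disable_file(BLACKLIST_FILE, "/proc/timer_list");
+	disable_file(BLACKLIST_FILE, "/proc/timer_stats");
+	disable_file(BLACKLIST_FILE, "/proc/kcore");
 	disable_file(BLACKLIST_FILE, "/proc/kallsyms");
+	disable_file(BLACKLIST_FILE, "/proc/mem");
+	disable_file(BLACKLIST_FILE, "/proc/kmem");
 
 	// disable /boot
-	if (stat("/boot", &s) == 0) {
-		if (arg_debug)
-			printf("Disable /boot directory\n");
-		disable_file(BLACKLIST_FILE, "/boot");
-	}
+	disable_file(BLACKLIST_FILE, "/boot");
 
 	// disable /selinux
-	if (stat("/selinux", &s) == 0) {
-		if (arg_debug)
-			printf("Disable /selinux directory\n");
-		disable_file(BLACKLIST_FILE, "/selinux");
-	}
+	disable_file(BLACKLIST_FILE, "/selinux");
 
 	// disable /dev/port
-	if (stat("/dev/port", &s) == 0) {
-		disable_file(BLACKLIST_FILE, "/dev/port");
-	}
+	disable_file(BLACKLIST_FILE, "/dev/port");
 
 	if (getuid() != 0) {
-		// disable /dev/kmsg
-		if (stat("/dev/kmsg", &s) == 0) {
-			disable_file(BLACKLIST_FILE, "/dev/kmsg");
-		}
-
-		// disable /proc/kmsg
-		if (stat("/proc/kmsg", &s) == 0) {
-			disable_file(BLACKLIST_FILE, "/proc/kmsg");
-		}
+		// disable /dev/kmsg and /proc/kmsg
+		disable_file(BLACKLIST_FILE, "/dev/kmsg");
+		disable_file(BLACKLIST_FILE, "/proc/kmsg");
 	}
 }
 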
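Review bot: With the debug message dropped from the realpath-failure branch of disable_file (first hunk) and the stat() guards removed in fs_proc_sys_dev_boot (second hunk), a hardening target that does not exist on the running kernel is now skipped with no trace even in debug mode, and several of the newly listed paths (`/proc/sys/efi/vars`, `/proc/timer_stats`, `/sys/kernel/vmcoreinfo`) are kernel-version dependent, so someone auditing the sandbox cannot tell whether they were blacklisted or simply absent. I would keep a debug-only line in that branch, `if (arg_debug) printf("Warning (realpath): %s is an invalid file, skipping...\n", filename);`, or record the skip through the existing fs_logger so it appears in the mount log next to the "remount /sys" entry. Separately, /proc/sysrq-trigger, /proc/sys/kernel/hotplug and /sys/kernel/uevent_helper move from fs_rdonly_noexit to a BLACKLIST_FILE mount, which is stricter, but the comment explaining why sysrq is disabled is lost; a one-line `// sysrq-trigger, hotplug and uevent_helper can trigger host-side actions: hide them rather than only mounting read-only` above the "/proc/sys files" group would preserve the rationale. Both disable_file and fs_proc_sys_dev_boot begin before their hunks, so the remaining EACCES branch of disable_file and the /sys remount logic are not visible here; the doubled blank line at new 624–625 is a minor style nit.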