author | smitsohu <smitsohu@gmail.com> | 2019-03-23 22:32:30 +0000 |
committer | GitHub <noreply@github.com> | 2019-03-23 22:32:30 +0000 |
commit | eecf35c2f8249489a1d3e512bb07f0d427183134 (patch) | |
tree | daa2959c75d282672d9a4bb7469a21b99f9ed809 /src | |
parent | Add kid3, kid3-cli, kid3-qt (#2614) (diff) | |
mount runtime seccomp files read-only (#2602)
Avoid creating locations in the file system that are both writable and executable (in this case, writable by processes running with the user's euid).
For the same reason, also remove the user-owned libfiles list once it is no longer needed.
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 16 | ||||
-rw-r--r-- | src/firejail/fs_lib.c | 1 | ||||
-rw-r--r-- | src/firejail/preproc.c | 2 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 8 |
4 files changed, 16 insertions, 11 deletions
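diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 5291361c8..4cb10c875 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -57,13 +57,14 @@
 #define RUN_LIB_FILE "/run/firejail/mnt/libfiles"
 #define RUN_DNS_ETC "/run/firejail/mnt/dns-etc"
 
-#define RUN_SECCOMP_LIST "/run/firejail/mnt/seccomp.list" // list of seccomp files installed
-#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter
-#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter
-#define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp.32" // 32bit arch filter installed on 64bit architectures
-#define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute
-#define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter
-#define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library
+#define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp"
+#define RUN_SECCOMP_LIST "/run/firejail/mnt/seccomp/seccomp.list" // list of seccomp files installed
+#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp/seccomp.protocol" // protocol filter
+#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp/seccomp" // configured filter
+#define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp/seccomp.32" // 32bit arch filter installed on 64bit architectures
+#define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp/seccomp.mdwx" // filter for memory-deny-write-execute
+#define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp/seccomp.block_secondary" // secondary arch blocking filter
+#define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp/seccomp.postexec" // filter for post-exec library
 #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make
 #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make
 #define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make
@@ -95,7 +96,6 @@
 #define RUN_ASOUNDRC_FILE "/run/firejail/mnt/.asoundrc"
 #define RUN_HOSTNAME_FILE "/run/firejail/mnt/hostname"
 #define RUN_HOSTS_FILE "/run/firejail/mnt/hosts"
-#define RUN_RESOLVCONF_FILE "/run/firejail/mnt/resolv.conf"
 #define RUN_MACHINEID "/run/firejail/mnt/machine-id"
 #define RUN_LDPRELOAD_FILE "/run/firejail/mnt/ld.so.preload"
 #define RUN_UTMP_FILE "/run/firejail/mnt/utmp"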
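Review bot: The path `/run/firejail/mnt/seccomp`, previously the value of `RUN_SECCOMP_CFG` (a file), is now `RUN_SECCOMP_DIR` (a directory), so anything outside this header that still opens that path expecting the configured filter will now hit a directory; a grep for the literal path in the rest of the tree and in the helper binaries is worth doing before merging. The second hunk also drops `RUN_RESOLVCONF_FILE`, which the commit description does not mention and which is unrelated to the seccomp relocation — if it simply had no remaining users, say so in the description. The new macro would benefit from a short comment tying the group together, e.g. `#define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp" // all runtime seccomp filters live here; sandbox() remounts it read-only`.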
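diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 808ead240..70c6ac88a 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -133,6 +133,7 @@ void fslib_copy_libs(const char *full_path) {
 		fslib_duplicate(buf);
 	}
 	fclose(fp);
+	unlink(RUN_LIB_FILE);
 }
 
 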
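Review bot: The return value of the added `unlink(RUN_LIB_FILE)` is discarded, so if the removal fails the user-owned list stays behind silently, which is exactly the condition the commit sets out to eliminate. An error other than ENOENT deserves at least a warning through the logging helper this file already uses, along the lines of `if (unlink(RUN_LIB_FILE) == -1 && errno != ENOENT)` followed by the warning call (this needs `<errno.h>` in scope). The body of `fslib_copy_libs` starts outside the hunk; if the function can be invoked more than once per sandbox, the part above the hunk must regenerate `RUN_LIB_FILE` on every call now that it is deleted on the way out — worth confirming rather than assuming.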
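diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index 2effebbaa..a7af4b127 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -86,6 +86,8 @@ void preproc_mount_mnt_dir(void) {
 	fs_logger2("tmpfs", RUN_MNT_DIR);
 
 #ifdef HAVE_SECCOMP
+	create_empty_dir_as_root(RUN_SECCOMP_DIR, 0755);
+
 	if (arg_seccomp_block_secondary)
 		copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed
 	else {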
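Review bot: The new directory is created root-owned with mode 0755 while the filter files copied into it on the following line are owned by `getuid()`/`getgid()` with mode 0644, so the files themselves remain writable by the user's euid until the read-only remount that happens much later in sandbox setup; the hunk is correct only in combination with that later remount, and nothing here says so. A comment on the added line would record the intent, e.g. `// root-owned: the user cannot add or replace entries; the user-owned files inside stay writable until sandbox() remounts the directory read-only`. If `create_empty_dir_as_root` reports failure by return value rather than aborting, the result should be checked, since a missing directory turns every `copy_file` below into a silent failure. `preproc_mount_mnt_dir` continues past the end of the hunk.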
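diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 2b5d30158..101a16d00 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1053,9 +1053,6 @@ int sandbox(void* sandbox_arg) {
 	// save state of nonewprivs
 	save_nonewprivs();
 
-	// set capabilities
-	set_caps();
-
 	// save cpu affinity mask to CPU_CFG file
 	save_cpu();
 
@@ -1101,8 +1098,13 @@ int sandbox(void* sandbox_arg) {
 		int rv = unlink(RUN_SECCOMP_MDWX);
 		(void) rv;
 	}
+	// make seccomp filters read-only
+	fs_rdonly(RUN_SECCOMP_DIR);
 #endif
 
+	// set capabilities
+	set_caps();
+
 	//****************************************
 	// communicate progress of sandbox set up
 	// to --join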
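Review bot: Moving `set_caps()` below `fs_rdonly(RUN_SECCOMP_DIR)` is the load-bearing part of this change — the read-only remount presumably needs a capability that `set_caps()` may drop — yet the relocated comment is the same `// set capabilities` as before and records none of that, so a future cleanup could reorder them back. Suggest `// set capabilities - must stay after the read-only remount of RUN_SECCOMP_DIR above, which needs the unreduced capability set`. Every write to a file under `RUN_SECCOMP_DIR` now has to happen before this point; any producer that runs later in `sandbox()` (which continues well past this hunk) would fail with EROFS, and if `fs_rdonly` is best-effort rather than fatal on error, a failed remount would leave the filters writable without any diagnostic — both are worth checking against the rest of the function.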