author | netblue30 <netblue30@yahoo.com> | 2016-08-22 08:59:00 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-08-22 08:59:00 -0400 |
commit | 2b76cea1106462268b975ee68480796ba900d37f (patch) | |
tree | 6e5f058f8cff1eede40d5aac393475e04480e4c1 /src | |
parent | fixed whitelist description in man pages (diff) | |
--allow-debuggers
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 35 | ||||
-rw-r--r-- | src/firejail/profile.c | 10 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 13 | ||||
-rw-r--r-- | src/firejail/usage.c | 1 | ||||
-rw-r--r-- | src/man/firejail.txt | 9 |
6 files changed, 65 insertions, 4 deletions
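--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -267,6 +267,7 @@ extern int arg_appimage; // appimage
 extern int arg_audit; // audit
 extern char *arg_audit_prog; // audit
 extern int arg_apparmor; // apparmor
+extern int arg_allow_debuggers; // allow debuggers
 
 extern int login_shell;
 extern int parent_to_child_fds[2];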
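--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -101,8 +101,9 @@ int arg_writable_etc = 0; // writable etc
 int arg_writable_var = 0; // writable var
 int arg_appimage = 0; // appimage
 int arg_audit = 0; // audit
-char *arg_audit_prog; // audit
-int arg_apparmor; // apparmor
+char *arg_audit_prog = NULL; // audit
+int arg_apparmor = 0; // apparmor
+int arg_allow_debuggers = 0; // allow debuggers
 int login_shell = 0;
 
 int parent_to_child_fds[2];
@@ -730,6 +731,24 @@ static void detect_quiet(int argc, char **argv) {
 }
 }
 
+static void detect_allow_debuggers(int argc, char **argv) {
+int i;
+
+// detect --allow-debuggers
+for (i = 1; i < argc; i++) {
+if (strcmp(argv[i], "--allow-debuggers") == 0) {
+arg_allow_debuggers = 1;
+break;
+}
+
+// detect end of firejail params
+if (strcmp(argv[i], "--") == 0)
+break;
+if (strncmp(argv[i], "--", 2) != 0)
+break;
+}
+}
+
 char *guess_shell(void) {
 char *shell = NULL;
 // shells in order of preference
@@ -766,11 +785,13 @@ int main(int argc, char **argv) {
 #endif
 
 detect_quiet(argc, argv);
+detect_allow_debuggers(argc, argv);
 
 // drop permissions by default and rise them when required
 EUID_INIT();
 EUID_USER();
 
+
 // check argv[0] symlink wrapper if this is not a login shell
 if (*argv[0] != '-')
 run_symlink(argc, argv);
@@ -982,6 +1003,13 @@ int main(int argc, char **argv) {
 if (checkcfg(CFG_FORCE_NONEWPRIVS))
 arg_nonewprivs = 1;
 
+if (arg_allow_debuggers) {
+char *cmd = strdup("noblacklist ${PATH}/strace");
+if (!cmd)
+errExit("strdup");
+profile_add(cmd);
+}
+
 // parse arguments
 for (i = 1; i < argc; i++) {
 run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized
@@ -1005,6 +1033,9 @@ int main(int argc, char **argv) {
 }
 else if (strcmp(argv[i], "--force") == 0)
 ;
+else if (strcmp(argv[i], "--allow-debuggers") == 0) {
+// already handled
+}
 
 //*************************************
 // filtering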
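Review bot: The `--allow-debuggers` branch added at the end of the argument loop is a silent no-op that never checks the flag was actually picked up: detect_allow_debuggers stops scanning at the first argument that does not start with `--`, so an occurrence after such an argument is ignored there yet still accepted here, and the `noblacklist ${PATH}/strace` line from the earlier hunk is never added. Because that profile_add runs before this loop, a late occurrence cannot simply set the flag here; the branch should at least refuse it instead of pretending it was handled, e.g. `if (!arg_allow_debuggers) { fprintf(stderr, "Error: --allow-debuggers must precede other arguments\n"); exit(1); }`. Whether any non-`--` argument can legitimately precede it is not visible in these hunks, so the exact ordering rule should be stated in the comment on detect_allow_debuggers as well. main's body starts and ends outside the hunks.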
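--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -828,6 +828,16 @@ void profile_read(const char *fname) {
 exit(1);
 }
 
+// allow debuggers
+if (arg_allow_debuggers) {
+char *tmp = strrchr(fname, '/');
+if (tmp && *(tmp + 1) != '\0') {
+tmp++;
+if (strcmp(tmp, "disable-devel.inc") == 0)
+return;
+}
+}
+
 // open profile file:
 FILE *fp = fopen(fname, "r");
 if (fp == NULL) {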
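Review bot: The basename comparison only runs when fname contains a '/', so a profile passed by a bare relative name is still read under --allow-debuggers while the same file reached through a directory path is skipped. Whether profile_read is ever called with a bare name is not visible here, but the check should not depend on it: `const char *base = strrchr(fname, '/'); base = base ? base + 1 : fname; if (strcmp(base, "disable-devel.inc") == 0) return;`. The `// allow debuggers` comment should also say that the whole include is skipped, not just its debugger entries — the contents of disable-devel.inc are not shown on this page, and if it blacklists more than debuggers the relaxation is wider than the option name suggests. profile_read's body starts and ends outside the hunk.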
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 88620d1dd..7aaf1a5cd 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
@@ -344,6 +344,7 @@ void seccomp_filter_32(void) { | |||
344 | EXAMINE_SYSCALL, | 344 | EXAMINE_SYSCALL, |
345 | BLACKLIST(21), // mount | 345 | BLACKLIST(21), // mount |
346 | BLACKLIST(52), // umount2 | 346 | BLACKLIST(52), // umount2 |
347 | // todo: implement --allow-debuggers | ||
347 | BLACKLIST(26), // ptrace | 348 | BLACKLIST(26), // ptrace |
348 | BLACKLIST(283), // kexec_load | 349 | BLACKLIST(283), // kexec_load |
349 | BLACKLIST(341), // name_to_handle_at | 350 | BLACKLIST(341), // name_to_handle_at |
@@ -416,6 +417,7 @@ void seccomp_filter_64(void) { | |||
416 | EXAMINE_SYSCALL, | 417 | EXAMINE_SYSCALL, |
417 | BLACKLIST(165), // mount | 418 | BLACKLIST(165), // mount |
418 | BLACKLIST(166), // umount2 | 419 | BLACKLIST(166), // umount2 |
420 | // todo: implement --allow-debuggers | ||
419 | BLACKLIST(101), // ptrace | 421 | BLACKLIST(101), // ptrace |
420 | BLACKLIST(246), // kexec_load | 422 | BLACKLIST(246), // kexec_load |
421 | BLACKLIST(304), // open_by_handle_at | 423 | BLACKLIST(304), // open_by_handle_at |
@@ -501,9 +503,13 @@ int seccomp_filter_drop(int enforce_seccomp) { | |||
501 | #ifdef SYS_umount2 | 503 | #ifdef SYS_umount2 |
502 | filter_add_blacklist(SYS_umount2, 0); | 504 | filter_add_blacklist(SYS_umount2, 0); |
503 | #endif | 505 | #endif |
506 | |||
507 | if (!arg_allow_debuggers) { | ||
504 | #ifdef SYS_ptrace | 508 | #ifdef SYS_ptrace |
505 | filter_add_blacklist(SYS_ptrace, 0); | 509 | filter_add_blacklist(SYS_ptrace, 0); |
506 | #endif | 510 | #endif |
511 | } | ||
512 | |||
507 | #ifdef SYS_kexec_load | 513 | #ifdef SYS_kexec_load |
508 | filter_add_blacklist(SYS_kexec_load, 0); | 514 | filter_add_blacklist(SYS_kexec_load, 0); |
509 | #endif | 515 | #endif |
@@ -549,9 +555,12 @@ int seccomp_filter_drop(int enforce_seccomp) { | |||
549 | #ifdef SYS_syslog | 555 | #ifdef SYS_syslog |
550 | filter_add_blacklist(SYS_syslog, 0); | 556 | filter_add_blacklist(SYS_syslog, 0); |
551 | #endif | 557 | #endif |
558 | if (!arg_allow_debuggers) { | ||
552 | #ifdef SYS_process_vm_readv | 559 | #ifdef SYS_process_vm_readv |
553 | filter_add_blacklist(SYS_process_vm_readv, 0); | 560 | filter_add_blacklist(SYS_process_vm_readv, 0); |
554 | #endif | 561 | #endif |
562 | } | ||
563 | |||
555 | #ifdef SYS_process_vm_writev | 564 | #ifdef SYS_process_vm_writev |
556 | filter_add_blacklist(SYS_process_vm_writev, 0); | 565 | filter_add_blacklist(SYS_process_vm_writev, 0); |
557 | #endif | 566 | #endif |
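Review bot: The flag is only honored in seccomp_filter_drop; the static tables in seccomp_filter_32 and seccomp_filter_64 still blacklist ptrace unconditionally, which the two `// todo: implement --allow-debuggers` comments acknowledge, so on those paths strace and gdb remain blocked while the usage text promises they work. Until that is implemented, the gap should be visible to the user — either documented in the help text or by having the flag refuse to combine with those filters rather than silently applying them. process_vm_readv is unblocked but process_vm_writev stays blocked; if that asymmetry is intended, a comment at the writev entry saying why would prevent it from being mistaken for an oversight, as I cannot confirm from this page that the named debuggers never need it. The enclosing functions start and end outside the hunks.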
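--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -34,6 +34,7 @@ void usage(void) {
 printf("\n");
 printf("Options:\n\n");
 printf(" -- - signal the end of options and disables further option processing.\n\n");
+printf(" --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n\n");
 printf(" --apparmor - enable AppArmor confinement\n\n");
 printf(" --appimage - sandbox an AppImage application\n\n");
 printf(" --audit - audit the sandbox, see Audit section for more details\n\n");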
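--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -75,6 +75,15 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox
 \fB\-\-
 Signal the end of options and disables further option processing.
 .TP
+\fB\-\-allow-debuggers
+Allow tools such as strace and gdb inside the sandbox.
+.br
+
+.br
+Example:
+.br
+$ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile --allow-debuggers strace -f firefox
+.TP
 \fB\-\-apparmor
 Enable AppArmor confinement. Formore information, please see \fBAPPARMOR\fR section below.
 .TP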