author | netblue30 <netblue30@yahoo.com> | 2019-09-15 06:59:31 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-09-15 06:59:31 -0500 |
commit | 99da7745bfd2a7c3a8c982e15b7d9b38e4df9b4b (patch) | |
tree | aab0f8277a0ae1de922b8a9268b01428e8febd73 /src | |
parent | Make sure that we are unprivileged before creating the trace log file. (diff) | |
parent | Fix #2899 (diff) | |
Merge branch 'master' into fix-profile-builder
Diffstat (limited to 'src')
-rw-r--r-- | src/fcopy/main.c | 11 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 1 | ||||
-rw-r--r-- | src/fseccomp/syscall.c | 49 | ||||
-rw-r--r-- | src/libtrace/libtrace.c | 9 | ||||
-rw-r--r-- | src/man/firejail.txt | 43 |
5 files changed, 75 insertions, 38 deletions
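--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -28,11 +28,10 @@ int arg_quiet = 0;
 int arg_debug = 0;
 static int arg_follow_link = 0;
 
-static int copy_limit = 500 * 1024 *1024; // 500 MB
-#define COPY_LIMIT (
+static unsigned long long copy_limit = 500 * 1024 * 1024; // 500 MB
+static unsigned long long size_cnt = 0;
 static int size_limit_reached = 0;
 static unsigned file_cnt = 0;
-static unsigned size_cnt = 0;
 
 static char *outpath = NULL;
 static char *inpath = NULL;
@@ -187,7 +186,7 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
 
 // recalculate size
 if ((s.st_size + size_cnt) > copy_limit) {
-fprintf(stderr, "Error fcopy: size limit of %dMB reached\n", (copy_limit / 1024) / 1024);
+fprintf(stderr, "Error fcopy: size limit of %lluMB reached\n", (copy_limit / 1024) / 1024);
 size_limit_reached = 1;
 free(outfname);
 return 0;
@@ -392,9 +391,9 @@ int main(int argc, char **argv) {
 // extract copy limit size from env variable, if any
 char *cl = getenv("FIREJAIL_FILE_COPY_LIMIT");
 if (cl) {
-copy_limit = atoi(cl) * 1024 * 1024;
+copy_limit = strtoul(cl, NULL, 10) * 1024 * 1024;
 if (arg_debug)
-printf("file copy limit %d bytes\n", copy_limit);
+printf("file copy limit %llu bytes\n", copy_limit);
 }
 
 // copy files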
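Review bot: In the third hunk `strtoul(cl, NULL, 10)` discards the end pointer and errno, so a non-numeric FIREJAIL_FILE_COPY_LIMIT silently yields 0 (every subsequent copy then trips the "size limit reached" branch of the second hunk) and a huge value wraps; the `* 1024 * 1024` is also done in `unsigned long`, which overflows on 32-bit targets for values from 4096 upwards before the result is widened into the `unsigned long long copy_limit`. Parse with strtoull, validate the whole string and the range, and reject bad input explicitly; errno and ULLONG_MAX need `<errno.h>` and `<limits.h>` if the file does not already include them. main() begins and ends outside this hunk.
```c
char *cl = getenv("FIREJAIL_FILE_COPY_LIMIT");
if (cl) {
	char *end = NULL;
	errno = 0;
	unsigned long long mb = strtoull(cl, &end, 10);
	// reject empty/non-numeric input, out-of-range values and MB->bytes overflow
	if (end == cl || *end != '\0' || errno == ERANGE || mb > ULLONG_MAX / (1024 * 1024)) {
		fprintf(stderr, "Error fcopy: invalid FIREJAIL_FILE_COPY_LIMIT value\n");
		exit(1);
	}
	copy_limit = mb * 1024 * 1024;
	// … unchanged: debug print …
}
```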
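--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -36,6 +36,7 @@ amule
 android-studio
 anydesk
 apktool
+ar
 arch-audit
 archaudit-report
 ardour4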
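--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -201,11 +201,14 @@ static const SyscallGroupList sysgroups[] = {
 #endif
 },
 { .name = "@default", .list =
+"@clock,"
 "@cpu-emulation,"
 "@debug,"
+"@module,"
 "@obsolete,"
-"@privileged,"
-"@resources,"
+"@raw-io,"
+"@reboot,"
+"@swap,"
 #ifdef SYS_open_by_handle_at
 "open_by_handle_at,"
 #endif
@@ -233,6 +236,15 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_request_key
 "request_key,"
 #endif
+#ifdef SYS_mbind
+"mbind,"
+#endif
+#ifdef SYS_migrate_pages
+"migrate_pages,"
+#endif
+#ifdef SYS_move_pages
+"move_pages,"
+#endif
 #ifdef SYS_keyctl
 "keyctl,"
 #endif
@@ -254,6 +266,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_remap_file_pages
 "remap_file_pages,"
 #endif
+#ifdef SYS_set_mempolicy
+"set_mempolicy"
+#endif
 #ifdef SYS_vmsplice
 "vmsplice,"
 #endif
@@ -263,6 +278,36 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_userfaultfd
 "userfaultfd,"
 #endif
+#ifdef SYS_acct
+"acct,"
+#endif
+#ifdef SYS_bpf
+"bpf,"
+#endif
+#ifdef SYS_chroot
+"chroot,"
+#endif
+#ifdef SYS_mount
+"mount,"
+#endif
+#ifdef SYS_nfsservctl
+"nfsservctl,"
+#endif
+#ifdef SYS_pivot_root
+"pivot_root,"
+#endif
+#ifdef SYS_setdomainname
+"setdomainname,"
+#endif
+#ifdef SYS_sethostname
+"sethostname,"
+#endif
+#ifdef SYS_umount2
+"umount2,"
+#endif
+#ifdef SYS_vhangup
+"vhangup"
+#endif
 //#ifdef SYS_mincore // 0.9.57 - problem fixed in Linux kernel 5.0; on 4.x it will break kodi, mpv, totem
 // "mincore"
 //#endif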
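Review bot: The `"set_mempolicy"` entry added in the third hunk is missing its trailing comma, unlike every other entry in this comma-joined list; the @default list is built by adjacent string-literal concatenation, so on a build where SYS_set_mempolicy and SYS_vmsplice are both defined the list contains the single token `set_mempolicyvmsplice,` and neither set_mempolicy nor vmsplice is blacklisted by @default. Change it to `"set_mempolicy,"`. The `"vhangup"` entry at the end of the fourth hunk is likewise comma-less, which is only correct as long as it stays the final entry of the list; the sysgroups[] initializer continues past the hunk, so that should be checked against what follows.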
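--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
@@ -52,10 +52,7 @@ static orig_access_t orig_access = NULL;
 //
 // library constructor/destructor
 //
-// Replacing printf with fprintf to /dev/tty in order to fix #561
-// If you really want to turn it off, comment the following line, but its a
-// really bad idea.
-#define PRINTF_DEVTTY
+// Using fprintf to /dev/tty instead of printf in order to fix #561
 static FILE *ftty = NULL;
 static pid_t mypid = 0;
 #define MAXNAME 16
@@ -75,12 +72,8 @@ void init(void) {
 // if exists, log to trace file
 logfile = RUN_TRACE_FILE;
 if (orig_access(logfile, F_OK))
-#ifdef PRINTF_DEVTTY
 // else log to associated tty
 logfile = "/dev/tty";
-#else
-logfile = "/proc/self/fd/2";
-#endif
 }
 
 // logfile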
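Review bot: In the second hunk `if (orig_access(logfile, F_OK))` is left with an unbraced single-statement body that has a comment line wedged between the condition and the statement, which is the shape that silently misbehaves when a second line is added later; brace it as `if (orig_access(logfile, F_OK)) {` / `logfile = "/dev/tty"; // else log to associated tty` / `}`. With PRINTF_DEVTTY removed there is no longer a `/proc/self/fd/2` fallback, so a traced process without a controlling terminal will fail to open `/dev/tty`; how a NULL ftty is handled is not visible here and is worth confirming. init()'s body continues past the hunk.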
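--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1762,25 +1762,22 @@ Example:
 $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
-Enable seccomp filter and blacklist the syscalls in the default list (@default). The default list is as follows:
-_sysctl, acct, add_key, adjtimex, afs_syscall, bdflush, bpf, break, chroot, clock_adjtime, clock_settime,
-create_module, delete_module, fanotify_init, finit_module, ftime, get_kernel_syms, getpmsg, gtty, init_module,
-io_cancel, io_destroy, io_getevents, io_setup, io_submit, ioperm, iopl, ioprio_set, kcmp, kexec_file_load,
-kexec_load, keyctl, lock, lookup_dcookie, mbind, migrate_pages, modify_ldt, mount, move_pages, mpx,
-name_to_handle_at, nfsservctl, ni_syscall, open_by_handle_at, pciconfig_iobase, pciconfig_read, pciconfig_write, perf_event_open,
-personality, pivot_root, process_vm_readv, process_vm_writev, prof, profil, ptrace, putpmsg,
-query_module, reboot, remap_file_pages, request_key, rtas, s390_mmio_read, s390_mmio_write, s390_runtime_instr,
-security, set_mempolicy, setdomainname, sethostname, settimeofday, sgetmask, ssetmask, stime, stty, subpage_prot,
-swapoff, swapon, switch_endian, sys_debug_setcontext, sysfs, syslog, tuxcall, ulimit, umount, umount2, uselib, userfaultfd, ustat, vhangup,
-vm86, vm86old, vmsplice and vserver.
+Enable seccomp filter and blacklist the syscalls in the default list,
+which is @default-nodebuggers unless allow-debuggers is specified,
+then it is @default.
 
 .br
 To help creating useful seccomp filters more easily, the following
-system call groups are defined: @clock, @cpu-emulation, @debug,
-@default, @default-nodebuggers, @default-keep, @module, @obsolete,
-@privileged, @raw-io, @reboot, @resources and @swap. In addition, a
-system call can be specified by its number instead of name with prefix
-$, so for example $165 would be equal to mount on i386.
+system call groups are defined: @aio, @basic-io, @chown, @clock,
+@cpu-emulation, @debug, @default, @default-nodebuggers, @default-keep,
+@file-system, @io-event, @ipc, @keyring, @memlock, @module, @mount,
+@network-io, @obsolete, @privileged, @process, @raw-io, @reboot,
+@resources, @setuid, @swap, @sync, @system-service and @timer.
+More informations about groups can be found in /usr/share/doc/firejail/syscalls.txt
+
+In addition, a system call can be specified by its number instead of
+name with prefix $, so for example $165 would be equal to mount on i386.
+Exceptions can be allowed with prefix !.
 
 .br
 System architecture is strictly imposed only if flag
@@ -1798,8 +1795,10 @@ Example:
 .br
 $ firejail \-\-seccomp
 .TP
-\fB\-\-seccomp=syscall,@group
-Enable seccomp filter, blacklist the default list (@default) and the syscalls or syscall groups specified by the command.
+\fB\-\-seccomp=syscall,@group,!syscall2
+Enable seccomp filter, whitelist "syscall2", but blacklist the default
+list and the syscalls or syscall groups specified by the
+command.
 .br
 
 .br
@@ -1899,10 +1898,10 @@ rm: cannot remove `testfile': Operation not permitted
 
 
 .TP
-\fB\-\-seccomp.keep=syscall,syscall,syscall
-Enable seccomp filter, and whitelist the syscalls specified by the
-command. The system calls needed by Firejail (group @default-keep:
-prctl, execve) are handled with the preload library.
+\fB\-\-seccomp.keep=syscall,@group,!syscall2
+Enable seccomp filter, blacklist all syscall not listed and "syscall2".
+The system calls needed by Firejail (group @default-keep: prctl, execve)
+are handled with the preload library.
 .br
 
 .br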