author | netblue30 <netblue30@protonmail.com> | 2021-07-29 18:20:35 -0400 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2021-07-29 18:20:35 -0400 |
commit | a964e3b21e8d69142cc6f3c2275e59961a244a59 (patch) | |
tree | 8680b66a4f4f19ce9ac9ad2cf0541ca4f50d9983 /src | |
parent | fix deb package building (diff) | |
removed dependency on strace for --build option; added seccomp by default for --build run
Diffstat (limited to 'src')
-rw-r--r-- | src/fbuilder/build_home.c | 2 | ||||
-rw-r--r-- | src/fbuilder/build_profile.c | 51 | ||||
-rw-r--r-- | src/fbuilder/build_seccomp.c | 2 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 1 |
4 files changed, 9 insertions, 47 deletions
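--- a/src/fbuilder/build_home.c
+++ b/src/fbuilder/build_home.c
@@ -68,6 +68,8 @@ void process_home(const char *fname, char *home, int home_len) {
 ptr += 7;
 else if (strncmp(ptr, "open /home", 10) == 0)
 ptr += 5;
+else if (strncmp(ptr, "opendir /home", 13) == 0)
+ptr += 8;
 else
 continue;
 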
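Review bot: The prefix length in the new `strncmp(ptr, "opendir /home", 13)` at new line 71 (like the existing 10 for `"open /home"`) is a hand-counted magic number that has to be kept in sync with the literal; `strncmp(ptr, "opendir /home", sizeof("opendir /home") - 1)` ties the length to the string. The `ptr += 8` that follows skips exactly `"opendir "`, consistent with the neighbouring branches, but a short comment such as `// skip "opendir " and keep the path` would make the arithmetic self-explanatory. process_home() starts and ends outside this hunk.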
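--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -32,53 +32,25 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 }
 
 char trace_output[] = "/tmp/firejail-trace.XXXXXX";
-char strace_output[] = "/tmp/firejail-strace.XXXXXX";
-
 int tfile = mkstemp(trace_output);
-int stfile = mkstemp(strace_output);
-if(tfile == -1 || stfile == -1)
+if(tfile == -1)
 errExit("mkstemp");
-
-// close the files, firejail/strace will overwrite them!
 close(tfile);
-close(stfile);
-
 
 char *output;
-char *stroutput;
 if(asprintf(&output,"--trace=%s",trace_output) == -1)
 errExit("asprintf");
-if(asprintf(&stroutput,"-o%s",strace_output) == -1)
-errExit("asprintf");
 
 char *cmdlist[] = {
 BINDIR "/firejail",
 "--quiet",
 "--noprofile",
 "--caps.drop=all",
-"--nonewprivs",
+"--seccomp",
 output,
 "--shell=none",
-"/usr/bin/strace", // also used as a marker in build_profile()
-"-c",
-"-f",
-stroutput,
 };
 
-// detect strace and check if Yama LSM allows us to use it
-int have_strace = 0;
-int have_yama_permission = 1;
-if (access("/usr/bin/strace", X_OK) == 0) {
-have_strace = 1;
-FILE *ps = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
-if (ps) {
-unsigned val;
-if (fscanf(ps, "%u", &val) == 1)
-have_yama_permission = (val < 2);
-fclose(ps);
-}
-}
-
 // calculate command length
 unsigned len = (int) sizeof(cmdlist) / sizeof(char*) + argc - index + 1;
 if (arg_debug)
@@ -87,14 +59,9 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 cmd[0] = cmdlist[0]; // explicit assignment to clean scan-build error
 
 // build command
-// skip strace if not installed, or no permission to use it
-int skip_strace = !(have_strace && have_yama_permission);
 unsigned i = 0;
-for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++) {
-if (skip_strace && strcmp(cmdlist[i], "/usr/bin/strace") == 0)
-break;
+for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++)
 cmd[i] = cmdlist[i];
-}
 
 int i2 = index;
 for (; i < (len - 1); i++, i2++)
@@ -180,14 +147,6 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 fprintf(fp, "#novideo\t# disable video capture devices\n");
 build_protocol(trace_output, fp);
 fprintf(fp, "seccomp\n");
-if (!have_strace) {
-fprintf(fp, "### If you install strace on your system, Firejail will also create a\n");
-fprintf(fp, "### whitelisted seccomp filter.\n");
-}
-else if (!have_yama_permission)
-fprintf(fp, "### Yama security module prevents creation of a whitelisted seccomp filter\n");
-else
-build_seccomp(strace_output, fp);
 fprintf(fp, "shell none\n");
 fprintf(fp, "tracelog\n");
 fprintf(fp, "\n");
@@ -206,10 +165,8 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 fprintf(fp, "\n");
 fprintf(fp, "#memory-deny-write-execute\n");
 
-if (!arg_debug) {
+if (!arg_debug)
 unlink(trace_output);
-unlink(strace_output);
-}
 }
 else {
 fprintf(stderr, "Error: cannot run the sandbox\n");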
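Review bot: The `close(tfile);` that survives at new line 38 of the first hunk lost the comment that justified it (the removed `// close the files, firejail/strace will overwrite them!`), so an fd closed immediately after mkstemp now reads like a leftover; restore a one-liner such as `// close the file; firejail --trace will overwrite it`. In the same hunk, replacing `"--nonewprivs"` with `"--seccomp"` in cmdlist (new line 49) drops the explicit no-new-privs flag for the traced run; if firejail's seccomp setup does not itself set PR_SET_NO_NEW_PRIVS (not visible here), the traced program keeps the ability to gain privilege through setuid binaries, so either confirm that or list both flags. build_profile() starts and ends outside these hunks.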
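--- a/src/fbuilder/build_seccomp.c
+++ b/src/fbuilder/build_seccomp.c
@@ -20,6 +20,7 @@
 
 #include "fbuilder.h"
 
+#if 0
 void build_seccomp(const char *fname, FILE *fp) {
 assert(fname);
 assert(fp);
@@ -78,6 +79,7 @@ void build_seccomp(const char *fname, FILE *fp) {
 
 fclose(fp2);
 }
+#endif
 
 //***************************************
 // protocol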
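Review bot: Wrapping build_seccomp() in `#if 0` / `#endif` at new lines 23 and 82 keeps the whole function as dead code that the compiler no longer checks, instead of deleting it and relying on git history. If its prototype is still declared in fbuilder.h (not visible here), that declaration now names a symbol with no definition and should be removed together with the body. If the intent is to revive the function later, a one-line comment above the `#if 0` such as `// disabled: strace-based whitelist generation was dropped in favour of the default --seccomp filter` would tell the next reader why it is switched off.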
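--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -94,6 +94,7 @@ bleachbit
 blender
 blender-2.8
 bless
+blobby
 blobwars
 bluefish
 bnox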