author | netblue30 <netblue30@yahoo.com> | 2017-11-13 10:53:04 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-11-13 10:53:04 -0500 |
commit | b24e0e4049229c7772b067c97b439622804112bb (patch) | |
tree | 6c20752432721277c94f4fd9b7b2fb3ec89786d9 /src | |
parent | cleanup (diff) | |
netfilter split
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs_lib.c | 1 | ||||
-rw-r--r-- | src/firejail/netfilter.c | 65 |
3 files changed, 22 insertions, 45 deletions
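--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -766,6 +766,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 // sbox.c
 // programs
 #define PATH_FNET (LIBDIR "/firejail/fnet")
+#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter")
 #define PATH_FIREMON (PREFIX "/bin/firemon")
 #define PATH_FIREJAIL (PREFIX "/bin/firejail")
 #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")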
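--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -387,6 +387,7 @@ void fs_private_lib(void) {
 	fslib_copy_libs(LIBDIR "/firejail/fcopy");
 	fslib_copy_libs(LIBDIR "/firejail/fldd");
 	fslib_copy_libs(LIBDIR "/firejail/fnet");
+	fslib_copy_libs(LIBDIR "/firejail/fnetfilter");
 	fslib_copy_libs(LIBDIR "/firejail/fseccomp");
 	fslib_copy_libs(LIBDIR "/firejail/ftee");
 	// mount lib filesystem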
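--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -24,33 +24,24 @@
 #include <sys/wait.h>
 #include <fcntl.h>
 
-static char *client_filter =
-	"*filter\n"
-	":INPUT DROP [0:0]\n"
-	":FORWARD DROP [0:0]\n"
-	":OUTPUT ACCEPT [0:0]\n"
-	"-A INPUT -i lo -j ACCEPT\n"
-	"-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
-	"# echo replay is handled by -m state RELATED/ESTABLISHED below\n"
-	"#-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT\n"
-	"-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT\n"
-	"-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT\n"
-	"-A INPUT -p icmp --icmp-type echo-request -j ACCEPT \n"
-	"# disable STUN\n"
-	"-A OUTPUT -p udp --dport 3478 -j DROP\n"
-	"-A OUTPUT -p udp --dport 3479 -j DROP\n"
-	"-A OUTPUT -p tcp --dport 3478 -j DROP\n"
-	"-A OUTPUT -p tcp --dport 3479 -j DROP\n"
-	"COMMIT\n";
 
 void check_netfilter_file(const char *fname) {
 	EUID_ASSERT();
-	invalid_filename(fname, 0); // no globbing
 
-	if (is_dir(fname) || is_link(fname) || strstr(fname, "..") || access(fname, R_OK )) {
-		fprintf(stderr, "Error: invalid network filter file %s\n", fname);
+	char *tmp = strdup(fname);
+	if (!tmp)
+		errExit("strdup");
+	char *ptr = strchr(tmp, ',');
+	if (ptr)
+		*ptr = '\0';
+
+	invalid_filename(tmp, 0); // no globbing
+
+	if (is_dir(tmp) || is_link(tmp) || strstr(tmp, "..") || access(tmp, R_OK )) {
+		fprintf(stderr, "Error: invalid network filter file %s\n", tmp);
 		exit(1);
 	}
+	free(tmp);
 }
 
 
@@ -72,29 +63,15 @@ void netfilter(const char *fname) {
 		return;
 	}
 
-	// read filter
-	char *filter = client_filter;
-	int allocated = 0;
-	if (netfilter_default)
-		fname = netfilter_default;
-	if (fname) {
-		filter = read_text_file_or_exit(fname);
-		allocated = 1;
-	}
+	// create an empty user-owned SBOX_STDIN_FILE
+	create_empty_file_as_root(SBOX_STDIN_FILE, 0644);
+	if (set_perms(SBOX_STDIN_FILE, getuid(), getgid(), 0644))
+		errExit("set_perms");
 
-	// create the filter file
-	FILE *fp = fopen(SBOX_STDIN_FILE, "w");
-	if (!fp) {
-		fprintf(stderr, "Error: cannot open %s\n", SBOX_STDIN_FILE);
-		exit(1);
-	}
-	fprintf(fp, "%s\n", filter);
-	fclose(fp);
-
-
-	// push filter
-	if (arg_debug)
-		printf("Installing network filter:\n%s\n", filter);
+	if (fname == NULL)
+		sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FNETFILTER, SBOX_STDIN_FILE);
+	else
+		sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FNETFILTER, fname, SBOX_STDIN_FILE);
 
 	// first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter
 	// we run this command with caps and seccomp disabled in order to allow the loading of these modules
@@ -105,8 +82,6 @@ void netfilter(const char *fname) {
 	if (arg_debug)
 		sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-vL");
 
-	if (allocated)
-		free(filter);
 	return;
 }
 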