author | netblue30 <netblue30@yahoo.com> | 2018-10-13 09:38:38 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2018-10-13 09:38:38 -0400 |
commit | 16587f6d2bb6273ba3f519eeab867175948e388f (patch) | |
tree | b15791a194f9cfebd729bb4f8eae3d36f51422a3 /src | |
parent | Merge pull request #2185 from glitsj16/masterpdfeditor (diff) | |
Revert "Fix issue #2148: Make sure firejail can find helper programs in sandbox regardless of options."
This reverts commit 4017e8a1359208e149b2eac10900987acd4a6f9e.
I am running into some problems with the initial unshare/mount in main.c.
I'll bring in the files one by one.
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/bandwidth.c | 6 | ||||
-rw-r--r-- | src/firejail/firejail.h | 27 | ||||
-rw-r--r-- | src/firejail/fs_trace.c | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 11 | ||||
-rw-r--r-- | src/firejail/output.c | 6 | ||||
-rw-r--r-- | src/firejail/preproc.c | 8 |
6 files changed, 22 insertions, 38 deletions
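--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -406,17 +406,17 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
 if (devname) {
 if (strcmp(command, "set") == 0) {
 if (asprintf(&cmd, "%s/firejail/fshaper.sh --%s %s %d %d",
-RUN_FIREJAIL_LIB_DIR, command, devname, down, up) == -1)
+LIBDIR, command, devname, down, up) == -1)
 errExit("asprintf");
 }
 else {
 if (asprintf(&cmd, "%s/firejail/fshaper.sh --%s %s",
-RUN_FIREJAIL_LIB_DIR, command, devname) == -1)
+LIBDIR, command, devname) == -1)
 errExit("asprintf");
 }
 }
 else {
-if (asprintf(&cmd, "%s/firejail/fshaper.sh --%s", RUN_FIREJAIL_LIB_DIR, command) == -1)
+if (asprintf(&cmd, "%s/firejail/fshaper.sh --%s", LIBDIR, command) == -1)
 errExit("asprintf");
 }
 assert(cmd);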
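Review bot: The helper path `"%s/firejail/fshaper.sh"` is spelled out in all three `asprintf` calls of this hunk instead of coming from one definition; a `#define PATH_FSHAPER (LIBDIR "/firejail/fshaper.sh")` next to `PATH_FNET` in firejail.h would keep the script's location in one place, as the other helpers already do. `command` and `devname` are also formatted into `cmd` with plain `%s`; how `cmd` is executed lies outside the hunk, but if it is handed to a shell, both values should be checked against a strict allow-list (known sub-commands, interface-name characters only) before this point. bandwidth_pid starts and ends outside the hunk.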
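--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -32,7 +32,6 @@
 #define RUN_FIREJAIL_DIR "/run/firejail"
 #define RUN_FIREJAIL_APPIMAGE_DIR "/run/firejail/appimage"
 #define RUN_FIREJAIL_NAME_DIR "/run/firejail/name" // also used in src/lib/pid.c - todo: move it in a common place
-#define RUN_FIREJAIL_LIB_DIR "/run/firejail/lib"
 #define RUN_FIREJAIL_X11_DIR "/run/firejail/x11"
 #define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network"
 #define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth"
@@ -63,11 +62,11 @@
 #define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute
 #define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter
 #define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library
-#define PATH_SECCOMP_DEFAULT (RUN_FIREJAIL_LIB_DIR "/firejail/seccomp") // default filter built during make
-#define PATH_SECCOMP_DEFAULT_DEBUG (RUN_FIREJAIL_LIB_DIR "/firejail/seccomp.debug") // default filter built during make
-#define PATH_SECCOMP_32 (RUN_FIREJAIL_LIB_DIR "/firejail/seccomp.32") // 32bit arch filter built during make
-#define PATH_SECCOMP_MDWX (RUN_FIREJAIL_LIB_DIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make
-#define PATH_SECCOMP_BLOCK_SECONDARY (RUN_FIREJAIL_LIB_DIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make
+#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make
+#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make
+#define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make
+#define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make
+#define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make
 
 
 #define RUN_DEV_DIR "/run/firejail/mnt/dev"
@@ -791,16 +790,16 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 
 // sbox.c
 // programs
-#define PATH_FNET (RUN_FIREJAIL_LIB_DIR "/firejail/fnet")
-#define PATH_FNETFILTER (RUN_FIREJAIL_LIB_DIR "/firejail/fnetfilter")
+#define PATH_FNET (LIBDIR "/firejail/fnet")
+#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter")
 #define PATH_FIREMON (PREFIX "/bin/firemon")
 #define PATH_FIREJAIL (PREFIX "/bin/firejail")
-#define PATH_FSECCOMP (RUN_FIREJAIL_LIB_DIR "/firejail/fseccomp")
-#define PATH_FSEC_PRINT (RUN_FIREJAIL_LIB_DIR "/firejail/fsec-print")
-#define PATH_FSEC_OPTIMIZE (RUN_FIREJAIL_LIB_DIR "/firejail/fsec-optimize")
-#define PATH_FCOPY (RUN_FIREJAIL_LIB_DIR "/firejail/fcopy")
-#define SBOX_STDIN_FILE (RUN_MNT_DIR "/sbox_stdin")
-#define PATH_FLDD (RUN_FIREJAIL_LIB_DIR "/firejail/fldd")
+#define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
+#define PATH_FSEC_PRINT (LIBDIR "/firejail/fsec-print")
+#define PATH_FSEC_OPTIMIZE (LIBDIR "/firejail/fsec-optimize")
+#define PATH_FCOPY (LIBDIR "/firejail/fcopy")
+#define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin"
+#define PATH_FLDD (LIBDIR "/firejail/fldd")
 
 // bitmapped filters for sbox_run
 #define SBOX_ROOT (1 << 0) // run the sandbox as root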
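Review bot: The `PATH_*` helper and seccomp-filter macros in the second and third hunks are now plain `LIBDIR` paths, and nothing in the header records which filesystem view they are expected to resolve in. A comment above `// programs` such as `// helper paths resolve against the current root; code running after the sandbox filesystem is set up must make sure LIBDIR is still visible there` would document the constraint the reverted change was addressing. The same applies to the `LIBDIR "/firejail"` prefix in fs_trace.c and the `fbuilder`/`faudit` paths in main.c. Separately, `SBOX_STDIN_FILE` repeats the literal `"/run/firejail/mnt/sbox_stdin"`; assuming `RUN_MNT_DIR` is that directory, as the removed line implies, `(RUN_MNT_DIR "/sbox_stdin")` keeps it tied to the directory macro.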
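--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -51,7 +51,7 @@ void fs_trace(void) {
 FILE *fp = fopen(RUN_LDPRELOAD_FILE, "w");
 if (!fp)
 errExit("fopen");
-const char *prefix = RUN_FIREJAIL_LIB_DIR "/firejail";
+const char *prefix = LIBDIR "/firejail";
 
 if (arg_trace) {
 fprintf(fp, "%s/libtrace.so\n", prefix);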
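--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -838,7 +838,7 @@ static void run_builder(int argc, char **argv) {
 assert(getenv("LD_PRELOAD") == NULL);
 umask(orig_umask);
 
-argv[0] = RUN_FIREJAIL_LIB_DIR "/firejail/fbuilder";
+argv[0] = LIBDIR "/firejail/fbuilder";
 execvp(argv[0], argv);
 
 perror("execvp");
@@ -878,13 +878,6 @@ int main(int argc, char **argv) {
 EUID_ROOT();
 atexit(clear_atexit);
 
-// make private copy of mount namespace so that mounts in firejail do not
-// propagate up to host
-if (unshare(CLONE_NEWNS) != 0)
-errExit("unshare");
-if (mount(NULL, "/", NULL, MS_PRIVATE | MS_REC, NULL) != 0)
-errExit("mount: make all mounts private");
-
 // build /run/firejail directory structure
 preproc_build_firejail_dir();
 char *container_name = getenv("container");
@@ -2123,7 +2116,7 @@ int main(int argc, char **argv) {
 else if (strncmp(argv[i], "--timeout=", 10) == 0)
 cfg.timeout = extract_timeout(argv[i] + 10);
 else if (strcmp(argv[i], "--audit") == 0) {
-arg_audit_prog = RUN_FIREJAIL_LIB_DIR "/firejail/faudit";
+arg_audit_prog = LIBDIR "/firejail/faudit";
 arg_audit = 1;
 }
 else if (strncmp(argv[i], "--audit=", 8) == 0) {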
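Review bot: In the run_builder hunk, `assert(getenv("LD_PRELOAD") == NULL);` is the only visible guard before the `execvp` of the fbuilder helper, and an assert is compiled out when the build defines NDEBUG. If the environment is not already scrubbed earlier in the function (not visible here), an explicit check such as `if (getenv("LD_PRELOAD")) { fprintf(stderr, "Error: LD_PRELOAD is set\n"); exit(1); }` keeps the guarantee in release builds. Because `argv[0]` always contains a slash, `execvp` does no PATH search here, so `execv(argv[0], argv);` would state that intent directly. run_builder starts and ends outside the hunk.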
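--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -76,7 +76,7 @@ void check_output(int argc, char **argv) {
 for (i = 0; i < argc; i++) {
 len += strlen(argv[i]) + 1; // + ' '
 }
-len += 100 + strlen(RUN_FIREJAIL_LIB_DIR) + strlen(outfile); // tee command
+len += 100 + strlen(LIBDIR) + strlen(outfile); // tee command
 
 char *cmd = malloc(len + 1); // + '\0'
 if (!cmd)
@@ -92,9 +92,9 @@ void check_output(int argc, char **argv) {
 }
 
 if (enable_stderr)
-sprintf(ptr, "2>&1 | %s/firejail/ftee %s", RUN_FIREJAIL_LIB_DIR, outfile);
+sprintf(ptr, "2>&1 | %s/firejail/ftee %s", LIBDIR, outfile);
 else
-sprintf(ptr, " | %s/firejail/ftee %s", RUN_FIREJAIL_LIB_DIR, outfile);
+sprintf(ptr, " | %s/firejail/ftee %s", LIBDIR, outfile);
 
 // run command
 char *a[4];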
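Review bot: Both `sprintf` calls in the second hunk write the `ftee` suffix into `cmd` with no bound, relying on the `100 + strlen(LIBDIR) + strlen(outfile)` estimate from the first hunk, and `outfile` is placed into the command string unquoted. Assuming `ptr` points into `cmd`, a bounded write such as `snprintf(ptr, (size_t)(cmd + len + 1 - ptr), " | %s/firejail/ftee %s", LIBDIR, outfile);` turns a miscounted length into detectable truncation instead of a heap overflow. The `// run command` part is outside the hunk; if the string is passed to `sh -c`, `outfile` and the copied arguments need quoting or rejection of shell metacharacters, or the pipeline should be built with `pipe`/`fork`/`execv` so that no shell parses them. check_output starts and ends outside both hunks.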
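--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -62,20 +62,12 @@ void preproc_build_firejail_dir(void) {
 create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);
 }
 
-if (stat(RUN_FIREJAIL_LIB_DIR, &s)) {
-create_empty_dir_as_root(RUN_FIREJAIL_LIB_DIR, 0755);
-}
-
 if (stat(RUN_MNT_DIR, &s)) {
 create_empty_dir_as_root(RUN_MNT_DIR, 0755);
 }
 
 create_empty_file_as_root(RUN_RO_FILE, S_IRUSR);
 create_empty_dir_as_root(RUN_RO_DIR, S_IRUSR);
-
-// bind-mount firejail binaries and helper programs
-if (mount(LIBDIR, RUN_FIREJAIL_LIB_DIR, "none", MS_BIND, NULL) < 0)
-errExit("mounting " RUN_FIREJAIL_LIB_DIR);
 }
 
 // build /run/firejail/mnt directory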