diff options
author | netblue30 <netblue30@protonmail.com> | 2021-02-23 08:40:02 -0500 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2021-02-23 08:40:02 -0500 |
commit | 80868ffa70784fae2642c3d9219e08a17822bc86 (patch) | |
tree | 430b0a9c90e9adad7b18f601e3fc5ba1d92bebe2 /src | |
parent | hardening ssh, tor (diff) | |
download | firejail-80868ffa70784fae2642c3d9219e08a17822bc86.tar.gz firejail-80868ffa70784fae2642c3d9219e08a17822bc86.tar.zst firejail-80868ffa70784fae2642c3d9219e08a17822bc86.zip |
jailtest
Diffstat (limited to 'src')
-rw-r--r-- | src/jailtest/access.c | 19 | ||||
-rw-r--r-- | src/jailtest/apparmor.c | 40 | ||||
-rw-r--r-- | src/jailtest/jailtest.h | 28 | ||||
-rw-r--r-- | src/jailtest/main.c | 35 | ||||
-rw-r--r-- | src/jailtest/noexec.c | 19 | ||||
-rw-r--r-- | src/jailtest/seccomp.c | 47 | ||||
-rw-r--r-- | src/jailtest/utils.c | 130 | ||||
-rw-r--r-- | src/jailtest/virtual.c | 34 | ||||
-rw-r--r-- | src/man/firecfg.txt | 11 | ||||
-rw-r--r-- | src/man/firejail-login.txt | 11 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 12 | ||||
-rw-r--r-- | src/man/firejail-users.txt | 11 | ||||
-rw-r--r-- | src/man/firejail.txt | 12 | ||||
-rw-r--r-- | src/man/firemon.txt | 11 | ||||
-rw-r--r-- | src/man/jailtest.txt | 58 |
15 files changed, 349 insertions, 129 deletions
diff --git a/src/jailtest/access.c b/src/jailtest/access.c index e68227bd2..4e737dc7a 100644 --- a/src/jailtest/access.c +++ b/src/jailtest/access.c | |||
@@ -1,3 +1,22 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
1 | #include "jailtest.h" | 20 | #include "jailtest.h" |
2 | #include <dirent.h> | 21 | #include <dirent.h> |
3 | #include <sys/wait.h> | 22 | #include <sys/wait.h> |
diff --git a/src/jailtest/apparmor.c b/src/jailtest/apparmor.c new file mode 100644 index 000000000..43ab8fad0 --- /dev/null +++ b/src/jailtest/apparmor.c | |||
@@ -0,0 +1,40 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "jailtest.h" | ||
21 | |||
22 | #ifdef HAVE_APPARMOR | ||
23 | #include <sys/apparmor.h> | ||
24 | |||
25 | void apparmor_test(pid_t pid) { | ||
26 | char *label = NULL; | ||
27 | char *mode = NULL; | ||
28 | int rv = aa_gettaskcon(pid, &label, &mode); | ||
29 | if (rv == -1 || mode == NULL) | ||
30 | printf(" Warning: AppArmor not enabled\n"); | ||
31 | } | ||
32 | |||
33 | |||
34 | #else | ||
35 | void apparmor_test(uid_t pid) { | ||
36 | (void) pid; | ||
37 | return; | ||
38 | } | ||
39 | #endif | ||
40 | |||
diff --git a/src/jailtest/jailtest.h b/src/jailtest/jailtest.h index 678f94bef..10174cc9a 100644 --- a/src/jailtest/jailtest.h +++ b/src/jailtest/jailtest.h | |||
@@ -1,3 +1,22 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
1 | #ifndef JAILTEST_H | 20 | #ifndef JAILTEST_H |
2 | #define JAILTEST_H | 21 | #define JAILTEST_H |
3 | 22 | ||
@@ -8,6 +27,7 @@ extern uid_t user_uid; | |||
8 | extern gid_t user_gid; | 27 | extern gid_t user_gid; |
9 | extern char *user_name; | 28 | extern char *user_name; |
10 | extern char *user_home_dir; | 29 | extern char *user_home_dir; |
30 | extern char *user_run_dir; | ||
11 | 31 | ||
12 | // access.c | 32 | // access.c |
13 | void access_setup(const char *directory); | 33 | void access_setup(const char *directory); |
@@ -23,10 +43,16 @@ void virtual_setup(const char *directory); | |||
23 | void virtual_destroy(void); | 43 | void virtual_destroy(void); |
24 | void virtual_test(void); | 44 | void virtual_test(void); |
25 | 45 | ||
46 | // apparmor.c | ||
47 | void apparmor_test(pid_t pid); | ||
48 | |||
49 | // seccomp.c | ||
50 | void seccomp_test(pid_t pid); | ||
51 | |||
26 | // utils.c | 52 | // utils.c |
27 | char *get_sudo_user(void); | 53 | char *get_sudo_user(void); |
28 | char *get_homedir(const char *user, uid_t *uid, gid_t *gid); | 54 | char *get_homedir(const char *user, uid_t *uid, gid_t *gid); |
29 | int find_child(pid_t parent, pid_t *child); | 55 | int find_child(pid_t pid); |
30 | pid_t switch_to_child(pid_t pid); | 56 | pid_t switch_to_child(pid_t pid); |
31 | 57 | ||
32 | #endif \ No newline at end of file | 58 | #endif \ No newline at end of file |
diff --git a/src/jailtest/main.c b/src/jailtest/main.c index 78f162706..850277bc5 100644 --- a/src/jailtest/main.c +++ b/src/jailtest/main.c | |||
@@ -1,3 +1,22 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
1 | #include "jailtest.h" | 20 | #include "jailtest.h" |
2 | #include "../include/firejail_user.h" | 21 | #include "../include/firejail_user.h" |
3 | #include "../include/pid.h" | 22 | #include "../include/pid.h" |
@@ -7,6 +26,7 @@ uid_t user_uid = 0; | |||
7 | gid_t user_gid = 0; | 26 | gid_t user_gid = 0; |
8 | char *user_name = NULL; | 27 | char *user_name = NULL; |
9 | char *user_home_dir = NULL; | 28 | char *user_home_dir = NULL; |
29 | char *user_run_dir = NULL; | ||
10 | int arg_debug = 0; | 30 | int arg_debug = 0; |
11 | 31 | ||
12 | static char *usage_str = | 32 | static char *usage_str = |
@@ -73,9 +93,13 @@ int main(int argc, char **argv) { | |||
73 | fprintf(stderr, "Error: root user not supported\n"); | 93 | fprintf(stderr, "Error: root user not supported\n"); |
74 | exit(1); | 94 | exit(1); |
75 | } | 95 | } |
96 | if (asprintf(&user_run_dir, "/run/user/%d", user_uid) == -1) | ||
97 | errExit("asprintf"); | ||
76 | 98 | ||
77 | // test setup | 99 | // test setup |
78 | atexit(cleanup); | 100 | atexit(cleanup); |
101 | access_setup("~/.ssh"); | ||
102 | access_setup("~/.gnupg"); | ||
79 | if (findex > 0) { | 103 | if (findex > 0) { |
80 | for (i = findex; i < argc; i++) | 104 | for (i = findex; i < argc; i++) |
81 | access_setup(argv[i]); | 105 | access_setup(argv[i]); |
@@ -88,6 +112,10 @@ int main(int argc, char **argv) { | |||
88 | virtual_setup("/dev"); | 112 | virtual_setup("/dev"); |
89 | virtual_setup("/etc"); | 113 | virtual_setup("/etc"); |
90 | virtual_setup("/bin"); | 114 | virtual_setup("/bin"); |
115 | virtual_setup("/usr/share"); | ||
116 | virtual_setup(user_run_dir); | ||
117 | |||
118 | |||
91 | 119 | ||
92 | // print processes | 120 | // print processes |
93 | pid_read(0); | 121 | pid_read(0); |
@@ -98,8 +126,12 @@ int main(int argc, char **argv) { | |||
98 | continue; | 126 | continue; |
99 | 127 | ||
100 | // in case the pid is that of a firejail process, use the pid of the first child process | 128 | // in case the pid is that of a firejail process, use the pid of the first child process |
101 | uid_t pid = switch_to_child(i); | 129 | uid_t pid = find_child(i); |
130 | printf("\n"); | ||
102 | pid_print_list(i, 0); // no wrapping | 131 | pid_print_list(i, 0); // no wrapping |
132 | apparmor_test(pid); | ||
133 | seccomp_test(pid); | ||
134 | fflush(0); | ||
103 | 135 | ||
104 | pid_t child = fork(); | 136 | pid_t child = fork(); |
105 | if (child == -1) | 137 | if (child == -1) |
@@ -111,6 +143,7 @@ int main(int argc, char **argv) { | |||
111 | noexec_test(user_home_dir); | 143 | noexec_test(user_home_dir); |
112 | noexec_test("/tmp"); | 144 | noexec_test("/tmp"); |
113 | noexec_test("/var/tmp"); | 145 | noexec_test("/var/tmp"); |
146 | noexec_test(user_run_dir); | ||
114 | access_test(); | 147 | access_test(); |
115 | } | 148 | } |
116 | else { | 149 | else { |
diff --git a/src/jailtest/noexec.c b/src/jailtest/noexec.c index d2f85514a..4347b7eef 100644 --- a/src/jailtest/noexec.c +++ b/src/jailtest/noexec.c | |||
@@ -1,3 +1,22 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
1 | #include "jailtest.h" | 20 | #include "jailtest.h" |
2 | #include <sys/wait.h> | 21 | #include <sys/wait.h> |
3 | #include <sys/stat.h> | 22 | #include <sys/stat.h> |
diff --git a/src/jailtest/seccomp.c b/src/jailtest/seccomp.c new file mode 100644 index 000000000..2cecb4b4d --- /dev/null +++ b/src/jailtest/seccomp.c | |||
@@ -0,0 +1,47 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "jailtest.h" | ||
21 | #define MAXBUF 4096 | ||
22 | |||
23 | void seccomp_test(pid_t pid) { | ||
24 | char *file; | ||
25 | if (asprintf(&file, "/proc/%d/status", pid) == -1) | ||
26 | errExit("asprintf"); | ||
27 | |||
28 | FILE *fp = fopen(file, "r"); | ||
29 | if (!fp) { | ||
30 | printf(" Error: cannot open %s\n", file); | ||
31 | free(file); | ||
32 | return; | ||
33 | } | ||
34 | |||
35 | char buf[MAXBUF]; | ||
36 | while (fgets(buf, MAXBUF, fp)) { | ||
37 | if (strncmp(buf, "Seccomp:", 8) == 0) { | ||
38 | int val = -1; | ||
39 | int rv = sscanf(buf + 8, "\t%d", &val); | ||
40 | if (rv != 1 || val == 0) | ||
41 | printf(" Warning: seccomp not enabled\n"); | ||
42 | break; | ||
43 | } | ||
44 | } | ||
45 | fclose(fp); | ||
46 | free(file); | ||
47 | } | ||
diff --git a/src/jailtest/utils.c b/src/jailtest/utils.c index b24783355..41c21b753 100644 --- a/src/jailtest/utils.c +++ b/src/jailtest/utils.c | |||
@@ -1,4 +1,24 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
1 | #include "jailtest.h" | 20 | #include "jailtest.h" |
21 | #include "../include/pid.h" | ||
2 | #include <errno.h> | 22 | #include <errno.h> |
3 | #include <pwd.h> | 23 | #include <pwd.h> |
4 | #include <dirent.h> | 24 | #include <dirent.h> |
@@ -38,87 +58,45 @@ errexit: | |||
38 | exit(1); | 58 | exit(1); |
39 | } | 59 | } |
40 | 60 | ||
41 | int find_child(pid_t parent, pid_t *child) { | 61 | // find the second child process for the specified pid |
42 | *child = 0; // use it to flag a found child | 62 | // return -1 if not found |
63 | // | ||
64 | // Example: | ||
65 | //14776:netblue:/usr/bin/firejail /usr/bin/transmission-qt | ||
66 | // 14777:netblue:/usr/bin/firejail /usr/bin/transmission-qt | ||
67 | // 14792:netblue:/usr/bin/transmission-qt | ||
68 | // We need 14792, the first real sandboxed process | ||
69 | // duplicate from src/firemon/main.c | ||
70 | int find_child(int id) { | ||
71 | int i; | ||
72 | int first_child = -1; | ||
43 | 73 | ||
44 | DIR *dir; | 74 | // find the first child |
45 | if (!(dir = opendir("/proc"))) { | 75 | for (i = 0; i < max_pids; i++) { |
46 | // sleep 2 seconds and try again | 76 | if (pids[i].level == 2 && pids[i].parent == id) { |
47 | sleep(2); | 77 | // skip /usr/bin/xdg-dbus-proxy (started by firejail for dbus filtering) |
48 | if (!(dir = opendir("/proc"))) { | 78 | char *cmdline = pid_proc_cmdline(i); |
49 | fprintf(stderr, "Error: cannot open /proc directory\n"); | 79 | if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) == 0) { |
50 | exit(1); | 80 | free(cmdline); |
51 | } | 81 | continue; |
52 | } | ||
53 | |||
54 | struct dirent *entry; | ||
55 | char *end; | ||
56 | while (*child == 0 && (entry = readdir(dir))) { | ||
57 | pid_t pid = strtol(entry->d_name, &end, 10); | ||
58 | if (end == entry->d_name || *end) | ||
59 | continue; | ||
60 | if (pid == parent) | ||
61 | continue; | ||
62 | |||
63 | // open stat file | ||
64 | char *file; | ||
65 | if (asprintf(&file, "/proc/%u/status", pid) == -1) { | ||
66 | perror("asprintf"); | ||
67 | exit(1); | ||
68 | } | ||
69 | FILE *fp = fopen(file, "r"); | ||
70 | if (!fp) { | ||
71 | free(file); | ||
72 | continue; | ||
73 | } | ||
74 | |||
75 | // look for firejail executable name | ||
76 | char buf[BUFLEN]; | ||
77 | while (fgets(buf, BUFLEN - 1, fp)) { | ||
78 | if (strncmp(buf, "PPid:", 5) == 0) { | ||
79 | char *ptr = buf + 5; | ||
80 | while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) { | ||
81 | ptr++; | ||
82 | } | ||
83 | if (*ptr == '\0') { | ||
84 | fprintf(stderr, "Error: cannot read /proc file\n"); | ||
85 | exit(1); | ||
86 | } | ||
87 | if (parent == atoi(ptr)) { | ||
88 | // we don't want /usr/bin/xdg-dbus-proxy! | ||
89 | char *cmdline = pid_proc_cmdline(pid); | ||
90 | if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) != 0) | ||
91 | *child = pid; | ||
92 | free(cmdline); | ||
93 | } | ||
94 | break; // stop reading the file | ||
95 | } | 82 | } |
83 | free(cmdline); | ||
84 | first_child = i; | ||
85 | break; | ||
96 | } | 86 | } |
97 | fclose(fp); | ||
98 | free(file); | ||
99 | } | 87 | } |
100 | closedir(dir); | ||
101 | return (*child)? 0:1; // 0 = found, 1 = not found | ||
102 | } | ||
103 | 88 | ||
104 | pid_t switch_to_child(pid_t pid) { | 89 | if (first_child == -1) |
105 | pid_t rv = pid; | 90 | return -1; |
106 | errno = 0; | ||
107 | char *comm = pid_proc_comm(pid); | ||
108 | if (!comm) { | ||
109 | if (errno == ENOENT) | ||
110 | fprintf(stderr, "Error: cannot find process with pid %d\n", pid); | ||
111 | else | ||
112 | fprintf(stderr, "Error: cannot read /proc file\n"); | ||
113 | exit(1); | ||
114 | } | ||
115 | 91 | ||
116 | if (strcmp(comm, "firejail") == 0) { | 92 | // find the second-level child |
117 | if (find_child(pid, &rv) == 1) { | 93 | for (i = 0; i < max_pids; i++) { |
118 | fprintf(stderr, "Error: no valid sandbox\n"); | 94 | if (pids[i].level == 3 && pids[i].parent == first_child) |
119 | exit(1); | 95 | return i; |
120 | } | ||
121 | } | 96 | } |
122 | free(comm); | 97 | |
123 | return rv; | 98 | // if a second child is not found, return the first child pid |
99 | // this happens for processes sandboxed with --join | ||
100 | return first_child; | ||
124 | } | 101 | } |
102 | |||
diff --git a/src/jailtest/virtual.c b/src/jailtest/virtual.c index 48296fdb1..fcdcf9720 100644 --- a/src/jailtest/virtual.c +++ b/src/jailtest/virtual.c | |||
@@ -1,3 +1,22 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
1 | #include "jailtest.h" | 20 | #include "jailtest.h" |
2 | #include <dirent.h> | 21 | #include <dirent.h> |
3 | #include <sys/wait.h> | 22 | #include <sys/wait.h> |
@@ -64,7 +83,8 @@ void virtual_test(void) { | |||
64 | assert(user_uid); | 83 | assert(user_uid); |
65 | int i; | 84 | int i; |
66 | 85 | ||
67 | printf(" Virtual dirs: "); fflush(0); | 86 | int cnt = 0; |
87 | cnt += printf(" Virtual dirs: "); fflush(0); | ||
68 | 88 | ||
69 | for (i = 0; i < files_cnt; i++) { | 89 | for (i = 0; i < files_cnt; i++) { |
70 | assert(files[i]); | 90 | assert(files[i]); |
@@ -85,15 +105,21 @@ void virtual_test(void) { | |||
85 | FILE *fp = fopen(files[i], "r"); | 105 | FILE *fp = fopen(files[i], "r"); |
86 | if (fp) | 106 | if (fp) |
87 | fclose(fp); | 107 | fclose(fp); |
88 | else | 108 | else { |
89 | printf("%s, ", dirs[i]); | 109 | if (cnt == 0) |
110 | cnt += printf("\n "); | ||
111 | cnt += printf("%s, ", dirs[i]); | ||
112 | if (cnt > 60) | ||
113 | cnt = 0; | ||
114 | } | ||
90 | fflush(0); | 115 | fflush(0); |
91 | exit(0); | 116 | exit(cnt); |
92 | } | 117 | } |
93 | 118 | ||
94 | // wait for the child to finish | 119 | // wait for the child to finish |
95 | int status; | 120 | int status; |
96 | wait(&status); | 121 | wait(&status); |
122 | cnt = WEXITSTATUS(status); | ||
97 | } | 123 | } |
98 | printf("\n"); | 124 | printf("\n"); |
99 | } | 125 | } |
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt index 2c02aee47..dbb9397c6 100644 --- a/src/man/firecfg.txt +++ b/src/man/firecfg.txt | |||
@@ -130,8 +130,9 @@ This program is free software; you can redistribute it and/or modify it under th | |||
130 | .PP | 130 | .PP |
131 | Homepage: https://firejail.wordpress.com | 131 | Homepage: https://firejail.wordpress.com |
132 | .SH SEE ALSO | 132 | .SH SEE ALSO |
133 | \&\flfirejail\fR\|(1), | 133 | .BR firejail (1), |
134 | \&\flfiremon\fR\|(1), | 134 | .BR firemon (1), |
135 | \&\flfirejail-profile\fR\|(5), | 135 | .BR firejail-profile (5), |
136 | \&\flfirejail-login\fR\|(5) | 136 | .BR firejail-login (5), |
137 | \&\flfirejail-users\fR\|(5) | 137 | .BR firejail-users (5), |
138 | .BR jailtest (1) | ||
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt index 430e86cc8..ce27729b7 100644 --- a/src/man/firejail-login.txt +++ b/src/man/firejail-login.txt | |||
@@ -34,8 +34,9 @@ Firejail is free software; you can redistribute it and/or modify it under the te | |||
34 | .PP | 34 | .PP |
35 | Homepage: https://firejail.wordpress.com | 35 | Homepage: https://firejail.wordpress.com |
36 | .SH SEE ALSO | 36 | .SH SEE ALSO |
37 | \&\flfirejail\fR\|(1), | 37 | .BR firejail (1), |
38 | \&\flfiremon\fR\|(1), | 38 | .BR firemon (1), |
39 | \&\flfirecfg\fR\|(1), | 39 | .BR firecfg (1), |
40 | \&\flfirejail-profile\fR\|(5) | 40 | .BR firejail-profile (5), |
41 | \&\flfirejail-users\fR\|(5) | 41 | .BR firejail-users (5), |
42 | .BR jailtest (1) | ||
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 5e77b5f70..c7dc4c434 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -889,10 +889,12 @@ Firejail is free software; you can redistribute it and/or modify it under the te | |||
889 | .PP | 889 | .PP |
890 | Homepage: https://firejail.wordpress.com | 890 | Homepage: https://firejail.wordpress.com |
891 | .SH SEE ALSO | 891 | .SH SEE ALSO |
892 | \&\flfirejail\fR\|(1), | 892 | .BR firejail (1), |
893 | \&\flfiremon\fR\|(1), | 893 | .BR firemon (1), |
894 | \&\flfirecfg\fR\|(1), | 894 | .BR firecfg (1), |
895 | \&\flfirejail-login\fR\|(5), | 895 | .BR firejail-login (5), |
896 | \&\flfirejail-users\fR\|(5), | 896 | .BR firejail-users (5), |
897 | .BR jailtest (1) | ||
898 | |||
897 | .UR https://github.com/netblue30/firejail/wiki/Creating-Profiles | 899 | .UR https://github.com/netblue30/firejail/wiki/Creating-Profiles |
898 | .UE | 900 | .UE |
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt index 6fa09e05e..c5a9c1848 100644 --- a/src/man/firejail-users.txt +++ b/src/man/firejail-users.txt | |||
@@ -54,8 +54,9 @@ as published by the Free Software Foundation; either version 2 of the License, o | |||
54 | .PP | 54 | .PP |
55 | Homepage: https://firejail.wordpress.com | 55 | Homepage: https://firejail.wordpress.com |
56 | .SH SEE ALSO | 56 | .SH SEE ALSO |
57 | \&\flfirejail\fR\|(1), | 57 | .BR firejail (1), |
58 | \&\flfiremon\fR\|(1), | 58 | .BR firemon (1), |
59 | \&\flfirecfg\fR\|(1), | 59 | .BR firecfg (1), |
60 | \&\flfirejail-profile\fR\|(5) | 60 | .BR firejail-profile (5), |
61 | \&\flfirejail-login\fR\|(5) | 61 | .BR firejail-login (5), |
62 | .BR jailtest (1) | ||
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index e85a02ee8..9e89d4e79 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -3332,11 +3332,13 @@ This program is free software; you can redistribute it and/or modify it under th | |||
3332 | .PP | 3332 | .PP |
3333 | Homepage: https://firejail.wordpress.com | 3333 | Homepage: https://firejail.wordpress.com |
3334 | .SH SEE ALSO | 3334 | .SH SEE ALSO |
3335 | \&\flfiremon\fR\|(1), | 3335 | .BR firemon (1), |
3336 | \&\flfirecfg\fR\|(1), | 3336 | .BR firecfg (1), |
3337 | \&\flfirejail-profile\fR\|(5), | 3337 | .BR firejail-profile (5), |
3338 | \&\flfirejail-login\fR\|(5), | 3338 | .BR firejail-login (5), |
3339 | \&\flfirejail-users\fR\|(5), | 3339 | .BR firejail-users (5), |
3340 | .BR jailtest (1) | ||
3341 | |||
3340 | .UR https://github.com/netblue30/firejail/wiki | 3342 | .UR https://github.com/netblue30/firejail/wiki |
3341 | .UE , | 3343 | .UE , |
3342 | .UR https://github.com/netblue30/firejail | 3344 | .UR https://github.com/netblue30/firejail |
diff --git a/src/man/firemon.txt b/src/man/firemon.txt index cea6c0265..64f15a1f0 100644 --- a/src/man/firemon.txt +++ b/src/man/firemon.txt | |||
@@ -115,8 +115,9 @@ This program is free software; you can redistribute it and/or modify it under th | |||
115 | .PP | 115 | .PP |
116 | Homepage: https://firejail.wordpress.com | 116 | Homepage: https://firejail.wordpress.com |
117 | .SH SEE ALSO | 117 | .SH SEE ALSO |
118 | \&\flfirejail\fR\|(1), | 118 | .BR firejail (1), |
119 | \&\flfirecfg\fR\|(1), | 119 | .BR firecfg (1), |
120 | \&\flfirejail-profile\fR\|(5), | 120 | .BR firejail-profile (5), |
121 | \&\flfirejail-login\fR\|(5) | 121 | .BR firejail-login (5), |
122 | \&\flfirejail-users\fR\|(5) | 122 | .BR firejail-users (5), |
123 | .BR jailtest (1) | ||
diff --git a/src/man/jailtest.txt b/src/man/jailtest.txt index bc1999163..1b64097ea 100644 --- a/src/man/jailtest.txt +++ b/src/man/jailtest.txt | |||
@@ -19,9 +19,12 @@ and tries to run them form inside the sandbox, thus testing if the directory is | |||
19 | \fB3. Read access test | 19 | \fB3. Read access test |
20 | jailtest creates test files in the directories specified by the user and tries to read | 20 | jailtest creates test files in the directories specified by the user and tries to read |
21 | them from inside the sandbox. | 21 | them from inside the sandbox. |
22 | |||
23 | .TP | 22 | .TP |
24 | The program is running as root exclusively under sudo. | 23 | \fB4. AppArmor test |
24 | .TP | ||
25 | \fB5. Seccomp test | ||
26 | .TP | ||
27 | The program is started as root using sudo. | ||
25 | 28 | ||
26 | .SH OPTIONS | 29 | .SH OPTIONS |
27 | .TP | 30 | .TP |
@@ -35,7 +38,7 @@ Print options end exit. | |||
35 | Print program version and exit. | 38 | Print program version and exit. |
36 | .TP | 39 | .TP |
37 | \fB[directory] | 40 | \fB[directory] |
38 | One or more directories in user home to test for read access. | 41 | One or more directories in user home to test for read access. ~/.ssh and ~/.gnupg are tested by default. |
39 | 42 | ||
40 | .SH OUTPUT | 43 | .SH OUTPUT |
41 | For each sandbox detected we print the following line: | 44 | For each sandbox detected we print the following line: |
@@ -46,37 +49,58 @@ It is followed by relevant sandbox information, such as the virtual directories | |||
46 | 49 | ||
47 | .SH EXAMPLE | 50 | .SH EXAMPLE |
48 | 51 | ||
52 | $ sudo jailtest | ||
49 | .br | 53 | .br |
50 | $ sudo jailtest ~/.ssh ~/.gnupg | 54 | 2014:netblue::firejail /usr/bin/gimp |
51 | .br | 55 | .br |
52 | 1429:netblue::/usr/bin/firejail /opt/firefox/firefox | 56 | Virtual dirs: /tmp, /var/tmp, /dev, /usr/share, |
53 | .br | 57 | .br |
54 | Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, | 58 | Warning: I can run programs in /home/netblue |
59 | .br | ||
60 | |||
55 | .br | 61 | .br |
56 | 5602:netblue::/usr/bin/firejail /usr/bin/ssh netblue@x.y.z.net | 62 | 2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net |
57 | .br | 63 | .br |
58 | Virtual dirs: /var/tmp, /dev, | 64 | Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000, |
59 | .br | 65 | .br |
60 | Warning: I can read ~/.ssh | 66 | Warning: I can read ~/.ssh |
61 | .br | 67 | .br |
62 | 5926:netblue::/usr/bin/firejail /usr/bin/gimp-2.10 | 68 | |
69 | .br | ||
70 | 2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.appimage | ||
63 | .br | 71 | .br |
64 | Virtual dirs: /tmp, /var/tmp, /dev, | 72 | Virtual dirs: /tmp, /var/tmp, /dev, |
65 | .br | 73 | .br |
66 | Warning: I can run programs in /home/netblue | 74 | |
67 | .br | 75 | .br |
68 | 6394:netblue:libreoffice:/usr/bin/firejail libreoffice | 76 | 26090:netblue::/usr/bin/firejail /opt/firefox/firefox |
69 | .br | 77 | .br |
70 | Virtual dirs: /tmp, /var/tmp, /dev, | 78 | Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share, |
71 | .br | 79 | .br |
80 | /run/user/1000, | ||
81 | .br | ||
82 | |||
83 | .br | ||
84 | 26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor | ||
85 | .br | ||
86 | Warning: AppArmor not enabled | ||
87 | .br | ||
88 | Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin, | ||
89 | .br | ||
90 | /usr/share, /run/user/1000, | ||
91 | .br | ||
92 | Warning: I can run programs in /home/netblue | ||
93 | .br | ||
94 | |||
72 | 95 | ||
73 | .SH LICENSE | 96 | .SH LICENSE |
74 | This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. | 97 | This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. |
75 | .PP | 98 | .PP |
76 | Homepage: https://firejail.wordpress.com | 99 | Homepage: https://firejail.wordpress.com |
77 | .SH SEE ALSO | 100 | .SH SEE ALSO |
78 | \&\flfirejail\fR\|(1), | 101 | .BR firejail (1), |
79 | \&\flfirecfg\fR\|(1), | 102 | .BR firemon (1), |
80 | \&\flfirejail-profile\fR\|(5), | 103 | .BR firecfg (1), |
81 | \&\flfirejail-login\fR\|(5) | 104 | .BR firejail-profile (5), |
82 | \&\flfirejail-users\fR\|(5) | 105 | .BR firejail-login (5), |
106 | .BR firejail-users (5), | ||