author | netblue30 <netblue30@yahoo.com> | 2016-08-21 15:01:10 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-08-21 15:01:10 -0400 |
commit | e6ee65a48c1d17da1cd2058b1e61dc838513a49e (patch) | |
tree | e7c3522225a3baa19e016d18c44e7f5cf376dc50 /src | |
parent | run time support to disable remounting of /proc and /sys (diff) | |
run time support to disable overlayfs
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/checkcfg.c | 8 | ||||
-rw-r--r-- | src/firejail/firejail.h | 3 | ||||
-rw-r--r-- | src/firejail/main.c | 168 |
3 files changed, 109 insertions, 70 deletions
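--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -233,6 +233,14 @@ int checkcfg(int val) {
 else
 goto errout;
 }
+else if (strncmp(ptr, "overlayfs ", 10) == 0) {
+if (strcmp(ptr + 10, "yes") == 0)
+cfg_val[CFG_OVERLAYFS] = 1;
+else if (strcmp(ptr + 10, "no") == 0)
+cfg_val[CFG_OVERLAYFS] = 0;
+else
+goto errout;
+}
 else
 goto errout;
 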
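Review bot: The new `overlayfs` branch sets `cfg_val[CFG_OVERLAYFS]` only when the line is present, so the value used when the key is missing comes from initialisation that is outside this hunk. Because this switch is how an administrator turns off a privileged mount feature, the default should be stated where the key is parsed, for example `/* overlayfs: "no" disables every --overlay* option; the value when the key is absent is set where cfg_val is initialised */`. The key should also be listed in the shipped configuration file if it is not there already. The if/else chain in checkcfg() starts and ends outside the hunk.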
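--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -591,7 +591,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh);
 #define CFG_WHITELIST 9
 #define CFG_XEPHYR_WINDOW_TITLE 10
 #define CFG_REMOUNT_PROC_SYS 11
-#define CFG_MAX 12 // this should always be the last entry
+#define CFG_OVERLAYFS 12
+#define CFG_MAX 13 // this should always be the last entry
 extern char *xephyr_screen;
 extern char *xephyr_extra_params;
 extern char *netfilter_default;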
diff --git a/src/firejail/main.c b/src/firejail/main.c index c366390cc..1824765eb 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -266,18 +266,24 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
266 | } | 266 | } |
267 | #ifdef HAVE_OVERLAYFS | 267 | #ifdef HAVE_OVERLAYFS |
268 | else if (strcmp(argv[i], "--overlay-clean") == 0) { | 268 | else if (strcmp(argv[i], "--overlay-clean") == 0) { |
269 | char *path; | 269 | if (checkcfg(CFG_OVERLAYFS)) { |
270 | if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1) | 270 | char *path; |
271 | errExit("asprintf"); | 271 | if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1) |
272 | EUID_ROOT(); | 272 | errExit("asprintf"); |
273 | if (setreuid(0, 0) < 0) | 273 | EUID_ROOT(); |
274 | errExit("setreuid"); | 274 | if (setreuid(0, 0) < 0) |
275 | if (setregid(0, 0) < 0) | 275 | errExit("setreuid"); |
276 | errExit("setregid"); | 276 | if (setregid(0, 0) < 0) |
277 | errno = 0; | 277 | errExit("setregid"); |
278 | int rv = remove_directory(path); | 278 | errno = 0; |
279 | if (rv) { | 279 | int rv = remove_directory(path); |
280 | fprintf(stderr, "Error: cannot removed overlays stored in ~/.firejail directory, errno %d\n", errno); | 280 | if (rv) { |
281 | fprintf(stderr, "Error: cannot removed overlays stored in ~/.firejail directory, errno %d\n", errno); | ||
282 | exit(1); | ||
283 | } | ||
284 | } | ||
285 | else { | ||
286 | fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n"); | ||
281 | exit(1); | 287 | exit(1); |
282 | } | 288 | } |
283 | exit(0); | 289 | exit(0); |
@@ -1283,78 +1289,103 @@ int main(int argc, char **argv) { | |||
1283 | } | 1289 | } |
1284 | #ifdef HAVE_OVERLAYFS | 1290 | #ifdef HAVE_OVERLAYFS |
1285 | else if (strcmp(argv[i], "--overlay") == 0) { | 1291 | else if (strcmp(argv[i], "--overlay") == 0) { |
1286 | if (cfg.chrootdir) { | 1292 | if (checkcfg(CFG_OVERLAYFS)) { |
1287 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); | 1293 | if (cfg.chrootdir) { |
1288 | exit(1); | 1294 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); |
1295 | exit(1); | ||
1296 | } | ||
1297 | struct stat s; | ||
1298 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { | ||
1299 | fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); | ||
1300 | exit(1); | ||
1301 | } | ||
1302 | arg_overlay = 1; | ||
1303 | arg_overlay_keep = 1; | ||
1304 | |||
1305 | char *subdirname; | ||
1306 | if (asprintf(&subdirname, "%d", getpid()) == -1) | ||
1307 | errExit("asprintf"); | ||
1308 | cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); | ||
1309 | |||
1310 | free(subdirname); | ||
1289 | } | 1311 | } |
1290 | struct stat s; | 1312 | else { |
1291 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { | 1313 | fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n"); |
1292 | fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); | 1314 | exit(1); |
1293 | exit(1); | ||
1294 | } | 1315 | } |
1295 | arg_overlay = 1; | ||
1296 | arg_overlay_keep = 1; | ||
1297 | |||
1298 | char *subdirname; | ||
1299 | if (asprintf(&subdirname, "%d", getpid()) == -1) | ||
1300 | errExit("asprintf"); | ||
1301 | cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); | ||
1302 | |||
1303 | free(subdirname); | ||
1304 | } | 1316 | } |
1305 | else if (strncmp(argv[i], "--overlay-named=", 16) == 0) { | 1317 | else if (strncmp(argv[i], "--overlay-named=", 16) == 0) { |
1306 | if (cfg.chrootdir) { | 1318 | if (checkcfg(CFG_OVERLAYFS)) { |
1307 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); | 1319 | if (cfg.chrootdir) { |
1308 | exit(1); | 1320 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); |
1309 | } | 1321 | exit(1); |
1310 | struct stat s; | 1322 | } |
1311 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { | 1323 | struct stat s; |
1312 | fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); | 1324 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { |
1313 | exit(1); | 1325 | fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); |
1326 | exit(1); | ||
1327 | } | ||
1328 | arg_overlay = 1; | ||
1329 | arg_overlay_keep = 1; | ||
1330 | arg_overlay_reuse = 1; | ||
1331 | |||
1332 | char *subdirname = argv[i] + 16; | ||
1333 | if (subdirname == '\0') { | ||
1334 | fprintf(stderr, "Error: invalid overlay option\n"); | ||
1335 | exit(1); | ||
1336 | } | ||
1337 | cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); | ||
1314 | } | 1338 | } |
1315 | arg_overlay = 1; | 1339 | else { |
1316 | arg_overlay_keep = 1; | 1340 | fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n"); |
1317 | arg_overlay_reuse = 1; | ||
1318 | |||
1319 | char *subdirname = argv[i] + 16; | ||
1320 | if (subdirname == '\0') { | ||
1321 | fprintf(stderr, "Error: invalid overlay option\n"); | ||
1322 | exit(1); | 1341 | exit(1); |
1323 | } | 1342 | } |
1324 | cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); | 1343 | |
1325 | } | 1344 | } |
1326 | else if (strncmp(argv[i], "--overlay-path=", 15) == 0) { | 1345 | else if (strncmp(argv[i], "--overlay-path=", 15) == 0) { |
1327 | if (cfg.chrootdir) { | 1346 | if (checkcfg(CFG_OVERLAYFS)) { |
1328 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); | 1347 | if (cfg.chrootdir) { |
1329 | exit(1); | 1348 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); |
1330 | } | 1349 | exit(1); |
1331 | struct stat s; | 1350 | } |
1332 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { | 1351 | struct stat s; |
1333 | fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); | 1352 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { |
1334 | exit(1); | 1353 | fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); |
1354 | exit(1); | ||
1355 | } | ||
1356 | arg_overlay = 1; | ||
1357 | arg_overlay_keep = 1; | ||
1358 | arg_overlay_reuse = 1; | ||
1359 | |||
1360 | char *dirname = argv[i] + 15; | ||
1361 | if (dirname == '\0') { | ||
1362 | fprintf(stderr, "Error: invalid overlay option\n"); | ||
1363 | exit(1); | ||
1364 | } | ||
1365 | cfg.overlay_dir = expand_home(dirname, cfg.homedir); | ||
1335 | } | 1366 | } |
1336 | arg_overlay = 1; | 1367 | else { |
1337 | arg_overlay_keep = 1; | 1368 | fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n"); |
1338 | arg_overlay_reuse = 1; | ||
1339 | |||
1340 | char *dirname = argv[i] + 15; | ||
1341 | if (dirname == '\0') { | ||
1342 | fprintf(stderr, "Error: invalid overlay option\n"); | ||
1343 | exit(1); | 1369 | exit(1); |
1344 | } | 1370 | } |
1345 | cfg.overlay_dir = expand_home(dirname, cfg.homedir); | ||
1346 | } | 1371 | } |
1347 | else if (strcmp(argv[i], "--overlay-tmpfs") == 0) { | 1372 | else if (strcmp(argv[i], "--overlay-tmpfs") == 0) { |
1348 | if (cfg.chrootdir) { | 1373 | if (checkcfg(CFG_OVERLAYFS)) { |
1349 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); | 1374 | if (cfg.chrootdir) { |
1350 | exit(1); | 1375 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); |
1376 | exit(1); | ||
1377 | } | ||
1378 | struct stat s; | ||
1379 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { | ||
1380 | fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); | ||
1381 | exit(1); | ||
1382 | } | ||
1383 | arg_overlay = 1; | ||
1351 | } | 1384 | } |
1352 | struct stat s; | 1385 | else { |
1353 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { | 1386 | fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n"); |
1354 | fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); | 1387 | exit(1); |
1355 | exit(1); | ||
1356 | } | 1388 | } |
1357 | arg_overlay = 1; | ||
1358 | } | 1389 | } |
1359 | #endif | 1390 | #endif |
1360 | else if (strncmp(argv[i], "--profile=", 10) == 0) { | 1391 | else if (strncmp(argv[i], "--profile=", 10) == 0) { |
@@ -1477,7 +1508,6 @@ int main(int argc, char **argv) { | |||
1477 | fprintf(stderr, "Error: --chroot feature is disabled in Firejail configuration file\n"); | 1508 | fprintf(stderr, "Error: --chroot feature is disabled in Firejail configuration file\n"); |
1478 | exit(1); | 1509 | exit(1); |
1479 | } | 1510 | } |
1480 | |||
1481 | } | 1511 | } |
1482 | #endif | 1512 | #endif |
1483 | else if (strcmp(argv[i], "--writable-etc") == 0) { | 1513 | else if (strcmp(argv[i], "--writable-etc") == 0) { |
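Review bot: In the `--overlay-named=` and `--overlay-path=` branches, the empty-argument checks `if (subdirname == '\0')` and `if (dirname == '\0')` compare the pointer itself with a null constant. Since `argv[i] + 16` and `argv[i] + 15` are never null, the "invalid overlay option" error can never fire. The commit moves these lines under the new `checkcfg(CFG_OVERLAYFS)` gate unchanged, so an empty name or path still reaches `fs_check_overlay_dir()` or `expand_home()`, in a program that raises its privileges elsewhere in this file (see the `--overlay-clean` branch). The checks should dereference the pointer: `if (*subdirname == '\0')` and `if (*dirname == '\0')`. Both branches sit in main()'s option loop, which starts and ends outside the hunks shown.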