diff options
| author |  netblue30 <netblue30@protonmail.com> | 2021-07-29 18:20:35 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@protonmail.com> | 2021-07-29 18:20:35 -0400 |
| commit | a964e3b21e8d69142cc6f3c2275e59961a244a59 (patch) | |
| tree | 8680b66a4f4f19ce9ac9ad2cf0541ca4f50d9983 /src | |
| parent | fix deb package building (diff) | |
| download | firejail-a964e3b21e8d69142cc6f3c2275e59961a244a59.tar.gz firejail-a964e3b21e8d69142cc6f3c2275e59961a244a59.tar.zst firejail-a964e3b21e8d69142cc6f3c2275e59961a244a59.zip | |
removed dependency on strace for --build option; added seccomp by default for --build run
Diffstat (limited to 'src')
| -rw-r--r-- | src/fbuilder/build_home.c | 2 | ||||
| -rw-r--r-- | src/fbuilder/build_profile.c | 51 | ||||
| -rw-r--r-- | src/fbuilder/build_seccomp.c | 2 | ||||
| -rw-r--r-- | src/firecfg/firecfg.config | 1 |
4 files changed, 9 insertions, 47 deletions
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c index f283a0cce..c85474779 100644 --- a/src/fbuilder/build_home.c +++ b/src/fbuilder/build_home.c | |||
| @@ -68,6 +68,8 @@ void process_home(const char *fname, char *home, int home_len) { | |||
| 68 | ptr += 7; | 68 | ptr += 7; |
| 69 | else if (strncmp(ptr, "open /home", 10) == 0) | 69 | else if (strncmp(ptr, "open /home", 10) == 0) |
| 70 | ptr += 5; | 70 | ptr += 5; |
| 71 | else if (strncmp(ptr, "opendir /home", 13) == 0) | ||
| 72 | ptr += 8; | ||
| 71 | else | 73 | else |
| 72 | continue; | 74 | continue; |
| 73 | 75 | ||
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index 5df19f511..06a4d8517 100644 --- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c | |||
| @@ -32,53 +32,25 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
| 32 | } | 32 | } |
| 33 | 33 | ||
| 34 | char trace_output[] = "/tmp/firejail-trace.XXXXXX"; | 34 | char trace_output[] = "/tmp/firejail-trace.XXXXXX"; |
| 35 | char strace_output[] = "/tmp/firejail-strace.XXXXXX"; | ||
| 36 | |||
| 37 | int tfile = mkstemp(trace_output); | 35 | int tfile = mkstemp(trace_output); |
| 38 | int stfile = mkstemp(strace_output); | 36 | if(tfile == -1) |
| 39 | if(tfile == -1 || stfile == -1) | ||
| 40 | errExit("mkstemp"); | 37 | errExit("mkstemp"); |
| 41 | |||
| 42 | // close the files, firejail/strace will overwrite them! | ||
| 43 | close(tfile); | 38 | close(tfile); |
| 44 | close(stfile); | ||
| 45 | |||
| 46 | 39 | ||
| 47 | char *output; | 40 | char *output; |
| 48 | char *stroutput; | ||
| 49 | if(asprintf(&output,"--trace=%s",trace_output) == -1) | 41 | if(asprintf(&output,"--trace=%s",trace_output) == -1) |
| 50 | errExit("asprintf"); | 42 | errExit("asprintf"); |
| 51 | if(asprintf(&stroutput,"-o%s",strace_output) == -1) | ||
| 52 | errExit("asprintf"); | ||
| 53 | 43 | ||
| 54 | char *cmdlist[] = { | 44 | char *cmdlist[] = { |
| 55 | BINDIR "/firejail", | 45 | BINDIR "/firejail", |
| 56 | "--quiet", | 46 | "--quiet", |
| 57 | "--noprofile", | 47 | "--noprofile", |
| 58 | "--caps.drop=all", | 48 | "--caps.drop=all", |
| 59 | "--nonewprivs", | 49 | "--seccomp", |
| 60 | output, | 50 | output, |
| 61 | "--shell=none", | 51 | "--shell=none", |
| 62 | "/usr/bin/strace", // also used as a marker in build_profile() | ||
| 63 | "-c", | ||
| 64 | "-f", | ||
| 65 | stroutput, | ||
| 66 | }; | 52 | }; |
| 67 | 53 | ||
| 68 | // detect strace and check if Yama LSM allows us to use it | ||
| 69 | int have_strace = 0; | ||
| 70 | int have_yama_permission = 1; | ||
| 71 | if (access("/usr/bin/strace", X_OK) == 0) { | ||
| 72 | have_strace = 1; | ||
| 73 | FILE *ps = fopen("/proc/sys/kernel/yama/ptrace_scope", "r"); | ||
| 74 | if (ps) { | ||
| 75 | unsigned val; | ||
| 76 | if (fscanf(ps, "%u", &val) == 1) | ||
| 77 | have_yama_permission = (val < 2); | ||
| 78 | fclose(ps); | ||
| 79 | } | ||
| 80 | } | ||
| 81 | |||
| 82 | // calculate command length | 54 | // calculate command length |
| 83 | unsigned len = (int) sizeof(cmdlist) / sizeof(char*) + argc - index + 1; | 55 | unsigned len = (int) sizeof(cmdlist) / sizeof(char*) + argc - index + 1; |
| 84 | if (arg_debug) | 56 | if (arg_debug) |
| @@ -87,14 +59,9 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
| 87 | cmd[0] = cmdlist[0]; // explicit assignment to clean scan-build error | 59 | cmd[0] = cmdlist[0]; // explicit assignment to clean scan-build error |
| 88 | 60 | ||
| 89 | // build command | 61 | // build command |
| 90 | // skip strace if not installed, or no permission to use it | ||
| 91 | int skip_strace = !(have_strace && have_yama_permission); | ||
| 92 | unsigned i = 0; | 62 | unsigned i = 0; |
| 93 | for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++) { | 63 | for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++) |
| 94 | if (skip_strace && strcmp(cmdlist[i], "/usr/bin/strace") == 0) | ||
| 95 | break; | ||
| 96 | cmd[i] = cmdlist[i]; | 64 | cmd[i] = cmdlist[i]; |
| 97 | } | ||
| 98 | 65 | ||
| 99 | int i2 = index; | 66 | int i2 = index; |
| 100 | for (; i < (len - 1); i++, i2++) | 67 | for (; i < (len - 1); i++, i2++) |
| @@ -180,14 +147,6 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
| 180 | fprintf(fp, "#novideo\t# disable video capture devices\n"); | 147 | fprintf(fp, "#novideo\t# disable video capture devices\n"); |
| 181 | build_protocol(trace_output, fp); | 148 | build_protocol(trace_output, fp); |
| 182 | fprintf(fp, "seccomp\n"); | 149 | fprintf(fp, "seccomp\n"); |
| 183 | if (!have_strace) { | ||
| 184 | fprintf(fp, "### If you install strace on your system, Firejail will also create a\n"); | ||
| 185 | fprintf(fp, "### whitelisted seccomp filter.\n"); | ||
| 186 | } | ||
| 187 | else if (!have_yama_permission) | ||
| 188 | fprintf(fp, "### Yama security module prevents creation of a whitelisted seccomp filter\n"); | ||
| 189 | else | ||
| 190 | build_seccomp(strace_output, fp); | ||
| 191 | fprintf(fp, "shell none\n"); | 150 | fprintf(fp, "shell none\n"); |
| 192 | fprintf(fp, "tracelog\n"); | 151 | fprintf(fp, "tracelog\n"); |
| 193 | fprintf(fp, "\n"); | 152 | fprintf(fp, "\n"); |
| @@ -206,10 +165,8 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
| 206 | fprintf(fp, "\n"); | 165 | fprintf(fp, "\n"); |
| 207 | fprintf(fp, "#memory-deny-write-execute\n"); | 166 | fprintf(fp, "#memory-deny-write-execute\n"); |
| 208 | 167 | ||
| 209 | if (!arg_debug) { | 168 | if (!arg_debug) |
| 210 | unlink(trace_output); | 169 | unlink(trace_output); |
| 211 | unlink(strace_output); | ||
| 212 | } | ||
| 213 | } | 170 | } |
| 214 | else { | 171 | else { |
| 215 | fprintf(stderr, "Error: cannot run the sandbox\n"); | 172 | fprintf(stderr, "Error: cannot run the sandbox\n"); |
diff --git a/src/fbuilder/build_seccomp.c b/src/fbuilder/build_seccomp.c index b3187227e..daf8d63ac 100644 --- a/src/fbuilder/build_seccomp.c +++ b/src/fbuilder/build_seccomp.c | |||
| @@ -20,6 +20,7 @@ | |||
| 20 | 20 | ||
| 21 | #include "fbuilder.h" | 21 | #include "fbuilder.h" |
| 22 | 22 | ||
| 23 | #if 0 | ||
| 23 | void build_seccomp(const char *fname, FILE *fp) { | 24 | void build_seccomp(const char *fname, FILE *fp) { |
| 24 | assert(fname); | 25 | assert(fname); |
| 25 | assert(fp); | 26 | assert(fp); |
| @@ -78,6 +79,7 @@ void build_seccomp(const char *fname, FILE *fp) { | |||
| 78 | 79 | ||
| 79 | fclose(fp2); | 80 | fclose(fp2); |
| 80 | } | 81 | } |
| 82 | #endif | ||
| 81 | 83 | ||
| 82 | //*************************************** | 84 | //*************************************** |
| 83 | // protocol | 85 | // protocol |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 046cb209a..3d05a86ef 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
| @@ -94,6 +94,7 @@ bleachbit | |||
| 94 | blender | 94 | blender |
| 95 | blender-2.8 | 95 | blender-2.8 |
| 96 | bless | 96 | bless |
| 97 | blobby | ||
| 97 | blobwars | 98 | blobwars |
| 98 | bluefish | 99 | bluefish |
| 99 | bnox | 100 | bnox |