author | netblue30 <netblue30@yahoo.com> | 2016-06-09 08:42:59 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-06-09 08:42:59 -0400 |
commit | d073a425b3e3ed3829a0e042e8c41963f0f40f0e (patch) | |
tree | 3241c3053a4d3ccba63c633015fddb6e21c9cf74 /src | |
parent | fixes (diff) | |
whitelist support in /etc/firejail/firejail.config
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/Makefile.in | 3 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 11 | ||||
-rw-r--r-- | src/firejail/firejail.h | 3 | ||||
-rw-r--r-- | src/firejail/main.c | 25 | ||||
-rw-r--r-- | src/firejail/profile.c | 12 | ||||
-rw-r--r-- | src/firejail/usage.c | 6 | ||||
-rw-r--r-- | src/man/firejail-config.txt | 19 |
7 files changed, 58 insertions, 21 deletions
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index 3ad4ba75e..a8af1a4e0 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in | |||
@@ -16,13 +16,14 @@ HAVE_NETWORK=@HAVE_NETWORK@ | |||
16 | HAVE_USERNS=@HAVE_USERNS@ | 16 | HAVE_USERNS=@HAVE_USERNS@ |
17 | HAVE_X11=@HAVE_X11@ | 17 | HAVE_X11=@HAVE_X11@ |
18 | HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ | 18 | HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ |
19 | HAVE_WHITELIST=@HAVE_WHITELIST@ | ||
19 | 20 | ||
20 | 21 | ||
21 | H_FILE_LIST = $(sort $(wildcard *.[h])) | 22 | H_FILE_LIST = $(sort $(wildcard *.[h])) |
22 | C_FILE_LIST = $(sort $(wildcard *.c)) | 23 | C_FILE_LIST = $(sort $(wildcard *.c)) |
23 | OBJS = $(C_FILE_LIST:.c=.o) | 24 | OBJS = $(C_FILE_LIST:.c=.o) |
24 | BINOBJS = $(foreach file, $(OBJS), $file) | 25 | BINOBJS = $(foreach file, $(OBJS), $file) |
25 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security | 26 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security |
26 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread | 27 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread |
27 | 28 | ||
28 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h | 29 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h |
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 3ea8caf5b..bf85436c3 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -38,7 +38,7 @@ int checkcfg(int val) { | |||
38 | cfg_val[i] = 1; // most of them are enabled by default | 38 | cfg_val[i] = 1; // most of them are enabled by default |
39 | 39 | ||
40 | cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default | 40 | cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default |
41 | cfg_val[CFG_FORCE_NONEWPRIVS ] = 0; // disabled by default | 41 | cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default |
42 | 42 | ||
43 | // open configuration file | 43 | // open configuration file |
44 | char *fname; | 44 | char *fname; |
@@ -126,6 +126,15 @@ int checkcfg(int val) { | |||
126 | else | 126 | else |
127 | goto errout; | 127 | goto errout; |
128 | } | 128 | } |
129 | // whitelist | ||
130 | else if (strncmp(ptr, "whitelist ", 10) == 0) { | ||
131 | if (strcmp(ptr + 10, "yes") == 0) | ||
132 | cfg_val[CFG_WHITELIST] = 1; | ||
133 | else if (strcmp(ptr + 10, "no") == 0) | ||
134 | cfg_val[CFG_WHITELIST] = 0; | ||
135 | else | ||
136 | goto errout; | ||
137 | } | ||
129 | // network | 138 | // network |
130 | else if (strncmp(ptr, "network ", 8) == 0) { | 139 | else if (strncmp(ptr, "network ", 8) == 0) { |
131 | if (strcmp(ptr + 8, "yes") == 0) | 140 | if (strcmp(ptr + 8, "yes") == 0) |
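Review bot: The new `whitelist` branch at lines 130-137 hand-copies the yes/no parsing that every other option in this function already spells out, so each option carries its own strcmp pair, its own `goto errout`, and its own hard-coded offset (10 here) to keep in step with the key length in the strncmp above it. A small helper would reduce each option to one line and keep the accepted spellings in one place: `static int parse_yes_no(const char *v) { return strcmp(v, "yes") == 0 ? 1 : strcmp(v, "no") == 0 ? 0 : -1; }` used as `if ((cfg_val[CFG_WHITELIST] = parse_yes_no(ptr + 10)) < 0) goto errout;`. checkcfg() begins before this hunk, so whether the parsed table is cached across calls — profile_check_line() now calls it once per `whitelist` line — cannot be confirmed from what is visible.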
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 2d5e05f79..026273aa3 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -568,7 +568,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh); | |||
568 | #define CFG_NETWORK 6 | 568 | #define CFG_NETWORK 6 |
569 | #define CFG_RESTRICTED_NETWORK 7 | 569 | #define CFG_RESTRICTED_NETWORK 7 |
570 | #define CFG_FORCE_NONEWPRIVS 8 | 570 | #define CFG_FORCE_NONEWPRIVS 8 |
571 | #define CFG_MAX 9 // this should always be the last entry | 571 | #define CFG_WHITELIST 9 |
572 | #define CFG_MAX 10 // this should always be the last entry | ||
572 | int checkcfg(int val); | 573 | int checkcfg(int val); |
573 | 574 | ||
574 | // fs_rdwr.c | 575 | // fs_rdwr.c |
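Review bot: The CFG_* constants at lines 568-572 are hand-numbered `#define`s, which is why adding CFG_WHITELIST at 9 forced CFG_MAX to be renumbered by hand to 10; an `enum { ..., CFG_FORCE_NONEWPRIVS, CFG_WHITELIST, CFG_MAX }` makes CFG_MAX the last entry by construction, so the comment "this should always be the last entry" becomes a property of the type instead of a convention the next contributor has to remember. These values index cfg_val in checkcfg.c; if that array is sized by CFG_MAX (its declaration is not in this diff), the enum form also removes the chance of a write past the array when a value is added without bumping CFG_MAX.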
diff --git a/src/firejail/main.c b/src/firejail/main.c index 1c2f021bb..1621d810f 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -277,6 +277,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
277 | #ifndef HAVE_FILE_TRANSFER | 277 | #ifndef HAVE_FILE_TRANSFER |
278 | printf("File transfer support is disabled.\n"); | 278 | printf("File transfer support is disabled.\n"); |
279 | #endif | 279 | #endif |
280 | #ifndef HAVE_WHITELIST | ||
281 | printf("whitelisting support is disabled.\n"); | ||
282 | #endif | ||
280 | exit(0); | 283 | exit(0); |
281 | } | 284 | } |
282 | #ifdef HAVE_X11 | 285 | #ifdef HAVE_X11 |
@@ -1114,14 +1117,24 @@ int main(int argc, char **argv) { | |||
1114 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1117 | profile_check_line(line, 0, NULL); // will exit if something wrong |
1115 | profile_add(line); | 1118 | profile_add(line); |
1116 | } | 1119 | } |
1120 | |||
1121 | #ifdef HAVE_WHITELIST | ||
1117 | else if (strncmp(argv[i], "--whitelist=", 12) == 0) { | 1122 | else if (strncmp(argv[i], "--whitelist=", 12) == 0) { |
1118 | char *line; | 1123 | if (checkcfg(CFG_WHITELIST)) { |
1119 | if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1) | 1124 | char *line; |
1120 | errExit("asprintf"); | 1125 | if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1) |
1121 | 1126 | errExit("asprintf"); | |
1122 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1127 | |
1123 | profile_add(line); | 1128 | profile_check_line(line, 0, NULL); // will exit if something wrong |
1129 | profile_add(line); | ||
1130 | } | ||
1131 | else { | ||
1132 | fprintf(stderr, "Error: whitelist feature is disabled in Firejail configuration file\n"); | ||
1133 | exit(1); | ||
1134 | } | ||
1124 | } | 1135 | } |
1136 | #endif | ||
1137 | |||
1125 | else if (strncmp(argv[i], "--read-only=", 12) == 0) { | 1138 | else if (strncmp(argv[i], "--read-only=", 12) == 0) { |
1126 | char *line; | 1139 | char *line; |
1127 | if (asprintf(&line, "read-only %s", argv[i] + 12) == -1) | 1140 | if (asprintf(&line, "read-only %s", argv[i] + 12) == -1) |
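Review bot: In a build without HAVE_WHITELIST the `--whitelist=` branch at lines 1121-1136 is compiled out entirely, so the option falls through to whatever the end of this option chain does with an unrecognised argument (outside the hunk, presumably a generic "invalid option" error), which is less helpful than the specific message the runtime-disabled path prints at line 1132. An `#else` arm of the same shape would tell the user why the option is unavailable rather than that it does not exist. Minor: the feature listing at line 281 prints "whitelisting support is disabled." while the neighbouring line 278 capitalises "File transfer support is disabled.", so the casing of the new line is inconsistent with its siblings.
```c
#ifdef HAVE_WHITELIST
/* … unchanged: --whitelist= handling guarded by checkcfg(CFG_WHITELIST) … */
#else
	else if (strncmp(argv[i], "--whitelist=", 12) == 0) {
		fprintf(stderr, "Error: whitelist support is not compiled in this Firejail build\n");
		exit(1);
	}
#endif
```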
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 192f36974..a64f28c9a 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -726,8 +726,16 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
726 | else if (strncmp(ptr, "noblacklist ", 12) == 0) | 726 | else if (strncmp(ptr, "noblacklist ", 12) == 0) |
727 | ptr += 12; | 727 | ptr += 12; |
728 | else if (strncmp(ptr, "whitelist ", 10) == 0) { | 728 | else if (strncmp(ptr, "whitelist ", 10) == 0) { |
729 | arg_whitelist = 1; | 729 | #ifdef HAVE_WHITELIST |
730 | ptr += 10; | 730 | if (checkcfg(CFG_WHITELIST)) { |
731 | arg_whitelist = 1; | ||
732 | ptr += 10; | ||
733 | } | ||
734 | else | ||
735 | return 0; | ||
736 | #else | ||
737 | return 0; | ||
738 | #endif | ||
731 | } | 739 | } |
732 | else if (strncmp(ptr, "read-only ", 10) == 0) | 740 | else if (strncmp(ptr, "read-only ", 10) == 0) |
733 | ptr += 10; | 741 | ptr += 10; |
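Review bot: When whitelisting is disabled — by the config file (line 735) or at build time (line 737) — a `whitelist` line in a profile is silently accepted and dropped: arg_whitelist is never set, the user gets no message, and the restriction the profile author wrote is simply lost, which loosens the sandbox rather than tightening it. The command-line path for the same situation in main.c prints an error and exits, so the two entry points now disagree on how to treat a directive the build or config cannot honour. At minimum the profile path should warn before it gives up, e.g. `fprintf(stderr, "Warning: whitelist feature is disabled, ignoring profile line \"%s\"\n", ptr);` ahead of each `return 0`, or it should mirror main.c and exit. profile_check_line() starts and ends outside this hunk, so the meaning of `return 0` to its caller (presumably "line consumed, nothing to add") is inferred rather than seen.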
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index d2f7d9460..af1a30ac3 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -72,8 +72,9 @@ void usage(void) { | |||
72 | printf("\tsoftware build.\n\n"); | 72 | printf("\tsoftware build.\n\n"); |
73 | printf(" --debug-syscalls - print all recognized system calls in the current Firejail\n"); | 73 | printf(" --debug-syscalls - print all recognized system calls in the current Firejail\n"); |
74 | printf("\tsoftware build.\n\n"); | 74 | printf("\tsoftware build.\n\n"); |
75 | #ifdef HAVE_WHITELIST | ||
75 | printf(" --debug-whitelists - debug whitelisting.\n\n"); | 76 | printf(" --debug-whitelists - debug whitelisting.\n\n"); |
76 | 77 | #endif | |
77 | 78 | ||
78 | 79 | ||
79 | #ifdef HAVE_NETWORK | 80 | #ifdef HAVE_NETWORK |
@@ -250,8 +251,9 @@ void usage(void) { | |||
250 | printf(" --tree - print a tree of all sandboxed processes.\n\n"); | 251 | printf(" --tree - print a tree of all sandboxed processes.\n\n"); |
251 | printf(" --user=new_user - switch the user before starting the sandbox.\n\n"); | 252 | printf(" --user=new_user - switch the user before starting the sandbox.\n\n"); |
252 | printf(" --version - print program version and exit.\n\n"); | 253 | printf(" --version - print program version and exit.\n\n"); |
254 | #ifdef HAVE_WHITELIST | ||
253 | printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n"); | 255 | printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n"); |
254 | 256 | #endif | |
255 | printf(" --writable-etc - /etc directory is mounted read-write.\n\n"); | 257 | printf(" --writable-etc - /etc directory is mounted read-write.\n\n"); |
256 | printf(" --writable-var - /var directory is mounted read-write.\n\n"); | 258 | printf(" --writable-var - /var directory is mounted read-write.\n\n"); |
257 | 259 | ||
diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt index 026765f1a..6a66c7f75 100644 --- a/src/man/firejail-config.txt +++ b/src/man/firejail-config.txt | |||
@@ -26,6 +26,13 @@ Enable or disable chroot support, default enabled. | |||
26 | Enable or disable file transfer support, default enabled. | 26 | Enable or disable file transfer support, default enabled. |
27 | 27 | ||
28 | .TP | 28 | .TP |
29 | \fBforce-nonewprivs | ||
30 | Force use of nonewprivs. This mitigates the possibility of | ||
31 | a user abusing firejail's features to trick a privileged (suid | ||
32 | or file capabilities) process into loading code or configuration | ||
33 | that is partially under their control. Default disabled. | ||
34 | |||
35 | .TP | ||
29 | \fBnetwork | 36 | \fBnetwork |
30 | Enable or disable networking features, default enabled. | 37 | Enable or disable networking features, default enabled. |
31 | 38 | ||
@@ -45,16 +52,12 @@ Enable or disable seccomp support, default enabled. | |||
45 | Enable or disable user namespace support, default enabled. | 52 | Enable or disable user namespace support, default enabled. |
46 | 53 | ||
47 | .TP | 54 | .TP |
48 | \fBx11 | 55 | \fBwhitelist |
49 | Enable or disable X11 sandboxing support, default enabled. | 56 | Enable or disable whitelisting support, default enabled. |
50 | 57 | ||
51 | .TP | 58 | .TP |
52 | \fBforce-nonewprivs | 59 | \fBx11 |
53 | Force use of nonewprivs. This mitigates the possibility of | 60 | Enable or disable X11 sandboxing support, default enabled. |
54 | a user abusing firejail's features to trick a privileged (suid | ||
55 | or file capabilities) process into loading code or configuration | ||
56 | that is partially under their control. Default disabled. | ||
57 | |||
58 | 61 | ||
59 | .TP | 62 | .TP |
60 | \fBxephyr-screen | 63 | \fBxephyr-screen |