diff options
author | netblue30 <netblue30@yahoo.com> | 2018-05-12 08:37:44 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-05-12 08:37:44 -0500 |
commit | e596d5f9f297d88d8fb7ad18beefeb201b3013b1 (patch) | |
tree | 94a040300a901a3194086f3f736e194f79300e22 /src | |
parent | update README.md (diff) | |
parent | Allow AMD GPU usage by Blender (diff) | |
download | firejail-e596d5f9f297d88d8fb7ad18beefeb201b3013b1.tar.gz firejail-e596d5f9f297d88d8fb7ad18beefeb201b3013b1.tar.zst firejail-e596d5f9f297d88d8fb7ad18beefeb201b3013b1.zip |
Merge pull request #1932 from RDProjekt/modules
Fixes to make Blender with AMD GPU work under firejail (#1931)
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/fs.c | 4 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 46 |
3 files changed, 50 insertions, 2 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index ec227340b..d873a36f5 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -85,6 +85,7 @@ | |||
85 | #define RUN_WHITELIST_SRV_DIR "/run/firejail/mnt/orig-srv" | 85 | #define RUN_WHITELIST_SRV_DIR "/run/firejail/mnt/orig-srv" |
86 | #define RUN_WHITELIST_ETC_DIR "/run/firejail/mnt/orig-etc" | 86 | #define RUN_WHITELIST_ETC_DIR "/run/firejail/mnt/orig-etc" |
87 | #define RUN_WHITELIST_SHARE_DIR "/run/firejail/mnt/orig-share" | 87 | #define RUN_WHITELIST_SHARE_DIR "/run/firejail/mnt/orig-share" |
88 | #define RUN_WHITELIST_MODULE_DIR "/run/firejail/mnt/orig-module" | ||
88 | 89 | ||
89 | #define RUN_XAUTHORITY_FILE "/run/firejail/mnt/.Xauthority" | 90 | #define RUN_XAUTHORITY_FILE "/run/firejail/mnt/.Xauthority" |
90 | #define RUN_XAUTHORITY_SEC_FILE "/run/firejail/mnt/sec.Xauthority" | 91 | #define RUN_XAUTHORITY_SEC_FILE "/run/firejail/mnt/sec.Xauthority" |
@@ -204,6 +205,7 @@ typedef struct profile_entry_t { | |||
204 | unsigned srv_dir:1; // whitelist in /srv directory | 205 | unsigned srv_dir:1; // whitelist in /srv directory |
205 | unsigned etc_dir:1; // whitelist in /etc directory | 206 | unsigned etc_dir:1; // whitelist in /etc directory |
206 | unsigned share_dir:1; // whitelist in /usr/share directory | 207 | unsigned share_dir:1; // whitelist in /usr/share directory |
208 | unsigned module_dir:1; // whitelist in /sys/module directory | ||
207 | }ProfileEntry; | 209 | }ProfileEntry; |
208 | 210 | ||
209 | typedef struct config_t { | 211 | typedef struct config_t { |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index f3ed67928..0562c7424 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -580,12 +580,12 @@ void fs_proc_sys_dev_boot(void) { | |||
580 | 580 | ||
581 | disable_file(BLACKLIST_FILE, "/sys/firmware"); | 581 | disable_file(BLACKLIST_FILE, "/sys/firmware"); |
582 | disable_file(BLACKLIST_FILE, "/sys/hypervisor"); | 582 | disable_file(BLACKLIST_FILE, "/sys/hypervisor"); |
583 | { // allow user access to /sys/fs if "--noblacklist=/sys/fs" is present on the command line | 583 | { // allow user access to some directories in /sys/ by specifying 'noblacklist' option |
584 | EUID_USER(); | 584 | EUID_USER(); |
585 | profile_add("blacklist /sys/fs"); | 585 | profile_add("blacklist /sys/fs"); |
586 | profile_add("blacklist /sys/module"); | ||
586 | EUID_ROOT(); | 587 | EUID_ROOT(); |
587 | } | 588 | } |
588 | disable_file(BLACKLIST_FILE, "/sys/module"); | ||
589 | disable_file(BLACKLIST_FILE, "/sys/power"); | 589 | disable_file(BLACKLIST_FILE, "/sys/power"); |
590 | disable_file(BLACKLIST_FILE, "/sys/kernel/debug"); | 590 | disable_file(BLACKLIST_FILE, "/sys/kernel/debug"); |
591 | disable_file(BLACKLIST_FILE, "/sys/kernel/vmcoreinfo"); | 591 | disable_file(BLACKLIST_FILE, "/sys/kernel/vmcoreinfo"); |
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index b1b30cd5e..9ef80e5c3 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -283,6 +283,14 @@ static void whitelist_path(ProfileEntry *entry) { | |||
283 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SHARE_DIR, fname) == -1) | 283 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SHARE_DIR, fname) == -1) |
284 | errExit("asprintf"); | 284 | errExit("asprintf"); |
285 | } | 285 | } |
286 | else if (entry->module_dir) { | ||
287 | fname = path + 12; // strlen("/sys/module/") | ||
288 | if (*fname == '\0') | ||
289 | goto errexit; | ||
290 | |||
291 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MODULE_DIR, fname) == -1) | ||
292 | errExit("asprintf"); | ||
293 | } | ||
286 | 294 | ||
287 | // check if the file exists | 295 | // check if the file exists |
288 | assert(wfile); | 296 | assert(wfile); |
@@ -365,6 +373,7 @@ void fs_whitelist(void) { | |||
365 | int srv_dir = 0; // /srv directory flag | 373 | int srv_dir = 0; // /srv directory flag |
366 | int etc_dir = 0; // /etc directory flag | 374 | int etc_dir = 0; // /etc directory flag |
367 | int share_dir = 0; // /usr/share directory flag | 375 | int share_dir = 0; // /usr/share directory flag |
376 | int module_dir = 0; // /sys/module directory flag | ||
368 | 377 | ||
369 | size_t nowhitelist_c = 0; | 378 | size_t nowhitelist_c = 0; |
370 | size_t nowhitelist_m = 32; | 379 | size_t nowhitelist_m = 32; |
@@ -471,6 +480,8 @@ void fs_whitelist(void) { | |||
471 | etc_dir = 1; | 480 | etc_dir = 1; |
472 | else if (strncmp(new_name, "/usr/share/", 11) == 0) | 481 | else if (strncmp(new_name, "/usr/share/", 11) == 0) |
473 | share_dir = 1; | 482 | share_dir = 1; |
483 | else if (strncmp(new_name, "/sys/module/", 12) == 0) | ||
484 | module_dir = 1; | ||
474 | } | 485 | } |
475 | 486 | ||
476 | entry->data = EMPTY_STRING; | 487 | entry->data = EMPTY_STRING; |
@@ -618,6 +629,13 @@ void fs_whitelist(void) { | |||
618 | if (strncmp(fname, "/usr/share/", 11) != 0) | 629 | if (strncmp(fname, "/usr/share/", 11) != 0) |
619 | goto errexit; | 630 | goto errexit; |
620 | } | 631 | } |
632 | else if (strncmp(new_name, "/sys/module/", 12) == 0) { | ||
633 | entry->module_dir = 1; | ||
634 | module_dir = 1; | ||
635 | // both path and absolute path are under /sys/module | ||
636 | if (strncmp(fname, "/sys/module/", 12) != 0) | ||
637 | goto errexit; | ||
638 | } | ||
621 | else { | 639 | else { |
622 | goto errexit; | 640 | goto errexit; |
623 | } | 641 | } |
@@ -846,6 +864,27 @@ void fs_whitelist(void) { | |||
846 | share_dir = 0; | 864 | share_dir = 0; |
847 | } | 865 | } |
848 | 866 | ||
867 | // /sys/module mountpoint | ||
868 | if (module_dir) { | ||
869 | // check if /sys/module directory exists | ||
870 | struct stat s; | ||
871 | if (stat("/sys/module", &s) == 0) { | ||
872 | // keep a copy of real /sys/module directory in RUN_WHITELIST_MODULE_DIR | ||
873 | mkdir_attr(RUN_WHITELIST_MODULE_DIR, 0755, 0, 0); | ||
874 | if (mount("/sys/module", RUN_WHITELIST_MODULE_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
875 | errExit("mount bind"); | ||
876 | |||
877 | // mount tmpfs on /sys/module | ||
878 | if (arg_debug || arg_debug_whitelists) | ||
879 | printf("Mounting tmpfs on /sys/module directory\n"); | ||
880 | if (mount("tmpfs", "/sys/module", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | ||
881 | errExit("mounting tmpfs on /sys/module"); | ||
882 | fs_logger("tmpfs /sys/module"); | ||
883 | } | ||
884 | else | ||
885 | module_dir = 0; | ||
886 | } | ||
887 | |||
849 | 888 | ||
850 | // go through profile rules again, and interpret whitelist commands | 889 | // go through profile rules again, and interpret whitelist commands |
851 | entry = cfg.profile; | 890 | entry = cfg.profile; |
@@ -967,6 +1006,13 @@ void fs_whitelist(void) { | |||
967 | fs_logger2("tmpfs", RUN_WHITELIST_SHARE_DIR); | 1006 | fs_logger2("tmpfs", RUN_WHITELIST_SHARE_DIR); |
968 | } | 1007 | } |
969 | 1008 | ||
1009 | // mask the real /sys/module directory, currently mounted on RUN_WHITELIST_MODULE_DIR | ||
1010 | if (module_dir) { | ||
1011 | if (mount("tmpfs", RUN_WHITELIST_MODULE_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | ||
1012 | errExit("mount tmpfs"); | ||
1013 | fs_logger2("tmpfs", RUN_WHITELIST_MODULE_DIR); | ||
1014 | } | ||
1015 | |||
970 | if (new_name) | 1016 | if (new_name) |
971 | free(new_name); | 1017 | free(new_name); |
972 | 1018 | ||