authorLibravatar netblue30 <netblue30@yahoo.com>2016-03-13 10:49:44 -0400
committerLibravatar netblue30 <netblue30@yahoo.com>2016-03-13 10:49:44 -0400
commit33e2ed2d854373567f0eb49d017e511376100a0b (patch)
tree77db568e6ff634d67d6aef2dedcac74be8e123f6 /src
parentcfg userns (diff)
cfg chroot, seccomp
Diffstat (limited to 'src')
-rw-r--r--src/firejail/checkcfg.c20
-rw-r--r--src/firejail/firejail.h4
-rw-r--r--src/firejail/main.c236
-rw-r--r--src/firejail/profile.c57
4 files changed, 213 insertions, 104 deletions
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 670fdc502..8376cd9af 100644
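--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -86,7 +86,7 @@ int checkcfg(int val) {
 else
 goto errout;
 }
-// bind
+// user namespace
 else if (strncmp(ptr, "userns ", 7) == 0) {
 if (strcmp(ptr + 7, "yes") == 0)
 cfg_val[CFG_USERNS] = 1;
@@ -95,6 +95,24 @@ int checkcfg(int val) {
 else
 goto errout;
 }
+// chroot
+else if (strncmp(ptr, "chroot ", 7) == 0) {
+if (strcmp(ptr + 7, "yes") == 0)
+cfg_val[CFG_CHROOT] = 1;
+else if (strcmp(ptr + 7, "no") == 0)
+cfg_val[CFG_CHROOT] = 0;
+else
+goto errout;
+}
+// seccomp
+else if (strncmp(ptr, "seccomp ", 8) == 0) {
+if (strcmp(ptr + 8, "yes") == 0)
+cfg_val[CFG_SECCOMP] = 1;
+else if (strcmp(ptr + 8, "no") == 0)
+cfg_val[CFG_SECCOMP] = 0;
+else
+goto errout;
+}
 else
 goto errout;
 free(ptr);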
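Review bot: The new `chroot` and `seccomp` branches write `cfg_val[CFG_CHROOT]` and `cfg_val[CFG_SECCOMP]` only when the key appears in the configuration file, and the initial value of those slots is set outside this hunk, so the behaviour for a file that omits them cannot be confirmed here. Please check that the initializer covers the two new indices now that `CFG_MAX` is 6, and record the default beside the parser with a comment such as `// seccomp: <default> when the key is absent`. If seccomp were to default to 0, every profile `seccomp` line would be reduced to a warning by the profile.c part of this commit. checkcfg() begins and ends outside the hunks shown.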
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index ed9343345..2b2912b3e 100644
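--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -542,7 +542,9 @@ void sandboxfs(int op, pid_t pid, const char *patqh);
 #define CFG_X11 1
 #define CFG_BIND 2
 #define CFG_USERNS 3
-#define CFG_MAX 4 // this should always be the last entry
+#define CFG_CHROOT 4
+#define CFG_SECCOMP 5
+#define CFG_MAX 6 // this should always be the last entry
 int checkcfg(int val);
 
 #endif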
diff --git a/src/firejail/main.c b/src/firejail/main.c
index df625a7ba..8f89a804f 100644
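--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -356,20 +356,38 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 //*************************************
 #ifdef HAVE_SECCOMP
 else if (strcmp(argv[i], "--debug-syscalls") == 0) {
-syscall_print();
-exit(0);
+if (checkcfg(CFG_SECCOMP)) {
+syscall_print();
+exit(0);
+}
+else {
+fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
+exit(1);
+}
 }
 else if (strcmp(argv[i], "--debug-errnos") == 0) {
-errno_print();
+if (checkcfg(CFG_SECCOMP)) {
+errno_print();
+}
+else {
+fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
+exit(1);
+}
 exit(0);
 }
 else if (strncmp(argv[i], "--seccomp.print=", 16) == 0) {
-// print seccomp filter for a sandbox specified by pid or by name
-pid_t pid;
-if (read_pid(argv[i] + 16, &pid) == 0)
-seccomp_print_filter(pid);
-else
-seccomp_print_filter_name(argv[i] + 16);
+if (checkcfg(CFG_SECCOMP)) {
+// print seccomp filter for a sandbox specified by pid or by name
+pid_t pid;
+if (read_pid(argv[i] + 16, &pid) == 0)
+seccomp_print_filter(pid);
+else
+seccomp_print_filter_name(argv[i] + 16);
+}
+else {
+fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
+exit(1);
+}
 exit(0);
 }
 else if (strcmp(argv[i], "--debug-protocols") == 0) {
@@ -377,12 +395,18 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 exit(0);
 }
 else if (strncmp(argv[i], "--protocol.print=", 17) == 0) {
-// print seccomp filter for a sandbox specified by pid or by name
-pid_t pid;
-if (read_pid(argv[i] + 17, &pid) == 0)
-protocol_print_filter(pid);
-else
-protocol_print_filter_name(argv[i] + 17);
+if (checkcfg(CFG_SECCOMP)) {
+// print seccomp filter for a sandbox specified by pid or by name
+pid_t pid;
+if (read_pid(argv[i] + 17, &pid) == 0)
+protocol_print_filter(pid);
+else
+protocol_print_filter_name(argv[i] + 17);
+}
+else {
+fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
+exit(1);
+}
 exit(0);
 }
 #endif
@@ -733,72 +757,109 @@ int main(int argc, char **argv) {
 // filtering
 //*************************************
 #ifdef HAVE_SECCOMP
-else if (strncmp(argv[i], "--protocol=", 11) == 0)
-protocol_store(argv[i] + 11);
+else if (strncmp(argv[i], "--protocol=", 11) == 0) {
+if (checkcfg(CFG_SECCOMP)) {
+protocol_store(argv[i] + 11);
+}
+else {
+fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
+exit(1);
+}
+}
 else if (strcmp(argv[i], "--seccomp") == 0) {
-if (arg_seccomp) {
-fprintf(stderr, "Error: seccomp already enabled\n");
+if (checkcfg(CFG_SECCOMP)) {
+if (arg_seccomp) {
+fprintf(stderr, "Error: seccomp already enabled\n");
+exit(1);
+}
+arg_seccomp = 1;
+}
+else {
+fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
 exit(1);
 }
-arg_seccomp = 1;
 }
 else if (strncmp(argv[i], "--seccomp=", 10) == 0) {
-if (arg_seccomp) {
-fprintf(stderr, "Error: seccomp already enabled\n");
+if (checkcfg(CFG_SECCOMP)) {
+if (arg_seccomp) {
+fprintf(stderr, "Error: seccomp already enabled\n");
+exit(1);
+}
+arg_seccomp = 1;
+cfg.seccomp_list = strdup(argv[i] + 10);
+if (!cfg.seccomp_list)
+errExit("strdup");
+}
+else {
+fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
 exit(1);
 }
-arg_seccomp = 1;
-cfg.seccomp_list = strdup(argv[i] + 10);
-if (!cfg.seccomp_list)
-errExit("strdup");
 }
 else if (strncmp(argv[i], "--seccomp.drop=", 15) == 0) {
-if (arg_seccomp) {
-fprintf(stderr, "Error: seccomp already enabled\n");
+if (checkcfg(CFG_SECCOMP)) {
+if (arg_seccomp) {
+fprintf(stderr, "Error: seccomp already enabled\n");
+exit(1);
+}
+arg_seccomp = 1;
+cfg.seccomp_list_drop = strdup(argv[i] + 15);
+if (!cfg.seccomp_list_drop)
+errExit("strdup");
+}
+else {
+fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
 exit(1);
 }
-arg_seccomp = 1;
-cfg.seccomp_list_drop = strdup(argv[i] + 15);
-if (!cfg.seccomp_list_drop)
-errExit("strdup");
 }
 else if (strncmp(argv[i], "--seccomp.keep=", 15) == 0) {
-if (arg_seccomp) {
-fprintf(stderr, "Error: seccomp already enabled\n");
+if (checkcfg(CFG_SECCOMP)) {
+if (arg_seccomp) {
+fprintf(stderr, "Error: seccomp already enabled\n");
+exit(1);
+}
+arg_seccomp = 1;
+cfg.seccomp_list_keep = strdup(argv[i] + 15);
+if (!cfg.seccomp_list_keep)
+errExit("strdup");
+}
+else {
+fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
 exit(1);
 }
-arg_seccomp = 1;
-cfg.seccomp_list_keep = strdup(argv[i] + 15);
-if (!cfg.seccomp_list_keep)
-errExit("strdup");
 }
 else if (strncmp(argv[i], "--seccomp.e", 11) == 0 && strchr(argv[i], '=')) {
-if (arg_seccomp && !cfg.seccomp_list_errno) {
-fprintf(stderr, "Error: seccomp already enabled\n");
-exit(1);
-}
-char *eq = strchr(argv[i], '=');
-char *errnoname = strndup(argv[i] + 10, eq - (argv[i] + 10));
-int nr = errno_find_name(errnoname);
-if (nr == -1) {
-fprintf(stderr, "Error: unknown errno %s\n", errnoname);
+if (checkcfg(CFG_SECCOMP)) {
+if (arg_seccomp && !cfg.seccomp_list_errno) {
+fprintf(stderr, "Error: seccomp already enabled\n");
+exit(1);
+}
+char *eq = strchr(argv[i], '=');
+char *errnoname = strndup(argv[i] + 10, eq - (argv[i] + 10));
+int nr = errno_find_name(errnoname);
+if (nr == -1) {
+fprintf(stderr, "Error: unknown errno %s\n", errnoname);
+free(errnoname);
+exit(1);
+}
+
+if (!cfg.seccomp_list_errno)
+cfg.seccomp_list_errno = calloc(highest_errno+1, sizeof(cfg.seccomp_list_errno[0]));
+
+if (cfg.seccomp_list_errno[nr]) {
+fprintf(stderr, "Error: errno %s already configured\n", errnoname);
+free(errnoname);
+exit(1);
+}
+arg_seccomp = 1;
+cfg.seccomp_list_errno[nr] = strdup(eq+1);
+if (!cfg.seccomp_list_errno[nr])
+errExit("strdup");
 free(errnoname);
-exit(1);
 }
-
-if (!cfg.seccomp_list_errno)
-cfg.seccomp_list_errno = calloc(highest_errno+1, sizeof(cfg.seccomp_list_errno[0]));
-
-if (cfg.seccomp_list_errno[nr]) {
-fprintf(stderr, "Error: errno %s already configured\n", errnoname);
-free(errnoname);
+else {
+fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
 exit(1);
 }
-arg_seccomp = 1;
-cfg.seccomp_list_errno[nr] = strdup(eq+1);
-if (!cfg.seccomp_list_errno[nr])
-errExit("strdup");
-free(errnoname);
 }
 #endif
 else if (strcmp(argv[i], "--caps") == 0)
@@ -1061,33 +1122,40 @@ int main(int argc, char **argv) {
 }
 #ifdef HAVE_CHROOT
 else if (strncmp(argv[i], "--chroot=", 9) == 0) {
-if (arg_overlay) {
-fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
-exit(1);
-}
-invalid_filename(argv[i] + 9);
-
-// extract chroot dirname
-cfg.chrootdir = argv[i] + 9;
-// if the directory starts with ~, expand the home directory
-if (*cfg.chrootdir == '~') {
-char *tmp;
-if (asprintf(&tmp, "%s%s", cfg.homedir, cfg.chrootdir + 1) == -1)
-errExit("asprintf");
-cfg.chrootdir = tmp;
-}
-
-// check chroot dirname exists
-if (strstr(cfg.chrootdir, "..") || !is_dir(cfg.chrootdir) || is_link(cfg.chrootdir)) {
-fprintf(stderr, "Error: invalid directory %s\n", cfg.chrootdir);
-return 1;
+if (checkcfg(CFG_CHROOT)) {
+if (arg_overlay) {
+fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
+exit(1);
+}
+invalid_filename(argv[i] + 9);
+
+// extract chroot dirname
+cfg.chrootdir = argv[i] + 9;
+// if the directory starts with ~, expand the home directory
+if (*cfg.chrootdir == '~') {
+char *tmp;
+if (asprintf(&tmp, "%s%s", cfg.homedir, cfg.chrootdir + 1) == -1)
+errExit("asprintf");
+cfg.chrootdir = tmp;
+}
+
+// check chroot dirname exists
+if (strstr(cfg.chrootdir, "..") || !is_dir(cfg.chrootdir) || is_link(cfg.chrootdir)) {
+fprintf(stderr, "Error: invalid directory %s\n", cfg.chrootdir);
+return 1;
+}
+
+// check chroot directory structure
+if (fs_check_chroot_dir(cfg.chrootdir)) {
+fprintf(stderr, "Error: invalid chroot\n");
+exit(1);
+}
 }
-
-// check chroot directory structure
-if (fs_check_chroot_dir(cfg.chrootdir)) {
-fprintf(stderr, "Error: invalid chroot\n");
+else {
+fprintf(stderr, "Error: --chroot feature is disabled in Firejail configuration file\n");
 exit(1);
 }
+
 }
 #endif
 else if (strcmp(argv[i], "--private") == 0)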
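Review bot: In the `--seccomp.e` branch of the third hunk, the result of `calloc(highest_errno+1, ...)` is indexed as `cfg.seccomp_list_errno[nr]` without a NULL check, and the `strndup()` result in `errnoname` is passed to `errno_find_name()` unchecked; the commit re-indents these lines but leaves the gap. Adding `if (!cfg.seccomp_list_errno) errExit("calloc");` after the allocation and `if (!errnoname) errExit("strndup");` after the copy would match the `strdup` handling used in the neighbouring branches. As a style point, the `checkcfg(CFG_SECCOMP)` test and its error message are pasted into every seccomp branch in both functions; a small static helper that prints the message and exits would make it harder to add a future seccomp option without the gate. Both run_cmd_and_exit() and main() extend outside the hunks shown.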
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 1c843a460..723889dd2 100644
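--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -132,7 +132,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 else if (strcmp(ptr, "seccomp") == 0) {
-arg_seccomp = 1;
+#ifdef HAVE_SECCOMP
+if (checkcfg(CFG_SECCOMP))
+arg_seccomp = 1;
+else
+fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n");
+#endif
 return 0;
 }
 else if (strcmp(ptr, "caps") == 0) {
@@ -209,12 +214,15 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 
-#ifdef HAVE_SECCOMP
 if (strncmp(ptr, "protocol ", 9) == 0) {
-protocol_store(ptr + 9);
+#ifdef HAVE_SECCOMP
+if (checkcfg(CFG_SECCOMP))
+protocol_store(ptr + 9);
+else
+fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n");
+#endif
 return 0;
 }
-#endif
 
 if (strncmp(ptr, "env ", 4) == 0) {
 env_store(ptr + 4);
@@ -223,34 +231,47 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 
 // seccomp drop list on top of default list
 if (strncmp(ptr, "seccomp ", 8) == 0) {
-arg_seccomp = 1;
 #ifdef HAVE_SECCOMP
-cfg.seccomp_list = strdup(ptr + 8);
-if (!cfg.seccomp_list)
-errExit("strdup");
+if (checkcfg(CFG_SECCOMP)) {
+arg_seccomp = 1;
+cfg.seccomp_list = strdup(ptr + 8);
+if (!cfg.seccomp_list)
+errExit("strdup");
+}
+else
+fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n");
 #endif
+
 return 0;
 }
 
 // seccomp drop list without default list
 if (strncmp(ptr, "seccomp.drop ", 13) == 0) {
-arg_seccomp = 1;
 #ifdef HAVE_SECCOMP
-cfg.seccomp_list_drop = strdup(ptr + 13);
-if (!cfg.seccomp_list_drop)
-errExit("strdup");
-#endif
+if (checkcfg(CFG_SECCOMP)) {
+arg_seccomp = 1;
+cfg.seccomp_list_drop = strdup(ptr + 13);
+if (!cfg.seccomp_list_drop)
+errExit("strdup");
+}
+else
+fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n");
+#endif
 return 0;
 }
 
 // seccomp keep list
 if (strncmp(ptr, "seccomp.keep ", 13) == 0) {
-arg_seccomp = 1;
 #ifdef HAVE_SECCOMP
-cfg.seccomp_list_keep= strdup(ptr + 13);
-if (!cfg.seccomp_list_keep)
-errExit("strdup");
-#endif
+if (checkcfg(CFG_SECCOMP)) {
+arg_seccomp = 1;
+cfg.seccomp_list_keep= strdup(ptr + 13);
+if (!cfg.seccomp_list_keep)
+errExit("strdup");
+}
+else
+fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n");
+#endif
 return 0;
 }
 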
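Review bot: When seccomp is disabled in the configuration file, the profile branches for `seccomp`, `seccomp `, `seccomp.drop `, `seccomp.keep ` and `protocol ` print a warning and `return 0`, so the sandbox starts without the filter the profile asked for, whereas the same options on the command line `exit(1)` in main.c. If the downgrade is intended, the warning should at least say which profile line was dropped, using the `fname` and `lineno` parameters already in the signature: `fprintf(stderr, "Warning: seccomp is disabled in Firejail configuration file, ignoring %s line %d\n", fname, lineno);`. With the `#ifdef HAVE_SECCOMP` now inside each branch, a build without seccomp appears to accept these lines with no message at all, which is worth a comment or a warning of its own. profile_check_line() begins and ends outside the hunks shown.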