authorLibravatar valoq <valoq@mailbox.org>2016-12-11 19:06:18 +0100
committerLibravatar valoq <valoq@mailbox.org>2016-12-11 19:06:18 +0100
commitbbb098e082e4d7493733b49c610859ac93ede8a5 (patch)
tree9da7b982e9f57e6a14cd2549567c14f720b7b83c /src
parentconfig support for firejail prompt in terminals (diff)
fixed ipc blacklist
Diffstat (limited to 'src')
-rw-r--r--src/firejail/fs.c27
-rw-r--r--src/firejail/fs_var.c2
2 files changed, 21 insertions, 8 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 84dc9046c..f469cba0a 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -531,17 +531,16 @@ void fs_proc_sys_dev_boot(void) {
531 // disable /dev/port 531 // disable /dev/port
532 disable_file(BLACKLIST_FILE, "/dev/port"); 532 disable_file(BLACKLIST_FILE, "/dev/port");
533 533
534
535 // WARNING: this is not reliable. When services like gpg-agent are started after the jail, the sockets are not blacklisted
536 534
537 // disable various ipc sockets 535 /* // disable various ipc sockets */
538 struct stat s; 536 struct stat s;
539
540 537
541 // disable /run/user/{uid}/gnupg 538 // disable /run/user/{uid}/gnupg
542 char *fnamegpg; 539 char *fnamegpg;
543 if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1) 540 if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1)
544 errExit("asprintf"); 541 errExit("asprintf");
542 if (stat(fnamegpg, &s) == -1)
543 mkdir_attr(fnamegpg, 0700, getuid(), getgid());
545 if (stat(fnamegpg, &s) == 0) 544 if (stat(fnamegpg, &s) == 0)
546 disable_file(BLACKLIST_FILE, fnamegpg); 545 disable_file(BLACKLIST_FILE, fnamegpg);
547 free(fnamegpg); 546 free(fnamegpg);
@@ -550,10 +549,13 @@ void fs_proc_sys_dev_boot(void) {
550 char *fnamesysd; 549 char *fnamesysd;
551 if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1) 550 if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)
552 errExit("asprintf"); 551 errExit("asprintf");
552 if (stat(fnamesysd, &s) == -1)
553 mkdir_attr(fnamesysd, 0755, getuid(), getgid());
553 if (stat(fnamesysd, &s) == 0) 554 if (stat(fnamesysd, &s) == 0)
554 disable_file(BLACKLIST_FILE, fnamesysd); 555 disable_file(BLACKLIST_FILE, fnamesysd);
555 free(fnamesysd); 556 free(fnamesysd);
556 557
558
557// todo: investigate 559// todo: investigate
558#if 0 560#if 0
559 // breaks too many applications, option needed 561 // breaks too many applications, option needed
@@ -591,12 +593,21 @@ void fs_proc_sys_dev_boot(void) {
591 /* disable_file(BLACKLIST_FILE, fnamedconf); */ 593 /* disable_file(BLACKLIST_FILE, fnamedconf); */
592 /* free(fnamedconf); */ 594 /* free(fnamedconf); */
593 595
594 596
597 // dirs in /run/user/{uid}/
598 // using gnome:
599 // bus, dconf, gdm, gnome-shell, gnupg, gvfs, keyring, pulse, systemd
600
601 // using kde:
602 // kdeinit__0, ...
603
595 //more files with sockets to be blacklisted 604 //more files with sockets to be blacklisted
596 // /run/dbus /run/systemd /run/udev /run/lvm 605 // /run/dbus /run/systemd /run/udev /run/lvm
597#endif 606
598 607 // /run/user/{uid} does not exist on some systems, usually used and created by desktop applications
599 608
609#endif
610
600 if (getuid() != 0) { 611 if (getuid() != 0) {
601 // disable /dev/kmsg and /proc/kmsg 612 // disable /dev/kmsg and /proc/kmsg
602 disable_file(BLACKLIST_FILE, "/dev/kmsg"); 613 disable_file(BLACKLIST_FILE, "/dev/kmsg");
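Review bot: The added `if (stat(fnamegpg, &s) == -1) mkdir_attr(fnamegpg, 0700, getuid(), getgid());` at new lines 542-543, and the same pattern for `fnamesysd` at 552-553, treats every stat() failure as "directory missing" and then creates an entry under /run/user/{uid}, a directory the calling user normally owns. Because stat() follows symlinks and the check and the create are separate steps, a dangling symlink or an entry swapped in between the two calls reaches mkdir_attr and then disable_file. How mkdir_attr behaves on an existing entry or a missing parent is not visible here, and the comment added at new line 607 says /run/user/{uid} does not exist on some systems. I would narrow the guard to `if (lstat(fnamegpg, &s) == -1 && errno == ENOENT)` and only blacklist when the re-check is `lstat(fnamegpg, &s) == 0 && S_ISDIR(s.st_mode)`. The body of fs_proc_sys_dev_boot starts and ends outside these hunks.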
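--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -106,6 +106,8 @@ static void build_dirs(void) {
 void fs_var_log(void) {
  build_list("/var/log");
 
+ // note: /var/log is not created here, if it does not exist, this section fails. Intended?
+
  // create /var/log if it doesn't exit
  if (is_dir("/var/log")) {
  // extract group id for /var/log/wtmp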
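Review bot: The comment added at new line 109 contradicts the existing comment two lines below it, `// create /var/log if it doesn't exit`, so a reader cannot tell whether fs_var_log is meant to create the directory or skip it. Only the `is_dir("/var/log")` branch is visible here and the function continues outside the hunk, so whether a missing /var/log is handled further down cannot be confirmed from this page. I would settle the question instead of leaving it in the source. If skipping is the intended behaviour, replace both comments with `// /var/log is only processed when it already exists; it is not created here`. If the old comment stays, it also has a typo ("exit" for "exist").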