various fixes

author: netblue30 <netblue30@yahoo.com> 2016-08-09 07:46:28 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-08-09 07:46:28 -0400
commit: c22f9de02db17cb10b08f3d4893987228799ca89 (patch)
tree: 592437e48f29b98a18fefc7f60e2cc7abf0b7c04 /src
parent: --private-bin and --private-etc fix (diff)
download: firejail-c22f9de02db17cb10b08f3d4893987228799ca89.tar.gz
firejail-c22f9de02db17cb10b08f3d4893987228799ca89.tar.zst
firejail-c22f9de02db17cb10b08f3d4893987228799ca89.zip
2 files changed, 30 insertions, 9 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index f37605e20..a131d9e91 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -460,8 +460,9 @@ int sandbox(void* sandbox_arg) {
 #ifdef HAVE_CHROOT              
        if (cfg.chrootdir) {
                fs_chroot(cfg.chrootdir);
-                // redo cp command
-                fs_build_cp_command();
+//              // redo cp command
+//              fs_build_cp_command();
                
                // force caps and seccomp if not started as root
                if (getuid() != 0) {
@@ -482,7 +483,7 @@ int sandbox(void* sandbox_arg) {
                        
                        // disable all capabilities
                        if (arg_caps_default_filter || arg_caps_list)
-                                fprintf(stderr, "Warning: all capabilities disabled for a regular user during chroot\n");
+                                fprintf(stderr, "Warning: all capabilities disabled for a regular user in chroot\n");
                        arg_caps_drop_all = 1;
                        
                        // drop all supplementary groups; /etc/group file inside chroot
@@ -530,13 +531,21 @@ int sandbox(void* sandbox_arg) {
        if (arg_private_dev)
                fs_private_dev();
        if (arg_private_etc) {
-                fs_private_etc_list();
+                if (cfg.chrootdir)
-                // create /etc/ld.so.preload file again
+                        fprintf(stderr, "Warning: private-etc feature is disabled in chroot\n");
-                if (arg_trace || arg_tracelog)
+                else {
-                        fs_trace_preload();
+                        fs_private_etc_list();
+                        // create /etc/ld.so.preload file again
+                        if (arg_trace || arg_tracelog)
+                                fs_trace_preload();
+                }
+        }
+        if (arg_private_bin) {
+                if (cfg.chrootdir)
+                        fprintf(stderr, "Warning: private-bin feature is disabled in chroot\n");
+                else
+                        fs_private_bin_list();
        }
-        if (arg_private_bin)
-                fs_private_bin_list();
        if (arg_private_tmp)
                fs_private_tmp();
        
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index efe24a211..88620d1dd 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -101,10 +101,22 @@ static void filter_init(void) {
        sfilter_alloc_size = SECSIZE;
        
        // copy the start entries
+#if defined(__x86_64__)
+#define X32_SYSCALL_BIT 0x40000000
+        struct sock_filter filter[] = {
+                VALIDATE_ARCHITECTURE,
+                EXAMINE_SYSCALL,
+                // handle X32 ABI
+                BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0),
+                BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0),
+                RETURN_ERRNO(EPERM)
+        };
+#else
        struct sock_filter filter[] = {
                VALIDATE_ARCHITECTURE,
                EXAMINE_SYSCALL
        };
+#endif
        sfilter_index = sizeof(filter) / sizeof(struct sock_filter);    
        memcpy(sfilter, filter, sizeof(filter));
 }
author	netblue30 <netblue30@yahoo.com>	2016-08-09 07:46:28 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-08-09 07:46:28 -0400
commit	c22f9de02db17cb10b08f3d4893987228799ca89 (patch)
tree	592437e48f29b98a18fefc7f60e2cc7abf0b7c04 /src
parent	--private-bin and --private-etc fix (diff)
download	firejail-c22f9de02db17cb10b08f3d4893987228799ca89.tar.gz firejail-c22f9de02db17cb10b08f3d4893987228799ca89.tar.zst firejail-c22f9de02db17cb10b08f3d4893987228799ca89.zip

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index f37605e20..a131d9e91 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -460,8 +460,9 @@ int sandbox(void* sandbox_arg) {
460	#ifdef HAVE_CHROOT	460	#ifdef HAVE_CHROOT
461	if (cfg.chrootdir) {	461	if (cfg.chrootdir) {
462	fs_chroot(cfg.chrootdir);	462	fs_chroot(cfg.chrootdir);
463	// redo cp command	463
464	fs_build_cp_command();	464	// // redo cp command
		465	// fs_build_cp_command();
465		466
466	// force caps and seccomp if not started as root	467	// force caps and seccomp if not started as root
467	if (getuid() != 0) {	468	if (getuid() != 0) {
@@ -482,7 +483,7 @@ int sandbox(void* sandbox_arg) {
482		483
483	// disable all capabilities	484	// disable all capabilities
484	if (arg_caps_default_filter \|\| arg_caps_list)	485	if (arg_caps_default_filter \|\| arg_caps_list)
485	fprintf(stderr, "Warning: all capabilities disabled for a regular user during chroot\n");	486	fprintf(stderr, "Warning: all capabilities disabled for a regular user in chroot\n");
486	arg_caps_drop_all = 1;	487	arg_caps_drop_all = 1;
487		488
488	// drop all supplementary groups; /etc/group file inside chroot	489	// drop all supplementary groups; /etc/group file inside chroot
@@ -530,13 +531,21 @@ int sandbox(void* sandbox_arg) {
530	if (arg_private_dev)	531	if (arg_private_dev)
531	fs_private_dev();	532	fs_private_dev();
532	if (arg_private_etc) {	533	if (arg_private_etc) {
533	fs_private_etc_list();	534	if (cfg.chrootdir)
534	// create /etc/ld.so.preload file again	535	fprintf(stderr, "Warning: private-etc feature is disabled in chroot\n");
535	if (arg_trace \|\| arg_tracelog)	536	else {
536	fs_trace_preload();	537	fs_private_etc_list();
		538	// create /etc/ld.so.preload file again
		539	if (arg_trace \|\| arg_tracelog)
		540	fs_trace_preload();
		541	}
		542	}
		543	if (arg_private_bin) {
		544	if (cfg.chrootdir)
		545	fprintf(stderr, "Warning: private-bin feature is disabled in chroot\n");
		546	else
		547	fs_private_bin_list();
537	}	548	}
538	if (arg_private_bin)
539	fs_private_bin_list();
540	if (arg_private_tmp)	549	if (arg_private_tmp)
541	fs_private_tmp();	550	fs_private_tmp();
542		551


diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index efe24a211..88620d1dd 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c
@@ -101,10 +101,22 @@ static void filter_init(void) {
101	sfilter_alloc_size = SECSIZE;	101	sfilter_alloc_size = SECSIZE;
102		102
103	// copy the start entries	103	// copy the start entries
		104	#if defined(__x86_64__)
		105	#define X32_SYSCALL_BIT 0x40000000
		106	struct sock_filter filter[] = {
		107	VALIDATE_ARCHITECTURE,
		108	EXAMINE_SYSCALL,
		109	// handle X32 ABI
		110	BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0),
		111	BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0),
		112	RETURN_ERRNO(EPERM)
		113	};
		114	#else
104	struct sock_filter filter[] = {	115	struct sock_filter filter[] = {
105	VALIDATE_ARCHITECTURE,	116	VALIDATE_ARCHITECTURE,
106	EXAMINE_SYSCALL	117	EXAMINE_SYSCALL
107	};	118	};
		119	#endif
108	sfilter_index = sizeof(filter) / sizeof(struct sock_filter);	120	sfilter_index = sizeof(filter) / sizeof(struct sock_filter);
109	memcpy(sfilter, filter, sizeof(filter));	121	memcpy(sfilter, filter, sizeof(filter));
110	}	122	}