Merge branch 'master' of https://github.com/netblue30/firejail

13 files changed, 200 insertions, 37 deletions

diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index f8e0f3bc7..e34ac786c 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -431,6 +431,8 @@ xonotic-glx
 xonotic-sdl
 xpdf
 xplayer
+xplayer-audio-preview
+xplayer-video-thumbnailer
 xpra
 xreader
 xreader-previewer
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index a54607aec..b79053d3e 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -30,7 +30,7 @@ static char *usage_str =
         "The symbolic links are placed in /usr/local/bin. For more information, see\n"
         "DESKTOP INTEGRATION section in man 1 firejail.\n\n"
         "Usage: firecfg [OPTIONS]\n\n"
-        "   --add-users user [user] - add the users to Firejail access database\n"
+        "   --add-users user [user] - add the users to Firejail user access database.\n\n"
         "   --clean - remove all firejail symbolic links.\n\n"
         "   --debug - print debug messages.\n\n"
         "   --fix - fix .desktop files.\n\n"
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index d6c39260b..4fd11ab4f 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -778,6 +778,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 #define PATH_FIREJAIL (PREFIX "/bin/firejail")
 #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
 #define PATH_FSEC_PRINT (LIBDIR "/firejail/fsec-print")
+#define PATH_FSEC_OPTIMIZE (LIBDIR "/firejail/fsec-optimize")
 #define PATH_FCOPY (LIBDIR "/firejail/fcopy")
 #define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin"
 #define PATH_FLDD (LIBDIR "/firejail/fldd")
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 1e60b6477..709ce96b6 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1022,19 +1022,17 @@ int sandbox(void* sandbox_arg) {
 #endif
 
         //****************************************
-        // drop privileges or create a new user namespace
+        // create a new user namespace
+        //     - too early to drop privileges
         //****************************************
         save_nogroups();
         if (arg_noroot) {
                 int rv = unshare(CLONE_NEWUSER);
                 if (rv == -1) {
                         fwarning("cannot create a new user namespace, going forward without it...\n");
-                        drop_privs(arg_nogroups);
                         arg_noroot = 0;
                 }
         }
-        else
-                drop_privs(arg_nogroups);
 
         // notify parent that new user namespace has been created so a proper
         // UID/GID map can be setup
@@ -1066,8 +1064,9 @@ int sandbox(void* sandbox_arg) {
         }
 
         //****************************************
-        // fork the application and monitor it
+        // drop privileges, fork the application and monitor it
         //****************************************
+        drop_privs(arg_nogroups);
         pid_t app_pid = fork();
         if (app_pid == -1)
                 errExit("fork");
@@ -1085,6 +1084,7 @@ int sandbox(void* sandbox_arg) {
                                 printf("AppArmor enabled\n");
                 }
 #endif
+
                 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
                 start_application(0);   // start app
         }
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 0184db65c..1ee6256d4 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -210,6 +210,11 @@ int seccomp_filter_drop(void) {
                                               PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list);
                         if (rv)
                                 exit(rv);
+
+                        // optimize the new filter
+                        rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSEC_OPTIMIZE, RUN_SECCOMP_CFG);
+                        if (rv)
+                                exit(rv);
                 }
         }
 
@@ -232,6 +237,11 @@ int seccomp_filter_drop(void) {
 
                 if (rv)
                         exit(rv);
+
+                // optimize the drop filter
+                rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSEC_OPTIMIZE, RUN_SECCOMP_CFG);
+                if (rv)
+                        exit(rv);
         }
 
         // load the filter
diff --git a/src/firejail/util.c b/src/firejail/util.c
index c644f83a8..14e9f6440 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -32,6 +32,61 @@
 #include <sys/wait.h>
 
 #define MAX_GROUPS 1024
+
+static void clean_supplementary_groups(gid_t gid) {
+        assert(cfg.username);
+        gid_t groups[MAX_GROUPS];
+        int ngroups = MAX_GROUPS;
+
+        int rv = getgrouplist(cfg.username, gid, groups, &ngroups);
+        if (rv == -1)
+                goto clean_all;
+
+        // clean supplementary group list
+        // allow only tty, audio, video, games
+        gid_t new_groups[MAX_GROUPS];
+        int new_ngroups = 0;
+        char *allowed[] = {
+                "tty",
+                "audio",
+                "video",
+                "games",
+                NULL
+        };
+
+        int i = 0;
+        while (allowed[i]) {
+                gid_t g = get_group_id(allowed[i]);
+                if (g) {
+                        int j;
+                        for (j = 0; j < ngroups; j++) {
+                                if (g == groups[j]) {
+                                        new_groups[new_ngroups] = g;
+                                        new_ngroups++;
+                                        break;
+                                }
+                        }
+                }
+                i++;
+        }
+
+        if (new_ngroups) {
+                rv = setgroups(new_ngroups, new_groups);
+                if (rv)
+                        goto clean_all;
+        }
+        else
+                goto clean_all;
+
+        return;
+
+clean_all:
+        fwarning("cleaning all supplementary groups\n");
+        if (setgroups(0, NULL) < 0)
+                errExit("setgroups");
+}
+
+
 // drop privileges
 // - for root group or if nogroups is set, supplementary groups are not configured
 void drop_privs(int nogroups) {
@@ -45,34 +100,8 @@ void drop_privs(int nogroups) {
                 if (arg_debug)
                         printf("Username %s, no supplementary groups\n", cfg.username);
         }
-        else {
-                assert(cfg.username);
-                gid_t groups[MAX_GROUPS];
-                int ngroups = MAX_GROUPS;
-                int rv = getgrouplist(cfg.username, gid, groups, &ngroups);
-
-                if (arg_debug && rv) {
-                        printf("Username %s, groups ", cfg.username);
-                        int i;
-                        for (i = 0; i < ngroups; i++)
-                                printf("%u, ", groups[i]);
-                        printf("\n");
-                }
-
-                if (rv == -1) {
-                        fwarning("cannot extract supplementary group list, dropping them\n");
-                        if (setgroups(0, NULL) < 0)
-                                errExit("setgroups");
-                }
-                else {
-                        rv = setgroups(ngroups, groups);
-                        if (rv) {
-                                fwarning("cannot set supplementary group list, dropping them\n");
-                                if (setgroups(0, NULL) < 0)
-                                        errExit("setgroups");
-                        }
-                }
-        }
+        else if (arg_noroot)
+                clean_supplementary_groups(gid);
 
         // set uid/gid
         if (setgid(getgid()) < 0)
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index e7a7ef6d9..80cb201d9 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -30,9 +30,31 @@ installing new programs. If the program is supported by Firejail, the symbolic l
 will be created. For a full list of programs supported by default run "cat /usr/lib/firejail/firecfg.config".
 
 For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR.
+.SH DEFAULT ACTIONS
+The following actions are implemented by default by running sudo firecfg:
+
+.RS
+- set or update the symbolic links for desktop integration;
+.br
+
+.br
+- add the current user to Firejail user access database (firecfg --add-users);
+.br
+
+.br
+-fix desktop files in $HOME/.local/share/applications/ (firecfg --fix).
+.RE
 
 .SH OPTIONS
 .TP
+\fB\-\-add-users user [user]
+Add the list of users to Firejail user access database.
+
+Example:
+.br
+$ sudo firecfg --add-users dustin lucas mike eleven
+
+.TP
 \fB\-\-clean
 Remove all firejail symbolic links.
 
@@ -102,3 +124,4 @@ Homepage: https://firejail.wordpress.com
 \&\flfiremon\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
 \&\flfirejail-login\fR\|(5)
+\&\flfirejail-users\fR\|(5)
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt
index 29030ba45..c2fa63dc4 100644
--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -1,4 +1,4 @@
-.TH FIREJAIL-LOGIN 5 "MONTH YEAR" "VERSION" "firejail login.users man page"
+.TH FIREJAIL-LOGIN 5 "MONTH YEAR" "VERSION" "login.users man page"
 .SH NAME
 login.users \- Login file syntax for Firejail
 
@@ -38,3 +38,4 @@ Homepage: https://firejail.wordpress.com
 \&\flfiremon\fR\|(1),
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5)
+\&\flfirejail-users\fR\|(5)
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 4b6e9766f..b529f63e3 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -232,7 +232,7 @@ All modifications are discarded when the sandbox is closed.
 .TP
 \fBprivate-lib file,directory
 Build a new /lib directory and bring in the libraries required by the application to run.
-This feature is still under development, see man 1 firejail for some examples.
+This feature is still under development, see \fBman 1 firejail\fR for some examples.
 .TP
 \fBprivate-opt file,directory
 Build a new /optin a temporary
@@ -610,3 +610,4 @@ Homepage: https://firejail.wordpress.com
 \&\flfiremon\fR\|(1),
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-login\fR\|(5)
+\&\flfirejail-users\fR\|(5)
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt
new file mode 100644
index 000000000..fcc0f914b
--- /dev/null
+++ b/src/man/firejail-users.txt
@@ -0,0 +1,45 @@
+.TH FIREJAIL-USERS 5 "MONTH YEAR" "VERSION" "firejail.users man page"
+.SH NAME
+firejail.users \- Firejail user access database
+
+.SH DESCRIPTION
+/etc/firejail/firejail.users lists the users allowed to run firejail SUID executable.
+If the file is not present in the system, all users are allowed to use the sandbox.
+root user is allowed by default.
+
+Example:
+
+        $ cat /etc/firejail/firejail.users
+.br
+        dustin
+.br
+        lucas
+.br
+        mike
+.br
+        eleven
+
+Use a text editor to add or remove users from the list. You can also use firecfg \-\-add-users
+command. Example:
+
+        $ sudo firecfg --add-users dustin lucas mike eleven
+
+By default, running firecfg creates the file and adds the current user to the list. Example:
+
+        $ sudo firecfg
+
+See \fBman 1 firecfg\fR for details.
+
+.SH FILES
+/etc/firejail/firejail.users
+
+.SH LICENSE
+Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+.PP
+Homepage: https://firejail.wordpress.com
+.SH SEE ALSO
+\&\flfirejail\fR\|(1),
+\&\flfiremon\fR\|(1),
+\&\flfirecfg\fR\|(1),
+\&\flfirejail-profile\fR\|(5)
+\&\flfirejail-login\fR\|(5)
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index e55d01253..6e8e4eb2c 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2691,7 +2691,7 @@ Child process initialized
 [...]
 .RE
 
-See man 5 firejail-profile for profile file syntax information.
+See \fBman 5 firejail-profile\fR for profile file syntax information.
 
 .SH RESTRICTED SHELL
 To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
@@ -2739,3 +2739,4 @@ Homepage: https://firejail.wordpress.com
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
 \&\flfirejail-login\fR\|(5)
+\&\flfirejail-users\fR\|(5)
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index 91c59af4d..9cae72b54 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -111,3 +111,4 @@ Homepage: http://firejail.wordpress.com
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
 \&\flfirejail-login\fR\|(5)
+\&\flfirejail-users\fR\|(5)
diff --git a/src/tools/testuid.c b/src/tools/testuid.c
new file mode 100644
index 000000000..633b9773e
--- /dev/null
+++ b/src/tools/testuid.c
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2014-2018 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+// compile: gcc -o testuid testuid.c
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+
+
+static void print_status(void) {
+        FILE *fp = fopen("/proc/self/status", "r");
+        if (!fp) {
+                fprintf(stderr, "Error, cannot open staus file\n");
+                exit(1);
+        }
+
+        char buf[4096];
+        while (fgets(buf, 4096, fp)) {
+                if (strncmp(buf, "Uid", 3) == 0 || strncmp(buf, "Gid", 3) == 0)
+                        printf("%s", buf);
+        }
+
+        fclose(fp);
+}
+
+int main(void) {
+        print_status();
+        return 0;
+}