Make NO_NEW_PRIVS configurable

author: The Fox in the Shell <KellerFuchs@hashbang.sh> 2016-05-25 02:19:02 +0200
committer: The Fox in the Shell <KellerFuchs@hashbang.sh> 2016-05-25 15:01:13 +0200
commit: 0688847fa8287752e2bdd209bde37029dff48dc5 (patch)
tree: c71776187e4b3a9c6250281701511f706aaaf3cd /src
parent: sandbox: Add NO_NEW_PRIVS inconditionally (diff)
download: firejail-0688847fa8287752e2bdd209bde37029dff48dc5.tar.gz
firejail-0688847fa8287752e2bdd209bde37029dff48dc5.tar.zst
firejail-0688847fa8287752e2bdd209bde37029dff48dc5.zip
5 files changed, 20 insertions, 5 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index f4a176caf..c9c090a97 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -237,6 +237,7 @@ extern int arg_rlimit_nproc;	// rlimit nproc
 extern int arg_rlimit_fsize;    // rlimit fsize
 extern int arg_rlimit_sigpending;// rlimit sigpending
 extern int arg_nogroups;        // disable supplementary groups
+extern int arg_nonewprivs;      // set the NO_NEW_PRIVS prctl
 extern int arg_noroot;          // create a new user namespace and disable root user
 extern int arg_netfilter;       // enable netfilter
 extern int arg_netfilter6;      // enable netfilter6
diff --git a/src/firejail/main.c b/src/firejail/main.c
index a540d468b..2f4a78d4b 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -77,6 +77,7 @@ int arg_rlimit_nproc = 0;			// rlimit nproc
 int arg_rlimit_fsize = 0;                               // rlimit fsize
 int arg_rlimit_sigpending = 0;                  // rlimit fsize
 int arg_nogroups = 0;                           // disable supplementary groups
+int arg_nonewprivs = 0;                 // set the NO_NEW_PRIVS prctl
 int arg_noroot = 0;                             // create a new user namespace and disable root user
 int arg_netfilter;                              // enable netfilter
 int arg_netfilter6;                             // enable netfilter6
@@ -1367,6 +1368,9 @@ int main(int argc, char **argv) {
                        }
                }
 #endif
+                else if (strcmp(argv[i], "--nonewprivs") == 0) {
+                        arg_nonewprivs = 1;
+                }
                else if (strncmp(argv[i], "--env=", 6) == 0)
                        env_store(argv[i] + 6);
                else if (strncmp(argv[i], "--nosound", 9) == 0) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 3bf294e00..192f36974 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -131,6 +131,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
+        else if (strcmp(ptr, "nonewprivs") == 0) {
+                arg_nonewprivs = 1;
+                return 0;
+        }
        else if (strcmp(ptr, "seccomp") == 0) {
 #ifdef HAVE_SECCOMP
                if (checkcfg(CFG_SECCOMP))
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 109395b60..843c1efe5 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -750,11 +750,14 @@ int sandbox(void* sandbox_arg) {
        //****************************************
        // Set NO_NEW_PRIVS if desired
        //****************************************
-        int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+        if (arg_nonewprivs) {
-        if(no_new_privs != 0) {
+                int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
-          errExit("NO_NEW_PRIVS");
-        } else
+                if(no_new_privs != 0)
-          printf("No new privileges from this point on\n");
+                        errExit("NO_NEW_PRIVS");
+                else if (arg_debug)
+                        printf("NO_NEW_PRIVS set\n");
+        }
        //****************************************
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index ef02c0d72..45bf2e3b1 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -157,6 +157,9 @@ void usage(void) {
        printf("\tuser. root user does not exist in the new namespace. This option\n");
        printf("\tis not supported for --chroot and --overlay configurations.\n\n");
 #endif
+        printf("    --nonewprivs - sets the NO_NEW_PRIVS prctl - the child processes\n");
+        printf("\tcannot gain privileges using execve(2); in particular, this prevents\n");
+        printf("\tgaining privileges by calling a suid binary\n\n");
        printf("    --nosound - disable sound system.\n\n");
                
        printf("    --output=logfile - stdout logging and log rotation. Copy stdout and stderr\n");
author	The Fox in the Shell <KellerFuchs@hashbang.sh>	2016-05-25 02:19:02 +0200
committer	The Fox in the Shell <KellerFuchs@hashbang.sh>	2016-05-25 15:01:13 +0200
commit	0688847fa8287752e2bdd209bde37029dff48dc5 (patch)
tree	c71776187e4b3a9c6250281701511f706aaaf3cd /src
parent	sandbox: Add NO_NEW_PRIVS inconditionally (diff)
download	firejail-0688847fa8287752e2bdd209bde37029dff48dc5.tar.gz firejail-0688847fa8287752e2bdd209bde37029dff48dc5.tar.zst firejail-0688847fa8287752e2bdd209bde37029dff48dc5.zip

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index f4a176caf..c9c090a97 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -237,6 +237,7 @@ extern int arg_rlimit_nproc; // rlimit nproc
237	extern int arg_rlimit_fsize; // rlimit fsize	237	extern int arg_rlimit_fsize; // rlimit fsize
238	extern int arg_rlimit_sigpending;// rlimit sigpending	238	extern int arg_rlimit_sigpending;// rlimit sigpending
239	extern int arg_nogroups; // disable supplementary groups	239	extern int arg_nogroups; // disable supplementary groups
		240	extern int arg_nonewprivs; // set the NO_NEW_PRIVS prctl
240	extern int arg_noroot; // create a new user namespace and disable root user	241	extern int arg_noroot; // create a new user namespace and disable root user
241	extern int arg_netfilter; // enable netfilter	242	extern int arg_netfilter; // enable netfilter
242	extern int arg_netfilter6; // enable netfilter6	243	extern int arg_netfilter6; // enable netfilter6


diff --git a/src/firejail/main.c b/src/firejail/main.c index a540d468b..2f4a78d4b 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -77,6 +77,7 @@ int arg_rlimit_nproc = 0; // rlimit nproc
77	int arg_rlimit_fsize = 0; // rlimit fsize	77	int arg_rlimit_fsize = 0; // rlimit fsize
78	int arg_rlimit_sigpending = 0; // rlimit fsize	78	int arg_rlimit_sigpending = 0; // rlimit fsize
79	int arg_nogroups = 0; // disable supplementary groups	79	int arg_nogroups = 0; // disable supplementary groups
		80	int arg_nonewprivs = 0; // set the NO_NEW_PRIVS prctl
80	int arg_noroot = 0; // create a new user namespace and disable root user	81	int arg_noroot = 0; // create a new user namespace and disable root user
81	int arg_netfilter; // enable netfilter	82	int arg_netfilter; // enable netfilter
82	int arg_netfilter6; // enable netfilter6	83	int arg_netfilter6; // enable netfilter6
@@ -1367,6 +1368,9 @@ int main(int argc, char **argv) {
1367	}	1368	}
1368	}	1369	}
1369	#endif	1370	#endif
		1371	else if (strcmp(argv[i], "--nonewprivs") == 0) {
		1372	arg_nonewprivs = 1;
		1373	}
1370	else if (strncmp(argv[i], "--env=", 6) == 0)	1374	else if (strncmp(argv[i], "--env=", 6) == 0)
1371	env_store(argv[i] + 6);	1375	env_store(argv[i] + 6);
1372	else if (strncmp(argv[i], "--nosound", 9) == 0) {	1376	else if (strncmp(argv[i], "--nosound", 9) == 0) {


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 3bf294e00..192f36974 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -131,6 +131,10 @@ int profile_check_line(char ptr, int lineno, const char fname) {
131		131
132	return 0;	132	return 0;
133	}	133	}
		134	else if (strcmp(ptr, "nonewprivs") == 0) {
		135	arg_nonewprivs = 1;
		136	return 0;
		137	}
134	else if (strcmp(ptr, "seccomp") == 0) {	138	else if (strcmp(ptr, "seccomp") == 0) {
135	#ifdef HAVE_SECCOMP	139	#ifdef HAVE_SECCOMP
136	if (checkcfg(CFG_SECCOMP))	140	if (checkcfg(CFG_SECCOMP))


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 109395b60..843c1efe5 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -750,11 +750,14 @@ int sandbox(void* sandbox_arg) {
750	//****************************************	750	//****************************************
751	// Set NO_NEW_PRIVS if desired	751	// Set NO_NEW_PRIVS if desired
752	//****************************************	752	//****************************************
753	int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);	753	if (arg_nonewprivs) {
754	if(no_new_privs != 0) {	754	int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
755	errExit("NO_NEW_PRIVS");	755
756	} else	756	if(no_new_privs != 0)
757	printf("No new privileges from this point on\n");	757	errExit("NO_NEW_PRIVS");
		758	else if (arg_debug)
		759	printf("NO_NEW_PRIVS set\n");
		760	}
758		761
759		762
760	//****************************************	763	//****************************************


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index ef02c0d72..45bf2e3b1 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -157,6 +157,9 @@ void usage(void) {
157	printf("\tuser. root user does not exist in the new namespace. This option\n");	157	printf("\tuser. root user does not exist in the new namespace. This option\n");
158	printf("\tis not supported for --chroot and --overlay configurations.\n\n");	158	printf("\tis not supported for --chroot and --overlay configurations.\n\n");
159	#endif	159	#endif
		160	printf(" --nonewprivs - sets the NO_NEW_PRIVS prctl - the child processes\n");
		161	printf("\tcannot gain privileges using execve(2); in particular, this prevents\n");
		162	printf("\tgaining privileges by calling a suid binary\n\n");
160	printf(" --nosound - disable sound system.\n\n");	163	printf(" --nosound - disable sound system.\n\n");
161		164
162	printf(" --output=logfile - stdout logging and log rotation. Copy stdout and stderr\n");	165	printf(" --output=logfile - stdout logging and log rotation. Copy stdout and stderr\n");