diff options
| author |  Aleksey Manevich <manevich.aleksey@gmail.com> | 2016-08-24 13:04:15 +0300 |
|---|---|---|
| committer | Aleksey Manevich <manevich.aleksey@gmail.com> | 2016-08-24 13:04:15 +0300 |
| commit | 096f01e99775e2ccea623e4058b3d7f8090bb6d3 (patch) | |
| tree | 5c4fe391b1b25dc6f2298d18c2f4e2f9b7f51af7 /src | |
| parent | ASSERT_PERMS macros (diff) | |
| parent | Firejail prompt is enabled by env variable FIREJAIL_PROMPT=yes (diff) | |
| download | firejail-096f01e99775e2ccea623e4058b3d7f8090bb6d3.tar.gz firejail-096f01e99775e2ccea623e4058b3d7f8090bb6d3.tar.zst firejail-096f01e99775e2ccea623e4058b3d7f8090bb6d3.zip | |
Merge branch 'master' into security
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/checkcfg.c | 8 | ||||
| -rw-r--r-- | src/firejail/env.c | 10 | ||||
| -rw-r--r-- | src/firejail/firejail.h | 3 | ||||
| -rw-r--r-- | src/firejail/fs.c | 140 | ||||
| -rw-r--r-- | src/firejail/main.c | 9 | ||||
| -rw-r--r-- | src/firejail/sandbox.c | 107 | ||||
| -rw-r--r-- | src/firejail/usage.c | 20 | ||||
| -rw-r--r-- | src/man/firejail.txt | 18 |
8 files changed, 193 insertions, 122 deletions
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index fed934434..5bc859f8d 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
| @@ -241,6 +241,14 @@ int checkcfg(int val) { | |||
| 241 | else | 241 | else |
| 242 | goto errout; | 242 | goto errout; |
| 243 | } | 243 | } |
| 244 | else if (strncmp(ptr, "chroot-desktop ", 15) == 0) { | ||
| 245 | if (strcmp(ptr + 15, "yes") == 0) | ||
| 246 | cfg_val[CFG_CHROOT_DESKTOP] = 1; | ||
| 247 | else if (strcmp(ptr + 15, "no") == 0) | ||
| 248 | cfg_val[CFG_CHROOT_DESKTOP] = 0; | ||
| 249 | else | ||
| 250 | goto errout; | ||
| 251 | } | ||
| 244 | else | 252 | else |
| 245 | goto errout; | 253 | goto errout; |
| 246 | 254 | ||
diff --git a/src/firejail/env.c b/src/firejail/env.c index c05abadca..2c8be3852 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c | |||
| @@ -123,10 +123,14 @@ void env_defaults(void) { | |||
| 123 | errExit("setenv"); | 123 | errExit("setenv"); |
| 124 | if (cfg.shell && setenv("SHELL", cfg.shell, 1) < 0) | 124 | if (cfg.shell && setenv("SHELL", cfg.shell, 1) < 0) |
| 125 | errExit("setenv"); | 125 | errExit("setenv"); |
| 126 | |||
| 126 | // set prompt color to green | 127 | // set prompt color to green |
| 127 | //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] ' | 128 | char *prompt = getenv("FIREJAIL_PROMPT"); |
| 128 | // if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) | 129 | if (prompt && strcmp(prompt, "yes") == 0) { |
| 129 | // errExit("setenv"); | 130 | //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] ' |
| 131 | if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) | ||
| 132 | errExit("setenv"); | ||
| 133 | } | ||
| 130 | 134 | ||
| 131 | // set the window title | 135 | // set the window title |
| 132 | printf("\033]0;firejail %s\007", cfg.window_title); | 136 | printf("\033]0;firejail %s\007", cfg.window_title); |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 4bc953e24..a3b573acc 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -614,7 +614,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh); | |||
| 614 | #define CFG_XEPHYR_WINDOW_TITLE 10 | 614 | #define CFG_XEPHYR_WINDOW_TITLE 10 |
| 615 | #define CFG_REMOUNT_PROC_SYS 11 | 615 | #define CFG_REMOUNT_PROC_SYS 11 |
| 616 | #define CFG_OVERLAYFS 12 | 616 | #define CFG_OVERLAYFS 12 |
| 617 | #define CFG_MAX 13 // this should always be the last entry | 617 | #define CFG_CHROOT_DESKTOP 13 |
| 618 | #define CFG_MAX 14 // this should always be the last entry | ||
| 618 | extern char *xephyr_screen; | 619 | extern char *xephyr_screen; |
| 619 | extern char *xephyr_extra_params; | 620 | extern char *xephyr_extra_params; |
| 620 | extern char *netfilter_default; | 621 | extern char *netfilter_default; |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index ddb25c2dd..6c87df1e9 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
| @@ -817,9 +817,10 @@ void fs_basic_fs(void) { | |||
| 817 | 817 | ||
| 818 | #ifdef HAVE_OVERLAYFS | 818 | #ifdef HAVE_OVERLAYFS |
| 819 | char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) { | 819 | char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) { |
| 820 | // create ~/.firejail directory | ||
| 821 | struct stat s; | 820 | struct stat s; |
| 822 | char *dirname; | 821 | char *dirname; |
| 822 | |||
| 823 | // create ~/.firejail directory | ||
| 823 | if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1) | 824 | if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1) |
| 824 | errExit("asprintf"); | 825 | errExit("asprintf"); |
| 825 | if (stat(dirname, &s) == -1) { | 826 | if (stat(dirname, &s) == -1) { |
| @@ -835,12 +836,15 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) { | |||
| 835 | fprintf(stderr, "Error: invalid ~/.firejail directory\n"); | 836 | fprintf(stderr, "Error: invalid ~/.firejail directory\n"); |
| 836 | exit(1); | 837 | exit(1); |
| 837 | } | 838 | } |
| 838 | |||
| 839 | free(dirname); | 839 | free(dirname); |
| 840 | 840 | ||
| 841 | // check overlay directory | 841 | // check overlay directory |
| 842 | if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1) | 842 | if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1) |
| 843 | errExit("asprintf"); | 843 | errExit("asprintf"); |
| 844 | if (is_link(dirname)) { | ||
| 845 | fprintf(stderr, "Error: overlay directory is a symbolic link\n"); | ||
| 846 | exit(1); | ||
| 847 | } | ||
| 844 | if (allow_reuse == 0) { | 848 | if (allow_reuse == 0) { |
| 845 | if (stat(dirname, &s) == 0) { | 849 | if (stat(dirname, &s) == 0) { |
| 846 | fprintf(stderr, "Error: overlay directory already exists: %s\n", dirname); | 850 | fprintf(stderr, "Error: overlay directory already exists: %s\n", dirname); |
| @@ -1207,56 +1211,58 @@ int fs_check_chroot_dir(const char *rootdir) { | |||
| 1207 | void fs_chroot(const char *rootdir) { | 1211 | void fs_chroot(const char *rootdir) { |
| 1208 | assert(rootdir); | 1212 | assert(rootdir); |
| 1209 | 1213 | ||
| 1210 | // mount-bind a /dev in rootdir | 1214 | if (checkcfg(CFG_CHROOT_DESKTOP)) { |
| 1211 | char *newdev; | 1215 | // mount-bind a /dev in rootdir |
| 1212 | if (asprintf(&newdev, "%s/dev", rootdir) == -1) | 1216 | char *newdev; |
| 1213 | errExit("asprintf"); | 1217 | if (asprintf(&newdev, "%s/dev", rootdir) == -1) |
| 1214 | if (arg_debug) | ||
| 1215 | printf("Mounting /dev on %s\n", newdev); | ||
| 1216 | if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
| 1217 | errExit("mounting /dev"); | ||
| 1218 | free(newdev); | ||
| 1219 | |||
| 1220 | // x11 | ||
| 1221 | if (getenv("FIREJAIL_X11")) { | ||
| 1222 | char *newx11; | ||
| 1223 | if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1) | ||
| 1224 | errExit("asprintf"); | 1218 | errExit("asprintf"); |
| 1225 | if (arg_debug) | 1219 | if (arg_debug) |
| 1226 | printf("Mounting /tmp/.X11-unix on %s\n", newx11); | 1220 | printf("Mounting /dev on %s\n", newdev); |
| 1227 | if (mount("/tmp/.X11-unix", newx11, NULL, MS_BIND|MS_REC, NULL) < 0) | 1221 | if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0) |
| 1228 | errExit("mounting /tmp/.X11-unix"); | 1222 | errExit("mounting /dev"); |
| 1229 | free(newx11); | 1223 | free(newdev); |
| 1230 | } | 1224 | |
| 1231 | 1225 | // x11 | |
| 1232 | // some older distros don't have a /run directory | 1226 | if (getenv("FIREJAIL_X11")) { |
| 1233 | // create one by default | 1227 | char *newx11; |
| 1234 | // no exit on error, let the user deal with any problems | 1228 | if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1) |
| 1235 | char *rundir; | 1229 | errExit("asprintf"); |
| 1236 | if (asprintf(&rundir, "%s/run", rootdir) == -1) | 1230 | if (arg_debug) |
| 1237 | errExit("asprintf"); | 1231 | printf("Mounting /tmp/.X11-unix on %s\n", newx11); |
| 1238 | if (!is_dir(rundir)) { | 1232 | if (mount("/tmp/.X11-unix", newx11, NULL, MS_BIND|MS_REC, NULL) < 0) |
| 1239 | int rv = mkdir(rundir, 0755); | 1233 | errExit("mounting /tmp/.X11-unix"); |
| 1240 | (void) rv; | 1234 | free(newx11); |
| 1241 | rv = chown(rundir, 0, 0); | 1235 | } |
| 1242 | (void) rv; | 1236 | |
| 1237 | // some older distros don't have a /run directory | ||
| 1238 | // create one by default | ||
| 1239 | // no exit on error, let the user deal with any problems | ||
| 1240 | char *rundir; | ||
| 1241 | if (asprintf(&rundir, "%s/run", rootdir) == -1) | ||
| 1242 | errExit("asprintf"); | ||
| 1243 | if (!is_dir(rundir)) { | ||
| 1244 | int rv = mkdir(rundir, 0755); | ||
| 1245 | (void) rv; | ||
| 1246 | rv = chown(rundir, 0, 0); | ||
| 1247 | (void) rv; | ||
| 1248 | } | ||
| 1249 | |||
| 1250 | // copy /etc/resolv.conf in chroot directory | ||
| 1251 | // if resolv.conf in chroot is a symbolic link, this will fail | ||
| 1252 | // no exit on error, let the user deal with the problem | ||
| 1253 | char *fname; | ||
| 1254 | if (asprintf(&fname, "%s/etc/resolv.conf", rootdir) == -1) | ||
| 1255 | errExit("asprintf"); | ||
| 1256 | if (arg_debug) | ||
| 1257 | printf("Updating /etc/resolv.conf in %s\n", fname); | ||
| 1258 | if (is_link(fname)) { | ||
| 1259 | fprintf(stderr, "Error: invalid %s file\n", fname); | ||
| 1260 | exit(1); | ||
| 1261 | } | ||
| 1262 | if (copy_file("/etc/resolv.conf", fname) == -1) | ||
| 1263 | fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n"); | ||
| 1243 | } | 1264 | } |
| 1244 | 1265 | ||
| 1245 | // copy /etc/resolv.conf in chroot directory | ||
| 1246 | // if resolv.conf in chroot is a symbolic link, this will fail | ||
| 1247 | // no exit on error, let the user deal with the problem | ||
| 1248 | char *fname; | ||
| 1249 | if (asprintf(&fname, "%s/etc/resolv.conf", rootdir) == -1) | ||
| 1250 | errExit("asprintf"); | ||
| 1251 | if (arg_debug) | ||
| 1252 | printf("Updating /etc/resolv.conf in %s\n", fname); | ||
| 1253 | if (is_link(fname)) { | ||
| 1254 | fprintf(stderr, "Error: invalid %s file\n", fname); | ||
| 1255 | exit(1); | ||
| 1256 | } | ||
| 1257 | if (copy_file("/etc/resolv.conf", fname) == -1) | ||
| 1258 | fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n"); | ||
| 1259 | |||
| 1260 | // chroot into the new directory | 1266 | // chroot into the new directory |
| 1261 | if (arg_debug) | 1267 | if (arg_debug) |
| 1262 | printf("Chrooting into %s\n", rootdir); | 1268 | printf("Chrooting into %s\n", rootdir); |
| @@ -1265,24 +1271,26 @@ void fs_chroot(const char *rootdir) { | |||
| 1265 | // mount a new tmpfs in /run/firejail/mnt - the old one was lost in chroot | 1271 | // mount a new tmpfs in /run/firejail/mnt - the old one was lost in chroot |
| 1266 | fs_build_remount_mnt_dir(); | 1272 | fs_build_remount_mnt_dir(); |
| 1267 | 1273 | ||
| 1268 | // update /var directory in order to support multiple sandboxes running on the same root directory | 1274 | if (checkcfg(CFG_CHROOT_DESKTOP)) { |
| 1269 | if (!arg_private_dev) | 1275 | // update /var directory in order to support multiple sandboxes running on the same root directory |
| 1270 | fs_dev_shm(); | 1276 | if (!arg_private_dev) |
| 1271 | fs_var_lock(); | 1277 | fs_dev_shm(); |
| 1272 | fs_var_tmp(); | 1278 | fs_var_lock(); |
| 1273 | fs_var_log(); | 1279 | fs_var_tmp(); |
| 1274 | fs_var_lib(); | 1280 | fs_var_log(); |
| 1275 | fs_var_cache(); | 1281 | fs_var_lib(); |
| 1276 | fs_var_utmp(); | 1282 | fs_var_cache(); |
| 1277 | 1283 | fs_var_utmp(); | |
| 1278 | // don't leak user information | 1284 | |
| 1279 | restrict_users(); | 1285 | // don't leak user information |
| 1280 | 1286 | restrict_users(); | |
| 1281 | // when starting as root, firejail config is not disabled; | 1287 | |
| 1282 | // this mode could be used to install and test new software by chaining | 1288 | // when starting as root, firejail config is not disabled; |
| 1283 | // firejail sandboxes (firejail --force) | 1289 | // this mode could be used to install and test new software by chaining |
| 1284 | if (getuid() != 0) | 1290 | // firejail sandboxes (firejail --force) |
| 1285 | disable_config(); | 1291 | if (getuid() != 0) |
| 1292 | disable_config(); | ||
| 1293 | } | ||
| 1286 | } | 1294 | } |
| 1287 | #endif | 1295 | #endif |
| 1288 | 1296 | ||
diff --git a/src/firejail/main.c b/src/firejail/main.c index bdb8e0df5..27e2a7f1a 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -1365,6 +1365,13 @@ int main(int argc, char **argv) { | |||
| 1365 | fprintf(stderr, "Error: invalid overlay option\n"); | 1365 | fprintf(stderr, "Error: invalid overlay option\n"); |
| 1366 | exit(1); | 1366 | exit(1); |
| 1367 | } | 1367 | } |
| 1368 | |||
| 1369 | // check name | ||
| 1370 | invalid_filename(subdirname); | ||
| 1371 | if (strstr(subdirname, "..") || strstr(subdirname, "/")) { | ||
| 1372 | fprintf(stderr, "Error: invalid overlay name\n"); | ||
| 1373 | exit(1); | ||
| 1374 | } | ||
| 1368 | cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); | 1375 | cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); |
| 1369 | } | 1376 | } |
| 1370 | else { | 1377 | else { |
| @@ -1373,6 +1380,7 @@ int main(int argc, char **argv) { | |||
| 1373 | } | 1380 | } |
| 1374 | 1381 | ||
| 1375 | } | 1382 | } |
| 1383 | #if 0 // disabled for now, it could be used to overwrite system directories | ||
| 1376 | else if (strncmp(argv[i], "--overlay-path=", 15) == 0) { | 1384 | else if (strncmp(argv[i], "--overlay-path=", 15) == 0) { |
| 1377 | if (checkcfg(CFG_OVERLAYFS)) { | 1385 | if (checkcfg(CFG_OVERLAYFS)) { |
| 1378 | if (cfg.chrootdir) { | 1386 | if (cfg.chrootdir) { |
| @@ -1400,6 +1408,7 @@ int main(int argc, char **argv) { | |||
| 1400 | exit(1); | 1408 | exit(1); |
| 1401 | } | 1409 | } |
| 1402 | } | 1410 | } |
| 1411 | #endif | ||
| 1403 | else if (strcmp(argv[i], "--overlay-tmpfs") == 0) { | 1412 | else if (strcmp(argv[i], "--overlay-tmpfs") == 0) { |
| 1404 | if (checkcfg(CFG_OVERLAYFS)) { | 1413 | if (checkcfg(CFG_OVERLAYFS)) { |
| 1405 | if (cfg.chrootdir) { | 1414 | if (cfg.chrootdir) { |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 0818bf450..40df00a98 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -378,7 +378,30 @@ void start_application(void) { | |||
| 378 | exit(1); // it should never get here!!! | 378 | exit(1); // it should never get here!!! |
| 379 | } | 379 | } |
| 380 | 380 | ||
| 381 | 381 | static void enforce_filters(void) { | |
| 382 | // force default seccomp inside the chroot, no keep or drop list | ||
| 383 | // the list build on top of the default drop list is kept intact | ||
| 384 | arg_seccomp = 1; | ||
| 385 | if (cfg.seccomp_list_drop) { | ||
| 386 | free(cfg.seccomp_list_drop); | ||
| 387 | cfg.seccomp_list_drop = NULL; | ||
| 388 | } | ||
| 389 | if (cfg.seccomp_list_keep) { | ||
| 390 | free(cfg.seccomp_list_keep); | ||
| 391 | cfg.seccomp_list_keep = NULL; | ||
| 392 | } | ||
| 393 | |||
| 394 | // disable all capabilities | ||
| 395 | if (arg_caps_default_filter || arg_caps_list) | ||
| 396 | fprintf(stderr, "Warning: all capabilities disabled for a regular user in chroot\n"); | ||
| 397 | arg_caps_drop_all = 1; | ||
| 398 | |||
| 399 | // drop all supplementary groups; /etc/group file inside chroot | ||
| 400 | // is controlled by a regular usr | ||
| 401 | arg_nogroups = 1; | ||
| 402 | if (!arg_quiet) | ||
| 403 | printf("Dropping all Linux capabilities and enforcing default seccomp filter\n"); | ||
| 404 | } | ||
| 382 | 405 | ||
| 383 | int sandbox(void* sandbox_arg) { | 406 | int sandbox(void* sandbox_arg) { |
| 384 | // Get rid of unused parameter warning | 407 | // Get rid of unused parameter warning |
| @@ -463,37 +486,13 @@ int sandbox(void* sandbox_arg) { | |||
| 463 | #ifdef HAVE_CHROOT | 486 | #ifdef HAVE_CHROOT |
| 464 | if (cfg.chrootdir) { | 487 | if (cfg.chrootdir) { |
| 465 | fs_chroot(cfg.chrootdir); | 488 | fs_chroot(cfg.chrootdir); |
| 466 | |||
| 467 | // // redo cp command | ||
| 468 | // fs_build_cp_command(); | ||
| 469 | 489 | ||
| 470 | // force caps and seccomp if not started as root | 490 | // force caps and seccomp if not started as root |
| 471 | if (getuid() != 0) { | 491 | if (getuid() != 0) { |
| 472 | // force default seccomp inside the chroot, no keep or drop list | 492 | enforce_filters(); |
| 473 | // the list build on top of the default drop list is kept intact | ||
| 474 | arg_seccomp = 1; | ||
| 475 | #ifdef HAVE_SECCOMP | 493 | #ifdef HAVE_SECCOMP |
| 476 | enforce_seccomp = 1; | 494 | enforce_seccomp = 1; |
| 477 | #endif | 495 | #endif |
| 478 | if (cfg.seccomp_list_drop) { | ||
| 479 | free(cfg.seccomp_list_drop); | ||
| 480 | cfg.seccomp_list_drop = NULL; | ||
| 481 | } | ||
| 482 | if (cfg.seccomp_list_keep) { | ||
| 483 | free(cfg.seccomp_list_keep); | ||
| 484 | cfg.seccomp_list_keep = NULL; | ||
| 485 | } | ||
| 486 | |||
| 487 | // disable all capabilities | ||
| 488 | if (arg_caps_default_filter || arg_caps_list) | ||
| 489 | fprintf(stderr, "Warning: all capabilities disabled for a regular user in chroot\n"); | ||
| 490 | arg_caps_drop_all = 1; | ||
| 491 | |||
| 492 | // drop all supplementary groups; /etc/group file inside chroot | ||
| 493 | // is controlled by a regular usr | ||
| 494 | arg_nogroups = 1; | ||
| 495 | if (!arg_quiet) | ||
| 496 | printf("Dropping all Linux capabilities and enforcing default seccomp filter\n"); | ||
| 497 | } | 496 | } |
| 498 | else | 497 | else |
| 499 | arg_seccomp = 1; | 498 | arg_seccomp = 1; |
| @@ -507,8 +506,18 @@ int sandbox(void* sandbox_arg) { | |||
| 507 | else | 506 | else |
| 508 | #endif | 507 | #endif |
| 509 | #ifdef HAVE_OVERLAYFS | 508 | #ifdef HAVE_OVERLAYFS |
| 510 | if (arg_overlay) | 509 | if (arg_overlay) { |
| 511 | fs_overlayfs(); | 510 | fs_overlayfs(); |
| 511 | // force caps and seccomp if not started as root | ||
| 512 | if (getuid() != 0) { | ||
| 513 | enforce_filters(); | ||
| 514 | #ifdef HAVE_SECCOMP | ||
| 515 | enforce_seccomp = 1; | ||
| 516 | #endif | ||
| 517 | } | ||
| 518 | else | ||
| 519 | arg_seccomp = 1; | ||
| 520 | } | ||
| 512 | else | 521 | else |
| 513 | #endif | 522 | #endif |
| 514 | fs_basic_fs(); | 523 | fs_basic_fs(); |
| @@ -524,8 +533,14 @@ int sandbox(void* sandbox_arg) { | |||
| 524 | // private mode | 533 | // private mode |
| 525 | //**************************** | 534 | //**************************** |
| 526 | if (arg_private) { | 535 | if (arg_private) { |
| 527 | if (cfg.home_private) // --private= | 536 | if (cfg.home_private) { // --private= |
| 528 | fs_private_homedir(); | 537 | if (cfg.chrootdir) |
| 538 | fprintf(stderr, "Warning: private=directory feature is disabled in chroot\n"); | ||
| 539 | else if (arg_overlay) | ||
| 540 | fprintf(stderr, "Warning: private=directory feature is disabled in overlay\n"); | ||
| 541 | else | ||
| 542 | fs_private_homedir(); | ||
| 543 | } | ||
| 529 | else // --private | 544 | else // --private |
| 530 | fs_private(); | 545 | fs_private(); |
| 531 | } | 546 | } |
| @@ -533,11 +548,20 @@ int sandbox(void* sandbox_arg) { | |||
| 533 | if (arg_private_template) | 548 | if (arg_private_template) |
| 534 | fs_private_template(); | 549 | fs_private_template(); |
| 535 | 550 | ||
| 536 | if (arg_private_dev) | 551 | if (arg_private_dev) { |
| 537 | fs_private_dev(); | 552 | if (cfg.chrootdir) |
| 553 | fprintf(stderr, "Warning: private-dev feature is disabled in chroot\n"); | ||
| 554 | else if (arg_overlay) | ||
| 555 | fprintf(stderr, "Warning: private-dev feature is disabled in overlay\n"); | ||
| 556 | else | ||
| 557 | fs_private_dev(); | ||
| 558 | } | ||
| 559 | |||
| 538 | if (arg_private_etc) { | 560 | if (arg_private_etc) { |
| 539 | if (cfg.chrootdir) | 561 | if (cfg.chrootdir) |
| 540 | fprintf(stderr, "Warning: private-etc feature is disabled in chroot\n"); | 562 | fprintf(stderr, "Warning: private-etc feature is disabled in chroot\n"); |
| 563 | else if (arg_overlay) | ||
| 564 | fprintf(stderr, "Warning: private-etc feature is disabled in overlay\n"); | ||
| 541 | else { | 565 | else { |
| 542 | fs_private_etc_list(); | 566 | fs_private_etc_list(); |
| 543 | // create /etc/ld.so.preload file again | 567 | // create /etc/ld.so.preload file again |
| @@ -545,14 +569,24 @@ int sandbox(void* sandbox_arg) { | |||
| 545 | fs_trace_preload(); | 569 | fs_trace_preload(); |
| 546 | } | 570 | } |
| 547 | } | 571 | } |
| 572 | |||
| 548 | if (arg_private_bin) { | 573 | if (arg_private_bin) { |
| 549 | if (cfg.chrootdir) | 574 | if (cfg.chrootdir) |
| 550 | fprintf(stderr, "Warning: private-bin feature is disabled in chroot\n"); | 575 | fprintf(stderr, "Warning: private-bin feature is disabled in chroot\n"); |
| 576 | else if (arg_overlay) | ||
| 577 | fprintf(stderr, "Warning: private-bin feature is disabled in overlay\n"); | ||
| 551 | else | 578 | else |
| 552 | fs_private_bin_list(); | 579 | fs_private_bin_list(); |
| 553 | } | 580 | } |
| 554 | if (arg_private_tmp) | 581 | |
| 555 | fs_private_tmp(); | 582 | if (arg_private_tmp) { |
| 583 | if (cfg.chrootdir) | ||
| 584 | fprintf(stderr, "Warning: private-tmp feature is disabled in chroot\n"); | ||
| 585 | else if (arg_overlay) | ||
| 586 | fprintf(stderr, "Warning: private-tmp feature is disabled in overlay\n"); | ||
| 587 | else | ||
| 588 | fs_private_tmp(); | ||
| 589 | } | ||
| 556 | 590 | ||
| 557 | //**************************** | 591 | //**************************** |
| 558 | // update /proc, /sys, /dev, /boot directorymy | 592 | // update /proc, /sys, /dev, /boot directorymy |
| @@ -565,7 +599,12 @@ int sandbox(void* sandbox_arg) { | |||
| 565 | //**************************** | 599 | //**************************** |
| 566 | if (cfg.profile) { | 600 | if (cfg.profile) { |
| 567 | // apply all whitelist commands ... | 601 | // apply all whitelist commands ... |
| 568 | fs_whitelist(); | 602 | if (cfg.chrootdir) |
| 603 | fprintf(stderr, "Warning: whitelist feature is disabled in chroot\n"); | ||
| 604 | else if (arg_overlay) | ||
| 605 | fprintf(stderr, "Warning: whitelist feature is disabled in overlay\n"); | ||
| 606 | else | ||
| 607 | fs_whitelist(); | ||
| 569 | 608 | ||
| 570 | // ... followed by blacklist commands | 609 | // ... followed by blacklist commands |
| 571 | fs_blacklist(); | 610 | fs_blacklist(); |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index ebe1c8830..d4eab7802 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
| @@ -185,10 +185,30 @@ void usage(void) { | |||
| 185 | printf("\t$HOME/.firejail/<NAME> directory. (OverlayFS support is required in\n"); | 185 | printf("\t$HOME/.firejail/<NAME> directory. (OverlayFS support is required in\n"); |
| 186 | printf("\tLinux kernel for this option to work). \n\n"); | 186 | printf("\tLinux kernel for this option to work). \n\n"); |
| 187 | 187 | ||
| 188 | #if 0 // disabled for now, it could be used to overwrite system directories | ||
| 188 | printf(" --overlay-path=path - mount a filesystem overlay on top of the current\n"); | 189 | printf(" --overlay-path=path - mount a filesystem overlay on top of the current\n"); |
| 189 | printf("\tfilesystem. The upper filesystem layer is persistent, and stored in\n"); | 190 | printf("\tfilesystem. The upper filesystem layer is persistent, and stored in\n"); |
| 190 | printf("\tthe specified path. (OverlayFS support is required in Linux kernel for\n"); | 191 | printf("\tthe specified path. (OverlayFS support is required in Linux kernel for\n"); |
| 191 | printf("\tthis option to work). \n\n"); | 192 | printf("\tthis option to work). \n\n"); |
| 193 | |||
| 194 | .TP | ||
| 195 | \fB\-\-overlay-path=path | ||
| 196 | Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, | ||
| 197 | the system directories are mounted read-write. All filesystem modifications go into the overlay. | ||
| 198 | The overlay is stored in the specified path. The created overlay can be reused between multiple sessions. | ||
| 199 | .br | ||
| 200 | |||
| 201 | .br | ||
| 202 | OverlayFS support is required in Linux kernel for this option to work. | ||
| 203 | OverlayFS was officially introduced in Linux kernel version 3.18. | ||
| 204 | This option is not available on Grsecurity systems. | ||
| 205 | .br | ||
| 206 | |||
| 207 | .br | ||
| 208 | Example: | ||
| 209 | .br | ||
| 210 | $ firejail \-\-overlay-path=~/jails/jail1 firefox | ||
| 211 | #endif | ||
| 192 | 212 | ||
| 193 | printf(" --overlay-tmpfs - mount a filesystem overlay on top of the current\n"); | 213 | printf(" --overlay-tmpfs - mount a filesystem overlay on top of the current\n"); |
| 194 | printf("\tfilesystem. The upper layer is stored in a tmpfs filesystem,\n"); | 214 | printf("\tfilesystem. The upper layer is stored in a tmpfs filesystem,\n"); |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index b258c3d20..19fca9854 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
| @@ -1037,24 +1037,6 @@ Example: | |||
| 1037 | $ firejail \-\-overlay-named=jail1 firefox | 1037 | $ firejail \-\-overlay-named=jail1 firefox |
| 1038 | 1038 | ||
| 1039 | .TP | 1039 | .TP |
| 1040 | \fB\-\-overlay-path=path | ||
| 1041 | Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, | ||
| 1042 | the system directories are mounted read-write. All filesystem modifications go into the overlay. | ||
| 1043 | The overlay is stored in the specified path. The created overlay can be reused between multiple sessions. | ||
| 1044 | .br | ||
| 1045 | |||
| 1046 | .br | ||
| 1047 | OverlayFS support is required in Linux kernel for this option to work. | ||
| 1048 | OverlayFS was officially introduced in Linux kernel version 3.18. | ||
| 1049 | This option is not available on Grsecurity systems. | ||
| 1050 | .br | ||
| 1051 | |||
| 1052 | .br | ||
| 1053 | Example: | ||
| 1054 | .br | ||
| 1055 | $ firejail \-\-overlay-path=~/jails/jail1 firefox | ||
| 1056 | |||
| 1057 | .TP | ||
| 1058 | \fB\-\-overlay-tmpfs | 1040 | \fB\-\-overlay-tmpfs |
| 1059 | Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay, | 1041 | Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay, |
| 1060 | and are discarded when the sandbox is closed. | 1042 | and are discarded when the sandbox is closed. |