whitelist support in /etc/firejail/firejail.config

author: netblue30 <netblue30@yahoo.com> 2016-06-09 08:42:59 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-06-09 08:42:59 -0400
commit: d073a425b3e3ed3829a0e042e8c41963f0f40f0e (patch)
tree: 3241c3053a4d3ccba63c633015fddb6e21c9cf74 /src
parent: fixes (diff)
download: firejail-d073a425b3e3ed3829a0e042e8c41963f0f40f0e.tar.gz
firejail-d073a425b3e3ed3829a0e042e8c41963f0f40f0e.tar.zst
firejail-d073a425b3e3ed3829a0e042e8c41963f0f40f0e.zip
7 files changed, 58 insertions, 21 deletions
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 3ad4ba75e..a8af1a4e0 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -16,13 +16,14 @@ HAVE_NETWORK=@HAVE_NETWORK@
 HAVE_USERNS=@HAVE_USERNS@
 HAVE_X11=@HAVE_X11@
 HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
+HAVE_WHITELIST=@HAVE_WHITELIST@
 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 3ea8caf5b..bf85436c3 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -38,7 +38,7 @@ int checkcfg(int val) {
                        cfg_val[i] = 1; // most of them are enabled by default
                cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default
-                cfg_val[CFG_FORCE_NONEWPRIVS  ] = 0; // disabled by default
+                cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default
                
                // open configuration file
                char *fname;
@@ -126,6 +126,15 @@ int checkcfg(int val) {
                                else
                                        goto errout;
                        }
+                        // whitelist
+                        else if (strncmp(ptr, "whitelist ", 10) == 0) {
+                                if (strcmp(ptr + 10, "yes") == 0)
+                                        cfg_val[CFG_WHITELIST] = 1;
+                                else if (strcmp(ptr + 10, "no") == 0)
+                                        cfg_val[CFG_WHITELIST] = 0;
+                                else
+                                        goto errout;
+                        }
                        // network
                        else if (strncmp(ptr, "network ", 8) == 0) {
                                if (strcmp(ptr + 8, "yes") == 0)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 2d5e05f79..026273aa3 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -568,7 +568,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh);
 #define CFG_NETWORK 6
 #define CFG_RESTRICTED_NETWORK 7
 #define CFG_FORCE_NONEWPRIVS 8
-#define CFG_MAX 9 // this should always be the last entry
+#define CFG_WHITELIST 9
+#define CFG_MAX 10 // this should always be the last entry
 int checkcfg(int val);
 // fs_rdwr.c
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 1c2f021bb..1621d810f 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -277,6 +277,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 #ifndef HAVE_FILE_TRANSFER
                printf("File transfer support is disabled.\n");
 #endif
+#ifndef HAVE_WHITELIST
+                printf("whitelisting support is disabled.\n");
+#endif
                exit(0);
        }
 #ifdef HAVE_X11
@@ -1114,14 +1117,24 @@ int main(int argc, char **argv) {
                        profile_check_line(line, 0, NULL);      // will exit if something wrong
                        profile_add(line);
                }
+#ifdef HAVE_WHITELIST
                else if (strncmp(argv[i], "--whitelist=", 12) == 0) {
-                        char *line;
+                        if (checkcfg(CFG_WHITELIST)) {
-                        if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
+                                char *line;
-                                errExit("asprintf");
+                                if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
-                        
+                                        errExit("asprintf");
-                        profile_check_line(line, 0, NULL);      // will exit if something wrong
+                                
-                        profile_add(line);
+                                profile_check_line(line, 0, NULL);      // will exit if something wrong
+                                profile_add(line);
+                        }
+                        else {
+                                fprintf(stderr, "Error: whitelist feature is disabled in Firejail configuration file\n");
+                                exit(1);
+                        }
                }
+#endif          
                else if (strncmp(argv[i], "--read-only=", 12) == 0) {
                        char *line;
                        if (asprintf(&line, "read-only %s", argv[i] + 12) == -1)
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 192f36974..a64f28c9a 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -726,8 +726,16 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        else if (strncmp(ptr, "noblacklist ", 12) == 0)
                ptr += 12;
        else if (strncmp(ptr, "whitelist ", 10) == 0) {
-                arg_whitelist = 1;
+#ifdef HAVE_WHITELIST           
-                ptr += 10;
+                if (checkcfg(CFG_WHITELIST)) {
+                        arg_whitelist = 1;
+                        ptr += 10;
+                }
+                else
+                        return 0;
+#else           
+                return 0;
+#endif
        }
        else if (strncmp(ptr, "read-only ", 10) == 0)
                ptr += 10;
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index d2f7d9460..af1a30ac3 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -72,8 +72,9 @@ void usage(void) {
        printf("\tsoftware build.\n\n");
        printf("    --debug-syscalls - print all recognized system calls in the current Firejail\n");
        printf("\tsoftware build.\n\n");
+#ifdef HAVE_WHITELIST   
        printf("    --debug-whitelists - debug whitelisting.\n\n");
+#endif
 #ifdef HAVE_NETWORK     
@@ -250,8 +251,9 @@ void usage(void) {
        printf("    --tree - print a tree of all sandboxed processes.\n\n");
        printf("    --user=new_user - switch the user before starting the sandbox.\n\n");
        printf("    --version - print program version and exit.\n\n");
+#ifdef HAVE_WHITELIST   
        printf("    --whitelist=dirname_or_filename - whitelist directory or file.\n\n");
-        
+#endif  
        printf("    --writable-etc - /etc directory is mounted read-write.\n\n");
        printf("    --writable-var - /var directory is mounted read-write.\n\n");
        
diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt
index 026765f1a..6a66c7f75 100644
--- a/src/man/firejail-config.txt
+++ b/src/man/firejail-config.txt
@@ -26,6 +26,13 @@ Enable or disable chroot support, default enabled.
 Enable or disable file transfer support, default enabled.
 .TP
+\fBforce-nonewprivs
+Force use of nonewprivs.  This mitigates the possibility of
+a user abusing firejail's features to trick a privileged (suid
+or file capabilities) process into loading code or configuration
+that is partially under their control.  Default disabled.
+.TP
 \fBnetwork
 Enable or disable networking features, default enabled.
@@ -45,16 +52,12 @@ Enable or disable seccomp support, default enabled.
 Enable or disable user namespace support, default enabled.
 .TP
-\fBx11
+\fBwhitelist
-Enable or disable X11 sandboxing support, default enabled.
+Enable or disable whitelisting support, default enabled.
 .TP
-\fBforce-nonewprivs
+\fBx11
-Force use of nonewprivs.  This mitigates the possibility of
+Enable or disable X11 sandboxing support, default enabled.
-a user abusing firejail's features to trick a privileged (suid
-or file capabilities) process into loading code or configuration
-that is partially under their control.  Default disabled.
 .TP
 \fBxephyr-screen
author	netblue30 <netblue30@yahoo.com>	2016-06-09 08:42:59 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-06-09 08:42:59 -0400
commit	d073a425b3e3ed3829a0e042e8c41963f0f40f0e (patch)
tree	3241c3053a4d3ccba63c633015fddb6e21c9cf74 /src
parent	fixes (diff)
download	firejail-d073a425b3e3ed3829a0e042e8c41963f0f40f0e.tar.gz firejail-d073a425b3e3ed3829a0e042e8c41963f0f40f0e.tar.zst firejail-d073a425b3e3ed3829a0e042e8c41963f0f40f0e.zip

diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index 3ad4ba75e..a8af1a4e0 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in
@@ -16,13 +16,14 @@ HAVE_NETWORK=@HAVE_NETWORK@
16	HAVE_USERNS=@HAVE_USERNS@	16	HAVE_USERNS=@HAVE_USERNS@
17	HAVE_X11=@HAVE_X11@	17	HAVE_X11=@HAVE_X11@
18	HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@	18	HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
		19	HAVE_WHITELIST=@HAVE_WHITELIST@
19		20
20		21
21	H_FILE_LIST = $(sort $(wildcard *.[h]))	22	H_FILE_LIST = $(sort $(wildcard *.[h]))
22	C_FILE_LIST = $(sort $(wildcard *.c))	23	C_FILE_LIST = $(sort $(wildcard *.c))
23	OBJS = $(C_FILE_LIST:.c=.o)	24	OBJS = $(C_FILE_LIST:.c=.o)
24	BINOBJS = $(foreach file, $(OBJS), $file)	25	BINOBJS = $(foreach file, $(OBJS), $file)
25	CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security	26	CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
26	LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread	27	LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
27		28
28	%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h	29	%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h


diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 3ea8caf5b..bf85436c3 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c
@@ -38,7 +38,7 @@ int checkcfg(int val) {
38	cfg_val[i] = 1; // most of them are enabled by default	38	cfg_val[i] = 1; // most of them are enabled by default
39		39
40	cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default	40	cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default
41	cfg_val[CFG_FORCE_NONEWPRIVS ] = 0; // disabled by default	41	cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default
42		42
43	// open configuration file	43	// open configuration file
44	char *fname;	44	char *fname;
@@ -126,6 +126,15 @@ int checkcfg(int val) {
126	else	126	else
127	goto errout;	127	goto errout;
128	}	128	}
		129	// whitelist
		130	else if (strncmp(ptr, "whitelist ", 10) == 0) {
		131	if (strcmp(ptr + 10, "yes") == 0)
		132	cfg_val[CFG_WHITELIST] = 1;
		133	else if (strcmp(ptr + 10, "no") == 0)
		134	cfg_val[CFG_WHITELIST] = 0;
		135	else
		136	goto errout;
		137	}
129	// network	138	// network
130	else if (strncmp(ptr, "network ", 8) == 0) {	139	else if (strncmp(ptr, "network ", 8) == 0) {
131	if (strcmp(ptr + 8, "yes") == 0)	140	if (strcmp(ptr + 8, "yes") == 0)


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 2d5e05f79..026273aa3 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -568,7 +568,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh);
568	#define CFG_NETWORK 6	568	#define CFG_NETWORK 6
569	#define CFG_RESTRICTED_NETWORK 7	569	#define CFG_RESTRICTED_NETWORK 7
570	#define CFG_FORCE_NONEWPRIVS 8	570	#define CFG_FORCE_NONEWPRIVS 8
571	#define CFG_MAX 9 // this should always be the last entry	571	#define CFG_WHITELIST 9
		572	#define CFG_MAX 10 // this should always be the last entry
572	int checkcfg(int val);	573	int checkcfg(int val);
573		574
574	// fs_rdwr.c	575	// fs_rdwr.c


diff --git a/src/firejail/main.c b/src/firejail/main.c index 1c2f021bb..1621d810f 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -277,6 +277,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
277	#ifndef HAVE_FILE_TRANSFER	277	#ifndef HAVE_FILE_TRANSFER
278	printf("File transfer support is disabled.\n");	278	printf("File transfer support is disabled.\n");
279	#endif	279	#endif
		280	#ifndef HAVE_WHITELIST
		281	printf("whitelisting support is disabled.\n");
		282	#endif
280	exit(0);	283	exit(0);
281	}	284	}
282	#ifdef HAVE_X11	285	#ifdef HAVE_X11
@@ -1114,14 +1117,24 @@ int main(int argc, char **argv) {
1114	profile_check_line(line, 0, NULL); // will exit if something wrong	1117	profile_check_line(line, 0, NULL); // will exit if something wrong
1115	profile_add(line);	1118	profile_add(line);
1116	}	1119	}
		1120
		1121	#ifdef HAVE_WHITELIST
1117	else if (strncmp(argv[i], "--whitelist=", 12) == 0) {	1122	else if (strncmp(argv[i], "--whitelist=", 12) == 0) {
1118	char *line;	1123	if (checkcfg(CFG_WHITELIST)) {
1119	if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)	1124	char *line;
1120	errExit("asprintf");	1125	if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
1121		1126	errExit("asprintf");
1122	profile_check_line(line, 0, NULL); // will exit if something wrong	1127
1123	profile_add(line);	1128	profile_check_line(line, 0, NULL); // will exit if something wrong
		1129	profile_add(line);
		1130	}
		1131	else {
		1132	fprintf(stderr, "Error: whitelist feature is disabled in Firejail configuration file\n");
		1133	exit(1);
		1134	}
1124	}	1135	}
		1136	#endif
		1137
1125	else if (strncmp(argv[i], "--read-only=", 12) == 0) {	1138	else if (strncmp(argv[i], "--read-only=", 12) == 0) {
1126	char *line;	1139	char *line;
1127	if (asprintf(&line, "read-only %s", argv[i] + 12) == -1)	1140	if (asprintf(&line, "read-only %s", argv[i] + 12) == -1)


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 192f36974..a64f28c9a 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -726,8 +726,16 @@ int profile_check_line(char ptr, int lineno, const char fname) {
726	else if (strncmp(ptr, "noblacklist ", 12) == 0)	726	else if (strncmp(ptr, "noblacklist ", 12) == 0)
727	ptr += 12;	727	ptr += 12;
728	else if (strncmp(ptr, "whitelist ", 10) == 0) {	728	else if (strncmp(ptr, "whitelist ", 10) == 0) {
729	arg_whitelist = 1;	729	#ifdef HAVE_WHITELIST
730	ptr += 10;	730	if (checkcfg(CFG_WHITELIST)) {
		731	arg_whitelist = 1;
		732	ptr += 10;
		733	}
		734	else
		735	return 0;
		736	#else
		737	return 0;
		738	#endif
731	}	739	}
732	else if (strncmp(ptr, "read-only ", 10) == 0)	740	else if (strncmp(ptr, "read-only ", 10) == 0)
733	ptr += 10;	741	ptr += 10;


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index d2f7d9460..af1a30ac3 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -72,8 +72,9 @@ void usage(void) {
72	printf("\tsoftware build.\n\n");	72	printf("\tsoftware build.\n\n");
73	printf(" --debug-syscalls - print all recognized system calls in the current Firejail\n");	73	printf(" --debug-syscalls - print all recognized system calls in the current Firejail\n");
74	printf("\tsoftware build.\n\n");	74	printf("\tsoftware build.\n\n");
		75	#ifdef HAVE_WHITELIST
75	printf(" --debug-whitelists - debug whitelisting.\n\n");	76	printf(" --debug-whitelists - debug whitelisting.\n\n");
76		77	#endif
77		78
78		79
79	#ifdef HAVE_NETWORK	80	#ifdef HAVE_NETWORK
@@ -250,8 +251,9 @@ void usage(void) {
250	printf(" --tree - print a tree of all sandboxed processes.\n\n");	251	printf(" --tree - print a tree of all sandboxed processes.\n\n");
251	printf(" --user=new_user - switch the user before starting the sandbox.\n\n");	252	printf(" --user=new_user - switch the user before starting the sandbox.\n\n");
252	printf(" --version - print program version and exit.\n\n");	253	printf(" --version - print program version and exit.\n\n");
		254	#ifdef HAVE_WHITELIST
253	printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n");	255	printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n");
254		256	#endif
255	printf(" --writable-etc - /etc directory is mounted read-write.\n\n");	257	printf(" --writable-etc - /etc directory is mounted read-write.\n\n");
256	printf(" --writable-var - /var directory is mounted read-write.\n\n");	258	printf(" --writable-var - /var directory is mounted read-write.\n\n");
257		259


diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt index 026765f1a..6a66c7f75 100644 --- a/src/man/firejail-config.txt +++ b/src/man/firejail-config.txt
@@ -26,6 +26,13 @@ Enable or disable chroot support, default enabled.
26	Enable or disable file transfer support, default enabled.	26	Enable or disable file transfer support, default enabled.
27		27
28	.TP	28	.TP
		29	\fBforce-nonewprivs
		30	Force use of nonewprivs. This mitigates the possibility of
		31	a user abusing firejail's features to trick a privileged (suid
		32	or file capabilities) process into loading code or configuration
		33	that is partially under their control. Default disabled.
		34
		35	.TP
29	\fBnetwork	36	\fBnetwork
30	Enable or disable networking features, default enabled.	37	Enable or disable networking features, default enabled.
31		38
@@ -45,16 +52,12 @@ Enable or disable seccomp support, default enabled.
45	Enable or disable user namespace support, default enabled.	52	Enable or disable user namespace support, default enabled.
46		53
47	.TP	54	.TP
48	\fBx11	55	\fBwhitelist
49	Enable or disable X11 sandboxing support, default enabled.	56	Enable or disable whitelisting support, default enabled.
50		57
51	.TP	58	.TP
52	\fBforce-nonewprivs	59	\fBx11
53	Force use of nonewprivs. This mitigates the possibility of	60	Enable or disable X11 sandboxing support, default enabled.
54	a user abusing firejail's features to trick a privileged (suid
55	or file capabilities) process into loading code or configuration
56	that is partially under their control. Default disabled.
57
58		61
59	.TP	62	.TP
60	\fBxephyr-screen	63	\fBxephyr-screen