author | qdii <victor.lavaud@gmail.com> | 2024-07-09 03:43:55 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-07-09 01:43:55 +0000 |
commit | 001320226ccb4f2ad913ee3af9932be807d80818 (patch) | |
tree | 1dd6db5a62c7f16a25e691c4910ff91e1747d6dc /src | |
parent | docs: man: format and sort some private- items (#6398) (diff) | |
feature: add notpm command & keep tpm devices in private-dev (#6390)
An ssh private key may be stored in a Trusted Platform Module (TPM)
device and `private-dev` in ssh.profile currently breaks this use-case,
as it does not keep tpm devices (see #6379).
So add a new `notpm` command and keep tpm devices in /dev by default
with `private-dev` unless `notpm` is used.
Diffstat (limited to 'src')
-rw-r--r-- | src/fbuilder/build_profile.c | 1 | ||||
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/fs_dev.c | 17 | ||||
-rw-r--r-- | src/firejail/main.c | 3 | ||||
-rw-r--r-- | src/firejail/profile.c | 4 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 3 | ||||
-rw-r--r-- | src/firejail/usage.c | 1 | ||||
-rw-r--r-- | src/man/firejail-profile.5.in | 11 | ||||
-rw-r--r-- | src/man/firejail.1.in | 18 | ||||
-rw-r--r-- | src/zsh_completion/_firejail.in | 1 |
10 files changed, 53 insertions, 8 deletions
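--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -138,6 +138,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 	fprintf(fp, "#noinput\t# disable input devices\n");
 	fprintf(fp, "nonewprivs\n");
 	fprintf(fp, "noroot\n");
+	fprintf(fp, "#notpm\t# disable TPM devices\n");
 	fprintf(fp, "#notv\t# disable DVB TV devices\n");
 	fprintf(fp, "#nou2f\t# disable U2F devices\n");
 	fprintf(fp, "#novideo\t# disable video capture devices\n");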
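--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -368,6 +368,7 @@ extern int arg_noprofile; // use default.profile if none other found/specified
 extern int arg_memory_deny_write_execute; // block writable and executable memory
 extern int arg_notv; // --notv
 extern int arg_nodvd; // --nodvd
+extern int arg_notpm; // --notpm
 extern int arg_nou2f; // --nou2f
 extern int arg_noinput; // --noinput
 extern int arg_deterministic_exit_code; // always exit with first child's exit status
@@ -646,6 +647,7 @@ void fs_dev_disable_3d(void);
 void fs_dev_disable_video(void);
 void fs_dev_disable_tv(void);
 void fs_dev_disable_dvd(void);
+void fs_dev_disable_tpm(void);
 void fs_dev_disable_u2f(void);
 void fs_dev_disable_input(void);
 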
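--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -39,6 +39,7 @@ typedef enum {
 	DEV_VIDEO,
 	DEV_TV,
 	DEV_DVD,
+	DEV_TPM,
 	DEV_U2F,
 	DEV_INPUT
 } DEV_TYPE;
@@ -79,6 +80,12 @@ static DevEntry dev[] = {
 	{"/dev/video9", RUN_DEV_DIR "/video9", DEV_VIDEO},
 	{"/dev/dvb", RUN_DEV_DIR "/dvb", DEV_TV}, // DVB (Digital Video Broadcasting) - TV device
 	{"/dev/sr0", RUN_DEV_DIR "/sr0", DEV_DVD}, // for DVD and audio CD players
+	{"/dev/tpm0", RUN_DEV_DIR "/tpm0", DEV_TPM}, // TPM (Trusted Platform Module) devices
+	{"/dev/tpm1", RUN_DEV_DIR "/tpm1", DEV_TPM},
+	{"/dev/tpm2", RUN_DEV_DIR "/tpm2", DEV_TPM},
+	{"/dev/tpm3", RUN_DEV_DIR "/tpm3", DEV_TPM},
+	{"/dev/tpm4", RUN_DEV_DIR "/tpm4", DEV_TPM},
+	{"/dev/tpm5", RUN_DEV_DIR "/tpm5", DEV_TPM},
 	{"/dev/hidraw0", RUN_DEV_DIR "/hidraw0", DEV_U2F},
 	{"/dev/hidraw1", RUN_DEV_DIR "/hidraw1", DEV_U2F},
 	{"/dev/hidraw2", RUN_DEV_DIR "/hidraw2", DEV_U2F},
@@ -105,6 +112,7 @@ static void deventry_mount(void) {
 		    (dev[i].type == DEV_VIDEO && arg_novideo == 0) ||
 		    (dev[i].type == DEV_TV && arg_notv == 0) ||
 		    (dev[i].type == DEV_DVD && arg_nodvd == 0) ||
+		    (dev[i].type == DEV_TPM && arg_notpm == 0) ||
 		    (dev[i].type == DEV_U2F && arg_nou2f == 0) ||
 		    (dev[i].type == DEV_INPUT && arg_noinput == 0)) {
 
@@ -384,6 +392,15 @@ void fs_dev_disable_dvd(void) {
 	}
 }
 
+void fs_dev_disable_tpm(void) {
+	int i = 0;
+	while (dev[i].dev_fname != NULL) {
+		if (dev[i].type == DEV_TPM)
+			disable_file_or_dir(dev[i].dev_fname);
+		i++;
+	}
+}
+
 void fs_dev_disable_u2f(void) {
 	int i = 0;
 	while (dev[i].dev_fname != NULL) {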
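Review bot: The new DevEntry rows cover only /dev/tpm0–/dev/tpm5, but the TPM-backed ssh key use case named in the commit message is, as far as I can tell, normally served through the kernel's resource-manager node /dev/tpmrm0 (the default for tpm2-tss based tools), which is not in the table; with private-dev that node would still disappear, and with --notpm fs_dev_disable_tpm would not hide it either, so the opt-out silently leaves a TPM path reachable while the opt-in may not fix the reported profile. I would add a matching row such as `{"/dev/tpmrm0", RUN_DEV_DIR "/tpmrm0", DEV_TPM}, // TPM 2.0 in-kernel resource manager` (with the same numbered siblings you keep for tpmN) so the allow and deny paths treat both node families alike. Because DEV_TPM is mounted whenever arg_notpm == 0, every profile that uses private-dev now exposes the TPM by default; a one-line comment on the first tpm row stating that `notpm` is the opt-out would make that trade-off visible to profile authors. fs_dev_disable_tpm is a verbatim copy of the neighbouring disable loops; a static helper taking the DEV_TYPE would remove the duplication, though that is beyond this change's scope.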
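--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -155,6 +155,7 @@ int arg_noprofile = 0; // use default.profile if none other found/specified
 int arg_memory_deny_write_execute = 0; // block writable and executable memory
 int arg_notv = 0; // --notv
 int arg_nodvd = 0; // --nodvd
+int arg_notpm = 0; // --notpm
 int arg_nou2f = 0; // --nou2f
 int arg_noinput = 0; // --noinput
 int arg_deterministic_exit_code = 0; // always exit with first child's exit status
@@ -2209,6 +2210,8 @@ int main(int argc, char **argv, char **envp) {
 			arg_notv = 1;
 		else if (strcmp(argv[i], "--nodvd") == 0)
 			arg_nodvd = 1;
+		else if (strcmp(argv[i], "--notpm") == 0)
+			arg_notpm = 1;
 		else if (strcmp(argv[i], "--nou2f") == 0)
 			arg_nou2f = 1;
 		else if (strcmp(argv[i], "--noinput") == 0)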
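--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -618,6 +618,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
 		return 1;
 	}
+	else if (strcmp(ptr, "notpm") == 0) {
+		arg_notpm = 1;
+		return 0;
+	}
 	else if (strcmp(ptr, "nou2f") == 0) {
 		arg_nou2f = 1;
 		return 0;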
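--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1101,6 +1101,9 @@ int sandbox(void* sandbox_arg) {
 	if (arg_nodvd)
 		fs_dev_disable_dvd();
 
+	if (arg_notpm)
+		fs_dev_disable_tpm();
+
 	if (arg_nou2f)
 		fs_dev_disable_u2f();
 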
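--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -191,6 +191,7 @@ static const char *const usage_str =
 	" --nosound - disable sound system.\n"
 	" --noautopulse - disable automatic ~/.config/pulse init.\n"
 	" --novideo - disable video devices.\n"
+	" --notpm - disable TPM devices.\n"
 	" --nou2f - disable U2F devices.\n"
 	" --nowhitelist=filename - disable whitelist for file or directory.\n"
 	" --oom=value - configure OutOfMemory killer for the sandbox\n"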
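--- a/src/man/firejail-profile.5.in
+++ b/src/man/firejail-profile.5.in
@@ -383,10 +383,10 @@ Set working directory inside the jail. Full directory path is required. Symbolic
 .TP
 \fBprivate-dev
 Create a new /dev directory.
-Only disc, dri, dvb, full, hidraw, log, null, ptmx, pts, random, shm, snd, tty,
-urandom, usb, video and zero devices are available.
-Use the options no3d, nodvd, nosound, notv, nou2f and novideo for additional
-restrictions.
+Only disc, dri, dvb, full, hidraw, log, null, ptmx, pts, random, shm, snd, tpm,
+tty, urandom, usb, video and zero devices are available.
+Use the options no3d, nodvd, nosound, notpm, notv, nou2f and novideo for
+additional restrictions.
 
 .TP
 \fBprivate-etc file,directory
@@ -819,6 +819,9 @@ Disable input devices.
 \fBnosound
 Disable sound system.
 .TP
+\fBnotpm
+Disable Trusted Platform Module (TPM) devices.
+.TP
 \fBnotv
 Disable DVB (Digital Video Broadcasting) TV devices.
 .TP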
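--- a/src/man/firejail.1.in
+++ b/src/man/firejail.1.in
@@ -1919,6 +1919,16 @@ Example:
 $ firejail \-\-nosound firefox
 
 .TP
+\fB\-\-notpm
+Disable Trusted Platform Module (TPM) devices.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-notpm
+
+.TP
 \fB\-\-notv
 Disable DVB (Digital Video Broadcasting) TV devices.
 .br
@@ -2173,10 +2183,10 @@ $ pwd
 .TP
 \fB\-\-private-dev
 Create a new /dev directory.
-Only disc, dri, dvb, full, hidraw, log, null, ptmx, pts, random, shm, snd, tty,
-urandom, usb, video and zero devices are available.
-Use the options \-\-no3d, \-\-nodvd, \-\-nosound, \-\-notv, \-\-nou2f and
-\-\-novideo for additional restrictions.
+Only disc, dri, dvb, full, hidraw, log, null, ptmx, pts, random, shm, snd, tpm,
+tty, urandom, usb, video and zero devices are available.
+Use the options \-\-no3d, \-\-nodvd, \-\-nosound, \-\-notpm, \-\-notv,
+\-\-nou2f and \-\-novideo for additional restrictions.
 .br
 
 .br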
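--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -134,6 +134,7 @@ _firejail_args=(
 	'--nonewprivs[sets the NO_NEW_PRIVS prctl]'
 	'--noprinters[disable printers]'
 	'--nosound[disable sound system]'
+	'--notpm[disable TPM devices]'
 	'--nou2f[disable U2F devices]'
 	'--novideo[disable video devices]'
 	'--private[temporary home directory]'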