netfilter rework

author: netblue30 <netblue30@yahoo.com> 2016-11-28 10:36:04 -0500
committer: netblue30 <netblue30@yahoo.com> 2016-11-28 10:36:04 -0500
commit: d0c1fcfa273d323a26aa8477130e176dc2435bf5 (patch)
tree: 5c0823ed12cabf602ace114a12b53fb3b2872b99 /src
parent: cleanup (diff)
download: firejail-d0c1fcfa273d323a26aa8477130e176dc2435bf5.tar.gz
firejail-d0c1fcfa273d323a26aa8477130e176dc2435bf5.tar.zst
firejail-d0c1fcfa273d323a26aa8477130e176dc2435bf5.zip
5 files changed, 115 insertions, 198 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 4ae3cfd9f..61de17bf8 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -41,7 +41,6 @@
 #define RUN_CPU_CFG     "/run/firejail/mnt/cpu"
 #define RUN_GROUPS_CFG  "/run/firejail/mnt/groups"
 #define RUN_PROTOCOL_CFG        "/run/firejail/mnt/protocol"
-#define RUN_CP_COMMAND  "/run/firejail/mnt/cp"
 #define RUN_HOME_DIR    "/run/firejail/mnt/home"
 #define RUN_ETC_DIR     "/run/firejail/mnt/etc"
 #define RUN_BIN_DIR     "/run/firejail/mnt/bin"
@@ -463,6 +462,7 @@ void create_empty_dir_as_root(const char *dir, mode_t mode);
 void create_empty_file_as_root(const char *dir, mode_t mode);
 int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode);
 void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid);
+char *read_text_file_or_exit(const char *fname);
 // fs_var.c
 void fs_var_log(void);  // mounting /var/log
@@ -679,6 +679,8 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar
 #define PATH_FIREMON (PREFIX "/bin/firemon")
 #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
 #define PATH_FCOPY (LIBDIR "/firejail/fcopy")
+#define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin"
 // bitmapped filters for sbox_run
 #define SBOX_ROOT (1 << 0)                      // run the sandbox as root
 #define SBOX_USER (1 << 1)                      // run the sandbox as a regular user
@@ -686,6 +688,7 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar
 #define SBOX_CAPS_NONE (1 << 3)         // drop all capabilities
 #define SBOX_CAPS_NETWORK (1 << 4)      // caps filter for programs running network programs
 #define SBOX_ALLOW_STDIN (1 << 5)               // don't close stdin
+#define SBOX_STDIN_FROM_FILE (1 << 6)   // open file and redirect it to stdin
 // run sbox
 int sbox_run(unsigned filter, int num, ...);
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index 43f08e45b..ef4915f15 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -61,59 +61,6 @@ void check_netfilter_file(const char *fname) {
 void netfilter(const char *fname) {
-        // default filter
-        char *filter = client_filter;
-        // custom filter
-        int allocated = 0;
-        if (netfilter_default)
-                fname = netfilter_default;
-        if (fname) {
-                assert(fname);
-                
-                // open filter file
-                int fd = open(fname, O_RDONLY);
-                if (fd == -1)
-                        goto errexit;
-                int size = lseek(fd, 0, SEEK_END);
-                if (size == -1)
-                        goto errexit;
-                if (lseek(fd, 0 , SEEK_SET) == -1)
-                        goto errexit;
-                
-                // read filter
-                filter = malloc(size + 1);        // + '\0'
-                if (filter == NULL)
-                        goto errexit;
-                memset(filter, 0, size + 1);
-                int rd = 0;
-                while (rd < size) {
-                        int rv = read(fd, (unsigned char *) filter + rd, size - rd);
-                        if (rv == -1) {
-                                close(fd);
-                                goto errexit;
-                        }
-                        rd += rv;
-                }
-                
-                // close file
-                close(fd);
-                allocated = 1;
-        }
-        // temporarily mount a tempfs on top of /tmp directory
-        if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                errExit("mounting /tmp");
-        // create the filter file
-        FILE *fp = fopen("/tmp/netfilter", "w");
-        if (!fp) {
-                fprintf(stderr, "Error: cannot open /tmp/netfilter file\n");
-                exit(1);
-        }
-        fprintf(fp, "%s\n", filter);
-        fclose(fp);
        // find iptables command
        struct stat s;
        char *iptables = NULL;
@@ -127,113 +74,49 @@ void netfilter(const char *fname) {
                iptables_restore = "/usr/sbin/iptables-restore";
        }
        if (iptables == NULL || iptables_restore == NULL) {
-                fprintf(stderr, "Error: iptables command not found\n");
+                fprintf(stderr, "Error: iptables command not found, netfilter not configured\n");
-                goto doexit;
+                return;
        }
-        // push filter
+        // read filter
-        pid_t child = fork();
+        char *filter = client_filter;
-        if (child < 0)
+        int allocated = 0;
-                errExit("fork");
+        if (netfilter_default)
-        if (child == 0) {
+                fname = netfilter_default;
-                if (arg_debug)
+        if (fname) {
-                        printf("Installing network filter:\n%s\n", filter);
+                filter = read_text_file_or_exit(fname);
+                allocated = 1;
-                int fd;
-                if((fd = open("/tmp/netfilter", O_RDONLY)) == -1) {
-                        fprintf(stderr,"Error: cannot open /tmp/netfilter\n");
-                        exit(1);
-                }
-                dup2(fd,STDIN_FILENO);
-                // wipe out environment variables
-                clearenv();     
-                execl(iptables_restore, iptables_restore, NULL);
-                perror("execl");
-                _exit(1);
        }
-        // wait for the child to finish
-        waitpid(child, NULL, 0);
-        // debug
+        // create the filter file
-        if (arg_debug) {
+        FILE *fp = fopen(SBOX_STDIN_FILE, "w");
-                child = fork();
+        if (!fp) {
-                if (child < 0)
+                fprintf(stderr, "Error: cannot open %s\n", SBOX_STDIN_FILE);
-                        errExit("fork");
+                exit(1);
-                if (child == 0) {
-                        // elevate privileges in order to get grsecurity working
-                        if (setreuid(0, 0))
-                                errExit("setreuid");
-                        if (setregid(0, 0))
-                                errExit("setregid");
-                        environ = NULL;
-                        assert(getenv("LD_PRELOAD") == NULL);   
-                        execl(iptables, iptables, "-vL", NULL);
-                        perror("execl");
-                        _exit(1);
-                }
-                // wait for the child to finish
-                waitpid(child, NULL, 0);
        }
+        fprintf(fp, "%s\n", filter);
+        fclose(fp);
-doexit:
+        // push filter
-        // unmount /tmp
+        if (arg_debug)
-        umount("/tmp");
+                printf("Installing network filter:\n%s\n", filter);
+        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP | SBOX_STDIN_FROM_FILE, 1, iptables_restore);
+        unlink(SBOX_STDIN_FILE);
+        // debug
+        if (arg_debug) 
+                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-vL");
        if (allocated)
                free(filter);
        return;
-errexit:
-        fprintf(stderr, "Error: cannot read network filter %s\n", fname);
-        exit(1);
 }
 void netfilter6(const char *fname) {
        if (fname == NULL)
                return;
                
-        char *filter;
-        // open filter file
-        int fd = open(fname, O_RDONLY);
-        if (fd == -1)
-                goto errexit;
-        int size = lseek(fd, 0, SEEK_END);
-        if (size == -1)
-                goto errexit;
-        if (lseek(fd, 0 , SEEK_SET) == -1)
-                goto errexit;
-        
-        // read filter
-        filter = malloc(size + 1);        // + '\0'
-        if (filter == NULL)
-                goto errexit;
-        memset(filter, 0, size + 1);
-        int rd = 0;
-        while (rd < size) {
-                int rv = read(fd, (unsigned char *) filter + rd, size - rd);
-                if (rv == -1)
-                        goto errexit;
-                rd += rv;
-        }
-        
-        // close file
-        close(fd);
-        // temporarily mount a tempfs on top of /tmp directory
-        if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                errExit("mounting /tmp");
-        // create the filter file
-        FILE *fp = fopen("/tmp/netfilter6", "w");
-        if (!fp) {
-                fprintf(stderr, "Error: cannot open /tmp/netfilter6 file\n");
-                exit(1);
-        }
-        fprintf(fp, "%s\n", filter);
-        fclose(fp);
        // find iptables command
        char *ip6tables = NULL;
        char *ip6tables_restore = NULL;
@@ -247,56 +130,30 @@ void netfilter6(const char *fname) {
                ip6tables_restore = "/usr/sbin/ip6tables-restore";
        }
        if (ip6tables == NULL || ip6tables_restore == NULL) {
-                fprintf(stderr, "Error: ip6tables command not found\n");
+                fprintf(stderr, "Error: ip6tables command not found, netfilter6 not configured\n");
-                goto doexit;
+                return;
        }
-        // push filter
+        // create the filter file
-        pid_t child = fork();
+        char *filter = read_text_file_or_exit(fname);
-        if (child < 0)
+        FILE *fp = fopen(SBOX_STDIN_FILE, "w");
-                errExit("fork");
+        if (!fp) {
-        if (child == 0) {
+                fprintf(stderr, "Error: cannot open /tmp/netfilter6 file\n");
-                if (arg_debug)
+                exit(1);
-                        printf("Installing network filter:\n%s\n", filter);
-                int fd;
-                if((fd = open("/tmp/netfilter6", O_RDONLY)) == -1) {
-                        fprintf(stderr,"Error: cannot open /tmp/netfilter6\n");
-                        exit(1);
-                }
-                dup2(fd,STDIN_FILENO);
-                // wipe out environment variables
-                clearenv();     
-                execl(ip6tables_restore, ip6tables_restore, NULL);
-                perror("execl");
-                _exit(1);
        }
-        // wait for the child to finish
+        fprintf(fp, "%s\n", filter);
-        waitpid(child, NULL, 0);
+        fclose(fp);
+        // push filter
+        if (arg_debug)
+                printf("Installing network filter:\n%s\n", filter);
+        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP | SBOX_STDIN_FROM_FILE, 1, ip6tables_restore);
+        unlink(SBOX_STDIN_FILE);
+        
        // debug
-        if (arg_debug) {
+        if (arg_debug)
-                child = fork();
+                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, ip6tables, "-vL");
-                if (child < 0)
-                        errExit("fork");
-                if (child == 0) {
-                        clearenv();     
-                        execl(ip6tables, ip6tables, "-vL", NULL);
-                        perror("execl");
-                        _exit(1);
-                }
-                // wait for the child to finish
-                waitpid(child, NULL, 0);
-        }
-doexit:
-        // unmount /tmp
-        umount("/tmp");
        free(filter);
        return;
-        
-errexit:
-        fprintf(stderr, "Error: cannot read network filter %s\n", fname);
-        exit(1);
 }
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index 65c4e35e9..f28bbaf1a 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -138,18 +138,34 @@ int sbox_run(unsigned filter, int num, ...) {
        if (child == 0) {
                // clean the new process
                clearenv();
-                int max = 20; // getdtablesize() is overkill for a firejail process
+                
-                for (i = 3; i < max; i++)
+                if (filter & SBOX_STDIN_FROM_FILE) {
-                        close(i); // close open files
+                        int fd;
-                if ((filter & SBOX_ALLOW_STDIN) == 0) {
+                        if((fd = open(SBOX_STDIN_FILE, O_RDONLY)) == -1) {
-                        int fd = open("/dev/null",O_RDWR, 0);
+                                fprintf(stderr,"Error: cannot open /tmp/netfilter\n");
-                        if (fd != -1) {
+                                exit(1);
-                                dup2 (fd, STDIN_FILENO);
-                                close(fd);
                        }
+                        dup2(fd,STDIN_FILENO);
+                }
+                else if ((filter & SBOX_ALLOW_STDIN) == 0) {
+                        int fd = open("/dev/null",O_RDWR, 0);
+                        if (fd != -1)
+                                dup2(fd, STDIN_FILENO);
                        else // the user could run the sandbox without /dev/null
                                close(STDIN_FILENO);
                }
+                
+                // close all other file descriptors
+                int max = 20; // getdtablesize() is overkill for a firejail process
+                for (i = 3; i < max; i++)
+                        close(i); // close open files
+                if (arg_debug) {
+                        printf("sbox file descriptors:\n");
+                        int rv = system("ls -l /proc/self/fd");
+                        (void) rv;      
+                }
                umask(027);     
                // apply filters
diff --git a/src/firejail/util.c b/src/firejail/util.c
index c3e00a110..75f2acdb9 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -777,3 +777,45 @@ void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) {
        ASSERT_PERMS(fname, uid, gid, mode);
 }
+char *read_text_file_or_exit(const char *fname) {
+        assert(fname);
+        
+        // open file
+        int fd = open(fname, O_RDONLY);
+        if (fd == -1) {
+                fprintf(stderr, "Error: cannot read %s\n", fname);
+                exit(1);
+        }
+        int size = lseek(fd, 0, SEEK_END);
+        if (size == -1)
+                goto errexit;
+        if (lseek(fd, 0 , SEEK_SET) == -1)
+                goto errexit;
+        
+        // allocate memory
+        char *data = malloc(size + 1);    // + '\0'
+        if (data == NULL)
+                goto errexit;
+        memset(data, 0, size + 1);
+        // read file
+        int rd = 0;
+        while (rd < size) {
+                int rv = read(fd, (unsigned char *) data + rd, size - rd);
+                if (rv == -1) {
+                        goto errexit;
+                }
+                rd += rv;
+        }
+        
+        // close file
+        close(fd);
+        return data;
+        
+errexit:
+        close(fd);
+        fprintf(stderr, "Error: cannot read %s\n", fname);
+        exit(1);
+}
+\ No newline at end of file
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index d9b3b23d1..e67260490 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -252,7 +252,6 @@ void x11_start_xephyr(int argc, char **argv) {
                }
                for (i = 0; i < (int) strlen(xephyr_extra_params)-1; i++) {
-//todo: if working , add a -2 also in 0.9.44-bugfix                     
                        if (pos >= (sizeof(server_argv)/sizeof(*server_argv)) - 2) {
                                fprintf(stderr, "Error: arg count limit exceeded while parsing xephyr_extra_params\n");
                                exit(1);
author	netblue30 <netblue30@yahoo.com>	2016-11-28 10:36:04 -0500
committer	netblue30 <netblue30@yahoo.com>	2016-11-28 10:36:04 -0500
commit	d0c1fcfa273d323a26aa8477130e176dc2435bf5 (patch)
tree	5c0823ed12cabf602ace114a12b53fb3b2872b99 /src
parent	cleanup (diff)
download	firejail-d0c1fcfa273d323a26aa8477130e176dc2435bf5.tar.gz firejail-d0c1fcfa273d323a26aa8477130e176dc2435bf5.tar.zst firejail-d0c1fcfa273d323a26aa8477130e176dc2435bf5.zip

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 4ae3cfd9f..61de17bf8 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -41,7 +41,6 @@
41	#define RUN_CPU_CFG "/run/firejail/mnt/cpu"	41	#define RUN_CPU_CFG "/run/firejail/mnt/cpu"
42	#define RUN_GROUPS_CFG "/run/firejail/mnt/groups"	42	#define RUN_GROUPS_CFG "/run/firejail/mnt/groups"
43	#define RUN_PROTOCOL_CFG "/run/firejail/mnt/protocol"	43	#define RUN_PROTOCOL_CFG "/run/firejail/mnt/protocol"
44	#define RUN_CP_COMMAND "/run/firejail/mnt/cp"
45	#define RUN_HOME_DIR "/run/firejail/mnt/home"	44	#define RUN_HOME_DIR "/run/firejail/mnt/home"
46	#define RUN_ETC_DIR "/run/firejail/mnt/etc"	45	#define RUN_ETC_DIR "/run/firejail/mnt/etc"
47	#define RUN_BIN_DIR "/run/firejail/mnt/bin"	46	#define RUN_BIN_DIR "/run/firejail/mnt/bin"
@@ -463,6 +462,7 @@ void create_empty_dir_as_root(const char *dir, mode_t mode);
463	void create_empty_file_as_root(const char *dir, mode_t mode);	462	void create_empty_file_as_root(const char *dir, mode_t mode);
464	int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode);	463	int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode);
465	void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid);	464	void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid);
		465	char read_text_file_or_exit(const char fname);
466		466
467	// fs_var.c	467	// fs_var.c
468	void fs_var_log(void); // mounting /var/log	468	void fs_var_log(void); // mounting /var/log
@@ -679,6 +679,8 @@ void build_cmdline(char command_line, char window_title, int argc, char **ar
679	#define PATH_FIREMON (PREFIX "/bin/firemon")	679	#define PATH_FIREMON (PREFIX "/bin/firemon")
680	#define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")	680	#define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
681	#define PATH_FCOPY (LIBDIR "/firejail/fcopy")	681	#define PATH_FCOPY (LIBDIR "/firejail/fcopy")
		682	#define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin"
		683
682	// bitmapped filters for sbox_run	684	// bitmapped filters for sbox_run
683	#define SBOX_ROOT (1 << 0) // run the sandbox as root	685	#define SBOX_ROOT (1 << 0) // run the sandbox as root
684	#define SBOX_USER (1 << 1) // run the sandbox as a regular user	686	#define SBOX_USER (1 << 1) // run the sandbox as a regular user
@@ -686,6 +688,7 @@ void build_cmdline(char command_line, char window_title, int argc, char **ar
686	#define SBOX_CAPS_NONE (1 << 3) // drop all capabilities	688	#define SBOX_CAPS_NONE (1 << 3) // drop all capabilities
687	#define SBOX_CAPS_NETWORK (1 << 4) // caps filter for programs running network programs	689	#define SBOX_CAPS_NETWORK (1 << 4) // caps filter for programs running network programs
688	#define SBOX_ALLOW_STDIN (1 << 5) // don't close stdin	690	#define SBOX_ALLOW_STDIN (1 << 5) // don't close stdin
		691	#define SBOX_STDIN_FROM_FILE (1 << 6) // open file and redirect it to stdin
689		692
690	// run sbox	693	// run sbox
691	int sbox_run(unsigned filter, int num, ...);	694	int sbox_run(unsigned filter, int num, ...);


diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index 43f08e45b..ef4915f15 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c
@@ -61,59 +61,6 @@ void check_netfilter_file(const char *fname) {
61		61
62		62
63	void netfilter(const char *fname) {	63	void netfilter(const char *fname) {
64	// default filter
65	char *filter = client_filter;
66
67	// custom filter
68	int allocated = 0;
69	if (netfilter_default)
70	fname = netfilter_default;
71	if (fname) {
72	assert(fname);
73
74	// open filter file
75	int fd = open(fname, O_RDONLY);
76	if (fd == -1)
77	goto errexit;
78	int size = lseek(fd, 0, SEEK_END);
79	if (size == -1)
80	goto errexit;
81	if (lseek(fd, 0 , SEEK_SET) == -1)
82	goto errexit;
83
84	// read filter
85	filter = malloc(size + 1); // + '\0'
86	if (filter == NULL)
87	goto errexit;
88	memset(filter, 0, size + 1);
89	int rd = 0;
90	while (rd < size) {
91	int rv = read(fd, (unsigned char *) filter + rd, size - rd);
92	if (rv == -1) {
93	close(fd);
94	goto errexit;
95	}
96	rd += rv;
97	}
98
99	// close file
100	close(fd);
101	allocated = 1;
102	}
103
104	// temporarily mount a tempfs on top of /tmp directory
105	if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID \| MS_STRICTATIME \| MS_REC, "mode=755,gid=0") < 0)
106	errExit("mounting /tmp");
107
108	// create the filter file
109	FILE *fp = fopen("/tmp/netfilter", "w");
110	if (!fp) {
111	fprintf(stderr, "Error: cannot open /tmp/netfilter file\n");
112	exit(1);
113	}
114	fprintf(fp, "%s\n", filter);
115	fclose(fp);
116
117	// find iptables command	64	// find iptables command
118	struct stat s;	65	struct stat s;
119	char *iptables = NULL;	66	char *iptables = NULL;
@@ -127,113 +74,49 @@ void netfilter(const char *fname) {
127	iptables_restore = "/usr/sbin/iptables-restore";	74	iptables_restore = "/usr/sbin/iptables-restore";
128	}	75	}
129	if (iptables == NULL \|\| iptables_restore == NULL) {	76	if (iptables == NULL \|\| iptables_restore == NULL) {
130	fprintf(stderr, "Error: iptables command not found\n");	77	fprintf(stderr, "Error: iptables command not found, netfilter not configured\n");
131	goto doexit;	78	return;
132	}	79	}
133		80
134	// push filter	81	// read filter
135	pid_t child = fork();	82	char *filter = client_filter;
136	if (child < 0)	83	int allocated = 0;
137	errExit("fork");	84	if (netfilter_default)
138	if (child == 0) {	85	fname = netfilter_default;
139	if (arg_debug)	86	if (fname) {
140	printf("Installing network filter:\n%s\n", filter);	87	filter = read_text_file_or_exit(fname);
141		88	allocated = 1;
142	int fd;
143	if((fd = open("/tmp/netfilter", O_RDONLY)) == -1) {
144	fprintf(stderr,"Error: cannot open /tmp/netfilter\n");
145	exit(1);
146	}
147	dup2(fd,STDIN_FILENO);
148
149	// wipe out environment variables
150	clearenv();
151	execl(iptables_restore, iptables_restore, NULL);
152	perror("execl");
153	_exit(1);
154	}	89	}
155	// wait for the child to finish
156	waitpid(child, NULL, 0);
157		90
158	// debug	91	// create the filter file
159	if (arg_debug) {	92	FILE *fp = fopen(SBOX_STDIN_FILE, "w");
160	child = fork();	93	if (!fp) {
161	if (child < 0)	94	fprintf(stderr, "Error: cannot open %s\n", SBOX_STDIN_FILE);
162	errExit("fork");	95	exit(1);
163	if (child == 0) {
164	// elevate privileges in order to get grsecurity working
165	if (setreuid(0, 0))
166	errExit("setreuid");
167	if (setregid(0, 0))
168	errExit("setregid");
169	environ = NULL;
170	assert(getenv("LD_PRELOAD") == NULL);
171	execl(iptables, iptables, "-vL", NULL);
172	perror("execl");
173	_exit(1);
174	}
175	// wait for the child to finish
176	waitpid(child, NULL, 0);
177	}	96	}
		97	fprintf(fp, "%s\n", filter);
		98	fclose(fp);
		99
178		100
179	doexit:	101	// push filter
180	// unmount /tmp	102	if (arg_debug)
181	umount("/tmp");	103	printf("Installing network filter:\n%s\n", filter);
		104	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP \| SBOX_STDIN_FROM_FILE, 1, iptables_restore);
		105	unlink(SBOX_STDIN_FILE);
		106
		107	// debug
		108	if (arg_debug)
		109	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, 2, iptables, "-vL");
182		110
183	if (allocated)	111	if (allocated)
184	free(filter);	112	free(filter);
185	return;	113	return;
186
187	errexit:
188	fprintf(stderr, "Error: cannot read network filter %s\n", fname);
189	exit(1);
190	}	114	}
191		115
192	void netfilter6(const char *fname) {	116	void netfilter6(const char *fname) {
193	if (fname == NULL)	117	if (fname == NULL)
194	return;	118	return;
195		119
196	char *filter;
197
198	// open filter file
199	int fd = open(fname, O_RDONLY);
200	if (fd == -1)
201	goto errexit;
202	int size = lseek(fd, 0, SEEK_END);
203	if (size == -1)
204	goto errexit;
205	if (lseek(fd, 0 , SEEK_SET) == -1)
206	goto errexit;
207
208	// read filter
209	filter = malloc(size + 1); // + '\0'
210	if (filter == NULL)
211	goto errexit;
212	memset(filter, 0, size + 1);
213	int rd = 0;
214	while (rd < size) {
215	int rv = read(fd, (unsigned char *) filter + rd, size - rd);
216	if (rv == -1)
217	goto errexit;
218	rd += rv;
219	}
220
221	// close file
222	close(fd);
223
224	// temporarily mount a tempfs on top of /tmp directory
225	if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID \| MS_STRICTATIME \| MS_REC, "mode=755,gid=0") < 0)
226	errExit("mounting /tmp");
227
228	// create the filter file
229	FILE *fp = fopen("/tmp/netfilter6", "w");
230	if (!fp) {
231	fprintf(stderr, "Error: cannot open /tmp/netfilter6 file\n");
232	exit(1);
233	}
234	fprintf(fp, "%s\n", filter);
235	fclose(fp);
236
237	// find iptables command	120	// find iptables command
238	char *ip6tables = NULL;	121	char *ip6tables = NULL;
239	char *ip6tables_restore = NULL;	122	char *ip6tables_restore = NULL;
@@ -247,56 +130,30 @@ void netfilter6(const char *fname) {
247	ip6tables_restore = "/usr/sbin/ip6tables-restore";	130	ip6tables_restore = "/usr/sbin/ip6tables-restore";
248	}	131	}
249	if (ip6tables == NULL \|\| ip6tables_restore == NULL) {	132	if (ip6tables == NULL \|\| ip6tables_restore == NULL) {
250	fprintf(stderr, "Error: ip6tables command not found\n");	133	fprintf(stderr, "Error: ip6tables command not found, netfilter6 not configured\n");
251	goto doexit;	134	return;
252	}	135	}
253		136
254	// push filter	137	// create the filter file
255	pid_t child = fork();	138	char *filter = read_text_file_or_exit(fname);
256	if (child < 0)	139	FILE *fp = fopen(SBOX_STDIN_FILE, "w");
257	errExit("fork");	140	if (!fp) {
258	if (child == 0) {	141	fprintf(stderr, "Error: cannot open /tmp/netfilter6 file\n");
259	if (arg_debug)	142	exit(1);
260	printf("Installing network filter:\n%s\n", filter);
261
262	int fd;
263	if((fd = open("/tmp/netfilter6", O_RDONLY)) == -1) {
264	fprintf(stderr,"Error: cannot open /tmp/netfilter6\n");
265	exit(1);
266	}
267	dup2(fd,STDIN_FILENO);
268
269	// wipe out environment variables
270	clearenv();
271	execl(ip6tables_restore, ip6tables_restore, NULL);
272	perror("execl");
273	_exit(1);
274	}	143	}
275	// wait for the child to finish	144	fprintf(fp, "%s\n", filter);
276	waitpid(child, NULL, 0);	145	fclose(fp);
277		146
		147	// push filter
		148	if (arg_debug)
		149	printf("Installing network filter:\n%s\n", filter);
		150	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP \| SBOX_STDIN_FROM_FILE, 1, ip6tables_restore);
		151	unlink(SBOX_STDIN_FILE);
		152
278	// debug	153	// debug
279	if (arg_debug) {	154	if (arg_debug)
280	child = fork();	155	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, 2, ip6tables, "-vL");
281	if (child < 0)
282	errExit("fork");
283	if (child == 0) {
284	clearenv();
285	execl(ip6tables, ip6tables, "-vL", NULL);
286	perror("execl");
287	_exit(1);
288	}
289	// wait for the child to finish
290	waitpid(child, NULL, 0);
291	}
292		156
293	doexit:
294	// unmount /tmp
295	umount("/tmp");
296	free(filter);	157	free(filter);
297	return;	158	return;
298
299	errexit:
300	fprintf(stderr, "Error: cannot read network filter %s\n", fname);
301	exit(1);
302	}	159	}


diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index 65c4e35e9..f28bbaf1a 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c
@@ -138,18 +138,34 @@ int sbox_run(unsigned filter, int num, ...) {
138	if (child == 0) {	138	if (child == 0) {
139	// clean the new process	139	// clean the new process
140	clearenv();	140	clearenv();
141	int max = 20; // getdtablesize() is overkill for a firejail process	141
142	for (i = 3; i < max; i++)	142	if (filter & SBOX_STDIN_FROM_FILE) {
143	close(i); // close open files	143	int fd;
144	if ((filter & SBOX_ALLOW_STDIN) == 0) {	144	if((fd = open(SBOX_STDIN_FILE, O_RDONLY)) == -1) {
145	int fd = open("/dev/null",O_RDWR, 0);	145	fprintf(stderr,"Error: cannot open /tmp/netfilter\n");
146	if (fd != -1) {	146	exit(1);
147	dup2 (fd, STDIN_FILENO);
148	close(fd);
149	}	147	}
		148	dup2(fd,STDIN_FILENO);
		149	}
		150	else if ((filter & SBOX_ALLOW_STDIN) == 0) {
		151	int fd = open("/dev/null",O_RDWR, 0);
		152	if (fd != -1)
		153	dup2(fd, STDIN_FILENO);
150	else // the user could run the sandbox without /dev/null	154	else // the user could run the sandbox without /dev/null
151	close(STDIN_FILENO);	155	close(STDIN_FILENO);
152	}	156	}
		157
		158	// close all other file descriptors
		159	int max = 20; // getdtablesize() is overkill for a firejail process
		160	for (i = 3; i < max; i++)
		161	close(i); // close open files
		162
		163	if (arg_debug) {
		164	printf("sbox file descriptors:\n");
		165	int rv = system("ls -l /proc/self/fd");
		166	(void) rv;
		167	}
		168
153	umask(027);	169	umask(027);
154		170
155	// apply filters	171	// apply filters


diff --git a/src/firejail/util.c b/src/firejail/util.c index c3e00a110..75f2acdb9 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c
@@ -777,3 +777,45 @@ void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) {
777		777
778	ASSERT_PERMS(fname, uid, gid, mode);	778	ASSERT_PERMS(fname, uid, gid, mode);
779	}	779	}
		780
		781	char read_text_file_or_exit(const char fname) {
		782	assert(fname);
		783
		784	// open file
		785	int fd = open(fname, O_RDONLY);
		786	if (fd == -1) {
		787	fprintf(stderr, "Error: cannot read %s\n", fname);
		788	exit(1);
		789	}
		790
		791	int size = lseek(fd, 0, SEEK_END);
		792	if (size == -1)
		793	goto errexit;
		794	if (lseek(fd, 0 , SEEK_SET) == -1)
		795	goto errexit;
		796
		797	// allocate memory
		798	char *data = malloc(size + 1); // + '\0'
		799	if (data == NULL)
		800	goto errexit;
		801	memset(data, 0, size + 1);
		802
		803	// read file
		804	int rd = 0;
		805	while (rd < size) {
		806	int rv = read(fd, (unsigned char *) data + rd, size - rd);
		807	if (rv == -1) {
		808	goto errexit;
		809	}
		810	rd += rv;
		811	}
		812
		813	// close file
		814	close(fd);
		815	return data;
		816
		817	errexit:
		818	close(fd);
		819	fprintf(stderr, "Error: cannot read %s\n", fname);
		820	exit(1);
		821	} \ No newline at end of file


diff --git a/src/firejail/x11.c b/src/firejail/x11.c index d9b3b23d1..e67260490 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c
@@ -252,7 +252,6 @@ void x11_start_xephyr(int argc, char **argv) {
252	}	252	}
253		253
254	for (i = 0; i < (int) strlen(xephyr_extra_params)-1; i++) {	254	for (i = 0; i < (int) strlen(xephyr_extra_params)-1; i++) {
255	//todo: if working , add a -2 also in 0.9.44-bugfix
256	if (pos >= (sizeof(server_argv)/sizeof(*server_argv)) - 2) {	255	if (pos >= (sizeof(server_argv)/sizeof(*server_argv)) - 2) {
257	fprintf(stderr, "Error: arg count limit exceeded while parsing xephyr_extra_params\n");	256	fprintf(stderr, "Error: arg count limit exceeded while parsing xephyr_extra_params\n");
258	exit(1);	257	exit(1);