spoof machine-id

author: netblue30 <netblue30@yahoo.com> 2016-12-05 08:21:32 -0500
committer: netblue30 <netblue30@yahoo.com> 2016-12-05 08:21:32 -0500
commit: d0cc960c9cd3bdab63dde02367bb9646134a7e28 (patch)
tree: a5f53a210c65d9a947fc7e51ec37bed39d9c1c3f /src
parent: truecrypt and zuluCrypt support (diff)
download: firejail-d0cc960c9cd3bdab63dde02367bb9646134a7e28.tar.gz
firejail-d0cc960c9cd3bdab63dde02367bb9646134a7e28.tar.zst
firejail-d0cc960c9cd3bdab63dde02367bb9646134a7e28.zip
8 files changed, 82 insertions, 1 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index d172efce1..368e0d88d 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -78,6 +78,7 @@
 #define RUN_HOSTNAME_FILE       "/run/firejail/mnt/hostname"
 #define RUN_HOSTS_FILE  "/run/firejail/mnt/hosts"
 #define RUN_RESOLVCONF_FILE     "/run/firejail/mnt/resolv.conf"
+#define RUN_MACHINEID   "/run/firejail/mnt/machine-id"
 #define RUN_LDPRELOAD_FILE      "/run/firejail/mnt/ld.so.preload"
 #define RUN_UTMP_FILE           "/run/firejail/mnt/utmp"
 #define RUN_PASSWD_FILE         "/run/firejail/mnt/passwd"
@@ -342,6 +343,7 @@ extern int arg_allow_debuggers;	// allow debuggers
 extern int arg_x11_block;       // block X11
 extern int arg_x11_xorg;        // use X11 security extention
 extern int arg_allusers;        // all user home directories visible
+extern int arg_machineid;       // preserve /etc/machine-id
 extern int login_shell;
 extern int parent_to_child_fds[2];
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 9a2f4facc..53d63a108 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -597,7 +597,8 @@ void fs_basic_fs(void) {
        fs_var_lib();
        fs_var_cache();
        fs_var_utmp();
+        fs_machineid();
+        
        // don't leak user information
        restrict_users();
        
@@ -880,6 +881,7 @@ void fs_overlayfs(void) {
        fs_var_lib();
        fs_var_cache();
        fs_var_utmp();
+        fs_machineid();
        // don't leak user information
        restrict_users();
@@ -1061,6 +1063,7 @@ void fs_chroot(const char *rootdir) {
                fs_var_lib();
                fs_var_cache();
                fs_var_utmp();
+                fs_machineid();
        
                // don't leak user information
                restrict_users();
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index 9a28ac601..a04bf6725 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -23,6 +23,57 @@
 #include <sys/types.h>
 #include <unistd.h>
+// spoof /etc/machine_id
+void fs_machineid(void) {
+        union machineid_t {
+                uint8_t u8[16];
+                uint32_t u32[4];
+        } mid;
+        // if --machine-id flag is active, do nothing
+        if (arg_machineid)
+                return;
+        // init random number generator
+        srand(time(NULL));
+        
+        // generate random id
+        mid.u32[0] = rand();
+        mid.u32[1] = rand();
+        mid.u32[2] = rand();
+        mid.u32[3] = rand();
+        
+        // UUID version 4 and DCE variant
+        mid.u8[6] = (mid.u8[6] & 0x0F) | 0x40;
+        mid.u8[8] = (mid.u8[8] & 0x3F) | 0x80;
+        
+        // write it in a file
+        FILE *fp = fopen(RUN_MACHINEID, "w");
+        if (!fp)
+                errExit("fopen");
+        fprintf(fp, "%08x%08x%08x%08x\n", mid.u32[0], mid.u32[1], mid.u32[2], mid.u32[3]);
+        fclose(fp);
+        if (set_perms(RUN_MACHINEID, 0, 0, 0444))
+                errExit("set_perms");
+                
+        struct stat s;
+        // mount-bind 
+        if (stat("/etc/machine-id", &s) == 0) {
+                if (arg_debug)
+                        printf("installing a new /etc/machine-id\n");
+                if (mount(RUN_MACHINEID, "/etc/machine-id", "none", MS_BIND, "mode=444,gid=0"))
+                        errExit("mount");
+        }
+//#if 0 // todo: investigate    
+        if (stat("/var/lib/dbus/machine-id", &s) == 0) {
+                if (mount(RUN_MACHINEID, "/etc/machine-id", "none", MS_BIND, "mode=444,gid=0"))
+                        errExit("mount");
+        }
+//#endif
+}
 // return 0 if file not found, 1 if found
 static int check_dir_or_file(const char *fname) {
        assert(fname);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index aa855b7eb..32769845d 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -111,6 +111,7 @@ int arg_allow_debuggers = 0;			// allow debuggers
 int arg_x11_block = 0;                          // block X11
 int arg_x11_xorg = 0;                           // use X11 security extention
 int arg_allusers = 0;                           // all user home directories visible
+int arg_machineid = 0;                          // preserve /etc/machine-id
 int login_shell = 0;
@@ -1520,6 +1521,9 @@ int main(int argc, char **argv) {
                else if (strcmp(argv[i], "--writable-var") == 0) {
                        arg_writable_var = 1;
                }
+                else if (strcmp(argv[i], "--machine-id") == 0) {
+                        arg_machineid = 1;
+                }
                else if (strcmp(argv[i], "--private") == 0) {
                        arg_private = 1;
                }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 3697b54b9..63678514f 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -650,6 +650,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
        
+        if (strcmp(ptr, "machine-id") == 0) {
+                arg_machineid = 1;
+                return 0;
+        }
        // writable-var
        if (strcmp(ptr, "writable-var") == 0) {
                arg_writable_var = 1;
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index c8bed06e3..db3c25a5a 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -94,6 +94,9 @@ void usage(void) {
        printf("    --ls=name|pid dir_or_filename - list files in sandbox container.\n");
 #ifdef HAVE_NETWORK     
        printf("    --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n");
+#endif
+        printf("    --machine-id - preserve /etc/machine-id\n");
+#ifdef HAVE_NETWORK     
        printf("    --mtu=number - set interface MTU.\n");
 #endif
        printf("    --name=name - set sandbox name.\n");
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 007374c75..fa522c154 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -447,6 +447,10 @@ iprange 192.168.1.150,192.168.1.160
 Assign MAC addresses to the last network interface defined by a net command.
 .TP
+\fBmachine-id
+Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox.
+.TP
 \fBmtu number
 Assign a MTU value to the last network interface defined by a net command.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 450f30c68..fdeb9ea3f 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -666,6 +666,16 @@ Example:
 $ firejail \-\-net=eth0 \-\-mac=00:11:22:33:44:55 firefox
 .TP
+\fB\-\-machine-id
+Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox.
+.br
+.br
+Example:
+.br
+$ firejail \-\-machine-id
+.TP
 \fB\-\-mtu=number
 Assign a MTU value to the last network interface defined by a \-\-net option.
 .br
author	netblue30 <netblue30@yahoo.com>	2016-12-05 08:21:32 -0500
committer	netblue30 <netblue30@yahoo.com>	2016-12-05 08:21:32 -0500
commit	d0cc960c9cd3bdab63dde02367bb9646134a7e28 (patch)
tree	a5f53a210c65d9a947fc7e51ec37bed39d9c1c3f /src
parent	truecrypt and zuluCrypt support (diff)
download	firejail-d0cc960c9cd3bdab63dde02367bb9646134a7e28.tar.gz firejail-d0cc960c9cd3bdab63dde02367bb9646134a7e28.tar.zst firejail-d0cc960c9cd3bdab63dde02367bb9646134a7e28.zip

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index d172efce1..368e0d88d 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -78,6 +78,7 @@
78	#define RUN_HOSTNAME_FILE "/run/firejail/mnt/hostname"	78	#define RUN_HOSTNAME_FILE "/run/firejail/mnt/hostname"
79	#define RUN_HOSTS_FILE "/run/firejail/mnt/hosts"	79	#define RUN_HOSTS_FILE "/run/firejail/mnt/hosts"
80	#define RUN_RESOLVCONF_FILE "/run/firejail/mnt/resolv.conf"	80	#define RUN_RESOLVCONF_FILE "/run/firejail/mnt/resolv.conf"
		81	#define RUN_MACHINEID "/run/firejail/mnt/machine-id"
81	#define RUN_LDPRELOAD_FILE "/run/firejail/mnt/ld.so.preload"	82	#define RUN_LDPRELOAD_FILE "/run/firejail/mnt/ld.so.preload"
82	#define RUN_UTMP_FILE "/run/firejail/mnt/utmp"	83	#define RUN_UTMP_FILE "/run/firejail/mnt/utmp"
83	#define RUN_PASSWD_FILE "/run/firejail/mnt/passwd"	84	#define RUN_PASSWD_FILE "/run/firejail/mnt/passwd"
@@ -342,6 +343,7 @@ extern int arg_allow_debuggers; // allow debuggers
342	extern int arg_x11_block; // block X11	343	extern int arg_x11_block; // block X11
343	extern int arg_x11_xorg; // use X11 security extention	344	extern int arg_x11_xorg; // use X11 security extention
344	extern int arg_allusers; // all user home directories visible	345	extern int arg_allusers; // all user home directories visible
		346	extern int arg_machineid; // preserve /etc/machine-id
345		347
346	extern int login_shell;	348	extern int login_shell;
347	extern int parent_to_child_fds[2];	349	extern int parent_to_child_fds[2];


diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 9a2f4facc..53d63a108 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -597,7 +597,8 @@ void fs_basic_fs(void) {
597	fs_var_lib();	597	fs_var_lib();
598	fs_var_cache();	598	fs_var_cache();
599	fs_var_utmp();	599	fs_var_utmp();
600		600	fs_machineid();
		601
601	// don't leak user information	602	// don't leak user information
602	restrict_users();	603	restrict_users();
603		604
@@ -880,6 +881,7 @@ void fs_overlayfs(void) {
880	fs_var_lib();	881	fs_var_lib();
881	fs_var_cache();	882	fs_var_cache();
882	fs_var_utmp();	883	fs_var_utmp();
		884	fs_machineid();
883		885
884	// don't leak user information	886	// don't leak user information
885	restrict_users();	887	restrict_users();
@@ -1061,6 +1063,7 @@ void fs_chroot(const char *rootdir) {
1061	fs_var_lib();	1063	fs_var_lib();
1062	fs_var_cache();	1064	fs_var_cache();
1063	fs_var_utmp();	1065	fs_var_utmp();
		1066	fs_machineid();
1064		1067
1065	// don't leak user information	1068	// don't leak user information
1066	restrict_users();	1069	restrict_users();


diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index 9a28ac601..a04bf6725 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c
@@ -23,6 +23,57 @@
23	#include <sys/types.h>	23	#include <sys/types.h>
24	#include <unistd.h>	24	#include <unistd.h>
25		25
		26	// spoof /etc/machine_id
		27	void fs_machineid(void) {
		28	union machineid_t {
		29	uint8_t u8[16];
		30	uint32_t u32[4];
		31	} mid;
		32
		33	// if --machine-id flag is active, do nothing
		34	if (arg_machineid)
		35	return;
		36
		37	// init random number generator
		38	srand(time(NULL));
		39
		40	// generate random id
		41	mid.u32[0] = rand();
		42	mid.u32[1] = rand();
		43	mid.u32[2] = rand();
		44	mid.u32[3] = rand();
		45
		46	// UUID version 4 and DCE variant
		47	mid.u8[6] = (mid.u8[6] & 0x0F) \| 0x40;
		48	mid.u8[8] = (mid.u8[8] & 0x3F) \| 0x80;
		49
		50	// write it in a file
		51	FILE *fp = fopen(RUN_MACHINEID, "w");
		52	if (!fp)
		53	errExit("fopen");
		54	fprintf(fp, "%08x%08x%08x%08x\n", mid.u32[0], mid.u32[1], mid.u32[2], mid.u32[3]);
		55	fclose(fp);
		56	if (set_perms(RUN_MACHINEID, 0, 0, 0444))
		57	errExit("set_perms");
		58
		59
		60	struct stat s;
		61	// mount-bind
		62	if (stat("/etc/machine-id", &s) == 0) {
		63	if (arg_debug)
		64	printf("installing a new /etc/machine-id\n");
		65
		66	if (mount(RUN_MACHINEID, "/etc/machine-id", "none", MS_BIND, "mode=444,gid=0"))
		67	errExit("mount");
		68	}
		69	//#if 0 // todo: investigate
		70	if (stat("/var/lib/dbus/machine-id", &s) == 0) {
		71	if (mount(RUN_MACHINEID, "/etc/machine-id", "none", MS_BIND, "mode=444,gid=0"))
		72	errExit("mount");
		73	}
		74	//#endif
		75	}
		76
26	// return 0 if file not found, 1 if found	77	// return 0 if file not found, 1 if found
27	static int check_dir_or_file(const char *fname) {	78	static int check_dir_or_file(const char *fname) {
28	assert(fname);	79	assert(fname);


diff --git a/src/firejail/main.c b/src/firejail/main.c index aa855b7eb..32769845d 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -111,6 +111,7 @@ int arg_allow_debuggers = 0; // allow debuggers
111	int arg_x11_block = 0; // block X11	111	int arg_x11_block = 0; // block X11
112	int arg_x11_xorg = 0; // use X11 security extention	112	int arg_x11_xorg = 0; // use X11 security extention
113	int arg_allusers = 0; // all user home directories visible	113	int arg_allusers = 0; // all user home directories visible
		114	int arg_machineid = 0; // preserve /etc/machine-id
114		115
115	int login_shell = 0;	116	int login_shell = 0;
116		117
@@ -1520,6 +1521,9 @@ int main(int argc, char **argv) {
1520	else if (strcmp(argv[i], "--writable-var") == 0) {	1521	else if (strcmp(argv[i], "--writable-var") == 0) {
1521	arg_writable_var = 1;	1522	arg_writable_var = 1;
1522	}	1523	}
		1524	else if (strcmp(argv[i], "--machine-id") == 0) {
		1525	arg_machineid = 1;
		1526	}
1523	else if (strcmp(argv[i], "--private") == 0) {	1527	else if (strcmp(argv[i], "--private") == 0) {
1524	arg_private = 1;	1528	arg_private = 1;
1525	}	1529	}


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 3697b54b9..63678514f 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -650,6 +650,10 @@ int profile_check_line(char ptr, int lineno, const char fname) {
650	return 0;	650	return 0;
651	}	651	}
652		652
		653	if (strcmp(ptr, "machine-id") == 0) {
		654	arg_machineid = 1;
		655	return 0;
		656	}
653	// writable-var	657	// writable-var
654	if (strcmp(ptr, "writable-var") == 0) {	658	if (strcmp(ptr, "writable-var") == 0) {
655	arg_writable_var = 1;	659	arg_writable_var = 1;


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index c8bed06e3..db3c25a5a 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -94,6 +94,9 @@ void usage(void) {
94	printf(" --ls=name\|pid dir_or_filename - list files in sandbox container.\n");	94	printf(" --ls=name\|pid dir_or_filename - list files in sandbox container.\n");
95	#ifdef HAVE_NETWORK	95	#ifdef HAVE_NETWORK
96	printf(" --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n");	96	printf(" --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n");
		97	#endif
		98	printf(" --machine-id - preserve /etc/machine-id\n");
		99	#ifdef HAVE_NETWORK
97	printf(" --mtu=number - set interface MTU.\n");	100	printf(" --mtu=number - set interface MTU.\n");
98	#endif	101	#endif
99	printf(" --name=name - set sandbox name.\n");	102	printf(" --name=name - set sandbox name.\n");


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 007374c75..fa522c154 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -447,6 +447,10 @@ iprange 192.168.1.150,192.168.1.160
447	Assign MAC addresses to the last network interface defined by a net command.	447	Assign MAC addresses to the last network interface defined by a net command.
448		448
449	.TP	449	.TP
		450	\fBmachine-id
		451	Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox.
		452
		453	.TP
450	\fBmtu number	454	\fBmtu number
451	Assign a MTU value to the last network interface defined by a net command.	455	Assign a MTU value to the last network interface defined by a net command.
452		456


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 450f30c68..fdeb9ea3f 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -666,6 +666,16 @@ Example:
666	$ firejail \-\-net=eth0 \-\-mac=00:11:22:33:44:55 firefox	666	$ firejail \-\-net=eth0 \-\-mac=00:11:22:33:44:55 firefox
667		667
668	.TP	668	.TP
		669	\fB\-\-machine-id
		670	Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox.
		671	.br
		672
		673	.br
		674	Example:
		675	.br
		676	$ firejail \-\-machine-id
		677
		678	.TP
669	\fB\-\-mtu=number	679	\fB\-\-mtu=number
670	Assign a MTU value to the last network interface defined by a \-\-net option.	680	Assign a MTU value to the last network interface defined by a \-\-net option.
671	.br	681	.br