-rw-r--r-- | RELNOTES | 3 | ||||
-rwxr-xr-x | configure | 12 | ||||
-rw-r--r-- | configure.ac | 5 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 11 | ||||
-rw-r--r-- | src/firejail/main.c | 61 | ||||
-rw-r--r-- | src/firejail/profile.c | 37 | ||||
-rwxr-xr-x | test/compile/compile.sh | 21 |
7 files changed, 32 insertions, 118 deletions
@@ -1,6 +1,9 @@ | |||
1 | firejail (0.9.55) baseline; urgency=low | 1 | firejail (0.9.55) baseline; urgency=low |
2 | * work in progress | 2 | * work in progress |
3 | * modif: removed CFG_CHROOT_DESKTOP configuration option | 3 | * modif: removed CFG_CHROOT_DESKTOP configuration option |
4 | * modif: removed compile time --enable-network=restricted | ||
5 | * modif: --net=none allowed even if networking was disabled at compile | ||
6 | time or at run time | ||
4 | * support wireless devices in --net option | 7 | * support wireless devices in --net option |
5 | * support tap devices in --net option (tunneling support) | 8 | * support tap devices in --net option (tunneling support) |
6 | * allow IP address configuration if the parent interface specified | 9 | * allow IP address configuration if the parent interface specified |
@@ -1356,8 +1356,6 @@ Optional Features: | |||
1356 | --disable-globalcfg if the global config file firejail.cfg is not | 1356 | --disable-globalcfg if the global config file firejail.cfg is not |
1357 | present, continue the program using defaults | 1357 | present, continue the program using defaults |
1358 | --disable-network disable network | 1358 | --disable-network disable network |
1359 | --enable-network=restricted | ||
1360 | restrict --net= to root only | ||
1361 | --disable-userns disable user namespace | 1359 | --disable-userns disable user namespace |
1362 | --disable-x11 disable X11 sandboxing support | 1360 | --disable-x11 disable X11 sandboxing support |
1363 | --disable-file-transfer disable file transfer | 1361 | --disable-file-transfer disable file transfer |
@@ -3660,19 +3658,9 @@ if test "${enable_network+set}" = set; then : | |||
3660 | enableval=$enable_network; | 3658 | enableval=$enable_network; |
3661 | fi | 3659 | fi |
3662 | 3660 | ||
3663 | # Check whether --enable-network was given. | ||
3664 | if test "${enable_network+set}" = set; then : | ||
3665 | enableval=$enable_network; | ||
3666 | fi | ||
3667 | |||
3668 | if test "x$enable_network" != "xno"; then : | 3661 | if test "x$enable_network" != "xno"; then : |
3669 | 3662 | ||
3670 | HAVE_NETWORK="-DHAVE_NETWORK" | 3663 | HAVE_NETWORK="-DHAVE_NETWORK" |
3671 | if test "x$enable_network" = "xrestricted"; then : | ||
3672 | |||
3673 | HAVE_NETWORK="$HAVE_NETWORK -DHAVE_NETWORK_RESTRICTED" | ||
3674 | |||
3675 | fi | ||
3676 | 3664 | ||
3677 | 3665 | ||
3678 | fi | 3666 | fi |
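--- a/configure.ac
+++ b/configure.ac
@@ -102,13 +102,8 @@ AS_IF([test "x$enable_globalcfg" != "xno"], [
 HAVE_NETWORK=""
 AC_ARG_ENABLE([network],
 AS_HELP_STRING([--disable-network], [disable network]))
-AC_ARG_ENABLE([network],
-AS_HELP_STRING([--enable-network=restricted], [ restrict --net= to root only]))
 AS_IF([test "x$enable_network" != "xno"], [
 HAVE_NETWORK="-DHAVE_NETWORK"
-AS_IF([test "x$enable_network" = "xrestricted"], [
-HAVE_NETWORK="$HAVE_NETWORK -DHAVE_NETWORK_RESTRICTED"
-])
 AC_SUBST(HAVE_NETWORK)
 ])
 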
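--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -373,6 +373,13 @@ int checkcfg(int val) {
 initialized = 1;
 }
 
+
+// merge CFG_RESTRICTED_NETWORK into CFG_NETWORK
+if (val == CFG_NETWORK) {
+if (cfg_val[CFG_RESTRICTED_NETWORK] && getuid() != 0)
+return 0;
+}
+
 return cfg_val[val];
 
 errout:
@@ -443,10 +450,6 @@ void print_compiletime_support(void) {
 #endif
 );
 
-#ifdef HAVE_NETWORK_RESTRICTED
-printf("\t- networking features are available only to root user\n");
-#endif
-
 printf("\t- overlayfs support is %s\n",
 #ifdef HAVE_OVERLAYFS
 "enabled"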
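Review bot: The new `if (val == CFG_NETWORK)` block in the first hunk turns a permission restriction into a "feature disabled" answer: a non-root user with restricted-network set in the config file now loses the explicit `Error: only --net=none is allowed to non-root users` messages this commit deletes from main.c and profile.c, and instead gets whatever the callers' non-network branch does (not visible in these hunks). That is a defensible trade-off for a setuid binary, since every `checkcfg(CFG_NETWORK)` caller is covered at once, but the comment should record it for the next reader, e.g. `// Non-root callers see CFG_NETWORK as disabled when the admin enabled restricted-network; the per-option error messages were folded into this single check`. It is also worth stating that `checkcfg(CFG_RESTRICTED_NETWORK)` itself is unaffected and still returns the raw value. The `checkcfg` body starts and ends outside the hunk.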
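--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1745,22 +1745,21 @@ int main(int argc, char **argv) {
 //*************************************
 // network
 //*************************************
+else if (strcmp(argv[i], "--net=none") == 0) {
+arg_nonetwork = 1;
+cfg.bridge0.configured = 0;
+cfg.bridge1.configured = 0;
+cfg.bridge2.configured = 0;
+cfg.bridge3.configured = 0;
+cfg.interface0.configured = 0;
+cfg.interface1.configured = 0;
+cfg.interface2.configured = 0;
+cfg.interface3.configured = 0;
+continue;
+}
 #ifdef HAVE_NETWORK
 else if (strncmp(argv[i], "--interface=", 12) == 0) {
 if (checkcfg(CFG_NETWORK)) {
-#ifdef HAVE_NETWORK_RESTRICTED
-// compile time restricted networking
-if (getuid() != 0) {
-fprintf(stderr, "Error: --interface is allowed only to root user\n");
-exit(1);
-}
-#endif
-// run time restricted networking
-if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
-fprintf(stderr, "Error: --interface is allowed only to root user\n");
-exit(1);
-}
-
 // checks
 if (arg_nonetwork) {
 fprintf(stderr, "Error: --network=none and --interface are incompatible\n");
@@ -1818,18 +1817,6 @@ int main(int argc, char **argv) {
 continue;
 }
 
-#ifdef HAVE_NETWORK_RESTRICTED
-// compile time restricted networking
-if (getuid() != 0) {
-fprintf(stderr, "Error: only --net=none is allowed to non-root users\n");
-exit(1);
-}
-#endif
-// run time restricted networking
-if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
-fprintf(stderr, "Error: only --net=none is allowed to non-root users\n");
-exit(1);
-}
 if (strcmp(argv[i] + 6, "lo") == 0) {
 fprintf(stderr, "Error: cannot attach to lo device\n");
 exit(1);
@@ -2072,18 +2059,6 @@ int main(int argc, char **argv) {
 
 #ifdef HAVE_NETWORK
 else if (strcmp(argv[i], "--netfilter") == 0) {
-#ifdef HAVE_NETWORK_RESTRICTED
-// compile time restricted networking
-if (getuid() != 0) {
-fprintf(stderr, "Error: --netfilter is only allowed for root\n");
-exit(1);
-}
-#endif
-// run time restricted networking
-if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
-fprintf(stderr, "Error: --netfilter is only allowed for root\n");
-exit(1);
-}
 if (checkcfg(CFG_NETWORK)) {
 arg_netfilter = 1;
 }
@@ -2092,18 +2067,6 @@ int main(int argc, char **argv) {
 }
 
 else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
-#ifdef HAVE_NETWORK_RESTRICTED
-// compile time restricted networking
-if (getuid() != 0) {
-fprintf(stderr, "Error: --netfilter is only allowed for root\n");
-exit(1);
-}
-#endif
-// run time restricted networking
-if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
-fprintf(stderr, "Error: --netfilter is only allowed for root\n");
-exit(1);
-}
 if (checkcfg(CFG_NETWORK)) {
 arg_netfilter = 1;
 arg_netfilter_file = argv[i] + 12;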
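Review bot: Placing the `--net=none` handler ahead of `#ifdef HAVE_NETWORK` (first hunk, new lines 1748-1759) makes the option accepted in a `--disable-network` build and when `checkcfg(CFG_NETWORK)` returns 0, but nothing in this hunk shows that the code which acts on `arg_nonetwork` (setting up the empty network namespace) is compiled and reached unconditionally as well; if that consumer is still guarded by `HAVE_NETWORK` or `CFG_NETWORK`, the flag would be accepted yet have no effect, which for a sandbox is the wrong direction to fail. Please confirm the consumer side and pin the contract with a comment above the new block, e.g. `// --net=none must work even when networking support is disabled at compile or run time: the net namespace is always unshared`, or exit with an error when the namespace cannot be set up. The same question applies to the `net none` branch in profile.c. The enclosing `main` body starts and ends outside the hunk; the remaining three hunks only delete code.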
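--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -307,39 +307,20 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 else if (strcmp(ptr, "net none") == 0) {
-#ifdef HAVE_NETWORK
-if (checkcfg(CFG_NETWORK)) {
-arg_nonetwork = 1;
-cfg.bridge0.configured = 0;
-cfg.bridge1.configured = 0;
-cfg.bridge2.configured = 0;
-cfg.bridge3.configured = 0;
-cfg.interface0.configured = 0;
-cfg.interface1.configured = 0;
-cfg.interface2.configured = 0;
-cfg.interface3.configured = 0;
-}
-else
-warning_feature_disabled("networking");
-#endif
+arg_nonetwork = 1;
+cfg.bridge0.configured = 0;
+cfg.bridge1.configured = 0;
+cfg.bridge2.configured = 0;
+cfg.bridge3.configured = 0;
+cfg.interface0.configured = 0;
+cfg.interface1.configured = 0;
+cfg.interface2.configured = 0;
+cfg.interface3.configured = 0;
 return 0;
 }
 else if (strncmp(ptr, "net ", 4) == 0) {
 #ifdef HAVE_NETWORK
 if (checkcfg(CFG_NETWORK)) {
-#ifdef HAVE_NETWORK_RESTRICTED
-// compile time restricted networking
-if (getuid() != 0) {
-fprintf(stderr, "Error: only \"net none\" is allowed to non-root users\n");
-exit(1);
-}
-#endif
-// run time restricted networking
-if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
-fprintf(stderr, "Error: only \"net none\" is allowed to non-root users\n");
-exit(1);
-}
-
 if (strcmp(ptr + 4, "lo") == 0) {
 fprintf(stderr, "Error: cannot attach to lo device\n");
 exit(1);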
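Review bot: The nine assignments in the new `net none` branch (new lines 310-318) are now a byte-for-byte copy of the `--net=none` handler this commit adds to main.c, so should another slot ever be added next to `bridge3`/`interface3` it has to be cleared in two places and is easy to miss in one, which could leave an interface configured on a sandbox the profile asked to have no network. Suggest moving the block into a single helper next to the `cfg` definition, roughly `void net_disable_all(void)` that sets `arg_nonetwork = 1` and clears every `bridgeN`/`interfaceN.configured`, and calling it from both places. The `profile_check_line` body starts and ends outside the hunk.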
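--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh
@@ -7,7 +7,7 @@ arr[4]="TEST 4: compile bind disabled"
 arr[5]="TEST 5: compile user namespace disabled"
 arr[6]="TEST 6: compile network disabled"
 arr[7]="TEST 7: compile X11 disabled"
-arr[8]="TEST 8: compile network restricted"
+arr[8]="deprecated: TEST 8: compile network restricted"
 arr[9]="TEST 9: compile file transfer disabled"
 arr[10]="TEST 10: compile disable whitelist"
 arr[11]="TEST 11: compile disable global config"
@@ -182,25 +182,6 @@ rm output-configure output-make
 
 
 #*****************************************************************
-# TEST 8
-#*****************************************************************
-# - enable network restricted
-#*****************************************************************
-print_title "${arr[8]}"
-# seccomp
-cd firejail
-make distclean
-./configure --prefix=/usr --enable-network=restricted --enable-fatal-warnings 2>&1 | tee ../output-configure
-make -j4 2>&1 | tee ../output-make
-cd ..
-grep Warning output-configure output-make > ./report-test8
-grep Error output-configure output-make >> ./report-test8
-cp output-configure oc8
-cp output-make om8
-rm output-configure output-make
-
-
-#*****************************************************************
 # TEST 9
 #*****************************************************************
 # - disable file transfer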
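Review bot: `arr[8]` survives with a `deprecated:` prefix in the first hunk while the TEST 8 body is deleted in the second, so the slot is now a placeholder whose purpose, presumably, is to keep the TEST 9 onwards numbering and the `report-testN` file names stable; that intent is not stated anywhere. A comment on the line, `# slot 8 intentionally kept so the remaining test numbers stay stable; the test went away with --enable-network=restricted`, would stop the next maintainer from either re-adding a test here or renumbering. If anything iterates over `arr` to print a summary, the `deprecated:` title will show up there, which is worth checking.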