diff options
| -rw-r--r-- | Makefile.in | 3 | ||||
| -rw-r--r-- | etc/firejail-default | 92 | ||||
| -rw-r--r-- | src/firecfg/main.c | 16 | ||||
| -rw-r--r-- | src/firejail/fs_bin.c | 5 | ||||
| -rw-r--r-- | src/firejail/sandbox.c | 10 | ||||
| -rw-r--r-- | src/man/firecfg.txt | 3 | ||||
| -rw-r--r-- | todo | 2 |
7 files changed, 84 insertions, 47 deletions
diff --git a/Makefile.in b/Makefile.in index 4d7526826..4e55e5ea1 100644 --- a/Makefile.in +++ b/Makefile.in | |||
| @@ -86,7 +86,8 @@ realinstall: | |||
| 86 | sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" | 86 | sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" |
| 87 | rm -fr .etc | 87 | rm -fr .etc |
| 88 | # install apparmor profile | 88 | # install apparmor profile |
| 89 | sh -c "if [ -d /etc/apparmor.d ]; then install -c -m 0644 etc/firejail-default /etc/apparmor.d/firejail-default; fi;" | 89 | sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;" |
| 90 | install -c -m 0644 etc/firejail-default $(DESTDIR)/$(sysconfdir)/apparmor.d/. | ||
| 90 | # man pages | 91 | # man pages |
| 91 | install -m 0755 -d $(DESTDIR)/$(mandir)/man1 | 92 | install -m 0755 -d $(DESTDIR)/$(mandir)/man1 |
| 92 | install -m 0755 -d $(DESTDIR)/$(mandir)/man5 | 93 | install -m 0755 -d $(DESTDIR)/$(mandir)/man5 |
diff --git a/etc/firejail-default b/etc/firejail-default index 609ab6c19..8abf2400b 100644 --- a/etc/firejail-default +++ b/etc/firejail-default | |||
| @@ -1,19 +1,38 @@ | |||
| 1 | #include <tunables/global> | 1 | ######################################### |
| 2 | # Generic Firejail AppArmor profile | ||
| 3 | ######################################### | ||
| 4 | |||
| 5 | ########## | ||
| 6 | # A simple PID declaration based on Ubuntu's @{pid} | ||
| 7 | # Ubuntu keeps it under tunables/kernelvars and include it via tunables/global. | ||
| 8 | # We don't know if this definition is available outside Debian and Ubuntu, so | ||
| 9 | # we declare our own here. | ||
| 10 | ########## | ||
| 11 | @{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]} | ||
| 2 | 12 | ||
| 3 | profile firejail-default { | 13 | profile firejail-default { |
| 4 | 14 | ||
| 5 | ##### | 15 | ########## |
| 6 | # D-Bus is a huge security hole, we disable it here. Uncomment this line if you | 16 | # D-Bus is a huge security hole. Uncomment this line if you need D-Bus |
| 7 | # need D-Bus functionality. | 17 | # functionality. |
| 8 | # | 18 | ########## |
| 9 | #dbus, | 19 | #dbus, |
| 10 | 20 | ||
| 11 | ##### | 21 | ########## |
| 12 | # Mask /proc and /sys information leakage. The configuration here is barely | 22 | # Mask /proc and /sys information leakage. The configuration here is barely |
| 13 | # enough to run "top" or "ps aux". | 23 | # enough to run "top" or "ps aux". |
| 14 | # | 24 | ########## |
| 15 | / r, | 25 | / r, |
| 16 | /[^proc,^sys]** mrwlk, | 26 | /[^proc,^sys]** mrwlk, |
| 27 | /{,var/}run/ r, | ||
| 28 | /{,var/}run/** r, | ||
| 29 | /{,var/}run/user/**/dconf/ rw, | ||
| 30 | /{,var/}run/user/**/dconf/user rw, | ||
| 31 | /{,var/}run/user/**/pulse/ rw, | ||
| 32 | /{,var/}run/user/**/pulse/** rw, | ||
| 33 | /{,var/}run/firejail/mnt/fslogger r, | ||
| 34 | /{run,dev}/shm/ r, | ||
| 35 | /{run,dev}/shm/** rmwk, | ||
| 17 | 36 | ||
| 18 | /proc/ r, | 37 | /proc/ r, |
| 19 | /proc/meminfo r, | 38 | /proc/meminfo r, |
| @@ -22,16 +41,21 @@ profile firejail-default { | |||
| 22 | /proc/uptime r, | 41 | /proc/uptime r, |
| 23 | /proc/loadavg r, | 42 | /proc/loadavg r, |
| 24 | /proc/stat r, | 43 | /proc/stat r, |
| 25 | /proc/@{pid}/ r, | 44 | |
| 26 | /proc/@{pid}/fd/ r, | 45 | /proc/@{PID}/ r, |
| 27 | /proc/@{pid}/task/ r, | 46 | /proc/@{PID}/fd/ r, |
| 28 | /proc/@{pid}/cmdline r, | 47 | /proc/@{PID}/task/ r, |
| 29 | /proc/@{pid}/comm r, | 48 | /proc/@{PID}/cmdline r, |
| 30 | /proc/@{pid}/stat r, | 49 | /proc/@{PID}/comm r, |
| 31 | /proc/@{pid}/statm r, | 50 | /proc/@{PID}/stat r, |
| 32 | /proc/@{pid}/status r, | 51 | /proc/@{PID}/statm r, |
| 52 | /proc/@{PID}/status r, | ||
| 53 | /proc/@{PID}/task/@{PID}/stat r, | ||
| 33 | /proc/sys/kernel/pid_max r, | 54 | /proc/sys/kernel/pid_max r, |
| 34 | /proc/sys/kernel/shmmax r, | 55 | /proc/sys/kernel/shmmax r, |
| 56 | /proc/sys/vm/overcommit_memory r, | ||
| 57 | /proc/sys/vm/overcommit_ratio r, | ||
| 58 | |||
| 35 | /sys/ r, | 59 | /sys/ r, |
| 36 | /sys/bus/ r, | 60 | /sys/bus/ r, |
| 37 | /sys/bus/** r, | 61 | /sys/bus/** r, |
| @@ -40,19 +64,15 @@ profile firejail-default { | |||
| 40 | /sys/devices/ r, | 64 | /sys/devices/ r, |
| 41 | /sys/devices/** r, | 65 | /sys/devices/** r, |
| 42 | 66 | ||
| 43 | /proc/@{pid}/maps r, | 67 | /proc/@{PID}/maps r, |
| 44 | /proc/@{pid}/mounts r, | 68 | /proc/@{PID}/mounts r, |
| 45 | /proc/@{pid}/mountinfo r, | 69 | /proc/@{PID}/mountinfo r, |
| 46 | /proc/@{pid}/oom_score_adj r, | 70 | /proc/@{PID}/oom_score_adj r, |
| 47 | 71 | ||
| 48 | /{,var/}run/firejail/mnt/fslogger r, | 72 | ########## |
| 49 | /{,var/}run/user/**/dconf/ r, | ||
| 50 | /{,var/}run/user/**/dconf/user r, | ||
| 51 | |||
| 52 | ##### | ||
| 53 | # Allow running programs only from well-known system directories. If you need | 73 | # Allow running programs only from well-known system directories. If you need |
| 54 | # to run programs from your home directory, uncomment /home line. | 74 | # to run programs from your home directory, uncomment /home line. |
| 55 | # | 75 | ########## |
| 56 | /lib/** ix, | 76 | /lib/** ix, |
| 57 | /lib64/** ix, | 77 | /lib64/** ix, |
| 58 | /bin/** ix, | 78 | /bin/** ix, |
| @@ -65,24 +85,23 @@ profile firejail-default { | |||
| 65 | /opt/** ix, | 85 | /opt/** ix, |
| 66 | #/home/** ix, | 86 | #/home/** ix, |
| 67 | 87 | ||
| 68 | ##### | 88 | ########## |
| 69 | # Allow all networking functionality, and control it from Firejail. | 89 | # Allow all networking functionality, and control it from Firejail. |
| 70 | # | 90 | ########## |
| 71 | network inet, | 91 | network inet, |
| 72 | network inet6, | 92 | network inet6, |
| 73 | network unix, | 93 | network unix, |
| 74 | network netlink, | 94 | network netlink, |
| 75 | network raw, | 95 | network raw, |
| 76 | 96 | ||
| 77 | ##### | 97 | ########## |
| 78 | # There is no equivalent in Firejail for filtering signals. | 98 | # There is no equivalent in Firejail for filtering signals. |
| 79 | # | 99 | ########## |
| 80 | signal, | 100 | signal, |
| 81 | 101 | ||
| 82 | ##### | 102 | ########## |
| 83 | # Disable all capabilities. If you run your sandbox as root, you might need to | 103 | # We let Firejail deal with capabilities. |
| 84 | # enable/uncomment some of them. | 104 | ########## |
| 85 | # | ||
| 86 | capability chown, | 105 | capability chown, |
| 87 | capability dac_override, | 106 | capability dac_override, |
| 88 | capability dac_read_search, | 107 | capability dac_read_search, |
| @@ -118,12 +137,13 @@ capability setfcap, | |||
| 118 | capability mac_override, | 137 | capability mac_override, |
| 119 | capability mac_admin, | 138 | capability mac_admin, |
| 120 | 139 | ||
| 121 | ##### | 140 | ########## |
| 122 | # No mount/umount functionality when running as regular user. | 141 | # We let Firejail deal with mount/umount functionality. |
| 123 | # | 142 | ########## |
| 124 | mount, | 143 | mount, |
| 125 | remount, | 144 | remount, |
| 126 | umount, | 145 | umount, |
| 127 | pivot_root, | 146 | pivot_root, |
| 128 | 147 | ||
| 129 | } | 148 | } |
| 149 | |||
diff --git a/src/firecfg/main.c b/src/firecfg/main.c index f0f2aaeb7..9c7c49e1d 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c | |||
| @@ -26,6 +26,7 @@ | |||
| 26 | #include <sys/stat.h> | 26 | #include <sys/stat.h> |
| 27 | #include <unistd.h> | 27 | #include <unistd.h> |
| 28 | #include "../include/common.h" | 28 | #include "../include/common.h" |
| 29 | static int arg_debug = 0; | ||
| 29 | 30 | ||
| 30 | static void usage(void) { | 31 | static void usage(void) { |
| 31 | printf("firecfg - version %s\n\n", VERSION); | 32 | printf("firecfg - version %s\n\n", VERSION); |
| @@ -37,6 +38,7 @@ static void usage(void) { | |||
| 37 | printf("DESKTOP INTEGRATION section in man 1 firejail.\n\n"); | 38 | printf("DESKTOP INTEGRATION section in man 1 firejail.\n\n"); |
| 38 | printf("Usage: firecfg [OPTIONS]\n\n"); | 39 | printf("Usage: firecfg [OPTIONS]\n\n"); |
| 39 | printf(" --clean - remove all firejail symbolic links.\n\n"); | 40 | printf(" --clean - remove all firejail symbolic links.\n\n"); |
| 41 | printf(" --debug - print debug messages.\n\n"); | ||
| 40 | printf(" --help, -? - this help screen.\n\n"); | 42 | printf(" --help, -? - this help screen.\n\n"); |
| 41 | printf(" --list - list all firejail symbolic links.\n\n"); | 43 | printf(" --list - list all firejail symbolic links.\n\n"); |
| 42 | printf(" --version - print program version and exit.\n\n"); | 44 | printf(" --version - print program version and exit.\n\n"); |
| @@ -67,9 +69,12 @@ static int find(const char *program, const char *directory) { | |||
| 67 | errExit("asprintf"); | 69 | errExit("asprintf"); |
| 68 | 70 | ||
| 69 | struct stat s; | 71 | struct stat s; |
| 70 | if (stat(fname, &s) == 0) | 72 | if (stat(fname, &s) == 0) { |
| 73 | if (arg_debug) | ||
| 74 | printf("found %s in directory %s\n", program, directory); | ||
| 71 | retval = 1; | 75 | retval = 1; |
| 72 | 76 | } | |
| 77 | |||
| 73 | free(fname); | 78 | free(fname); |
| 74 | return retval; | 79 | return retval; |
| 75 | } | 80 | } |
| @@ -206,8 +211,9 @@ static void set_file(const char *name, const char *firejail_exec) { | |||
| 206 | errExit("asprintf"); | 211 | errExit("asprintf"); |
| 207 | 212 | ||
| 208 | struct stat s; | 213 | struct stat s; |
| 209 | if (stat(fname, &s) == 0) | 214 | if (stat(fname, &s) == 0) { |
| 210 | ; //printf("%s already present\n", fname); | 215 | printf("%s is already present, skipping...\n", fname); |
| 216 | } | ||
| 211 | else { | 217 | else { |
| 212 | int rv = symlink(firejail_exec, fname); | 218 | int rv = symlink(firejail_exec, fname); |
| 213 | if (rv) { | 219 | if (rv) { |
| @@ -289,6 +295,8 @@ int main(int argc, char **argv) { | |||
| 289 | usage(); | 295 | usage(); |
| 290 | return 0; | 296 | return 0; |
| 291 | } | 297 | } |
| 298 | else if (strcmp(argv[i], "--debug") == 0) | ||
| 299 | arg_debug = 1; | ||
| 292 | else if (strcmp(argv[i], "--version") == 0) { | 300 | else if (strcmp(argv[i], "--version") == 0) { |
| 293 | printf("firecfg version %s\n\n", VERSION); | 301 | printf("firecfg version %s\n\n", VERSION); |
| 294 | return 0; | 302 | return 0; |
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index dca66888c..cc2aa8f4d 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c | |||
| @@ -28,6 +28,8 @@ static char *paths[] = { | |||
| 28 | "/usr/local/bin", | 28 | "/usr/local/bin", |
| 29 | "/usr/bin", | 29 | "/usr/bin", |
| 30 | "/bin", | 30 | "/bin", |
| 31 | "/usr/games", | ||
| 32 | "/usr/local/games", | ||
| 31 | "/usr/local/sbin", | 33 | "/usr/local/sbin", |
| 32 | "/usr/sbin", | 34 | "/usr/sbin", |
| 33 | "/sbin", | 35 | "/sbin", |
| @@ -76,7 +78,8 @@ static char *check_dir_or_file(const char *name) { | |||
| 76 | } | 78 | } |
| 77 | 79 | ||
| 78 | if (!fname) { | 80 | if (!fname) { |
| 79 | // fprintf(stderr, "Warning: file %s not found\n", name); | 81 | if (arg_debug) |
| 82 | fprintf(stderr, "Warning: file %s not found\n", name); | ||
| 80 | return NULL; | 83 | return NULL; |
| 81 | } | 84 | } |
| 82 | 85 | ||
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index d9866385e..f37605e20 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -541,6 +541,11 @@ int sandbox(void* sandbox_arg) { | |||
| 541 | fs_private_tmp(); | 541 | fs_private_tmp(); |
| 542 | 542 | ||
| 543 | //**************************** | 543 | //**************************** |
| 544 | // update /proc, /sys, /dev, /boot directorymy | ||
| 545 | //**************************** | ||
| 546 | fs_proc_sys_dev_boot(); | ||
| 547 | |||
| 548 | //**************************** | ||
| 544 | // apply the profile file | 549 | // apply the profile file |
| 545 | //**************************** | 550 | //**************************** |
| 546 | if (cfg.profile) { | 551 | if (cfg.profile) { |
| @@ -558,11 +563,6 @@ int sandbox(void* sandbox_arg) { | |||
| 558 | fs_trace(); | 563 | fs_trace(); |
| 559 | 564 | ||
| 560 | //**************************** | 565 | //**************************** |
| 561 | // update /proc, /dev, /boot directorymy | ||
| 562 | //**************************** | ||
| 563 | fs_proc_sys_dev_boot(); | ||
| 564 | |||
| 565 | //**************************** | ||
| 566 | // --nosound and fix for pulseaudio 7.0 | 566 | // --nosound and fix for pulseaudio 7.0 |
| 567 | //**************************** | 567 | //**************************** |
| 568 | if (arg_nosound) { | 568 | if (arg_nosound) { |
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt index c12bf7731..9458c4b67 100644 --- a/src/man/firecfg.txt +++ b/src/man/firecfg.txt | |||
| @@ -17,6 +17,9 @@ The symbolic links are placed in /usr/local/bin. For more information, see | |||
| 17 | \fB\-\-clean | 17 | \fB\-\-clean |
| 18 | Remove all firejail symbolic links. | 18 | Remove all firejail symbolic links. |
| 19 | .TP | 19 | .TP |
| 20 | \fB\-\-debug | ||
| 21 | Print debug messages. | ||
| 22 | .TP | ||
| 20 | \fB\-?\fR, \fB\-\-help\fR | 23 | \fB\-?\fR, \fB\-\-help\fR |
| 21 | Print options end exit. | 24 | Print options end exit. |
| 22 | .TP | 25 | .TP |
| @@ -263,4 +263,6 @@ $ sudo aa-notify -p -f /var/log/audit/audit.log | |||
| 263 | /sys/module/apparmor/parameters/enabled | 263 | /sys/module/apparmor/parameters/enabled |
| 264 | /sys/kernel/security/apparmor | 264 | /sys/kernel/security/apparmor |
| 265 | 265 | ||
| 266 | 24. check monitor proc behaviour for sandboxes with --blacklist=/proc | ||
| 267 | also check --apparmor in this case | ||
| 266 | 268 | ||