-rw-r--r-- | README | 1 | ||||
-rw-r--r-- | README.md | 6 | ||||
-rw-r--r-- | RELNOTES | 4 | ||||
-rw-r--r-- | etc/disable-programs.inc | 2 | ||||
-rw-r--r-- | etc/firefox-common.profile | 3 | ||||
-rw-r--r-- | etc/picard.profile | 2 | ||||
-rw-r--r-- | etc/qmmp.profile | 34 | ||||
-rw-r--r-- | etc/sayonara.profile | 33 | ||||
-rw-r--r-- | etc/torbrowser-launcher.profile | 2 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 2 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs.c | 57 | ||||
-rw-r--r-- | src/firejail/main.c | 8 | ||||
-rw-r--r-- | src/firejail/pulseaudio.c | 8 | ||||
-rw-r--r-- | src/firejail/sbox.c | 7 | ||||
-rw-r--r-- | src/firejail/x11.c | 9 | ||||
-rw-r--r-- | src/firemon/procevent.c | 44 | ||||
-rw-r--r-- | test/hidepid-howto | 27 |
18 files changed, 205 insertions, 45 deletions
@@ -435,6 +435,7 @@ Pixel Fairy (https://github.com/xahare) | |||
435 | PizzaDude (https://github.com/pizzadude) | 435 | PizzaDude (https://github.com/pizzadude) |
436 | - add mpv support to smplayer | 436 | - add mpv support to smplayer |
437 | - added profile for torbrowser-launcher | 437 | - added profile for torbrowser-launcher |
438 | - added profile for sayonara and qmmp | ||
438 | probonopd (https://github.com/probonopd) | 439 | probonopd (https://github.com/probonopd) |
439 | - automatic build on Travis CI | 440 | - automatic build on Travis CI |
440 | pshpsh (https://github.com/pshpsh) | 441 | pshpsh (https://github.com/pshpsh) |
@@ -337,10 +337,10 @@ enable/disable apparmor functionality globally. By default the flag is enabled. | |||
337 | AppArmor deployment: we are starting apparmor by default for the following programs: | 337 | AppArmor deployment: we are starting apparmor by default for the following programs: |
338 | - web browsers: firefox (firefox-common.profile), chromium (chromium-common.profile) | 338 | - web browsers: firefox (firefox-common.profile), chromium (chromium-common.profile) |
339 | - torrent clients: transmission-qt, transmission-gtk, qbittorrent | 339 | - torrent clients: transmission-qt, transmission-gtk, qbittorrent |
340 | - media players: vlc, mpv, audacious, kodi, smplayer | 340 | - media players: mpv, audacious, kodi, smplayer |
341 | - media editing: kdenlive, audacity, handbrake, inkscape, gimp, krita, openshot | 341 | - media editing: kdenlive, audacity, handbrake, inkscape, gimp, krita, openshot |
342 | - archive managers: ark, engrampa, file-roller | 342 | - archive managers: ark, engrampa, file-roller |
343 | - etc.: digikam, libreoffice, okular, gwenview, galculator, kcalc | 343 | - etc.: digikam, okular, gwenview, galculator, kcalc |
344 | 344 | ||
345 | Checking apparmor status: | 345 | Checking apparmor status: |
346 | ````` | 346 | ````` |
@@ -376,4 +376,4 @@ gnome-recipes, akonadi_control, evince-previewer, evince-thumbnailer, blender-2. | |||
376 | thunderbird-beta, ncdu, gnome-logs, gcloud, musixmatch, gunzip, bunzip2, enchant, | 376 | thunderbird-beta, ncdu, gnome-logs, gcloud, musixmatch, gunzip, bunzip2, enchant, |
377 | enchant-2, enchant-lsmod, enchant-lsmod-2, Discord, acat, adiff, als, apack, arepack, | 377 | enchant-2, enchant-lsmod, enchant-lsmod-2, Discord, acat, adiff, als, apack, arepack, |
378 | aunpack profiles, ppsspp, scallion, clion, baloo_filemetadata_temp_extractor, | 378 | aunpack profiles, ppsspp, scallion, clion, baloo_filemetadata_temp_extractor, |
379 | AnyDesk, webstorm, xmind | 379 | AnyDesk, webstorm, xmind, qmmp, sayonara |
@@ -34,6 +34,7 @@ firejail (0.9.54~rc1) baseline; urgency=low | |||
34 | * private-dev support for overlay and chroot sandboxes | 34 | * private-dev support for overlay and chroot sandboxes |
35 | * private-tmp support for overlay and chroot sandboxes | 35 | * private-tmp support for overlay and chroot sandboxes |
36 | * added sandbox name support in firemon | 36 | * added sandbox name support in firemon |
37 | * firemon/prctl enhancements | ||
37 | * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed, | 38 | * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed, |
38 | * new profiles: discord-canary, pycharm-community, pycharm-professional, | 39 | * new profiles: discord-canary, pycharm-community, pycharm-professional, |
39 | * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine, | 40 | * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine, |
@@ -43,7 +44,8 @@ firejail (0.9.54~rc1) baseline; urgency=low | |||
43 | * new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2, | 44 | * new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2, |
44 | * new profiles: enchant, enchant-2, Discord, acat, adiff, als, apack, | 45 | * new profiles: enchant, enchant-2, Discord, acat, adiff, als, apack, |
45 | * new profiles: arepack, aunpack profiles, ppsspp, scallion, clion, | 46 | * new profiles: arepack, aunpack profiles, ppsspp, scallion, clion, |
46 | * new profiles: baloo_filemetadata_temp_extractor, AnyDesk, webstorm, xmind | 47 | * new profiles: baloo_filemetadata_temp_extractor, AnyDesk, webstorm, xmind, |
48 | * new profiles: qmmp, sayonara | ||
47 | -- netblue30 <netblue30@yahoo.com> Sun, 6 May 2018 08:00:00 -0500 | 49 | -- netblue30 <netblue30@yahoo.com> Sun, 6 May 2018 08:00:00 -0500 |
48 | 50 | ||
49 | firejail (0.9.52) baseline; urgency=low | 51 | firejail (0.9.52) baseline; urgency=low |
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index ea334c289..c7605d660 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -16,6 +16,7 @@ blacklist ${HOME}/.LuminanceHDR | |||
16 | blacklist ${HOME}/.Mathematica | 16 | blacklist ${HOME}/.Mathematica |
17 | blacklist ${HOME}/.Natron | 17 | blacklist ${HOME}/.Natron |
18 | blacklist ${HOME}/.PyCharm* | 18 | blacklist ${HOME}/.PyCharm* |
19 | blacklist ${HOME}/.Sayonara | ||
19 | blacklist ${HOME}/.Skype | 20 | blacklist ${HOME}/.Skype |
20 | blacklist ${HOME}/.Steam | 21 | blacklist ${HOME}/.Steam |
21 | blacklist ${HOME}/.Steampath | 22 | blacklist ${HOME}/.Steampath |
@@ -465,6 +466,7 @@ blacklist ${HOME}/.passwd-s3fs | |||
465 | blacklist ${HOME}/.pingus | 466 | blacklist ${HOME}/.pingus |
466 | blacklist ${HOME}/.purple | 467 | blacklist ${HOME}/.purple |
467 | blacklist ${HOME}/.qemu-launcher | 468 | blacklist ${HOME}/.qemu-launcher |
469 | blacklist ${HOME}/.qmmp | ||
468 | blacklist ${HOME}/.redeclipse | 470 | blacklist ${HOME}/.redeclipse |
469 | blacklist ${HOME}/.remmina | 471 | blacklist ${HOME}/.remmina |
470 | blacklist ${HOME}/.repo_.gitconfig.json | 472 | blacklist ${HOME}/.repo_.gitconfig.json |
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile index 9ebcdba6c..b0de1f1a3 100644 --- a/etc/firefox-common.profile +++ b/etc/firefox-common.profile | |||
@@ -35,7 +35,8 @@ notv | |||
35 | protocol unix,inet,inet6,netlink | 35 | protocol unix,inet,inet6,netlink |
36 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 36 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice |
37 | shell none | 37 | shell none |
38 | tracelog | 38 | #disable tracelog, it breaks or causes major issues with many firefox based browsers, see github issue #1930 |
39 | #tracelog | ||
39 | 40 | ||
40 | disable-mnt | 41 | disable-mnt |
41 | private-dev | 42 | private-dev |
diff --git a/etc/picard.profile b/etc/picard.profile index 9e0d4ab55..484b0e6b2 100644 --- a/etc/picard.profile +++ b/etc/picard.profile | |||
@@ -9,7 +9,9 @@ noblacklist ${HOME}/.cache/MusicBrainz | |||
9 | noblacklist ${HOME}/.config/MusicBrainz | 9 | noblacklist ${HOME}/.config/MusicBrainz |
10 | 10 | ||
11 | # Allow python (blacklisted by disable-interpreters.inc) | 11 | # Allow python (blacklisted by disable-interpreters.inc) |
12 | noblacklist ${PATH}/python2* | ||
12 | noblacklist ${PATH}/python3* | 13 | noblacklist ${PATH}/python3* |
14 | noblacklist /usr/lib/python2* | ||
13 | noblacklist /usr/lib/python3* | 15 | noblacklist /usr/lib/python3* |
14 | 16 | ||
15 | include /etc/firejail/disable-common.inc | 17 | include /etc/firejail/disable-common.inc |
diff --git a/etc/qmmp.profile b/etc/qmmp.profile new file mode 100644 index 000000000..d785ddbbe --- /dev/null +++ b/etc/qmmp.profile | |||
@@ -0,0 +1,34 @@ | |||
1 | # Firejail profile for qmmp | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/qmmp.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | noblacklist ${HOME}/.qmmp | ||
9 | |||
10 | include /etc/firejail/disable-common.inc | ||
11 | include /etc/firejail/disable-devel.inc | ||
12 | include /etc/firejail/disable-passwdmgr.inc | ||
13 | include /etc/firejail/disable-programs.inc | ||
14 | |||
15 | caps.drop all | ||
16 | netfilter | ||
17 | # no3d | ||
18 | nodbus | ||
19 | nogroups | ||
20 | nonewprivs | ||
21 | noroot | ||
22 | notv | ||
23 | novideo | ||
24 | protocol unix,inet,inet6 | ||
25 | seccomp | ||
26 | shell none | ||
27 | tracelog | ||
28 | |||
29 | private-bin qmmp | ||
30 | private-dev | ||
31 | private-tmp | ||
32 | |||
33 | noexec ${HOME} | ||
34 | noexec /tmp | ||
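Review bot: `# no3d` at line 17 is commented out with no reason given, while the sayonara profile added in the same commit enables `no3d`, so a reader cannot tell whether qmmp genuinely needs 3D access (visualization plugins, presumably) or the line is a leftover from a template. Either say why in place, e.g. `# no3d - breaks visualization plugins`, or drop the line; a commented-out hardening directive with no rationale tends to survive forever.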
diff --git a/etc/sayonara.profile b/etc/sayonara.profile new file mode 100644 index 000000000..756bd99eb --- /dev/null +++ b/etc/sayonara.profile | |||
@@ -0,0 +1,33 @@ | |||
1 | # Firejail profile for sayonara player | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/sayonara.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | noblacklist ${HOME}/.Sayonara | ||
9 | |||
10 | include /etc/firejail/disable-common.inc | ||
11 | include /etc/firejail/disable-devel.inc | ||
12 | include /etc/firejail/disable-passwdmgr.inc | ||
13 | include /etc/firejail/disable-programs.inc | ||
14 | |||
15 | caps.drop all | ||
16 | netfilter | ||
17 | no3d | ||
18 | nogroups | ||
19 | nonewprivs | ||
20 | noroot | ||
21 | notv | ||
22 | novideo | ||
23 | protocol unix,inet,inet6 | ||
24 | seccomp | ||
25 | shell none | ||
26 | tracelog | ||
27 | |||
28 | private-bin sayonara | ||
29 | private-dev | ||
30 | private-tmp | ||
31 | |||
32 | noexec ${HOME} | ||
33 | noexec /tmp | ||
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile index a63798731..a33707ee4 100644 --- a/etc/torbrowser-launcher.profile +++ b/etc/torbrowser-launcher.profile | |||
@@ -41,7 +41,7 @@ shell none | |||
41 | tracelog | 41 | tracelog |
42 | 42 | ||
43 | disable-mnt | 43 | disable-mnt |
44 | private-bin bash,cp,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python*,readlink,rm,sed,sh,tail,test,tor-browser-en,torbrowser-launcher | 44 | private-bin bash,cp,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python*,readlink,rm,sed,sh,tail,tclsh,test,tor-browser-en,torbrowser-launcher |
45 | private-dev | 45 | private-dev |
46 | private-etc fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache | 46 | private-etc fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache |
47 | private-tmp | 47 | private-tmp |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index da8937717..1bfc9e66e 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -316,6 +316,7 @@ psi-plus | |||
316 | qbittorrent | 316 | qbittorrent |
317 | qemu-launcher | 317 | qemu-launcher |
318 | qlipper | 318 | qlipper |
319 | qmmp | ||
319 | qpdfview | 320 | qpdfview |
320 | qtox | 321 | qtox |
321 | quassel | 322 | quassel |
@@ -333,6 +334,7 @@ ristretto | |||
333 | rocketchat | 334 | rocketchat |
334 | rtorrent | 335 | rtorrent |
335 | runenpass.sh | 336 | runenpass.sh |
337 | sayonara | ||
336 | scallion | 338 | scallion |
337 | scribus | 339 | scribus |
338 | sdat2img | 340 | sdat2img |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index efc0dfd8d..d873a36f5 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -794,6 +794,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc, | |||
794 | #define SBOX_CAPS_NETWORK (1 << 4) // caps filter for programs running network programs | 794 | #define SBOX_CAPS_NETWORK (1 << 4) // caps filter for programs running network programs |
795 | #define SBOX_ALLOW_STDIN (1 << 5) // don't close stdin | 795 | #define SBOX_ALLOW_STDIN (1 << 5) // don't close stdin |
796 | #define SBOX_STDIN_FROM_FILE (1 << 6) // open file and redirect it to stdin | 796 | #define SBOX_STDIN_FROM_FILE (1 << 6) // open file and redirect it to stdin |
797 | #define SBOX_CAPS_HIDEPID (1 << 7) // hidepid caps filter for running firemon | ||
797 | 798 | ||
798 | // run sbox | 799 | // run sbox |
799 | int sbox_run(unsigned filter, int num, ...); | 800 | int sbox_run(unsigned filter, int num, ...); |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index ea0631da5..0562c7424 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -484,29 +484,44 @@ void fs_rdonly(const char *dir) { | |||
484 | 484 | ||
485 | static void fs_rdwr(const char *dir) { | 485 | static void fs_rdwr(const char *dir) { |
486 | assert(dir); | 486 | assert(dir); |
487 | // check directory exists | 487 | // check directory exists and ensure we have a resolved path |
488 | // the resolved path allows to run a sanity check after the mount | ||
489 | char *path = realpath(dir, NULL); | ||
490 | if (path == NULL) | ||
491 | return; | ||
492 | // allow only user owned directories, except the user is root | ||
493 | uid_t u = getuid(); | ||
488 | struct stat s; | 494 | struct stat s; |
489 | int rv = stat(dir, &s); | 495 | int rv = stat(path, &s); |
490 | if (rv == 0) { | 496 | if (rv) { |
491 | // if the file is outside /home directory, allow only root user | 497 | free(path); |
492 | uid_t u = getuid(); | 498 | return; |
493 | if (u != 0 && s.st_uid != u) { | 499 | } |
494 | fwarning("you are not allowed to change %s to read-write\n", dir); | 500 | if (u != 0 && s.st_uid != u) { |
495 | return; | 501 | fwarning("you are not allowed to change %s to read-write\n", path); |
496 | } | 502 | free(path); |
497 | 503 | return; | |
498 | // mount --bind /bin /bin | 504 | } |
499 | // mount --bind -o remount,rw /bin | 505 | // mount --bind /bin /bin |
500 | unsigned long flags = 0; | 506 | // mount --bind -o remount,rw /bin |
501 | get_mount_flags(dir, &flags); | 507 | unsigned long flags = 0; |
502 | if ((flags & MS_RDONLY) == 0) | 508 | get_mount_flags(path, &flags); |
503 | return; | 509 | if ((flags & MS_RDONLY) == 0) { |
504 | flags &= ~MS_RDONLY; | 510 | free(path); |
505 | if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || | 511 | return; |
506 | mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0) | ||
507 | errExit("mount read-write"); | ||
508 | fs_logger2("read-write", dir); | ||
509 | } | 512 | } |
513 | flags &= ~MS_RDONLY; | ||
514 | if (mount(path, path, NULL, MS_BIND|MS_REC, NULL) < 0 || | ||
515 | mount(NULL, path, NULL, flags|MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0) | ||
516 | errExit("mount read-write"); | ||
517 | fs_logger2("read-write", path); | ||
518 | |||
519 | // run a check on /proc/self/mountinfo to validate the mount | ||
520 | MountData *mptr = get_last_mount(); | ||
521 | if (strncmp(mptr->dir, path, strlen(path)) != 0) | ||
522 | errLogExit("invalid read-write mount"); | ||
523 | |||
524 | free(path); | ||
510 | } | 525 | } |
511 | 526 | ||
512 | void fs_noexec(const char *dir) { | 527 | void fs_noexec(const char *dir) { |
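Review bot: The post-mount sanity check at new line 521 compares only a prefix, `strncmp(mptr->dir, path, strlen(path))`, so a last mount whose directory merely starts with `path` (say `/opt/app2` when `path` is `/opt/app`) passes the check; the pulseaudio.c and x11.c hunks in this same commit tighten the equivalent check to an exact `strcmp`, and fs_rdwr should match them: `if (strcmp(mptr->dir, path) != 0)`. Whether get_last_mount() can return NULL is not visible here; if it can, the dereference on that line needs a guard as well. The realpath()/stat()/mount() sequence still races with a concurrent rename of `dir` between the ownership check and the mount, as the old code did; the resolved path narrows the window but does not close it, which is worth a one-line comment so nobody reads the new check as closing it.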
diff --git a/src/firejail/main.c b/src/firejail/main.c index 2e47dd938..9d28f3352 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -551,21 +551,21 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
551 | } | 551 | } |
552 | else if (strcmp(argv[i], "--list") == 0) { | 552 | else if (strcmp(argv[i], "--list") == 0) { |
553 | if (pid_hidepid()) | 553 | if (pid_hidepid()) |
554 | sbox_run(SBOX_ROOT| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list"); | 554 | sbox_run(SBOX_ROOT| SBOX_CAPS_HIDEPID | SBOX_SECCOMP, 2, PATH_FIREMON, "--list"); |
555 | else | 555 | else |
556 | sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list"); | 556 | sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list"); |
557 | exit(0); | 557 | exit(0); |
558 | } | 558 | } |
559 | else if (strcmp(argv[i], "--tree") == 0) { | 559 | else if (strcmp(argv[i], "--tree") == 0) { |
560 | if (pid_hidepid()) | 560 | if (pid_hidepid()) |
561 | sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree"); | 561 | sbox_run(SBOX_ROOT | SBOX_CAPS_HIDEPID | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree"); |
562 | else | 562 | else |
563 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree"); | 563 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree"); |
564 | exit(0); | 564 | exit(0); |
565 | } | 565 | } |
566 | else if (strcmp(argv[i], "--top") == 0) { | 566 | else if (strcmp(argv[i], "--top") == 0) { |
567 | if (pid_hidepid()) | 567 | if (pid_hidepid()) |
568 | sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, | 568 | sbox_run(SBOX_ROOT | SBOX_CAPS_HIDEPID | SBOX_SECCOMP | SBOX_ALLOW_STDIN, |
569 | 2, PATH_FIREMON, "--top"); | 569 | 2, PATH_FIREMON, "--top"); |
570 | else | 570 | else |
571 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, | 571 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, |
@@ -577,7 +577,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
577 | if (checkcfg(CFG_NETWORK)) { | 577 | if (checkcfg(CFG_NETWORK)) { |
578 | struct stat s; | 578 | struct stat s; |
579 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0 || pid_hidepid()) | 579 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0 || pid_hidepid()) |
580 | sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, | 580 | sbox_run(SBOX_ROOT | SBOX_CAPS_HIDEPID | SBOX_SECCOMP | SBOX_ALLOW_STDIN, |
581 | 2, PATH_FIREMON, "--netstats"); | 581 | 2, PATH_FIREMON, "--netstats"); |
582 | else | 582 | else |
583 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, | 583 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, |
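Review bot: At new line 580 the --netstats branch grants SBOX_CAPS_HIDEPID whenever `/proc/sys/kernel/grsecurity` exists, not only when pid_hidepid() is true, so on a grsecurity system firemon now runs as root with CAP_SYS_PTRACE and CAP_SYS_PACCT where it previously ran with no capabilities at all. If grsecurity's /proc restrictions need the same capability set that is fine, but nothing in the hunk says so; suggest a comment on the condition, e.g. `// grsecurity restricts /proc much like hidepid=2, so firemon needs the same caps`, or a separate branch if it does not. run_cmd_and_exit begins and ends outside the hunk.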
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index eaaba86c0..15d44e4cc 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c | |||
@@ -178,10 +178,10 @@ void pulseaudio_init(void) { | |||
178 | 178 | ||
179 | // check /proc/self/mountinfo to confirm the mount is ok | 179 | // check /proc/self/mountinfo to confirm the mount is ok |
180 | MountData *mptr = get_last_mount(); | 180 | MountData *mptr = get_last_mount(); |
181 | if (strncmp(mptr->dir, homeusercfg, strlen(homeusercfg)) != 0) | 181 | if (strcmp(mptr->dir, homeusercfg) != 0) |
182 | errLogExit("invalid mount on top of %s (should be %s)\n", mptr->dir, homeusercfg); | 182 | errLogExit("invalid pulseaudio mount"); |
183 | if (strncmp(mptr->fstype, "tmpfs", 5) != 0) | 183 | if (strcmp(mptr->fstype, "tmpfs") != 0) |
184 | errLogExit("invalid mount on top of %s (filesystem type is %s)\n", mptr->dir, mptr->fstype); | 184 | errLogExit("invalid pulseaudio mount"); |
185 | 185 | ||
186 | char *p; | 186 | char *p; |
187 | if (asprintf(&p, "%s/client.conf", homeusercfg) == -1) | 187 | if (asprintf(&p, "%s/client.conf", homeusercfg) == -1) |
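Review bot: Both exits at new lines 182 and 184 now emit the identical text `invalid pulseaudio mount`, so a log entry no longer tells whether the directory or the filesystem type mismatched, and the `%s` details that were dropped were the only diagnostic for a failed mount check. Keeping the two messages distinct costs nothing: `errLogExit("invalid pulseaudio mount on %s (expected %s)", mptr->dir, homeusercfg);` and `errLogExit("invalid pulseaudio mount on %s (fstype %s, expected tmpfs)", mptr->dir, mptr->fstype);`. The x11.c hunk (new lines 1200 and 1202) has the same problem with `invalid .Xauthority mount`. pulseaudio_init begins and ends outside the hunk.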
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index 53df20a54..c11daad58 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c | |||
@@ -166,6 +166,13 @@ int sbox_run(unsigned filter, int num, ...) { | |||
166 | caps_set(set); | 166 | caps_set(set); |
167 | #endif | 167 | #endif |
168 | } | 168 | } |
169 | else if (filter & SBOX_CAPS_HIDEPID) { | ||
170 | #ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files | ||
171 | uint64_t set = ((uint64_t) 1) << CAP_SYS_PTRACE; | ||
172 | set |= ((uint64_t) 1) << CAP_SYS_PACCT; | ||
173 | caps_set(set); | ||
174 | #endif | ||
175 | } | ||
169 | 176 | ||
170 | if (filter & SBOX_SECCOMP) { | 177 | if (filter & SBOX_SECCOMP) { |
171 | if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { | 178 | if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { |
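Review bot: The new SBOX_CAPS_HIDEPID branch grants CAP_SYS_PTRACE and CAP_SYS_PACCT without a comment saying what either is for; CAP_SYS_PTRACE is the capability that lets a process see other users' /proc entries under hidepid=2 (proc(5)), but the reason for CAP_SYS_PACCT is not apparent from this hunk or from the firejail.h hunk that defines the flag. Suggest a comment above the two assignments, e.g. `// hidepid=2 hides other users' /proc entries unless the reader holds CAP_SYS_PTRACE` and `// CAP_SYS_PACCT: TODO document why firemon needs it`, so the next person auditing the capability set does not have to guess. The HAVE_GCOV comment is copied verbatim from the branch above; a shared comment at the top of the if/else chain would avoid repeating it. sbox_run begins and ends outside the hunk.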
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 0eace3215..ec8775370 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
@@ -1196,10 +1196,11 @@ void x11_xorg(void) { | |||
1196 | 1196 | ||
1197 | // check /proc/self/mountinfo to confirm the mount is ok | 1197 | // check /proc/self/mountinfo to confirm the mount is ok |
1198 | MountData *mptr = get_last_mount(); | 1198 | MountData *mptr = get_last_mount(); |
1199 | if (strncmp(mptr->dir, dest, strlen(dest)) != 0) | 1199 | if (strcmp(mptr->dir, dest) != 0) |
1200 | errLogExit("invalid mount on top of %s (should be %s)\n", mptr->dir, dest); | 1200 | errLogExit("invalid .Xauthority mount"); |
1201 | if (strncmp(mptr->fstype, "tmpfs", 5) != 0) | 1201 | if (strcmp(mptr->fstype, "tmpfs") != 0) |
1202 | errLogExit("invalid mount on top of %s (filesystem type is %s)\n", mptr->dir, mptr->fstype); | 1202 | errLogExit("invalid .Xauthority mount"); |
1203 | |||
1203 | free(dest); | 1204 | free(dest); |
1204 | #endif | 1205 | #endif |
1205 | } | 1206 | } |
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c index 301e5397b..5b16191be 100644 --- a/src/firemon/procevent.c +++ b/src/firemon/procevent.c | |||
@@ -94,10 +94,21 @@ static int pid_is_firejail(pid_t pid) { | |||
94 | // list of firejail arguments that don't trigger sandbox creation | 94 | // list of firejail arguments that don't trigger sandbox creation |
95 | // the initial -- is not included | 95 | // the initial -- is not included |
96 | char *exclude_args[] = { | 96 | char *exclude_args[] = { |
97 | "ls", "list", "tree", "x11", "help", "version", "top", "netstats", "debug-syscalls", | 97 | // all print options |
98 | "debug-errnos", "debug-protocols", "protocol.print", "debug.caps", | 98 | "apparmor.print", "caps.print", "cpu.print", "dns.print", "fs.print", "netfilter.print", |
99 | "shutdown", "bandwidth", "caps.print", "cpu.print", "debug-caps", | 99 | "netfilter6.print", "profile.print", "protocol.print", "seccomp.print", |
100 | "fs.print", "get", "overlay-clean", NULL | 100 | // debug |
101 | "debug-caps", "debug-errnos", "debug-protocols", "debug-syscalls", | ||
102 | // file transfer | ||
103 | "ls", "get", "put", | ||
104 | // stats | ||
105 | "tree", "list", "top", | ||
106 | // network | ||
107 | "netstats", "bandwidth", | ||
108 | // etc | ||
109 | "help", "version", "overlay-clean", | ||
110 | |||
111 | NULL // end of list marker | ||
101 | }; | 112 | }; |
102 | 113 | ||
103 | int i; | 114 | int i; |
@@ -291,6 +302,7 @@ static int procevent_monitor(const int sock, pid_t mypid) { | |||
291 | child %= max_pids; | 302 | child %= max_pids; |
292 | pids[child].level = pids[pid].level + 1; | 303 | pids[child].level = pids[pid].level + 1; |
293 | pids[child].uid = pid_get_uid(child); | 304 | pids[child].uid = pid_get_uid(child); |
305 | pids[child].parent = pid; | ||
294 | } | 306 | } |
295 | sprintf(lineptr, " fork"); | 307 | sprintf(lineptr, " fork"); |
296 | break; | 308 | break; |
@@ -318,12 +330,22 @@ static int procevent_monitor(const int sock, pid_t mypid) { | |||
318 | sprintf(lineptr, " exit"); | 330 | sprintf(lineptr, " exit"); |
319 | break; | 331 | break; |
320 | 332 | ||
333 | |||
334 | |||
321 | case PROC_EVENT_UID: | 335 | case PROC_EVENT_UID: |
322 | pid = proc_ev->event_data.id.process_tgid; | 336 | pid = proc_ev->event_data.id.process_tgid; |
323 | #ifdef DEBUG_PRCTL | 337 | #ifdef DEBUG_PRCTL |
324 | printf("%s: %d, event uid, pid %d\n", __FUNCTION__, __LINE__, pid); | 338 | printf("%s: %d, event uid, pid %d\n", __FUNCTION__, __LINE__, pid); |
325 | #endif | 339 | #endif |
326 | sprintf(lineptr, " uid "); | 340 | if (pids[pid].level == 1 || |
341 | pids[pids[pid].parent].level == 1) { | ||
342 | sprintf(lineptr, "\n"); | ||
343 | continue; | ||
344 | } | ||
345 | else | ||
346 | sprintf(lineptr, " uid (%d:%d)", | ||
347 | proc_ev->event_data.id.r.ruid, | ||
348 | proc_ev->event_data.id.e.euid); | ||
327 | break; | 349 | break; |
328 | 350 | ||
329 | case PROC_EVENT_GID: | 351 | case PROC_EVENT_GID: |
@@ -331,9 +353,19 @@ static int procevent_monitor(const int sock, pid_t mypid) { | |||
331 | #ifdef DEBUG_PRCTL | 353 | #ifdef DEBUG_PRCTL |
332 | printf("%s: %d, event gid, pid %d\n", __FUNCTION__, __LINE__, pid); | 354 | printf("%s: %d, event gid, pid %d\n", __FUNCTION__, __LINE__, pid); |
333 | #endif | 355 | #endif |
334 | sprintf(lineptr, " gid "); | 356 | if (pids[pid].level == 1 || |
357 | pids[pids[pid].parent].level == 1) { | ||
358 | sprintf(lineptr, "\n"); | ||
359 | continue; | ||
360 | } | ||
361 | else | ||
362 | sprintf(lineptr, " gid (%d:%d)", | ||
363 | proc_ev->event_data.id.r.rgid, | ||
364 | proc_ev->event_data.id.e.egid); | ||
335 | break; | 365 | break; |
336 | 366 | ||
367 | |||
368 | |||
337 | case PROC_EVENT_SID: | 369 | case PROC_EVENT_SID: |
338 | pid = proc_ev->event_data.sid.process_tgid; | 370 | pid = proc_ev->event_data.sid.process_tgid; |
339 | #ifdef DEBUG_PRCTL | 371 | #ifdef DEBUG_PRCTL |
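Review bot: In the PROC_EVENT_UID hunk, new lines 340-341 read `pids[pids[pid].parent].level`, but `parent` is only ever assigned in the fork case (new line 305), so a process that was already running when monitoring started, or whose fork event was missed, indexes `pids[]` through an unset parent; if the array is zero-initialized that silently consults `pids[0]`, and if it is not it is an out-of-range read. The fork case also reduces `child %= max_pids` before indexing while the uid case indexes `pids[pid]` with the raw tgid, so either the modulo is needed here too or it is unnecessary there. `ruid`/`euid` are `__u32` in `linux/cn_proc.h`, so the `%d` at new line 346 should be `%u`. The `sprintf(lineptr, "\n"); continue;` pair writes a newline and then skips whatever follows the switch, which is outside the hunk; if the line is only printed after the switch, the sprintf is dead code. The GID hunk (new lines 356-364) shares all of these points; procevent_monitor begins and ends outside these hunks.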
diff --git a/test/hidepid-howto b/test/hidepid-howto new file mode 100644 index 000000000..f207c9109 --- /dev/null +++ b/test/hidepid-howto | |||
@@ -0,0 +1,27 @@ | |||
1 | 1. Find an unused user group for hidepid exception: | ||
2 | |||
3 | $ id | ||
4 | uid=1000(netblue) gid=100(users) groups=100(users),10(wheel),90(network), | ||
5 | 92(audio),93(optical),95(storage),98(power) | ||
6 | |||
7 | From /etc/group I pick up a group I am not part of: | ||
8 | |||
9 | $ cat /etc/group | ||
10 | [...] | ||
11 | xmms2:x:618: | ||
12 | rtkit:x:133: | ||
13 | vboxsf:x:109: | ||
14 | git:x:617: | ||
15 | [...] | ||
16 | |||
17 | I'll use group 618 (xmms2) | ||
18 | |||
19 | 2. Set hidepid and allow xmms2 users to bypass hidepid | ||
20 | |||
21 | $ sudo mount -o remount,rw,hidepid=2,gid=618 /proc | ||
22 | $ cat /proc/mounts | grep proc | ||
23 | proc /proc proc rw,nosuid,nodev,noexec,relatime,gid=618,hidepid=2 0 0 | ||
24 | |||
25 | 3. Test "firejail --list", "firejail --top", "firejail --tree", "firejail --netstats" | ||
26 | |||
27 | |||