-rw-r--r-- | src/firejail/firejail.h | 3 | ||||
-rw-r--r-- | src/firejail/fs.c | 72 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 14 | ||||
-rw-r--r-- | src/firejail/usage.c | 5 | ||||
-rw-r--r-- | src/man/firejail.txt | 4 | ||||
-rw-r--r-- | todo | 3 |
6 files changed, 49 insertions, 52 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 4f8968e4a..b29e11923 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -40,7 +40,8 @@ | |||
40 | #define PULSE_DIR "/run/firejail/mnt/pulse" | 40 | #define PULSE_DIR "/run/firejail/mnt/pulse" |
41 | #define DEVLOG_FILE "/run/firejail/mnt/devlog" | 41 | #define DEVLOG_FILE "/run/firejail/mnt/devlog" |
42 | 42 | ||
43 | #define WHITELIST_HOME_DIR "/run/firejail/mnt/orig-home" | 43 | #define WHITELIST_HOME_DIR "/run/firejail/mnt/orig-home" // default home directory masking |
44 | #define WHITELIST_HOME_USER_DIR "/run/firejail/mnt/orig-home-user" // home directory whitelisting | ||
44 | #define WHITELIST_TMP_DIR "/run/firejail/mnt/orig-tmp" | 45 | #define WHITELIST_TMP_DIR "/run/firejail/mnt/orig-tmp" |
45 | #define WHITELIST_MEDIA_DIR "/run/firejail/mnt/orig-media" | 46 | #define WHITELIST_MEDIA_DIR "/run/firejail/mnt/orig-media" |
46 | #define WHITELIST_VAR_DIR "/run/firejail/mnt/orig-var" | 47 | #define WHITELIST_VAR_DIR "/run/firejail/mnt/orig-var" |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 5cce383e2..aec1698b0 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -540,50 +540,48 @@ void fs_proc_sys_dev_boot(void) { | |||
540 | } | 540 | } |
541 | 541 | ||
542 | static void sanitize_home(void) { | 542 | static void sanitize_home(void) { |
543 | // extract current /home directory data | 543 | assert(getuid() != 0); // this code works only for regular users |
544 | struct dirent *dir; | 544 | |
545 | DIR *d = opendir("/home"); | 545 | if (arg_debug) |
546 | if (d == NULL) | 546 | printf("Cleaning /home directory\n"); |
547 | |||
548 | struct stat s; | ||
549 | if (stat(cfg.homedir, &s) == -1) { | ||
550 | // cannot find home directory, just return | ||
551 | fprintf(stderr, "Warning: cannot find home directory\n"); | ||
547 | return; | 552 | return; |
548 | |||
549 | while ((dir = readdir(d))) { | ||
550 | if(strcmp(dir->d_name, "." ) == 0 || strcmp(dir->d_name, ".." ) == 0) | ||
551 | continue; | ||
552 | |||
553 | if (dir->d_type == DT_DIR ) { | ||
554 | // get properties | ||
555 | struct stat s; | ||
556 | char *name; | ||
557 | if (asprintf(&name, "/home/%s", dir->d_name) == -1) | ||
558 | continue; | ||
559 | if (stat(name, &s) == -1) | ||
560 | continue; | ||
561 | if (S_ISLNK(s.st_mode)) { | ||
562 | free(name); | ||
563 | continue; | ||
564 | } | ||
565 | |||
566 | if (strcmp(name, cfg.homedir) == 0) | ||
567 | continue; | ||
568 | |||
569 | // printf("directory %u %u:%u #%s#\n", | ||
570 | // s.st_mode, | ||
571 | // s.st_uid, | ||
572 | // s.st_gid, | ||
573 | // name); | ||
574 | |||
575 | // disable directory | ||
576 | disable_file(BLACKLIST_FILE, name); | ||
577 | free(name); | ||
578 | } | ||
579 | } | 553 | } |
580 | closedir(d); | 554 | |
581 | } | 555 | fs_build_mnt_dir(); |
556 | if (mkdir(WHITELIST_HOME_DIR, 0755) == -1) | ||
557 | errExit("mkdir"); | ||
558 | |||
559 | // keep a copy of the user home directory | ||
560 | if (mount(cfg.homedir, WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
561 | errExit("mount bind"); | ||
582 | 562 | ||
563 | // mount tmpfs in the new home | ||
564 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | ||
565 | errExit("mount tmpfs"); | ||
583 | 566 | ||
567 | // create user home directory | ||
568 | if (mkdir(cfg.homedir, 0755) == -1) | ||
569 | errExit("mkdir"); | ||
584 | 570 | ||
571 | // set mode and ownership | ||
572 | if (chown(cfg.homedir, s.st_uid, s.st_gid) == -1) | ||
573 | errExit("chown"); | ||
574 | if (chmod(cfg.homedir, s.st_mode) == -1) | ||
575 | errExit("chmod"); | ||
585 | 576 | ||
577 | // mount user home directory | ||
578 | if (mount(WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
579 | errExit("mount bind"); | ||
586 | 580 | ||
581 | // mask home dir under /run | ||
582 | if (mount("tmpfs", WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | ||
583 | errExit("mount tmpfs"); | ||
584 | } | ||
587 | 585 | ||
588 | // build a basic read-only filesystem | 586 | // build a basic read-only filesystem |
589 | void fs_basic_fs(void) { | 587 | void fs_basic_fs(void) { |
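Review bot: The rewritten sanitize_home assumes cfg.homedir is a direct child of /home: once the tmpfs is mounted on /home, the single-level `mkdir(cfg.homedir, 0755)` fails with ENOENT for a nested path such as /home/group/user and with EEXIST for a home outside /home, and errExit then aborts the sandbox where the old readdir loop just skipped entries that did not match. If cfg.homedir can come from the passwd entry of an arbitrary account (inferred, not visible in this hunk), a guard before fs_build_mnt_dir() such as `if (strncmp(cfg.homedir, "/home/", 6) != 0 || strchr(cfg.homedir + 6, '/') != NULL) { fprintf(stderr, "Warning: home directory is not directly under /home, skipping\n"); return; }` keeps the function on its existing warn-and-return path instead of a hard exit. The stat() result is also never tested with S_ISDIR, so a regular file at cfg.homedir passes the warning check and only fails later at the bind mount. Lastly, `assert(getuid() != 0)` is compiled out under NDEBUG; since the comment says the code only works for regular users, an explicit `if (getuid() == 0) return;` would keep that precondition in a release build.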
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 9203e3d00..b081752f4 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -70,7 +70,7 @@ static void whitelist_path(ProfileEntry *entry) { | |||
70 | exit(1); | 70 | exit(1); |
71 | } | 71 | } |
72 | 72 | ||
73 | if (asprintf(&wfile, "%s/%s", WHITELIST_HOME_DIR, fname) == -1) | 73 | if (asprintf(&wfile, "%s/%s", WHITELIST_HOME_USER_DIR, fname) == -1) |
74 | errExit("asprintf"); | 74 | errExit("asprintf"); |
75 | } | 75 | } |
76 | else if (entry->tmp_dir) { | 76 | else if (entry->tmp_dir) { |
@@ -284,16 +284,16 @@ void fs_whitelist(void) { | |||
284 | 284 | ||
285 | // /home/user | 285 | // /home/user |
286 | if (home_dir) { | 286 | if (home_dir) { |
287 | // keep a copy of real home dir in WHITELIST_HOME_DIR | 287 | // keep a copy of real home dir in WHITELIST_HOME_USER_DIR |
288 | int rv = mkdir(WHITELIST_HOME_DIR, S_IRWXU | S_IRWXG | S_IRWXO); | 288 | int rv = mkdir(WHITELIST_HOME_USER_DIR, S_IRWXU | S_IRWXG | S_IRWXO); |
289 | if (rv == -1) | 289 | if (rv == -1) |
290 | errExit("mkdir"); | 290 | errExit("mkdir"); |
291 | if (chown(WHITELIST_HOME_DIR, getuid(), getgid()) < 0) | 291 | if (chown(WHITELIST_HOME_USER_DIR, getuid(), getgid()) < 0) |
292 | errExit("chown"); | 292 | errExit("chown"); |
293 | if (chmod(WHITELIST_HOME_DIR, 0755) < 0) | 293 | if (chmod(WHITELIST_HOME_USER_DIR, 0755) < 0) |
294 | errExit("chmod"); | 294 | errExit("chmod"); |
295 | 295 | ||
296 | if (mount(cfg.homedir, WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 296 | if (mount(cfg.homedir, WHITELIST_HOME_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
297 | errExit("mount bind"); | 297 | errExit("mount bind"); |
298 | 298 | ||
299 | // mount a tmpfs and initialize /home/user | 299 | // mount a tmpfs and initialize /home/user |
@@ -418,7 +418,7 @@ void fs_whitelist(void) { | |||
418 | 418 | ||
419 | // mask the real home directory, currently mounted on WHITELIST_HOME_DIR | 419 | // mask the real home directory, currently mounted on WHITELIST_HOME_DIR |
420 | if (home_dir) { | 420 | if (home_dir) { |
421 | if (mount("tmpfs", WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 421 | if (mount("tmpfs", WHITELIST_HOME_USER_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
422 | errExit("mount tmpfs"); | 422 | errExit("mount tmpfs"); |
423 | } | 423 | } |
424 | 424 | ||
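Review bot: The comment at line 419 still says the real home is "currently mounted on WHITELIST_HOME_DIR" while the mount on the following line now targets WHITELIST_HOME_USER_DIR, so it should read `// mask the real home directory, currently mounted on WHITELIST_HOME_USER_DIR` to match the rename applied at lines 287 and 296. The masking tmpfs on this line is mounted with `MS_NOSUID | MS_STRICTATIME | MS_REC`, whereas the equivalent mask added to sanitize_home in fs.c in this same commit also passes MS_NODEV; unless the difference is intentional, aligning the flags keeps both masks equally strict. fs_whitelist begins and ends outside this hunk.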
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 238205c04..5dde0bdbd 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -188,8 +188,9 @@ void usage(void) { | |||
188 | printf("\t\tthe new home. All modifications are discarded when the sandbox\n"); | 188 | printf("\t\tthe new home. All modifications are discarded when the sandbox\n"); |
189 | printf("\t\tis closed.\n\n"); | 189 | printf("\t\tis closed.\n\n"); |
190 | 190 | ||
191 | printf("\t--private-dev - create a new /dev directory. Only null, full, zero, tty,\n"); | 191 | printf("\t--private-dev - create a new /dev directory. Only dri, null, full, zero,\n"); |
192 | printf("\t\tpst, ptms, random, urandom and shm devices are available.\n\n"); | 192 | printf("\t\ttty, pst, ptms, random, urandom, log and shm devices are\n"); |
193 | printf("\t\tavailable.\n\n"); | ||
193 | 194 | ||
194 | printf("\t--private-etc=file,directory - build a new /etc in a temporary\n"); | 195 | printf("\t--private-etc=file,directory - build a new /etc in a temporary\n"); |
195 | printf("\t\tfilesystem, and copy the files and directories in the list.\n"); | 196 | printf("\t\tfilesystem, and copy the files and directories in the list.\n"); |
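Review bot: The rewritten device list at line 192 keeps the names `pst` and `ptms`, which match neither the man page updated in the same commit (line 834 of src/man/firejail.txt lists pts and ptmx) nor the example `ls /dev` output there; the line should read `printf("\t\ttty, pts, ptmx, random, urandom, log and shm devices are\n");`. The usage() function starts and ends outside the hunk.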
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index dc518b666..370fce588 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -831,7 +831,7 @@ Example: | |||
831 | $ firejail \-\-private-home=.mozilla firefox | 831 | $ firejail \-\-private-home=.mozilla firefox |
832 | .TP | 832 | .TP |
833 | \fB\-\-private-dev | 833 | \fB\-\-private-dev |
834 | Create a new /dev directory. Only null, full, zero, tty, pts, ptmx, random, urandom and shm devices are available. | 834 | Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available. |
835 | .br | 835 | .br |
836 | 836 | ||
837 | .br | 837 | .br |
@@ -845,7 +845,7 @@ Child process initialized | |||
845 | .br | 845 | .br |
846 | $ ls /dev | 846 | $ ls /dev |
847 | .br | 847 | .br |
848 | full null ptmx pts random shm tty urandom zero | 848 | dri full log null ptmx pts random shm tty urandom zero |
849 | .br | 849 | .br |
850 | $ | 850 | $ |
851 | .TP | 851 | .TP |
@@ -75,6 +75,3 @@ socat ABSTRACT-LISTEN:/tmp/dbus-awBoQTCc,fork UNIX-CONNECT:/tmp/mysock | |||
75 | 75 | ||
76 | 12. help and man for all protocol commands | 76 | 12. help and man for all protocol commands |
77 | 77 | ||
78 | 13. add /dev/log to private dev in help and man | ||
79 | |||
80 | 14. unbound testing \ No newline at end of file | ||