-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | Makefile.in | 4 | ||||
-rw-r--r-- | README | 2 | ||||
-rwxr-xr-x | configure | 3 | ||||
-rw-r--r-- | configure.ac | 2 | ||||
-rw-r--r-- | etc/firejail.config | 2 | ||||
-rwxr-xr-x | platform/rpm/old-mkrpm.sh | 2 | ||||
-rw-r--r-- | src/firejail/fs_trace.c | 3 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 8 | ||||
-rw-r--r-- | src/libconnect/Makefile.in | 25 | ||||
-rw-r--r-- | src/libconnect/libconnect.c | 66 |
11 files changed, 11 insertions, 107 deletions
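--- a/.gitignore
+++ b/.gitignore
@@ -6,6 +6,7 @@
 *.gcda
 *.gcno
 Makefile
+autom4te.cache/
 config.log
 config.status
 firejail-login.5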
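--- a/Makefile.in
+++ b/Makefile.in
@@ -1,6 +1,6 @@
 all: apps man filters
 MYLIBS = src/lib
-APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libconnect src/fnet src/fseccomp src/fcopy
+APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fcopy
 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
 SECCOMP_FILTERS = seccomp seccomp.i386 seccomp.amd64
 
@@ -79,7 +79,6 @@ realinstall:
 install -m 0755 -d $(DESTDIR)/$(libdir)/firejail
 install -c -m 0644 src/libtrace/libtrace.so $(DESTDIR)/$(libdir)/firejail/.
 install -c -m 0644 src/libtracelog/libtracelog.so $(DESTDIR)/$(libdir)/firejail/.
-install -c -m 0644 src/libconnect/libconnect.so $(DESTDIR)/$(libdir)/firejail/.
 install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/.
 install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/.
 install -c -m 0755 src/fgit/fgit-install.sh $(DESTDIR)/$(libdir)/firejail/.
@@ -142,7 +141,6 @@ install-strip: all
 strip src/firecfg/firecfg
 strip src/libtrace/libtrace.so
 strip src/libtracelog/libtracelog.so
-strip src/libconnect/libconnect.so
 strip src/ftee/ftee
 strip src/faudit/faudit
 strip src/fnet/fnet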
@@ -101,6 +101,8 @@ valoq (https://github.com/valoq) | |||
101 | - added wget profile | 101 | - added wget profile |
102 | - disable gnupg and systemd directories under /run/user | 102 | - disable gnupg and systemd directories under /run/user |
103 | - added iridium browser profile | 103 | - added iridium browser profile |
104 | Zack Weinberg (https://github.com/zackw) | ||
105 | - removed libconnect | ||
104 | Igor Bukanov (https://github.com/ibukanov) | 106 | Igor Bukanov (https://github.com/ibukanov) |
105 | - found/fiixed privilege escalation in --hosts-file option | 107 | - found/fiixed privilege escalation in --hosts-file option |
106 | Cat (https://github.com/ecat3) | 108 | Cat (https://github.com/ecat3) |
@@ -3793,7 +3793,7 @@ if test "$prefix" = /usr; then | |||
3793 | sysconfdir="/etc" | 3793 | sysconfdir="/etc" |
3794 | fi | 3794 | fi |
3795 | 3795 | ||
3796 | ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile src/fseccomp/Makefile" | 3796 | ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile" |
3797 | 3797 | ||
3798 | cat >confcache <<\_ACEOF | 3798 | cat >confcache <<\_ACEOF |
3799 | # This file is a shell script that caches the results of configure | 3799 | # This file is a shell script that caches the results of configure |
@@ -4513,7 +4513,6 @@ do | |||
4513 | "src/firecfg/Makefile") CONFIG_FILES="$CONFIG_FILES src/firecfg/Makefile" ;; | 4513 | "src/firecfg/Makefile") CONFIG_FILES="$CONFIG_FILES src/firecfg/Makefile" ;; |
4514 | "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;; | 4514 | "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;; |
4515 | "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;; | 4515 | "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;; |
4516 | "src/libconnect/Makefile") CONFIG_FILES="$CONFIG_FILES src/libconnect/Makefile" ;; | ||
4517 | "src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;; | 4516 | "src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;; |
4518 | 4517 | ||
4519 | *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; | 4518 | *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; |
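--- a/configure.ac
+++ b/configure.ac
@@ -168,7 +168,7 @@ fi
 
 AC_OUTPUT(Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile \
 src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile \
-src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile src/fseccomp/Makefile)
+src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile)
 
 echo
 echo "Configuration options:"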
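--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -85,6 +85,6 @@
 # Firejail window title in Xephyr, default enabled.
 # xephyr-window-title yes
 
-# Xephyr command extra parameters. None by default, and the declaration is commented out.
+# Xephyr command extra parameters. None by default; these are examples.
 # xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
 # xephyr-extra-params -grayscale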
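--- a/platform/rpm/old-mkrpm.sh
+++ b/platform/rpm/old-mkrpm.sh
@@ -24,7 +24,6 @@ install -m 755 /usr/lib/firejail/fshaper.sh firejail-$VERSION/usr/lib/firejail/
 install -m 755 /usr/lib/firejail/ftee firejail-$VERSION/usr/lib/firejail/.
 install -m 644 /usr/lib/firejail/libtrace.so firejail-$VERSION/usr/lib/firejail/.
 install -m 644 /usr/lib/firejail/libtracelog.so firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/libconnect.so firejail-$VERSION/usr/lib/firejail/.
 
 mkdir -p firejail-$VERSION/usr/share/man/man1
 install -m 644 /usr/share/man/man1/firejail.1.gz firejail-$VERSION/usr/share/man/man1/.
@@ -436,7 +435,6 @@ rm -rf %{buildroot}
 
 /usr/lib/firejail/libtrace.so
 /usr/lib/firejail/libtracelog.so
-/usr/lib/firejail/libconnect.so
 /usr/lib/firejail/faudit
 /usr/lib/firejail/ftee
 /usr/lib/firejail/firecfg.config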
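--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -60,9 +60,6 @@ void fs_trace(void) {
 printf("Blacklist violations are logged to syslog\n");
 }
 
-if (mask_x11_abstract_socket)
-fprintf(fp, "%s/firejail/libconnect.so\n", LIBDIR);
-
 SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
 fclose(fp);
 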
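--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -585,7 +585,7 @@ int sandbox(void* sandbox_arg) {
 #endif
 
 // trace pre-install
-if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
+if (arg_trace || arg_tracelog)
 fs_trace_preload();
 
 // store hosts file
@@ -622,7 +622,7 @@ int sandbox(void* sandbox_arg) {
 //****************************
 // trace pre-install, this time inside chroot
 //****************************
-if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
+if (arg_trace || arg_tracelog)
 fs_trace_preload();
 }
 else
@@ -685,7 +685,7 @@ int sandbox(void* sandbox_arg) {
 else {
 fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep);
 // create /etc/ld.so.preload file again
-if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
+if (arg_trace || arg_tracelog)
 fs_trace_preload();
 }
 }
@@ -781,7 +781,7 @@ int sandbox(void* sandbox_arg) {
 //****************************
 // install trace
 //****************************
-if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
+if (arg_trace || arg_tracelog)
 fs_trace();
 
 //****************************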
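Review bot: The four rewritten conditions at file lines 588, 625, 688 and 784 stop `mask_x11_abstract_socket` from driving the ld.so.preload setup, but nothing in this commit shows what now enforces that flag, so a reader of sandbox() cannot tell whether abstract X11 socket masking still happens or has silently become a no-op. If the intent is that the kernel-enforced network namespace replaces the preloaded connect() wrapper (which any static binary or direct syscall could bypass), say so once at the first site, e.g. `// mask_x11_abstract_socket is no longer enforced via LD_PRELOAD; the network namespace blocks the abstract X11 socket instead -- TODO confirm`. It is also worth checking that the flag is still read somewhere outside this file, otherwise it is now a dead global that should be removed in the same change. sandbox() starts and ends outside these hunks.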
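--- a/src/libconnect/Makefile.in
+++ /dev/null
@@ -1,25 +0,0 @@
-PREFIX=@prefix@
-VERSION=@PACKAGE_VERSION@
-NAME=@PACKAGE_NAME@
-HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
-
-H_FILE_LIST = $(sort $(wildcard *.[h]))
-C_FILE_LIST = $(sort $(wildcard *.c))
-OBJS = $(C_FILE_LIST:.c=.o)
-BINOBJS = $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
-LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
-
-all: libconnect.so
-
-%.o : %.c $(H_FILE_LIST)
-$(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
-
-libconnect.so: $(OBJS)
-$(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
-
-
-clean:; rm -f $(OBJS) libconnect.so
-
-distclean: clean
-rm -fr Makefile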
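--- a/src/libconnect/libconnect.c
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * Copyright (C) 2014-2017 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#define _GNU_SOURCE
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <dlfcn.h>
-#include <sys/types.h>
-#include <unistd.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <sys/un.h>
-#include <sys/stat.h>
-#include <dirent.h>
-#include <errno.h>
-
-//#define DEBUG
-
-//static int check_sockaddr(int sockfd, const char *call, const struct sockaddr *addr, int rv) {
-static int check_sockaddr(const struct sockaddr *addr) {
-if (addr->sa_family == AF_UNIX) {
-struct sockaddr_un *a = (struct sockaddr_un *) addr;
-if (a->sun_path[0] == '\0' && strstr(a->sun_path + 1, "X11-unix")) {
-// printf("@%s\n", a->sun_path + 1);
-errno = ENOENT;
-return -1;
-}
-}
-
-return 0;
-}
-
-//
-// syscalls
-//
-
-// connect
-typedef int (*orig_connect_t)(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
-static orig_connect_t orig_connect = NULL;
-int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
-if (!orig_connect)
-orig_connect = (orig_connect_t)dlsym(RTLD_NEXT, "connect");
-
-if (check_sockaddr(addr) == -1)
-return -1;
-
-return orig_connect(sockfd, addr, addrlen);
-}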