-rw-r--r--RELNOTES1
-rw-r--r--etc/firejail.config8
-rw-r--r--src/firejail/checkcfg.c8
-rw-r--r--src/firejail/firejail.h3
-rw-r--r--src/firejail/main.c168
5 files changed, 115 insertions, 73 deletions
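diff --git a/RELNOTES b/RELNOTES
index d9e4314ba..d59618c7c 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -16,6 +16,7 @@ firejail (0.9.42~rc2) baseline; urgency=low
  * --overlay-clean option
  * --overlay-named=name option
  * --overlay-path=path option
+ * compile time and run time support to disable overlayfs
  * Ubuntu snap support
  * include /dev/snd in --private-dev
  * added mkfile profile command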
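diff --git a/etc/firejail.config b/etc/firejail.config
index 1b8d5f4e3..275bba8e2 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -3,9 +3,6 @@
 # Most features are enabled by default. Use 'yes' or 'no' as configuration
 # values.
 
-# Remount /proc and /sys inside the sandbox, default enabled.
-# remount-proc-sys yes
-
 # Enable or disable bind support, default enabled.
 # bind yes
 
@@ -24,9 +21,14 @@
 # Enable or disable networking features, default enabled.
 # network yes
 
+# Enable or disable overlayfs features, default enabled.
+# overlayfs yes
+
 # Enable --quiet as default every time the sandbox is started. Default disabled.
 # quiet-by-default no
 
+# Remount /proc and /sys inside the sandbox, default enabled.
+# remount-proc-sys yes
 
 # Enable or disable restricted network support, default disabled. If enabled,
 # networking features should also be enabled (network yes).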
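diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index c4a6888a9..fed934434 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -233,6 +233,14 @@ int checkcfg(int val) {
 			else
 				goto errout;
 		}
+		else if (strncmp(ptr, "overlayfs ", 10) == 0) {
+			if (strcmp(ptr + 10, "yes") == 0)
+				cfg_val[CFG_OVERLAYFS] = 1;
+			else if (strcmp(ptr + 10, "no") == 0)
+				cfg_val[CFG_OVERLAYFS] = 0;
+			else
+				goto errout;
+		}
 		else
 			goto errout;
 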
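Review bot: The new `overlayfs` branch only writes `cfg_val[CFG_OVERLAYFS]` when the key is actually present in the file, so the "default enabled" promise made in etc/firejail.config rests entirely on how the array is initialised for the new index 12, and that initialisation is outside this hunk. Please confirm the default for CFG_OVERLAYFS is 1; if the array's initialiser was not extended, an untouched configuration would silently reject every --overlay* option with the new "feature is disabled" error. A short comment above the branch, such as `// absent key keeps the array default (enabled)`, would make that dependency explicit for the next entry added here. checkcfg() starts and ends outside the hunk.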
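diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 067d788a6..98ba8ee3b 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -591,7 +591,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh);
 #define CFG_WHITELIST 9
 #define CFG_XEPHYR_WINDOW_TITLE 10
 #define CFG_REMOUNT_PROC_SYS 11
-#define CFG_MAX 12 // this should always be the last entry
+#define CFG_OVERLAYFS 12
+#define CFG_MAX 13 // this should always be the last entry
 extern char *xephyr_screen;
 extern char *xephyr_extra_params;
 extern char *netfilter_default;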
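diff --git a/src/firejail/main.c b/src/firejail/main.c
index c366390cc..1824765eb 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -266,18 +266,24 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 	}
 #ifdef HAVE_OVERLAYFS
 	else if (strcmp(argv[i], "--overlay-clean") == 0) {
-		char *path;
-		if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1)
-			errExit("asprintf");
-		EUID_ROOT();
-		if (setreuid(0, 0) < 0)
-			errExit("setreuid");
-		if (setregid(0, 0) < 0)
-			errExit("setregid");
-		errno = 0;
-		int rv = remove_directory(path);
-		if (rv) {
-			fprintf(stderr, "Error: cannot removed overlays stored in ~/.firejail directory, errno %d\n", errno);
+		if (checkcfg(CFG_OVERLAYFS)) {
+			char *path;
+			if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1)
+				errExit("asprintf");
+			EUID_ROOT();
+			if (setreuid(0, 0) < 0)
+				errExit("setreuid");
+			if (setregid(0, 0) < 0)
+				errExit("setregid");
+			errno = 0;
+			int rv = remove_directory(path);
+			if (rv) {
+				fprintf(stderr, "Error: cannot removed overlays stored in ~/.firejail directory, errno %d\n", errno);
+				exit(1);
+			}
+		}
+		else {
+			fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n");
 			exit(1);
 		}
 		exit(0);
@@ -1283,78 +1289,103 @@ int main(int argc, char **argv) {
 		}
 #ifdef HAVE_OVERLAYFS
 		else if (strcmp(argv[i], "--overlay") == 0) {
-			if (cfg.chrootdir) {
-				fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
-				exit(1);
+			if (checkcfg(CFG_OVERLAYFS)) {
+				if (cfg.chrootdir) {
+					fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
+					exit(1);
+				}
+				struct stat s;
+				if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+					fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+					exit(1);
+				}
+				arg_overlay = 1;
+				arg_overlay_keep = 1;
+
+				char *subdirname;
+				if (asprintf(&subdirname, "%d", getpid()) == -1)
+					errExit("asprintf");
+				cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
+
+				free(subdirname);
 			}
-			struct stat s;
-			if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
-				fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
-				exit(1);
+			else {
+				fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n");
+				exit(1);
 			}
-			arg_overlay = 1;
-			arg_overlay_keep = 1;
-
-			char *subdirname;
-			if (asprintf(&subdirname, "%d", getpid()) == -1)
-				errExit("asprintf");
-			cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
-
-			free(subdirname);
 		}
 		else if (strncmp(argv[i], "--overlay-named=", 16) == 0) {
-			if (cfg.chrootdir) {
-				fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
-				exit(1);
-			}
-			struct stat s;
-			if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
-				fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
-				exit(1);
+			if (checkcfg(CFG_OVERLAYFS)) {
+				if (cfg.chrootdir) {
+					fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
+					exit(1);
+				}
+				struct stat s;
+				if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+					fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+					exit(1);
+				}
+				arg_overlay = 1;
+				arg_overlay_keep = 1;
+				arg_overlay_reuse = 1;
+
+				char *subdirname = argv[i] + 16;
+				if (subdirname == '\0') {
+					fprintf(stderr, "Error: invalid overlay option\n");
+					exit(1);
+				}
+				cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
 			}
-			arg_overlay = 1;
-			arg_overlay_keep = 1;
-			arg_overlay_reuse = 1;
-
-			char *subdirname = argv[i] + 16;
-			if (subdirname == '\0') {
-				fprintf(stderr, "Error: invalid overlay option\n");
+			else {
+				fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n");
 				exit(1);
 			}
-			cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
+
 		}
 		else if (strncmp(argv[i], "--overlay-path=", 15) == 0) {
-			if (cfg.chrootdir) {
-				fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
-				exit(1);
-			}
-			struct stat s;
-			if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
-				fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
-				exit(1);
+			if (checkcfg(CFG_OVERLAYFS)) {
+				if (cfg.chrootdir) {
+					fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
+					exit(1);
+				}
+				struct stat s;
+				if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+					fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+					exit(1);
+				}
+				arg_overlay = 1;
+				arg_overlay_keep = 1;
+				arg_overlay_reuse = 1;
+
+				char *dirname = argv[i] + 15;
+				if (dirname == '\0') {
+					fprintf(stderr, "Error: invalid overlay option\n");
+					exit(1);
+				}
+				cfg.overlay_dir = expand_home(dirname, cfg.homedir);
 			}
-			arg_overlay = 1;
-			arg_overlay_keep = 1;
-			arg_overlay_reuse = 1;
-
-			char *dirname = argv[i] + 15;
-			if (dirname == '\0') {
-				fprintf(stderr, "Error: invalid overlay option\n");
+			else {
+				fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n");
 				exit(1);
 			}
-			cfg.overlay_dir = expand_home(dirname, cfg.homedir);
 		}
 		else if (strcmp(argv[i], "--overlay-tmpfs") == 0) {
-			if (cfg.chrootdir) {
-				fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
-				exit(1);
+			if (checkcfg(CFG_OVERLAYFS)) {
+				if (cfg.chrootdir) {
+					fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
+					exit(1);
+				}
+				struct stat s;
+				if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+					fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+					exit(1);
+				}
+				arg_overlay = 1;
 			}
-			struct stat s;
-			if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
-				fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
-				exit(1);
+			else {
+				fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n");
+				exit(1);
 			}
-			arg_overlay = 1;
 		}
 #endif
 		else if (strncmp(argv[i], "--profile=", 10) == 0) {
@@ -1477,7 +1508,6 @@ int main(int argc, char **argv) {
 				fprintf(stderr, "Error: --chroot feature is disabled in Firejail configuration file\n");
 				exit(1);
 			}
-
 		}
 #endif
 		else if (strcmp(argv[i], "--writable-etc") == 0) {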
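Review bot: `if (subdirname == '\0')` (new line 1333) and `if (dirname == '\0')` (new line 1361) compare the pointer itself against a null pointer constant, and since `argv[i] + 16` / `argv[i] + 15` can never be NULL the empty-name check is dead code, so a bare `--overlay-named=` or `--overlay-path=` reaches fs_check_overlay_dir / expand_home with an empty string. The check is carried over unchanged from the old side, so the commit does not introduce it, but re-indenting these blocks is the right moment to fix it: `if (*subdirname == '\0') {` and `if (*dirname == '\0') {`. Building with -Wall should already warn about the pointer/integer comparison on both lines. main() begins and ends outside the hunk.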