42 files changed, 1265 insertions, 100 deletions
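--- a/.gitignore
+++ b/.gitignore
@@ -22,6 +22,7 @@ firejail-users.5
 firejail.1
 firemon.1
 firecfg.1
+jailtest.5
 mkdeb.sh
 src/firejail/firejail
 src/firemon/firemon
@@ -40,6 +41,7 @@ src/fbuilder/fbuilder
 src/profstats/profstats
 src/bash_completion/firejail.bash_completion
 src/zsh_completion/_firejail
+src/jailtest/jailtest
 uids.h
 seccomp
 seccomp.debug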
diff --git a/Makefile.in b/Makefile.in index 593afdacf..b0deee03b 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -23,13 +23,13 @@ endif | |||
23 | 23 | ||
24 | COMPLETIONDIRS = src/zsh_completion src/bash_completion | 24 | COMPLETIONDIRS = src/zsh_completion src/bash_completion |
25 | all: all_items mydirs $(MAN_TARGET) filters | 25 | all: all_items mydirs $(MAN_TARGET) filters |
26 | APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats | 26 | APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailtest/jailtest |
27 | SBOX_APPS = src/faudit/faudit src/fbuilder/fbuilder src/ftee/ftee | 27 | SBOX_APPS = src/faudit/faudit src/fbuilder/fbuilder src/ftee/ftee |
28 | SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter | 28 | SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter |
29 | MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS) | 29 | MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS) |
30 | MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so | 30 | MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so |
31 | COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion | 31 | COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion |
32 | MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 | 32 | MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailtest.5 |
33 | SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp | 33 | SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp |
34 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 | 34 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 |
35 | ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS) | 35 | ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS) |
@@ -109,6 +109,8 @@ endif | |||
109 | install -m 0755 src/firemon/firemon $(DESTDIR)$(bindir) | 109 | install -m 0755 src/firemon/firemon $(DESTDIR)$(bindir) |
110 | # firecfg executable | 110 | # firecfg executable |
111 | install -m 0755 src/firecfg/firecfg $(DESTDIR)$(bindir) | 111 | install -m 0755 src/firecfg/firecfg $(DESTDIR)$(bindir) |
112 | # jailtest executable | ||
113 | install -m 0755 src/jailtest/jailtest $(DESTDIR)$(bindir) | ||
112 | # libraries and plugins | 114 | # libraries and plugins |
113 | install -m 0755 -d $(DESTDIR)$(libdir)/firejail | 115 | install -m 0755 -d $(DESTDIR)$(libdir)/firejail |
114 | install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config | 116 | install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config |
@@ -177,6 +179,7 @@ uninstall: | |||
177 | rm -f $(DESTDIR)$(bindir)/firemon | 179 | rm -f $(DESTDIR)$(bindir)/firemon |
178 | rm -f $(DESTDIR)$(bindir)/firecfg | 180 | rm -f $(DESTDIR)$(bindir)/firecfg |
179 | rm -fr $(DESTDIR)$(libdir)/firejail | 181 | rm -fr $(DESTDIR)$(libdir)/firejail |
182 | rm -fr $(DESTDIR)$(libdir)/jailtest | ||
180 | rm -fr $(DESTDIR)$(datarootdir)/doc/firejail | 183 | rm -fr $(DESTDIR)$(datarootdir)/doc/firejail |
181 | for man in $(MANPAGES); do \ | 184 | for man in $(MANPAGES); do \ |
182 | rm -f $(DESTDIR)$(mandir)/man5/$$man*; \ | 185 | rm -f $(DESTDIR)$(mandir)/man5/$$man*; \ |
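Review bot: The uninstall hunk removes `$(DESTDIR)$(libdir)/jailtest`, but the install hunk puts the binary in `$(DESTDIR)$(bindir)` (`install -m 0755 src/jailtest/jailtest $(DESTDIR)$(bindir)`), so `make uninstall` leaves the jailtest executable installed and deletes a directory nothing creates. The line should be `rm -f $(DESTDIR)$(bindir)/jailtest`, matching the firemon and firecfg lines directly above it. Separately, MANPAGES gains `jailtest.5` and platform/rpm/firejail.spec lists `%{_mandir}/man5/jailtest.5.gz`, while the page text pasted into the README renders as `JAILTEST(1)`; one of the two section numbers looks wrong and the three places should agree. Both the install and the uninstall recipes continue outside these hunks.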
@@ -44,9 +44,10 @@ Committers | |||
44 | - Fred-Barclay (https://github.com/Fred-Barclay) | 44 | - Fred-Barclay (https://github.com/Fred-Barclay) |
45 | - Kelvin M. Klann (https://github.com/kmk3) | 45 | - Kelvin M. Klann (https://github.com/kmk3) |
46 | - Kristóf Marussy (https://github.com/kris7t) | 46 | - Kristóf Marussy (https://github.com/kris7t) |
47 | - Neo00001 (https://github.com/Neo00001) | ||
47 | - Reiner Herrmann (https://github.com/reinerh - Debian/Ubuntu maintainer) | 48 | - Reiner Herrmann (https://github.com/reinerh - Debian/Ubuntu maintainer) |
48 | - rusty-snake (https://github.com/rusty-snake) | 49 | - rusty-snake (https://github.com/rusty-snake) |
49 | - smithsohu (https://github.com/smitsohu) | 50 | - smitsohu (https://github.com/smitsohu) |
50 | - SkewedZeppelin (https://github.com/SkewedZeppelin) | 51 | - SkewedZeppelin (https://github.com/SkewedZeppelin) |
51 | - startx2017 (https://github.com/startx2017) - LTS and *bugfixes branches maintainer) | 52 | - startx2017 (https://github.com/startx2017) - LTS and *bugfixes branches maintainer) |
52 | - Topi Miettinen (https://github.com/topimiettinen) | 53 | - Topi Miettinen (https://github.com/topimiettinen) |
@@ -198,7 +198,100 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
198 | Milestone page: https://github.com/netblue30/firejail/milestone/1 | 198 | Milestone page: https://github.com/netblue30/firejail/milestone/1 |
199 | Release discussion: https://github.com/netblue30/firejail/issues/3696 | 199 | Release discussion: https://github.com/netblue30/firejail/issues/3696 |
200 | 200 | ||
201 | ### jailtest | ||
202 | ````` | ||
203 | JAILTEST(1) JAILTEST man page JAILTEST(1) | ||
204 | |||
205 | NAME | ||
206 | jailtest - Simple utility program to test running sandboxes | ||
207 | |||
208 | SYNOPSIS | ||
209 | sudo jailtest [OPTIONS] [directory] | ||
210 | |||
211 | DESCRIPTION | ||
212 | WORK IN PROGRESS! jailtest attaches itself to all sandboxes started by | ||
213 | the user and performs some basic tests on the sandbox filesystem: | ||
214 | |||
215 | 1. Virtual directories | ||
216 | jailtest extracts a list with the main virtual directories in‐ | ||
217 | stalled by the sandbox. These directories are build by firejail | ||
218 | at startup using --private* and --whitelist commands. | ||
219 | |||
220 | 2. Noexec test | ||
221 | jailtest inserts executable programs in /home/username, /tmp, | ||
222 | and /var/tmp directories and tries to run them form inside the | ||
223 | sandbox, thus testing if the directory is executable or not. | ||
224 | |||
225 | 3. Read access test | ||
226 | jailtest creates test files in the directories specified by the | ||
227 | user and tries to read them from inside the sandbox. | ||
228 | |||
229 | 4. AppArmor test | ||
230 | |||
231 | 5. Seccomp test | ||
232 | |||
233 | The program is started as root using sudo. | ||
234 | |||
235 | OPTIONS | ||
236 | --debug | ||
237 | Print debug messages | ||
238 | |||
239 | -?, --help | ||
240 | Print options end exit. | ||
241 | |||
242 | --version | ||
243 | Print program version and exit. | ||
201 | 244 | ||
245 | [directory] | ||
246 | One or more directories in user home to test for read access. | ||
247 | ~/.ssh and ~/.gnupg are tested by default. | ||
248 | |||
249 | OUTPUT | ||
250 | For each sandbox detected we print the following line: | ||
251 | |||
252 | PID:USER:Sandbox Name:Command | ||
253 | |||
254 | It is followed by relevant sandbox information, such as the virtual di‐ | ||
255 | rectories and various warnings. | ||
256 | |||
257 | EXAMPLE | ||
258 | $ sudo jailtest | ||
259 | 2014:netblue::firejail /usr/bin/gimp | ||
260 | Virtual dirs: /tmp, /var/tmp, /dev, /usr/share, | ||
261 | Warning: I can run programs in /home/netblue | ||
262 | |||
263 | 2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net | ||
264 | Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000, | ||
265 | Warning: I can read ~/.ssh | ||
266 | |||
267 | 2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.ap‐ | ||
268 | pimage | ||
269 | Virtual dirs: /tmp, /var/tmp, /dev, | ||
270 | |||
271 | 26090:netblue::/usr/bin/firejail /opt/firefox/firefox | ||
272 | Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share, | ||
273 | /run/user/1000, | ||
274 | |||
275 | 26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor | ||
276 | Warning: AppArmor not enabled | ||
277 | Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin, | ||
278 | /usr/share, /run/user/1000, | ||
279 | Warning: I can run programs in /home/netblue | ||
280 | |||
281 | LICENSE | ||
282 | This program is free software; you can redistribute it and/or modify it | ||
283 | under the terms of the GNU General Public License as published by the | ||
284 | Free Software Foundation; either version 2 of the License, or (at your | ||
285 | option) any later version. | ||
286 | |||
287 | Homepage: https://firejail.wordpress.com | ||
288 | |||
289 | SEE ALSO | ||
290 | firejail(1), firemon(1), firecfg(1), firejail-profile(5), firejail-lo‐ | ||
291 | gin(5), firejail-users(5), | ||
292 | |||
293 | 0.9.65 Feb 2021 JAILTEST(1) | ||
294 | ````` | ||
202 | 295 | ||
203 | ### Profile Statistics | 296 | ### Profile Statistics |
204 | 297 | ||
@@ -210,31 +303,31 @@ $ ./profstats *.profile | |||
210 | Warning: multiple caps in transmission-daemon.profile | 303 | Warning: multiple caps in transmission-daemon.profile |
211 | 304 | ||
212 | Stats: | 305 | Stats: |
213 | profiles 1064 | 306 | profiles 1077 |
214 | include local profile 1064 (include profile-name.local) | 307 | include local profile 1077 (include profile-name.local) |
215 | include globals 1064 (include globals.local) | 308 | include globals 1077 (include globals.local) |
216 | blacklist ~/.ssh 959 (include disable-common.inc) | 309 | blacklist ~/.ssh 971 (include disable-common.inc) |
217 | seccomp 975 | 310 | seccomp 988 |
218 | capabilities 1063 | 311 | capabilities 1076 |
219 | noexec 944 (include disable-exec.inc) | 312 | noexec 960 (include disable-exec.inc) |
220 | memory-deny-write-execute 229 | 313 | memory-deny-write-execute 231 |
221 | apparmor 605 | 314 | apparmor 621 |
222 | private-bin 564 | 315 | private-bin 571 |
223 | private-dev 932 | 316 | private-dev 949 |
224 | private-etc 462 | 317 | private-etc 470 |
225 | private-tmp 823 | 318 | private-tmp 835 |
226 | whitelist home directory 502 | 319 | whitelist home directory 508 |
227 | whitelist var 744 (include whitelist-var-common.inc) | 320 | whitelist var 758 (include whitelist-var-common.inc) |
228 | whitelist run/user 461 (include whitelist-runuser-common.inc | 321 | whitelist run/user 539 (include whitelist-runuser-common.inc |
229 | or blacklist ${RUNUSER}) | 322 | or blacklist ${RUNUSER}) |
230 | whitelist usr/share 451 (include whitelist-usr-share-common.inc | 323 | whitelist usr/share 526 (include whitelist-usr-share-common.inc |
231 | net none 345 | 324 | net none 354 |
232 | dbus-user none 564 | 325 | dbus-user none 573 |
233 | dbus-user filter 85 | 326 | dbus-user filter 86 |
234 | dbus-system none 696 | 327 | dbus-system none 706 |
235 | dbus-system filter 7 | 328 | dbus-system filter 7 |
236 | ``` | 329 | ``` |
237 | 330 | ||
238 | ### New profiles: | 331 | ### New profiles: |
239 | 332 | ||
240 | vmware-view, display-im6.q16 | 333 | vmware-view, display-im6.q16, ipcalc, ipcalc-ng, ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop |
@@ -1,7 +1,8 @@ | |||
1 | firejail (0.9.65) baseline; urgency=low | 1 | firejail (0.9.65) baseline; urgency=low |
2 | * filtering environment variables | 2 | * filtering environment variables |
3 | * zsh completion | 3 | * zsh completion |
4 | * new profiles: vmware-view, display-im6.q16 | 4 | * new profiles: vmware-view, display-im6.q16, ipcalc, ipcalc-ng |
5 | * ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop | ||
5 | -- netblue30 <netblue30@yahoo.com> Tue, 9 Feb 2021 09:00:00 -0500 | 6 | -- netblue30 <netblue30@yahoo.com> Tue, 9 Feb 2021 09:00:00 -0500 |
6 | 7 | ||
7 | firejail (0.9.64.4) baseline; urgency=low | 8 | firejail (0.9.64.4) baseline; urgency=low |
@@ -4269,7 +4269,7 @@ fi | |||
4269 | 4269 | ||
4270 | ac_config_files="$ac_config_files mkdeb.sh" | 4270 | ac_config_files="$ac_config_files mkdeb.sh" |
4271 | 4271 | ||
4272 | ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile" | 4272 | ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile src/jailtest/Makefile" |
4273 | 4273 | ||
4274 | cat >confcache <<\_ACEOF | 4274 | cat >confcache <<\_ACEOF |
4275 | # This file is a shell script that caches the results of configure | 4275 | # This file is a shell script that caches the results of configure |
@@ -5000,7 +5000,10 @@ do | |||
5000 | "src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;; | 5000 | "src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;; |
5001 | "src/profstats/Makefile") CONFIG_FILES="$CONFIG_FILES src/profstats/Makefile" ;; | 5001 | "src/profstats/Makefile") CONFIG_FILES="$CONFIG_FILES src/profstats/Makefile" ;; |
5002 | "src/man/Makefile") CONFIG_FILES="$CONFIG_FILES src/man/Makefile" ;; | 5002 | "src/man/Makefile") CONFIG_FILES="$CONFIG_FILES src/man/Makefile" ;; |
5003 | "src/zsh_completion/Makefile") CONFIG_FILES="$CONFIG_FILES src/zsh_completion/Makefile" ;; | ||
5004 | "src/bash_completion/Makefile") CONFIG_FILES="$CONFIG_FILES src/bash_completion/Makefile" ;; | ||
5003 | "test/Makefile") CONFIG_FILES="$CONFIG_FILES test/Makefile" ;; | 5005 | "test/Makefile") CONFIG_FILES="$CONFIG_FILES test/Makefile" ;; |
5006 | "src/jailtest/Makefile") CONFIG_FILES="$CONFIG_FILES src/jailtest/Makefile" ;; | ||
5004 | 5007 | ||
5005 | *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; | 5008 | *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; |
5006 | esac | 5009 | esac |
diff --git a/configure.ac b/configure.ac index aa2d0fb6b..b2e9a7b86 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -234,7 +234,8 @@ AC_CONFIG_FILES([mkdeb.sh], [chmod +x mkdeb.sh]) | |||
234 | AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \ | 234 | AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \ |
235 | src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \ | 235 | src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \ |
236 | src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \ | 236 | src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \ |
237 | src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile) | 237 | src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile \ |
238 | src/jailtest/Makefile) | ||
238 | 239 | ||
239 | echo | 240 | echo |
240 | echo "Configuration options:" | 241 | echo "Configuration options:" |
diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default index 397bf753b..80d527e41 100644 --- a/etc/apparmor/firejail-default +++ b/etc/apparmor/firejail-default | |||
@@ -126,43 +126,14 @@ signal (receive), | |||
126 | # We let Firejail deal with capabilities, but ensure that | 126 | # We let Firejail deal with capabilities, but ensure that |
127 | # some AppArmor related capabilities will not be available. | 127 | # some AppArmor related capabilities will not be available. |
128 | ########## | 128 | ########## |
129 | capability checkpoint_restore, | 129 | # The list of recognized capabilities varies from one apparmor version to another. |
130 | capability perfmon, | 130 | # For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available |
131 | capability bpf, | 131 | # We allow all caps by default and remove the ones we don't like: |
132 | capability chown, | 132 | capability, |
133 | capability dac_override, | 133 | deny capability audit_write, |
134 | capability dac_read_search, | 134 | deny capability audit_control, |
135 | capability fowner, | 135 | deny capability mac_override, |
136 | capability fsetid, | 136 | deny capability mac_admin, |
137 | capability kill, | ||
138 | capability setgid, | ||
139 | capability setuid, | ||
140 | capability setpcap, | ||
141 | capability linux_immutable, | ||
142 | capability net_bind_service, | ||
143 | capability net_broadcast, | ||
144 | capability net_admin, | ||
145 | capability net_raw, | ||
146 | capability ipc_lock, | ||
147 | capability ipc_owner, | ||
148 | capability sys_module, | ||
149 | capability sys_rawio, | ||
150 | capability sys_chroot, | ||
151 | capability sys_ptrace, | ||
152 | capability sys_pacct, | ||
153 | capability sys_admin, | ||
154 | capability sys_boot, | ||
155 | capability sys_nice, | ||
156 | capability sys_resource, | ||
157 | capability sys_time, | ||
158 | capability sys_tty_config, | ||
159 | capability mknod, | ||
160 | capability lease, | ||
161 | #capability audit_write, | ||
162 | #capability audit_control, | ||
163 | capability setfcap, | ||
164 | #capability mac_override, | ||
165 | #capability mac_admin, | ||
166 | 137 | ||
167 | # Site-specific additions and overrides. See local/README for details. | 138 | # Site-specific additions and overrides. See local/README for details. |
168 | #include <local/firejail-default> | 139 | #include <local/firejail-default> |
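Review bot: The bare `capability,` rule grants every capability the AppArmor parser knows, not only those the removed list named; syslog, wake_alarm, block_suspend and audit_read were absent from the old allow list and are now permitted, while only audit_write, audit_control, mac_override and mac_admin get `deny` rules. If that widening is intentional (the header says Firejail's own caps filtering is the primary control) the new comment should say so explicitly; if not, `deny capability` lines for the missing names are the fix, with the caveat the new comment itself raises, that an AppArmor version which does not recognise a name will presumably reject the rule. A sentence such as `# syslog/wake_alarm/block_suspend/audit_read are intentionally left to Firejail's caps filter` after line 131 would settle it either way.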
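--- a/etc/profile-a-l/dosbox.profile
+++ b/etc/profile-a-l/dosbox.profile
@@ -11,14 +11,17 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -36,3 +39,6 @@ tracelog
 private-bin dosbox
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none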
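--- /dev/null
+++ b/etc/profile-a-l/ebook-convert.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for calibre
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ebook-convert.local
+
+net none
+dbus-user none
+dbus-system none
+
+# Redirect
+include calibre.profile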
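Review bot: The four new calibre alias profiles (ebook-convert, ebook-edit, ebook-meta, ebook-polish) omit the header block the other alias profiles added in this commit carry: there is no `# Persistent global definitions` / `# added by included profile` / `#include globals.local` trio as in ipcalc-ng.profile and lzop.profile, and no `quiet` line. Adding those three comment lines after `include ebook-convert.local` keeps the redirect profiles uniform and tells a reader where globals.local comes from. Whether `quiet` is wanted depends on calibre.profile, which is not in this diff; if it is deliberately left out, a one-line comment saying so would stop the next contributor from adding it. The same applies to the three sibling files.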
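--- /dev/null
+++ b/etc/profile-a-l/ebook-edit.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for calibre
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ebook-edit.local
+
+net none
+dbus-user none
+dbus-system none
+
+# Redirect
+include calibre.profile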
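--- /dev/null
+++ b/etc/profile-a-l/ebook-meta.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for calibre
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ebook-meta.local
+
+net none
+dbus-user none
+dbus-system none
+
+# Redirect
+include calibre.profile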
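--- /dev/null
+++ b/etc/profile-a-l/ebook-polish.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for calibre
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ebook-polish.local
+
+net none
+dbus-user none
+dbus-system none
+
+# Redirect
+include calibre.profile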
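--- /dev/null
+++ b/etc/profile-a-l/ipcalc-ng.profile
@@ -0,0 +1,11 @@
+# Firejail profile ipcalc-ng
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ipcalc-ng.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include ipcalc.profile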
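--- /dev/null
+++ b/etc/profile-a-l/ipcalc.profile
@@ -0,0 +1,62 @@
+# Firejail profile for ipcalc
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ipcalc.local
+# Persistent global definitions
+include globals.local
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+# include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+# machine-id
+net none
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+# protocol unix
+seccomp
+shell none
+# tracelog
+
+disable-mnt
+private
+private-bin bash,ipcalc,ipcalc-ng,perl,sh
+# private-cache
+private-dev
+# empty etc directory
+private-etc none
+private-lib
+private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none
+
+# memory-deny-write-execute
+# read-only ${HOME}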
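Review bot: `private-bin bash,ipcalc,ipcalc-ng,perl,sh` together with the commented-out `# include disable-shell.inc` leaves two shells available inside a sandbox for a subnet calculator, and nothing in the profile records why; presumably one of the two binaries is a shell-script wrapper, but that cannot be verified from the profile itself. The `include allow-perl.inc` line is the pattern to follow, since it carries its reason in the comment above it; a matching line on the shell exception, e.g. `# sh/bash needed because <reason>; disable-shell.inc stays off`, with the real reason filled in, would let a maintainer tighten the list once that reason no longer holds. The same comment could note whether `ipcalc-ng` is listed only because ipcalc-ng.profile redirects here.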
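--- /dev/null
+++ b/etc/profile-a-l/lzop.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lzop
+# Description: File compressor using lzo lib
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lzop.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile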
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile index 6f74e6da3..c6c50cf47 100644 --- a/etc/profile-m-z/man.profile +++ b/etc/profile-m-z/man.profile | |||
@@ -29,6 +29,7 @@ whitelist /usr/share/locale | |||
29 | whitelist /usr/share/man | 29 | whitelist /usr/share/man |
30 | whitelist /var/cache/man | 30 | whitelist /var/cache/man |
31 | include whitelist-common.inc | 31 | include whitelist-common.inc |
32 | include whitelist-runuser-common.inc | ||
32 | include whitelist-usr-share-common.inc | 33 | include whitelist-usr-share-common.inc |
33 | include whitelist-var-common.inc | 34 | include whitelist-var-common.inc |
34 | 35 | ||
@@ -53,7 +54,7 @@ tracelog | |||
53 | x11 none | 54 | x11 none |
54 | 55 | ||
55 | disable-mnt | 56 | disable-mnt |
56 | private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim | 57 | #private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim |
57 | private-cache | 58 | private-cache |
58 | private-dev | 59 | private-dev |
59 | private-etc alternatives,fonts,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg | 60 | private-etc alternatives,fonts,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg |
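Review bot: Commenting out `private-bin apropos,bash,cat,...` drops the executable allow-list for the man sandbox and the hunk gives no reason, while the profile convention used elsewhere in this commit (`# Allow perl (blacklisted by disable-interpreters.inc)`) is to state why a restriction is relaxed. A comment above the disabled line naming what broke, with a placeholder such as `# private-bin disabled: <tool> missing on <distro>, see <issue>`, would let the list be restored or extended later instead of staying off by inertia. Extending the list with the missing helper is usually preferable to removing it; whether that was tried is not visible here. Note the same commit enables `man` in firecfg.config, so this looser profile is what firecfg users will get by default.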
diff --git a/etc/profile-m-z/patch.profile b/etc/profile-m-z/patch.profile index 46a84372c..b034efde9 100644 --- a/etc/profile-m-z/patch.profile +++ b/etc/profile-m-z/patch.profile | |||
@@ -43,7 +43,7 @@ x11 none | |||
43 | 43 | ||
44 | private-bin patch,red | 44 | private-bin patch,red |
45 | private-dev | 45 | private-dev |
46 | private-lib libfakeroot | 46 | private-lib libdl.so.*,libfakeroot |
47 | 47 | ||
48 | dbus-user none | 48 | dbus-user none |
49 | dbus-system none | 49 | dbus-system none |
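--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -6,7 +6,6 @@ include signal-desktop.local
 include globals.local
 
 # Disabled until someone reported positive feedback
-ignore include-xdg.inc
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 ignore private-cache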
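--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -24,6 +24,7 @@ whitelist ${RUNUSER}/keyring/ssh
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 netfilter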
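--- a/etc/profile-m-z/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -15,6 +15,9 @@ noblacklist ${HOME}/.local/share/torbrowser
 include allow-python2.inc
 include allow-python3.inc
 
+blacklist /opt
+blacklist /srv
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -30,6 +33,8 @@ whitelist ${HOME}/.config/torbrowser
 whitelist ${HOME}/.local/share/torbrowser
 include whitelist-common.inc
 include whitelist-var-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 
 # Uncomment the line below or put 'apparmor' in your torbrowser-launcher.local.
 # IMPORTANT: the relevant rule in /etc/apparmor.d/local/firejail-default will need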
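--- /dev/null
+++ b/etc/profile-m-z/vmware-player.profile
@@ -0,0 +1,8 @@
+# Firejail profile for vmware-player
+# Description: The industry standard for running multiple operating systems as virtual machines on a single Linux PC.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vmware-player.local
+
+# Redirect
+include vmware.profile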
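--- /dev/null
+++ b/etc/profile-m-z/vmware-workstation.profile
@@ -0,0 +1,8 @@
+# Firejail profile for vmware-workstation
+# Description: The industry standard for running multiple operating systems as virtual machines on a single Linux PC.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vmware-workstation.local
+
+# Redirect
+include vmware.profile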
diff --git a/platform/rpm/firejail.spec b/platform/rpm/firejail.spec index b73ffe857..85df1b4eb 100644 --- a/platform/rpm/firejail.spec +++ b/platform/rpm/firejail.spec | |||
@@ -35,6 +35,7 @@ rm -rf %{buildroot} | |||
35 | %attr(4755, -, -) %{_bindir}/__NAME__ | 35 | %attr(4755, -, -) %{_bindir}/__NAME__ |
36 | %{_bindir}/firecfg | 36 | %{_bindir}/firecfg |
37 | %{_bindir}/firemon | 37 | %{_bindir}/firemon |
38 | %{_bindir}/jailtest | ||
38 | %{_libdir}/__NAME__ | 39 | %{_libdir}/__NAME__ |
39 | %{_datarootdir}/bash-completion/completions/__NAME__ | 40 | %{_datarootdir}/bash-completion/completions/__NAME__ |
40 | %{_datarootdir}/bash-completion/completions/firecfg | 41 | %{_datarootdir}/bash-completion/completions/firecfg |
@@ -47,4 +48,5 @@ rm -rf %{buildroot} | |||
47 | %{_mandir}/man5/__NAME__-login.5.gz | 48 | %{_mandir}/man5/__NAME__-login.5.gz |
48 | %{_mandir}/man5/__NAME__-profile.5.gz | 49 | %{_mandir}/man5/__NAME__-profile.5.gz |
49 | %{_mandir}/man5/__NAME__-users.5.gz | 50 | %{_mandir}/man5/__NAME__-users.5.gz |
51 | %{_mandir}/man5/jailtest.5.gz | ||
50 | %config(noreplace) %{_sysconfdir}/__NAME__ | 52 | %config(noreplace) %{_sysconfdir}/__NAME__ |
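Review bot: The manual page is packaged here as `%{_mandir}/man5/jailtest.5.gz`, but the SEE ALSO entries this same commit adds to firecfg.txt and firejail-login.txt reference `jailtest (1)`; a user-invoked command belongs in section 1, so either this line or the cross-references need to change, otherwise `man jailtest` and the references disagree. Unlike `__NAME__` on line 35, `jailtest` is installed without setuid, which is consistent with its main() requiring `sudo` via a `getuid() != 0` check rather than escalating itself.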
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index d056d0654..b44a1bc85 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -191,6 +191,10 @@ dropbox | |||
191 | d-feet | 191 | d-feet |
192 | easystroke | 192 | easystroke |
193 | ebook-viewer | 193 | ebook-viewer |
194 | ebook-convert | ||
195 | ebook-edit | ||
196 | ebook-meta | ||
197 | ebook-polish | ||
194 | electron-mail | 198 | electron-mail |
195 | electrum | 199 | electrum |
196 | element-desktop | 200 | element-desktop |
@@ -375,6 +379,8 @@ impressive | |||
375 | inkscape | 379 | inkscape |
376 | inkview | 380 | inkview |
377 | inox | 381 | inox |
382 | ipcalc | ||
383 | ipcalc-ng | ||
378 | iridium | 384 | iridium |
379 | iridium-browser | 385 | iridium-browser |
380 | jd-gui | 386 | jd-gui |
@@ -458,7 +464,7 @@ lynx | |||
458 | lyx | 464 | lyx |
459 | macrofusion | 465 | macrofusion |
460 | magicor | 466 | magicor |
461 | # man | 467 | man |
462 | manaplus | 468 | manaplus |
463 | marker | 469 | marker |
464 | masterpdfeditor | 470 | masterpdfeditor |
@@ -803,6 +809,8 @@ vivaldi-snapshot | |||
803 | vivaldi-stable | 809 | vivaldi-stable |
804 | vlc | 810 | vlc |
805 | vmware | 811 | vmware |
812 | vmware-player | ||
813 | vmware-workstation | ||
806 | vscodium | 814 | vscodium |
807 | vulturesclaw | 815 | vulturesclaw |
808 | vultureseye | 816 | vultureseye |
diff --git a/src/jailtest/Makefile.in b/src/jailtest/Makefile.in new file mode 100644 index 000000000..9c9c0c508 --- /dev/null +++ b/src/jailtest/Makefile.in | |||
@@ -0,0 +1,14 @@ | |||
1 | all: jailtest | ||
2 | |||
3 | include ../common.mk | ||
4 | |||
5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/pid.h | ||
6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | ||
7 | |||
8 | jailtest: $(OBJS) | ||
9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS) | ||
10 | |||
11 | clean:; rm -fr *.o jailtest *.gcov *.gcda *.gcno *.plist | ||
12 | |||
13 | distclean: clean | ||
14 | rm -fr Makefile | ||
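Review bot: `all`, `clean` and `distclean` are never declared phony, so a stray file named `clean` or `all` in src/jailtest turns `make clean` into a silent no-op; add `.PHONY: all clean distclean` (the sibling Makefile.in files in this tree may share the omission, in which case they should be fixed together). The `%.o` pattern rule also makes every object depend on `../include/pid.h` although only some sources include it; harmless, but worth a comment so nobody "fixes" it per file.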
diff --git a/src/jailtest/access.c b/src/jailtest/access.c new file mode 100644 index 000000000..4e737dc7a --- /dev/null +++ b/src/jailtest/access.c | |||
@@ -0,0 +1,143 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "jailtest.h" | ||
21 | #include <dirent.h> | ||
22 | #include <sys/wait.h> | ||
23 | |||
24 | typedef struct { | ||
25 | char *tfile; | ||
26 | char *tdir; | ||
27 | } TestDir; | ||
28 | |||
29 | #define MAX_TEST_FILES 16 | ||
30 | TestDir td[MAX_TEST_FILES]; | ||
31 | static int files_cnt = 0; | ||
32 | |||
33 | void access_setup(const char *directory) { | ||
34 | // I am root! | ||
35 | assert(directory); | ||
36 | assert(user_home_dir); | ||
37 | |||
38 | if (files_cnt >= MAX_TEST_FILES) { | ||
39 | fprintf(stderr, "Error: maximum number of test directories exceded\n"); | ||
40 | exit(1); | ||
41 | } | ||
42 | |||
43 | char *fname = strdup(directory); | ||
44 | if (!fname) | ||
45 | errExit("strdup"); | ||
46 | if (strncmp(fname, "~/", 2) == 0) { | ||
47 | free(fname); | ||
48 | if (asprintf(&fname, "%s/%s", user_home_dir, directory + 2) == -1) | ||
49 | errExit("asprintf"); | ||
50 | } | ||
51 | |||
52 | char *path = realpath(fname, NULL); | ||
53 | free(fname); | ||
54 | if (path == NULL) { | ||
55 | fprintf(stderr, "Warning: invalid directory %s, skipping...\n", directory); | ||
56 | return; | ||
57 | } | ||
58 | |||
59 | // file in home directory | ||
60 | if (strncmp(path, user_home_dir, strlen(user_home_dir)) != 0) { | ||
61 | fprintf(stderr, "Warning: file %s is not in user home directory, skipping...\n", directory); | ||
62 | free(path); | ||
63 | return; | ||
64 | } | ||
65 | |||
66 | // try to open the dir as root | ||
67 | DIR *dir = opendir(path); | ||
68 | if (!dir) { | ||
69 | fprintf(stderr, "Warning: directory %s not found, skipping\n", directory); | ||
70 | free(path); | ||
71 | return; | ||
72 | } | ||
73 | closedir(dir); | ||
74 | |||
75 | // create a test file | ||
76 | char *test_file; | ||
77 | if (asprintf(&test_file, "%s/jailtest-access-%d", path, getpid()) == -1) | ||
78 | errExit("asprintf"); | ||
79 | |||
80 | FILE *fp = fopen(test_file, "w"); | ||
81 | if (!fp) { | ||
82 | printf("Warning: I cannot create test file in directory %s, skipping...\n", directory); | ||
83 | return; | ||
84 | } | ||
85 | fprintf(fp, "this file was created by firetest utility, you can safely delete it\n"); | ||
86 | fclose(fp); | ||
87 | int rv = chown(test_file, user_uid, user_gid); | ||
88 | if (rv) | ||
89 | errExit("chown"); | ||
90 | |||
91 | char *dname = strdup(directory); | ||
92 | if (!dname) | ||
93 | errExit("strdup"); | ||
94 | td[files_cnt].tdir = dname; | ||
95 | td[files_cnt].tfile = test_file; | ||
96 | files_cnt++; | ||
97 | } | ||
98 | |||
99 | void access_destroy(void) { | ||
100 | // remove test files | ||
101 | int i; | ||
102 | |||
103 | for (i = 0; i < files_cnt; i++) { | ||
104 | int rv = unlink(td[i].tfile); | ||
105 | (void) rv; | ||
106 | } | ||
107 | files_cnt = 0; | ||
108 | } | ||
109 | |||
110 | void access_test(void) { | ||
111 | // I am root in sandbox mount namespace | ||
112 | assert(user_uid); | ||
113 | int i; | ||
114 | |||
115 | pid_t child = fork(); | ||
116 | if (child == -1) | ||
117 | errExit("fork"); | ||
118 | |||
119 | if (child == 0) { // child | ||
120 | // drop privileges | ||
121 | if (setgid(user_gid) != 0) | ||
122 | errExit("setgid"); | ||
123 | if (setuid(user_uid) != 0) | ||
124 | errExit("setuid"); | ||
125 | |||
126 | for (i = 0; i < files_cnt; i++) { | ||
127 | assert(td[i].tfile); | ||
128 | |||
129 | // try to open the file for reading | ||
130 | FILE *fp = fopen(td[i].tfile, "r"); | ||
131 | if (fp) { | ||
132 | |||
133 | printf(" Warning: I can read %s\n", td[i].tdir); | ||
134 | fclose(fp); | ||
135 | } | ||
136 | } | ||
137 | exit(0); | ||
138 | } | ||
139 | |||
140 | // wait for the child to finish | ||
141 | int status; | ||
142 | wait(&status); | ||
143 | } | ||
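Review bot: `access_setup` creates the probe file as root with `fopen(test_file, "w")` on line 80 and then `chown`s it by path on line 87, inside a directory owned by the unprivileged user whose sandboxes are being tested; both calls follow symlinks, so a program able to write there (the escape this tool is meant to detect, or any user-supplied directory) can plant `jailtest-access-<pid>` as a link to, say, `/etc/shadow` and have root truncate it and hand ownership to the user — the pid in the name is guessable and one link per candidate pid is cheap, and `fs.protected_symlinks` does not cover non-sticky directories like `~/.ssh`. Open with `O_CREAT | O_EXCL | O_NOFOLLOW` (needs `<fcntl.h>`) and `fchown` the descriptor, treating failure as a skip, as below. Also the home-prefix test on line 60 accepts `/home/user2` for `/home/user` (additionally require `path[strlen(user_home_dir)]` to be `/` or NUL), the failed-`fopen` path on line 82 leaks `test_file`, and the privilege drop in the probe child (lines 121-124) never calls `setgroups(0, NULL)`, so it keeps root's supplementary groups.
```c
	// create a test file; O_EXCL|O_NOFOLLOW so a symlink planted in this
	// user-controlled directory cannot redirect root's write or chown
	int fd = open(test_file, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
	if (fd == -1) {
		fprintf(stderr, "Warning: I cannot create test file in directory %s, skipping...\n", directory);
		free(test_file);
		return;
	}
	const char *msg = "this file was created by firetest utility, you can safely delete it\n";
	if (write(fd, msg, strlen(msg)) == -1)
		errExit("write");
	if (fchown(fd, user_uid, user_gid) != 0)
		errExit("fchown");
	close(fd);
	// … unchanged: store dname/test_file in td[files_cnt] …
```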
diff --git a/src/jailtest/apparmor.c b/src/jailtest/apparmor.c new file mode 100644 index 000000000..9ddfea3de --- /dev/null +++ b/src/jailtest/apparmor.c | |||
@@ -0,0 +1,40 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "jailtest.h" | ||
21 | |||
22 | #ifdef HAVE_APPARMOR | ||
23 | #include <sys/apparmor.h> | ||
24 | |||
25 | void apparmor_test(pid_t pid) { | ||
26 | char *label = NULL; | ||
27 | char *mode = NULL; | ||
28 | int rv = aa_gettaskcon(pid, &label, &mode); | ||
29 | if (rv == -1 || mode == NULL) | ||
30 | printf(" Warning: AppArmor not enabled\n"); | ||
31 | } | ||
32 | |||
33 | |||
34 | #else | ||
35 | void apparmor_test(pid_t pid) { | ||
36 | (void) pid; | ||
37 | return; | ||
38 | } | ||
39 | #endif | ||
40 | |||
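Review bot: Per libapparmor's documentation `aa_gettaskcon` returns a heap-allocated `label` (with `mode` pointing inside it), and `apparmor_test` never frees it, so every sandbox inspected leaks the buffer; add `free(label);` after the check (it stays NULL on failure, so the unconditional call is safe). The message on line 30 also conflates two cases: `rv == -1` means the query failed (AppArmor likely absent), while `rv != -1 && mode == NULL` means AppArmor is present but the task is unconfined, which is the more useful finding for a sandbox test — consider ` Warning: AppArmor enabled but process is unconfined` for the second case.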
diff --git a/src/jailtest/jailtest.h b/src/jailtest/jailtest.h new file mode 100644 index 000000000..10174cc9a --- /dev/null +++ b/src/jailtest/jailtest.h | |||
@@ -0,0 +1,58 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #ifndef JAILTEST_H | ||
21 | #define JAILTEST_H | ||
22 | |||
23 | #include "../include/common.h" | ||
24 | |||
25 | // main.c | ||
26 | extern uid_t user_uid; | ||
27 | extern gid_t user_gid; | ||
28 | extern char *user_name; | ||
29 | extern char *user_home_dir; | ||
30 | extern char *user_run_dir; | ||
31 | |||
32 | // access.c | ||
33 | void access_setup(const char *directory); | ||
34 | void access_test(void); | ||
35 | void access_destroy(void); | ||
36 | |||
37 | // noexec.c | ||
38 | void noexec_setup(void); | ||
39 | void noexec_test(const char *msg); | ||
40 | |||
41 | // virtual.c | ||
42 | void virtual_setup(const char *directory); | ||
43 | void virtual_destroy(void); | ||
44 | void virtual_test(void); | ||
45 | |||
46 | // apparmor.c | ||
47 | void apparmor_test(pid_t pid); | ||
48 | |||
49 | // seccomp.c | ||
50 | void seccomp_test(pid_t pid); | ||
51 | |||
52 | // utils.c | ||
53 | char *get_sudo_user(void); | ||
54 | char *get_homedir(const char *user, uid_t *uid, gid_t *gid); | ||
55 | int find_child(pid_t pid); | ||
56 | pid_t switch_to_child(pid_t pid); | ||
57 | |||
58 | #endif \ No newline at end of file | ||
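Review bot: `switch_to_child` on line 56 is declared but nothing in the utils.c added by this commit defines it, and `find_child` is prototyped with a `pid_t` parameter while utils.c line 70 defines `int find_child(int id)` — identical on Linux glibc where `pid_t` is `int`, but a mismatched prototype is a portability trap. Either define `switch_to_child` or drop the declaration, and change the prototype to `int find_child(int id);` to match the definition. The file also lacks a trailing newline.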
diff --git a/src/jailtest/main.c b/src/jailtest/main.c new file mode 100644 index 000000000..850277bc5 --- /dev/null +++ b/src/jailtest/main.c | |||
@@ -0,0 +1,167 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "jailtest.h" | ||
21 | #include "../include/firejail_user.h" | ||
22 | #include "../include/pid.h" | ||
23 | #include <sys/wait.h> | ||
24 | |||
25 | uid_t user_uid = 0; | ||
26 | gid_t user_gid = 0; | ||
27 | char *user_name = NULL; | ||
28 | char *user_home_dir = NULL; | ||
29 | char *user_run_dir = NULL; | ||
30 | int arg_debug = 0; | ||
31 | |||
32 | static char *usage_str = | ||
33 | "Usage: jailtest [options] directory [directory]\n\n" | ||
34 | "Options:\n" | ||
35 | " --debug - print debug messages.\n" | ||
36 | " --help, -? - this help screen.\n" | ||
37 | " --version - print program version and exit.\n"; | ||
38 | |||
39 | |||
40 | static void usage(void) { | ||
41 | printf("firetest - version %s\n\n", VERSION); | ||
42 | puts(usage_str); | ||
43 | } | ||
44 | |||
45 | static void cleanup(void) { | ||
46 | // running only as root | ||
47 | if (getuid() == 0) { | ||
48 | if (arg_debug) | ||
49 | printf("cleaning up!\n"); | ||
50 | access_destroy(); | ||
51 | virtual_destroy(); | ||
52 | } | ||
53 | } | ||
54 | |||
55 | int main(int argc, char **argv) { | ||
56 | int i; | ||
57 | int findex = 0; | ||
58 | |||
59 | for (i = 1; i < argc; i++) { | ||
60 | if (strcmp(argv[i], "-?") == 0 || strcmp(argv[i], "--help") == 0) { | ||
61 | usage(); | ||
62 | return 0; | ||
63 | } | ||
64 | else if (strcmp(argv[i], "--version") == 0) { | ||
65 | printf("firetest version %s\n\n", VERSION); | ||
66 | return 0; | ||
67 | } | ||
68 | else if (strncmp(argv[i], "--hello=", 8) == 0) { // used by noexec test | ||
69 | printf(" Warning: I can run programs in %s\n", argv[i] + 8); | ||
70 | return 0; | ||
71 | } | ||
72 | else if (strcmp(argv[i], "--debug") == 0) | ||
73 | arg_debug = 1; | ||
74 | else if (strncmp(argv[i], "--", 2) == 0) { | ||
75 | fprintf(stderr, "Error: invalid option\n"); | ||
76 | return 1; | ||
77 | } | ||
78 | else { | ||
79 | findex = i; | ||
80 | break; | ||
81 | } | ||
82 | } | ||
83 | |||
84 | // user setup | ||
85 | if (getuid() != 0) { | ||
86 | fprintf(stderr, "Error: you need to be root (via sudo) to run this program\n"); | ||
87 | exit(1); | ||
88 | } | ||
89 | user_name = get_sudo_user(); | ||
90 | assert(user_name); | ||
91 | user_home_dir = get_homedir(user_name, &user_uid, &user_gid); | ||
92 | if (user_uid == 0) { | ||
93 | fprintf(stderr, "Error: root user not supported\n"); | ||
94 | exit(1); | ||
95 | } | ||
96 | if (asprintf(&user_run_dir, "/run/user/%d", user_uid) == -1) | ||
97 | errExit("asprintf"); | ||
98 | |||
99 | // test setup | ||
100 | atexit(cleanup); | ||
101 | access_setup("~/.ssh"); | ||
102 | access_setup("~/.gnupg"); | ||
103 | if (findex > 0) { | ||
104 | for (i = findex; i < argc; i++) | ||
105 | access_setup(argv[i]); | ||
106 | } | ||
107 | |||
108 | noexec_setup(); | ||
109 | virtual_setup(user_home_dir); | ||
110 | virtual_setup("/tmp"); | ||
111 | virtual_setup("/var/tmp"); | ||
112 | virtual_setup("/dev"); | ||
113 | virtual_setup("/etc"); | ||
114 | virtual_setup("/bin"); | ||
115 | virtual_setup("/usr/share"); | ||
116 | virtual_setup(user_run_dir); | ||
117 | |||
118 | |||
119 | |||
120 | // print processes | ||
121 | pid_read(0); | ||
122 | for (i = 0; i < max_pids; i++) { | ||
123 | if (pids[i].level == 1) { | ||
124 | uid_t uid = pid_get_uid(i); | ||
125 | if (uid != user_uid) // not interested in other user sandboxes | ||
126 | continue; | ||
127 | |||
128 | // in case the pid is that of a firejail process, use the pid of the first child process | ||
129 | uid_t pid = find_child(i); | ||
130 | printf("\n"); | ||
131 | pid_print_list(i, 0); // no wrapping | ||
132 | apparmor_test(pid); | ||
133 | seccomp_test(pid); | ||
134 | fflush(0); | ||
135 | |||
136 | pid_t child = fork(); | ||
137 | if (child == -1) | ||
138 | errExit("fork"); | ||
139 | if (child == 0) { | ||
140 | int rv = join_namespace(pid, "mnt"); | ||
141 | if (rv == 0) { | ||
142 | virtual_test(); | ||
143 | noexec_test(user_home_dir); | ||
144 | noexec_test("/tmp"); | ||
145 | noexec_test("/var/tmp"); | ||
146 | noexec_test(user_run_dir); | ||
147 | access_test(); | ||
148 | } | ||
149 | else { | ||
150 | printf(" Error: I cannot join the process mount space\n"); | ||
151 | exit(1); | ||
152 | } | ||
153 | |||
154 | // drop privileges in order not to trigger cleanup() | ||
155 | if (setgid(user_gid) != 0) | ||
156 | errExit("setgid"); | ||
157 | if (setuid(user_uid) != 0) | ||
158 | errExit("setuid"); | ||
159 | return 0; | ||
160 | } | ||
161 | int status; | ||
162 | wait(&status); | ||
163 | } | ||
164 | } | ||
165 | |||
166 | return 0; | ||
167 | } | ||
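Review bot: Line 129 stores the result of `find_child(i)` in a `uid_t` and never checks for the documented `-1` return, so a firejail process with no sandboxed child yet (or whose only child is xdg-dbus-proxy) makes `apparmor_test`, `seccomp_test` and `join_namespace` run against pid `(uid_t)-1`; use `int pid = find_child(i); if (pid == -1) pid = i;` or skip the entry with a message. The privilege drop at lines 155-158 — and the identical ones in access.c, noexec.c and virtual.c — does `setgid`/`setuid` but never `setgroups(0, NULL)`, so the "unprivileged" probe keeps root's supplementary groups, which can make a file-access probe succeed for the wrong reason and report a false positive. Smaller points: `assert(user_name)` on line 90 is a runtime check that vanishes under `NDEBUG`, `/run/user/%d` on line 96 formats a `uid_t` with `%d` (use `%u`), and the usage/version strings on lines 41 and 65 still say `firetest` for a tool shipped as `jailtest`.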
diff --git a/src/jailtest/noexec.c b/src/jailtest/noexec.c new file mode 100644 index 000000000..4347b7eef --- /dev/null +++ b/src/jailtest/noexec.c | |||
@@ -0,0 +1,113 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "jailtest.h" | ||
21 | #include <sys/wait.h> | ||
22 | #include <sys/stat.h> | ||
23 | #include <fcntl.h> | ||
24 | |||
25 | static unsigned char *execfile = NULL; | ||
26 | static int execfile_len = 0; | ||
27 | |||
28 | void noexec_setup(void) { | ||
29 | // grab a copy of myself | ||
30 | char *self = realpath("/proc/self/exe", NULL); | ||
31 | if (self) { | ||
32 | struct stat s; | ||
33 | if (access(self, X_OK) == 0 && stat(self, &s) == 0) { | ||
34 | assert(s.st_size); | ||
35 | execfile = malloc(s.st_size); | ||
36 | |||
37 | int fd = open(self, O_RDONLY); | ||
38 | if (fd == -1) | ||
39 | errExit("open"); | ||
40 | int len = 0; | ||
41 | do { | ||
42 | int rv = read(fd, execfile + len, s.st_size - len); | ||
43 | if (rv == -1) | ||
44 | errExit("read"); | ||
45 | if (rv == 0) { | ||
46 | // something went wrong! | ||
47 | free(execfile); | ||
48 | execfile = NULL; | ||
49 | printf("Warning: I cannot grab a copy of myself, skipping noexec test...\n"); | ||
50 | break; | ||
51 | } | ||
52 | len += rv; | ||
53 | } | ||
54 | while (len < s.st_size); | ||
55 | execfile_len = s.st_size; | ||
56 | close(fd); | ||
57 | } | ||
58 | } | ||
59 | } | ||
60 | |||
61 | |||
62 | void noexec_test(const char *path) { | ||
63 | assert(user_uid); | ||
64 | |||
65 | // I am root in sandbox mount namespace | ||
66 | if (!execfile) | ||
67 | return; | ||
68 | |||
69 | char *fname; | ||
70 | if (asprintf(&fname, "%s/jailtest-noexec-%d", path, getpid()) == -1) | ||
71 | errExit("asprintf"); | ||
72 | |||
73 | pid_t child = fork(); | ||
74 | if (child == -1) | ||
75 | errExit("fork"); | ||
76 | |||
77 | if (child == 0) { // child | ||
78 | // drop privileges | ||
79 | if (setgid(user_gid) != 0) | ||
80 | errExit("setgid"); | ||
81 | if (setuid(user_uid) != 0) | ||
82 | errExit("setuid"); | ||
83 | int fd = open(fname, O_CREAT | O_TRUNC | O_WRONLY, 0700); | ||
84 | if (fd == -1) { | ||
85 | printf(" I cannot create files in %s, skipping noexec...\n", path); | ||
86 | exit(1); | ||
87 | } | ||
88 | |||
89 | int len = 0; | ||
90 | while (len < execfile_len) { | ||
91 | int rv = write(fd, execfile + len, execfile_len - len); | ||
92 | if (rv == -1 || rv == 0) { | ||
93 | printf(" I cannot create files in %s, skipping noexec....\n", path); | ||
94 | exit(1); | ||
95 | } | ||
96 | len += rv; | ||
97 | } | ||
98 | fchmod(fd, 0700); | ||
99 | close(fd); | ||
100 | |||
101 | char *arg; | ||
102 | if (asprintf(&arg, "--hello=%s", path) == -1) | ||
103 | errExit("asprintf"); | ||
104 | int rv = execl(fname, fname, arg, NULL); | ||
105 | (void) rv; // if we get here execl failed | ||
106 | exit(0); | ||
107 | } | ||
108 | |||
109 | int status; | ||
110 | wait(&status); | ||
111 | int rv = unlink(fname); | ||
112 | (void) rv; | ||
113 | } \ No newline at end of file | ||
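Review bot: `malloc(s.st_size)` on line 35 is unchecked, so an allocation failure turns the following `read` into a write through NULL; add `if (!execfile) errExit("malloc");`. The short-read branch on lines 45-51 frees and NULLs `execfile` but then still sets `execfile_len = s.st_size` and falls through — harmless only because `noexec_test` tests `execfile` first; a `return` after the warning would make the intent explicit. `self` from `realpath` and `fname` from `asprintf` are never freed, and the parent ignores the child's exit status, so a failed `open` in the child (line 84) is reported only by the child's own printf; fine for a one-shot probe but worth a comment on line 110.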
diff --git a/src/jailtest/seccomp.c b/src/jailtest/seccomp.c new file mode 100644 index 000000000..2cecb4b4d --- /dev/null +++ b/src/jailtest/seccomp.c | |||
@@ -0,0 +1,47 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "jailtest.h" | ||
21 | #define MAXBUF 4096 | ||
22 | |||
23 | void seccomp_test(pid_t pid) { | ||
24 | char *file; | ||
25 | if (asprintf(&file, "/proc/%d/status", pid) == -1) | ||
26 | errExit("asprintf"); | ||
27 | |||
28 | FILE *fp = fopen(file, "r"); | ||
29 | if (!fp) { | ||
30 | printf(" Error: cannot open %s\n", file); | ||
31 | free(file); | ||
32 | return; | ||
33 | } | ||
34 | |||
35 | char buf[MAXBUF]; | ||
36 | while (fgets(buf, MAXBUF, fp)) { | ||
37 | if (strncmp(buf, "Seccomp:", 8) == 0) { | ||
38 | int val = -1; | ||
39 | int rv = sscanf(buf + 8, "\t%d", &val); | ||
40 | if (rv != 1 || val == 0) | ||
41 | printf(" Warning: seccomp not enabled\n"); | ||
42 | break; | ||
43 | } | ||
44 | } | ||
45 | fclose(fp); | ||
46 | free(file); | ||
47 | } | ||
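Review bot: When `/proc/<pid>/status` has no `Seccomp:` line at all — a kernel built without `CONFIG_SECCOMP`, or an old one — the loop on lines 36-44 ends silently and the sandbox is reported as fine; track whether the line was seen (`int found = 0;` … `found = 1;` in the match) and print the same ` Warning: seccomp not enabled` after the loop when it was not. A `Seccomp:` value of 1 (strict mode) also passes this check although firejail installs filters (mode 2); if only filter mode counts, compare against 2 explicitly. The open failure on line 30 goes to stdout — use `stderr` like the other error paths in this commit.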
diff --git a/src/jailtest/utils.c b/src/jailtest/utils.c new file mode 100644 index 000000000..41c21b753 --- /dev/null +++ b/src/jailtest/utils.c | |||
@@ -0,0 +1,102 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "jailtest.h" | ||
21 | #include "../include/pid.h" | ||
22 | #include <errno.h> | ||
23 | #include <pwd.h> | ||
24 | #include <dirent.h> | ||
25 | |||
26 | #define BUFLEN 4096 | ||
27 | |||
28 | char *get_sudo_user(void) { | ||
29 | char *user = getenv("SUDO_USER"); | ||
30 | if (!user) { | ||
31 | user = getpwuid(getuid())->pw_name; | ||
32 | if (!user) { | ||
33 | fprintf(stderr, "Error: cannot detect login user\n"); | ||
34 | exit(1); | ||
35 | } | ||
36 | } | ||
37 | |||
38 | return user; | ||
39 | } | ||
40 | |||
41 | char *get_homedir(const char *user, uid_t *uid, gid_t *gid) { | ||
42 | // find home directory | ||
43 | struct passwd *pw = getpwnam(user); | ||
44 | if (!pw) | ||
45 | goto errexit; | ||
46 | |||
47 | char *home = pw->pw_dir; | ||
48 | if (!home) | ||
49 | goto errexit; | ||
50 | |||
51 | *uid = pw->pw_uid; | ||
52 | *gid = pw->pw_gid; | ||
53 | |||
54 | return home; | ||
55 | |||
56 | errexit: | ||
57 | fprintf(stderr, "Error: cannot find home directory for user %s\n", user); | ||
58 | exit(1); | ||
59 | } | ||
60 | |||
61 | // find the second child process for the specified pid | ||
62 | // return -1 if not found | ||
63 | // | ||
64 | // Example: | ||
65 | //14776:netblue:/usr/bin/firejail /usr/bin/transmission-qt | ||
66 | // 14777:netblue:/usr/bin/firejail /usr/bin/transmission-qt | ||
67 | // 14792:netblue:/usr/bin/transmission-qt | ||
68 | // We need 14792, the first real sandboxed process | ||
69 | // duplicate from src/firemon/main.c | ||
70 | int find_child(int id) { | ||
71 | int i; | ||
72 | int first_child = -1; | ||
73 | |||
74 | // find the first child | ||
75 | for (i = 0; i < max_pids; i++) { | ||
76 | if (pids[i].level == 2 && pids[i].parent == id) { | ||
77 | // skip /usr/bin/xdg-dbus-proxy (started by firejail for dbus filtering) | ||
78 | char *cmdline = pid_proc_cmdline(i); | ||
79 | if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) == 0) { | ||
80 | free(cmdline); | ||
81 | continue; | ||
82 | } | ||
83 | free(cmdline); | ||
84 | first_child = i; | ||
85 | break; | ||
86 | } | ||
87 | } | ||
88 | |||
89 | if (first_child == -1) | ||
90 | return -1; | ||
91 | |||
92 | // find the second-level child | ||
93 | for (i = 0; i < max_pids; i++) { | ||
94 | if (pids[i].level == 3 && pids[i].parent == first_child) | ||
95 | return i; | ||
96 | } | ||
97 | |||
98 | // if a second child is not found, return the first child pid | ||
99 | // this happens for processes sandboxed with --join | ||
100 | return first_child; | ||
101 | } | ||
102 | |||
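Review bot: Line 31 dereferences `getpwuid(getuid())` without a NULL check — it returns NULL for an unknown uid or an NSS failure — so the `if (!user)` on line 32 comes too late; write `struct passwd *pw = getpwuid(getuid()); user = pw ? pw->pw_name : NULL;`. Both `pw_name` here and `pw_dir` returned by `get_homedir` on line 54 point into getpw*'s static buffer, which the next passwd lookup overwrites; `strdup` them, since `user_home_dir` is used for the whole run. In `find_child`, line 79 passes `pid_proc_cmdline(i)` straight to `strncmp`; if that helper can return NULL for a process that exited between `pid_read` and here, guard with `if (cmdline && strncmp(...) == 0)`.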
diff --git a/src/jailtest/virtual.c b/src/jailtest/virtual.c new file mode 100644 index 000000000..fcdcf9720 --- /dev/null +++ b/src/jailtest/virtual.c | |||
@@ -0,0 +1,125 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "jailtest.h" | ||
21 | #include <dirent.h> | ||
22 | #include <sys/wait.h> | ||
23 | |||
24 | |||
25 | #define MAX_TEST_FILES 16 | ||
26 | static char *dirs[MAX_TEST_FILES]; | ||
27 | static char *files[MAX_TEST_FILES]; | ||
28 | static int files_cnt = 0; | ||
29 | |||
30 | void virtual_setup(const char *directory) { | ||
31 | // I am root! | ||
32 | assert(directory); | ||
33 | assert(*directory == '/'); | ||
34 | assert(files_cnt < MAX_TEST_FILES); | ||
35 | |||
36 | // try to open the dir as root | ||
37 | DIR *dir = opendir(directory); | ||
38 | if (!dir) { | ||
39 | fprintf(stderr, "Warning: directory %s not found, skipping\n", directory); | ||
40 | return; | ||
41 | } | ||
42 | closedir(dir); | ||
43 | |||
44 | // create a test file | ||
45 | char *test_file; | ||
46 | if (asprintf(&test_file, "%s/jailtest-private-%d", directory, getpid()) == -1) | ||
47 | errExit("asprintf"); | ||
48 | |||
49 | FILE *fp = fopen(test_file, "w"); | ||
50 | if (!fp) { | ||
51 | printf("Warning: I cannot create test file in directory %s, skipping...\n", directory); | ||
52 | return; | ||
53 | } | ||
54 | fprintf(fp, "this file was created by firetest utility, you can safely delete it\n"); | ||
55 | fclose(fp); | ||
56 | if (strcmp(directory, user_home_dir) == 0) { | ||
57 | int rv = chown(test_file, user_uid, user_gid); | ||
58 | if (rv) | ||
59 | errExit("chown"); | ||
60 | } | ||
61 | |||
62 | char *dname = strdup(directory); | ||
63 | if (!dname) | ||
64 | errExit("strdup"); | ||
65 | dirs[files_cnt] = dname; | ||
66 | files[files_cnt] = test_file; | ||
67 | files_cnt++; | ||
68 | } | ||
69 | |||
70 | void virtual_destroy(void) { | ||
71 | // remove test files | ||
72 | int i; | ||
73 | |||
74 | for (i = 0; i < files_cnt; i++) { | ||
75 | int rv = unlink(files[i]); | ||
76 | (void) rv; | ||
77 | } | ||
78 | files_cnt = 0; | ||
79 | } | ||
80 | |||
81 | void virtual_test(void) { | ||
82 | // I am root in sandbox mount namespace | ||
83 | assert(user_uid); | ||
84 | int i; | ||
85 | |||
86 | int cnt = 0; | ||
87 | cnt += printf(" Virtual dirs: "); fflush(0); | ||
88 | |||
89 | for (i = 0; i < files_cnt; i++) { | ||
90 | assert(files[i]); | ||
91 | |||
92 | // I am root! | ||
93 | pid_t child = fork(); | ||
94 | if (child == -1) | ||
95 | errExit("fork"); | ||
96 | |||
97 | if (child == 0) { // child | ||
98 | // drop privileges | ||
99 | if (setgid(user_gid) != 0) | ||
100 | errExit("setgid"); | ||
101 | if (setuid(user_uid) != 0) | ||
102 | errExit("setuid"); | ||
103 | |||
104 | // try to open the file for reading | ||
105 | FILE *fp = fopen(files[i], "r"); | ||
106 | if (fp) | ||
107 | fclose(fp); | ||
108 | else { | ||
109 | if (cnt == 0) | ||
110 | cnt += printf("\n "); | ||
111 | cnt += printf("%s, ", dirs[i]); | ||
112 | if (cnt > 60) | ||
113 | cnt = 0; | ||
114 | } | ||
115 | fflush(0); | ||
116 | exit(cnt); | ||
117 | } | ||
118 | |||
119 | // wait for the child to finish | ||
120 | int status; | ||
121 | wait(&status); | ||
122 | cnt = WEXITSTATUS(status); | ||
123 | } | ||
124 | printf("\n"); | ||
125 | } | ||
diff --git a/src/man/Makefile.in b/src/man/Makefile.in index 1c4444307..1a1f8ba08 100644 --- a/src/man/Makefile.in +++ b/src/man/Makefile.in | |||
@@ -1,4 +1,4 @@ | |||
1 | all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man | 1 | all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man jailtest.man |
2 | include ../common.mk | 2 | include ../common.mk |
3 | 3 | ||
4 | %.man: %.txt | 4 | %.man: %.txt |
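--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -130,8 +130,9 @@ This program is free software; you can redistribute it and/or modify it under th
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirejail-profile\fR\|(5),
-\&\flfirejail-login\fR\|(5)
-\&\flfirejail-users\fR\|(5)
+.BR firejail (1),
+.BR firemon (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR firejail-users (5),
+.BR jailtest (1)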
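--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -34,8 +34,9 @@ Firejail is free software; you can redistribute it and/or modify it under the te
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5)
-\&\flfirejail-users\fR\|(5)
+.BR firejail (1),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-users (5),
+.BR jailtest (1)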
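--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -889,10 +889,12 @@ Firejail is free software; you can redistribute it and/or modify it under the te
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-login\fR\|(5),
-\&\flfirejail-users\fR\|(5),
+.BR firejail (1),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-login (5),
+.BR firejail-users (5),
+.BR jailtest (1)
+
 .UR https://github.com/netblue30/firejail/wiki/Creating-Profiles
 .UE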
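--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.txt
@@ -54,8 +54,9 @@ as published by the Free Software Foundation; either version 2 of the License, o
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5)
-\&\flfirejail-login\fR\|(5)
+.BR firejail (1),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR jailtest (1)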
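--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -3332,11 +3332,13 @@ This program is free software; you can redistribute it and/or modify it under th
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5),
-\&\flfirejail-login\fR\|(5),
-\&\flfirejail-users\fR\|(5),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR firejail-users (5),
+.BR jailtest (1)
+
 .UR https://github.com/netblue30/firejail/wiki
 .UE ,
 .UR https://github.com/netblue30/firejail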
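--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -115,8 +115,9 @@ This program is free software; you can redistribute it and/or modify it under th
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5),
-\&\flfirejail-login\fR\|(5)
-\&\flfirejail-users\fR\|(5)
+.BR firejail (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR firejail-users (5),
+.BR jailtest (1)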
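--- /dev/null
+++ b/src/man/jailtest.txt
@@ -0,0 +1,106 @@
+.TH JAILTEST 1 "MONTH YEAR" "VERSION" "JAILTEST man page"
+.SH NAME
+jailtest \- Simple utility program to test running sandboxes
+.SH SYNOPSIS
+sudo jailtest [OPTIONS] [directory]
+.SH DESCRIPTION
+WORK IN PROGRESS!
+jailtest attaches itself to all sandboxes started by the user and performs some basic tests
+on the sandbox filesystem:
+.TP
+\fB1. Virtual directories
+jailtest extracts a list with the main virtual directories installed by the sandbox.
+These directories are build by firejail at startup using --private* and --whitelist commands.
+.TP
+\fB2. Noexec test
+jailtest inserts executable programs in /home/username, /tmp, and /var/tmp directories
+and tries to run them form inside the sandbox, thus testing if the directory is executable or not.
+.TP
+\fB3. Read access test
+jailtest creates test files in the directories specified by the user and tries to read
+them from inside the sandbox.
+.TP
+\fB4. AppArmor test
+.TP
+\fB5. Seccomp test
+.TP
+The program is started as root using sudo.
+
+.SH OPTIONS
+.TP
+\fB\-\-debug
+Print debug messages
+.TP
+\fB\-?\fR, \fB\-\-help\fR
+Print options end exit.
+.TP
+\fB\-\-version
+Print program version and exit.
+.TP
+\fB[directory]
+One or more directories in user home to test for read access. ~/.ssh and ~/.gnupg are tested by default.
+
+.SH OUTPUT
+For each sandbox detected we print the following line:
+
+PID:USER:Sandbox Name:Command
+
+It is followed by relevant sandbox information, such as the virtual directories and various warnings.
+
+.SH EXAMPLE
+
+$ sudo jailtest
+.br
+2014:netblue::firejail /usr/bin/gimp
+.br
+Virtual dirs: /tmp, /var/tmp, /dev, /usr/share,
+.br
+Warning: I can run programs in /home/netblue
+.br
+
+.br
+2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
+.br
+Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000,
+.br
+Warning: I can read ~/.ssh
+.br
+
+.br
+2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.appimage
+.br
+Virtual dirs: /tmp, /var/tmp, /dev,
+.br
+
+.br
+26090:netblue::/usr/bin/firejail /opt/firefox/firefox
+.br
+Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share,
+.br
+/run/user/1000,
+.br
+
+.br
+26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor
+.br
+Warning: AppArmor not enabled
+.br
+Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin,
+.br
+/usr/share, /run/user/1000,
+.br
+Warning: I can run programs in /home/netblue
+.br
+
+
+.SH LICENSE
+This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+.PP
+Homepage: https://firejail.wordpress.com
+.SH SEE ALSO
+.BR firejail (1),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR firejail-users (5),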