-rw-r--r-- | Makefile.in | 3 | ||||
-rwxr-xr-x | configure | 19 | ||||
-rw-r--r-- | configure.ac | 10 | ||||
-rwxr-xr-x | mketc.sh | 14 | ||||
-rw-r--r-- | src/firejail/fs.c | 40 |
5 files changed, 79 insertions, 7 deletions
diff --git a/Makefile.in b/Makefile.in index 5269170c2..6c98742b7 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -16,6 +16,7 @@ NAME=@PACKAGE_NAME@ | |||
16 | PACKAGE_TARNAME=@PACKAGE_TARNAME@ | 16 | PACKAGE_TARNAME=@PACKAGE_TARNAME@ |
17 | DOCDIR=@docdir@ | 17 | DOCDIR=@docdir@ |
18 | HAVE_APPARMOR=@HAVE_APPARMOR@ | 18 | HAVE_APPARMOR=@HAVE_APPARMOR@ |
19 | BUSYBOX_WORKAROUND=@BUSYBOX_WORKAROUND@ | ||
19 | 20 | ||
20 | .PHONY: mylibs $(MYLIBS) | 21 | .PHONY: mylibs $(MYLIBS) |
21 | mylibs: $(MYLIBS) | 22 | mylibs: $(MYLIBS) |
@@ -79,7 +80,7 @@ realinstall: | |||
79 | install -c -m 0644 README $(DESTDIR)/$(DOCDIR)/. | 80 | install -c -m 0644 README $(DESTDIR)/$(DOCDIR)/. |
80 | install -c -m 0644 RELNOTES $(DESTDIR)/$(DOCDIR)/. | 81 | install -c -m 0644 RELNOTES $(DESTDIR)/$(DOCDIR)/. |
81 | # etc files | 82 | # etc files |
82 | ./mketc.sh $(sysconfdir) | 83 | ./mketc.sh $(sysconfdir) $(BUSYBOX_WORKAROUND) |
83 | install -m 0755 -d $(DESTDIR)/$(sysconfdir)/firejail | 84 | install -m 0755 -d $(DESTDIR)/$(sysconfdir)/firejail |
84 | for file in .etc/* etc/firejail.config; do \ | 85 | for file in .etc/* etc/firejail.config; do \ |
85 | install -c -m 0644 $$file $(DESTDIR)/$(sysconfdir)/firejail; \ | 86 | install -c -m 0644 $$file $(DESTDIR)/$(sysconfdir)/firejail; \ |
@@ -625,6 +625,7 @@ ac_includes_default="\ | |||
625 | ac_subst_vars='LTLIBOBJS | 625 | ac_subst_vars='LTLIBOBJS |
626 | LIBOBJS | 626 | LIBOBJS |
627 | HAVE_SECCOMP_H | 627 | HAVE_SECCOMP_H |
628 | BUSYBOX_WORKAROUND | ||
628 | HAVE_FATAL_WARNINGS | 629 | HAVE_FATAL_WARNINGS |
629 | HAVE_WHITELIST | 630 | HAVE_WHITELIST |
630 | HAVE_FILE_TRANSFER | 631 | HAVE_FILE_TRANSFER |
@@ -703,6 +704,7 @@ enable_x11 | |||
703 | enable_file_transfer | 704 | enable_file_transfer |
704 | enable_whitelist | 705 | enable_whitelist |
705 | enable_fatal_warnings | 706 | enable_fatal_warnings |
707 | enable_busybox_workaround | ||
706 | ' | 708 | ' |
707 | ac_precious_vars='build_alias | 709 | ac_precious_vars='build_alias |
708 | host_alias | 710 | host_alias |
@@ -1336,6 +1338,8 @@ Optional Features: | |||
1336 | --disable-file-transfer disable file transfer | 1338 | --disable-file-transfer disable file transfer |
1337 | --disable-whitelist disable whitelist | 1339 | --disable-whitelist disable whitelist |
1338 | --enable-fatal-warnings -W -Wall -Werror | 1340 | --enable-fatal-warnings -W -Wall -Werror |
1341 | --enable-busybox-workaround | ||
1342 | enable busybox workaround | ||
1339 | 1343 | ||
1340 | Some influential environment variables: | 1344 | Some influential environment variables: |
1341 | CC C compiler command | 1345 | CC C compiler command |
@@ -3647,6 +3651,20 @@ if test "x$enable_fatal_warnings" = "xyes"; then : | |||
3647 | 3651 | ||
3648 | fi | 3652 | fi |
3649 | 3653 | ||
3654 | BUSYBOX_WORKAROUND="no" | ||
3655 | # Check whether --enable-busybox-workaround was given. | ||
3656 | if test "${enable_busybox_workaround+set}" = set; then : | ||
3657 | enableval=$enable_busybox_workaround; | ||
3658 | fi | ||
3659 | |||
3660 | if test "x$enable_busybox_workaround" = "xyes"; then : | ||
3661 | |||
3662 | BUSYBOX_WORKAROUND="yes" | ||
3663 | |||
3664 | |||
3665 | fi | ||
3666 | |||
3667 | |||
3650 | 3668 | ||
3651 | # checking pthread library | 3669 | # checking pthread library |
3652 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 | 3670 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 |
@@ -4905,6 +4923,7 @@ echo " X11 sandboxing support: $HAVE_X11" | |||
4905 | echo " whitelisting: $HAVE_WHITELIST" | 4923 | echo " whitelisting: $HAVE_WHITELIST" |
4906 | echo " file transfer support: $HAVE_FILE_TRANSFER" | 4924 | echo " file transfer support: $HAVE_FILE_TRANSFER" |
4907 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" | 4925 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" |
4926 | echo " busybox workaround: $BUSYBOX_WORKAROUND" | ||
4908 | printf " uid_min: "; grep UID_MIN uids.h | 4927 | printf " uid_min: "; grep UID_MIN uids.h |
4909 | printf " gid_min: "; grep GID_MIN uids.h | 4928 | printf " gid_min: "; grep GID_MIN uids.h |
4910 | printf " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" | 4929 | printf " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" |
diff --git a/configure.ac b/configure.ac index 315c25038..149f76eae 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -115,6 +115,15 @@ AS_IF([test "x$enable_fatal_warnings" = "xyes"], [ | |||
115 | AC_SUBST(HAVE_FATAL_WARNINGS) | 115 | AC_SUBST(HAVE_FATAL_WARNINGS) |
116 | ]) | 116 | ]) |
117 | 117 | ||
118 | BUSYBOX_WORKAROUND="no" | ||
119 | AC_ARG_ENABLE([busybox-workaround], | ||
120 | AS_HELP_STRING([--enable-busybox-workaround], [enable busybox workaround])) | ||
121 | AS_IF([test "x$enable_busybox_workaround" = "xyes"], [ | ||
122 | BUSYBOX_WORKAROUND="yes" | ||
123 | AC_SUBST(BUSYBOX_WORKAROUND) | ||
124 | ]) | ||
125 | |||
126 | |||
118 | 127 | ||
119 | # checking pthread library | 128 | # checking pthread library |
120 | AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***])) | 129 | AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***])) |
@@ -148,6 +157,7 @@ echo " X11 sandboxing support: $HAVE_X11" | |||
148 | echo " whitelisting: $HAVE_WHITELIST" | 157 | echo " whitelisting: $HAVE_WHITELIST" |
149 | echo " file transfer support: $HAVE_FILE_TRANSFER" | 158 | echo " file transfer support: $HAVE_FILE_TRANSFER" |
150 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" | 159 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" |
160 | echo " busybox workaround: $BUSYBOX_WORKAROUND" | ||
151 | printf " uid_min: "; grep UID_MIN uids.h | 161 | printf " uid_min: "; grep UID_MIN uids.h |
152 | printf " gid_min: "; grep GID_MIN uids.h | 162 | printf " gid_min: "; grep GID_MIN uids.h |
153 | printf " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" | 163 | printf " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" |
@@ -6,3 +6,17 @@ for file in etc/*.profile etc/*.inc etc/*.net; | |||
6 | do | 6 | do |
7 | sed "s;/etc/firejail;$1/firejail;g" $file > .$file | 7 | sed "s;/etc/firejail;$1/firejail;g" $file > .$file |
8 | done | 8 | done |
9 | |||
10 | if [ "x$2" = "xyes" ] | ||
11 | then | ||
12 | sed -i -e ' | ||
13 | 1i# Workaround for systems where common UNIX utilities are symlinks to busybox.\ | ||
14 | # If this is not your case you can remove --enable-busybox-workaround from\ | ||
15 | # ./configure options, for added security.\ | ||
16 | noblacklist \${PATH}/mount\ | ||
17 | noblacklist \${PATH}/umount\ | ||
18 | noblacklist \${PATH}/su\ | ||
19 | noblacklist \${PATH}/sudo\ | ||
20 | noblacklist \${PATH}/nc\ | ||
21 | ' .etc/disable-common.inc | ||
22 | fi | ||
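Review bot: The header comment this block writes into `.etc/disable-common.inc` does not say what the workaround costs. It prepends `noblacklist` entries for mount, umount, su, sudo and nc, so every profile that includes that file presumably stops hiding those binaries, whether or not they are busybox symlinks on the target system. I would add a line such as `# With this workaround mount, umount, su, sudo and nc are NOT blacklisted inside the sandbox.` to the inserted text, and make the `--enable-busybox-workaround` help string in configure.ac say the same instead of just "enable busybox workaround". The utility list also has to be kept in step by hand with the blacklist entries it overrides, which deserves a short comment above the `sed` call.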
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index ff5887c10..5bcfa6066 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -478,12 +478,40 @@ void fs_blacklist(void) { | |||
478 | 478 | ||
479 | // Process noblacklist command | 479 | // Process noblacklist command |
480 | if (strncmp(entry->data, "noblacklist ", 12) == 0) { | 480 | if (strncmp(entry->data, "noblacklist ", 12) == 0) { |
481 | if (noblacklist_c >= noblacklist_m) { | 481 | char **paths = build_paths(); |
482 | noblacklist_m *= 2; | 482 | |
483 | noblacklist = realloc(noblacklist, sizeof(*noblacklist) * noblacklist_m); | 483 | char *enames[sizeof(paths)+1] = {0}; |
484 | if (noblacklist == NULL) | 484 | int i = 0; |
485 | errExit("failed increasing memory for noblacklist entries");} | 485 | |
486 | noblacklist[noblacklist_c++] = expand_home(entry->data + 12, homedir); | 486 | if (strncmp(entry->data + 12, "${PATH}", 7) == 0) { |
487 | // expand ${PATH} macro | ||
488 | while (paths[i] != NULL) { | ||
489 | if (asprintf(&enames[i], "%s%s", paths[i], entry->data + 19) == -1) | ||
490 | errExit("asprintf"); | ||
491 | i++; | ||
492 | } | ||
493 | } else { | ||
494 | // expand ${HOME} macro if found or pass as is | ||
495 | enames[0] = expand_home(entry->data + 12, homedir); | ||
496 | enames[1] = NULL; | ||
497 | } | ||
498 | |||
499 | i = 0; | ||
500 | while (enames[i] != NULL) { | ||
501 | if (noblacklist_c >= noblacklist_m) { | ||
502 | noblacklist_m *= 2; | ||
503 | noblacklist = realloc(noblacklist, sizeof(*noblacklist) * noblacklist_m); | ||
504 | if (noblacklist == NULL) | ||
505 | errExit("failed increasing memory for noblacklist entries"); | ||
506 | } | ||
507 | noblacklist[noblacklist_c++] = enames[i]; | ||
508 | i++; | ||
509 | } | ||
510 | |||
511 | while (enames[i] != NULL) { | ||
512 | free(enames[i]); | ||
513 | } | ||
514 | |||
487 | entry = entry->next; | 515 | entry = entry->next; |
488 | continue; | 516 | continue; |
489 | } | 517 | } |
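Review bot: `char *enames[sizeof(paths)+1]` sizes the array from the size of a pointer (8 on a 64-bit build), not from the number of entries build_paths() returns, so the `${PATH}` loop writes past the end of `enames` on the stack once there are more directories than that. The array should be sized from a count of `paths`, for example heap-allocated as in the fence below. The trailing `while (enames[i] != NULL) free(enames[i]);` never runs, because `i` already indexes the terminator after the append loop. It must not be made to run either, since it does not advance `i` and the strings are now owned by `noblacklist`; drop it and free only the temporary array. fs_blacklist() starts and ends outside the hunk.

```c
		char **paths = build_paths();

		// count the search directories instead of using sizeof on a pointer
		size_t npaths = 0;
		while (paths[npaths] != NULL)
			npaths++;

		// room for every ${PATH} expansion, or the single plain name, plus the NULL terminator
		char **enames = calloc(npaths + 2, sizeof(*enames));
		if (enames == NULL)
			errExit("calloc");
		int i = 0;

		// … unchanged: ${PATH} / ${HOME} expansion into enames …

		// … unchanged: loop appending each enames[i] to noblacklist …

		// the strings now belong to noblacklist; release only the temporary array
		free(enames);
```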