-rw-r--r-- | Makefile.in | 4 | ||||
-rwxr-xr-x | configure | 3 | ||||
-rw-r--r-- | configure.ac | 2 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs_lib.c | 1 | ||||
-rw-r--r-- | src/firejail/netfilter.c | 65 |
6 files changed, 28 insertions, 48 deletions
diff --git a/Makefile.in b/Makefile.in index 88ed1f476..54b924288 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -1,6 +1,6 @@ | |||
1 | all: apps man filters | 1 | all: apps man filters |
2 | MYLIBS = src/lib | 2 | MYLIBS = src/lib |
3 | APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp | 3 | APPS = src/firejail src/firemon src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp |
4 | MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 | 4 | MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 |
5 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.64 seccomp.block_secondary seccomp.mdwx | 5 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.64 seccomp.block_secondary seccomp.mdwx |
6 | 6 | ||
@@ -97,6 +97,7 @@ endif | |||
97 | install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/. | 97 | install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/. |
98 | install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/. | 98 | install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/. |
99 | install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/. | 99 | install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/. |
100 | install -c -m 0755 src/fnetfilter/fnetfilter $(DESTDIR)/$(libdir)/firejail/. | ||
100 | install -c -m 0755 src/fcopy/fcopy $(DESTDIR)/$(libdir)/firejail/. | 101 | install -c -m 0755 src/fcopy/fcopy $(DESTDIR)/$(libdir)/firejail/. |
101 | install -c -m 0755 src/fldd/fldd $(DESTDIR)/$(libdir)/firejail/. | 102 | install -c -m 0755 src/fldd/fldd $(DESTDIR)/$(libdir)/firejail/. |
102 | install -c -m 0755 src/fbuilder/fbuilder $(DESTDIR)/$(libdir)/firejail/. | 103 | install -c -m 0755 src/fbuilder/fbuilder $(DESTDIR)/$(libdir)/firejail/. |
@@ -167,6 +168,7 @@ install-strip: all | |||
167 | strip src/ftee/ftee | 168 | strip src/ftee/ftee |
168 | strip src/faudit/faudit | 169 | strip src/faudit/faudit |
169 | strip src/fnet/fnet | 170 | strip src/fnet/fnet |
171 | strip src/fnet/fnetfilter | ||
170 | strip src/fseccomp/fseccomp | 172 | strip src/fseccomp/fseccomp |
171 | strip src/fcopy/fcopy | 173 | strip src/fcopy/fcopy |
172 | strip src/fldd/fldd | 174 | strip src/fldd/fldd |
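Review bot: The new strip line (new line 171) names `src/fnet/fnetfilter`, but the install rule added in the previous hunk (new line 100) and the APPS list both place the binary at `src/fnetfilter/fnetfilter`, so `make install-strip` will try to strip a path that is never built. It should read `strip src/fnetfilter/fnetfilter`. The surrounding `install-strip` target continues outside the hunk.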
@@ -3823,7 +3823,7 @@ if test "$prefix" = /usr; then | |||
3823 | sysconfdir="/etc" | 3823 | sysconfdir="/etc" |
3824 | fi | 3824 | fi |
3825 | 3825 | ||
3826 | ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile" | 3826 | ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile" |
3827 | 3827 | ||
3828 | cat >confcache <<\_ACEOF | 3828 | cat >confcache <<\_ACEOF |
3829 | # This file is a shell script that caches the results of configure | 3829 | # This file is a shell script that caches the results of configure |
@@ -4537,6 +4537,7 @@ do | |||
4537 | "src/fcopy/Makefile") CONFIG_FILES="$CONFIG_FILES src/fcopy/Makefile" ;; | 4537 | "src/fcopy/Makefile") CONFIG_FILES="$CONFIG_FILES src/fcopy/Makefile" ;; |
4538 | "src/fnet/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnet/Makefile" ;; | 4538 | "src/fnet/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnet/Makefile" ;; |
4539 | "src/firejail/Makefile") CONFIG_FILES="$CONFIG_FILES src/firejail/Makefile" ;; | 4539 | "src/firejail/Makefile") CONFIG_FILES="$CONFIG_FILES src/firejail/Makefile" ;; |
4540 | "src/fnetfilter/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnetfilter/Makefile" ;; | ||
4540 | "src/firemon/Makefile") CONFIG_FILES="$CONFIG_FILES src/firemon/Makefile" ;; | 4541 | "src/firemon/Makefile") CONFIG_FILES="$CONFIG_FILES src/firemon/Makefile" ;; |
4541 | "src/libtrace/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtrace/Makefile" ;; | 4542 | "src/libtrace/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtrace/Makefile" ;; |
4542 | "src/libtracelog/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtracelog/Makefile" ;; | 4543 | "src/libtracelog/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtracelog/Makefile" ;; |
diff --git a/configure.ac b/configure.ac index 900c8b959..9254a3ee2 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -175,7 +175,7 @@ if test "$prefix" = /usr; then | |||
175 | sysconfdir="/etc" | 175 | sysconfdir="/etc" |
176 | fi | 176 | fi |
177 | 177 | ||
178 | AC_OUTPUT(Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile \ | 178 | AC_OUTPUT(Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \ |
179 | src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile \ | 179 | src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile \ |
180 | src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile) | 180 | src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile) |
181 | 181 | ||
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 59bd4b959..ade23d89e 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -766,6 +766,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc, | |||
766 | // sbox.c | 766 | // sbox.c |
767 | // programs | 767 | // programs |
768 | #define PATH_FNET (LIBDIR "/firejail/fnet") | 768 | #define PATH_FNET (LIBDIR "/firejail/fnet") |
769 | #define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter") | ||
769 | #define PATH_FIREMON (PREFIX "/bin/firemon") | 770 | #define PATH_FIREMON (PREFIX "/bin/firemon") |
770 | #define PATH_FIREJAIL (PREFIX "/bin/firejail") | 771 | #define PATH_FIREJAIL (PREFIX "/bin/firejail") |
771 | #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp") | 772 | #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp") |
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c index 23fdb8a6a..46ee22bf3 100644 --- a/src/firejail/fs_lib.c +++ b/src/firejail/fs_lib.c | |||
@@ -387,6 +387,7 @@ void fs_private_lib(void) { | |||
387 | fslib_copy_libs(LIBDIR "/firejail/fcopy"); | 387 | fslib_copy_libs(LIBDIR "/firejail/fcopy"); |
388 | fslib_copy_libs(LIBDIR "/firejail/fldd"); | 388 | fslib_copy_libs(LIBDIR "/firejail/fldd"); |
389 | fslib_copy_libs(LIBDIR "/firejail/fnet"); | 389 | fslib_copy_libs(LIBDIR "/firejail/fnet"); |
390 | fslib_copy_libs(LIBDIR "/firejail/fnetfilter"); | ||
390 | fslib_copy_libs(LIBDIR "/firejail/fseccomp"); | 391 | fslib_copy_libs(LIBDIR "/firejail/fseccomp"); |
391 | fslib_copy_libs(LIBDIR "/firejail/ftee"); | 392 | fslib_copy_libs(LIBDIR "/firejail/ftee"); |
392 | // mount lib filesystem | 393 | // mount lib filesystem |
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index 7246be8cf..517d0462f 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c | |||
@@ -24,33 +24,24 @@ | |||
24 | #include <sys/wait.h> | 24 | #include <sys/wait.h> |
25 | #include <fcntl.h> | 25 | #include <fcntl.h> |
26 | 26 | ||
27 | static char *client_filter = | ||
28 | "*filter\n" | ||
29 | ":INPUT DROP [0:0]\n" | ||
30 | ":FORWARD DROP [0:0]\n" | ||
31 | ":OUTPUT ACCEPT [0:0]\n" | ||
32 | "-A INPUT -i lo -j ACCEPT\n" | ||
33 | "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n" | ||
34 | "# echo replay is handled by -m state RELATED/ESTABLISHED below\n" | ||
35 | "#-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT\n" | ||
36 | "-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT\n" | ||
37 | "-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT\n" | ||
38 | "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT \n" | ||
39 | "# disable STUN\n" | ||
40 | "-A OUTPUT -p udp --dport 3478 -j DROP\n" | ||
41 | "-A OUTPUT -p udp --dport 3479 -j DROP\n" | ||
42 | "-A OUTPUT -p tcp --dport 3478 -j DROP\n" | ||
43 | "-A OUTPUT -p tcp --dport 3479 -j DROP\n" | ||
44 | "COMMIT\n"; | ||
45 | 27 | ||
46 | void check_netfilter_file(const char *fname) { | 28 | void check_netfilter_file(const char *fname) { |
47 | EUID_ASSERT(); | 29 | EUID_ASSERT(); |
48 | invalid_filename(fname, 0); // no globbing | ||
49 | 30 | ||
50 | if (is_dir(fname) || is_link(fname) || strstr(fname, "..") || access(fname, R_OK )) { | 31 | char *tmp = strdup(fname); |
51 | fprintf(stderr, "Error: invalid network filter file %s\n", fname); | 32 | if (!tmp) |
33 | errExit("strdup"); | ||
34 | char *ptr = strchr(tmp, ','); | ||
35 | if (ptr) | ||
36 | *ptr = '\0'; | ||
37 | |||
38 | invalid_filename(tmp, 0); // no globbing | ||
39 | |||
40 | if (is_dir(tmp) || is_link(tmp) || strstr(tmp, "..") || access(tmp, R_OK )) { | ||
41 | fprintf(stderr, "Error: invalid network filter file %s\n", tmp); | ||
52 | exit(1); | 42 | exit(1); |
53 | } | 43 | } |
44 | free(tmp); | ||
54 | } | 45 | } |
55 | 46 | ||
56 | 47 | ||
@@ -72,29 +63,15 @@ void netfilter(const char *fname) { | |||
72 | return; | 63 | return; |
73 | } | 64 | } |
74 | 65 | ||
75 | // read filter | 66 | // create an empty user-owned SBOX_STDIN_FILE |
76 | char *filter = client_filter; | 67 | create_empty_file_as_root(SBOX_STDIN_FILE, 0644); |
77 | int allocated = 0; | 68 | if (set_perms(SBOX_STDIN_FILE, getuid(), getgid(), 0644)) |
78 | if (netfilter_default) | 69 | errExit("set_perms"); |
79 | fname = netfilter_default; | ||
80 | if (fname) { | ||
81 | filter = read_text_file_or_exit(fname); | ||
82 | allocated = 1; | ||
83 | } | ||
84 | 70 | ||
85 | // create the filter file | 71 | if (fname == NULL) |
86 | FILE *fp = fopen(SBOX_STDIN_FILE, "w"); | 72 | sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FNETFILTER, SBOX_STDIN_FILE); |
87 | if (!fp) { | 73 | else |
88 | fprintf(stderr, "Error: cannot open %s\n", SBOX_STDIN_FILE); | 74 | sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FNETFILTER, fname, SBOX_STDIN_FILE); |
89 | exit(1); | ||
90 | } | ||
91 | fprintf(fp, "%s\n", filter); | ||
92 | fclose(fp); | ||
93 | |||
94 | |||
95 | // push filter | ||
96 | if (arg_debug) | ||
97 | printf("Installing network filter:\n%s\n", filter); | ||
98 | 75 | ||
99 | // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter | 76 | // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter |
100 | // we run this command with caps and seccomp disabled in order to allow the loading of these modules | 77 | // we run this command with caps and seccomp disabled in order to allow the loading of these modules |
@@ -105,8 +82,6 @@ void netfilter(const char *fname) { | |||
105 | if (arg_debug) | 82 | if (arg_debug) |
106 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-vL"); | 83 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-vL"); |
107 | 84 | ||
108 | if (allocated) | ||
109 | free(filter); | ||
110 | return; | 85 | return; |
111 | } | 86 | } |
112 | 87 | ||
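Review bot: In check_netfilter_file (first hunk, new lines 31-44) the `is_dir`/`is_link`/`..`/`access` checks now run only on the copy truncated at the first ',', while netfilter() in the second hunk passes the full `fname` to PATH_FNETFILTER; whatever follows the comma is therefore not validated in this file and fnetfilter must be trusted to check it itself, which this commit does not show. A comment on the truncation would make that contract explicit: `// only the path before the first ',' is validated here; the remainder is passed through to fnetfilter unchecked`. The second hunk also drops the `if (netfilter_default) fname = netfilter_default;` override without a visible replacement, so unless fnetfilter applies that config value on its own, the netfilter_default setting silently stops working. netfilter() begins before the second hunk, so its earlier argument handling is not visible here.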