-rw-r--r-- | etc/profile-a-l/firefox-common.profile | 2 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 5 | ||||
-rw-r--r-- | src/firejail/profile.c | 16 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 9 |
5 files changed, 32 insertions, 1 deletions
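--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -35,6 +35,8 @@ include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 apparmor
+# Fixme!
+apparmor-replace
 caps.drop all
 # machine-id breaks pulse audio; add it to your firefox-common.local if sound is not required.
 #machine-id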
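Review bot: The `# Fixme!` comment above `apparmor-replace` gives the next maintainer nothing to act on, while the warning text added in sandbox.c in this same commit describes replacing as a temporary workaround that can relax protection for software broken by the switch to stacking. Record that reason and the exit condition in the profile itself, e.g. `# apparmor-replace: legacy non-stacking confinement, temporary workaround until firefox works with the stacked firejail-default profile`; the concrete breakage is not stated anywhere in this commit, so adjust the wording to what was actually observed. The `apparmor` line above is now redundant, since `apparmor-replace` also enables AppArmor in profile.c, but keeping both is harmless.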
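--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -339,6 +339,7 @@ extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage; // appimage
 extern int arg_apparmor; // apparmor
 extern char *apparmor_profile; // apparmor profile
+extern bool apparmor_replace; // whether apparmor should replace the profile (legacy behavior)
 extern int arg_allow_debuggers; // allow debuggers
 extern int arg_x11_block; // block X11
 extern int arg_x11_xorg; // use X11 security extension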
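--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -134,6 +134,7 @@ int arg_writable_var_log = 0; // writable /var/log
 int arg_appimage = 0; // appimage
 int arg_apparmor = 0; // apparmor
 char *apparmor_profile = NULL; // apparmor profile
+bool apparmor_replace = false; // apparmor profile
 int arg_allow_debuggers = 0; // allow debuggers
 int arg_x11_block = 0; // block X11
 int arg_x11_xorg = 0; // use X11 security extension
@@ -1383,6 +1384,10 @@ int main(int argc, char **argv, char **envp) {
 arg_apparmor = 1;
 apparmor_profile = argv[i] + 11;
 }
+else if (strncmp(argv[i], "--apparmor-replace", 18) == 0) {
+arg_apparmor = 1;
+apparmor_replace = true;
+}
 #endif
 else if (strncmp(argv[i], "--protocol=", 11) == 0) {
 if (checkcfg(CFG_SECCOMP)) {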
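Review bot: `strncmp(argv[i], "--apparmor-replace", 18) == 0` in the second hunk matches any argument that merely starts with `--apparmor-replace`, so a mistyped `--apparmor-replaced` is silently accepted; the prefix form is right for `--apparmor=` because it carries a value, but this flag takes none, so use `else if (strcmp(argv[i], "--apparmor-replace") == 0) {`. In the first hunk the comment on the new global, `// apparmor profile`, is copied from the line above and should describe the flag, e.g. `// replace rather than stack the apparmor profile (legacy behavior)`; the name `apparmor_replace` also drops the `arg_` prefix the surrounding option globals use. The diffstat shows no usage or man-page change for the new `--apparmor-replace` option, so if that documentation lives elsewhere in the tree it should be updated in the same change. main's body continues outside the hunk.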
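--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -966,6 +966,22 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 
+if (strcmp(ptr, "apparmor-replace") == 0) {
+#ifdef HAVE_APPARMOR
+arg_apparmor = 1;
+apparmor_replace = true;
+#endif
+return 0;
+}
+
+if (strcmp(ptr, "apparmor-stack") == 0) {
+#ifdef HAVE_APPARMOR
+arg_apparmor = 1;
+apparmor_replace = false;
+#endif
+return 0;
+}
+
 if (strncmp(ptr, "protocol ", 9) == 0) {
 if (checkcfg(CFG_SECCOMP)) {
 const char *add = ptr + 9;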
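Review bot: `apparmor-stack` is accepted as a profile keyword here, but main.c in this commit adds only `--apparmor-replace` and no matching `--apparmor-stack` option, so an `apparmor-replace` inherited from an included profile can only be undone from another profile file; either add the option or state the asymmetry where the keywords are documented. Both new keywords are also accepted and silently ignored when HAVE_APPARMOR is not defined, which follows the `#ifdef` pattern used elsewhere but gives the profile author no feedback; a one-line comment above each `#ifdef`, `// accepted without effect when built without AppArmor support`, would make that deliberate. Whether the `apparmor` keyword handled just above this hunk behaves the same way cannot be seen from here; profile_check_line continues on both sides of the hunk.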
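--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -130,7 +130,14 @@ static void set_caps(void) {
 static void set_apparmor(void) {
 EUID_ASSERT();
 if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
-if (aa_stack_onexec(apparmor_profile)) {
+int res = 0;
+if(apparmor_replace){
+fwarning("Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.\n");
+res = aa_change_onexec(apparmor_profile);
+} else {
+res = aa_stack_onexec(apparmor_profile);
+}
+if (res) {
 fwarning("Cannot confine the application using AppArmor.\n"
 "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
 "As root, run \"aa-enforce firejail-default\" to load it.\n");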
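Review bot: When `aa_change_onexec` or `aa_stack_onexec` fails, the warning at new lines 141-143 discards the reason; per libapparmor's documentation both calls return -1 with errno set, so saving errno right after the call and appending `strerror(errno)` to the message (assuming fwarning takes a printf-style format, as its use here suggests) would tell the user whether the profile is not loaded, the kernel lacks stacking support, or the change was denied. The warning at new line 135 is the right thing to keep, since replacing rather than stacking means any confinement firejail itself runs under is exchanged for the named profile instead of being tightened by it. `if(apparmor_replace){` departs from the `if (...) {` spacing used on the surrounding lines and should read `if (apparmor_replace) {`, and the replace warning is one very long literal that would read better split across adjacent string literals like the existing three-line warning below it. The function ends outside the hunk.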