-rw-r--r-- | .gitignore | 2 | ||||
-rw-r--r-- | Makefile | 4 | ||||
-rw-r--r-- | RELNOTES | 3 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 5 | ||||
-rw-r--r-- | src/firejail/preproc.c | 4 | ||||
-rw-r--r-- | src/firejail/profile.c | 4 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 14 | ||||
-rw-r--r-- | src/include/rundefs.h | 2 |
9 files changed, 34 insertions, 5 deletions
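--- a/.gitignore
+++ b/.gitignore
@@ -61,6 +61,8 @@ seccomp.64
 seccomp.block_secondary
 seccomp.mdwx
 seccomp.mdwx.32
+seccomp.namespaces
+seccomp.namespaces.32
 aclocal.m4
 __pycache__
 *.pyc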
@@ -17,7 +17,7 @@ SBOX_APPS_NON_DUMPABLE += src/fnettrace-icmp/fnettrace-icmp | |||
17 | MYDIRS = src/lib src/man $(COMPLETIONDIRS) | 17 | MYDIRS = src/lib src/man $(COMPLETIONDIRS) |
18 | MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so | 18 | MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so |
19 | COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion | 19 | COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion |
20 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 | 20 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 seccomp.namespaces seccomp.namespaces.32 |
21 | 21 | ||
22 | SYSCALL_HEADERS := $(sort $(wildcard src/include/syscall*.h)) | 22 | SYSCALL_HEADERS := $(sort $(wildcard src/include/syscall*.h)) |
23 | 23 | ||
@@ -63,6 +63,8 @@ define build_filters | |||
63 | src/fseccomp/fseccomp secondary block seccomp.block_secondary | 63 | src/fseccomp/fseccomp secondary block seccomp.block_secondary |
64 | src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx | 64 | src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx |
65 | src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32 | 65 | src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32 |
66 | src/fseccomp/fseccomp restrict-namespaces seccomp.namespaces cgroup,ipc,net,mnt,pid,time,user,uts | ||
67 | src/fseccomp/fseccomp restrict-namespaces seccomp.namespaces.32 cgroup,ipc,net,mnt,pid,time,user,uts | ||
66 | endef | 68 | endef |
67 | 69 | ||
68 | 70 | ||
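Review bot: The 32-bit filter on the second added line of the build_filters hunk is generated with the same `restrict-namespaces` command as the native filter, while the mdwx pair directly above uses a distinct `memory-deny-write-execute.32` command for its 32-bit output. If fseccomp selects the syscall table from the command name (clone/unshare/setns numbers differ between x86_64 and i386), seccomp.namespaces.32 is a second copy of the 64-bit filter and the i386 ABI is left unrestricted once it is installed as RUN_SECCOMP_NS_32 in sandbox.c. If fseccomp has a `restrict-namespaces.32` command, the line should read `src/fseccomp/fseccomp restrict-namespaces.32 seccomp.namespaces.32 cgroup,ipc,net,mnt,pid,time,user,uts`; if it does not, that is the gap to fill before shipping the prebuilt .32 filter. The namespace list is also repeated verbatim in main.c and profile.c, so a comment here such as `# keep in sync with the default list in src/firejail/main.c and profile.c` would tie the three together.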
@@ -6,6 +6,7 @@ firejail (0.9.73) baseline; urgency=low | |||
6 | overwritten using --hostname command | 6 | overwritten using --hostname command |
7 | * feature: add IPv6 support for --net.print option | 7 | * feature: add IPv6 support for --net.print option |
8 | * feature: QUIC (HTTP/3) support in --nettrace | 8 | * feature: QUIC (HTTP/3) support in --nettrace |
9 | * feature: use seccomp filters build at install time for --restrict-namespaces | ||
9 | * modif: Stop forwarding own double-dash to the shell (#5599 #5600) | 10 | * modif: Stop forwarding own double-dash to the shell (#5599 #5600) |
10 | * modif: Prevent sandbox name (--name=) and host name (--hostname=) | 11 | * modif: Prevent sandbox name (--name=) and host name (--hostname=) |
11 | from containing only digits (#5578 #5741) | 12 | from containing only digits (#5578 #5741) |
@@ -20,7 +21,7 @@ firejail (0.9.73) baseline; urgency=low | |||
20 | #5618) | 21 | #5618) |
21 | * bugfix: fix --hostname and --hosts-file commands | 22 | * bugfix: fix --hostname and --hosts-file commands |
22 | * bugfix: arp.c: ensure positive timeout on select(2) (#5806) | 23 | * bugfix: arp.c: ensure positive timeout on select(2) (#5806) |
23 | * bugfix: makefiles fixes: seccomp filters and man pages are build every | 24 | * build: fixed problem with seccomp filters and man pages built every |
24 | time when running make | 25 | time when running make |
25 | * build: auto-generate syntax files (#5627) | 26 | * build: auto-generate syntax files (#5627) |
26 | * build: mark all phony targets as such (#5637) | 27 | * build: mark all phony targets as such (#5637) |
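--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -357,6 +357,7 @@ extern int arg_deterministic_exit_code; // always exit with first child's exit s
 extern int arg_deterministic_shutdown; // shut down the sandbox if first child dies
 extern int arg_keep_fd_all; // inherit all file descriptors to sandbox
 extern int arg_netlock; // netlocker
+extern int arg_restrict_namespaces;
 
 typedef enum {
 DBUS_POLICY_ALLOW, // Allow unrestricted access to the bus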
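Review bot: The new `extern int arg_restrict_namespaces;` is the only declaration in this run without a trailing comment, and its meaning is not obvious from the name because the namespace list itself lives in `cfg.restrict_namespaces`. From main.c and sandbox.c it is set only by a bare `--restrict-namespaces` and selects the install-time filter instead of a runtime fseccomp build, so I would document it as `extern int arg_restrict_namespaces; // bare --restrict-namespaces given: install the prebuilt seccomp.namespaces filter`.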
diff --git a/src/firejail/main.c b/src/firejail/main.c index 732ca93c2..45b199db4 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -165,6 +165,7 @@ int arg_tab = 0; | |||
165 | int login_shell = 0; | 165 | int login_shell = 0; |
166 | int just_run_the_shell = 0; | 166 | int just_run_the_shell = 0; |
167 | int arg_netlock = 0; | 167 | int arg_netlock = 0; |
168 | int arg_restrict_namespaces = 0; | ||
168 | 169 | ||
169 | int parent_to_child_fds[2]; | 170 | int parent_to_child_fds[2]; |
170 | int child_to_parent_fds[2]; | 171 | int child_to_parent_fds[2]; |
@@ -1508,8 +1509,10 @@ int main(int argc, char **argv, char **envp) { | |||
1508 | exit_err_feature("seccomp"); | 1509 | exit_err_feature("seccomp"); |
1509 | } | 1510 | } |
1510 | else if (strcmp(argv[i], "--restrict-namespaces") == 0) { | 1511 | else if (strcmp(argv[i], "--restrict-namespaces") == 0) { |
1511 | if (checkcfg(CFG_SECCOMP)) | 1512 | if (checkcfg(CFG_SECCOMP)) { |
1513 | arg_restrict_namespaces = 1; | ||
1512 | profile_list_augment(&cfg.restrict_namespaces, "cgroup,ipc,net,mnt,pid,time,user,uts"); | 1514 | profile_list_augment(&cfg.restrict_namespaces, "cgroup,ipc,net,mnt,pid,time,user,uts"); |
1515 | } | ||
1513 | else | 1516 | else |
1514 | exit_err_feature("seccomp"); | 1517 | exit_err_feature("seccomp"); |
1515 | } | 1518 | } |
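Review bot: The literal `"cgroup,ipc,net,mnt,pid,time,user,uts"` passed to profile_list_augment here is the list the install-time filter was generated from in the Makefile, and the same string is repeated in profile.c; the prebuilt path chosen by `arg_restrict_namespaces` in sandbox.c is only sound while all of these agree, and nothing enforces that. I would define the list once, `#define RESTRICT_NAMESPACES_ALL "cgroup,ipc,net,mnt,pid,time,user,uts"` in firejail.h, and use `profile_list_augment(&cfg.restrict_namespaces, RESTRICT_NAMESPACES_ALL);` here and in profile.c, with a comment next to the define naming the Makefile line that must match. The enclosing main() starts and ends outside the hunk.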
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index 6055ec95b..e0c11a005 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c | |||
@@ -96,12 +96,16 @@ void preproc_mount_mnt_dir(void) { | |||
96 | if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644)) | 96 | if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644)) |
97 | errExit("set_perms"); | 97 | errExit("set_perms"); |
98 | if (cfg.restrict_namespaces) { | 98 | if (cfg.restrict_namespaces) { |
99 | copy_file(PATH_SECCOMP_NAMESPACES, RUN_SECCOMP_NS, getuid(), getgid(), 0644); // root needed | ||
100 | copy_file(PATH_SECCOMP_NAMESPACES_32, RUN_SECCOMP_NS_32, getuid(), getgid(), 0644); // root needed | ||
101 | #if 0 | ||
99 | create_empty_file_as_root(RUN_SECCOMP_NS, 0644); | 102 | create_empty_file_as_root(RUN_SECCOMP_NS, 0644); |
100 | if (set_perms(RUN_SECCOMP_NS, getuid(), getgid(), 0644)) | 103 | if (set_perms(RUN_SECCOMP_NS, getuid(), getgid(), 0644)) |
101 | errExit("set_perms"); | 104 | errExit("set_perms"); |
102 | create_empty_file_as_root(RUN_SECCOMP_NS_32, 0644); | 105 | create_empty_file_as_root(RUN_SECCOMP_NS_32, 0644); |
103 | if (set_perms(RUN_SECCOMP_NS_32, getuid(), getgid(), 0644)) | 106 | if (set_perms(RUN_SECCOMP_NS_32, getuid(), getgid(), 0644)) |
104 | errExit("set_perms"); | 107 | errExit("set_perms"); |
108 | #endif | ||
105 | } | 109 | } |
106 | create_empty_file_as_root(RUN_SECCOMP_POSTEXEC, 0644); | 110 | create_empty_file_as_root(RUN_SECCOMP_POSTEXEC, 0644); |
107 | if (set_perms(RUN_SECCOMP_POSTEXEC, getuid(), getgid(), 0644)) | 111 | if (set_perms(RUN_SECCOMP_POSTEXEC, getuid(), getgid(), 0644)) |
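Review bot: The two new copy_file() calls discard their return value, whereas the code they replace checked set_perms() and errExit()'d; if the installed seccomp.namespaces file is missing or unreadable (an older or partial install under LIBDIR), RUN_SECCOMP_NS is never created and the sandbox later calls seccomp_load() on a file that does not exist. Unless seccomp_load() aborts on a missing filter, which I cannot see from here, the user's explicit --restrict-namespaces request is silently dropped, so this should fail closed: `if (copy_file(PATH_SECCOMP_NAMESPACES, RUN_SECCOMP_NS, getuid(), getgid(), 0644)) errExit("copy_file");` and the same for the .32 copy (or a fprintf/exit pair if copy_file does not leave errno set). The old `create_empty_file_as_root`/`set_perms` sequence kept under `#if 0` is dead code and should be deleted rather than carried along. preproc_mount_mnt_dir() continues outside the hunk.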
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index ae881664b..07449f646 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -1088,8 +1088,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1088 | 1088 | ||
1089 | // restrict-namespaces | 1089 | // restrict-namespaces |
1090 | if (strcmp(ptr, "restrict-namespaces") == 0) { | 1090 | if (strcmp(ptr, "restrict-namespaces") == 0) { |
1091 | if (checkcfg(CFG_SECCOMP)) | 1091 | if (checkcfg(CFG_SECCOMP)) { |
1092 | arg_restrict_namespaces = 1; | ||
1092 | profile_list_augment(&cfg.restrict_namespaces, "cgroup,ipc,net,mnt,pid,time,user,uts"); | 1093 | profile_list_augment(&cfg.restrict_namespaces, "cgroup,ipc,net,mnt,pid,time,user,uts"); |
1094 | } | ||
1093 | else | 1095 | else |
1094 | warning_feature_disabled("seccomp"); | 1096 | warning_feature_disabled("seccomp"); |
1095 | return 0; | 1097 | return 0; |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 9eb476f16..538f5be67 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -1211,7 +1211,19 @@ int sandbox(void* sandbox_arg) { | |||
1211 | seccomp_load(RUN_SECCOMP_MDWX_32); | 1211 | seccomp_load(RUN_SECCOMP_MDWX_32); |
1212 | } | 1212 | } |
1213 | 1213 | ||
1214 | if (cfg.restrict_namespaces) { | 1214 | if (arg_restrict_namespaces) { |
1215 | if (arg_seccomp_error_action != EPERM) { | ||
1216 | seccomp_filter_namespaces(true, cfg.restrict_namespaces); | ||
1217 | seccomp_filter_namespaces(false, cfg.restrict_namespaces); | ||
1218 | } | ||
1219 | |||
1220 | if (arg_debug) | ||
1221 | printf("Install namespaces filter\n"); | ||
1222 | seccomp_load(RUN_SECCOMP_NS); // install filter | ||
1223 | seccomp_load(RUN_SECCOMP_NS_32); | ||
1224 | |||
1225 | } | ||
1226 | else if (cfg.restrict_namespaces) { | ||
1215 | seccomp_filter_namespaces(true, cfg.restrict_namespaces); | 1227 | seccomp_filter_namespaces(true, cfg.restrict_namespaces); |
1216 | seccomp_filter_namespaces(false, cfg.restrict_namespaces); | 1228 | seccomp_filter_namespaces(false, cfg.restrict_namespaces); |
1217 | 1229 | ||
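Review bot: The `arg_seccomp_error_action != EPERM` test at new line 1215 encodes an assumption the hunk does not state anywhere: that the filter built by `make` (which passes no error action to fseccomp) is equivalent to one built at runtime with EPERM, so skipping the fseccomp run is safe only for that one action; if fseccomp's compile-time default ever changes, or a firejail.config seccomp-error-action setting reaches arg_seccomp_error_action, the prebuilt copy would be installed with the wrong action while the code still looks correct. That invariant belongs in a comment on the branch, and the branch structure can be simplified at the same time: the `else if (cfg.restrict_namespaces)` arm repeats the two seccomp_filter_namespaces() calls and, judging by the old code, presumably ends with the same seccomp_load() pair (its tail is outside the hunk), so the whole thing collapses to one block whose only variable part is whether fseccomp is run. The stray blank line before the closing brace at new line 1225 goes away with it. sandbox() starts and ends outside the hunk.
```c
	if (cfg.restrict_namespaces) {
		// RUN_SECCOMP_NS was copied from the install-time filter in preproc;
		// that filter was built from the full namespace list with fseccomp's
		// default error action, so it can replace a runtime build only for a
		// bare --restrict-namespaces with the default (EPERM) action.
		if (!arg_restrict_namespaces || arg_seccomp_error_action != EPERM) {
			seccomp_filter_namespaces(true, cfg.restrict_namespaces);
			seccomp_filter_namespaces(false, cfg.restrict_namespaces);
		}

		if (arg_debug)
			printf("Install namespaces filter\n");
		seccomp_load(RUN_SECCOMP_NS);	// install filter
		seccomp_load(RUN_SECCOMP_NS_32);
	}
```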
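--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -79,6 +79,8 @@
 #define PATH_SECCOMP_DEBUG_32 LIBDIR "/firejail/seccomp.debug32" // 32bit arch debug filter built during make
 #define PATH_SECCOMP_MDWX LIBDIR "/firejail/seccomp.mdwx" // filter for memory-deny-write-execute built during make
 #define PATH_SECCOMP_MDWX_32 LIBDIR "/firejail/seccomp.mdwx.32"
+#define PATH_SECCOMP_NAMESPACES LIBDIR "/firejail/seccomp.namespaces" // filter for restrict-namespaces
+#define PATH_SECCOMP_NAMESPACES_32 LIBDIR "/firejail/seccomp.namespaces.32"
 #define PATH_SECCOMP_BLOCK_SECONDARY LIBDIR "/firejail/seccomp.block_secondary" // secondary arch blocking filter built during make
 
 #define RUN_DEV_DIR RUN_MNT_DIR "/dev"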