-rw-r--r-- | etc/profile-a-l/firefox-common.profile | 2 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 5 | ||||
-rw-r--r-- | src/firejail/profile.c | 16 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 9 |
5 files changed, 32 insertions, 1 deletions
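--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -33,6 +33,8 @@ include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 apparmor
+# Fixme!
+apparmor-replace
 caps.drop all
 # machine-id breaks pulse audio; add it to your firefox-common.local if sound is not required.
 #machine-id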
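Review bot: The `# Fixme!` above the new `apparmor-replace` line gives no reason, although this directive switches Firefox to the replace behaviour that sandbox.c itself warns "can result in relaxation of the protection". A reader of the profile should see why it is needed and when it can be removed, e.g. `# Fixme! temporary: profile stacking breaks firefox; apparmor-replace weakens confinement (see set_apparmor in sandbox.c)`. What exactly stacking breaks is not visible in this commit, so the comment should name the actual breakage rather than leave it implicit.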
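--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -339,6 +339,7 @@ extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage; // appimage
 extern int arg_apparmor; // apparmor
 extern char *apparmor_profile; // apparmor profile
+extern bool apparmor_replace; // whether apparmor should replace the profile (legacy behavior)
 extern int arg_allow_debuggers; // allow debuggers
 extern int arg_x11_block; // block X11
 extern int arg_x11_xorg; // use X11 security extension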
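Review bot: `apparmor_replace` is the only `bool` in a run of `int` flags and, unlike its neighbours `arg_apparmor` and `arg_allow_debuggers`, does not carry the `arg_` prefix, so it reads as a derived value rather than a user-selected option. Whether `<stdbool.h>` is already included by firejail.h is not visible here; if it is not, every includer now depends on it. At minimum the declaration comment should say who sets the flag and what it selects: `extern bool apparmor_replace; // replace (aa_change_onexec) instead of stack the AppArmor profile; set by --apparmor-replace and the apparmor-replace/apparmor-stack profile directives`.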
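--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -134,6 +134,7 @@ int arg_writable_var_log = 0; // writable /var/log
 int arg_appimage = 0; // appimage
 int arg_apparmor = 0; // apparmor
 char *apparmor_profile = NULL; // apparmor profile
+bool apparmor_replace = false; // apparmor profile
 int arg_allow_debuggers = 0; // allow debuggers
 int arg_x11_block = 0; // block X11
 int arg_x11_xorg = 0; // use X11 security extension
@@ -1383,6 +1384,10 @@ int main(int argc, char **argv, char **envp) {
 			arg_apparmor = 1;
 			apparmor_profile = argv[i] + 11;
 		}
+		else if (strncmp(argv[i], "--apparmor-replace", 18) == 0) {
+			arg_apparmor = 1;
+			apparmor_replace = true;
+		}
 #endif
 		else if (strncmp(argv[i], "--protocol=", 11) == 0) {
 			if (checkcfg(CFG_SECCOMP)) {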
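Review bot: `strncmp(argv[i], "--apparmor-replace", 18) == 0` in the second hunk is a prefix match on an option that takes no argument, so a mistyped `--apparmor-replacefoo` is accepted silently instead of being rejected as unknown; since the literal is exactly 18 characters, the exact form `else if (strcmp(argv[i], "--apparmor-replace") == 0) {` is what is meant. The branch is inside the `#ifdef HAVE_APPARMOR` region closed by the following `#endif`, and `main` continues on both sides of the hunk. In the first hunk the comment on `bool apparmor_replace = false; // apparmor profile` was copied from the line above; `// replace the AppArmor profile instead of stacking it (legacy behavior)` would describe the flag. As far as this diff shows, profile.c gains an `apparmor-stack` directive but no matching `--apparmor-stack` option is added here, so the CLI cannot undo a `apparmor-replace` coming from a profile.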
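--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -956,6 +956,22 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		return 0;
 	}
 
+	if (strcmp(ptr, "apparmor-replace") == 0) {
+#ifdef HAVE_APPARMOR
+		arg_apparmor = 1;
+		apparmor_replace = true;
+#endif
+		return 0;
+	}
+
+	if (strcmp(ptr, "apparmor-stack") == 0) {
+#ifdef HAVE_APPARMOR
+		arg_apparmor = 1;
+		apparmor_replace = false;
+#endif
+		return 0;
+	}
+
 	if (strncmp(ptr, "protocol ", 9) == 0) {
 		if (checkcfg(CFG_SECCOMP)) {
 			const char *add = ptr + 9;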
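Review bot: The two new directives are order-dependent — `apparmor-stack` writes `apparmor_replace = false`, so whichever appears last across the included profiles wins — and nothing in the hunk records that, which matters because `apparmor-replace` selects the weaker legacy mode; a comment above the first block such as `// apparmor-replace / apparmor-stack: last directive wins; replace is the legacy, less restrictive behaviour (see set_apparmor)` would make it explicit. Both directives also set `arg_apparmor = 1`, so `apparmor-stack` on its own enables AppArmor, which the name does not suggest and which deserves a comment or a man-page entry. Without HAVE_APPARMOR both are accepted and ignored, presumably mirroring how the existing `apparmor` directive is handled, but that code is outside the hunk. profile_check_line begins and ends outside the hunk.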
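--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -130,7 +130,14 @@ static void set_caps(void) {
 static void set_apparmor(void) {
 	EUID_ASSERT();
 	if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
-		if (aa_stack_onexec(apparmor_profile)) {
+		int res = 0;
+		if(apparmor_replace){
+			fwarning("Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.\n");
+			res = aa_change_onexec(apparmor_profile);
+		} else {
+			res = aa_stack_onexec(apparmor_profile);
+		}
+		if (res) {
 			fwarning("Cannot confine the application using AppArmor.\n"
 				"Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
 				"As root, run \"aa-enforce firejail-default\" to load it.\n");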
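Review bot: `if(apparmor_replace){` does not follow the spacing of `if (res) {` a few lines below or of the surrounding file; write `if (apparmor_replace) {`. The legacy warning is emitted before `aa_change_onexec` is attempted, which is reasonable as a notice, but an operator reading logs cannot tell which profile was replaced; including it, e.g. `fwarning("Replacing AppArmor profile %s instead of stacking it ...\n", apparmor_profile)`, would help, provided `apparmor_profile` cannot be NULL at this point — the hunk does not show where it is guaranteed to be set, so that needs checking first. set_apparmor continues past the end of the hunk.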