-rw-r--r-- | README | 2 | ||||
-rw-r--r-- | RELNOTES | 2 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs.c | 38 | ||||
-rw-r--r-- | src/firejail/main.c | 39 | ||||
-rw-r--r-- | src/man/firejail.txt | 22 |
6 files changed, 58 insertions, 46 deletions
@@ -39,6 +39,8 @@ Aleksey Manevich (https://github.com/manevich) | |||
39 | - Busybox support | 39 | - Busybox support |
40 | - X11 support rewrite | 40 | - X11 support rewrite |
41 | - gether shell selection code in one place | 41 | - gether shell selection code in one place |
42 | hamzadis (https://github.com/hamzadis) | ||
43 | - added --overlay-named=name and --overlay-path=path | ||
42 | Gaman Gabriel (https://github.com/stelariusinfinitek) | 44 | Gaman Gabriel (https://github.com/stelariusinfinitek) |
43 | - inox profile | 45 | - inox profile |
44 | Laurent Declercq (https://github.com/nuxwin) | 46 | Laurent Declercq (https://github.com/nuxwin) |
@@ -10,6 +10,8 @@ firejail (0.9.42~rc2) baseline; urgency=low | |||
10 | * remove environment variable (--rmenv) | 10 | * remove environment variable (--rmenv) |
11 | * noexec support (--noexec) | 11 | * noexec support (--noexec) |
12 | * --overlay-clean option | 12 | * --overlay-clean option |
13 | * --overlay-named=name option | ||
14 | * --overlay-path=path option | ||
13 | * Ubuntu snap support | 15 | * Ubuntu snap support |
14 | * include /dev/snd in --private-dev | 16 | * include /dev/snd in --private-dev |
15 | * added mkfile profile command | 17 | * added mkfile profile command |
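--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -326,6 +326,7 @@ void fs_proc_sys_dev_boot(void);
 // build a basic read-only filesystem
 void fs_basic_fs(void);
 // mount overlayfs on top of / directory
+char *fs_check_overlay_dir(const char *subdirname, int allow_reuse);
 void fs_overlayfs(void);
 // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
 void fs_chroot(const char *rootdir);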
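Review bot: The new declaration at new line 329 is inserted between the `// mount overlayfs on top of / directory` comment and fs_overlayfs(), so that comment now reads as if it describes fs_check_overlay_dir. Give the declaration its own comment and keep the overlayfs comment directly above fs_overlayfs(), e.g. `// create ~/.firejail if missing and build the path of the overlay subdirectory; returns an asprintf-allocated string the caller must free, exits if the directory already exists and allow_reuse is 0`. Stating the ownership of the returned string here matters because the function is now part of the fs.c interface rather than a static helper in main.c.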
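--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -814,6 +814,44 @@ void fs_basic_fs(void) {
 }
 
 
+
+char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
+// create ~/.firejail directory
+struct stat s;
+char *dirname;
+if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
+errExit("asprintf");
+if (stat(dirname, &s) == -1) {
+/* coverity[toctou] */
+if (mkdir(dirname, 0700))
+errExit("mkdir");
+if (chown(dirname, getuid(), getgid()) < 0)
+errExit("chown");
+if (chmod(dirname, 0700) < 0)
+errExit("chmod");
+}
+else if (is_link(dirname)) {
+fprintf(stderr, "Error: invalid ~/.firejail directory\n");
+exit(1);
+}
+
+free(dirname);
+
+// check overlay directory
+if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1)
+errExit("asprintf");
+if (allow_reuse == 0) {
+if (stat(dirname, &s) == 0) {
+fprintf(stderr, "Error: overlay directory already exists: %s\n", dirname);
+exit(1);
+}
+}
+
+return dirname;
+}
+
+
+
 // mount overlayfs on top of / directory
 // mounting an overlay and chrooting into it:
 //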
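Review bot: fs_check_overlay_dir builds `%s/.firejail/%s` from subdirname without rejecting a name that contains `/` or is `.`/`..`, so now that it is exported from fs.c every caller is trusted to have confined the name to ~/.firejail; the --overlay-named hunk in main.c does reject an "invalid overlay option" before calling, but what it rejects is not visible here. A guard at the top of the function keeps the path confined regardless of caller: `if (!*subdirname || strchr(subdirname, '/') || strcmp(subdirname, ".") == 0 || strcmp(subdirname, "..") == 0) { fprintf(stderr, "Error: invalid overlay directory name\n"); exit(1); }`. Separately, the mkdir/chown/chmod sequence acts on the path after the stat, which the coverity[toctou] marker acknowledges; if this runs with elevated privileges (the chown to getuid()/getgid() suggests it does), opening the new directory with open(O_DIRECTORY|O_NOFOLLOW) and applying fchown/fchmod to the descriptor removes the window between creating and re-resolving the path. The returned string is heap-allocated by asprintf and passed to the caller, which the function's leading comment should say.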
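--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -704,41 +704,6 @@ static void delete_x11_file(pid_t pid) {
 free(fname);
 }
 
-static char *create_and_check_overlay_dir(const char *subdirname, int allow_reuse) {
-// create ~/.firejail directory
-struct stat s;
-char *dirname;
-if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
-errExit("asprintf");
-if (stat(dirname, &s) == -1) {
-/* coverity[toctou] */
-if (mkdir(dirname, 0700))
-errExit("mkdir");
-if (chown(dirname, getuid(), getgid()) < 0)
-errExit("chown");
-if (chmod(dirname, 0700) < 0)
-errExit("chmod");
-}
-else if (is_link(dirname)) {
-fprintf(stderr, "Error: invalid ~/.firejail directory\n");
-exit(1);
-}
-
-free(dirname);
-
-// check overlay directory
-if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1)
-errExit("asprintf");
-if (allow_reuse == 0) {
-if (stat(dirname, &s) == 0) {
-fprintf(stderr, "Error: overlay directory already exists: %s\n", dirname);
-exit(1);
-}
-}
-
-return dirname;
-}
-
 static void detect_quiet(int argc, char **argv) {
 int i;
 
@@ -1329,7 +1294,7 @@ int main(int argc, char **argv) {
 char *subdirname;
 if (asprintf(&subdirname, "%d", getpid()) == -1)
 errExit("asprintf");
-cfg.overlay_dir = create_and_check_overlay_dir(subdirname, arg_overlay_reuse);
+cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
 
 free(subdirname);
 }
@@ -1352,7 +1317,7 @@ int main(int argc, char **argv) {
 fprintf(stderr, "Error: invalid overlay option\n");
 exit(1);
 }
-cfg.overlay_dir = create_and_check_overlay_dir(subdirname, arg_overlay_reuse);
+cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
 }
 else if (strncmp(argv[i], "--overlay-path=", 15) == 0) {
 if (cfg.chrootdir) {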
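--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -994,12 +994,13 @@ $ ls -l sandboxlog*
 \fB\-\-overlay
 Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container,
 the system directories are mounted read-write. All filesystem modifications go into the overlay.
-The overlay is stored in $HOME/.firejail/<PID> directory. This option is not available on Grsecurity systems.
+The overlay is stored in $HOME/.firejail/<PID> directory.
 .br
 
 .br
 OverlayFS support is required in Linux kernel for this option to work.
-OverlayFS was officially introduced in Linux kernel version 3.18
+OverlayFS was officially introduced in Linux kernel version 3.18.
+This option is not available on Grsecurity systems.
 .br
 
 .br
@@ -1012,12 +1013,13 @@ $ firejail \-\-overlay firefox
 Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container,
 the system directories are mounted read-write. All filesystem modifications go into the overlay.
 The overlay is stored in $HOME/.firejail/<NAME> directory. The created overlay can be reused between multiple
-sessions. This option is not available on Grsecurity systems.
+sessions.
 .br
 
 .br
 OverlayFS support is required in Linux kernel for this option to work.
-OverlayFS was officially introduced in Linux kernel version 3.18
+OverlayFS was officially introduced in Linux kernel version 3.18.
+This option is not available on Grsecurity systems.
 .br
 
 .br
@@ -1030,12 +1032,12 @@ $ firejail \-\-overlay-named=jail1 firefox
 Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container,
 the system directories are mounted read-write. All filesystem modifications go into the overlay.
 The overlay is stored in the specified path. The created overlay can be reused between multiple sessions.
-This option is not available on Grsecurity systems.
 .br
 
 .br
 OverlayFS support is required in Linux kernel for this option to work.
-OverlayFS was officially introduced in Linux kernel version 3.18
+OverlayFS was officially introduced in Linux kernel version 3.18.
+This option is not available on Grsecurity systems.
 .br
 
 .br
@@ -1046,12 +1048,13 @@ $ firejail \-\-overlay-path=~/jails/jail1 firefox
 .TP
 \fB\-\-overlay-tmpfs
 Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay,
-and are discarded when the sandbox is closed. This option is not available on Grsecurity systems.
+and are discarded when the sandbox is closed.
 .br
 
 .br
 OverlayFS support is required in Linux kernel for this option to work.
-OverlayFS was officially introduced in Linux kernel version 3.18
+OverlayFS was officially introduced in Linux kernel version 3.18.
+This option is not available on Grsecurity systems.
 .br
 
 .br
@@ -1061,7 +1064,8 @@ $ firejail \-\-overlay-tmpfs firefox
 
 .TP
 \fB\-\-overlay-clean
-Clean all overlays stored in $HOME/.firejail directory.
+Clean all overlays stored in $HOME/.firejail directory. Overlays created with --overlay-path=path
+outside $HOME/.firejail will not be deleted.
 .br
 
 .br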