-rw-r--r-- | Makefile.in | 4 | ||||
-rwxr-xr-x | configure | 3 | ||||
-rw-r--r-- | configure.ac | 2 | ||||
-rw-r--r-- | platform/debian/conffiles | 1 | ||||
-rw-r--r-- | src/faudit/dbus.c | 6 | ||||
-rw-r--r-- | src/faudit/x11.c | 3 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs_trace.c | 8 | ||||
-rw-r--r-- | src/firejail/ls.c | 2 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 8 | ||||
-rw-r--r-- | src/firejail/x11.c | 6 | ||||
-rw-r--r-- | src/libx11/Makefile.in | 25 | ||||
-rw-r--r-- | src/libx11/libx11.c | 66 |
13 files changed, 118 insertions, 17 deletions
diff --git a/Makefile.in b/Makefile.in index ee17ae60c..cdb3535c2 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -1,6 +1,6 @@ | |||
1 | all: apps man | 1 | all: apps man |
2 | MYLIBS = src/lib | 2 | MYLIBS = src/lib |
3 | APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit | 3 | APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libx11 |
4 | MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 | 4 | MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 |
5 | 5 | ||
6 | prefix=@prefix@ | 6 | prefix=@prefix@ |
@@ -71,6 +71,7 @@ realinstall: | |||
71 | install -m 0755 -d $(DESTDIR)/$(libdir)/firejail | 71 | install -m 0755 -d $(DESTDIR)/$(libdir)/firejail |
72 | install -c -m 0644 src/libtrace/libtrace.so $(DESTDIR)/$(libdir)/firejail/. | 72 | install -c -m 0644 src/libtrace/libtrace.so $(DESTDIR)/$(libdir)/firejail/. |
73 | install -c -m 0644 src/libtracelog/libtracelog.so $(DESTDIR)/$(libdir)/firejail/. | 73 | install -c -m 0644 src/libtracelog/libtracelog.so $(DESTDIR)/$(libdir)/firejail/. |
74 | install -c -m 0644 src/libx11/libx11.so $(DESTDIR)/$(libdir)/firejail/. | ||
74 | install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/. | 75 | install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/. |
75 | install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/. | 76 | install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/. |
76 | install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/. | 77 | install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/. |
@@ -120,6 +121,7 @@ install-strip: all | |||
120 | strip src/firecfg/firecfg | 121 | strip src/firecfg/firecfg |
121 | strip src/libtrace/libtrace.so | 122 | strip src/libtrace/libtrace.so |
122 | strip src/libtracelog/libtracelog.so | 123 | strip src/libtracelog/libtracelog.so |
124 | strip src/libx11/libx11.so | ||
123 | strip src/ftee/ftee | 125 | strip src/ftee/ftee |
124 | strip src/faudit/faudit | 126 | strip src/faudit/faudit |
125 | $(MAKE) realinstall | 127 | $(MAKE) realinstall |
@@ -3759,7 +3759,7 @@ if test "$prefix" = /usr; then | |||
3759 | sysconfdir="/etc" | 3759 | sysconfdir="/etc" |
3760 | fi | 3760 | fi |
3761 | 3761 | ||
3762 | ac_config_files="$ac_config_files Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile" | 3762 | ac_config_files="$ac_config_files Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libx11/Makefile" |
3763 | 3763 | ||
3764 | cat >confcache <<\_ACEOF | 3764 | cat >confcache <<\_ACEOF |
3765 | # This file is a shell script that caches the results of configure | 3765 | # This file is a shell script that caches the results of configure |
@@ -4477,6 +4477,7 @@ do | |||
4477 | "src/firecfg/Makefile") CONFIG_FILES="$CONFIG_FILES src/firecfg/Makefile" ;; | 4477 | "src/firecfg/Makefile") CONFIG_FILES="$CONFIG_FILES src/firecfg/Makefile" ;; |
4478 | "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;; | 4478 | "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;; |
4479 | "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;; | 4479 | "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;; |
4480 | "src/libx11/Makefile") CONFIG_FILES="$CONFIG_FILES src/libx11/Makefile" ;; | ||
4480 | 4481 | ||
4481 | *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; | 4482 | *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; |
4482 | esac | 4483 | esac |
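--- a/configure.ac
+++ b/configure.ac
@@ -148,7 +148,7 @@ if test "$prefix" = /usr; then
 sysconfdir="/etc"
 fi
 
-AC_OUTPUT(Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile)
+AC_OUTPUT(Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libx11/Makefile)
 
 echo
 echo "Configuration options:"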
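--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -149,4 +149,3 @@
 /etc/firejail/synfigstudio.profile
 /etc/firejail/gimp.profile
 /etc/firejail/inkscape.profile
-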
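--- a/src/faudit/dbus.c
+++ b/src/faudit/dbus.c
@@ -79,10 +79,8 @@ void dbus_test(void) {
 else if (rv == -1)
 printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile);
 }
-else if ((sockfile = strstr(bus, "tcp:host=")) != NULL) {
-printf("UGLY: session bus configured for TCPcommunication.\n");
-rv = -2;
-}
+else if ((sockfile = strstr(bus, "tcp:host=")) != NULL)
+printf("UGLY: session bus configured for TCP communication.\n");
 else
 printf("GOOD: cannot find a D-Bus socket\n");
 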
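--- a/src/faudit/x11.c
+++ b/src/faudit/x11.c
@@ -35,8 +35,9 @@ void x11_test(void) {
 if (!(dir = opendir("/tmp/.X11-unix"))) {
 // sleep 2 seconds and try again
 sleep(2);
-if (!(dir = opendir("/tmp/.X11-unix")))
+if (!(dir = opendir("/tmp/.X11-unix"))) {
 ;
+}
 }
 
 if (dir == NULL)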
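--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -627,6 +627,7 @@ void fs_mkdir(const char *name);
 void fs_mkfile(const char *name);
 
 // x11.c
+extern int mask_x11_abstract_socket;
 void fs_x11(void);
 int x11_display(void);
 void x11_start(int argc, char **argv);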
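--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -54,15 +54,17 @@ void fs_trace(void) {
 FILE *fp = fopen(RUN_LDPRELOAD_FILE, "w");
 if (!fp)
 errExit("fopen");
-if (arg_trace)
+if (arg_trace) {
 fprintf(fp, "%s/firejail/libtrace.so\n", LIBDIR);
+}
 else if (arg_tracelog) {
 fprintf(fp, "%s/firejail/libtracelog.so\n", LIBDIR);
 if (!arg_quiet)
 printf("Blacklist violations are logged to syslog\n");
 }
-else
-assert(0);
+
+if (mask_x11_abstract_socket)
+fprintf(fp, "%s/firejail/libx11.so\n", LIBDIR);
 
 SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
 fclose(fp);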
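Review bot: The result of the new `fprintf(fp, "%s/firejail/libx11.so\n", LIBDIR);` is never checked, although this line makes the preload file part of the X11 isolation rather than a tracing aid. A failed write would leave the sandbox running without the shim and without any message. `errExit` is already used for the `fopen` failure a few lines up, so the same fail-closed handling fits here: `if (fprintf(fp, "%s/firejail/libx11.so\n", LIBDIR) < 0) errExit("fprintf");`. fs_trace() starts and continues outside this hunk.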
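--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -419,7 +419,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
 EUID_USER();
 }
 // get file from host and store it in the sandbox
-else if (op == SANDBOX_FS_PUT) {
+else if (op == SANDBOX_FS_PUT && path2) {
 // verify the source file
 const char *src_fname = path1;
 struct stat s;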
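Review bot: With `else if (op == SANDBOX_FS_PUT && path2)` a put request that arrives without a destination no longer matches any branch shown here, so unless code after the hunk handles it the operation is dropped without a message or a non-zero exit. An explicit rejection ahead of the branch chain makes the failure visible, e.g. `if (op == SANDBOX_FS_PUT && !path2) { fprintf(stderr, "Error: missing destination path\n"); exit(1); }`. The body of sandboxfs() starts and continues outside the hunk, so whether a later branch covers this case cannot be seen from here.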
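--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -479,7 +479,7 @@ int sandbox(void* sandbox_arg) {
 fs_build_cp_command();
 
 // trace pre-install
-if (arg_trace || arg_tracelog)
+if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
 fs_trace_preload();
 
 //****************************
@@ -505,7 +505,7 @@ int sandbox(void* sandbox_arg) {
 //****************************
 // trace pre-install, this time inside chroot
 //****************************
-if (arg_trace || arg_tracelog)
+if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
 fs_trace_preload();
 }
 else
@@ -575,7 +575,7 @@ int sandbox(void* sandbox_arg) {
 else {
 fs_private_etc_list();
 // create /etc/ld.so.preload file again
-if (arg_trace || arg_tracelog)
+if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
 fs_trace_preload();
 }
 }
@@ -626,7 +626,7 @@ int sandbox(void* sandbox_arg) {
 //****************************
 // install trace
 //****************************
-if (arg_trace || arg_tracelog)
+if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
 fs_trace();
 
 //****************************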
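Review bot: The condition `arg_trace || arg_tracelog || mask_x11_abstract_socket` is now repeated at four call sites in sandbox(), three before `fs_trace_preload()` and one before `fs_trace()`. A later preload library wired into only some of them would silently be missing from the preload file on the chroot or private-etc path. A single predicate keeps the sites in step, for example `static inline int need_preload(void) { return arg_trace || arg_tracelog || mask_x11_abstract_socket; }`. The hunks do not show where `x11_block()` runs relative to these checks; presumably it is called before sandbox(), which is worth confirming because the flag is only set there. sandbox() starts and ends outside the hunks.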
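--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -27,6 +27,7 @@
 #include <dirent.h>
 #include <sys/mount.h>
 #include <sys/wait.h>
+int mask_x11_abstract_socket = 0;
 
 #ifdef HAVE_X11
 // return 1 if xpra is installed on the system
@@ -51,6 +52,7 @@ static int x11_check_xephyr(void) {
 return 1;
 }
 
+#if 0
 // check for X11 abstract sockets
 static int x11_abstract_sockets_present(void) {
 char *path;
@@ -75,6 +77,7 @@ static int x11_abstract_sockets_present(void) {
 
 return 0;
 }
+#endif
 
 static int random_display_number(void) {
 int i;
@@ -594,6 +597,8 @@ void x11_start(int argc, char **argv) {
 
 void x11_block(void) {
 #ifdef HAVE_X11
+mask_x11_abstract_socket = 1;
+#if 0
 // check abstract socket presence and network namespace options
 if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured)
 && x11_abstract_sockets_present()) {
@@ -604,6 +609,7 @@ void x11_block(void) {
 " (eg. to your display manager config, or /etc/X11/xinit/xserverrc)\n");
 exit(1);
 }
+#endif
 
 // blacklist sockets
 profile_check_line("blacklist /tmp/.X11-unix", 0, NULL);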
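Review bot: In `x11_block()` the check that refused to start when an abstract X11 socket was present and no network namespace was configured is now compiled out with `#if 0`, leaving the preloaded `connect()` wrapper as the only protection for that case. A preload shim only covers dynamically linked programs that go through libc's `connect`; it is not an enforcement boundary the way a separate network namespace is, so a hard failure has become a best-effort mask without the user being told. I would keep the detection and downgrade it to a warning instead of disabling it, e.g. `fprintf(stderr, "Warning: abstract X11 socket is only masked through ld.so.preload; use a network namespace for full isolation\n");`. The `#if 0` regions should be deleted rather than left behind, and `int mask_x11_abstract_socket = 0;` deserves a one-line comment and a blank line after the includes. x11_block() continues outside the hunk.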
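--- /dev/null
+++ b/src/libx11/Makefile.in
@@ -0,0 +1,25 @@
+PREFIX=@prefix@
+VERSION=@PACKAGE_VERSION@
+NAME=@PACKAGE_NAME@
+HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+
+H_FILE_LIST = $(sort $(wildcard *.[h]))
+C_FILE_LIST = $(sort $(wildcard *.c))
+OBJS = $(C_FILE_LIST:.c=.o)
+BINOBJS = $(foreach file, $(OBJS), $file)
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
+LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
+
+all: libx11.so
+
+%.o : %.c $(H_FILE_LIST)
+$(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+
+libx11.so: $(OBJS)
+$(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
+
+
+clean:; rm -f $(OBJS) libx11.so
+
+distclean: clean
+rm -fr Makefile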
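Review bot: The link line for `libx11.so` mixes executable and shared-object flags: `LDFLAGS += -pie` is combined with `-shared`, and `-z relro` is passed again on the `$(CC)` line although `-Wl,-z,relro -Wl,-z,now` is already in LDFLAGS. For a library that is loaded into every process of the sandbox I would drop `-pie` and the bare `-z relro` so the hardening flags in effect are unambiguous: `LDFLAGS += -Wl,-z,relro -Wl,-z,now` and `$(CC) $(LDFLAGS) -shared -fPIC -o $@ $(OBJS) -ldl`. `BINOBJS = $(foreach file, $(OBJS), $file)` expands `$f` followed by the literal `ile` and is not used by any rule shown, so it can be removed.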
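--- /dev/null
+++ b/src/libx11/libx11.c
@@ -0,0 +1,66 @@
+/*
+* Copyright (C) 2014-2016 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <sys/un.h>
+#include <sys/stat.h>
+#include <dirent.h>
+#include <errno.h>
+
+//#define DEBUG
+
+//static int check_sockaddr(int sockfd, const char *call, const struct sockaddr *addr, int rv) {
+static int check_sockaddr(const struct sockaddr *addr) {
+if (addr->sa_family == AF_UNIX) {
+struct sockaddr_un *a = (struct sockaddr_un *) addr;
+if (a->sun_path[0] == '\0') {
+// printf("@%s\n", a->sun_path + 1);
+errno = ENOENT;
+return -1;
+}
+}
+
+return 0;
+}
+
+//
+// syscalls
+//
+
+// connect
+typedef int (*orig_connect_t)(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
+static orig_connect_t orig_connect = NULL;
+int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
+if (!orig_connect)
+orig_connect = (orig_connect_t)dlsym(RTLD_NEXT, "connect");
+
+if (check_sockaddr(addr) == -1)
+return -1;
+
+return orig_connect(sockfd, addr, addrlen);
+}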
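Review bot: `check_sockaddr()` reads `addr->sa_family` and `a->sun_path[0]` without a NULL check and without looking at `addrlen`, so the wrapper can fault on a NULL `addr` that the real `connect()` would have rejected with an error, and it inspects a byte the caller never supplied when `addrlen` covers only the family field. `connect()` also calls `orig_connect` without checking that `dlsym(RTLD_NEXT, "connect")` succeeded. The fence passes `addrlen` into the check (`offsetof` needs `<stddef.h>`), fails cleanly when the real symbol cannot be resolved, and keeps the cast const-correct. A header comment should also say that the rule rejects every abstract AF_UNIX address, not only the X11 one, and that only `connect()` is wrapped, so this is a best-effort mask and not a replacement for a network namespace.

```c
static int check_sockaddr(const struct sockaddr *addr, socklen_t addrlen) {
	// pass anything too short to carry sun_path[0] through to the real connect()
	if (addr == NULL || addrlen < offsetof(struct sockaddr_un, sun_path) + 1)
		return 0;

	if (addr->sa_family == AF_UNIX) {
		const struct sockaddr_un *a = (const struct sockaddr_un *) addr;
		// ... unchanged: reject sun_path[0] == '\0' with ENOENT ...
	}

	return 0;
}

int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
	if (!orig_connect)
		orig_connect = (orig_connect_t)dlsym(RTLD_NEXT, "connect");
	if (!orig_connect) {
		// real symbol not resolvable: fail instead of calling a NULL pointer
		errno = ENOSYS;
		return -1;
	}

	if (check_sockaddr(addr, addrlen) == -1)
		return -1;
	// ... unchanged: forward to orig_connect ...
}
```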