-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | etc/firejail.config | 5 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 8 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs.c | 138 |
5 files changed, 68 insertions, 85 deletions
@@ -1,5 +1,6 @@ | |||
1 | firejail (0.9.55) baseline; urgency=low | 1 | firejail (0.9.55) baseline; urgency=low |
2 | * work in progress | 2 | * work in progress |
3 | * modif: removed CFG_CHROOT_DESKTOP configuration option | ||
3 | * support full paths in private-lib | 4 | * support full paths in private-lib |
4 | * globbing support in private-lib | 5 | * globbing support in private-lib |
5 | -- netblue30 <netblue30@yahoo.com> Fri, 25 May 2018 08:00:00 -0500 | 6 | -- netblue30 <netblue30@yahoo.com> Fri, 25 May 2018 08:00:00 -0500 |
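--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -18,11 +18,6 @@
 # Enable or disable chroot support, default enabled.
 # chroot yes
 
-# Use chroot for desktop programs, default enabled. The sandbox will have full
-# access to system's /dev directory in order to allow video acceleration,
-# and it will harden the rest of the chroot tree.
-# chroot-desktop yes
-
 # Enable or disable dbus handling by --nodbus flag, default enabled.
 # dbus yes
 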
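--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -331,14 +331,6 @@ int checkcfg(int val) {
 else
 goto errout;
 }
-else if (strncmp(ptr, "chroot-desktop ", 15) == 0) {
-if (strcmp(ptr + 15, "yes") == 0)
-cfg_val[CFG_CHROOT_DESKTOP] = 1;
-else if (strcmp(ptr + 15, "no") == 0)
-cfg_val[CFG_CHROOT_DESKTOP] = 0;
-else
-goto errout;
-}
 else if (strncmp(ptr, "private-bin-no-local ", 21) == 0) {
 if (strcmp(ptr + 21, "yes") == 0)
 cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 1;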
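--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -740,7 +740,6 @@ enum {
 CFG_WHITELIST,
 CFG_XEPHYR_WINDOW_TITLE,
 CFG_OVERLAYFS,
-CFG_CHROOT_DESKTOP,
 CFG_PRIVATE_HOME,
 CFG_PRIVATE_BIN_NO_LOCAL,
 CFG_FIREJAIL_PROMPT,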
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 4e411c5ee..2546ab0bb 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -1199,63 +1199,61 @@ void fs_check_chroot_dir(const char *rootdir) { | |||
1199 | void fs_chroot(const char *rootdir) { | 1199 | void fs_chroot(const char *rootdir) { |
1200 | assert(rootdir); | 1200 | assert(rootdir); |
1201 | 1201 | ||
1202 | if (checkcfg(CFG_CHROOT_DESKTOP)) { | 1202 | // mount-bind a /dev in rootdir |
1203 | // mount-bind a /dev in rootdir | 1203 | char *newdev; |
1204 | char *newdev; | 1204 | if (asprintf(&newdev, "%s/dev", rootdir) == -1) |
1205 | if (asprintf(&newdev, "%s/dev", rootdir) == -1) | 1205 | errExit("asprintf"); |
1206 | if (arg_debug) | ||
1207 | printf("Mounting /dev on %s\n", newdev); | ||
1208 | if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
1209 | errExit("mounting /dev"); | ||
1210 | free(newdev); | ||
1211 | |||
1212 | // x11 | ||
1213 | if (getenv("FIREJAIL_X11")) { | ||
1214 | char *newx11; | ||
1215 | if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1) | ||
1206 | errExit("asprintf"); | 1216 | errExit("asprintf"); |
1207 | if (arg_debug) | 1217 | if (arg_debug) |
1208 | printf("Mounting /dev on %s\n", newdev); | 1218 | printf("Mounting /tmp/.X11-unix on %s\n", newx11); |
1209 | if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0) | 1219 | if (mount("/tmp/.X11-unix", newx11, NULL, MS_BIND|MS_REC, NULL) < 0) |
1210 | errExit("mounting /dev"); | 1220 | errExit("mounting /tmp/.X11-unix"); |
1211 | free(newdev); | 1221 | free(newx11); |
1212 | 1222 | } | |
1213 | // x11 | ||
1214 | if (getenv("FIREJAIL_X11")) { | ||
1215 | char *newx11; | ||
1216 | if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1) | ||
1217 | errExit("asprintf"); | ||
1218 | if (arg_debug) | ||
1219 | printf("Mounting /tmp/.X11-unix on %s\n", newx11); | ||
1220 | if (mount("/tmp/.X11-unix", newx11, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
1221 | errExit("mounting /tmp/.X11-unix"); | ||
1222 | free(newx11); | ||
1223 | } | ||
1224 | 1223 | ||
1225 | // some older distros don't have a /run directory | 1224 | // some older distros don't have a /run directory |
1226 | // create one by default | 1225 | // create one by default |
1227 | // create /run/firejail directory in chroot | 1226 | // create /run/firejail directory in chroot |
1228 | char *rundir; | 1227 | char *rundir; |
1229 | if (asprintf(&rundir, "%s/run", rootdir) == -1) | 1228 | if (asprintf(&rundir, "%s/run", rootdir) == -1) |
1230 | errExit("asprintf"); | 1229 | errExit("asprintf"); |
1231 | if (is_link(rundir)) { | 1230 | if (is_link(rundir)) { |
1232 | fprintf(stderr, "Error: invalid run directory inside chroot\n"); | 1231 | fprintf(stderr, "Error: invalid run directory inside chroot\n"); |
1233 | exit(1); | 1232 | exit(1); |
1234 | } | 1233 | } |
1235 | create_empty_dir_as_root(rundir, 0755); | 1234 | create_empty_dir_as_root(rundir, 0755); |
1236 | free(rundir); | 1235 | free(rundir); |
1237 | if (asprintf(&rundir, "%s/run/firejail", rootdir) == -1) | 1236 | if (asprintf(&rundir, "%s/run/firejail", rootdir) == -1) |
1238 | errExit("asprintf"); | 1237 | errExit("asprintf"); |
1239 | create_empty_dir_as_root(rundir, 0755); | 1238 | create_empty_dir_as_root(rundir, 0755); |
1240 | free(rundir); | 1239 | free(rundir); |
1241 | 1240 | ||
1242 | // create /run/firejail/mnt directory in chroot and mount the current one | 1241 | // create /run/firejail/mnt directory in chroot and mount the current one |
1243 | if (asprintf(&rundir, "%s%s", rootdir, RUN_MNT_DIR) == -1) | 1242 | if (asprintf(&rundir, "%s%s", rootdir, RUN_MNT_DIR) == -1) |
1244 | errExit("asprintf"); | 1243 | errExit("asprintf"); |
1245 | create_empty_dir_as_root(rundir, 0755); | 1244 | create_empty_dir_as_root(rundir, 0755); |
1246 | if (mount(RUN_MNT_DIR, rundir, NULL, MS_BIND|MS_REC, NULL) < 0) | 1245 | if (mount(RUN_MNT_DIR, rundir, NULL, MS_BIND|MS_REC, NULL) < 0) |
1247 | errExit("mount bind"); | 1246 | errExit("mount bind"); |
1248 | 1247 | ||
1249 | // copy /etc/resolv.conf in chroot directory | 1248 | // copy /etc/resolv.conf in chroot directory |
1250 | char *fname; | 1249 | char *fname; |
1251 | if (asprintf(&fname, "%s/etc/resolv.conf", rootdir) == -1) | 1250 | if (asprintf(&fname, "%s/etc/resolv.conf", rootdir) == -1) |
1252 | errExit("asprintf"); | 1251 | errExit("asprintf"); |
1253 | if (arg_debug) | 1252 | if (arg_debug) |
1254 | printf("Updating /etc/resolv.conf in %s\n", fname); | 1253 | printf("Updating /etc/resolv.conf in %s\n", fname); |
1255 | unlink(fname); | 1254 | unlink(fname); |
1256 | if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1) // root needed | 1255 | if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1) // root needed |
1257 | fwarning("/etc/resolv.conf not initialized\n"); | 1256 | fwarning("/etc/resolv.conf not initialized\n"); |
1258 | } | ||
1259 | 1257 | ||
1260 | // chroot into the new directory | 1258 | // chroot into the new directory |
1261 | #ifdef HAVE_GCOV | 1259 | #ifdef HAVE_GCOV |
@@ -1275,30 +1273,28 @@ void fs_chroot(const char *rootdir) { | |||
1275 | // create all other /run/firejail files and directories | 1273 | // create all other /run/firejail files and directories |
1276 | preproc_build_firejail_dir(); | 1274 | preproc_build_firejail_dir(); |
1277 | 1275 | ||
1278 | if (checkcfg(CFG_CHROOT_DESKTOP)) { | 1276 | // update /var directory in order to support multiple sandboxes running on the same root directory |
1279 | // update /var directory in order to support multiple sandboxes running on the same root directory | ||
1280 | // if (!arg_private_dev) | 1277 | // if (!arg_private_dev) |
1281 | // fs_dev_shm(); | 1278 | // fs_dev_shm(); |
1282 | fs_var_lock(); | 1279 | fs_var_lock(); |
1283 | if (!arg_keep_var_tmp) | 1280 | if (!arg_keep_var_tmp) |
1284 | fs_var_tmp(); | 1281 | fs_var_tmp(); |
1285 | if (!arg_writable_var_log) | 1282 | if (!arg_writable_var_log) |
1286 | fs_var_log(); | 1283 | fs_var_log(); |
1287 | else | 1284 | else |
1288 | fs_rdwr("/var/log"); | 1285 | fs_rdwr("/var/log"); |
1289 | 1286 | ||
1290 | fs_var_lib(); | 1287 | fs_var_lib(); |
1291 | fs_var_cache(); | 1288 | fs_var_cache(); |
1292 | fs_var_utmp(); | 1289 | fs_var_utmp(); |
1293 | fs_machineid(); | 1290 | fs_machineid(); |
1294 | 1291 | ||
1295 | // don't leak user information | 1292 | // don't leak user information |
1296 | restrict_users(); | 1293 | restrict_users(); |
1297 | 1294 | ||
1298 | // when starting as root, firejail config is not disabled; | 1295 | // when starting as root, firejail config is not disabled; |
1299 | if (getuid() != 0) | 1296 | if (getuid() != 0) |
1300 | disable_config(); | 1297 | disable_config(); |
1301 | } | ||
1302 | } | 1298 | } |
1303 | #endif | 1299 | #endif |
1304 | 1300 | ||
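Review bot: The host's /dev is now bind-mounted recursively into every chroot at `mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL)` with the firejail.config switch that used to gate it gone, and nothing in the new code records that this exposure is intentional; a comment above the mount such as `// always bind the host /dev into the chroot (MS_REC pulls in whatever is mounted below it) so video acceleration works; the chroot-desktop config switch that used to gate this was removed` would keep the rationale the deleted config text carried. The same hunk rejects a symlinked `<rootdir>/run` via `is_link(rundir)` before create_empty_dir_as_root, but the `<rootdir>/dev` and `<rootdir>/tmp/.X11-unix` mount targets, which sit under the same user-supplied rootdir, get no such check here; unless fs_check_chroot_dir (outside this hunk) already validates them, the same `is_link` guard should precede each of those mounts. The commented-out `// if (!arg_private_dev)` / `// fs_dev_shm();` lines in the second hunk were carried over unchanged rather than dropped and should be removed while this block is being reshaped. fs_chroot begins before the first hunk and its body continues past the end of the first hunk.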