-rw-r--r-- | etc/firejail-default | 103 | ||||
-rw-r--r-- | src/firecfg/desktop_files.c | 8 | ||||
-rw-r--r-- | src/firejail/cmdline.c | 1 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 11 | ||||
-rw-r--r-- | src/fsec-print/main.c | 3 | ||||
-rw-r--r-- | src/libpostexecseccomp/libpostexecseccomp.c | 2 |
6 files changed, 56 insertions, 72 deletions
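diff --git a/etc/firejail-default b/etc/firejail-default
index 09dc896e6..e05d09468 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -22,42 +22,30 @@ dbus,
 
 ##########
 # With ptrace it is possible to inspect and hijack running programs. Usually this
-# is needed only for debugging. To allow ptrace, uncomment the following line
+# is needed only for debugging. To allow ptrace, uncomment the following line.
 ##########
 #ptrace,
 
 ##########
-# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes
+# Allow read access to whole filesystem and control it from firejail.
 ##########
-/ r,
-/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
-/run/firejail/mnt/oroot/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
+/{,**} rklm,
 
-/{,var/}run/ r,
-/{,var/}run/** r,
-/run/firejail/mnt/oroot/{,var/}run/ r,
-/run/firejail/mnt/oroot/{,var/}run/** r,
-
-owner /{,var/}run/user/[0-9]*/** rw,
-owner /{,var/}run/user/[0-9]*/*.slave-socket rwl,
-owner /{,var/}run/user/[0-9]*/orcexec.* rwkm,
-owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]*/** rw,
-owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]*/*.slave-socket rwl,
-owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]*/orcexec.* rwkm,
+##########
+# Allow write access to paths writable in firejail which aren't used for
+# executing programs. /run, /proc and /sys are handled separately.
+# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes.
+##########
+/{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w,
 
-/{,var/}run/firejail/mnt/fslogger r,
-/{,var/}run/firejail/appimage r,
-/{,var/}run/firejail/appimage/** r,
-/{,var/}run/firejail/appimage/** ix,
-/run/firejail/mnt/oroot/{,var/}run/firejail/mnt/fslogger r,
-/run/firejail/mnt/oroot/{,var/}run/firejail/appimage r,
-/run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** r,
-/run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** ix,
+##########
+# Whitelist writable paths under /run, /proc and /sys.
+##########
+owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w,
+owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/*.slave-socket w,
+owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/orcexec.* w,
 
-/{run,dev}/shm/ r,
-owner /{run,dev}/shm/** rmwk,
-/run/firejail/mnt/oroot/{run,dev}/shm/ r,
-owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
+owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
 
 # Allow logging Firejail blacklist violations to journal
 /{,var/}run/systemd/journal/socket w,
@@ -66,58 +54,41 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 # Needed for wine
 /{,var/}run/firejail/profile/@{PID} w,
 
-##########
-# Allow /proc and /sys read-only access.
-# Blacklisting is controlled from userspace Firejail.
-##########
-/proc/ r,
-/proc/** r,
+# Allow access to cups printing socket.
+/{,var/}run/cups/cups.sock w,
+
+# Needed for firefox sandbox
 /proc/[0-9]*/{uid_map,gid_map,setgroups} w,
-# Uncomment to silence all denied write warnings
-#deny /proc/** w,
+
+# Silence noise
 deny /proc/@{PID}/oom_adj w,
 deny /proc/@{PID}/oom_score_adj w,
 
-/sys/ r,
-/sys/** r,
 # Uncomment to silence all denied write warnings
-#deny /sys/** w,
+#deny /proc/** w,
 
-# Blacklist snapshots
-deny /**/.snapshots/ rwx,
+# Uncomment to silence all denied write warnings
+#deny /sys/** w,
 
 ##########
 # Allow running programs only from well-known system directories. If you need
 # to run programs from your home directory, uncomment /home line.
 ##########
-/lib/** ix,
-/lib64/** ix,
-/bin/** ix,
-/sbin/** ix,
-/usr/bin/** ix,
-/usr/sbin/** ix,
-/usr/local/** ix,
-/usr/lib/** ix,
-/usr/lib64/** ix,
-/usr/games/** ix,
-/opt/** ix,
-#/home/** ix,
-/run/firejail/mnt/oroot/lib/** ix,
-/run/firejail/mnt/oroot/lib64/** ix,
-/run/firejail/mnt/oroot/bin/** ix,
-/run/firejail/mnt/oroot/sbin/** ix,
-/run/firejail/mnt/oroot/usr/bin/** ix,
-/run/firejail/mnt/oroot/usr/sbin/** ix,
-/run/firejail/mnt/oroot/usr/local/** ix,
-/run/firejail/mnt/oroot/usr/lib/** ix,
-/run/firejail/mnt/oroot/usr/lib64/** ix,
-/run/firejail/mnt/oroot/usr/games/** ix,
-/run/firejail/mnt/oroot/opt/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64}/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,
+#/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}home/** ix,
+
+# Appimage support
+/{,run/firejail/mnt/oroot/}{,var/}run/firejail/appimage/** ix,
 
 ##########
-# Allow access to cups printing socket.
+# Blacklist specific sensitive paths.
 ##########
-/run/cups/cups.sock w,
+# Common backup directory
+deny /**/.snapshots/ rwx,
 
 ##########
 # Allow all networking functionality, and control it from Firejail.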
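Review bot: The new write rule `/{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w,` and the new appimage rule `/{,run/firejail/mnt/oroot/}{,var/}run/firejail/appimage/** ix,` both match /var/run/firejail/appimage/**, so on a system where /var/run is a real directory rather than a symlink to /run the same files end up writable and executable, which the section comment ("paths writable in firejail which aren't used for executing programs") says is not intended. When /var/run is the usual symlink the `var/` alternative never matches and the overlap is harmless, but that assumption is not stated anywhere in the profile. A one-line comment next to the appimage rule saying which layout it expects, or dropping the `var/` alternative there if it is only kept for symmetry with the run/user rules, would make the intent checkable. The run/user rules keep the same `{,var/}` duplication but are write-only, so no equivalent overlap arises there.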
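diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c
index 71b39390e..de2b8cfa2 100644
--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@@ -144,6 +144,8 @@ void fix_desktop_files(char *homedir) {
 perror("opendir");
 fprintf(stderr, "Warning: cannot access /usr/share/applications directory, desktop files fixing skipped...\n");
 free(user_apps_dir);
+if (dir)
+closedir(dir);
 return;
 }
 
@@ -266,12 +268,16 @@ void fix_desktop_files(char *homedir) {
 
 if (stat(outname, &sb) == 0) {
 printf(" %s skipped: file exists\n", filename);
+if (change_exec)
+free(change_exec);
 continue;
 }
 
 FILE *fpin = fopen(filename, "r");
 if (!fpin) {
 fprintf(stderr, "Warning: cannot open /usr/share/applications/%s\n", filename);
+if (change_exec)
+free(change_exec);
 continue;
 }
 
@@ -279,6 +285,8 @@ void fix_desktop_files(char *homedir) {
 if (!fpout) {
 fprintf(stderr, "Warning: cannot open ~/.local/share/applications/%s\n", outname);
 fclose(fpin);
+if (change_exec)
+free(change_exec);
 continue;
 }
 fprintf(fpout, "# converted by firecfg\n");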
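Review bot: The three new cleanup sites in the second and third hunks guard `free(change_exec)` with `if (change_exec)`, but `free(NULL)` is a no-op, so `free(change_exec);` on its own is enough and reads as the routine release it is. Repeating the same release before each `continue` also means the next early exit added to this loop can miss it; a single cleanup point at the end of the loop body that every early exit jumps to would keep the fix in one place. fix_desktop_files starts and ends outside these hunks, so where change_exec is allocated and whether any remaining path still leaks it is not visible here.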
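diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c
index ce1e281a5..1fe5a2398 100644
--- a/src/firejail/cmdline.c
+++ b/src/firejail/cmdline.c
@@ -208,4 +208,5 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 
 // free strdup
 free(tmp1);
+free(command_line_tmp);
 }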
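Review bot: The existing comment `// free strdup` now sits above two frees, and nothing in the hunk shows that command_line_tmp came from strdup; if it was produced by a different allocation, the comment misdescribes it. A neutral `// release the temporary copies built above` or a short comment per free would keep the note accurate for the next reader. build_appimage_cmdline begins outside the hunk, so the allocation of command_line_tmp is not visible here.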
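diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 602985b4e..9b68b6753 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -371,10 +371,13 @@ void fs_whitelist(void) {
 
 // resolve macros
 if (is_macro(dataptr)) {
-char *tmp = resolve_macro(dataptr);
-if (tmp != NULL)
-tmp = parse_nowhitelist(nowhitelist_flag, tmp);
-
+char *tmp = resolve_macro(dataptr); // returns allocated mem
+if (tmp != NULL) {
+char *tmp1 = parse_nowhitelist(nowhitelist_flag, tmp);
+assert(tmp1);
+free(tmp);
+tmp = tmp1;
+}
 if (tmp) {
 entry->data = tmp;
 dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10;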
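Review bot: `assert(tmp1);` is the only check on the result of parse_nowhitelist, so in a build with NDEBUG a NULL return flows on as `tmp == NULL`, the following `if (tmp)` block is skipped and the macro-resolved whitelist entry is silently dropped instead of reported. A runtime check that fails loudly in every build, e.g. `if (!tmp1) errExit("parse_nowhitelist");`, keeps the behaviour independent of the build flags; whether parse_nowhitelist can actually return NULL is not visible in the hunk, so the check may be purely defensive. The new `// returns allocated mem` comment is useful; it would be worth saying the same about parse_nowhitelist since the code now relies on both returning owned buffers. fs_whitelist starts and ends outside the hunk.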
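diff --git a/src/fsec-print/main.c b/src/fsec-print/main.c
index 94c60687f..5a1e34080 100644
--- a/src/fsec-print/main.c
+++ b/src/fsec-print/main.c
@@ -74,7 +74,8 @@ printf("\n");
 close(fd);
 return 0;
 errexit:
-close(fd);
+if (fd != -1)
+close(fd);
 fprintf(stderr, "Error: cannot read %s\n", fname);
 exit(1);
 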
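Review bot: The body of the new `if (fd != -1)` is an unbraced single statement immediately followed by the rest of the error path; bracing it, `if (fd != -1) { close(fd); }`, prevents a later edit from silently pulling the fprintf into the condition. The message `Error: cannot read %s` also drops the reason for the failure; if errno is still meaningful when control reaches errexit, including `strerror(errno)` would tell the user why the filter file could not be read, though it would have to be captured before the close() call, which can overwrite errno. The function containing errexit is outside the hunk, so which failures jump here is not visible.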
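diff --git a/src/libpostexecseccomp/libpostexecseccomp.c b/src/libpostexecseccomp/libpostexecseccomp.c
index 0ccb74b10..6d2c8c695 100644
--- a/src/libpostexecseccomp/libpostexecseccomp.c
+++ b/src/libpostexecseccomp/libpostexecseccomp.c
@@ -31,7 +31,7 @@ static void load_seccomp(void) {
 if (fd == -1)
 return;
 
-int size = lseek(fd, 0, SEEK_END);
+off_t size = lseek(fd, 0, SEEK_END);
 unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter);
 struct sock_filter *filter = MAP_FAILED;
 if (size != 0)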
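Review bot: The widened `off_t size` still has no failure check: lseek() returns -1 on error, which the `size != 0` test on the last line accepts as a valid length, and `(unsigned short) size` on the line before truncates it, as it truncates any filter larger than 65535 bytes, before the division; a size that is not a multiple of sizeof(struct sock_filter) silently loses the trailing partial entry. Because this value decides how many filter entries are installed in the sandboxed process, rejecting odd sizes up front is cheap: `if (size <= 0 || size % (off_t)sizeof(struct sock_filter) != 0 || size / (off_t)sizeof(struct sock_filter) > USHRT_MAX) { close(fd); return; }`. Returning mirrors the existing `fd == -1` path, but whether a malformed filter should instead abort rather than leave the process without the post-exec filter is a policy choice for the maintainers. load_seccomp continues past the hunk, so the mapping and close on the remaining paths are not visible here.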