-rw-r--r-- | README | 3 | ||||
-rw-r--r-- | etc/chromium.profile | 1 | ||||
-rw-r--r-- | etc/clementine.profile | 3 | ||||
-rw-r--r-- | etc/disable-common.inc | 3 | ||||
-rw-r--r-- | etc/gnome-calculator.profile | 1 | ||||
-rw-r--r-- | etc/google-chrome.profile | 1 | ||||
-rw-r--r-- | src/floader/README.md | 9 | ||||
-rw-r--r-- | src/floader/loader.c | 161 | ||||
-rw-r--r-- | src/floader/makefile | 7 |
9 files changed, 187 insertions, 2 deletions
@@ -259,6 +259,8 @@ Loïc Damien (https://github.com/dzamlo) | |||
259 | - small fixes | 259 | - small fixes |
260 | maces (https://github.com/maces) | 260 | maces (https://github.com/maces) |
261 | - Franz messenger profile | 261 | - Franz messenger profile |
262 | Madura A (https://github.com/manushanga) | ||
263 | - floader | ||
262 | mahdi1234 (https://github.com/mahdi1234) | 264 | mahdi1234 (https://github.com/mahdi1234) |
263 | - cherrytree profile | 265 | - cherrytree profile |
264 | - Seamonkey profiles | 266 | - Seamonkey profiles |
@@ -388,6 +390,7 @@ SYN-cook (https://github.com/SYN-cook) | |||
388 | - added baloo_file profile | 390 | - added baloo_file profile |
389 | - k3b profile update | 391 | - k3b profile update |
390 | - noexec changes | 392 | - noexec changes |
393 | - gnome-calculator changes | ||
391 | startx2017 (https://github.com/startx2017) | 394 | startx2017 (https://github.com/startx2017) |
392 | - syscall list update | 395 | - syscall list update |
393 | - updated default seccomp filters - added bpf, clock_settime, personality, process_vm_writev, query_module, | 396 | - updated default seccomp filters - added bpf, clock_settime, personality, process_vm_writev, query_module, |
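--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -24,6 +24,7 @@ whitelist ~/.config/chromium-flags.conf
 
 include /etc/firejail/whitelist-common.inc
 
+caps.keep sys_chroot,sys_admin
 ipc-namespace
 netfilter
 nogroups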
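Review bot: `caps.keep sys_chroot,sys_admin` retains CAP_SYS_ADMIN, one of the broadest capabilities the kernel has, yet the hunk gives no reason for it; the same unexplained line is added to etc/google-chrome.profile in this commit. Presumably the browser's own namespace-based sandbox needs these two capabilities, but the profile should say so, because a later reader will otherwise assume the line is a leftover and either remove it (breaking the browser) or copy it into other profiles (weakening them). A comment directly above the line, e.g. `# Needed by the browser's internal sandbox (namespaces); keep this list minimal`, would settle both questions, and naming the browser version this was verified against would help when the requirement changes.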
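--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -12,4 +12,5 @@ caps.drop all
 nonewprivs
 noroot
 protocol unix,inet,inet6
-seccomp
+# Clementine makes ioprio_set system calls, which are blacklisted by default.
+seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old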
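Review bot: The new `seccomp.drop` list on the last line contains `process_vm_writev` twice, which suggests it was assembled by hand from two lists; a duplicate is harmless to the filter but a sign that the list is hard to verify by eye. Carrying a private copy of the default filter minus `ioprio_set` also means this profile will silently fall behind every future change to the default list (the README hunk in this commit shows that list still being extended with new syscalls). A comment stating the provenance, e.g. `# Copy of the default seccomp list minus ioprio_set; re-sync whenever the default list changes.`, would make the maintenance burden explicit, and the duplicate entry should be dropped.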
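--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -6,6 +6,7 @@ include /etc/firejail/disable-common.local
 blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.*_history
 blacklist-nolog ${HOME}/.bash_history
+blacklist-nolog ${HOME}/.local/share/fish/fish_history
 blacklist-nolog ${HOME}/.adobe
 blacklist-nolog ${HOME}/.macromedia
 
@@ -142,6 +143,8 @@ read-only ${HOME}/.zsh_files
 read-only ${HOME}/.tcshrc
 read-only ${HOME}/.cshrc
 read-only ${HOME}/.csh_files
+read-only ${HOME}/.config/fish
+read-only ${HOME}/.local/share/fish
 read-only ${HOME}/.profile
 read-only ${HOME}/.forward
 read-only ${HOME}/.login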
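--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -16,7 +16,6 @@ include /etc/firejail/whitelist-common.inc
 
 #Options
 caps.drop all
-ipc-namespace
 netfilter
 #net none
 no3d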
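Review bot: Dropping `ipc-namespace` relaxes the profile, but the hunk leaves no trace of why it was removed, so the next maintainer cannot tell whether the application broke with it or whether it was an oversight. The file already keeps a disabled option around as a comment (`#net none`), so keeping the line as `#ipc-namespace` with a one-line reason above it, e.g. `# ipc-namespace disabled: <describe the breakage observed>`, would preserve the history and make it easy to re-enable once the underlying issue is fixed.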
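--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -13,6 +13,7 @@ include /etc/firejail/disable-programs.inc
 # include /etc/firejail/disable-devel.inc
 #
 
+caps.keep sys_chroot,sys_admin
 netfilter
 
 whitelist ${DOWNLOADS}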
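--- /dev/null
+++ b/src/floader/README.md
@@ -0,0 +1,9 @@
+READ ME
+-------
+
+* Run 'make'
+* Add comma separated process names to ~/.loader.conf
+* export LD_PRELOAD=<path>./loader.so (ideally to .bashrc)
+* Run any application within shell
+
+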
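--- /dev/null
+++ b/src/floader/loader.c
@@ -0,0 +1,161 @@
+/*
+* Copyright (C) 2017 Madura A. (madura.x86@gmail.com)
+*
+*/
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+
+#define MAX_MATCHES 32
+#define MAX_ARGS 1024
+#define MAX_ARGS_LEN 4096
+static void loader_main() __attribute__((constructor));
+
+char cmdline[MAX_ARGS_LEN];
+char *args[MAX_ARGS];
+char loader[] = "firejail";
+char confFile[256];
+char *names[MAX_MATCHES];
+
+#ifdef DEBUG
+#define DBG printf
+#else
+#define DBG
+#endif
+void remove_trailing_spaces(char *str)
+{
+while (!isspace(*str))
+{
+str++;
+}
+
+while (*str != '\0')
+{
+*str = '\0';
+str++;
+}
+}
+
+void read_cmdline()
+{
+int fd = open("/proc/self/cmdline", O_RDONLY);
+ssize_t ret = 0, total = 0;
+char* wcmdbuf = cmdline;
+while ((ret = read(fd, wcmdbuf, 1)) != 0)
+{
+wcmdbuf++;
+total += ret;
+if (total > MAX_ARGS_LEN)
+{
+printf("Not enough memory\n");
+close(fd);
+return ;
+}
+}
+close(fd);
+}
+
+void make_args()
+{
+int cI = 0, argI=0;
+char* argstart = &cmdline[0];
+for (;cI<MAX_ARGS_LEN;cI++)
+{
+if (cmdline[cI] == '\0')
+{
+args[argI]= argstart;
+argstart = &cmdline[cI+1];
+argI++;
+if (*argstart == '\0')
+{
+break;
+}
+}
+}
+args[argI] = argstart;
+argI++;
+args[argI] = NULL;
+}
+
+void loader_main()
+{
+snprintf(confFile, 255, "%s/.loader.conf", getenv("HOME"));
+
+struct stat confFileStat;
+
+stat(confFile, &confFileStat);
+
+int confFd = open(confFile, O_RDONLY);
+
+if (confFd == -1)
+{
+close(confFd);
+return;
+}
+char* conf = (char*) malloc(confFileStat.st_size);
+if (conf == NULL)
+{
+close(confFd);
+return;
+}
+ssize_t ret = read(confFd, conf, confFileStat.st_size);
+if (ret == -1)
+{
+close(confFd);
+return;
+}
+
+close(confFd);
+size_t fI = 0;
+int matchId = 0;
+names[matchId] = conf;
+matchId++;
+for (;fI < confFileStat.st_size-1;fI++)
+{
+if (conf[fI] == ',')
+{
+names[matchId] = &conf[fI+1];
+conf[fI] = '\0';
+
+matchId++;
+}
+}
+
+remove_trailing_spaces(names[matchId-1]);
+
+read_cmdline();
+
+make_args();
+
+#ifdef DEBUG
+int xarg=0;
+while (args[xarg] != NULL)
+{
+DBG(".%s\n", args[xarg]);
+xarg++;
+}
+#endif
+
+int x;
+
+for (x = 0;x<matchId;x++)
+{
+DBG("%s\n",names[x]);
+if (strstr(args[0], names[x]) != NULL)
+{
+DBG("highjack!\n");
+
+free(conf);
+
+execvp(loader, args );
+}
+}
+
+}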
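Review bot: The configuration buffer is never NUL-terminated — `conf` is allocated with exactly `st_size` bytes and filled by read(), yet `remove_trailing_spaces()` and `strstr()` treat the entries as C strings, so both scan past the allocation whenever the file does not end in whitespace; the `stat()` result is also unchecked, a NULL `HOME` is passed to `%s`, and a zero-length file makes `st_size-1` wrap. `read_cmdline()` spins forever when read() returns -1 (the loop only stops on 0) and checks the size after the byte has been written, so the 4097th byte lands outside `cmdline`; `make_args()` appends an extra empty argument after the `break` and bounds neither `argI` against MAX_ARGS nor, in `loader_main`, `matchId` against MAX_MATCHES. Two smaller issues sit in the match loop: an empty entry (trailing comma or newline) matches every program because strstr() with an empty needle is never NULL, and `free(conf)` before `execvp()` means a failed exec continues the loop over freed `names[]`, so `if (names[x][0] == '\0') continue;` at the top of the loop and moving the free after the loop fix both. The rewrite below terminates the buffer, checks getenv()/stat()/empty files, bounds the split, truncates at the first whitespace without running past the terminator, and makes the cmdline read stop on error while keeping room for the double NUL that `make_args()` stops on; the debug dump and the match loop with execvp() are left as they are. The design also appears to rely on two properties that deserve a header comment: that firejail derives the program to sandbox from `argv[0]`, and that the dynamic loader ignores LD_PRELOAD for the (presumably setuid) firejail binary, since otherwise this constructor would run again inside firejail and re-exec it.
```c
void remove_trailing_spaces(char *str)
{
	/* truncate at the first whitespace, stopping at the terminator too */
	while (*str != '\0' && !isspace((unsigned char)*str))
		str++;
	*str = '\0';
}

void read_cmdline()
{
	int fd = open("/proc/self/cmdline", O_RDONLY);
	if (fd == -1)
		return;
	ssize_t total = 0;
	/* keep two bytes free: make_args() stops on "\0\0" */
	while (total < MAX_ARGS_LEN - 2) {
		ssize_t ret = read(fd, cmdline + total, MAX_ARGS_LEN - 2 - total);
		if (ret <= 0)
			break;          /* EOF or error: never spin on -1 */
		total += ret;
	}
	close(fd);
	if (total >= MAX_ARGS_LEN - 2) {
		printf("Not enough memory\n");
		total = 0;      /* an empty cmdline is safer than a truncated one */
	}
	cmdline[total] = '\0';
	cmdline[total + 1] = '\0';
}

// … unchanged: make_args() …

void loader_main()
{
	const char *home = getenv("HOME");
	if (home == NULL)
		return;                 /* "%s" with a NULL argument is undefined */
	snprintf(confFile, sizeof confFile, "%s/.loader.conf", home);

	struct stat confFileStat;
	if (stat(confFile, &confFileStat) == -1 || confFileStat.st_size <= 0)
		return;                 /* no config, or nothing to match against */

	int confFd = open(confFile, O_RDONLY);
	if (confFd == -1)
		return;
	/* one extra byte: the entries are handed to strstr() as C strings */
	char *conf = malloc((size_t)confFileStat.st_size + 1);
	if (conf == NULL) {
		close(confFd);
		return;
	}
	ssize_t ret = read(confFd, conf, (size_t)confFileStat.st_size);
	close(confFd);
	if (ret <= 0) {
		free(conf);
		return;
	}
	conf[ret] = '\0';

	int matchId = 0;
	names[matchId++] = conf;
	/* split on ','; &conf[fI + 1] is at most the terminator written above */
	for (ssize_t fI = 0; fI < ret && matchId < MAX_MATCHES; fI++) {
		if (conf[fI] == ',') {
			conf[fI] = '\0';
			names[matchId++] = &conf[fI + 1];
		}
	}
	remove_trailing_spaces(names[matchId - 1]);

	// … unchanged: read_cmdline(), make_args(), debug dump, match loop with execvp() …
}
```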
diff --git a/src/floader/makefile b/src/floader/makefile new file mode 100644 index 000000000..0de6a3138 --- /dev/null +++ b/src/floader/makefile | |||
@@ -0,0 +1,7 @@ | |||
1 | all: | ||
2 | gcc -ggdb -shared -fPIC loader.c -o loader.so | ||
3 | |||
4 | debug: | ||
5 | gcc -ggdb -shared -DDEBUG -fPIC loader.c -o loader.so | ||
6 | |||
7 | |||
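Review bot: Both recipes hard-code `gcc` and compile without any warning flags, which hides exactly the kind of problems present in loader.c, such as the empty `DBG` macro leaving bare comma expressions behind and the signed/unsigned comparison `fI < confFileStat.st_size-1` in `loader_main`. Declaring `CC ?= cc` and `CFLAGS ?= -Wall -Wextra -ggdb -fPIC` at the top and writing the recipes as `$(CC) $(CFLAGS) -shared loader.c -o loader.so` (with `-DDEBUG` appended for `debug`) would surface them on every build. `all` and `debug` do not produce files of their own name, so `.PHONY: all debug` is needed, and a `clean` target that removes loader.so is customary.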