-rw-r--r-- | README | 4 | ||||
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | etc/disable-common.inc | 12 | ||||
-rw-r--r-- | etc/disable-programs.inc | 2 | ||||
-rw-r--r-- | etc/firefox.profile | 2 | ||||
-rw-r--r-- | etc/firejail.config | 4 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 9 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 34 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 14 | ||||
-rw-r--r-- | src/include/syscall.h | 34 |
11 files changed, 95 insertions, 22 deletions
@@ -351,6 +351,10 @@ SYN-cook (https://github.com/SYN-cook) | |||
351 | - Engrampa profile | 351 | - Engrampa profile |
352 | - Scribus profile | 352 | - Scribus profile |
353 | - autostart blacklist for KDE | 353 | - autostart blacklist for KDE |
354 | - blacklist startup scripts | ||
355 | startx2017 (https://github.com/startx2017) | ||
356 | - syscall list update | ||
357 | - enable/disable join support in /etc/firejail/firejail.config | ||
354 | thewisenerd (https://github.com/thewisenerd) | 358 | thewisenerd (https://github.com/thewisenerd) |
355 | - allow multiple private-home commands | 359 | - allow multiple private-home commands |
356 | - use $SHELL variable if the shell is not specified | 360 | - use $SHELL variable if the shell is not specified |
@@ -37,6 +37,7 @@ firejail (0.9.45) baseline; urgency=low | |||
37 | * feature: allow tmpfs for regular users for files in home directory | 37 | * feature: allow tmpfs for regular users for files in home directory |
38 | * feature: mount a tmpfs on top of ~/.cache directory by default | 38 | * feature: mount a tmpfs on top of ~/.cache directory by default |
39 | * feature: config support to disable tmpfs mounting on ~/.cache (cache-tmpfs) | 39 | * feature: config support to disable tmpfs mounting on ~/.cache (cache-tmpfs) |
40 | * feature: config support to disable join (join) | ||
40 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, | 41 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, |
41 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, | 42 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, |
42 | * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, | 43 | * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, |
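--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -7,19 +7,27 @@ blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.*_history
 blacklist-nolog ${HOME}/.bash_history
 blacklist ${HOME}/.local/share/systemd
+blacklist ${HOME}/.config/systemd
 blacklist-nolog ${HOME}/.adobe
 blacklist-nolog ${HOME}/.macromedia
 read-only ${HOME}/.local/share/applications
 
 # X11 session autostart
 blacklist ${HOME}/.xinitrc
+blacklist ${HOME}/.xserverrc
+blacklist /etc/X11/Xsession.d/
+blacklist ${HOME}/.Xsession
+blacklist ${HOME}/.xsession
+blacklist ${HOME}/.xsessionrc
 blacklist ${HOME}/.xprofile
+blacklist ${HOME}/.gnomerc
 blacklist ${HOME}/.config/autostart
 blacklist /etc/xdg/autostart
 blacklist ${HOME}/.kde4/Autostart
 blacklist ${HOME}/.kde4/share/autostart
 blacklist ${HOME}/.kde/Autostart
 blacklist ${HOME}/.kde/share/autostart
+blacklist ${HOME}/.local/share/autostart
 blacklist ${HOME}/.config/autostart-scripts
 blacklist ${HOME}/.config/plasma-workspace/shutdown
 blacklist ${HOME}/.config/plasma-workspace/env
@@ -27,8 +35,6 @@ blacklist ${HOME}/.config/lxsession/LXDE/autostart
 blacklist ${HOME}/.fluxbox/startup
 blacklist ${HOME}/.config/openbox/autostart
 blacklist ${HOME}/.config/openbox/environment
-blacklist ${HOME}/.gnomerc
-blacklist /etc/X11/Xsession.d/
 # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
 
 # VirtualBox
@@ -78,8 +84,6 @@ blacklist /etc/rc.local
 blacklist /etc/anacrontab
 
 # Startup files
-read-only ${HOME}/.xinitrc
-read-only ${HOME}/.xserverrc
 read-only ${HOME}/.antigen
 read-only ${HOME}/.bash_login
 read-only ${HOME}/.bashrc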
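--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -42,8 +42,6 @@ blacklist ${HOME}/.config/ardour5
 blacklist ${HOME}/.config/arkrc
 blacklist ${HOME}/.config/atril
 blacklist ${HOME}/.config/audacious
-blacklist ${HOME}/.config/autostart
-blacklist ${HOME}/.config/autostart/dropbox.desktop
 blacklist ${HOME}/.config/aweather
 blacklist ${HOME}/.config/blender
 blacklist ${HOME}/.config/bless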
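--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -51,4 +51,4 @@ include /etc/firejail/whitelist-common.inc
 #private-bin firefox,which,sh,dbus-launch,dbus-send,env
 #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
 private-dev
-#private-tmp
+private-tmp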
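--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -43,6 +43,10 @@
 # that is partially under their control. Default disabled.
 # force-nonewprivs no
 
+# Allow sandbox joining as a regular user, default enabled.
+# root user can always join sandboxes.
+# join yes
+
 # Enable or disable networking features, default enabled.
 # network yes
 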
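--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -92,6 +92,15 @@ int checkcfg(int val) {
 else
 goto errout;
 }
+// join
+else if (strncmp(ptr, "join ", 5) == 0) {
+if (strcmp(ptr + 5, "yes") == 0)
+cfg_val[CFG_JOIN] = 1;
+else if (strcmp(ptr + 5, "no") == 0)
+cfg_val[CFG_JOIN] = 0;
+else
+goto errout;
+}
 // x11
 else if (strncmp(ptr, "x11 ", 4) == 0) {
 if (strcmp(ptr + 4, "yes") == 0)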
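Review bot: The new `join` branch only writes cfg_val[CFG_JOIN] when the key is present in the config file, so the documented default (`join yes`, with main.c refusing --join for non-root users when checkcfg(CFG_JOIN) is 0) depends on how checkcfg initialises cfg_val, which is outside this hunk; confirm CFG_JOIN starts at 1 there (if defaults are filled by a loop up to CFG_MAX, placing CFG_JOIN before CFG_MAX in firejail.h is sufficient). The branch is a verbatim copy of the `x11` handler with a different key, and `// join` alone does not say what the knob is for; a comment such as `// join: allow regular users to join a running sandbox (root may always join, see main.c)` would. checkcfg's body continues on both sides of the hunk.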
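--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -686,6 +686,7 @@ enum {
 CFG_FOLLOW_SYMLINK_PRIVATE_BIN,
 CFG_DISABLE_MNT,
 CFG_CACHE_TMPFS,
+CFG_JOIN,
 CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;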
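--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -615,23 +615,27 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 }
 #endif
 else if (strncmp(argv[i], "--join=", 7) == 0) {
-logargs(argc, argv);
-
-if (arg_shell_none) {
-if (argc <= (i+1)) {
-fprintf(stderr, "Error: --shell=none set, but no command specified\n");
-exit(1);
-}
-cfg.original_program_index = i + 1;
-}
-
-if (!cfg.shell && !arg_shell_none)
-cfg.shell = guess_shell();
-
-// join sandbox by pid or by name
-pid_t pid = read_pid(argv[i] + 7);
-join(pid, argc, argv, i + 1);
-exit(0);
+if (checkcfg(CFG_JOIN) || getuid() == 0) {
+logargs(argc, argv);
+
+if (arg_shell_none) {
+if (argc <= (i+1)) {
+fprintf(stderr, "Error: --shell=none set, but no command specified\n");
+exit(1);
+}
+cfg.original_program_index = i + 1;
+}
+
+if (!cfg.shell && !arg_shell_none)
+cfg.shell = guess_shell();
+
+// join sandbox by pid or by name
+pid_t pid = read_pid(argv[i] + 7);
+join(pid, argc, argv, i + 1);
+exit(0);
+}
+else
+exit_err_feature("join");
 
 }
 else if (strncmp(argv[i], "--join-or-start=", 16) == 0) {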
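Review bot: The gate `checkcfg(CFG_JOIN) || getuid() == 0` is applied only to the `--join=` branch; the `--join-or-start=` branch that begins on the hunk's last line also joins an existing sandbox, and any other join-style option handled elsewhere in run_cmd_and_exit would presumably be affected too, so unless those carry the same check a user can sidestep `join no` simply by using a different spelling of the option. Consider applying the check once as a guard at the top of each joining branch, `if (!checkcfg(CFG_JOIN) && getuid() != 0) exit_err_feature("join");`, which also avoids re-indenting the whole block and keeps the original statements as unchanged lines in the diff. The enclosing function run_cmd_and_exit starts before the hunk and continues after it.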
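--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -742,6 +742,20 @@ int sandbox(void* sandbox_arg) {
 else {
 // private-tmp is implemented as a whitelist
 EUID_USER();
+// check XAUTHORITY file, KDE keeps it under /tmp
+char *xauth = getenv("XAUTHORITY");
+if (xauth) {
+char *rp = realpath(xauth, NULL);
+if (rp && strncmp(rp, "/tmp/", 5) == 0) {
+char *cmd;
+if (asprintf(&cmd, "whitelist %s", rp) == -1)
+errExit("asprintf");
+profile_add(cmd); // profile_add does not duplicate the string
+}
+if (rp)
+free(rp);
+}
+// whitelist x11 directory
 profile_add("whitelist /tmp/.X11-unix");
 EUID_ROOT();
 }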
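Review bot: The whitelist entry built from XAUTHORITY is driven by an environment variable the user controls, and the only validation is the `/tmp/` prefix of the canonical path; that looks acceptable because realpath() runs after EUID_USER() and a whitelist presumably exposes the file with its own ownership and modes, but the assumption is nowhere stated, so a comment such as `// XAUTHORITY is user-controlled: only its canonical /tmp/ location is checked; the whitelist keeps the file's own permissions` belongs above the getenv call. A realpath() failure (missing file, permission denied) is silently skipped, which is fine as best effort, though a message under the debug flag would help users whose X session stops working once private-tmp is enabled, as the firefox profile now does. Minor: `if (rp) free(rp);` can be just `free(rp);` since free(NULL) is a no-op. The enclosing function sandbox starts before the hunk and continues after it.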
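--- a/src/include/syscall.h
+++ b/src/include/syscall.h
@@ -1076,6 +1076,11 @@
 {"preadv", __NR_preadv},
 #endif
 #endif
+#ifdef SYS_preadv2
+#ifdef __NR_preadv2
+{"preadv2", __NR_preadv2},
+#endif
+#endif
 #ifdef SYS_prlimit64
 #ifdef __NR_prlimit64
 {"prlimit64", __NR_prlimit64},
@@ -1126,6 +1131,11 @@
 {"pwritev", __NR_pwritev},
 #endif
 #endif
+#ifdef SYS_pwritev2
+#ifdef __NR_pwritev2
+{"pwritev2", __NR_pwritev2},
+#endif
+#endif
 #ifdef SYS_query_module
 #ifdef __NR_query_module
 {"query_module", __NR_query_module},
@@ -1892,6 +1902,7 @@
 #endif
 #endif
 #endif
+//#endif
 #if defined __x86_64__ && defined __LP64__
 #ifdef SYS__sysctl
 #ifdef __NR__sysctl
@@ -2828,6 +2839,11 @@
 {"preadv", __NR_preadv},
 #endif
 #endif
+#ifdef SYS_preadv2
+#ifdef __NR_preadv2
+{"preadv2", __NR_preadv2},
+#endif
+#endif
 #ifdef SYS_prlimit64
 #ifdef __NR_prlimit64
 {"prlimit64", __NR_prlimit64},
@@ -2868,6 +2884,11 @@
 {"pwritev", __NR_pwritev},
 #endif
 #endif
+#ifdef SYS_pwritev2
+#ifdef __NR_pwritev2
+{"pwritev2", __NR_pwritev2},
+#endif
+#endif
 #ifdef SYS_query_module
 #ifdef __NR_query_module
 {"query_module", __NR_query_module},
@@ -3529,6 +3550,7 @@
 #endif
 #endif
 #endif
+//#endif
 #if defined __x86_64__ && defined __ILP32__
 #ifdef SYS_accept
 #ifdef __NR_accept
@@ -4430,6 +4452,11 @@
 {"preadv", __NR_preadv},
 #endif
 #endif
+#ifdef SYS_preadv2
+#ifdef __NR_preadv2
+{"preadv2", __NR_preadv2},
+#endif
+#endif
 #ifdef SYS_prlimit64
 #ifdef __NR_prlimit64
 {"prlimit64", __NR_prlimit64},
@@ -4470,6 +4497,11 @@
 {"pwritev", __NR_pwritev},
 #endif
 #endif
+#ifdef SYS_pwritev2
+#ifdef __NR_pwritev2
+{"pwritev2", __NR_pwritev2},
+#endif
+#endif
 #ifdef SYS_quotactl
 #ifdef __NR_quotactl
 {"quotactl", __NR_quotactl},
@@ -5111,3 +5143,5 @@
 #endif
 #endif
 #endif
+//#endif
+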
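Review bot: The three added `//#endif` lines (new 1905, 3553 and 5146) are commented-out preprocessor directives that do nothing and invite the next reader to suspect an unbalanced #if block; they should be dropped, and if this header is produced by a script the fix belongs in the generator rather than in its output. The `preadv2`/`pwritev2` entries follow the existing `#ifdef SYS_x`/`#ifdef __NR_x` pattern and look fine. The last hunk also adds a trailing blank line at the end of the file.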