-rw-r--r-- | RELNOTES | 2 | ||||
-rw-r--r-- | etc/disable-mgmt.inc | 3 | ||||
-rw-r--r-- | src/firejail/fs.c | 19 | ||||
-rwxr-xr-x | test/configure | 2 | ||||
-rwxr-xr-x | test/features/1.1.exp | 4 | ||||
-rwxr-xr-x | test/features/1.5.exp | 4 | ||||
-rwxr-xr-x | test/features/1.6.exp | 4 | ||||
-rwxr-xr-x | test/features/1.7.exp | 4 | ||||
-rwxr-xr-x | test/features/1.8.exp | 38 | ||||
-rwxr-xr-x | test/features/test.sh | 10 |
10 files changed, 63 insertions, 27 deletions
@@ -6,6 +6,8 @@ firejail (0.9.35) baseline; urgency=low | |||
6 | /etc/passwd and /etc/group | 6 | /etc/passwd and /etc/group |
7 | * added /etc/firejail/nolocal.net network filter | 7 | * added /etc/firejail/nolocal.net network filter |
8 | * added /etc/firejail/webserver.net network filter | 8 | * added /etc/firejail/webserver.net network filter |
9 | * manipulation of firejail configuration disabled by default | ||
10 | * added automated feature testing framework | ||
9 | * bugfixes | 11 | * bugfixes |
10 | -- netblue30 <netblue30@yahoo.com> ongoing development | 12 | -- netblue30 <netblue30@yahoo.com> ongoing development |
11 | 13 | ||
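--- a/etc/disable-mgmt.inc
+++ b/etc/disable-mgmt.inc
@@ -14,6 +14,3 @@ blacklist ${PATH}/xev
 blacklist ${PATH}/strace
 blacklist ${PATH}/nc
 
-# Prevent manipulation of firejail configuration
-blacklist /etc/firejail
-blacklist ${HOME}/.config/firejail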
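--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -552,6 +552,19 @@ void fs_proc_sys_dev_boot(void) {
 }
 }
 
+// disable firejail configuration in /etc/firejail and in ~/.config/firejail
+static void disable_firejail_config(void) {
+struct stat s;
+if (stat("/etc/firejail", &s) == 0)
+disable_file(BLACKLIST_FILE, "/etc/firejail");
+
+char *fname;
+if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1)
+errExit("asprintf");
+disable_file(BLACKLIST_FILE, fname);
+free(fname);
+}
+
 
 // build a basic read-only filesystem
 void fs_basic_fs(void) {
@@ -577,6 +590,8 @@ void fs_basic_fs(void) {
 
 // don't leak user information
 restrict_users();
+
+disable_firejail_config();
 }
 
 
@@ -723,6 +738,8 @@ void fs_overlayfs(void) {
 // don't leak user information
 restrict_users();
 
+disable_firejail_config();
+
 // cleanup and exit
 free(option);
 free(oroot);
@@ -846,6 +863,8 @@ void fs_chroot(const char *rootdir) {
 
 // don't leak user information
 restrict_users();
+
+disable_firejail_config();
 }
 #endif
 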
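Review bot: In `disable_firejail_config` the two paths are handled differently: `/etc/firejail` is blacklisted only when `stat()` succeeds, while the `~/.config/firejail` path is passed to `disable_file` unconditionally, and `cfg.homedir` is formatted with `%s` without a NULL check (a NULL argument there is undefined behaviour). Whether `cfg.homedir` can be unset at this point, and how `disable_file` treats a path that does not exist, is not visible in these hunks, so a guard such as `if (cfg.homedir == NULL) return;` before the `asprintf` call would make the assumption explicit. Since the same commit removes the matching `blacklist` lines from etc/disable-mgmt.inc, this helper appears to become the only place the protection is applied. The comment above it should therefore say that every filesystem setup path must call it and why the `stat()` guard exists for one path only. The three call sites are in `fs_basic_fs`, `fs_overlayfs` and `fs_chroot`, whose bodies start outside the hunks, so it cannot be confirmed from here that no other setup path skips the call.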
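--- a/test/configure
+++ b/test/configure
@@ -26,6 +26,8 @@ DEFAULT_FILES+=" /bin/cp /bin/ls /bin/cat /bin/ps /bin/grep /usr/bin/id /usr/bin
 
 rm -fr $ROOTDIR
 mkdir -p $ROOTDIR/{root,bin,lib,lib64,usr,home,etc,dev/shm,tmp,var/run,var/tmp,var/lock,var/log,proc}
+mkdir -p $ROOTDIR/etc/firejail
+mkdir -p $ROOTDIR/home/netblue/.config/firejail
 touch $ROOTDIR/var/log/syslog
 touch $ROOTDIR/var/tmp/somefile
 SORTED=`for FILE in $* $DEFAULT_FILES; do echo " $FILE "; ldd $FILE | grep -v dynamic | cut -d " " -f 3; done | sort -u`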
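Review bot: The added `mkdir -p $ROOTDIR/home/netblue/.config/firejail` hard-codes one user name, so the chroot part of test 1.8 (`ls ~/.config/firejail` expecting "Permission denied") presumably passes only when the suite runs as `netblue`. Deriving the fixture path from the invoking user, for example `mkdir -p "$ROOTDIR$HOME/.config/firejail"`, would keep it in step with what `~` expands to inside the sandbox. How the home directory is resolved inside the chroot is not visible in this hunk, so this should be checked against the account data copied into `$ROOTDIR`.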
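--- a/test/features/1.1.exp
+++ b/test/features/1.1.exp
@@ -51,14 +51,14 @@ sleep 1
 #
 send -- "firejail --noprofile --chroot=/tmp/chroot\r"
 expect {
-timeout {puts "TESTING ERROR 3\n";exit}
+timeout {puts "TESTING ERROR 4\n";exit}
 "Child process initialized"
 }
 sleep 1
 
 send -- "ls -l /boot | wc -l\r"
 expect {
-timeout {puts "TESTING ERROR 4\n";exit}
+timeout {puts "TESTING ERROR 5\n";exit}
 "1"
 }
 after 100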
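--- a/test/features/1.5.exp
+++ b/test/features/1.5.exp
@@ -51,14 +51,14 @@ sleep 1
 #
 send -- "firejail --noprofile --chroot=/tmp/chroot\r"
 expect {
-timeout {puts "TESTING ERROR 3\n";exit}
+timeout {puts "TESTING ERROR 4\n";exit}
 "Child process initialized"
 }
 sleep 1
 
 send -- "ps aux | wc -l \r"
 expect {
-timeout {puts "TESTING ERROR 4\n";exit}
+timeout {puts "TESTING ERROR 5\n";exit}
 "5"
 }
 after 100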
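--- a/test/features/1.6.exp
+++ b/test/features/1.6.exp
@@ -51,14 +51,14 @@ sleep 1
 #
 send -- "firejail --noprofile --chroot=/tmp/chroot\r"
 expect {
-timeout {puts "TESTING ERROR 3\n";exit}
+timeout {puts "TESTING ERROR 4\n";exit}
 "Child process initialized"
 }
 sleep 1
 
 send -- "ls -l /var/log/syslog | wc -l\r"
 expect {
-timeout {puts "TESTING ERROR 4\n";exit}
+timeout {puts "TESTING ERROR 5\n";exit}
 "0"
 }
 after 100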
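--- a/test/features/1.7.exp
+++ b/test/features/1.7.exp
@@ -53,14 +53,14 @@ sleep 1
 #
 send -- "firejail --noprofile --chroot=/tmp/chroot\r"
 expect {
-timeout {puts "TESTING ERROR 3\n";exit}
+timeout {puts "TESTING ERROR 4\n";exit}
 "Child process initialized"
 }
 sleep 1
 
 send -- "ls -l /var/tmp/somefile | wc -l\r"
 expect {
-timeout {puts "TESTING ERROR 4\n";exit}
+timeout {puts "TESTING ERROR 5\n";exit}
 "0"
 }
 after 100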
diff --git a/test/features/1.8.exp b/test/features/1.8.exp index 514dd3b81..aefe9d8c5 100755 --- a/test/features/1.8.exp +++ b/test/features/1.8.exp | |||
@@ -10,7 +10,6 @@ match_max 100000 | |||
10 | # | 10 | # |
11 | # N | 11 | # N |
12 | # | 12 | # |
13 | send -- "touch /var/tmp/somefile\r" | ||
14 | sleep 1 | 13 | sleep 1 |
15 | send -- "firejail --noprofile\r" | 14 | send -- "firejail --noprofile\r" |
16 | expect { | 15 | expect { |
@@ -19,10 +18,16 @@ expect { | |||
19 | } | 18 | } |
20 | sleep 1 | 19 | sleep 1 |
21 | 20 | ||
22 | send -- "ls -l /var/tmp/somefile | wc -l\r" | 21 | send -- "ls /etc/firejail\r" |
23 | expect { | 22 | expect { |
24 | timeout {puts "TESTING ERROR 1\n";exit} | 23 | timeout {puts "TESTING ERROR 1\n";exit} |
25 | "0" | 24 | "Permission denied" |
25 | } | ||
26 | after 100 | ||
27 | send -- "ls ~/.config/firejail\r" | ||
28 | expect { | ||
29 | timeout {puts "TESTING ERROR 1.1\n";exit} | ||
30 | "Permission denied" | ||
26 | } | 31 | } |
27 | after 100 | 32 | after 100 |
28 | send -- "exit\r" | 33 | send -- "exit\r" |
@@ -38,13 +43,19 @@ expect { | |||
38 | "Child process initialized" | 43 | "Child process initialized" |
39 | } | 44 | } |
40 | sleep 1 | 45 | sleep 1 |
41 | 46 | send -- "ls /etc/firejail\r" | |
42 | send -- "ls -l /var/tmp/somefile | wc -l\r" | ||
43 | expect { | 47 | expect { |
44 | timeout {puts "TESTING ERROR 3\n";exit} | 48 | timeout {puts "TESTING ERROR 3\n";exit} |
45 | "0" | 49 | "Permission denied" |
46 | } | 50 | } |
47 | after 100 | 51 | after 100 |
52 | send -- "ls ~/.config/firejail\r" | ||
53 | expect { | ||
54 | timeout {puts "TESTING ERROR 3.1\n";exit} | ||
55 | "Permission denied" | ||
56 | } | ||
57 | after 100 | ||
58 | |||
48 | send -- "exit\r" | 59 | send -- "exit\r" |
49 | sleep 1 | 60 | sleep 1 |
50 | 61 | ||
@@ -53,15 +64,20 @@ sleep 1 | |||
53 | # | 64 | # |
54 | send -- "firejail --noprofile --chroot=/tmp/chroot\r" | 65 | send -- "firejail --noprofile --chroot=/tmp/chroot\r" |
55 | expect { | 66 | expect { |
56 | timeout {puts "TESTING ERROR 3\n";exit} | 67 | timeout {puts "TESTING ERROR 4\n";exit} |
57 | "Child process initialized" | 68 | "Child process initialized" |
58 | } | 69 | } |
59 | sleep 1 | 70 | sleep 1 |
60 | 71 | send -- "ls /etc/firejail\r" | |
61 | send -- "ls -l /var/tmp/somefile | wc -l\r" | ||
62 | expect { | 72 | expect { |
63 | timeout {puts "TESTING ERROR 4\n";exit} | 73 | timeout {puts "TESTING ERROR 5\n";exit} |
64 | "0" | 74 | "Permission denied" |
75 | } | ||
76 | after 100 | ||
77 | send -- "ls ~/.config/firejail\r" | ||
78 | expect { | ||
79 | timeout {puts "TESTING ERROR 5.1\n";exit} | ||
80 | "Permission denied" | ||
65 | } | 81 | } |
66 | after 100 | 82 | after 100 |
67 | send -- "exit\r" | 83 | send -- "exit\r" |
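Review bot: The non-chroot sessions in this script expect "Permission denied" from `ls /etc/firejail` and `ls ~/.config/firejail`, but nothing visible in this commit creates those directories on the host; test/configure only adds them under the chroot fixture. If `~/.config/firejail` is absent for the test user, `ls` would likely report a missing path rather than a denial, and the run would end in "TESTING ERROR 1.1" or "3.1" for a reason unrelated to the blacklist. This is hedged because `disable_file`'s handling of missing paths is not shown. Creating the directory before the first `firejail` invocation, e.g. `send -- "mkdir -p ~/.config/firejail\r"`, or stating the precondition in a comment at the top of the script would make a failure here easier to interpret.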
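--- a/test/features/test.sh
+++ b/test/features/test.sh
@@ -4,13 +4,13 @@
 # Feature testing
 #
 
-echo "TESTING: 1.1. new /boot"
+echo "TESTING: 1.1 new /boot"
 ./1.1.exp
 
-echo "TESTING: 1.2. new /proc"
+echo "TESTING: 1.2 new /proc"
 ./1.2.exp
 
-echo "TESTING: 1.5. PID namespace"
+echo "TESTING: 1.5 PID namespace"
 ./1.5.exp
 
 echo "TESTING: 1.6 new /var/log"
@@ -19,6 +19,6 @@ echo "TESTING: 1.6 new /var/log"
 echo "TESTING: 1.7 new /var/tmp"
 ./1.7.exp
 
-#echo "TESTING: "
-#./1..exp
+echo "TESTING: 1.8 disable /etc/firejail and ~/.config/firejail"
+./1.8.exp
 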