-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | src/bash_completion/firejail.bash_completion | 4 | ||||
-rw-r--r-- | src/firejail/firejail.h | 4 | ||||
-rw-r--r-- | src/firejail/fs.c | 39 | ||||
-rw-r--r-- | src/firejail/fs_rdwr.c | 3 | ||||
-rw-r--r-- | src/firejail/main.c | 2 | ||||
-rw-r--r-- | src/firejail/profile.c | 12 | ||||
-rw-r--r-- | src/man/firejail.txt | 17 | ||||
-rw-r--r-- | todo | 2 |
9 files changed, 60 insertions, 24 deletions
@@ -1,6 +1,7 @@ | |||
1 | firejail (0.9.41) baseline; urgency=low | 1 | firejail (0.9.41) baseline; urgency=low |
2 | * work in progress... | 2 | * work in progress... |
3 | * deprecated --user option, please use "sudo -u username firejail" instead | 3 | * deprecated --user option, please use "sudo -u username firejail" instead |
4 | * --read-write opton rework | ||
4 | * AppImage support (--appimage) | 5 | * AppImage support (--appimage) |
5 | * Sandbox auditing support (--audit) | 6 | * Sandbox auditing support (--audit) |
6 | * remove environment variable (--rmenv) | 7 | * remove environment variable (--rmenv) |
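--- a/src/bash_completion/firejail.bash_completion
+++ b/src/bash_completion/firejail.bash_completion
@@ -47,6 +47,10 @@ _firejail()
 _filedir
 return 0
 ;;
+--read-write)
+_filedir
+return 0
+;;
 --bind)
 _filedir
 return 0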
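--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -584,10 +584,6 @@ extern char *xephyr_screen;
 extern char *xephyr_extra_params;
 int checkcfg(int val);
 
-// fs_rdwr.c
-void fs_rdwr_add(const char *path);
-void fs_rdwr(void);
-
 // appimage.c
 void appimage_set(const char *appimage_path);
 void appimage_clear(void);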
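--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -27,6 +27,8 @@
 #include <fcntl.h>
 #include <errno.h>
 
+static void fs_rdwr(const char *dir);
+
 static void create_empty_dir(void) {
 struct stat s;
 
@@ -229,6 +231,7 @@ typedef enum {
 MOUNT_READONLY,
 MOUNT_TMPFS,
 MOUNT_NOEXEC,
+MOUNT_RDWR,
 OPERATION_MAX
 } OPERATION;
 
@@ -331,6 +334,12 @@ static void disable_file(OPERATION op, const char *filename) {
 fs_rdonly(fname);
 // todo: last_disable = SUCCESSFUL;
 }
+else if (op == MOUNT_RDWR) {
+if (arg_debug)
+printf("Mounting read-only %s\n", fname);
+fs_rdwr(fname);
+// todo: last_disable = SUCCESSFUL;
+}
 else if (op == MOUNT_NOEXEC) {
 if (arg_debug)
 printf("Mounting noexec %s\n", fname);
@@ -492,6 +501,10 @@ void fs_blacklist(void) {
 ptr = entry->data + 10;
 op = MOUNT_READONLY;
 }
+else if (strncmp(entry->data, "read-write ", 11) == 0) {
+ptr = entry->data + 11;
+op = MOUNT_RDWR;
+}
 else if (strncmp(entry->data, "noexec ", 7) == 0) {
 ptr = entry->data + 7;
 op = MOUNT_NOEXEC;
@@ -560,6 +573,29 @@ void fs_rdonly(const char *dir) {
 }
 }
 
+static void fs_rdwr(const char *dir) {
+assert(dir);
+// check directory exists
+struct stat s;
+int rv = stat(dir, &s);
+if (rv == 0) {
+// if the file is outside /home directory, allow only root user
+uid_t u = getuid();
+if (u != 0 && s.st_uid != u) {
+fprintf(stderr, "Warning: you are not allowed to change %s to read-write\n", dir);
+return;
+}
+
+// mount --bind /bin /bin
+if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0)
+errExit("mount read-write");
+// mount --bind -o remount,rw /bin
+if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0)
+errExit("mount read-write");
+fs_logger2("read-write", dir);
+}
+}
+
 void fs_noexec(const char *dir) {
 assert(dir);
 // check directory exists
@@ -757,9 +793,6 @@ void fs_basic_fs(void) {
 // firejail sandboxes (firejail --force)
 if (getuid() != 0)
 disable_firejail_config();
-
-if (getuid() == 0)
-fs_rdwr();
 }
 
 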
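Review bot: The debug message in the new MOUNT_RDWR branch of disable_file() (fs.c new line 339) says "Mounting read-only" for a read-write remount; it should read `printf("Mounting read-write %s\n", fname);`. In fs_rdwr() the comment at new line 582, "if the file is outside /home directory, allow only root user", does not describe the check below it, which compares st_uid with the caller's uid regardless of where the path lives; suggest `// a non-root caller may only remount paths it owns` so the next maintainer is not misled. That owner check is a stat()-then-mount() sequence on a path the unprivileged caller controls, so the object inspected and the object remounted can differ if a path component is swapped between the two calls; validating ownership on an opened descriptor with fstat() and mounting through its /proc/self/fd path would close that window, unless the rest of fs.c already guards this in a way not visible here. The remount at new line 593 passes only MS_BIND|MS_REMOUNT|MS_REC, so per-mount flags such as nosuid/nodev/noexec on the original mount are not re-applied; if those flags are relied on for this path (not visible in this hunk), read them back and pass them explicitly. disable_file(), fs_blacklist() and fs_basic_fs() all start outside their hunks.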
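--- a/src/firejail/fs_rdwr.c
+++ b/src/firejail/fs_rdwr.c
@@ -17,6 +17,7 @@
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
+#if 0
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
@@ -91,3 +92,5 @@ void fs_rdwr(void) {
 }
 }
 
+#endif
+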
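Review bot: Wrapping the whole translation unit in `#if 0` (new lines 20 and 95) leaves a permanently disabled copy of the old implementation in the tree, while this same commit already drops its fs_rdwr_add()/fs_rdwr() declarations from firejail.h; removing the file from the build and deleting it would be cleaner than keeping dead code that no longer compiles against the header. If it is intentionally kept as a reference, a one-line comment next to the `#if 0` saying why it is retained and that the replacement is the static fs_rdwr() in fs.c would spare the next reader a search. The fs_rdwr(void) body closed by the second hunk starts outside it.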
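--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1206,7 +1206,7 @@ int main(int argc, char **argv) {
 errExit("asprintf");
 
 profile_check_line(line, 0, NULL); // will exit if something wrong
-// profile_add(line); is not necessary
+profile_add(line);
 }
 else if (strcmp(argv[i], "--overlay") == 0) {
 if (cfg.chrootdir) {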
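--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -716,16 +716,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 
-// read-write
-if (strncmp(ptr, "read-write ", 11) == 0) {
-if (getuid() != 0) {
-fprintf(stderr, "Error: read-write command is available only for root user\n");
-exit(1);
-}
-fs_rdwr_add(ptr + 11);
-return 0;
-}
-
 // rest of filesystem
 if (strncmp(ptr, "blacklist ", 10) == 0)
 ptr += 10;
@@ -747,6 +737,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 else if (strncmp(ptr, "read-only ", 10) == 0)
 ptr += 10;
+else if (strncmp(ptr, "read-write ", 11) == 0)
+ptr += 11;
 else if (strncmp(ptr, "noexec ", 7) == 0)
 ptr += 7;
 else if (strncmp(ptr, "tmpfs ", 6) == 0) {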
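--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1184,16 +1184,23 @@ A short note about mixing \-\-whitelist and \-\-read-only options. Whitelisted d
 should be made read-only independently. Making a parent directory read-only, will not
 make the whitelist read-only. Example:
 .br
+
+.br
 $ firejail --whitelist=~/work --read-only=~ --read-only=~/work
 
 .TP
 \fB\-\-read-write=dirname_or_filename
-By default, the sandbox mounts system directories read-only.
-These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64.
-Use this option to mount read-write files or directories inside the system directories.
+Set directory or file read-write. Only files or directories belonging to the current user are allowed for
+this operation. Example:
+.br
+
+.br
+$ mkdir ~/test
+.br
+$ touch ~/test/a
+.br
+$ firejail --read-only=~/test --read-write=~/test/a
 
-This option is available only to root user. It has no effect when --chroot or --overlay are also set. In these
-cases the system directories are mounted read-write.
 
 .TP
 \fB\-\-rlimit-fsize=number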
@@ -245,4 +245,4 @@ References | |||
245 | https://bestpractices.coreinfrastructure.org | 245 | https://bestpractices.coreinfrastructure.org |
246 | https://twit.tv/shows/floss-weekly/episodes/389 | 246 | https://twit.tv/shows/floss-weekly/episodes/389 |
247 | 247 | ||
248 | @netblue30 \ No newline at end of file | 248 | 22. add support for read-write and noexec to Firetools |