diff options
-rw-r--r-- | Makefile | 2 | ||||
-rw-r--r-- | etc/firejail.config | 4 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 2 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs.c | 4 | ||||
-rw-r--r-- | src/firejail/fs_etc.c | 37 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 6 | ||||
-rw-r--r-- | src/include/rundefs.h | 2 |
8 files changed, 45 insertions, 13 deletions
@@ -276,7 +276,7 @@ $(TEST_TARGETS): | |||
276 | 276 | ||
277 | 277 | ||
278 | # extract some data about the testing setup: kernel, network connectivity, user | 278 | # extract some data about the testing setup: kernel, network connectivity, user |
279 | lab-setup:; uname -r; pwd; whoami; cat /etc/resolv.conf; cat /etc/hosts; dig dns.quad9.net; | 279 | lab-setup:; uname -r; pwd; whoami; cat /etc/resolv.conf; cat /etc/hosts |
280 | 280 | ||
281 | test: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters | 281 | test: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters |
282 | echo "TEST COMPLETE" | 282 | echo "TEST COMPLETE" |
diff --git a/etc/firejail.config b/etc/firejail.config index 13db32f1e..e8bf45751 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
@@ -78,10 +78,6 @@ | |||
78 | # Enable or disable overlayfs features, default enabled. | 78 | # Enable or disable overlayfs features, default enabled. |
79 | # overlayfs yes | 79 | # overlayfs yes |
80 | 80 | ||
81 | # Hide blacklisted files in /etc directory (enabling this may break | ||
82 | # /etc/resolv.conf; see #5010), default disabled. | ||
83 | # etc-hide-blacklisted no | ||
84 | |||
85 | # Set the limit for file copy in several --private-* options. The size is set | 81 | # Set the limit for file copy in several --private-* options. The size is set |
86 | # in megabytes. By default we allow up to 500MB. | 82 | # in megabytes. By default we allow up to 500MB. |
87 | # Note: the files are copied in RAM. | 83 | # Note: the files are copied in RAM. |
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index ce8446cc8..62b8c4dc4 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -51,7 +51,6 @@ int checkcfg(int val) { | |||
51 | cfg_val[i] = 1; // most of them are enabled by default | 51 | cfg_val[i] = 1; // most of them are enabled by default |
52 | cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default | 52 | cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default |
53 | cfg_val[CFG_FORCE_NONEWPRIVS] = 0; | 53 | cfg_val[CFG_FORCE_NONEWPRIVS] = 0; |
54 | cfg_val[CFG_ETC_HIDE_BLACKLISTED] = 0; | ||
55 | cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0; | 54 | cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0; |
56 | cfg_val[CFG_FIREJAIL_PROMPT] = 0; | 55 | cfg_val[CFG_FIREJAIL_PROMPT] = 0; |
57 | cfg_val[CFG_DISABLE_MNT] = 0; | 56 | cfg_val[CFG_DISABLE_MNT] = 0; |
@@ -116,7 +115,6 @@ int checkcfg(int val) { | |||
116 | PARSE_YESNO(CFG_TRACELOG, "tracelog") | 115 | PARSE_YESNO(CFG_TRACELOG, "tracelog") |
117 | PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title") | 116 | PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title") |
118 | PARSE_YESNO(CFG_OVERLAYFS, "overlayfs") | 117 | PARSE_YESNO(CFG_OVERLAYFS, "overlayfs") |
119 | PARSE_YESNO(CFG_ETC_HIDE_BLACKLISTED, "etc-hide-blacklisted") | ||
120 | PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin") | 118 | PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin") |
121 | PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local") | 119 | PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local") |
122 | PARSE_YESNO(CFG_PRIVATE_CACHE, "private-cache") | 120 | PARSE_YESNO(CFG_PRIVATE_CACHE, "private-cache") |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 13ee573ad..4fe3a5974 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -811,7 +811,6 @@ enum { | |||
811 | CFG_FORCE_NONEWPRIVS, | 811 | CFG_FORCE_NONEWPRIVS, |
812 | CFG_XEPHYR_WINDOW_TITLE, | 812 | CFG_XEPHYR_WINDOW_TITLE, |
813 | CFG_OVERLAYFS, | 813 | CFG_OVERLAYFS, |
814 | CFG_ETC_HIDE_BLACKLISTED, | ||
815 | CFG_PRIVATE_BIN, | 814 | CFG_PRIVATE_BIN, |
816 | CFG_PRIVATE_BIN_NO_LOCAL, | 815 | CFG_PRIVATE_BIN_NO_LOCAL, |
817 | CFG_PRIVATE_CACHE, | 816 | CFG_PRIVATE_CACHE, |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 74f7bddd9..89a67f686 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -67,7 +67,7 @@ static void disable_file(OPERATION op, const char *filename) { | |||
67 | // they don't seem to like a uid of 0 | 67 | // they don't seem to like a uid of 0 |
68 | // force mounting | 68 | // force mounting |
69 | int fd = open(filename, O_PATH|O_CLOEXEC); | 69 | int fd = open(filename, O_PATH|O_CLOEXEC); |
70 | if (fd < 0) | 70 | if (fd < 0) |
71 | return; | 71 | return; |
72 | 72 | ||
73 | EUID_ROOT(); | 73 | EUID_ROOT(); |
@@ -159,7 +159,7 @@ static void disable_file(OPERATION op, const char *filename) { | |||
159 | fs_logger2("blacklist-nolog", fname); | 159 | fs_logger2("blacklist-nolog", fname); |
160 | 160 | ||
161 | // files in /etc will be reprocessed during /etc rebuild | 161 | // files in /etc will be reprocessed during /etc rebuild |
162 | if (checkcfg(CFG_ETC_HIDE_BLACKLISTED) && strncmp(fname, "/etc/", 5) == 0) { | 162 | if (strncmp(fname, "/etc/", 5) == 0) { |
163 | ProfileEntry *prf = malloc(sizeof(ProfileEntry)); | 163 | ProfileEntry *prf = malloc(sizeof(ProfileEntry)); |
164 | if (!prf) | 164 | if (!prf) |
165 | errExit("malloc"); | 165 | errExit("malloc"); |
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index aa4d76431..5eb3e34e0 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c | |||
@@ -26,6 +26,41 @@ | |||
26 | #include <unistd.h> | 26 | #include <unistd.h> |
27 | #include <dirent.h> | 27 | #include <dirent.h> |
28 | 28 | ||
29 | void fs_resolvconf(void) { | ||
30 | if (arg_debug) | ||
31 | printf("Creating a new /etc/resolv.conf file\n"); | ||
32 | FILE *fp = fopen(RUN_RESOLVCONF_FILE, "wxe"); | ||
33 | if (!fp) { | ||
34 | fprintf(stderr, "Error: cannot create /etc/resolv.conf file\n"); | ||
35 | exit(1); | ||
36 | } | ||
37 | |||
38 | if (cfg.dns1) { | ||
39 | if (any_dhcp()) | ||
40 | fwarning("network setup uses DHCP, nameservers will likely be overwritten\n"); | ||
41 | fprintf(fp, "nameserver %s\n", cfg.dns1); | ||
42 | } | ||
43 | if (cfg.dns2) | ||
44 | fprintf(fp, "nameserver %s\n", cfg.dns2); | ||
45 | if (cfg.dns3) | ||
46 | fprintf(fp, "nameserver %s\n", cfg.dns3); | ||
47 | if (cfg.dns4) | ||
48 | fprintf(fp, "nameserver %s\n", cfg.dns4); | ||
49 | |||
50 | // mode and owner | ||
51 | SET_PERMS_STREAM(fp, 0, 0, 0644); | ||
52 | |||
53 | fclose(fp); | ||
54 | selinux_relabel_path(RUN_RESOLVCONF_FILE, "/etc/resolv.conf"); | ||
55 | |||
56 | |||
57 | if (mount(RUN_RESOLVCONF_FILE, "/etc/resolv.conf", "none", MS_BIND, "mode=644,gid=0") < 0) | ||
58 | errExit("mount"); | ||
59 | |||
60 | fs_logger("create /etc/resolv.conf"); | ||
61 | } | ||
62 | |||
63 | |||
29 | // spoof /etc/machine_id | 64 | // spoof /etc/machine_id |
30 | void fs_machineid(void) { | 65 | void fs_machineid(void) { |
31 | union machineid_t { | 66 | union machineid_t { |
@@ -262,6 +297,7 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c | |||
262 | fmessage("Private %s installed in %0.2f ms\n", private_dir, timetrace_end()); | 297 | fmessage("Private %s installed in %0.2f ms\n", private_dir, timetrace_end()); |
263 | } | 298 | } |
264 | 299 | ||
300 | #if 0 | ||
265 | void fs_rebuild_etc(void) { | 301 | void fs_rebuild_etc(void) { |
266 | int have_dhcp = 1; | 302 | int have_dhcp = 1; |
267 | if (cfg.dns1 == NULL && !any_dhcp()) { | 303 | if (cfg.dns1 == NULL && !any_dhcp()) { |
@@ -392,3 +428,4 @@ void fs_rebuild_etc(void) { | |||
392 | 428 | ||
393 | fs_logger("create /etc/resolv.conf"); | 429 | fs_logger("create /etc/resolv.conf"); |
394 | } | 430 | } |
431 | #endif \ No newline at end of file | ||
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 1afb3a293..3d0d43965 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -1096,10 +1096,10 @@ int sandbox(void* sandbox_arg) { | |||
1096 | fs_dev_disable_input(); | 1096 | fs_dev_disable_input(); |
1097 | 1097 | ||
1098 | //**************************** | 1098 | //**************************** |
1099 | // rebuild etc directory, set dns | 1099 | // set DNS |
1100 | //**************************** | 1100 | //**************************** |
1101 | if (!arg_writable_etc) | 1101 | if (cfg.dns1 != NULL || any_dhcp()) |
1102 | fs_rebuild_etc(); | 1102 | fs_resolvconf(); |
1103 | 1103 | ||
1104 | //**************************** | 1104 | //**************************** |
1105 | // start dhcp client | 1105 | // start dhcp client |
diff --git a/src/include/rundefs.h b/src/include/rundefs.h index 079670f10..b3ad564ac 100644 --- a/src/include/rundefs.h +++ b/src/include/rundefs.h | |||
@@ -99,5 +99,7 @@ | |||
99 | #define RUN_UMASK_FILE RUN_MNT_DIR "/umask" | 99 | #define RUN_UMASK_FILE RUN_MNT_DIR "/umask" |
100 | #define RUN_JOIN_FILE RUN_MNT_DIR "/join" | 100 | #define RUN_JOIN_FILE RUN_MNT_DIR "/join" |
101 | #define RUN_OVERLAY_ROOT RUN_MNT_DIR "/oroot" | 101 | #define RUN_OVERLAY_ROOT RUN_MNT_DIR "/oroot" |
102 | #define RUN_RESOLVCONF_FILE RUN_MNT_DIR "/resolv.conf" | ||
103 | |||
102 | 104 | ||
103 | #endif | 105 | #endif |