-rw-r--r-- | Makefile.in | 4 | ||||
-rw-r--r-- | etc/firefox.profile | 1 | ||||
-rw-r--r-- | src/firejail/firejail.h | 4 | ||||
-rw-r--r-- | src/firejail/fs.c | 10 | ||||
-rw-r--r-- | src/firejail/fs_bin.c | 5 | ||||
-rw-r--r-- | src/firejail/fs_var.c | 2 | ||||
-rw-r--r-- | src/firejail/profile.c | 8 | ||||
-rwxr-xr-x | test/chromium.exp | 10 | ||||
-rwxr-xr-x | test/fscheck-shell.exp | 14 | ||||
-rwxr-xr-x | test/private-bin.exp | 71 | ||||
-rw-r--r-- | test/private-bin.profile | 1 | ||||
-rwxr-xr-x | test/test.sh | 12 |
12 files changed, 116 insertions, 26 deletions
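--- a/Makefile.in
+++ b/Makefile.in
@@ -8,7 +8,9 @@ bindir=@bindir@
 libdir=@libdir@
 datarootdir=@datarootdir@
 mandir=@mandir@
-sysconfdir=@sysconfdir@
+# todo: fix sysconfdir
+# sysconfdir=@sysconfdir@
+sysconfdir=/etc
 
 VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@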
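Review bot: The hard-coded `sysconfdir=/etc` on the last added line silently discards whatever `--sysconfdir` was passed to configure, so an install with a non-default prefix puts the profiles under /etc, and the `# todo` comment is the only record of why. If the run-time lookup is pinned to /etc/firejail (the chromium test on this page expects `Reading profile /etc/firejail/chromium.profile`, which suggests it is), say so instead of leaving a todo: `# profiles are read from /etc/firejail at run time, so install them there regardless of --sysconfdir`. Otherwise keep `sysconfdir=@sysconfdir@` and fix the run-time path; keeping both lines with one commented out invites a mismatch between where profiles are installed and where they are read.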
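--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -8,6 +8,5 @@ caps.drop all
 seccomp
 netfilter
 noroot
-shell none
 
 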
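Review bot: Dropping `shell none` from etc/firefox.profile weakens the profile and the commit gives no rationale; with the directive gone firejail presumably falls back to starting firefox through the default shell, which brings a shell and its start-up files into the sandbox. If this is intentional (for example because `shell none` broke firefox start-up) record it in the profile, e.g. `# shell none removed: <reason>`, so the next reviewer does not reinstate it blindly; if it was only dropped for testing, restore the line.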
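--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -407,5 +407,9 @@ void errno_print(void);
 // pulseaudio.c
 void pulseaudio_init(void);
 
+// fs_bin.c
+void fs_check_bin_list(void);
+void fs_private_bin_list(void);
+
 #endif
 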
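--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -435,23 +435,23 @@ void fs_proc_sys_dev_boot(void) {
 if (arg_debug)
 printf("Disable /sys/firmware directory\n");
 if (mount("tmpfs", "/sys/firmware", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
-errExit("disable /sys/firmware directory");
+fprintf(stderr, "Warning: cannot disable /sys/firmware directory\n");
 if (arg_debug)
 printf("Disable /sys/hypervisor directory\n");
 if (mount("tmpfs", "/sys/hypervisor", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
-errExit("disable /sys/hypervisor directory");
+fprintf(stderr, "Warning: cannot disable /sys/hypervisor directory\n");
 if (arg_debug)
 printf("Disable /sys/fs directory\n");
 if (mount("tmpfs", "/sys/fs", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
-errExit("disable /sys/fs directory");
+fprintf(stderr, "Warning: cannot disable /sys/fs directory\n");
 if (arg_debug)
 printf("Disable /sys/module directory\n");
 if (mount("tmpfs", "/sys/module", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
-errExit("disable /sys/module directory");
+fprintf(stderr, "Warning: cannot disable /sys/module directory\n");
 if (arg_debug)
 printf("Disable /sys/power directory\n");
 if (mount("tmpfs", "/sys/power", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
-errExit("disable /sys/power directory");
+fprintf(stderr, "Warning: cannot disable /sys/power directory\n");
 
 
 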
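Review bot: Replacing `errExit()` with a warning on each failed tmpfs mount turns the /sys hiding into fail-open: when any of these mounts fails the sandbox starts with /sys/firmware, /sys/hypervisor, /sys/fs, /sys/module or /sys/power still visible, and the only trace is a stderr line that does not even carry the errno. If continuing is the intended policy, report why the mount failed and say so in a comment, e.g. `fprintf(stderr, "Warning: cannot disable /sys/firmware directory: %s\n", strerror(errno));` (needs `<string.h>`) under a `// best effort: an unmountable /sys subtree stays visible inside the sandbox` note; otherwise keep `errExit()` for the directories whose exposure matters most. fs_proc_sys_dev_boot() starts before the hunk and continues after it.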
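--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -44,9 +44,9 @@ static char *check_dir_or_file(const char *name) {
 errExit("asprintf");
 if (arg_debug)
 printf("Checking %s/%s\n", paths[i], name);
-if (stat(fname, &s) == 0)
+if (stat(fname, &s) == 0 && !S_ISDIR(s.st_mode)) // do not allow directories
 break; // file found
 
 free(fname);
 fname = NULL;
 i++;
@@ -99,7 +99,6 @@ void fs_check_bin_list(void) {
 else
 notfound = 1;
 }
-printf("here %d: newlist #%s#\n", __LINE__, newlist);
 
 if (*newlist == '\0') {
 fprintf(stderr, "Warning: no --private-bin list executable found, option disabled\n");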
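Review bot: The `!S_ISDIR()` test added in check_dir_or_file() still accepts every non-directory (device nodes, fifos, sockets) and does nothing about the name itself: `name` is spliced straight into `paths[i]/name`, so a list entry such as `../../etc/shadow` passes the stat() and is handed on as a file to keep. If the later copy into the private /bin runs with firejail's elevated privileges (that code is not on this page), such an entry could pull an arbitrary root-readable file into a directory the sandboxed user can read. I would reject any name containing a path separator before `fname` is built, `if (strchr(name, '/') != NULL) return NULL; // no path components` at the top of the function (assuming NULL is its not-found result; the function head is outside the hunk), and restrict the match to regular files: `if (stat(fname, &s) == 0 && S_ISREG(s.st_mode)) // regular files only`. Both hunks on this file sit inside functions whose bodies start outside the view.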
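--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -146,7 +146,7 @@ void fs_var_log(void) {
 errExit("chmod");
 }
 else
-fprintf(stderr, "Warning: cannot mount tmpfs in top of /var/log\n");
+fprintf(stderr, "Warning: cannot mount tmpfs on top of /var/log\n");
 }
 
 void fs_var_lib(void) {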
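--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -257,6 +257,14 @@ int profile_check_line(char *ptr, int lineno) {
 return 0;
 }
 
+// private /bin list of files
+if (strncmp(ptr, "private-bin ", 12) == 0) {
+cfg.bin_private_keep = ptr + 12;
+fs_check_bin_list();
+arg_private_bin = 1;
+return 0;
+}
+
 // filesystem bind
 if (strncmp(ptr, "bind ", 5) == 0) {
 if (getuid() != 0) {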
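Review bot: In the new `private-bin` branch `arg_private_bin = 1` is assigned after `fs_check_bin_list()` has run; fs_bin.c on this page shows that function printing `Warning: no --private-bin list executable found, option disabled`, so if it implements "disabled" by clearing `arg_private_bin` (its body is not visible here) the assignment on the next line re-enables the option with an empty keep list. Set the flag first, `arg_private_bin = 1;` then `fs_check_bin_list();`, or have the check return its verdict. Separately, `cfg.bin_private_keep = ptr + 12;` stores a pointer into the profile line buffer; unless the caller guarantees that buffer outlives profile parsing (the caller is outside this hunk), duplicate it with `strdup()`. profile_check_line() starts before the hunk and continues after it.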
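--- a/test/chromium.exp
+++ b/test/chromium.exp
@@ -4,10 +4,10 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail chromium-browser www.gentoo.org\r"
+send -- "firejail chromium www.gentoo.org\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
-"Reading profile /etc/firejail/chromium-browser.profile"
+"Reading profile /etc/firejail/chromium.profile"
 }
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}
@@ -23,7 +23,7 @@ expect {
 }
 expect {
 timeout {puts "TESTING ERROR 3.1\n";exit}
-"chromium-browser"
+"chromium"
 }
 sleep 1
 
@@ -38,7 +38,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
 timeout {puts "TESTING ERROR 5\n";exit}
-":firejail chromium-browser"
+":firejail chromium"
 }
 expect {
 timeout {puts "TESTING ERROR 5.1\n";exit}
@@ -52,7 +52,7 @@ sleep 1
 send -- "firemon --caps\r"
 expect {
 timeout {puts "TESTING ERROR 6\n";exit}
-":firejail chromium-browser"
+":firejail chromium"
 }
 expect {
 timeout {puts "TESTING ERROR 6.1\n";exit}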
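--- a/test/fscheck-shell.exp
+++ b/test/fscheck-shell.exp
@@ -15,7 +15,7 @@ after 100
 # ..
 send -- "firejail --net=br0 --shell=../test/fscheck-dir\r"
 expect {
-timeout {puts "TESTING ERROR 0.1\n";exit}
+timeout {puts "TESTING ERROR 1\n";exit}
 "Error"
 }
 after 100
@@ -23,7 +23,7 @@ after 100
 # dir link
 send -- "firejail --net=br0 --shell=fscheck-dir-link\r"
 expect {
-timeout {puts "TESTING ERROR 1\n";exit}
+timeout {puts "TESTING ERROR 2\n";exit}
 "Error"
 }
 after 100
@@ -31,7 +31,7 @@ after 100
 # ..
 send -- "firejail --net=br0 --shell=../test/fscheck-dir-link\r"
 expect {
-timeout {puts "TESTING ERROR 1.1\n";exit}
+timeout {puts "TESTING ERROR 3\n";exit}
 "Error"
 }
 after 100
@@ -39,7 +39,7 @@ after 100
 # file link
 send -- "firejail --net=br0 --shell=fscheck-file-link\r"
 expect {
-timeout {puts "TESTING ERROR 2\n";exit}
+timeout {puts "TESTING ERROR 4\n";exit}
 "Error"
 }
 after 100
@@ -47,7 +47,7 @@ after 100
 # ..
 send -- "firejail --net=br0 --shell=../test/fscheck-file-link\r"
 expect {
-timeout {puts "TESTING ERROR 2\n";exit}
+timeout {puts "TESTING ERROR 5\n";exit}
 "Error"
 }
 after 100
@@ -55,7 +55,7 @@ after 100
 # no file
 send -- "firejail --net=br0 --shell=../test/nofile\r"
 expect {
-timeout {puts "TESTING ERROR 3\n";exit}
+timeout {puts "TESTING ERROR 6\n";exit}
 "Error"
 }
 after 100
@@ -63,7 +63,7 @@ after 100
 # real GID/UID
 send -- "firejail --net=br0 --shell=/etc/shadow\r"
 expect {
-timeout {puts "TESTING ERROR 4\n";exit}
+timeout {puts "TESTING ERROR 7\n";exit}
 "Error"
 }
 after 100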
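--- /dev/null
+++ b/test/private-bin.exp
@@ -0,0 +1,71 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --private-bin=bash,ls,sh\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "ls -al /bin\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"bash"
+}
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"ls"
+}
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"sh"
+}
+
+send -- "ls -al /bin\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"ping" {puts "TESTING ERROR 6\n";exit}
+"sh"
+}
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --profile=private-bin.profile\r"
+expect {
+timeout {puts "TESTING ERROR 7\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "ls -al /bin\r"
+expect {
+timeout {puts "TESTING ERROR 8\n";exit}
+"bash"
+}
+expect {
+timeout {puts "TESTING ERROR 9\n";exit}
+"ls"
+}
+expect {
+timeout {puts "TESTING ERROR 10\n";exit}
+"sh"
+}
+
+send -- "ls -al /bin\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"ping" {puts "TESTING ERROR 6\n";exit}
+"sh"
+}
+send -- "exit\r"
+
+
+
+
+sleep 1
+puts "\nall done\n"
+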
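--- /dev/null
+++ b/test/private-bin.profile
@@ -0,0 +1 @@
+private-bin bash,ls,sh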
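--- a/test/test.sh
+++ b/test/test.sh
@@ -18,9 +18,15 @@ echo "TESTING: environment variables"
 echo "TESTING: private-etc"
 ./private-etc.exp
 
+echo "TESTING: private-bin"
+./private-bin.exp
+
+sleep 1
+rm -fr dir\ with\ space
 mkdir dir\ with\ space
 echo "TESTING: blacklist"
 ./blacklist.exp
+sleep 1
 rm -fr dir\ with\ space
 
 ln -s auto auto2
@@ -155,7 +161,7 @@ else
 echo "TESTING: midori not found"
 fi
 
-which chromium-browser
+which chromium
 if [ "$?" -eq 0 ];
 then
 echo "TESTING: chromium"
@@ -278,10 +284,10 @@ echo "TESTING: seccomp su"
 echo "TESTING: seccomp ptrace"
 ./seccomp-ptrace.exp
 
-echo "TESTING: seccomp chmod (seccomp lists)"
+echo "TESTING: seccomp chmod - seccomp lists"
 ./seccomp-chmod.exp
 
-echo "TESTING: seccomp chmod profile (seccomp lists)"
+echo "TESTING: seccomp chmod profile - seccomp lists"
 ./seccomp-chmod-profile.exp
 
 echo "TESTING: seccomp empty"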