-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | RELNOTES | 2 | ||||
-rw-r--r-- | etc/allow-lua.inc | 4 | ||||
-rw-r--r-- | etc/conky.profile | 3 | ||||
-rw-r--r-- | etc/disable-interpreters.inc | 3 | ||||
-rw-r--r-- | etc/discord-common.profile | 9 | ||||
-rw-r--r-- | etc/file-roller.profile | 2 | ||||
-rw-r--r-- | etc/firefox-esr.profile | 2 | ||||
-rw-r--r-- | etc/firefox.profile | 1 | ||||
-rw-r--r-- | etc/mpv.profile | 2 | ||||
-rw-r--r-- | etc/openshot.profile | 3 | ||||
-rw-r--r-- | etc/slack.profile | 2 | ||||
-rw-r--r-- | etc/thunderbird.profile | 1 | ||||
-rw-r--r-- | etc/xournal.profile | 47 | ||||
-rw-r--r-- | etc/zoom.profile | 4 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 1 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs_dev.c | 5 | ||||
-rw-r--r-- | src/firejail/join.c | 54 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 34 | ||||
-rw-r--r-- | src/firejail/sbox.c | 13 |
21 files changed, 157 insertions, 38 deletions
@@ -151,4 +151,4 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
151 | 151 | ||
152 | ### New profiles: | 152 | ### New profiles: |
153 | 153 | ||
154 | gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl, muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free, teams | 154 | gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl, muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free, teams, xournal |
@@ -8,7 +8,7 @@ firejail (0.9.63) baseline; urgency=low | |||
8 | * new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool | 8 | * new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool |
9 | * new profiles: desktopeditors, impressive, planmaker18, planmaker18free | 9 | * new profiles: desktopeditors, impressive, planmaker18, planmaker18free |
10 | * new profiles: presentations18, presentations18free, textmaker18, teams | 10 | * new profiles: presentations18, presentations18free, textmaker18, teams |
11 | * new profiles: textmaker18free | 11 | * new profiles: textmaker18free, xournal |
12 | 12 | ||
13 | firejail (0.9.62) baseline; urgency=low | 13 | firejail (0.9.62) baseline; urgency=low |
14 | * added file-copy-limit in /etc/firejail/firejail.config | 14 | * added file-copy-limit in /etc/firejail/firejail.config |
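--- a/etc/allow-lua.inc
+++ b/etc/allow-lua.inc
@@ -3,6 +3,8 @@
 include allow-lua.local
 
 noblacklist ${PATH}/lua*
-noblacklist /usr/include/lua*
+noblacklist /usr/include
+noblacklist /usr/lib/liblua*
 noblacklist /usr/lib/lua
 noblacklist /usr/share/lua
+noblacklist /usr/share/lua*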
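Review bot: The modified line widens `noblacklist /usr/include/lua*` to `noblacklist /usr/include`, which un-blacklists every header directory rather than only the Lua ones, and it no longer mirrors the `blacklist /usr/include/lua*` line that disable-interpreters.inc keeps in this same commit. Unless another include not shown here blacklists the whole of /usr/include and a child-path noblacklist would not undo that, `noblacklist /usr/include/lua*` is the narrower counterpart. If the wide form is really needed, a comment naming the include it counters would make the asymmetry deliberate, e.g. `# /usr/include is blacklisted as a whole elsewhere; lua headers live below it`.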
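--- a/etc/conky.profile
+++ b/etc/conky.profile
@@ -8,6 +8,9 @@ include globals.local
 
 noblacklist ${PICTURES}
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc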
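--- a/etc/disable-interpreters.inc
+++ b/etc/disable-interpreters.inc
@@ -13,8 +13,9 @@ blacklist /usr/lib64/libgjs*
 # Lua
 blacklist ${PATH}/lua*
 blacklist /usr/include/lua*
+blacklist /usr/lib/liblua*
 blacklist /usr/lib/lua
-blacklist /usr/share/lua
+blacklist /usr/share/lua*
 
 # Node.js
 blacklist ${PATH}/node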
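--- a/etc/discord-common.profile
+++ b/etc/discord-common.profile
@@ -6,8 +6,11 @@ include discord-common.local
 # added by caller profile
 #include globals.local
 
+ignore noexec ${HOME}
+
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
@@ -25,11 +28,9 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 
-private-bin bash,cut,echo,egrep,grep,head,sed,sh,tr,xdg-mime,xdg-open,zsh
+private-bin bash,cut,echo,egrep,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl
 private-tmp
-
-noexec /tmp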
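Review bot: `seccomp !chroot` re-enables the chroot syscall in the default filter with no comment saying which component needs it; the same change is made in slack.profile and zoom.profile, so the reason should be recorded in each profile, e.g. `# chroot is needed by the application's own sandbox helper` (replace with the actual dependency). In the first hunk, `ignore noexec ${HOME}` cancels whatever `noexec ${HOME}` the newly included disable-exec.inc sets, so the net effect for ${HOME} is presumably the old behaviour while the rest of disable-exec.inc now applies; a one-line comment above the `ignore` would save the next reader from working that out. The private-bin line also gains `tclsh`, an interpreter, and disable-interpreters.inc does not appear in the include list visible here, so that addition deserves a word as well.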
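--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -36,7 +36,7 @@ seccomp
 shell none
 tracelog
 
-private-bin 7z,7za,7zr,ar,arj,brotli,bzip2,compress,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,rar,rzip,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,xz,zip,zoo
+private-bin 7z,7za,7zr,ar,arj,bash,brotli,bzip2,compress,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,p7zip,rar,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,xz,zip,zoo
 private-cache
 private-dev
 private-etc dconf,fonts,gtk-3.0,xdg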
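Review bot: `bash` and `sh` are added to private-bin alongside `p7zip` without a recorded reason, and shells in a private-bin are exactly the entries a later cleanup tends to prune. If they are there because `p7zip` is a shell-script wrapper on some distributions, say so on the line above, e.g. `# bash/sh: p7zip is a shell script on some distributions` (adjust to the actual dependency).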
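--- a/etc/firefox-esr.profile
+++ b/etc/firefox-esr.profile
@@ -6,5 +6,7 @@ include firefox-esr.local
 # added by included profile
 #include globals.local
 
+whitelist /usr/share/firefox-esr
+
 # Redirect
 include firefox.profile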
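--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -15,6 +15,7 @@ whitelist ${HOME}/.cache/mozilla/firefox
 whitelist ${HOME}/.mozilla
 
 whitelist /usr/share/doc
+whitelist /usr/share/firefox
 whitelist /usr/share/gtk-doc/html
 whitelist /usr/share/mozilla
 whitelist /usr/share/webext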
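--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -11,6 +11,8 @@ noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/youtube-dl
 noblacklist ${HOME}/.netrc
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc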
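--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -23,8 +23,7 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-#net none
-netfilter
+net none
 nodbus
 nodvd
 nogroups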
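--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -28,7 +28,7 @@ noroot
 notv
 nou2f
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 shell none
 
 disable-mnt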
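--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -47,6 +47,7 @@ whitelist ${HOME}/.thunderbird
 
 whitelist /usr/share/gnupg
 whitelist /usr/share/mozilla
+whitelist /usr/share/thunderbird
 whitelist /usr/share/webext
 include whitelist-usr-share-common.inc
 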
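--- /dev/null
+++ b/etc/xournal.profile
@@ -0,0 +1,47 @@
+# Firejail profile for xournal
+# Description: Note taking and PDF editing
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xournal.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/xournal
+whitelist /usr/share/poppler
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin xournal
+private-cache
+private-dev
+private-etc alternatives,fonts,group,machine-id,passwd
+# TODO should use private-lib
+private-tmp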
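Review bot: The new profile sets `noblacklist ${DOCUMENTS}` but never narrows the rest of ${HOME} (no home whitelist lines), and it uses neither `apparmor` nor `disable-mnt`, both of which sibling profiles touched in this commit rely on (openshot.profile, slack.profile). If that is intentional for a note-taking tool that opens arbitrary user files, a comment next to the include list saying so would stop the next contributor from "fixing" it. The `# TODO should use private-lib` line would also be more useful if it recorded what currently prevents it.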
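--- a/etc/zoom.profile
+++ b/etc/zoom.profile
@@ -27,7 +27,7 @@ nodvd
 nonewprivs
 noroot
 notv
-protocol unix,inet,inet6
-seccomp
+protocol unix,inet,inet6,netlink
+seccomp !chroot
 
 private-tmp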
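--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -722,6 +722,7 @@ xmr-stak
 xonotic
 xonotic-glx
 xonotic-sdl
+xournal
 xpdf
 xplayer
 xplayer-audio-preview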
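--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -359,6 +359,7 @@ char *guess_shell(void);
 // sandbox.c
 int sandbox(void* sandbox_arg);
 void start_application(int no_sandbox, FILE *fp);
+void set_apparmor(void);
 
 // network_main.c
 void net_configure_sandbox_ip(Bridge *br);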
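--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -157,9 +157,6 @@ static void create_link(const char *oldpath, const char *newpath) {
 fprintf(stderr, "Error: cannot create %s device\n", newpath);
 exit(1);
 }
-
-if (chown(newpath, 0, 0) < 0) {;}
-
 fs_logger2("create", newpath);
 return;
 }
@@ -302,12 +299,10 @@ void fs_private_dev(void){
 fs_logger("clone /dev/pts");
 
 // stdin, stdout, stderr
-#if 0
 create_link("/proc/self/fd", "/dev/fd");
 create_link("/proc/self/fd/0", "/dev/stdin");
 create_link("/proc/self/fd/1", "/dev/stdout");
 create_link("/proc/self/fd/2", "/dev/stderr");
-#endif
 
 // symlinks for DVD/CD players
 if (stat("/dev/sr0", &s) == 0) {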
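Review bot: The four `create_link` calls into /proc/self are re-enabled in the second hunk without any note on why they had been under `#if 0`, and if create_link creates a symlink, a missing /proc target is not detected at creation time, so the ordering assumption deserves a comment such as `// targets live in /proc; the links dangle until proc is mounted in the sandbox`. In the first hunk the `return;` that is now the last statement of the void function create_link is redundant and can go; the head of create_link is outside the hunk. Dropping the `if (chown(newpath, 0, 0) < 0) {;}` no-op is fine — chown(2) would have followed the link to its target anyway, so it never affected the link itself.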
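--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -26,7 +26,11 @@
 
 #include <sys/prctl.h>
 #ifndef PR_SET_NO_NEW_PRIVS
-# define PR_SET_NO_NEW_PRIVS 38
+#define PR_SET_NO_NEW_PRIVS 38
+#endif
+
+#ifdef HAVE_APPARMOR
+#include <sys/apparmor.h>
 #endif
 
 static int apply_caps = 0;
@@ -50,6 +54,46 @@ static void install_handler(void) {
 sigaction(SIGTERM, &sga, NULL);
 }
 
+#ifdef HAVE_APPARMOR
+static void extract_apparmor(pid_t pid) {
+if (checkcfg(CFG_APPARMOR)) {
+EUID_USER();
+if (aa_is_enabled() == 1) {
+// get pid of next child process
+pid_t child;
+if (find_child(pid, &child) == 1)
+child = pid; // no child, proceed with current pid
+
+// get name of AppArmor profile
+char *fname;
+if (asprintf(&fname, "/proc/%d/attr/current", child) == -1)
+errExit("asprintf");
+EUID_ROOT();
+int fd = open(fname, O_RDONLY|O_CLOEXEC);
+EUID_USER();
+free(fname);
+if (fd == -1)
+goto errexit;
+char buf[BUFLEN];
+ssize_t rv = read(fd, buf, sizeof(buf) - 1);
+close(fd);
+if (rv < 0)
+goto errexit;
+buf[rv] = '\0';
+// process confined by Firejail's AppArmor policy?
+if (strncmp(buf, "firejail-default", 16) == 0)
+arg_apparmor = 1;
+}
+EUID_ROOT();
+}
+return;
+
+errexit:
+fprintf(stderr, "Error: cannot read /proc file\n");
+exit(1);
+}
+#endif // HAVE_APPARMOR
+
 static void extract_x11_display(pid_t pid) {
 char *fname;
 if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1)
@@ -388,6 +432,9 @@ void join(pid_t pid, int argc, char **argv, int index) {
 extract_cgroup(pid);
 extract_nogroups(pid);
 extract_user_namespace(pid);
+#ifdef HAVE_APPARMOR
+extract_apparmor(pid);
+#endif
 }
 
 // set cgroup
@@ -501,6 +548,11 @@ void join(pid_t pid, int argc, char **argv, int index) {
 // kill the child in case the parent died
 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
 
+#ifdef HAVE_APPARMOR
+// add apparmor confinement after the execve
+set_apparmor();
+#endif
+
 extract_command(argc, argv, index);
 if (cfg.command_line == NULL) {
 assert(cfg.shell);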
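Review bot: In extract_apparmor (second hunk) `strncmp(buf, "firejail-default", 16)` hard-codes the label length and is a prefix match, so any label beginning with `firejail-default` sets arg_apparmor — presumably intended because /proc/<pid>/attr/current carries the enforcement mode after the label, but a label such as `firejail-default-something` would match as well; writing it as `strncmp(buf, "firejail-default", sizeof("firejail-default") - 1)` removes the magic number, and a comment should say the prefix match is deliberate. The function also has no header comment; `// if the sandbox being joined runs under the firejail-default AppArmor profile, confine the joining process the same way` would explain why arg_apparmor is set from here. In the last hunk, set_apparmor() is defined in sandbox.c with EUID_ASSERT() at its top, so this call site relies on the effective uid already being the user's at that point in join(); the surrounding join() body is outside the hunk, so I cannot confirm that from the diff.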
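--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -29,6 +29,7 @@
 #include <dirent.h>
 #include <errno.h>
 #include <fcntl.h>
+#include <syscall.h>
 
 #include <sched.h>
 #ifndef CLONE_NEWUSER
@@ -37,16 +38,15 @@
 
 #include <sys/prctl.h>
 #ifndef PR_SET_NO_NEW_PRIVS
-# define PR_SET_NO_NEW_PRIVS 38
+#define PR_SET_NO_NEW_PRIVS 38
 #endif
 #ifndef PR_GET_NO_NEW_PRIVS
-# define PR_GET_NO_NEW_PRIVS 39
+#define PR_GET_NO_NEW_PRIVS 39
 #endif
 
 #ifdef HAVE_APPARMOR
 #include <sys/apparmor.h>
 #endif
-#include <syscall.h>
 
 
 static int force_nonewprivs = 0;
@@ -125,6 +125,21 @@ static void set_caps(void) {
 caps_drop_dac_override();
 }
 
+#ifdef HAVE_APPARMOR
+void set_apparmor(void) {
+EUID_ASSERT();
+if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
+if (aa_change_onexec("firejail-default")) {
+fwarning("Cannot confine the application using AppArmor.\n"
+"Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
+"As root, run \"aa-enforce firejail-default\" to load it.\n");
+}
+else if (arg_debug)
+printf("AppArmor enabled\n");
+}
+}
+#endif
+
 static void save_nogroups(void) {
 if (arg_nogroups == 0)
 return;
@@ -1203,17 +1218,10 @@ int sandbox(void* sandbox_arg) {
 
 if (app_pid == 0) {
 #ifdef HAVE_APPARMOR
-if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
-errno = 0;
-if (aa_change_onexec("firejail-default")) {
-fwarning("Cannot confine the application using AppArmor.\n"
-"Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
-"As root, run \"aa-enforce firejail-default\" to load it.\n");
-}
-else if (arg_debug)
-printf("AppArmor enabled\n");
-}
+// add apparmor confinement after the execve
+set_apparmor();
 #endif
+
 // set nice and rlimits
 if (arg_nice)
 set_nice(cfg.nice);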
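Review bot: set_apparmor (third hunk) becomes an exported function declared in firejail.h but carries no header comment, and its failure mode — a failing aa_change_onexec() only produces fwarning() and the caller continues without confinement — is a policy that callers such as join() need to know about; a comment on the definition like `// Best effort: if the firejail-default profile cannot be applied, warn and continue without AppArmor` would state it. The move also drops the `errno = 0;` that preceded the aa_change_onexec call in the old sandbox() body (last hunk); since the warning text never reads errno the reset was dead, but it is worth a line in the commit message so the removal reads as deliberate.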
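--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -53,11 +53,17 @@ static struct sock_filter filter[] = {
 #ifdef SYS_ptrace
 BLACKLIST(SYS_ptrace), // trace processes
 #endif
+#ifdef SYS_process_vm_readv
+BLACKLIST(SYS_process_vm_readv),
+#endif
+#ifdef SYS_process_vm_writev
+BLACKLIST(SYS_process_vm_writev),
+#endif
 #ifdef SYS_kexec_file_load
-BLACKLIST(SYS_kexec_file_load),
+BLACKLIST(SYS_kexec_file_load), // loading a different kernel
 #endif
 #ifdef SYS_kexec_load
-BLACKLIST(SYS_kexec_load), // loading a different kernel
+BLACKLIST(SYS_kexec_load),
 #endif
 #ifdef SYS_name_to_handle_at
 BLACKLIST(SYS_name_to_handle_at),
@@ -83,9 +89,6 @@ static struct sock_filter filter[] = {
 #ifdef SYS_ioperm
 BLACKLIST(SYS_ioperm),
 #endif
-#ifdef SYS_iopl
-BLACKLIST(SYS_iopl), // io permissions
-#endif
 #ifdef SYS_ioprio_set
 BLACKLIST(SYS_ioprio_set),
 #endif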
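Review bot: The second hunk removes `BLACKLIST(SYS_iopl)` from the sbox seccomp filter with no replacement and no explanation, while `SYS_ioperm` stays; both grant raw I/O-port access, so the filter now blocks one and not the other. If the removal is intentional it needs a comment saying why; otherwise restore the three lines `#ifdef SYS_iopl` / `BLACKLIST(SYS_iopl), // io permissions` / `#endif`. In the first hunk the `// loading a different kernel` comment moved from SYS_kexec_load to SYS_kexec_file_load, leaving the other bare, and the new process_vm_readv/process_vm_writev entries have no comment at all; `// read/write another process's memory` would match the style of the neighbouring entries. The `filter[]` array begins and ends outside both hunks.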