diff options
-rw-r--r-- | src/firejail/dhcp.c | 26 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 13 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 2 | ||||
-rw-r--r-- | src/include/rundefs.h | 2 |
5 files changed, 40 insertions, 4 deletions
diff --git a/src/firejail/dhcp.c b/src/firejail/dhcp.c index 37547a985..456bba91b 100644 --- a/src/firejail/dhcp.c +++ b/src/firejail/dhcp.c | |||
@@ -130,7 +130,9 @@ static void dhcp_waitll_all() { | |||
130 | dhcp_waitll(cfg.bridge3.devsandbox); | 130 | dhcp_waitll(cfg.bridge3.devsandbox); |
131 | } | 131 | } |
132 | 132 | ||
133 | void dhcp_start(void) { | 133 | // Temporarily copy dhclient executable under /run/firejail/mnt and start it from there |
134 | // in order to recognize it later in firemon and firetools | ||
135 | void dhcp_store_exec(void) { | ||
134 | if (!any_dhcp()) | 136 | if (!any_dhcp()) |
135 | return; | 137 | return; |
136 | 138 | ||
@@ -144,6 +146,26 @@ void dhcp_start(void) { | |||
144 | } | 146 | } |
145 | } | 147 | } |
146 | 148 | ||
149 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", dhclient_path, RUN_MNT_DIR); | ||
150 | } | ||
151 | |||
152 | void dhcp_start(void) { | ||
153 | if (!any_dhcp()) | ||
154 | return; | ||
155 | |||
156 | char *dhclient_path = RUN_MNT_DIR "/dhclient";; | ||
157 | struct stat s; | ||
158 | if (stat(dhclient_path, &s) == -1) { | ||
159 | dhclient_path = "/usr/sbin/dhclient"; | ||
160 | if (stat(dhclient_path, &s) == -1) { | ||
161 | fprintf(stderr, "Error: dhclient was not found.\n"); | ||
162 | exit(1); | ||
163 | } | ||
164 | } | ||
165 | |||
166 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", dhclient_path, RUN_MNT_DIR); | ||
167 | dhclient_path = RUN_MNT_DIR "/dhclient"; | ||
168 | |||
147 | EUID_ROOT(); | 169 | EUID_ROOT(); |
148 | if (mkdir(RUN_DHCLIENT_DIR, 0700)) | 170 | if (mkdir(RUN_DHCLIENT_DIR, 0700)) |
149 | errExit("mkdir"); | 171 | errExit("mkdir"); |
@@ -163,4 +185,6 @@ void dhcp_start(void) { | |||
163 | exit(1); | 185 | exit(1); |
164 | } | 186 | } |
165 | } | 187 | } |
188 | |||
189 | unlink(dhclient_path); | ||
166 | } | 190 | } |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 2bb8dd351..6c0ebcd43 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -867,6 +867,7 @@ void dbus_apply_policy(void); | |||
867 | // dhcp.c | 867 | // dhcp.c |
868 | extern pid_t dhclient4_pid; | 868 | extern pid_t dhclient4_pid; |
869 | extern pid_t dhclient6_pid; | 869 | extern pid_t dhclient6_pid; |
870 | void dhcp_store_exec(void); | ||
870 | void dhcp_start(void); | 871 | void dhcp_start(void); |
871 | 872 | ||
872 | // selinux.c | 873 | // selinux.c |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 5cc2d4123..daa924698 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -888,19 +888,20 @@ char *guess_shell(void) { | |||
888 | return shell; | 888 | return shell; |
889 | } | 889 | } |
890 | 890 | ||
891 | // return argument index | ||
891 | static int check_arg(int argc, char **argv, const char *argument, int strict) { | 892 | static int check_arg(int argc, char **argv, const char *argument, int strict) { |
892 | int i; | 893 | int i; |
893 | int found = 0; | 894 | int found = 0; |
894 | for (i = 1; i < argc; i++) { | 895 | for (i = 1; i < argc; i++) { |
895 | if (strict) { | 896 | if (strict) { |
896 | if (strcmp(argv[i], argument) == 0) { | 897 | if (strcmp(argv[i], argument) == 0) { |
897 | found = 1; | 898 | found = i; |
898 | break; | 899 | break; |
899 | } | 900 | } |
900 | } | 901 | } |
901 | else { | 902 | else { |
902 | if (strncmp(argv[i], argument, strlen(argument)) == 0) { | 903 | if (strncmp(argv[i], argument, strlen(argument)) == 0) { |
903 | found = 1; | 904 | found = i; |
904 | break; | 905 | break; |
905 | } | 906 | } |
906 | } | 907 | } |
@@ -1046,6 +1047,14 @@ int main(int argc, char **argv, char **envp) { | |||
1046 | } | 1047 | } |
1047 | EUID_USER(); | 1048 | EUID_USER(); |
1048 | 1049 | ||
1050 | // --ip=dhcp - we need access to /sbin and /usr/sbin directories in order to run ISC DHCP client (dhclient) | ||
1051 | // these paths are disabled in disable-common.inc | ||
1052 | if ((i = check_arg(argc, argv, "--ip", 0)) != 0) { | ||
1053 | if (strncmp(argv[i] + 4, "=dhcp", 5) == 0) { | ||
1054 | profile_add("noblacklist /sbin"); | ||
1055 | profile_add("noblacklist /usr/sbin"); | ||
1056 | } | ||
1057 | } | ||
1049 | 1058 | ||
1050 | // for appimages we need to remove "include disable-shell.inc from the profile | 1059 | // for appimages we need to remove "include disable-shell.inc from the profile |
1051 | // a --profile command can show up before --appimage | 1060 | // a --profile command can show up before --appimage |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index ff6be986f..3e8dbe5d9 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -651,6 +651,8 @@ int sandbox(void* sandbox_arg) { | |||
651 | if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, NULL, MS_BIND, NULL) < 0 || | 651 | if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, NULL, MS_BIND, NULL) < 0 || |
652 | mount(NULL, RUN_FIREJAIL_LIB_DIR, NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_BIND|MS_REMOUNT, NULL) < 0) | 652 | mount(NULL, RUN_FIREJAIL_LIB_DIR, NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_BIND|MS_REMOUNT, NULL) < 0) |
653 | errExit("mounting " RUN_FIREJAIL_LIB_DIR); | 653 | errExit("mounting " RUN_FIREJAIL_LIB_DIR); |
654 | // keep a copy of dhclient executable before the filesystem is modified | ||
655 | dhcp_store_exec(); | ||
654 | 656 | ||
655 | //**************************** | 657 | //**************************** |
656 | // log sandbox data | 658 | // log sandbox data |
diff --git a/src/include/rundefs.h b/src/include/rundefs.h index 4da2db748..21aad66f7 100644 --- a/src/include/rundefs.h +++ b/src/include/rundefs.h | |||
@@ -51,7 +51,7 @@ | |||
51 | #define RUN_LIB_DIR RUN_MNT_DIR "/lib" | 51 | #define RUN_LIB_DIR RUN_MNT_DIR "/lib" |
52 | #define RUN_LIB_FILE RUN_MNT_DIR "/libfiles" | 52 | #define RUN_LIB_FILE RUN_MNT_DIR "/libfiles" |
53 | #define RUN_DNS_ETC RUN_MNT_DIR "/dns-etc" | 53 | #define RUN_DNS_ETC RUN_MNT_DIR "/dns-etc" |
54 | #define RUN_DHCLIENT_DIR RUN_MNT_DIR "/dhclient" | 54 | #define RUN_DHCLIENT_DIR RUN_MNT_DIR "/dhclient-dir" |
55 | #define RUN_DHCLIENT_4_LEASES_FILE RUN_DHCLIENT_DIR "/dhclient.leases" | 55 | #define RUN_DHCLIENT_4_LEASES_FILE RUN_DHCLIENT_DIR "/dhclient.leases" |
56 | #define RUN_DHCLIENT_6_LEASES_FILE RUN_DHCLIENT_DIR "/dhclient6.leases" | 56 | #define RUN_DHCLIENT_6_LEASES_FILE RUN_DHCLIENT_DIR "/dhclient6.leases" |
57 | #define RUN_DHCLIENT_4_LEASES_FILE RUN_DHCLIENT_DIR "/dhclient.leases" | 57 | #define RUN_DHCLIENT_4_LEASES_FILE RUN_DHCLIENT_DIR "/dhclient.leases" |