-rw-r--r--Makefile.in3
-rw-r--r--README.md2
-rw-r--r--etc/inc/allow-ssh.inc9
-rw-r--r--etc/inc/disable-common.inc4
-rw-r--r--src/fids/main.c19
-rw-r--r--src/firecfg/firecfg.config2
-rw-r--r--src/firecfg/main.c8
-rw-r--r--src/firejail/appimage.c6
-rw-r--r--src/firejail/fs.c43
-rw-r--r--src/firejail/seccomp.c6
-rw-r--r--src/man/firecfg.txt2
11 files changed, 60 insertions, 44 deletions
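diff --git a/Makefile.in b/Makefile.in
index 11193122d..ddc63c1af 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -116,7 +116,7 @@ endif
  install -m 0755 src/jailcheck/jailcheck $(DESTDIR)$(bindir)
  # libraries and plugins
  install -m 0755 -d $(DESTDIR)$(libdir)/firejail
- install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config
+ install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS)
  install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)
  # plugins w/o read permission (non-dumpable)
  install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE)
@@ -135,6 +135,7 @@ endif
  install -m 0644 -t $(DESTDIR)$(DOCDIR) COPYING README RELNOTES etc/templates/*
  # profiles and settings
  install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail
+ install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config
  install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config etc/ids.config
  sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 ifeq ($(BUSYBOX_WORKAROUND),yes)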
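diff --git a/README.md b/README.md
index c58ef84c0..7594f1328 100644
--- a/README.md
+++ b/README.md
@@ -150,7 +150,7 @@ PulseAudio changes.
 Start your programs the way you are used to: desktop manager menus, file manager, desktop launchers.
 The integration applies to any program supported by default by Firejail. There are about 250 default applications
 in current Firejail version, and the number goes up with every new release.
-We keep the application list in [/usr/lib/firejail/firecfg.config](https://github.com/netblue30/firejail/blob/master/src/firecfg/firecfg.config) file.
+We keep the application list in [/etc/firejail/firecfg.config](https://github.com/netblue30/firejail/blob/master/src/firecfg/firecfg.config) file.
 
 ## Security profiles
 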
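diff --git a/etc/inc/allow-ssh.inc b/etc/inc/allow-ssh.inc
index a78798a18..5d41e6607 100644
--- a/etc/inc/allow-ssh.inc
+++ b/etc/inc/allow-ssh.inc
@@ -5,6 +5,11 @@ include allow-ssh.local
 noblacklist ${HOME}/.ssh
 noblacklist /etc/ssh
 noblacklist /etc/ssh/ssh_config
-noblacklist /tmp/ssh-*
 noblacklist ${PATH}/ssh
-noblacklist /usr/lib/openssh/ssh-keysign
+noblacklist /tmp/ssh-*
+# Arch Linux and derivatives
+noblacklist /usr/lib/ssh
+# Debian/Ubuntu and derivatives
+noblacklist /usr/lib/openssh
+# Fedora and derivatives
+noblacklist /usr/libexec/openssh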
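diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 1a4de9b26..bdc5ff6b2 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -495,7 +495,9 @@ blacklist ${PATH}/xev
 blacklist ${PATH}/xinput
 # from 0.9.67
 blacklist ${PATH}/ssh
-blacklist /usr/lib/openssh/ssh-keysign
+blacklist /usr/lib/openssh
+blacklist /usr/lib/ssh
+blacklist /usr/libexec/openssh
 blacklist ${PATH}/passwd
 blacklist /usr/lib/xorg/Xorg.wrap
 blacklist /usr/lib/policykit-1/polkit-agent-helper-1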
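Review bot: The three new directory rules (`blacklist /usr/lib/openssh`, `blacklist /usr/lib/ssh`, `blacklist /usr/libexec/openssh`) sit under the `# from 0.9.67` comment with nothing saying which distribution each path belongs to, while the matching `noblacklist` lines in etc/inc/allow-ssh.inc carry per-distro comments. The rule now hides every helper in those directories rather than only `ssh-keysign`, so I would document that next to it, for example `# ssh helper directories (Arch: /usr/lib/ssh, Debian/Ubuntu: /usr/lib/openssh, Fedora: /usr/libexec/openssh); re-enabled by allow-ssh.inc`. Profiles that include this file without allow-ssh.inc lose access to everything under these paths, which is worth stating where the rule lives.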
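diff --git a/src/fids/main.c b/src/fids/main.c
index c899b55e1..8f9bc1ea0 100644
--- a/src/fids/main.c
+++ b/src/fids/main.c
@@ -210,22 +210,29 @@ static void process_config(const char *fname) {
  exit(1);
  }
 
- // make sure the file is owned by root
- struct stat s;
- if (stat(fname, &s)) {
+ fprintf(stderr, "Opening config file %s\n", fname);
+ int fd = open(fname, O_RDONLY|O_CLOEXEC);
+ if (fd < 0) {
  if (include_level == 1) {
- fprintf(stderr, "Error ids: config file not found\n");
+ fprintf(stderr, "Error ids: cannot open config file %s\n", fname);
  exit(1);
  }
  return;
  }
+
+ // make sure the file is owned by root
+ struct stat s;
+ if (fstat(fd, &s)) {
+ fprintf(stderr, "Error ids: cannot stat config file %s\n", fname);
+ exit(1);
+ }
  if (s.st_uid || s.st_gid) {
  fprintf(stderr, "Error ids: config file not owned by root\n");
  exit(1);
  }
 
- fprintf(stderr, "Loading %s config file\n", fname);
- FILE *fp = fopen(fname, "r");
+ fprintf(stderr, "Loading config file %s\n", fname);
+ FILE *fp = fdopen(fd, "r");
  if (!fp) {
  fprintf(stderr, "Error fids: cannot open config file %s\n", fname);
  exit(1);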
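Review bot: The ownership test that follows `fstat(fd, &s)` looks only at `st_uid` and `st_gid`, so a root:root file that is world-writable, or one that is not a regular file, is still accepted as the IDS configuration. Now that the check runs on the opened descriptor it is cheap to tighten, if only root is meant to be able to change this file: `if (!S_ISREG(s.st_mode) || s.st_uid || s.st_gid || (s.st_mode & S_IWOTH)) {`. Separately, the `fdopen` failure message still reads `Error fids:` while every other message in the hunk uses `Error ids:`. process_config starts before and continues past this hunk.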
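diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 0f4c1b18b..3ec5f9660 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -1,4 +1,4 @@
-# /usr/lib/firejail/firecfg.config - firecfg utility configuration file
+# /etc/firejail/firecfg.config - firecfg utility configuration file
 # This is the list of programs in alphabetical order handled by firecfg utility
 #
 0ad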
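diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index 363000e15..fafa0e635 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -171,17 +171,17 @@ static void set_file(const char *name, const char *firejail_exec) {
  free(fname);
 }
 
-// parse /usr/lib/firejail/firecfg.cfg file
+// parse /etc/firejail/firecfg.config file
 static void set_links_firecfg(void) {
  char *cfgfile;
- if (asprintf(&cfgfile, "%s/firejail/firecfg.config", LIBDIR) == -1)
+ if (asprintf(&cfgfile, "%s/firecfg.config", SYSCONFDIR) == -1)
  errExit("asprintf");
 
  char *firejail_exec;
  if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1)
  errExit("asprintf");
 
- // parse /usr/lib/firejail/firecfg.cfg file
+ // parse /etc/firejail/firecfg.config file
  FILE *fp = fopen(cfgfile, "r");
  if (!fp) {
  perror("fopen");
@@ -440,7 +440,7 @@ int main(int argc, char **argv) {
  // clear all symlinks
  clean();
 
- // set new symlinks based on /usr/lib/firejail/firecfg.cfg
+ // set new symlinks based on /etc/firejail/firecfg.config
  set_links_firecfg();
 
  if (getuid() == 0) {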
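diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index 2266fa499..bb5b29d79 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -45,10 +45,10 @@ int appimage_find_profile(const char *archive) {
  assert(archive);
  assert(strlen(archive));
 
- // try to match the name of the archive with the list of programs in /usr/lib/firejail/firecfg.config
- FILE *fp = fopen(LIBDIR "/firejail/firecfg.config", "r");
+ // try to match the name of the archive with the list of programs in /etc/firejail/firecfg.config
+ FILE *fp = fopen(SYSCONFDIR "/firecfg.config", "r");
  if (!fp) {
- fprintf(stderr, "Error: cannot find %s, firejail is not correctly installed\n", LIBDIR "/firejail/firecfg.config");
+ fprintf(stderr, "Error: cannot find %s, firejail is not correctly installed\n", SYSCONFDIR "/firecfg.config");
  exit(1);
  }
  char buf[MAXBUF];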
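diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 9c1b889ed..f62e6404e 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -94,16 +94,7 @@ static void disable_file(OPERATION op, const char *filename) {
  return;
  }
 
- // if the file is not present, do nothing
  assert(fname);
- struct stat s;
- if (stat(fname, &s) < 0) {
- if (arg_debug)
- printf("Warning (blacklisting): cannot access %s: %s\n", fname, strerror(errno));
- free(fname);
- return;
- }
-
  // check for firejail executable
  // we might have a file found in ${PATH} pointing to /usr/bin/firejail
  // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird
@@ -113,6 +104,24 @@ static void disable_file(OPERATION op, const char *filename) {
  return;
  }
 
+ // if the file is not present, do nothing
+ int fd = open(fname, O_PATH|O_CLOEXEC);
+ if (fd < 0) {
+ if (arg_debug)
+ printf("Warning (blacklisting): cannot open %s: %s\n", fname, strerror(errno));
+ free(fname);
+ return;
+ }
+
+ struct stat s;
+ if (fstat(fd, &s) < 0) {
+ if (arg_debug)
+ printf("Warning (blacklisting): cannot stat %s: %s\n", fname, strerror(errno));
+ free(fname);
+ close(fd);
+ return;
+ }
+
  // modify the file
  if (op == BLACKLIST_FILE || op == BLACKLIST_NOLOG) {
  // some distros put all executables under /usr/bin and make /bin a symbolic link
@@ -136,13 +145,6 @@ static void disable_file(OPERATION op, const char *filename) {
  printf(" - no logging\n");
  }
 
- int fd = open(fname, O_PATH|O_CLOEXEC);
- if (fd < 0) {
- if (arg_debug)
- printf("Warning (blacklisting): cannot open %s: %s\n", fname, strerror(errno));
- free(fname);
- return;
- }
  EUID_ROOT();
  if (S_ISDIR(s.st_mode)) {
  if (bind_mount_path_to_fd(RUN_RO_DIR, fd) < 0)
@@ -153,7 +155,6 @@ static void disable_file(OPERATION op, const char *filename) {
  errExit("disable file");
  }
  EUID_USER();
- close(fd);
 
  if (op == BLACKLIST_FILE)
  fs_logger2("blacklist", fname);
@@ -180,8 +181,7 @@ static void disable_file(OPERATION op, const char *filename) {
  else if (op == MOUNT_TMPFS) {
  if (!S_ISDIR(s.st_mode)) {
  fwarning("%s is not a directory; cannot mount a tmpfs on top of it.\n", fname);
- free(fname);
- return;
+ goto out;
  }
 
  uid_t uid = getuid();
@@ -191,8 +191,7 @@ static void disable_file(OPERATION op, const char *filename) {
  strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
  fname[strlen(cfg.homedir)] != '/') {
  fwarning("you are not allowed to mount a tmpfs on %s\n", fname);
- free(fname);
- return;
+ goto out;
  }
  }
 
@@ -202,6 +201,8 @@ static void disable_file(OPERATION op, const char *filename) {
  else
  assert(0);
 
+out:
+ close(fd);
  free(fname);
 }
 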
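Review bot: Only the blacklist branch visibly consumes the descriptor (`bind_mount_path_to_fd(RUN_RO_DIR, fd)`); the MOUNT_TMPFS branch tests `S_ISDIR(s.st_mode)` from the `fstat(fd, &s)` result, but its mount call lies outside these hunks, and if it still addresses the target by `fname` the type check and the mount can end up referring to different objects. I would state the invariant where the descriptor is opened, e.g. `// fd pins the object that was stat'ed; every mount below must go through fd, never fname`, and confirm the other branches follow it. The descriptor is now held until `out:`, so any `return` in the parts of disable_file not shown here would leak it and should become `goto out;`.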
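diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 3d9bf9082..e02be29f1 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -435,11 +435,11 @@ void seccomp_print_filter(pid_t pid) {
  if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_SECCOMP_LIST) == -1)
  errExit("asprintf");
 
- struct stat s;
- if (stat(fname, &s) == -1)
+ int fd = open(fname, O_RDONLY|O_CLOEXEC);
+ if (fd < 0)
  goto errexit;
 
- FILE *fp = fopen(fname, "re");
+ FILE *fp = fdopen(fd, "r");
  if (!fp)
  goto errexit;
  free(fname);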
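Review bot: When `fdopen(fd, "r")` fails, the `if (!fp) goto errexit;` path leaves `fd` open, which the previous `fopen` version could not do. Unless `errexit` (outside this hunk) ends the process, I would release it first: `if (!fp) { close(fd); goto errexit; }`. seccomp_print_filter starts before and continues past this hunk, so the label's behaviour needs checking there.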
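diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index 7e0a57f92..189e9cc8d 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -27,7 +27,7 @@ desktop managers are supported in this moment
 To set it up, run "sudo firecfg" after installing Firejail software.
 The same command should also be run after
 installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin
-will be created. For a full list of programs supported by default run "cat /usr/lib/firejail/firecfg.config".
+will be created. For a full list of programs supported by default run "cat /etc/firejail/firecfg.config".
 
 For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR.
 .SH DEFAULT ACTIONS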