diff options
34 files changed, 603 insertions, 35 deletions
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index e1d972d04..55ed5e71b 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml | |||
@@ -47,7 +47,7 @@ jobs: | |||
47 | 47 | ||
48 | # Initializes the CodeQL tools for scanning. | 48 | # Initializes the CodeQL tools for scanning. |
49 | - name: Initialize CodeQL | 49 | - name: Initialize CodeQL |
50 | uses: github/codeql-action/init@883476649888a9e8e219d5b2e6b789dc024f690c | 50 | uses: github/codeql-action/init@1ed1437484560351c5be56cf73a48a279d116b78 |
51 | with: | 51 | with: |
52 | languages: ${{ matrix.language }} | 52 | languages: ${{ matrix.language }} |
53 | # If you wish to specify custom queries, you can do so here or in a config file. | 53 | # If you wish to specify custom queries, you can do so here or in a config file. |
@@ -58,7 +58,7 @@ jobs: | |||
58 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). | 58 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). |
59 | # If this step fails, then you should remove it and run the build manually (see below) | 59 | # If this step fails, then you should remove it and run the build manually (see below) |
60 | - name: Autobuild | 60 | - name: Autobuild |
61 | uses: github/codeql-action/autobuild@883476649888a9e8e219d5b2e6b789dc024f690c | 61 | uses: github/codeql-action/autobuild@1ed1437484560351c5be56cf73a48a279d116b78 |
62 | 62 | ||
63 | # âšī¸ Command-line programs to run using the OS shell. | 63 | # âšī¸ Command-line programs to run using the OS shell. |
64 | # đ https://git.io/JvXDl | 64 | # đ https://git.io/JvXDl |
@@ -72,4 +72,4 @@ jobs: | |||
72 | # make release | 72 | # make release |
73 | 73 | ||
74 | - name: Perform CodeQL Analysis | 74 | - name: Perform CodeQL Analysis |
75 | uses: github/codeql-action/analyze@883476649888a9e8e219d5b2e6b789dc024f690c | 75 | uses: github/codeql-action/analyze@1ed1437484560351c5be56cf73a48a279d116b78 |
diff --git a/.gitignore b/.gitignore index 29e0b63d6..e172d1af3 100644 --- a/.gitignore +++ b/.gitignore | |||
@@ -24,6 +24,8 @@ firemon.1 | |||
24 | firecfg.1 | 24 | firecfg.1 |
25 | jailcheck.1 | 25 | jailcheck.1 |
26 | mkdeb.sh | 26 | mkdeb.sh |
27 | src/fnettrace-dns/fnettrace-dns | ||
28 | src/fnettrace-sni/fnettrace-sni | ||
27 | src/firejail/firejail | 29 | src/firejail/firejail |
28 | src/firemon/firemon | 30 | src/firemon/firemon |
29 | src/firecfg/firecfg | 31 | src/firecfg/firecfg |
diff --git a/Makefile.in b/Makefile.in index f38191880..9b1ecc4ad 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -29,7 +29,7 @@ APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profsta | |||
29 | SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee src/fids/fids | 29 | SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee src/fids/fids |
30 | SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter | 30 | SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter |
31 | SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp | 31 | SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp |
32 | SBOX_APPS_NON_DUMPABLE += src/fnettrace/fnettrace | 32 | SBOX_APPS_NON_DUMPABLE += src/fnettrace/fnettrace src/fnettrace-dns/fnettrace-dns src/fnettrace-sni/fnettrace-sni |
33 | MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS) | 33 | MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS) |
34 | MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so | 34 | MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so |
35 | COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion | 35 | COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion |
@@ -4288,7 +4288,7 @@ fi | |||
4288 | 4288 | ||
4289 | ac_config_files="$ac_config_files mkdeb.sh" | 4289 | ac_config_files="$ac_config_files mkdeb.sh" |
4290 | 4290 | ||
4291 | ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile src/jailcheck/Makefile src/fids/Makefile src/fnettrace/Makefile" | 4291 | ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile src/jailcheck/Makefile src/fids/Makefile src/fnettrace/Makefile src/fnettrace-dns/Makefile src/fnettrace-sni/Makefile" |
4292 | 4292 | ||
4293 | cat >confcache <<\_ACEOF | 4293 | cat >confcache <<\_ACEOF |
4294 | # This file is a shell script that caches the results of configure | 4294 | # This file is a shell script that caches the results of configure |
@@ -5024,6 +5024,8 @@ do | |||
5024 | "src/jailcheck/Makefile") CONFIG_FILES="$CONFIG_FILES src/jailcheck/Makefile" ;; | 5024 | "src/jailcheck/Makefile") CONFIG_FILES="$CONFIG_FILES src/jailcheck/Makefile" ;; |
5025 | "src/fids/Makefile") CONFIG_FILES="$CONFIG_FILES src/fids/Makefile" ;; | 5025 | "src/fids/Makefile") CONFIG_FILES="$CONFIG_FILES src/fids/Makefile" ;; |
5026 | "src/fnettrace/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnettrace/Makefile" ;; | 5026 | "src/fnettrace/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnettrace/Makefile" ;; |
5027 | "src/fnettrace-dns/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnettrace-dns/Makefile" ;; | ||
5028 | "src/fnettrace-sni/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnettrace-sni/Makefile" ;; | ||
5027 | 5029 | ||
5028 | *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; | 5030 | *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; |
5029 | esac | 5031 | esac |
diff --git a/configure.ac b/configure.ac index 4ca30e6d7..071dea228 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -280,7 +280,7 @@ AC_CONFIG_FILES([Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/ | |||
280 | src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \ | 280 | src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \ |
281 | src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \ | 281 | src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \ |
282 | src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile \ | 282 | src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile \ |
283 | src/jailcheck/Makefile src/fids/Makefile src/fnettrace/Makefile]) | 283 | src/jailcheck/Makefile src/fids/Makefile src/fnettrace/Makefile src/fnettrace-dns/Makefile src/fnettrace-sni/Makefile]) |
284 | AC_OUTPUT | 284 | AC_OUTPUT |
285 | 285 | ||
286 | cat <<EOF | 286 | cat <<EOF |
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 2a0fec3c5..93679b472 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
@@ -599,7 +599,14 @@ noblacklist /var/lib/flatpak/exports | |||
599 | blacklist /var/lib/flatpak/* | 599 | blacklist /var/lib/flatpak/* |
600 | 600 | ||
601 | # snap | 601 | # snap |
602 | blacklist ${HOME}/snap | ||
603 | blacklist ${PATH}/snap | ||
604 | blacklist ${PATH}/snapctl | ||
602 | blacklist ${RUNUSER}/snapd-session-agent.socket | 605 | blacklist ${RUNUSER}/snapd-session-agent.socket |
606 | blacklist /snap | ||
607 | blacklist /usr/lib/snapd | ||
608 | blacklist /var/lib/snapd | ||
609 | blacklist /var/snap | ||
603 | 610 | ||
604 | # mail directories used by mutt | 611 | # mail directories used by mutt |
605 | blacklist ${HOME}/.Mail | 612 | blacklist ${HOME}/.Mail |
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 558ae2446..e2e550368 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
@@ -815,6 +815,7 @@ blacklist ${HOME}/.local/share/Empathy | |||
815 | blacklist ${HOME}/.local/share/Enpass | 815 | blacklist ${HOME}/.local/share/Enpass |
816 | blacklist ${HOME}/.local/share/FasterThanLight | 816 | blacklist ${HOME}/.local/share/FasterThanLight |
817 | blacklist ${HOME}/.local/share/Flavio Tordini | 817 | blacklist ${HOME}/.local/share/Flavio Tordini |
818 | blacklist ${HOME}/.local/share/HotlineMiami | ||
818 | blacklist ${HOME}/.local/share/IntoTheBreach | 819 | blacklist ${HOME}/.local/share/IntoTheBreach |
819 | blacklist ${HOME}/.local/share/JetBrains | 820 | blacklist ${HOME}/.local/share/JetBrains |
820 | blacklist ${HOME}/.local/share/KDE/neochat | 821 | blacklist ${HOME}/.local/share/KDE/neochat |
diff --git a/etc/profile-a-l/bnox.profile b/etc/profile-a-l/bnox.profile index 8729d8d40..c76f5d90e 100644 --- a/etc/profile-a-l/bnox.profile +++ b/etc/profile-a-l/bnox.profile | |||
@@ -6,6 +6,8 @@ include bnox.local | |||
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 | 8 | # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 |
9 | ignore whitelist /usr/share/mozilla/extensions | ||
10 | ignore whitelist /usr/share/webext | ||
9 | ignore include whitelist-runuser-common.inc | 11 | ignore include whitelist-runuser-common.inc |
10 | ignore include whitelist-usr-share-common.inc | 12 | ignore include whitelist-usr-share-common.inc |
11 | 13 | ||
diff --git a/etc/profile-a-l/dnox.profile b/etc/profile-a-l/dnox.profile index 2169c8552..612bd0527 100644 --- a/etc/profile-a-l/dnox.profile +++ b/etc/profile-a-l/dnox.profile | |||
@@ -6,6 +6,8 @@ include dnox.local | |||
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 | 8 | # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 |
9 | ignore whitelist /usr/share/mozilla/extensions | ||
10 | ignore whitelist /usr/share/webext | ||
9 | ignore include whitelist-runuser-common.inc | 11 | ignore include whitelist-runuser-common.inc |
10 | ignore include whitelist-usr-share-common.inc | 12 | ignore include whitelist-usr-share-common.inc |
11 | 13 | ||
diff --git a/etc/profile-a-l/dnsmasq.profile b/etc/profile-a-l/dnsmasq.profile index 2db1548a4..13efd2fa8 100644 --- a/etc/profile-a-l/dnsmasq.profile +++ b/etc/profile-a-l/dnsmasq.profile | |||
@@ -9,9 +9,10 @@ include globals.local | |||
9 | 9 | ||
10 | noblacklist /sbin | 10 | noblacklist /sbin |
11 | noblacklist /usr/sbin | 11 | noblacklist /usr/sbin |
12 | noblacklist /var/lib/libvirt | ||
12 | 13 | ||
13 | blacklist /tmp/.X11-unix | 14 | blacklist /tmp/.X11-unix |
14 | blacklist ${RUNUSER}/wayland-* | 15 | blacklist ${RUNUSER} |
15 | 16 | ||
16 | include disable-common.inc | 17 | include disable-common.inc |
17 | include disable-devel.inc | 18 | include disable-devel.inc |
@@ -19,6 +20,9 @@ include disable-interpreters.inc | |||
19 | include disable-programs.inc | 20 | include disable-programs.inc |
20 | include disable-xdg.inc | 21 | include disable-xdg.inc |
21 | 22 | ||
23 | whitelist /var/lib/libvirt/dnsmasq | ||
24 | whitelist /var/run | ||
25 | |||
22 | caps.keep net_admin,net_bind_service,net_raw,setgid,setuid | 26 | caps.keep net_admin,net_bind_service,net_raw,setgid,setuid |
23 | no3d | 27 | no3d |
24 | nodvd | 28 | nodvd |
@@ -33,5 +37,6 @@ seccomp | |||
33 | 37 | ||
34 | disable-mnt | 38 | disable-mnt |
35 | private | 39 | private |
36 | private-cache | ||
37 | private-dev | 40 | private-dev |
41 | private-tmp | ||
42 | writable-var | ||
diff --git a/etc/profile-a-l/enox.profile b/etc/profile-a-l/enox.profile index ef766c654..0199fcf34 100644 --- a/etc/profile-a-l/enox.profile +++ b/etc/profile-a-l/enox.profile | |||
@@ -6,6 +6,8 @@ include enox.local | |||
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 | 8 | # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 |
9 | ignore whitelist /usr/share/mozilla/extensions | ||
10 | ignore whitelist /usr/share/webext | ||
9 | ignore include whitelist-runuser-common.inc | 11 | ignore include whitelist-runuser-common.inc |
10 | ignore include whitelist-usr-share-common.inc | 12 | ignore include whitelist-usr-share-common.inc |
11 | 13 | ||
diff --git a/etc/profile-a-l/flashpeak-slimjet.profile b/etc/profile-a-l/flashpeak-slimjet.profile index 317a20bb7..90683675c 100644 --- a/etc/profile-a-l/flashpeak-slimjet.profile +++ b/etc/profile-a-l/flashpeak-slimjet.profile | |||
@@ -6,6 +6,8 @@ include flashpeak-slimjet.local | |||
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 | 8 | # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 |
9 | ignore whitelist /usr/share/mozilla/extensions | ||
10 | ignore whitelist /usr/share/webext | ||
9 | ignore include whitelist-runuser-common.inc | 11 | ignore include whitelist-runuser-common.inc |
10 | ignore include whitelist-usr-share-common.inc | 12 | ignore include whitelist-usr-share-common.inc |
11 | 13 | ||
diff --git a/etc/profile-a-l/google-chrome-beta.profile b/etc/profile-a-l/google-chrome-beta.profile index fed227b06..72766085a 100644 --- a/etc/profile-a-l/google-chrome-beta.profile +++ b/etc/profile-a-l/google-chrome-beta.profile | |||
@@ -6,6 +6,8 @@ include google-chrome-beta.local | |||
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 | 8 | # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 |
9 | ignore whitelist /usr/share/mozilla/extensions | ||
10 | ignore whitelist /usr/share/webext | ||
9 | ignore include whitelist-runuser-common.inc | 11 | ignore include whitelist-runuser-common.inc |
10 | ignore include whitelist-usr-share-common.inc | 12 | ignore include whitelist-usr-share-common.inc |
11 | 13 | ||
diff --git a/etc/profile-a-l/google-chrome-unstable.profile b/etc/profile-a-l/google-chrome-unstable.profile index 91962c62a..b8ded94d3 100644 --- a/etc/profile-a-l/google-chrome-unstable.profile +++ b/etc/profile-a-l/google-chrome-unstable.profile | |||
@@ -6,6 +6,8 @@ include google-chrome-unstable.local | |||
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 | 8 | # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 |
9 | ignore whitelist /usr/share/mozilla/extensions | ||
10 | ignore whitelist /usr/share/webext | ||
9 | ignore include whitelist-runuser-common.inc | 11 | ignore include whitelist-runuser-common.inc |
10 | ignore include whitelist-usr-share-common.inc | 12 | ignore include whitelist-usr-share-common.inc |
11 | 13 | ||
diff --git a/etc/profile-a-l/google-chrome.profile b/etc/profile-a-l/google-chrome.profile index 7a4cb5fc9..6de1405ee 100644 --- a/etc/profile-a-l/google-chrome.profile +++ b/etc/profile-a-l/google-chrome.profile | |||
@@ -6,6 +6,8 @@ include google-chrome.local | |||
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 | 8 | # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 |
9 | ignore whitelist /usr/share/mozilla/extensions | ||
10 | ignore whitelist /usr/share/webext | ||
9 | ignore include whitelist-runuser-common.inc | 11 | ignore include whitelist-runuser-common.inc |
10 | ignore include whitelist-usr-share-common.inc | 12 | ignore include whitelist-usr-share-common.inc |
11 | 13 | ||
diff --git a/etc/profile-a-l/inox.profile b/etc/profile-a-l/inox.profile index a5cac12f2..5f0ea7c74 100644 --- a/etc/profile-a-l/inox.profile +++ b/etc/profile-a-l/inox.profile | |||
@@ -6,7 +6,8 @@ include inox.local | |||
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 | 8 | # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 |
9 | ignore whitelist /usr/share/chromium | 9 | ignore whitelist /usr/share/mozilla/extensions |
10 | ignore whitelist /usr/share/webext | ||
10 | ignore include whitelist-runuser-common.inc | 11 | ignore include whitelist-runuser-common.inc |
11 | ignore include whitelist-usr-share-common.inc | 12 | ignore include whitelist-usr-share-common.inc |
12 | 13 | ||
diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile index 9e40796a6..fd7ffb38d 100644 --- a/etc/profile-m-z/server.profile +++ b/etc/profile-m-z/server.profile | |||
@@ -33,6 +33,7 @@ include globals.local | |||
33 | 33 | ||
34 | noblacklist /sbin | 34 | noblacklist /sbin |
35 | noblacklist /usr/sbin | 35 | noblacklist /usr/sbin |
36 | noblacklist /etc/init.d | ||
36 | # noblacklist /var/opt | 37 | # noblacklist /var/opt |
37 | 38 | ||
38 | blacklist /tmp/.X11-unix | 39 | blacklist /tmp/.X11-unix |
@@ -50,7 +51,9 @@ include disable-xdg.inc | |||
50 | # include whitelist-usr-share-common.inc | 51 | # include whitelist-usr-share-common.inc |
51 | # include whitelist-var-common.inc | 52 | # include whitelist-var-common.inc |
52 | 53 | ||
53 | apparmor | 54 | # people use to install servers all over the place! |
55 | # apparmor runs executable only from default system locations | ||
56 | # apparmor | ||
54 | caps | 57 | caps |
55 | # ipc-namespace | 58 | # ipc-namespace |
56 | machine-id | 59 | machine-id |
@@ -59,15 +62,16 @@ no3d | |||
59 | nodvd | 62 | nodvd |
60 | # nogroups | 63 | # nogroups |
61 | noinput | 64 | noinput |
62 | # nonewprivs | 65 | nonewprivs |
63 | # noroot | 66 | # noroot |
64 | nosound | 67 | nosound |
65 | notv | 68 | notv |
66 | nou2f | 69 | nou2f |
67 | novideo | 70 | novideo |
68 | # protocol unix,inet,inet6,netlink | 71 | protocol unix,inet,inet6,netlink,packet |
69 | seccomp | 72 | seccomp |
70 | # shell none | 73 | # shell none |
74 | tab # allow tab completion | ||
71 | 75 | ||
72 | disable-mnt | 76 | disable-mnt |
73 | private | 77 | private |
diff --git a/etc/profile-m-z/snox.profile b/etc/profile-m-z/snox.profile index 9d3ed8c1a..ce2b715bb 100644 --- a/etc/profile-m-z/snox.profile +++ b/etc/profile-m-z/snox.profile | |||
@@ -6,6 +6,8 @@ include snox.local | |||
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 | 8 | # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 |
9 | ignore whitelist /usr/share/mozilla/extensions | ||
10 | ignore whitelist /usr/share/webext | ||
9 | ignore include whitelist-runuser-common.inc | 11 | ignore include whitelist-runuser-common.inc |
10 | ignore include whitelist-usr-share-common.inc | 12 | ignore include whitelist-usr-share-common.inc |
11 | 13 | ||
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile index 4137839f8..d6bc226a4 100644 --- a/etc/profile-m-z/steam.profile +++ b/etc/profile-m-z/steam.profile | |||
@@ -21,6 +21,7 @@ noblacklist ${HOME}/.local/share/cdprojektred | |||
21 | noblacklist ${HOME}/.local/share/Dredmor | 21 | noblacklist ${HOME}/.local/share/Dredmor |
22 | noblacklist ${HOME}/.local/share/FasterThanLight | 22 | noblacklist ${HOME}/.local/share/FasterThanLight |
23 | noblacklist ${HOME}/.local/share/feral-interactive | 23 | noblacklist ${HOME}/.local/share/feral-interactive |
24 | noblacklist ${HOME}/.local/share/HotlineMiami | ||
24 | noblacklist ${HOME}/.local/share/IntoTheBreach | 25 | noblacklist ${HOME}/.local/share/IntoTheBreach |
25 | noblacklist ${HOME}/.local/share/Paradox Interactive | 26 | noblacklist ${HOME}/.local/share/Paradox Interactive |
26 | noblacklist ${HOME}/.local/share/PillarsOfEternity | 27 | noblacklist ${HOME}/.local/share/PillarsOfEternity |
@@ -70,6 +71,7 @@ mkdir ${HOME}/.local/share/cdprojektred | |||
70 | mkdir ${HOME}/.local/share/Dredmor | 71 | mkdir ${HOME}/.local/share/Dredmor |
71 | mkdir ${HOME}/.local/share/FasterThanLight | 72 | mkdir ${HOME}/.local/share/FasterThanLight |
72 | mkdir ${HOME}/.local/share/feral-interactive | 73 | mkdir ${HOME}/.local/share/feral-interactive |
74 | mkdir ${HOME}/.local/share/HotlineMiami | ||
73 | mkdir ${HOME}/.local/share/IntoTheBreach | 75 | mkdir ${HOME}/.local/share/IntoTheBreach |
74 | mkdir ${HOME}/.local/share/Paradox Interactive | 76 | mkdir ${HOME}/.local/share/Paradox Interactive |
75 | mkdir ${HOME}/.local/share/PillarsOfEternity | 77 | mkdir ${HOME}/.local/share/PillarsOfEternity |
@@ -103,6 +105,7 @@ whitelist ${HOME}/.local/share/cdprojektred | |||
103 | whitelist ${HOME}/.local/share/Dredmor | 105 | whitelist ${HOME}/.local/share/Dredmor |
104 | whitelist ${HOME}/.local/share/FasterThanLight | 106 | whitelist ${HOME}/.local/share/FasterThanLight |
105 | whitelist ${HOME}/.local/share/feral-interactive | 107 | whitelist ${HOME}/.local/share/feral-interactive |
108 | whitelist ${HOME}/.local/share/HotlineMiami | ||
106 | whitelist ${HOME}/.local/share/IntoTheBreach | 109 | whitelist ${HOME}/.local/share/IntoTheBreach |
107 | whitelist ${HOME}/.local/share/Paradox Interactive | 110 | whitelist ${HOME}/.local/share/Paradox Interactive |
108 | whitelist ${HOME}/.local/share/PillarsOfEternity | 111 | whitelist ${HOME}/.local/share/PillarsOfEternity |
diff --git a/etc/profile-m-z/unbound.profile b/etc/profile-m-z/unbound.profile index e8424cd7d..ef43ee822 100644 --- a/etc/profile-m-z/unbound.profile +++ b/etc/profile-m-z/unbound.profile | |||
@@ -10,7 +10,7 @@ noblacklist /sbin | |||
10 | noblacklist /usr/sbin | 10 | noblacklist /usr/sbin |
11 | 11 | ||
12 | blacklist /tmp/.X11-unix | 12 | blacklist /tmp/.X11-unix |
13 | blacklist ${RUNUSER}/wayland-* | 13 | blacklist ${RUNUSER} |
14 | 14 | ||
15 | include disable-common.inc | 15 | include disable-common.inc |
16 | include disable-devel.inc | 16 | include disable-devel.inc |
@@ -19,8 +19,11 @@ include disable-interpreters.inc | |||
19 | include disable-programs.inc | 19 | include disable-programs.inc |
20 | include disable-xdg.inc | 20 | include disable-xdg.inc |
21 | 21 | ||
22 | whitelist /usr/share/dns | ||
22 | include whitelist-usr-share-common.inc | 23 | include whitelist-usr-share-common.inc |
23 | 24 | ||
25 | whitelist /var/lib/ca-certificates | ||
26 | read-only /var/lib/ca-certificates | ||
24 | whitelist /var/lib/unbound | 27 | whitelist /var/lib/unbound |
25 | whitelist /var/run | 28 | whitelist /var/run |
26 | 29 | ||
@@ -48,5 +51,4 @@ writable-var | |||
48 | dbus-user none | 51 | dbus-user none |
49 | dbus-system none | 52 | dbus-system none |
50 | 53 | ||
51 | # mdwe can break modules/plugins | ||
52 | memory-deny-write-execute | 54 | memory-deny-write-execute |
diff --git a/etc/profile-m-z/vlc.profile b/etc/profile-m-z/vlc.profile index 68db032aa..4a43ed196 100644 --- a/etc/profile-m-z/vlc.profile +++ b/etc/profile-m-z/vlc.profile | |||
@@ -27,9 +27,11 @@ whitelist ${HOME}/.config/aacs | |||
27 | whitelist ${HOME}/.local/share/vlc | 27 | whitelist ${HOME}/.local/share/vlc |
28 | include whitelist-common.inc | 28 | include whitelist-common.inc |
29 | include whitelist-player-common.inc | 29 | include whitelist-player-common.inc |
30 | include whitelist-run-common.inc | ||
31 | include whitelist-runuser-common.inc | ||
30 | include whitelist-var-common.inc | 32 | include whitelist-var-common.inc |
31 | 33 | ||
32 | #apparmor - on Ubuntu 18.04 it refuses to start without dbus access | 34 | apparmor |
33 | caps.drop all | 35 | caps.drop all |
34 | netfilter | 36 | netfilter |
35 | nogroups | 37 | nogroups |
@@ -45,9 +47,10 @@ private-bin cvlc,nvlc,qvlc,rvlc,svlc,vlc | |||
45 | private-dev | 47 | private-dev |
46 | private-tmp | 48 | private-tmp |
47 | 49 | ||
48 | # dbus needed for MPRIS | 50 | dbus-user filter |
49 | # dbus-user none | 51 | dbus-user.own org.mpris.MediaPlayer2.vlc |
50 | # dbus-system none | 52 | dbus-user.talk org.freedesktop.Notifications |
51 | 53 | dbus-user.talk org.freedesktop.ScreenSaver | |
52 | # mdwe is disabled due to breaking hardware accelerated decoding | 54 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher |
53 | #memory-deny-write-execute | 55 | dbus-user.talk org.mpris.MediaPlayer2.Player |
56 | dbus-system none | ||
diff --git a/etc/profile-m-z/yandex-browser.profile b/etc/profile-m-z/yandex-browser.profile index 3ae6b1cf0..ca2018903 100644 --- a/etc/profile-m-z/yandex-browser.profile +++ b/etc/profile-m-z/yandex-browser.profile | |||
@@ -6,6 +6,8 @@ include yandex-browser.local | |||
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 | 8 | # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 |
9 | ignore whitelist /usr/share/mozilla/extensions | ||
10 | ignore whitelist /usr/share/webext | ||
9 | ignore include whitelist-runuser-common.inc | 11 | ignore include whitelist-runuser-common.inc |
10 | ignore include whitelist-usr-share-common.inc | 12 | ignore include whitelist-usr-share-common.inc |
11 | 13 | ||
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index aefb75c2c..28339765f 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
@@ -106,7 +106,7 @@ include globals.local | |||
106 | #blacklist ${RUNUSER}/wayland-* | 106 | #blacklist ${RUNUSER}/wayland-* |
107 | # Disable RUNUSER (cli only; supersedes Disable Wayland) | 107 | # Disable RUNUSER (cli only; supersedes Disable Wayland) |
108 | #blacklist ${RUNUSER} | 108 | #blacklist ${RUNUSER} |
109 | # Remove the next blacklist if you system has no /usr/libexec dir, | 109 | # Remove the next blacklist if your system has no /usr/libexec dir, |
110 | # otherwise try to add it. | 110 | # otherwise try to add it. |
111 | #blacklist /usr/libexec | 111 | #blacklist /usr/libexec |
112 | 112 | ||
diff --git a/src/firejail/main.c b/src/firejail/main.c index 4b01ea0a5..fd96f8bb5 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -2874,6 +2874,17 @@ int main(int argc, char **argv, char **envp) { | |||
2874 | } | 2874 | } |
2875 | } | 2875 | } |
2876 | 2876 | ||
2877 | // check writable_etc and DNS/DHCP | ||
2878 | if (arg_writable_etc) { | ||
2879 | if (cfg.dns1 != NULL || any_dhcp()) { | ||
2880 | // we could end up overwriting the real /etc/resolv.conf, so we better exit now! | ||
2881 | fprintf(stderr, "Error: --dns/--ip=dhcp and --writable-etc are mutually exclusive\n"); | ||
2882 | exit(1); | ||
2883 | } | ||
2884 | } | ||
2885 | |||
2886 | |||
2887 | |||
2877 | // enable seccomp if only seccomp.block-secondary was specified | 2888 | // enable seccomp if only seccomp.block-secondary was specified |
2878 | if (arg_seccomp_block_secondary) | 2889 | if (arg_seccomp_block_secondary) |
2879 | arg_seccomp = 1; | 2890 | arg_seccomp = 1; |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 96407d081..635137feb 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -1077,9 +1077,10 @@ int sandbox(void* sandbox_arg) { | |||
1077 | fs_dev_disable_input(); | 1077 | fs_dev_disable_input(); |
1078 | 1078 | ||
1079 | //**************************** | 1079 | //**************************** |
1080 | // set dns | 1080 | // rebuild etc directory, set dns |
1081 | //**************************** | 1081 | //**************************** |
1082 | fs_rebuild_etc(); | 1082 | if (!arg_writable_etc) |
1083 | fs_rebuild_etc(); | ||
1083 | 1084 | ||
1084 | //**************************** | 1085 | //**************************** |
1085 | // start dhcp client | 1086 | // start dhcp client |
diff --git a/src/fnettrace-dns/Makefile.in b/src/fnettrace-dns/Makefile.in new file mode 100644 index 000000000..6c11e5bc8 --- /dev/null +++ b/src/fnettrace-dns/Makefile.in | |||
@@ -0,0 +1,17 @@ | |||
1 | .PHONY: all | ||
2 | all: fnettrace-dns | ||
3 | |||
4 | include ../common.mk | ||
5 | |||
6 | %.o : %.c $(H_FILE_LIST) | ||
7 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | ||
8 | |||
9 | fnettrace-dns: $(OBJS) | ||
10 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) | ||
11 | |||
12 | .PHONY: clean | ||
13 | clean:; rm -fr *.o fnettrace-dns *.gcov *.gcda *.gcno *.plist | ||
14 | |||
15 | .PHONY: distclean | ||
16 | distclean: clean | ||
17 | rm -fr Makefile | ||
diff --git a/src/fnettrace-dns/fnettrace_dns.h b/src/fnettrace-dns/fnettrace_dns.h new file mode 100644 index 000000000..db2e1a668 --- /dev/null +++ b/src/fnettrace-dns/fnettrace_dns.h | |||
@@ -0,0 +1,34 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2022 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #ifndef FNETTRACE_DNS_H | ||
21 | #define FNETTRACE_DNS_H | ||
22 | |||
23 | #include "../include/common.h" | ||
24 | #include <unistd.h> | ||
25 | #include <sys/stat.h> | ||
26 | #include <sys/types.h> | ||
27 | #include <sys/socket.h> | ||
28 | #include <netinet/in.h> | ||
29 | #include <time.h> | ||
30 | #include <stdarg.h> | ||
31 | #include <fcntl.h> | ||
32 | #include <sys/mman.h> | ||
33 | |||
34 | #endif \ No newline at end of file | ||
diff --git a/src/fnettrace-dns/main.c b/src/fnettrace-dns/main.c new file mode 100644 index 000000000..0281b5157 --- /dev/null +++ b/src/fnettrace-dns/main.c | |||
@@ -0,0 +1,162 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2022 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "fnettrace_dns.h" | ||
21 | #include <sys/ioctl.h> | ||
22 | #include <time.h> | ||
23 | #include <linux/filter.h> | ||
24 | #include <linux/if_ether.h> | ||
25 | #define MAX_BUF_SIZE (64 * 1024) | ||
26 | |||
27 | // pkt - start of DNS layer | ||
28 | void print_dns(uint32_t ip_src, unsigned char *pkt) { | ||
29 | assert(pkt); | ||
30 | |||
31 | char ip[30]; | ||
32 | sprintf(ip, "%d.%d.%d.%d", PRINT_IP(ip_src)); | ||
33 | time_t seconds = time(NULL); | ||
34 | struct tm *t = localtime(&seconds); | ||
35 | |||
36 | // expecting a single question count | ||
37 | if (pkt[4] != 0 || pkt[5] != 1) | ||
38 | goto errout; | ||
39 | |||
40 | // check cname | ||
41 | unsigned char *ptr = pkt + 12; | ||
42 | int len = 0; | ||
43 | while (*ptr != 0 && len < 255) { // 255 is the maximum length of a domain name including multiple '.' | ||
44 | if (*ptr > 63) // the name left of a '.' is 63 length maximum | ||
45 | goto errout; | ||
46 | |||
47 | int delta = *ptr + 1; | ||
48 | *ptr = '.'; | ||
49 | len += delta;; | ||
50 | ptr += delta; | ||
51 | } | ||
52 | |||
53 | printf("%02d:%02d:%02d %15s %s\n", t->tm_hour, t->tm_min, t->tm_sec, ip, pkt + 12 + 1); | ||
54 | return; | ||
55 | |||
56 | errout: | ||
57 | printf("%02d:%02d:%02d %15s Error: invalid DNS packet\n", t->tm_hour, t->tm_min, t->tm_sec, ip); | ||
58 | } | ||
59 | |||
60 | // https://www.kernel.org/doc/html/latest/networking/filter.html | ||
61 | static void custom_bpf(int sock) { | ||
62 | struct sock_filter code[] = { | ||
63 | // sudo tcpdump ip and udp and src port 53 -dd | ||
64 | { 0x28, 0, 0, 0x0000000c }, | ||
65 | { 0x15, 0, 8, 0x00000800 }, | ||
66 | { 0x30, 0, 0, 0x00000017 }, | ||
67 | { 0x15, 0, 6, 0x00000011 }, | ||
68 | { 0x28, 0, 0, 0x00000014 }, | ||
69 | { 0x45, 4, 0, 0x00001fff }, | ||
70 | { 0xb1, 0, 0, 0x0000000e }, | ||
71 | { 0x48, 0, 0, 0x0000000e }, | ||
72 | { 0x15, 0, 1, 0x00000035 }, | ||
73 | { 0x6, 0, 0, 0x00040000 }, | ||
74 | { 0x6, 0, 0, 0x00000000 }, | ||
75 | }; | ||
76 | |||
77 | struct sock_fprog bpf = { | ||
78 | .len = (unsigned short) sizeof(code) / sizeof(code[0]), | ||
79 | .filter = code, | ||
80 | }; | ||
81 | |||
82 | int rv = setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &bpf, sizeof(bpf)); | ||
83 | if (rv < 0) { | ||
84 | fprintf(stderr, "Error: cannot attach BPF filter\n"); | ||
85 | exit(1); | ||
86 | } | ||
87 | } | ||
88 | |||
89 | static void run_trace(void) { | ||
90 | // grab all Ethernet packets and use a custom BPF filter to get only UDP from source port 53 | ||
91 | int s = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); | ||
92 | if (s < 0) | ||
93 | errExit("socket"); | ||
94 | custom_bpf(s); | ||
95 | |||
96 | unsigned char buf[MAX_BUF_SIZE]; | ||
97 | while (1) { | ||
98 | fd_set rfds; | ||
99 | FD_ZERO(&rfds); | ||
100 | FD_SET(s, &rfds); | ||
101 | struct timeval tv; | ||
102 | tv.tv_sec = 1; | ||
103 | tv.tv_usec = 0; | ||
104 | int rv = select(s + 1, &rfds, NULL, NULL, &tv); | ||
105 | if (rv < 0) | ||
106 | errExit("select"); | ||
107 | else if (rv == 0) | ||
108 | continue; | ||
109 | unsigned bytes = recvfrom(s, buf, MAX_BUF_SIZE, 0, NULL, NULL); | ||
110 | |||
111 | if (bytes >= (14 + 20 + 8)) { // size of MAC + IP + UDP headers | ||
112 | uint8_t ip_hlen = (buf[14] & 0x0f) * 4; | ||
113 | uint16_t port_src; | ||
114 | memcpy(&port_src, buf + 14 + ip_hlen, 2); | ||
115 | port_src = ntohs(port_src); | ||
116 | uint8_t protocol = buf[14 + 9]; | ||
117 | uint32_t ip_src; | ||
118 | memcpy(&ip_src, buf + 14 + 12, 4); | ||
119 | ip_src = ntohl(ip_src); | ||
120 | |||
121 | // if DNS packet, extract the query | ||
122 | if (port_src == 53 && protocol == 0x11) // UDP protocol | ||
123 | print_dns(ip_src, buf + 14 + ip_hlen + 8); // IP and UDP header len | ||
124 | } | ||
125 | } | ||
126 | |||
127 | close(s); | ||
128 | } | ||
129 | |||
130 | |||
131 | static void usage(void) { | ||
132 | printf("Usage: fnettrace-dns [OPTIONS]\n"); | ||
133 | printf("Options:\n"); | ||
134 | printf(" --help, -? - this help screen\n"); | ||
135 | printf("\n"); | ||
136 | } | ||
137 | |||
138 | int main(int argc, char **argv) { | ||
139 | int i; | ||
140 | |||
141 | for (i = 1; i < argc; i++) { | ||
142 | if (strcmp(argv[i], "--help") == 0 || strcmp(argv[i], "-?") == 0) { | ||
143 | usage(); | ||
144 | return 0; | ||
145 | } | ||
146 | else { | ||
147 | fprintf(stderr, "Error: invalid argument\n"); | ||
148 | return 1; | ||
149 | } | ||
150 | } | ||
151 | |||
152 | if (getuid() != 0) { | ||
153 | fprintf(stderr, "Error: you need to be root to run this program\n"); | ||
154 | return 1; | ||
155 | } | ||
156 | |||
157 | time_t now = time(NULL); | ||
158 | printf("DNS trace for %s\n", ctime(&now)); | ||
159 | run_trace(); | ||
160 | |||
161 | return 0; | ||
162 | } | ||
diff --git a/src/fnettrace-sni/Makefile.in b/src/fnettrace-sni/Makefile.in new file mode 100644 index 000000000..9fe954874 --- /dev/null +++ b/src/fnettrace-sni/Makefile.in | |||
@@ -0,0 +1,17 @@ | |||
1 | .PHONY: all | ||
2 | all: fnettrace-sni | ||
3 | |||
4 | include ../common.mk | ||
5 | |||
6 | %.o : %.c $(H_FILE_LIST) | ||
7 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | ||
8 | |||
9 | fnettrace-sni: $(OBJS) | ||
10 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) | ||
11 | |||
12 | .PHONY: clean | ||
13 | clean:; rm -fr *.o fnettrace-sni *.gcov *.gcda *.gcno *.plist | ||
14 | |||
15 | .PHONY: distclean | ||
16 | distclean: clean | ||
17 | rm -fr Makefile | ||
diff --git a/src/fnettrace-sni/fnettrace_sni.h b/src/fnettrace-sni/fnettrace_sni.h new file mode 100644 index 000000000..790a3ce7f --- /dev/null +++ b/src/fnettrace-sni/fnettrace_sni.h | |||
@@ -0,0 +1,34 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2022 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #ifndef FNETTRACE_SNI_H | ||
21 | #define FNETTRACE_SNI_H | ||
22 | |||
23 | #include "../include/common.h" | ||
24 | #include <unistd.h> | ||
25 | #include <sys/stat.h> | ||
26 | #include <sys/types.h> | ||
27 | #include <sys/socket.h> | ||
28 | #include <netinet/in.h> | ||
29 | #include <time.h> | ||
30 | #include <stdarg.h> | ||
31 | #include <fcntl.h> | ||
32 | #include <sys/mman.h> | ||
33 | |||
34 | #endif \ No newline at end of file | ||
diff --git a/src/fnettrace-sni/main.c b/src/fnettrace-sni/main.c new file mode 100644 index 000000000..ea7a91548 --- /dev/null +++ b/src/fnettrace-sni/main.c | |||
@@ -0,0 +1,207 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2022 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "fnettrace_sni.h" | ||
21 | #include <sys/ioctl.h> | ||
22 | #include <time.h> | ||
23 | #include <linux/filter.h> | ||
24 | #include <linux/if_ether.h> | ||
25 | #define MAX_BUF_SIZE (64 * 1024) | ||
26 | |||
27 | // pkt - start of TLS layer | ||
28 | static void print_tls(uint32_t ip_dest, unsigned char *pkt, unsigned len) { | ||
29 | assert(pkt); | ||
30 | |||
31 | char ip[30]; | ||
32 | sprintf(ip, "%d.%d.%d.%d", PRINT_IP(ip_dest)); | ||
33 | time_t seconds = time(NULL); | ||
34 | struct tm *t = localtime(&seconds); | ||
35 | |||
36 | // expecting a handshake packet and client hello | ||
37 | if (pkt[0] != 0x16 || pkt[5] != 0x01) | ||
38 | goto errout; | ||
39 | |||
40 | |||
41 | // look for server name indication | ||
42 | unsigned char *ptr = pkt; | ||
43 | unsigned int i = 0; | ||
44 | char *name = NULL; | ||
45 | while (i < (len - 20)) { | ||
46 | // 3 zeros and 3 matching length fields | ||
47 | if (*ptr == 0 && *(ptr + 1) == 0 && (*(ptr + 2) == 0 || *(ptr + 2) == 1) && *(ptr + 6) == 0) { | ||
48 | uint16_t len1; | ||
49 | memcpy(&len1, ptr + 2, 2); | ||
50 | len1 = ntohs(len1); | ||
51 | |||
52 | uint16_t len2; | ||
53 | memcpy(&len2, ptr + 4, 2); | ||
54 | len2 = ntohs(len2); | ||
55 | |||
56 | uint16_t len3; | ||
57 | memcpy(&len3, ptr + 7, 2); | ||
58 | len3 = ntohs(len3); | ||
59 | |||
60 | if (len1 == (len2 + 2) && len1 == (len3 + 5)) { | ||
61 | *(ptr + 9 + len3) = 0; | ||
62 | name = (char *) (ptr + 9); | ||
63 | break; | ||
64 | } | ||
65 | } | ||
66 | ptr++; | ||
67 | i++; | ||
68 | } | ||
69 | |||
70 | if (name) | ||
71 | printf("%02d:%02d:%02d %15s %s\n", t->tm_hour, t->tm_min, t->tm_sec, ip, name); | ||
72 | else | ||
73 | goto nosni; | ||
74 | return; | ||
75 | |||
76 | errout: | ||
77 | printf("%02d:%02d:%02d %15s Error: invalid TLS packet\n", t->tm_hour, t->tm_min, t->tm_sec, ip); | ||
78 | return; | ||
79 | |||
80 | nosni: | ||
81 | printf("%02d:%02d:%02d %15s no SNI\n", t->tm_hour, t->tm_min, t->tm_sec, ip); | ||
82 | return; | ||
83 | } | ||
84 | |||
85 | // https://www.kernel.org/doc/html/latest/networking/filter.html | ||
86 | static void custom_bpf(int sock) { | ||
87 | struct sock_filter code[] = { | ||
88 | // sudo tcpdump "tcp port 443 and (tcp[((tcp[12] & 0xf0) >>2)] = 0x16) && (tcp[((tcp[12] & 0xf0) >>2)+5] = 0x01)" -dd | ||
89 | { 0x28, 0, 0, 0x0000000c }, | ||
90 | { 0x15, 27, 0, 0x000086dd }, | ||
91 | { 0x15, 0, 26, 0x00000800 }, | ||
92 | { 0x30, 0, 0, 0x00000017 }, | ||
93 | { 0x15, 0, 24, 0x00000006 }, | ||
94 | { 0x28, 0, 0, 0x00000014 }, | ||
95 | { 0x45, 22, 0, 0x00001fff }, | ||
96 | { 0xb1, 0, 0, 0x0000000e }, | ||
97 | { 0x48, 0, 0, 0x0000000e }, | ||
98 | { 0x15, 2, 0, 0x000001bb }, | ||
99 | { 0x48, 0, 0, 0x00000010 }, | ||
100 | { 0x15, 0, 17, 0x000001bb }, | ||
101 | { 0x50, 0, 0, 0x0000001a }, | ||
102 | { 0x54, 0, 0, 0x000000f0 }, | ||
103 | { 0x74, 0, 0, 0x00000002 }, | ||
104 | { 0xc, 0, 0, 0x00000000 }, | ||
105 | { 0x7, 0, 0, 0x00000000 }, | ||
106 | { 0x50, 0, 0, 0x0000000e }, | ||
107 | { 0x15, 0, 10, 0x00000016 }, | ||
108 | { 0xb1, 0, 0, 0x0000000e }, | ||
109 | { 0x50, 0, 0, 0x0000001a }, | ||
110 | { 0x54, 0, 0, 0x000000f0 }, | ||
111 | { 0x74, 0, 0, 0x00000002 }, | ||
112 | { 0x4, 0, 0, 0x00000005 }, | ||
113 | { 0xc, 0, 0, 0x00000000 }, | ||
114 | { 0x7, 0, 0, 0x00000000 }, | ||
115 | { 0x50, 0, 0, 0x0000000e }, | ||
116 | { 0x15, 0, 1, 0x00000001 }, | ||
117 | { 0x6, 0, 0, 0x00040000 }, | ||
118 | { 0x6, 0, 0, 0x00000000 }, | ||
119 | }; | ||
120 | |||
121 | struct sock_fprog bpf = { | ||
122 | .len = (unsigned short) sizeof(code) / sizeof(code[0]), | ||
123 | .filter = code, | ||
124 | }; | ||
125 | |||
126 | int rv = setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &bpf, sizeof(bpf)); | ||
127 | if (rv < 0) { | ||
128 | fprintf(stderr, "Error: cannot attach BPF filter\n"); | ||
129 | exit(1); | ||
130 | } | ||
131 | } | ||
132 | |||
133 | static void run_trace(void) { | ||
134 | // grab all Ethernet packets and use a custom BPF filter to get only UDP from source port 53 | ||
135 | int s = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); | ||
136 | if (s < 0) | ||
137 | errExit("socket"); | ||
138 | custom_bpf(s); | ||
139 | |||
140 | unsigned char buf[MAX_BUF_SIZE]; | ||
141 | while (1) { | ||
142 | fd_set rfds; | ||
143 | FD_ZERO(&rfds); | ||
144 | FD_SET(s, &rfds); | ||
145 | struct timeval tv; | ||
146 | tv.tv_sec = 1; | ||
147 | tv.tv_usec = 0; | ||
148 | int rv = select(s + 1, &rfds, NULL, NULL, &tv); | ||
149 | if (rv < 0) | ||
150 | errExit("select"); | ||
151 | else if (rv == 0) | ||
152 | continue; | ||
153 | unsigned bytes = recvfrom(s, buf, MAX_BUF_SIZE, 0, NULL, NULL); | ||
154 | |||
155 | if (bytes >= (14 + 20 + 20)) { // size of MAC + IP + TCP headers | ||
156 | uint8_t ip_hlen = (buf[14] & 0x0f) * 4; | ||
157 | uint16_t port_dest; | ||
158 | memcpy(&port_dest, buf + 14 + ip_hlen + 2, 2); | ||
159 | port_dest = ntohs(port_dest); | ||
160 | uint8_t protocol = buf[14 + 9]; | ||
161 | uint32_t ip_dest; | ||
162 | memcpy(&ip_dest, buf + 14 + 16, 4); | ||
163 | ip_dest = ntohl(ip_dest); | ||
164 | uint8_t tcp_hlen = (buf[14 + ip_hlen + 12] & 0xf0) >> 2; | ||
165 | |||
166 | // if TLS packet, extract SNI | ||
167 | if (port_dest == 443 && protocol == 6) // TCP protocol | ||
168 | print_tls(ip_dest, buf + 14 + ip_hlen + tcp_hlen, bytes - 14 - ip_hlen - tcp_hlen); // IP and TCP header len | ||
169 | } | ||
170 | } | ||
171 | |||
172 | close(s); | ||
173 | } | ||
174 | |||
175 | |||
176 | static void usage(void) { | ||
177 | printf("Usage: fnettrace-sni [OPTIONS]\n"); | ||
178 | printf("Options:\n"); | ||
179 | printf(" --help, -? - this help screen\n"); | ||
180 | printf("\n"); | ||
181 | } | ||
182 | |||
183 | int main(int argc, char **argv) { | ||
184 | int i; | ||
185 | |||
186 | for (i = 1; i < argc; i++) { | ||
187 | if (strcmp(argv[i], "--help") == 0 || strcmp(argv[i], "-?") == 0) { | ||
188 | usage(); | ||
189 | return 0; | ||
190 | } | ||
191 | else { | ||
192 | fprintf(stderr, "Error: invalid argument\n"); | ||
193 | return 1; | ||
194 | } | ||
195 | } | ||
196 | |||
197 | if (getuid() != 0) { | ||
198 | fprintf(stderr, "Error: you need to be root to run this program\n"); | ||
199 | return 1; | ||
200 | } | ||
201 | |||
202 | time_t now = time(NULL); | ||
203 | printf("SNI trace for %s\n", ctime(&now)); | ||
204 | run_trace(); | ||
205 | |||
206 | return 0; | ||
207 | } | ||
diff --git a/src/fnettrace/main.c b/src/fnettrace/main.c index 31d49d839..634d408a3 100644 --- a/src/fnettrace/main.c +++ b/src/fnettrace/main.c | |||
@@ -28,7 +28,7 @@ static char *arg_log = NULL; | |||
28 | 28 | ||
29 | typedef struct hnode_t { | 29 | typedef struct hnode_t { |
30 | struct hnode_t *hnext; // used for hash table and unused linked list | 30 | struct hnode_t *hnext; // used for hash table and unused linked list |
31 | struct hnode_t *dnext; // used to display stremas on the screen | 31 | struct hnode_t *dnext; // used to display streams on the screen |
32 | uint32_t ip_src; | 32 | uint32_t ip_src; |
33 | uint32_t bytes; // number of bytes received in the last display interval | 33 | uint32_t bytes; // number of bytes received in the last display interval |
34 | uint16_t port_src; | 34 | uint16_t port_src; |
@@ -221,6 +221,37 @@ static unsigned adjust_bandwidth(unsigned bw) { | |||
221 | return (max < (sum / 2))? sum: max; | 221 | return (max < (sum / 2))? sum: max; |
222 | } | 222 | } |
223 | 223 | ||
224 | static inline const char *common_port(uint16_t port) { | ||
225 | if (port > 123) | ||
226 | return NULL; | ||
227 | |||
228 | if (port == 20 || port == 21) | ||
229 | return "(FTP)"; | ||
230 | else if (port == 22) | ||
231 | return "(SSH)"; | ||
232 | else if (port == 23) | ||
233 | return "(telnet)"; | ||
234 | else if (port == 25) | ||
235 | return "(SMTP)"; | ||
236 | else if (port == 43) | ||
237 | return "(WHOIS)"; | ||
238 | else if (port == 67) | ||
239 | return "(DHCP)"; | ||
240 | else if (port == 69) | ||
241 | return "(TFTP)"; | ||
242 | else if (port == 80) | ||
243 | return "(HTTP)"; | ||
244 | else if (port == 109) | ||
245 | return "(POP2)"; | ||
246 | else if (port == 110) | ||
247 | return "(POP3)"; | ||
248 | else if (port == 123) | ||
249 | return "(NTP)"; | ||
250 | |||
251 | return NULL; | ||
252 | } | ||
253 | |||
254 | |||
224 | static void hnode_print(unsigned bw) { | 255 | static void hnode_print(unsigned bw) { |
225 | assert(!arg_netfilter); | 256 | assert(!arg_netfilter); |
226 | bw = (bw < 1024 * DISPLAY_INTERVAL)? 1024 * DISPLAY_INTERVAL: bw; | 257 | bw = (bw < 1024 * DISPLAY_INTERVAL)? 1024 * DISPLAY_INTERVAL: bw; |
@@ -285,19 +316,19 @@ static void hnode_print(unsigned bw) { | |||
285 | else | 316 | else |
286 | bwline = print_bw(ptr->bytes / bwunit); | 317 | bwline = print_bw(ptr->bytes / bwunit); |
287 | 318 | ||
288 | char *protocol = ""; | 319 | const char *protocol = NULL; |
289 | if (ptr->port_src == 80) | 320 | if (ptr->port_src == 443) |
290 | protocol = "(HTTP)"; | 321 | protocol = "(TLS)"; |
322 | else if (ptr->port_src == 53) | ||
323 | protocol = "(DNS)"; | ||
291 | else if (ptr->port_src == 853) | 324 | else if (ptr->port_src == 853) |
292 | protocol = "(DoT)"; | 325 | protocol = "(DoT)"; |
326 | else if ((protocol = common_port(ptr->port_src)) != NULL) | ||
327 | ; | ||
293 | else if (ptr->protocol == 0x11) | 328 | else if (ptr->protocol == 0x11) |
294 | protocol = "(UDP)"; | 329 | protocol = "(UDP)"; |
295 | /* | 330 | if (protocol == NULL) |
296 | else (ptr->port_src == 443) | 331 | protocol = ""; |
297 | protocol = "TLS"; | ||
298 | else if (ptr->port_src == 53) | ||
299 | protocol = "DNS"; | ||
300 | */ | ||
301 | 332 | ||
302 | len = snprintf(line, LINE_MAX, "%10s %s %d.%d.%d.%d:%u%s %s\n", | 333 | len = snprintf(line, LINE_MAX, "%10s %s %d.%d.%d.%d:%u%s %s\n", |
303 | bytes, bwline, PRINT_IP(ptr->ip_src), ptr->port_src, protocol, ptr->hostname); | 334 | bytes, bwline, PRINT_IP(ptr->ip_src), ptr->port_src, protocol, ptr->hostname); |
@@ -409,7 +440,8 @@ static void run_trace(void) { | |||
409 | memcpy(&port_src, buf + hlen, 2); | 440 | memcpy(&port_src, buf + hlen, 2); |
410 | port_src = ntohs(port_src); | 441 | port_src = ntohs(port_src); |
411 | 442 | ||
412 | hnode_add(ip_src, buf[9], port_src, bytes + 14); | 443 | uint8_t protocol = buf[9]; |
444 | hnode_add(ip_src, protocol, port_src, bytes + 14); | ||
413 | } | 445 | } |
414 | } | 446 | } |
415 | } | 447 | } |
diff --git a/src/fnettrace/static-ip-map b/src/fnettrace/static-ip-map index e24ecf218..17ffe7f82 100644 --- a/src/fnettrace/static-ip-map +++ b/src/fnettrace/static-ip-map | |||
@@ -37,8 +37,10 @@ | |||
37 | 192.168.0.0/16 local network | 37 | 192.168.0.0/16 local network |
38 | 10.0.0.0/8 local network | 38 | 10.0.0.0/8 local network |
39 | 172.16.0.0/16 local network | 39 | 172.16.0.0/16 local network |
40 | 169.254.0.0/16 local link | ||
40 | 41 | ||
41 | # huge address ranges | 42 | # huge address ranges |
43 | 4.0.0.0/9 Level 3 | ||
42 | 6.0.0.0/8 US Army | 44 | 6.0.0.0/8 US Army |
43 | 7.0.0.0/8 US Army | 45 | 7.0.0.0/8 US Army |
44 | 9.0.0.0/8 IBM | 46 | 9.0.0.0/8 IBM |
diff --git a/src/include/seccomp.h b/src/include/seccomp.h index 9dbe25bfa..503bf54ac 100644 --- a/src/include/seccomp.h +++ b/src/include/seccomp.h | |||
@@ -250,6 +250,9 @@ | |||
250 | #define RETURN_ALLOW \ | 250 | #define RETURN_ALLOW \ |
251 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) | 251 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) |
252 | 252 | ||
253 | #define RETURN_KILL \ | ||
254 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL) | ||
255 | |||
253 | #define RETURN_ERRNO(nr) \ | 256 | #define RETURN_ERRNO(nr) \ |
254 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr) | 257 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr) |
255 | 258 | ||