-rw-r--r-- | .github/workflows/codeql-analysis.yml | 6 | ||||
-rw-r--r-- | .gitignore | 21 | ||||
-rw-r--r-- | Makefile | 57 | ||||
-rw-r--r-- | RELNOTES | 6 | ||||
-rw-r--r-- | etc/profile-m-z/server.profile | 2 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 5 | ||||
-rw-r--r-- | src/firejail/preproc.c | 4 | ||||
-rw-r--r-- | src/firejail/profile.c | 4 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 14 | ||||
-rw-r--r-- | src/fnettrace/Makefile | 3 | ||||
-rw-r--r-- | src/include/rundefs.h | 2 | ||||
-rw-r--r-- | src/man/Makefile | 60 | ||||
-rw-r--r-- | src/man/firecfg.1.in (renamed from src/man/firecfg.txt) | 0 | ||||
-rw-r--r-- | src/man/firejail-login.5.in (renamed from src/man/firejail-login.txt) | 0 | ||||
-rw-r--r-- | src/man/firejail-profile.5.in (renamed from src/man/firejail-profile.txt) | 0 | ||||
-rw-r--r-- | src/man/firejail-users.5.in (renamed from src/man/firejail-users.txt) | 0 | ||||
-rw-r--r-- | src/man/firejail.1.in (renamed from src/man/firejail.txt) | 0 | ||||
-rw-r--r-- | src/man/firemon.1.in (renamed from src/man/firemon.txt) | 0 | ||||
-rw-r--r-- | src/man/jailcheck.1.in (renamed from src/man/jailcheck.txt) | 0 | ||||
-rwxr-xr-x | src/man/mkman.sh | 8 |
21 files changed, 104 insertions, 89 deletions
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 9b82ab240..1c4c952f5 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml | |||
@@ -93,7 +93,7 @@ jobs: | |||
93 | 93 | ||
94 | # Initializes the CodeQL tools for scanning. | 94 | # Initializes the CodeQL tools for scanning. |
95 | - name: Initialize CodeQL | 95 | - name: Initialize CodeQL |
96 | uses: github/codeql-action/init@f6e388ebf0efc915c6c5b165b019ee61a6746a38 | 96 | uses: github/codeql-action/init@46ed16ded91731b2df79a2893d3aea8e9f03b5c4 |
97 | with: | 97 | with: |
98 | languages: ${{ matrix.language }} | 98 | languages: ${{ matrix.language }} |
99 | # If you wish to specify custom queries, you can do so here or in a config file. | 99 | # If you wish to specify custom queries, you can do so here or in a config file. |
@@ -104,7 +104,7 @@ jobs: | |||
104 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). | 104 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). |
105 | # If this step fails, then you should remove it and run the build manually (see below) | 105 | # If this step fails, then you should remove it and run the build manually (see below) |
106 | - name: Autobuild | 106 | - name: Autobuild |
107 | uses: github/codeql-action/autobuild@f6e388ebf0efc915c6c5b165b019ee61a6746a38 | 107 | uses: github/codeql-action/autobuild@46ed16ded91731b2df79a2893d3aea8e9f03b5c4 |
108 | 108 | ||
109 | # âšī¸ Command-line programs to run using the OS shell. | 109 | # âšī¸ Command-line programs to run using the OS shell. |
110 | # đ https://git.io/JvXDl | 110 | # đ https://git.io/JvXDl |
@@ -118,4 +118,4 @@ jobs: | |||
118 | # make release | 118 | # make release |
119 | 119 | ||
120 | - name: Perform CodeQL Analysis | 120 | - name: Perform CodeQL Analysis |
121 | uses: github/codeql-action/analyze@f6e388ebf0efc915c6c5b165b019ee61a6746a38 | 121 | uses: github/codeql-action/analyze@46ed16ded91731b2df79a2893d3aea8e9f03b5c4 |
diff --git a/.gitignore b/.gitignore index 180f623eb..2285c3e5d 100644 --- a/.gitignore +++ b/.gitignore | |||
@@ -6,9 +6,9 @@ | |||
6 | *.rpm | 6 | *.rpm |
7 | *.gcda | 7 | *.gcda |
8 | *.gcno | 8 | *.gcno |
9 | *.gz | ||
9 | *.DS_Store | 10 | *.DS_Store |
10 | .directory | 11 | .directory |
11 | *.man | ||
12 | .vscode | 12 | .vscode |
13 | /firejail-*/ | 13 | /firejail-*/ |
14 | autom4te.cache/ | 14 | autom4te.cache/ |
@@ -20,14 +20,6 @@ contrib/syntax/files/example | |||
20 | contrib/syntax/files/firejail-profile.lang | 20 | contrib/syntax/files/firejail-profile.lang |
21 | contrib/syntax/files/firejail.vim | 21 | contrib/syntax/files/firejail.vim |
22 | firejail-*.tar.xz | 22 | firejail-*.tar.xz |
23 | firejail-login.5 | ||
24 | firejail-profile.5 | ||
25 | firejail-config.5 | ||
26 | firejail-users.5 | ||
27 | firejail.1 | ||
28 | firemon.1 | ||
29 | firecfg.1 | ||
30 | jailcheck.1 | ||
31 | src/fnettrace-dns/fnettrace-dns | 23 | src/fnettrace-dns/fnettrace-dns |
32 | src/fnettrace-sni/fnettrace-sni | 24 | src/fnettrace-sni/fnettrace-sni |
33 | src/fnettrace-icmp/fnettrace-icmp | 25 | src/fnettrace-icmp/fnettrace-icmp |
@@ -61,15 +53,12 @@ seccomp.64 | |||
61 | seccomp.block_secondary | 53 | seccomp.block_secondary |
62 | seccomp.mdwx | 54 | seccomp.mdwx |
63 | seccomp.mdwx.32 | 55 | seccomp.mdwx.32 |
56 | seccomp.namespaces | ||
57 | seccomp.namespaces.32 | ||
64 | aclocal.m4 | 58 | aclocal.m4 |
65 | __pycache__ | 59 | __pycache__ |
66 | *.pyc | 60 | *.pyc |
67 | *.pyo | 61 | *.pyo |
68 | src/fnettrace/static-ip-map | 62 | src/fnettrace/static-ip-map |
69 | src/man/firecfg.1.gz | 63 | src/man/*.1 |
70 | src/man/firejail-login.5.gz | 64 | src/man/*.5 |
71 | src/man/firejail-profile.5.gz | ||
72 | src/man/firejail-users.5.gz | ||
73 | src/man/firejail.1.gz | ||
74 | src/man/firemon.1.gz | ||
75 | src/man/jailcheck.1.gz | ||
@@ -2,6 +2,10 @@ | |||
2 | ROOT = . | 2 | ROOT = . |
3 | -include config.mk | 3 | -include config.mk |
4 | 4 | ||
5 | ifneq ($(HAVE_MAN),no) | ||
6 | MAN_TARGET = man | ||
7 | endif | ||
8 | |||
5 | ifneq ($(HAVE_CONTRIB_INSTALL),no) | 9 | ifneq ($(HAVE_CONTRIB_INSTALL),no) |
6 | CONTRIB_TARGET = contrib | 10 | CONTRIB_TARGET = contrib |
7 | endif | 11 | endif |
@@ -14,10 +18,15 @@ SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfil | |||
14 | SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp | 18 | SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp |
15 | SBOX_APPS_NON_DUMPABLE += src/fnettrace/fnettrace src/fnettrace-dns/fnettrace-dns src/fnettrace-sni/fnettrace-sni | 19 | SBOX_APPS_NON_DUMPABLE += src/fnettrace/fnettrace src/fnettrace-dns/fnettrace-dns src/fnettrace-sni/fnettrace-sni |
16 | SBOX_APPS_NON_DUMPABLE += src/fnettrace-icmp/fnettrace-icmp | 20 | SBOX_APPS_NON_DUMPABLE += src/fnettrace-icmp/fnettrace-icmp |
17 | MYDIRS = src/lib src/man $(COMPLETIONDIRS) | 21 | MYDIRS = src/lib $(COMPLETIONDIRS) |
18 | MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so | 22 | MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so |
19 | COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion | 23 | COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion |
20 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 | 24 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 seccomp.namespaces seccomp.namespaces.32 |
25 | |||
26 | MANPAGES1_IN := $(sort $(wildcard src/man/*.1.in)) | ||
27 | MANPAGES5_IN := $(sort $(wildcard src/man/*.5.in)) | ||
28 | MANPAGES1_GZ := $(MANPAGES1_IN:.in=.gz) | ||
29 | MANPAGES5_GZ := $(MANPAGES5_IN:.in=.gz) | ||
21 | 30 | ||
22 | SYSCALL_HEADERS := $(sort $(wildcard src/include/syscall*.h)) | 31 | SYSCALL_HEADERS := $(sort $(wildcard src/include/syscall*.h)) |
23 | 32 | ||
@@ -37,13 +46,13 @@ SYNTAX_FILES := $(SYNTAX_FILES_IN:.in=) | |||
37 | ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS) | 46 | ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS) |
38 | 47 | ||
39 | .PHONY: all | 48 | .PHONY: all |
40 | all: all_items mydirs $(CONTRIB_TARGET) | 49 | all: all_items mydirs filters $(MAN_TARGET) $(CONTRIB_TARGET) |
41 | 50 | ||
42 | config.mk config.sh: | 51 | config.mk config.sh: |
43 | @printf 'error: run ./configure to generate %s\n' "$@" >&2 | 52 | @printf 'error: run ./configure to generate %s\n' "$@" >&2 |
44 | @false | 53 | @false |
45 | 54 | ||
46 | .PHONY: all_items $(ALL_ITEMS) | 55 | .PHONY: all_items |
47 | all_items: $(ALL_ITEMS) | 56 | all_items: $(ALL_ITEMS) |
48 | $(ALL_ITEMS): $(MYDIRS) | 57 | $(ALL_ITEMS): $(MYDIRS) |
49 | $(MAKE) -C $(dir $@) | 58 | $(MAKE) -C $(dir $@) |
@@ -53,19 +62,38 @@ mydirs: $(MYDIRS) | |||
53 | $(MYDIRS): | 62 | $(MYDIRS): |
54 | $(MAKE) -C $@ | 63 | $(MAKE) -C $@ |
55 | 64 | ||
56 | define build_filters | 65 | .PHONY: filters |
66 | filters: $(SECCOMP_FILTERS) | ||
67 | seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize | ||
57 | src/fseccomp/fseccomp default seccomp | 68 | src/fseccomp/fseccomp default seccomp |
58 | src/fsec-optimize/fsec-optimize seccomp | 69 | src/fsec-optimize/fsec-optimize seccomp |
70 | |||
71 | seccomp.debug: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize | ||
59 | src/fseccomp/fseccomp default seccomp.debug allow-debuggers | 72 | src/fseccomp/fseccomp default seccomp.debug allow-debuggers |
60 | src/fsec-optimize/fsec-optimize seccomp.debug | 73 | src/fsec-optimize/fsec-optimize seccomp.debug |
74 | |||
75 | seccomp.32: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize | ||
61 | src/fseccomp/fseccomp secondary 32 seccomp.32 | 76 | src/fseccomp/fseccomp secondary 32 seccomp.32 |
62 | src/fsec-optimize/fsec-optimize seccomp.32 | 77 | src/fsec-optimize/fsec-optimize seccomp.32 |
78 | |||
79 | seccomp.block_secondary: src/fseccomp/fseccomp | ||
63 | src/fseccomp/fseccomp secondary block seccomp.block_secondary | 80 | src/fseccomp/fseccomp secondary block seccomp.block_secondary |
81 | |||
82 | seccomp.mdwx: src/fseccomp/fseccomp | ||
64 | src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx | 83 | src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx |
84 | |||
85 | seccomp.mdwx.32: src/fseccomp/fseccomp | ||
65 | src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32 | 86 | src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32 |
66 | endef | ||
67 | 87 | ||
88 | seccomp.namespaces: src/fseccomp/fseccomp | ||
89 | src/fseccomp/fseccomp restrict-namespaces seccomp.namespaces cgroup,ipc,net,mnt,pid,time,user,uts | ||
68 | 90 | ||
91 | seccomp.namespaces.32: src/fseccomp/fseccomp | ||
92 | src/fseccomp/fseccomp restrict-namespaces seccomp.namespaces.32 cgroup,ipc,net,mnt,pid,time,user,uts | ||
93 | |||
94 | .PHONY: man | ||
95 | man: | ||
96 | $(MAKE) -C src/man | ||
69 | 97 | ||
70 | # Makes all targets in contrib/ | 98 | # Makes all targets in contrib/ |
71 | .PHONY: contrib | 99 | .PHONY: contrib |
@@ -135,6 +163,7 @@ clean: | |||
135 | for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \ | 163 | for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \ |
136 | $(MAKE) -C $$dir clean; \ | 164 | $(MAKE) -C $$dir clean; \ |
137 | done | 165 | done |
166 | $(MAKE) -C src/man clean | ||
138 | $(MAKE) -C test clean | 167 | $(MAKE) -C test clean |
139 | rm -f $(SECCOMP_FILTERS) | 168 | rm -f $(SECCOMP_FILTERS) |
140 | rm -f firejail*.rpm | 169 | rm -f firejail*.rpm |
@@ -178,7 +207,6 @@ endif | |||
178 | # libraries and plugins | 207 | # libraries and plugins |
179 | install -m 0755 -d $(DESTDIR)$(libdir)/firejail | 208 | install -m 0755 -d $(DESTDIR)$(libdir)/firejail |
180 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/firecfg/firejail-welcome.sh | 209 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/firecfg/firejail-welcome.sh |
181 | $(call build_filters) | ||
182 | install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) | 210 | install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) |
183 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS) | 211 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS) |
184 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/profstats/profstats | 212 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/profstats/profstats |
@@ -228,13 +256,8 @@ endif | |||
228 | ifneq ($(HAVE_MAN),no) | 256 | ifneq ($(HAVE_MAN),no) |
229 | # man pages | 257 | # man pages |
230 | install -m 0755 -d $(DESTDIR)$(mandir)/man1 $(DESTDIR)$(mandir)/man5 | 258 | install -m 0755 -d $(DESTDIR)$(mandir)/man1 $(DESTDIR)$(mandir)/man5 |
231 | install -m 0644 src/man/firejail.1.gz $(DESTDIR)$(mandir)/man1/ | 259 | install -m 0644 $(MANPAGES1_GZ) $(DESTDIR)$(mandir)/man1/ |
232 | install -m 0644 src/man/firemon.1.gz $(DESTDIR)$(mandir)/man1/ | 260 | install -m 0644 $(MANPAGES5_GZ) $(DESTDIR)$(mandir)/man5/ |
233 | install -m 0644 src/man/firecfg.1.gz $(DESTDIR)$(mandir)/man1/ | ||
234 | install -m 0644 src/man/jailcheck.1.gz $(DESTDIR)$(mandir)/man1/ | ||
235 | install -m 0644 src/man/firejail-login.5.gz $(DESTDIR)$(mandir)/man5/ | ||
236 | install -m 0644 src/man/firejail-users.5.gz $(DESTDIR)$(mandir)/man5/ | ||
237 | install -m 0644 src/man/firejail-profile.5.gz $(DESTDIR)$(mandir)/man5/ | ||
238 | endif | 261 | endif |
239 | # bash completion | 262 | # bash completion |
240 | install -m 0755 -d $(DESTDIR)$(datarootdir)/bash-completion/completions | 263 | install -m 0755 -d $(DESTDIR)$(datarootdir)/bash-completion/completions |
@@ -262,10 +285,8 @@ uninstall: config.mk | |||
262 | rm -f $(DESTDIR)$(bindir)/jailcheck | 285 | rm -f $(DESTDIR)$(bindir)/jailcheck |
263 | rm -fr $(DESTDIR)$(libdir)/firejail | 286 | rm -fr $(DESTDIR)$(libdir)/firejail |
264 | rm -fr $(DESTDIR)$(datarootdir)/doc/firejail | 287 | rm -fr $(DESTDIR)$(datarootdir)/doc/firejail |
265 | for man in $(MANPAGES); do \ | 288 | rm -f $(addprefix $(DESTDIR)$(mandir)/man1/,$(notdir $(MANPAGES1_GZ))) |
266 | rm -f $(DESTDIR)$(mandir)/man5/$$man*; \ | 289 | rm -f $(addprefix $(DESTDIR)$(mandir)/man5/,$(notdir $(MANPAGES5_GZ))) |
267 | rm -f $(DESTDIR)$(mandir)/man1/$$man*; \ | ||
268 | done | ||
269 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail | 290 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail |
270 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon | 291 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon |
271 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg | 292 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg |
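Review bot: The `seccomp.namespaces.32` rule runs the same `restrict-namespaces` subcommand as the `seccomp.namespaces` rule just above it, so both files appear to be generated as native-architecture filters. The mdwx pair in the same block uses `memory-deny-write-execute.32` for its 32-bit file. Since sandbox.c now loads the installed file as the 32-bit namespaces filter, namespace-related syscalls made through the secondary ABI may be left unfiltered. If fseccomp's 32-bit mode is what is meant here, the recipe should read `src/fseccomp/fseccomp restrict-namespaces.32 seccomp.namespaces.32 cgroup,ipc,net,mnt,pid,time,user,uts`. The namespace list is also repeated here and in main.c and profile.c, so a comment naming those copies would help keep the prebuilt filter in step with the runtime one.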
@@ -6,6 +6,7 @@ firejail (0.9.73) baseline; urgency=low | |||
6 | overwritten using --hostname command | 6 | overwritten using --hostname command |
7 | * feature: add IPv6 support for --net.print option | 7 | * feature: add IPv6 support for --net.print option |
8 | * feature: QUIC (HTTP/3) support in --nettrace | 8 | * feature: QUIC (HTTP/3) support in --nettrace |
9 | * feature: use seccomp filters build at install time for --restrict-namespaces | ||
9 | * modif: Stop forwarding own double-dash to the shell (#5599 #5600) | 10 | * modif: Stop forwarding own double-dash to the shell (#5599 #5600) |
10 | * modif: Prevent sandbox name (--name=) and host name (--hostname=) | 11 | * modif: Prevent sandbox name (--name=) and host name (--hostname=) |
11 | from containing only digits (#5578 #5741) | 12 | from containing only digits (#5578 #5741) |
@@ -20,8 +21,6 @@ firejail (0.9.73) baseline; urgency=low | |||
20 | #5618) | 21 | #5618) |
21 | * bugfix: fix --hostname and --hosts-file commands | 22 | * bugfix: fix --hostname and --hosts-file commands |
22 | * bugfix: arp.c: ensure positive timeout on select(2) (#5806) | 23 | * bugfix: arp.c: ensure positive timeout on select(2) (#5806) |
23 | * bugfix: makefiles fixes: seccomp filters and man pages are build every | ||
24 | time when running make | ||
25 | * build: auto-generate syntax files (#5627) | 24 | * build: auto-generate syntax files (#5627) |
26 | * build: mark all phony targets as such (#5637) | 25 | * build: mark all phony targets as such (#5637) |
27 | * build: mkdeb.sh: pass all arguments to ./configure (#5654) | 26 | * build: mkdeb.sh: pass all arguments to ./configure (#5654) |
@@ -31,6 +30,9 @@ firejail (0.9.73) baseline; urgency=low | |||
31 | * build: remove -mretpoline and NO_EXTRA_CFLAGS (#5859) | 30 | * build: remove -mretpoline and NO_EXTRA_CFLAGS (#5859) |
32 | * build: disable all built-in implicit make rules (#5864) | 31 | * build: disable all built-in implicit make rules (#5864) |
33 | * build: organize and standardize make vars and targets (#5866) | 32 | * build: organize and standardize make vars and targets (#5866) |
33 | * build: fix seccomp filters and man pages always being rebuilt when running | ||
34 | make | ||
35 | * build: simplify code related to man pages (#5898) | ||
34 | * ci: always update the package db before installing packages (#5742) | 36 | * ci: always update the package db before installing packages (#5742) |
35 | * ci: fix codeql unable to download its own bundle (#5783) | 37 | * ci: fix codeql unable to download its own bundle (#5783) |
36 | * ci: split configure/build/install commands on gitlab (#5784) | 38 | * ci: split configure/build/install commands on gitlab (#5784) |
diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile index 5b71fe6c3..05170267b 100644 --- a/etc/profile-m-z/server.profile +++ b/etc/profile-m-z/server.profile | |||
@@ -93,4 +93,4 @@ dbus-user none | |||
93 | # deterministic-shutdown | 93 | # deterministic-shutdown |
94 | # memory-deny-write-execute | 94 | # memory-deny-write-execute |
95 | # read-only ${HOME} | 95 | # read-only ${HOME} |
96 | restrict-namespaces | 96 | # restrict-namespaces |
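Review bot: `restrict-namespaces` is commented out at the end of server.profile with no reason given, which drops the namespace-creation restriction from sandboxes that use this profile. Nothing visible in the commit ties this to the prebuilt-filter change, so it may be a leftover from testing. If it is intentional, the line should carry the reason, for example `# restrict-namespaces  # disabled: <reason>`, and RELNOTES should mention the change.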
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index d85b470e6..c791913ea 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -357,6 +357,7 @@ extern int arg_deterministic_exit_code; // always exit with first child's exit s | |||
357 | extern int arg_deterministic_shutdown; // shut down the sandbox if first child dies | 357 | extern int arg_deterministic_shutdown; // shut down the sandbox if first child dies |
358 | extern int arg_keep_fd_all; // inherit all file descriptors to sandbox | 358 | extern int arg_keep_fd_all; // inherit all file descriptors to sandbox |
359 | extern int arg_netlock; // netlocker | 359 | extern int arg_netlock; // netlocker |
360 | extern int arg_restrict_namespaces; | ||
360 | 361 | ||
361 | typedef enum { | 362 | typedef enum { |
362 | DBUS_POLICY_ALLOW, // Allow unrestricted access to the bus | 363 | DBUS_POLICY_ALLOW, // Allow unrestricted access to the bus |
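Review bot: `arg_restrict_namespaces` is declared without the trailing comment that the neighbouring externs carry, and its relation to `cfg.restrict_namespaces` is not obvious. In main.c and profile.c it is set where the option is matched exactly and the full default list is applied, and sandbox.c uses it to select the preinstalled filters. A comment such as `extern int arg_restrict_namespaces; // restrict-namespaces with the default list: use the prebuilt filters` would document that.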
diff --git a/src/firejail/main.c b/src/firejail/main.c index 732ca93c2..45b199db4 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -165,6 +165,7 @@ int arg_tab = 0; | |||
165 | int login_shell = 0; | 165 | int login_shell = 0; |
166 | int just_run_the_shell = 0; | 166 | int just_run_the_shell = 0; |
167 | int arg_netlock = 0; | 167 | int arg_netlock = 0; |
168 | int arg_restrict_namespaces = 0; | ||
168 | 169 | ||
169 | int parent_to_child_fds[2]; | 170 | int parent_to_child_fds[2]; |
170 | int child_to_parent_fds[2]; | 171 | int child_to_parent_fds[2]; |
@@ -1508,8 +1509,10 @@ int main(int argc, char **argv, char **envp) { | |||
1508 | exit_err_feature("seccomp"); | 1509 | exit_err_feature("seccomp"); |
1509 | } | 1510 | } |
1510 | else if (strcmp(argv[i], "--restrict-namespaces") == 0) { | 1511 | else if (strcmp(argv[i], "--restrict-namespaces") == 0) { |
1511 | if (checkcfg(CFG_SECCOMP)) | 1512 | if (checkcfg(CFG_SECCOMP)) { |
1513 | arg_restrict_namespaces = 1; | ||
1512 | profile_list_augment(&cfg.restrict_namespaces, "cgroup,ipc,net,mnt,pid,time,user,uts"); | 1514 | profile_list_augment(&cfg.restrict_namespaces, "cgroup,ipc,net,mnt,pid,time,user,uts"); |
1515 | } | ||
1513 | else | 1516 | else |
1514 | exit_err_feature("seccomp"); | 1517 | exit_err_feature("seccomp"); |
1515 | } | 1518 | } |
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index 6055ec95b..e0c11a005 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c | |||
@@ -96,12 +96,16 @@ void preproc_mount_mnt_dir(void) { | |||
96 | if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644)) | 96 | if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644)) |
97 | errExit("set_perms"); | 97 | errExit("set_perms"); |
98 | if (cfg.restrict_namespaces) { | 98 | if (cfg.restrict_namespaces) { |
99 | copy_file(PATH_SECCOMP_NAMESPACES, RUN_SECCOMP_NS, getuid(), getgid(), 0644); // root needed | ||
100 | copy_file(PATH_SECCOMP_NAMESPACES_32, RUN_SECCOMP_NS_32, getuid(), getgid(), 0644); // root needed | ||
101 | #if 0 | ||
99 | create_empty_file_as_root(RUN_SECCOMP_NS, 0644); | 102 | create_empty_file_as_root(RUN_SECCOMP_NS, 0644); |
100 | if (set_perms(RUN_SECCOMP_NS, getuid(), getgid(), 0644)) | 103 | if (set_perms(RUN_SECCOMP_NS, getuid(), getgid(), 0644)) |
101 | errExit("set_perms"); | 104 | errExit("set_perms"); |
102 | create_empty_file_as_root(RUN_SECCOMP_NS_32, 0644); | 105 | create_empty_file_as_root(RUN_SECCOMP_NS_32, 0644); |
103 | if (set_perms(RUN_SECCOMP_NS_32, getuid(), getgid(), 0644)) | 106 | if (set_perms(RUN_SECCOMP_NS_32, getuid(), getgid(), 0644)) |
104 | errExit("set_perms"); | 107 | errExit("set_perms"); |
108 | #endif | ||
105 | } | 109 | } |
106 | create_empty_file_as_root(RUN_SECCOMP_POSTEXEC, 0644); | 110 | create_empty_file_as_root(RUN_SECCOMP_POSTEXEC, 0644); |
107 | if (set_perms(RUN_SECCOMP_POSTEXEC, getuid(), getgid(), 0644)) | 111 | if (set_perms(RUN_SECCOMP_POSTEXEC, getuid(), getgid(), 0644)) |
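Review bot: The two `copy_file()` calls added under `if (cfg.restrict_namespaces)` ignore the result, while every `set_perms()` call around them goes to `errExit` on failure. If the installed filter is missing or unreadable, the run-time filter file may not be created, and whether the sandbox then fails closed depends on `seccomp_load`, which is not shown here. Assuming `copy_file` returns non-zero on failure, I would write `if (copy_file(PATH_SECCOMP_NAMESPACES, RUN_SECCOMP_NS, getuid(), getgid(), 0644)) errExit("copy_file");` and do the same for the 32-bit file. The `#if 0` block should be deleted rather than kept as dead code. The enclosing function continues outside the hunk.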
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index ae881664b..07449f646 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -1088,8 +1088,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1088 | 1088 | ||
1089 | // restrict-namespaces | 1089 | // restrict-namespaces |
1090 | if (strcmp(ptr, "restrict-namespaces") == 0) { | 1090 | if (strcmp(ptr, "restrict-namespaces") == 0) { |
1091 | if (checkcfg(CFG_SECCOMP)) | 1091 | if (checkcfg(CFG_SECCOMP)) { |
1092 | arg_restrict_namespaces = 1; | ||
1092 | profile_list_augment(&cfg.restrict_namespaces, "cgroup,ipc,net,mnt,pid,time,user,uts"); | 1093 | profile_list_augment(&cfg.restrict_namespaces, "cgroup,ipc,net,mnt,pid,time,user,uts"); |
1094 | } | ||
1093 | else | 1095 | else |
1094 | warning_feature_disabled("seccomp"); | 1096 | warning_feature_disabled("seccomp"); |
1095 | return 0; | 1097 | return 0; |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 9eb476f16..538f5be67 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -1211,7 +1211,19 @@ int sandbox(void* sandbox_arg) { | |||
1211 | seccomp_load(RUN_SECCOMP_MDWX_32); | 1211 | seccomp_load(RUN_SECCOMP_MDWX_32); |
1212 | } | 1212 | } |
1213 | 1213 | ||
1214 | if (cfg.restrict_namespaces) { | 1214 | if (arg_restrict_namespaces) { |
1215 | if (arg_seccomp_error_action != EPERM) { | ||
1216 | seccomp_filter_namespaces(true, cfg.restrict_namespaces); | ||
1217 | seccomp_filter_namespaces(false, cfg.restrict_namespaces); | ||
1218 | } | ||
1219 | |||
1220 | if (arg_debug) | ||
1221 | printf("Install namespaces filter\n"); | ||
1222 | seccomp_load(RUN_SECCOMP_NS); // install filter | ||
1223 | seccomp_load(RUN_SECCOMP_NS_32); | ||
1224 | |||
1225 | } | ||
1226 | else if (cfg.restrict_namespaces) { | ||
1215 | seccomp_filter_namespaces(true, cfg.restrict_namespaces); | 1227 | seccomp_filter_namespaces(true, cfg.restrict_namespaces); |
1216 | seccomp_filter_namespaces(false, cfg.restrict_namespaces); | 1228 | seccomp_filter_namespaces(false, cfg.restrict_namespaces); |
1217 | 1229 | ||
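Review bot: The new `arg_restrict_namespaces` branch regenerates the filters only when `arg_seccomp_error_action != EPERM`, and nothing says why. Presumably the installed filters are built with the default EPERM action and any other action needs a rebuild. A comment such as `// prebuilt filters return EPERM; rebuild them for any other error action` above that `if` would make the dependency explicit. The branch also appears to repeat the generate-and-load sequence of the `else if (cfg.restrict_namespaces)` branch, which runs past the end of the hunk, so a small helper would keep the two paths from drifting apart.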
diff --git a/src/fnettrace/Makefile b/src/fnettrace/Makefile index 9748a3b47..68a4cbdc0 100644 --- a/src/fnettrace/Makefile +++ b/src/fnettrace/Makefile | |||
@@ -11,6 +11,3 @@ include $(ROOT)/src/prog.mk | |||
11 | all: $(TARGET) static-ip-map | 11 | all: $(TARGET) static-ip-map |
12 | static-ip-map: static-ip-map.txt fnettrace | 12 | static-ip-map: static-ip-map.txt fnettrace |
13 | ./fnettrace --squash-map=static-ip-map.txt > static-ip-map | 13 | ./fnettrace --squash-map=static-ip-map.txt > static-ip-map |
14 | |||
15 | |||
16 | |||
diff --git a/src/include/rundefs.h b/src/include/rundefs.h index 7fc0f21f3..d36851a4e 100644 --- a/src/include/rundefs.h +++ b/src/include/rundefs.h | |||
@@ -79,6 +79,8 @@ | |||
79 | #define PATH_SECCOMP_DEBUG_32 LIBDIR "/firejail/seccomp.debug32" // 32bit arch debug filter built during make | 79 | #define PATH_SECCOMP_DEBUG_32 LIBDIR "/firejail/seccomp.debug32" // 32bit arch debug filter built during make |
80 | #define PATH_SECCOMP_MDWX LIBDIR "/firejail/seccomp.mdwx" // filter for memory-deny-write-execute built during make | 80 | #define PATH_SECCOMP_MDWX LIBDIR "/firejail/seccomp.mdwx" // filter for memory-deny-write-execute built during make |
81 | #define PATH_SECCOMP_MDWX_32 LIBDIR "/firejail/seccomp.mdwx.32" | 81 | #define PATH_SECCOMP_MDWX_32 LIBDIR "/firejail/seccomp.mdwx.32" |
82 | #define PATH_SECCOMP_NAMESPACES LIBDIR "/firejail/seccomp.namespaces" // filter for restrict-namespaces | ||
83 | #define PATH_SECCOMP_NAMESPACES_32 LIBDIR "/firejail/seccomp.namespaces.32" | ||
82 | #define PATH_SECCOMP_BLOCK_SECONDARY LIBDIR "/firejail/seccomp.block_secondary" // secondary arch blocking filter built during make | 84 | #define PATH_SECCOMP_BLOCK_SECONDARY LIBDIR "/firejail/seccomp.block_secondary" // secondary arch blocking filter built during make |
83 | 85 | ||
84 | #define RUN_DEV_DIR RUN_MNT_DIR "/dev" | 86 | #define RUN_DEV_DIR RUN_MNT_DIR "/dev" |
diff --git a/src/man/Makefile b/src/man/Makefile index 17c5cde13..526ed7fcb 100644 --- a/src/man/Makefile +++ b/src/man/Makefile | |||
@@ -2,45 +2,25 @@ | |||
2 | ROOT = ../.. | 2 | ROOT = ../.. |
3 | -include $(ROOT)/config.mk | 3 | -include $(ROOT)/config.mk |
4 | 4 | ||
5 | all: firecfg.1.gz firejail.1.gz firejail-login.5.gz firejail-users.5.gz firejail-profile.5.gz firemon.1.gz jailcheck.1.gz | 5 | MOD_DIR := $(ROOT)/src/man |
6 | 6 | MANPAGES_IN := $(sort $(wildcard $(MOD_DIR)/*.in)) | |
7 | #firecfg.1.gz: firecfg.txt | 7 | MANPAGES_GZ := $(MANPAGES_IN:.in=.gz) |
8 | # gawk -f ./preproc.awk -- $(MANFLAGS) < $< > firecfg.1 | 8 | TARGET = $(MANPAGES_GZ) |
9 | # ./mkman.sh $(VERSION) firecfg.1 | 9 | |
10 | # gzip -n9 firecfg.1 | 10 | .PHONY: all |
11 | 11 | all: $(TARGET) | |
12 | # a small function to build a manpage | 12 | |
13 | define build | 13 | # foo.1: foo.1.in |
14 | gawk -f ./preproc.awk -- $(MANFLAGS) < $1 > $2 | 14 | $(MOD_DIR)/%: $(MOD_DIR)/%.in $(ROOT)/config.mk |
15 | ./mkman.sh $(VERSION) ./$2 | 15 | @printf 'Generating %s from %s\n' $@ $< |
16 | rm -f $2.gz | 16 | @gawk -f $(MOD_DIR)/preproc.awk -- $(MANFLAGS) <$< | \ |
17 | gzip -n9 $2 | 17 | $(MOD_DIR)/mkman.sh $(VERSION) >$@ |
18 | endef | 18 | |
19 | 19 | # foo.1.gz: foo.1 | |
20 | firecfg.1.gz: firecfg.txt | 20 | $(MOD_DIR)/%.gz: $(MOD_DIR)/% |
21 | $(call build,firecfg.txt,firecfg.1) | 21 | @printf 'Generating %s from %s\n' $@ $< |
22 | 22 | @rm -f $@ | |
23 | firejail.1.gz: firejail.txt | 23 | @gzip -n9 $< |
24 | $(call build,firejail.txt,firejail.1) | ||
25 | |||
26 | firejail-login.5.gz: firejail-login.txt | ||
27 | $(call build,firejail-login.txt,firejail-login.5) | ||
28 | |||
29 | firejail-users.5.gz: firejail-users.txt | ||
30 | $(call build,firejail-users.txt,firejail-users.5) | ||
31 | |||
32 | firejail-profile.5.gz: firejail-profile.txt | ||
33 | $(call build,firejail-profile.txt,firejail-profile.5) | ||
34 | |||
35 | firemon.1.gz: firemon.txt | ||
36 | $(call build,firemon.txt,firemon.1) | ||
37 | |||
38 | jailcheck.1.gz: jailcheck.txt | ||
39 | $(call build,jailcheck.txt,jailcheck.1) | ||
40 | |||
41 | 24 | ||
42 | .PHONY: clean | 25 | .PHONY: clean |
43 | clean:; rm -fr *.1 *.5 *.gz | 26 | clean:; rm -f *.1 *.5 *.gz |
44 | |||
45 | .PHONY: distclean | ||
46 | distclean: clean | ||
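Review bot: In the `$(MOD_DIR)/%` rule the recipe pipes gawk into mkman.sh, so its exit status is that of mkman.sh alone. A gawk failure still produces a page, possibly empty, that make treats as up to date. No `SHELL`/`.SHELLFLAGS` setting or `.DELETE_ON_ERROR:` is visible in this file (config.mk is not shown). Splitting the pipe into `gawk -f $(MOD_DIR)/preproc.awk -- $(MANFLAGS) <$< >$@.tmp` followed by `$(MOD_DIR)/mkman.sh $(VERSION) <$@.tmp >$@ && rm -f $@.tmp`, and adding `.DELETE_ON_ERROR:`, would make such failures stop the build. The `.gz` rule also consumes its prerequisite with `gzip -n9 $<`; `gzip -n9 <$< >$@` would leave `$<` in place.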
diff --git a/src/man/firecfg.txt b/src/man/firecfg.1.in index 42add6a41..42add6a41 100644 --- a/src/man/firecfg.txt +++ b/src/man/firecfg.1.in | |||
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.5.in index f03fc3c37..f03fc3c37 100644 --- a/src/man/firejail-login.txt +++ b/src/man/firejail-login.5.in | |||
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.5.in index fa294d888..fa294d888 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.5.in | |||
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.5.in index 7aa151680..7aa151680 100644 --- a/src/man/firejail-users.txt +++ b/src/man/firejail-users.5.in | |||
diff --git a/src/man/firejail.txt b/src/man/firejail.1.in index 19fc94ebd..19fc94ebd 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.1.in | |||
diff --git a/src/man/firemon.txt b/src/man/firemon.1.in index fb0cf1175..fb0cf1175 100644 --- a/src/man/firemon.txt +++ b/src/man/firemon.1.in | |||
diff --git a/src/man/jailcheck.txt b/src/man/jailcheck.1.in index e889ea91b..e889ea91b 100644 --- a/src/man/jailcheck.txt +++ b/src/man/jailcheck.1.in | |||
diff --git a/src/man/mkman.sh b/src/man/mkman.sh index b538b0126..0302e0778 100755 --- a/src/man/mkman.sh +++ b/src/man/mkman.sh | |||
@@ -5,8 +5,10 @@ | |||
5 | 5 | ||
6 | set -e | 6 | set -e |
7 | 7 | ||
8 | sed -i "s/VERSION/$1/g" "$2" | ||
9 | MONTH="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b)" | 8 | MONTH="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b)" |
10 | sed -i "s/MONTH/$MONTH/g" "$2" | ||
11 | YEAR="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y)" | 9 | YEAR="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y)" |
12 | sed -i "s/YEAR/$YEAR/g" "$2" | 10 | |
11 | sed \ | ||
12 | -e "s/VERSION/$1/g" \ | ||
13 | -e "s/MONTH/$MONTH/g" \ | ||
14 | -e "s/YEAR/$YEAR/g" | ||
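Review bot: mkman.sh now reads the page on stdin and writes it to stdout, but the hunk adds no usage comment and `$1` is substituted into the sed expression unchecked. With only `set -e`, a missing VERSION argument silently replaces `VERSION` with an empty string, and a value containing `/` or `&` would alter the sed program. A header line such as `# Usage: mkman.sh VERSION <page.in >page` plus `: "${1:?usage: mkman.sh VERSION}"` before the sed call would cover the first two; the top of the script is outside the hunk.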