-rw-r--r--.github/workflows/codeql-analysis.yml6
-rw-r--r--.gitignore21
-rw-r--r--Makefile57
-rw-r--r--RELNOTES6
-rw-r--r--etc/profile-m-z/server.profile2
-rw-r--r--src/firejail/firejail.h1
-rw-r--r--src/firejail/main.c5
-rw-r--r--src/firejail/preproc.c4
-rw-r--r--src/firejail/profile.c4
-rw-r--r--src/firejail/sandbox.c14
-rw-r--r--src/fnettrace/Makefile3
-rw-r--r--src/include/rundefs.h2
-rw-r--r--src/man/Makefile60
-rw-r--r--src/man/firecfg.1.in (renamed from src/man/firecfg.txt)0
-rw-r--r--src/man/firejail-login.5.in (renamed from src/man/firejail-login.txt)0
-rw-r--r--src/man/firejail-profile.5.in (renamed from src/man/firejail-profile.txt)0
-rw-r--r--src/man/firejail-users.5.in (renamed from src/man/firejail-users.txt)0
-rw-r--r--src/man/firejail.1.in (renamed from src/man/firejail.txt)0
-rw-r--r--src/man/firemon.1.in (renamed from src/man/firemon.txt)0
-rw-r--r--src/man/jailcheck.1.in (renamed from src/man/jailcheck.txt)0
-rwxr-xr-xsrc/man/mkman.sh8
21 files changed, 104 insertions, 89 deletions
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 9b82ab240..1c4c952f5 100644
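--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -93,7 +93,7 @@ jobs:
 
  # Initializes the CodeQL tools for scanning.
  - name: Initialize CodeQL
- uses: github/codeql-action/init@f6e388ebf0efc915c6c5b165b019ee61a6746a38
+ uses: github/codeql-action/init@46ed16ded91731b2df79a2893d3aea8e9f03b5c4
  with:
  languages: ${{ matrix.language }}
  # If you wish to specify custom queries, you can do so here or in a config file.
@@ -104,7 +104,7 @@ jobs:
  # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
  # If this step fails, then you should remove it and run the build manually (see below)
  - name: Autobuild
- uses: github/codeql-action/autobuild@f6e388ebf0efc915c6c5b165b019ee61a6746a38
+ uses: github/codeql-action/autobuild@46ed16ded91731b2df79a2893d3aea8e9f03b5c4
 
  # ℹī¸ Command-line programs to run using the OS shell.
  # 📚 https://git.io/JvXDl
@@ -118,4 +118,4 @@ jobs:
  # make release
 
  - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@f6e388ebf0efc915c6c5b165b019ee61a6746a38
+ uses: github/codeql-action/analyze@46ed16ded91731b2df79a2893d3aea8e9f03b5c4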
diff --git a/.gitignore b/.gitignore
index 180f623eb..2285c3e5d 100644
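--- a/.gitignore
+++ b/.gitignore
@@ -6,9 +6,9 @@
 *.rpm
 *.gcda
 *.gcno
+*.gz
 *.DS_Store
 .directory
-*.man
 .vscode
 /firejail-*/
 autom4te.cache/
@@ -20,14 +20,6 @@ contrib/syntax/files/example
 contrib/syntax/files/firejail-profile.lang
 contrib/syntax/files/firejail.vim
 firejail-*.tar.xz
-firejail-login.5
-firejail-profile.5
-firejail-config.5
-firejail-users.5
-firejail.1
-firemon.1
-firecfg.1
-jailcheck.1
 src/fnettrace-dns/fnettrace-dns
 src/fnettrace-sni/fnettrace-sni
 src/fnettrace-icmp/fnettrace-icmp
@@ -61,15 +53,12 @@ seccomp.64
 seccomp.block_secondary
 seccomp.mdwx
 seccomp.mdwx.32
+seccomp.namespaces
+seccomp.namespaces.32
 aclocal.m4
 __pycache__
 *.pyc
 *.pyo
 src/fnettrace/static-ip-map
-src/man/firecfg.1.gz
-src/man/firejail-login.5.gz
-src/man/firejail-profile.5.gz
-src/man/firejail-users.5.gz
-src/man/firejail.1.gz
-src/man/firemon.1.gz
-src/man/jailcheck.1.gz
+src/man/*.1
+src/man/*.5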
diff --git a/Makefile b/Makefile
index 494f853d5..53b57a0e1 100644
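--- a/Makefile
+++ b/Makefile
@@ -2,6 +2,10 @@
 ROOT = .
 -include config.mk
 
+ifneq ($(HAVE_MAN),no)
+MAN_TARGET = man
+endif
+
 ifneq ($(HAVE_CONTRIB_INSTALL),no)
 CONTRIB_TARGET = contrib
 endif
@@ -14,10 +18,15 @@ SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfil
 SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp
 SBOX_APPS_NON_DUMPABLE += src/fnettrace/fnettrace src/fnettrace-dns/fnettrace-dns src/fnettrace-sni/fnettrace-sni
 SBOX_APPS_NON_DUMPABLE += src/fnettrace-icmp/fnettrace-icmp
-MYDIRS = src/lib src/man $(COMPLETIONDIRS)
+MYDIRS = src/lib $(COMPLETIONDIRS)
 MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
 COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
-SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
+SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 seccomp.namespaces seccomp.namespaces.32
+
+MANPAGES1_IN := $(sort $(wildcard src/man/*.1.in))
+MANPAGES5_IN := $(sort $(wildcard src/man/*.5.in))
+MANPAGES1_GZ := $(MANPAGES1_IN:.in=.gz)
+MANPAGES5_GZ := $(MANPAGES5_IN:.in=.gz)
 
 SYSCALL_HEADERS := $(sort $(wildcard src/include/syscall*.h))
 
@@ -37,13 +46,13 @@ SYNTAX_FILES := $(SYNTAX_FILES_IN:.in=)
 ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
 
 .PHONY: all
-all: all_items mydirs $(CONTRIB_TARGET)
+all: all_items mydirs filters $(MAN_TARGET) $(CONTRIB_TARGET)
 
 config.mk config.sh:
  @printf 'error: run ./configure to generate %s\n' "$@" >&2
  @false
 
-.PHONY: all_items $(ALL_ITEMS)
+.PHONY: all_items
 all_items: $(ALL_ITEMS)
 $(ALL_ITEMS): $(MYDIRS)
  $(MAKE) -C $(dir $@)
@@ -53,19 +62,38 @@ mydirs: $(MYDIRS)
 $(MYDIRS):
  $(MAKE) -C $@
 
-define build_filters
+.PHONY: filters
+filters: $(SECCOMP_FILTERS)
+seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
  src/fseccomp/fseccomp default seccomp
  src/fsec-optimize/fsec-optimize seccomp
+
+seccomp.debug: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
  src/fseccomp/fseccomp default seccomp.debug allow-debuggers
  src/fsec-optimize/fsec-optimize seccomp.debug
+
+seccomp.32: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
  src/fseccomp/fseccomp secondary 32 seccomp.32
  src/fsec-optimize/fsec-optimize seccomp.32
+
+seccomp.block_secondary: src/fseccomp/fseccomp
  src/fseccomp/fseccomp secondary block seccomp.block_secondary
+
+seccomp.mdwx: src/fseccomp/fseccomp
  src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx
+
+seccomp.mdwx.32: src/fseccomp/fseccomp
  src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32
-endef
 
+seccomp.namespaces: src/fseccomp/fseccomp
+ src/fseccomp/fseccomp restrict-namespaces seccomp.namespaces cgroup,ipc,net,mnt,pid,time,user,uts
 
+seccomp.namespaces.32: src/fseccomp/fseccomp
+ src/fseccomp/fseccomp restrict-namespaces seccomp.namespaces.32 cgroup,ipc,net,mnt,pid,time,user,uts
+
+.PHONY: man
+man:
+ $(MAKE) -C src/man
 
 # Makes all targets in contrib/
 .PHONY: contrib
@@ -135,6 +163,7 @@ clean:
  for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \
  $(MAKE) -C $$dir clean; \
  done
+ $(MAKE) -C src/man clean
  $(MAKE) -C test clean
  rm -f $(SECCOMP_FILTERS)
  rm -f firejail*.rpm
@@ -178,7 +207,6 @@ endif
  # libraries and plugins
  install -m 0755 -d $(DESTDIR)$(libdir)/firejail
  install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/firecfg/firejail-welcome.sh
- $(call build_filters)
  install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS)
  install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)
  install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/profstats/profstats
@@ -228,13 +256,8 @@ endif
 ifneq ($(HAVE_MAN),no)
  # man pages
  install -m 0755 -d $(DESTDIR)$(mandir)/man1 $(DESTDIR)$(mandir)/man5
- install -m 0644 src/man/firejail.1.gz $(DESTDIR)$(mandir)/man1/
- install -m 0644 src/man/firemon.1.gz $(DESTDIR)$(mandir)/man1/
- install -m 0644 src/man/firecfg.1.gz $(DESTDIR)$(mandir)/man1/
- install -m 0644 src/man/jailcheck.1.gz $(DESTDIR)$(mandir)/man1/
- install -m 0644 src/man/firejail-login.5.gz $(DESTDIR)$(mandir)/man5/
- install -m 0644 src/man/firejail-users.5.gz $(DESTDIR)$(mandir)/man5/
- install -m 0644 src/man/firejail-profile.5.gz $(DESTDIR)$(mandir)/man5/
+ install -m 0644 $(MANPAGES1_GZ) $(DESTDIR)$(mandir)/man1/
+ install -m 0644 $(MANPAGES5_GZ) $(DESTDIR)$(mandir)/man5/
 endif
  # bash completion
  install -m 0755 -d $(DESTDIR)$(datarootdir)/bash-completion/completions
@@ -262,10 +285,8 @@ uninstall: config.mk
  rm -f $(DESTDIR)$(bindir)/jailcheck
  rm -fr $(DESTDIR)$(libdir)/firejail
  rm -fr $(DESTDIR)$(datarootdir)/doc/firejail
- for man in $(MANPAGES); do \
- rm -f $(DESTDIR)$(mandir)/man5/$$man*; \
- rm -f $(DESTDIR)$(mandir)/man1/$$man*; \
- done
+ rm -f $(addprefix $(DESTDIR)$(mandir)/man1/,$(notdir $(MANPAGES1_GZ)))
+ rm -f $(addprefix $(DESTDIR)$(mandir)/man5/,$(notdir $(MANPAGES5_GZ)))
  rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail
  rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon
  rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg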
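Review bot: The recipe added for `seccomp.namespaces.32` runs the same `restrict-namespaces` subcommand with the same arguments as the one for `seccomp.namespaces`, differing only in the output name, so the two files are presumably identical native-architecture filters. The neighbouring `seccomp.mdwx.32` rule uses a dedicated `memory-deny-write-execute.32` subcommand, which suggests the 32-bit filter needs its own generator call. If fseccomp has a 32-bit form of this subcommand, the rule should call it; if it does not, a comment on the rule should say why the native filter is sufficient, because sandbox.c in this commit loads the `.32` file as a separate filter. Without that, a sandbox using the prebuilt path may leave the secondary architecture's namespace syscalls unfiltered.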
diff --git a/RELNOTES b/RELNOTES
index e356d712a..dfa62a7c0 100644
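--- a/RELNOTES
+++ b/RELNOTES
@@ -6,6 +6,7 @@ firejail (0.9.73) baseline; urgency=low
  overwritten using --hostname command
  * feature: add IPv6 support for --net.print option
  * feature: QUIC (HTTP/3) support in --nettrace
+ * feature: use seccomp filters build at install time for --restrict-namespaces
  * modif: Stop forwarding own double-dash to the shell (#5599 #5600)
  * modif: Prevent sandbox name (--name=) and host name (--hostname=)
  from containing only digits (#5578 #5741)
@@ -20,8 +21,6 @@ firejail (0.9.73) baseline; urgency=low
  #5618)
  * bugfix: fix --hostname and --hosts-file commands
  * bugfix: arp.c: ensure positive timeout on select(2) (#5806)
- * bugfix: makefiles fixes: seccomp filters and man pages are build every
- time when running make
  * build: auto-generate syntax files (#5627)
  * build: mark all phony targets as such (#5637)
  * build: mkdeb.sh: pass all arguments to ./configure (#5654)
@@ -31,6 +30,9 @@ firejail (0.9.73) baseline; urgency=low
  * build: remove -mretpoline and NO_EXTRA_CFLAGS (#5859)
  * build: disable all built-in implicit make rules (#5864)
  * build: organize and standardize make vars and targets (#5866)
+ * build: fix seccomp filters and man pages always being rebuilt when running
+ make
+ * build: simplify code related to man pages (#5898)
  * ci: always update the package db before installing packages (#5742)
  * ci: fix codeql unable to download its own bundle (#5783)
  * ci: split configure/build/install commands on gitlab (#5784)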
diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile
index 5b71fe6c3..05170267b 100644
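--- a/etc/profile-m-z/server.profile
+++ b/etc/profile-m-z/server.profile
@@ -93,4 +93,4 @@ dbus-user none
 # deterministic-shutdown
 # memory-deny-write-execute
 # read-only ${HOME}
-restrict-namespaces
+# restrict-namespaces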
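Review bot: Commenting out `restrict-namespaces` on the last line removes the namespace restriction from the server profile, and nothing in the profile or in the RELNOTES entries of this commit says why. If this is a temporary step while the prebuilt namespaces filter is introduced, the file should say so next to the option, for example `# restrict-namespaces  # disabled: <reason placeholder>`. A RELNOTES line noting the changed default would let users who rely on this profile re-enable the option in a local override.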
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index d85b470e6..c791913ea 100644
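--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -357,6 +357,7 @@ extern int arg_deterministic_exit_code; // always exit with first child's exit s
 extern int arg_deterministic_shutdown; // shut down the sandbox if first child dies
 extern int arg_keep_fd_all; // inherit all file descriptors to sandbox
 extern int arg_netlock; // netlocker
+extern int arg_restrict_namespaces;
 
 typedef enum {
  DBUS_POLICY_ALLOW, // Allow unrestricted access to the bus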
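Review bot: The added `arg_restrict_namespaces` declaration has no trailing comment, while the visible declarations above it each describe their flag. Judging from sandbox.c in this commit, the flag selects the prebuilt namespaces filter, so something like `extern int arg_restrict_namespaces; // restrict-namespaces without a list: load the prebuilt filter` would fit; the wording is inferred and should be confirmed against the option parser.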
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 732ca93c2..45b199db4 100644
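--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -165,6 +165,7 @@ int arg_tab = 0;
 int login_shell = 0;
 int just_run_the_shell = 0;
 int arg_netlock = 0;
+int arg_restrict_namespaces = 0;
 
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -1508,8 +1509,10 @@ int main(int argc, char **argv, char **envp) {
  exit_err_feature("seccomp");
  }
  else if (strcmp(argv[i], "--restrict-namespaces") == 0) {
- if (checkcfg(CFG_SECCOMP))
+ if (checkcfg(CFG_SECCOMP)) {
+ arg_restrict_namespaces = 1;
  profile_list_augment(&cfg.restrict_namespaces, "cgroup,ipc,net,mnt,pid,time,user,uts");
+ }
  else
  exit_err_feature("seccomp");
  }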
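Review bot: The namespace list literal `"cgroup,ipc,net,mnt,pid,time,user,uts"` in the second hunk now has to match the list in the top-level Makefile recipes for `seccomp.namespaces`, and the same literal appears again in the profile.c hunk of this commit. With `arg_restrict_namespaces` set, sandbox.c loads the filter built from the Makefile's list, apparently without regenerating it when the error action is EPERM, so a later edit to one copy would change what is enforced without any build error. Defining the list once in a shared header, e.g. `#define RESTRICT_NAMESPACES_ALL "cgroup,ipc,net,mnt,pid,time,user,uts"` (name is a suggestion), and using it in both C files would leave a single C-side copy to keep in step with the Makefile. The enclosing `main()` starts and ends outside the hunk.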
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index 6055ec95b..e0c11a005 100644
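--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -96,12 +96,16 @@ void preproc_mount_mnt_dir(void) {
  if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))
  errExit("set_perms");
  if (cfg.restrict_namespaces) {
+ copy_file(PATH_SECCOMP_NAMESPACES, RUN_SECCOMP_NS, getuid(), getgid(), 0644); // root needed
+ copy_file(PATH_SECCOMP_NAMESPACES_32, RUN_SECCOMP_NS_32, getuid(), getgid(), 0644); // root needed
+#if 0
  create_empty_file_as_root(RUN_SECCOMP_NS, 0644);
  if (set_perms(RUN_SECCOMP_NS, getuid(), getgid(), 0644))
  errExit("set_perms");
  create_empty_file_as_root(RUN_SECCOMP_NS_32, 0644);
  if (set_perms(RUN_SECCOMP_NS_32, getuid(), getgid(), 0644))
  errExit("set_perms");
+#endif
  }
  create_empty_file_as_root(RUN_SECCOMP_POSTEXEC, 0644);
  if (set_perms(RUN_SECCOMP_POSTEXEC, getuid(), getgid(), 0644))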
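Review bot: The two added `copy_file()` calls discard any result, while the code they replace (now inside `#if 0`) aborted with `errExit("set_perms")` when the run-time file could not be set up. If `copy_file()` reports failure through its return value, check it here, e.g. `if (copy_file(PATH_SECCOMP_NAMESPACES, RUN_SECCOMP_NS, getuid(), getgid(), 0644)) errExit("copy_file");`, so a missing or unreadable prebuilt filter under LIBDIR stops sandbox setup at the point of failure instead of depending on how the later `seccomp_load()` handles an absent file. The `#if 0 … #endif` block is dead code and is better deleted, since the history already keeps the old lines. `preproc_mount_mnt_dir()` begins and ends outside the hunk.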
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index ae881664b..07449f646 100644
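--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1088,8 +1088,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 
  // restrict-namespaces
  if (strcmp(ptr, "restrict-namespaces") == 0) {
- if (checkcfg(CFG_SECCOMP))
+ if (checkcfg(CFG_SECCOMP)) {
+ arg_restrict_namespaces = 1;
  profile_list_augment(&cfg.restrict_namespaces, "cgroup,ipc,net,mnt,pid,time,user,uts");
+ }
  else
  warning_feature_disabled("seccomp");
  return 0;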
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 9eb476f16..538f5be67 100644
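--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1211,7 +1211,19 @@ int sandbox(void* sandbox_arg) {
  seccomp_load(RUN_SECCOMP_MDWX_32);
  }
 
- if (cfg.restrict_namespaces) {
+ if (arg_restrict_namespaces) {
+ if (arg_seccomp_error_action != EPERM) {
+ seccomp_filter_namespaces(true, cfg.restrict_namespaces);
+ seccomp_filter_namespaces(false, cfg.restrict_namespaces);
+ }
+
+ if (arg_debug)
+ printf("Install namespaces filter\n");
+ seccomp_load(RUN_SECCOMP_NS); // install filter
+ seccomp_load(RUN_SECCOMP_NS_32);
+
+ }
+ else if (cfg.restrict_namespaces) {
  seccomp_filter_namespaces(true, cfg.restrict_namespaces);
  seccomp_filter_namespaces(false, cfg.restrict_namespaces);
 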
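Review bot: The new `if (arg_restrict_namespaces)` branch gives no reason for the `arg_seccomp_error_action != EPERM` test, although the choice between the prebuilt and the regenerated filter depends on it. Presumably the filter copied from LIBDIR was built with the default EPERM action and must be regenerated for any other action; a comment above the test such as `// prebuilt filter returns EPERM; regenerate it for any other error action` would record that. The branch also repeats the two `seccomp_filter_namespaces()` calls of the `else if` that follows. The rest of that `else if` lies outside the hunk, but if it ends in the same two `seccomp_load()` calls, a single `if (cfg.restrict_namespaces)` block that guards only the generation step with `!arg_restrict_namespaces || arg_seccomp_error_action != EPERM` would leave one copy of the load sequence to maintain.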
diff --git a/src/fnettrace/Makefile b/src/fnettrace/Makefile
index 9748a3b47..68a4cbdc0 100644
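--- a/src/fnettrace/Makefile
+++ b/src/fnettrace/Makefile
@@ -11,6 +11,3 @@ include $(ROOT)/src/prog.mk
 all: $(TARGET) static-ip-map
 static-ip-map: static-ip-map.txt fnettrace
  ./fnettrace --squash-map=static-ip-map.txt > static-ip-map
-
-
-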
diff --git a/src/include/rundefs.h b/src/include/rundefs.h
index 7fc0f21f3..d36851a4e 100644
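--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -79,6 +79,8 @@
 #define PATH_SECCOMP_DEBUG_32 LIBDIR "/firejail/seccomp.debug32" // 32bit arch debug filter built during make
 #define PATH_SECCOMP_MDWX LIBDIR "/firejail/seccomp.mdwx" // filter for memory-deny-write-execute built during make
 #define PATH_SECCOMP_MDWX_32 LIBDIR "/firejail/seccomp.mdwx.32"
+#define PATH_SECCOMP_NAMESPACES LIBDIR "/firejail/seccomp.namespaces" // filter for restrict-namespaces
+#define PATH_SECCOMP_NAMESPACES_32 LIBDIR "/firejail/seccomp.namespaces.32"
 #define PATH_SECCOMP_BLOCK_SECONDARY LIBDIR "/firejail/seccomp.block_secondary" // secondary arch blocking filter built during make
 
 #define RUN_DEV_DIR RUN_MNT_DIR "/dev"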
diff --git a/src/man/Makefile b/src/man/Makefile
index 17c5cde13..526ed7fcb 100644
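--- a/src/man/Makefile
+++ b/src/man/Makefile
@@ -2,45 +2,25 @@
 ROOT = ../..
 -include $(ROOT)/config.mk
 
-all: firecfg.1.gz firejail.1.gz firejail-login.5.gz firejail-users.5.gz firejail-profile.5.gz firemon.1.gz jailcheck.1.gz
-
-#firecfg.1.gz: firecfg.txt
-# gawk -f ./preproc.awk -- $(MANFLAGS) < $< > firecfg.1
-# ./mkman.sh $(VERSION) firecfg.1
-# gzip -n9 firecfg.1
-
-# a small function to build a manpage
-define build
- gawk -f ./preproc.awk -- $(MANFLAGS) < $1 > $2
- ./mkman.sh $(VERSION) ./$2
- rm -f $2.gz
- gzip -n9 $2
-endef
-
-firecfg.1.gz: firecfg.txt
- $(call build,firecfg.txt,firecfg.1)
-
-firejail.1.gz: firejail.txt
- $(call build,firejail.txt,firejail.1)
-
-firejail-login.5.gz: firejail-login.txt
- $(call build,firejail-login.txt,firejail-login.5)
-
-firejail-users.5.gz: firejail-users.txt
- $(call build,firejail-users.txt,firejail-users.5)
-
-firejail-profile.5.gz: firejail-profile.txt
- $(call build,firejail-profile.txt,firejail-profile.5)
-
-firemon.1.gz: firemon.txt
- $(call build,firemon.txt,firemon.1)
-
-jailcheck.1.gz: jailcheck.txt
- $(call build,jailcheck.txt,jailcheck.1)
-
+MOD_DIR := $(ROOT)/src/man
+MANPAGES_IN := $(sort $(wildcard $(MOD_DIR)/*.in))
+MANPAGES_GZ := $(MANPAGES_IN:.in=.gz)
+TARGET = $(MANPAGES_GZ)
+
+.PHONY: all
+all: $(TARGET)
+
+# foo.1: foo.1.in
+$(MOD_DIR)/%: $(MOD_DIR)/%.in $(ROOT)/config.mk
+ @printf 'Generating %s from %s\n' $@ $<
+ @gawk -f $(MOD_DIR)/preproc.awk -- $(MANFLAGS) <$< | \
+ $(MOD_DIR)/mkman.sh $(VERSION) >$@
+
+# foo.1.gz: foo.1
+$(MOD_DIR)/%.gz: $(MOD_DIR)/%
+ @printf 'Generating %s from %s\n' $@ $<
+ @rm -f $@
+ @gzip -n9 $<
 
 .PHONY: clean
-clean:; rm -fr *.1 *.5 *.gz
-
-.PHONY: distclean
-distclean: clean
+clean:; rm -f *.1 *.5 *.gz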
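Review bot: In the new `$(MOD_DIR)/%` rule the recipe's exit status is that of `mkman.sh`, the last command of the pipeline, so a failing `gawk` goes unnoticed and an empty or truncated page is written to `$@`, then compressed and installed. Declaring `.DELETE_ON_ERROR:` and splitting the pipeline into `gawk -f $(MOD_DIR)/preproc.awk -- $(MANFLAGS) <$< >$@.tmp` followed by `$(MOD_DIR)/mkman.sh $(VERSION) <$@.tmp >$@ && rm -f $@.tmp` would let make see a failure of either step. Every recipe line is also prefixed with `@`, which hides the command that failed; silencing only the `printf` lines keeps the log useful. The `distclean` target is removed here, so any `$(MAKE) -C src/man distclean` left in the top-level Makefile (not visible on this page) would now fail and is worth checking.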
diff --git a/src/man/firecfg.txt b/src/man/firecfg.1.in
index 42add6a41..42add6a41 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.1.in
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.5.in
index f03fc3c37..f03fc3c37 100644
--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.5.in
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.5.in
index fa294d888..fa294d888 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.5.in
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.5.in
index 7aa151680..7aa151680 100644
--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.5.in
diff --git a/src/man/firejail.txt b/src/man/firejail.1.in
index 19fc94ebd..19fc94ebd 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.1.in
diff --git a/src/man/firemon.txt b/src/man/firemon.1.in
index fb0cf1175..fb0cf1175 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.1.in
diff --git a/src/man/jailcheck.txt b/src/man/jailcheck.1.in
index e889ea91b..e889ea91b 100644
--- a/src/man/jailcheck.txt
+++ b/src/man/jailcheck.1.in
diff --git a/src/man/mkman.sh b/src/man/mkman.sh
index b538b0126..0302e0778 100755
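--- a/src/man/mkman.sh
+++ b/src/man/mkman.sh
@@ -5,8 +5,10 @@
 
 set -e
 
-sed -i "s/VERSION/$1/g" "$2"
 MONTH="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b)"
-sed -i "s/MONTH/$MONTH/g" "$2"
 YEAR="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y)"
-sed -i "s/YEAR/$YEAR/g" "$2"
+
+sed \
+ -e "s/VERSION/$1/g" \
+ -e "s/MONTH/$MONTH/g" \
+ -e "s/YEAR/$YEAR/g"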
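Review bot: The script is now a stdin-to-stdout filter and no longer reads `$2`, but nothing in the visible lines documents or enforces the new calling convention. A caller still passing a file name as the second argument would leave `sed` waiting on standard input instead of failing. A usage comment such as `# usage: mkman.sh VERSION <page.in >page` and a guard like `[ "$#" -eq 1 ] || { echo "usage: $0 VERSION" >&2; exit 1; }` after `set -e` would make the misuse visible. Separately, `$1` is spliced unescaped into `-e "s/VERSION/$1/g"`, so a version string containing `/` or `&` would break or alter the substitution; checking it against the expected version pattern first is cheap. The script header is outside the hunk.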