-rw-r--r-- | README | 1 | ||||
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | etc/firejail.config | 3 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 11 | ||||
-rw-r--r-- | src/firejail/firejail.h | 3 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 9 |
6 files changed, 24 insertions, 4 deletions
@@ -41,6 +41,7 @@ Aleksey Manevich (https://github.com/manevich) | |||
41 | - gether shell selection code in one place | 41 | - gether shell selection code in one place |
42 | greigdp (https://github.com/greigdp) | 42 | greigdp (https://github.com/greigdp) |
43 | - Gajim IM client profile | 43 | - Gajim IM client profile |
44 | - fix Slack profile | ||
44 | Icaro Perseo (https://github.com/icaroperseo) | 45 | Icaro Perseo (https://github.com/icaroperseo) |
45 | - Icecat profile | 46 | - Icecat profile |
46 | - several profile fixes | 47 | - several profile fixes |
@@ -24,6 +24,7 @@ firejail (0.9.42~rc2) baseline; urgency=low | |||
24 | * seccomp filter updated | 24 | * seccomp filter updated |
25 | * compile time and run time support to disable whitelists | 25 | * compile time and run time support to disable whitelists |
26 | * compile time support to disable global configuration file | 26 | * compile time support to disable global configuration file |
27 | * run time support to disable remounting of /proc and /sys | ||
27 | * added quiet-by-default config option in /etc/firejail/firejail.config | 28 | * added quiet-by-default config option in /etc/firejail/firejail.config |
28 | * added netfilter-default config option in /etc/firejail/firejail.config | 29 | * added netfilter-default config option in /etc/firejail/firejail.config |
29 | * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice | 30 | * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice |
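diff --git a/etc/firejail.config b/etc/firejail.config
index 82fe65ac7..1b8d5f4e3 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -3,6 +3,9 @@
 # Most features are enabled by default. Use 'yes' or 'no' as configuration
 # values.
 
+# Remount /proc and /sys inside the sandbox, default enabled.
+# remount-proc-sys yes
+
 # Enable or disable bind support, default enabled.
 # bind yes
 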
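diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index f5ea7439b..c4a6888a9 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -29,7 +29,6 @@ char *xephyr_extra_params = "";
 char *netfilter_default = NULL;
 
 int checkcfg(int val) {
-	EUID_ASSERT();
 	assert(val < CFG_MAX);
 	int line = 0;
 
@@ -38,7 +37,6 @@ int checkcfg(int val) {
 	int i;
 	for (i = 0; i < CFG_MAX; i++)
 		cfg_val[i] = 1; // most of them are enabled by default
-
 	cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default
 	cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default
 
@@ -226,6 +224,15 @@ int checkcfg(int val) {
 			if (strcmp(ptr + 17, "yes") == 0)
 				arg_quiet = 1;
 		}
+		// remount /proc and /sys
+		else if (strncmp(ptr, "remount-proc-sys ", 17) == 0) {
+			if (strcmp(ptr + 17, "yes") == 0)
+				cfg_val[CFG_REMOUNT_PROC_SYS] = 1;
+			else if (strcmp(ptr + 17, "no") == 0)
+				cfg_val[CFG_REMOUNT_PROC_SYS] = 0;
+			else
+				goto errout;
+		}
 		else
 			goto errout;
 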
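Review bot: Removing `EUID_ASSERT()` from the top of checkcfg() (first hunk) widens where the config file may be parsed without recording why; the new callers in sandbox.c (monitor_application and sandbox) are presumably the reason, so the function should carry a comment such as `// no EUID_ASSERT(): also called from sandbox.c (monitor_application, sandbox) for CFG_REMOUNT_PROC_SYS` so the next reader does not reinstate it or assume a specific EUID here. In the third hunk the new remount-proc-sys branch rejects any value other than yes/no via errout, while the neighbouring quiet-by-default branch just above accepts only "yes" and silently ignores everything else; the two styles should agree, or the difference should be stated in a comment. The yes/no/errout pattern is now repeated per option with a hard-coded key length (17), so a small static helper taking the key, its length and the CFG_ index would keep the boolean options parsed in one place. The body of checkcfg() continues outside these hunks.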
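diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 8301a79a0..067d788a6 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -590,7 +590,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh);
 #define CFG_FORCE_NONEWPRIVS 8
 #define CFG_WHITELIST 9
 #define CFG_XEPHYR_WINDOW_TITLE 10
-#define CFG_MAX 11 // this should always be the last entry
+#define CFG_REMOUNT_PROC_SYS 11
+#define CFG_MAX 12 // this should always be the last entry
 extern char *xephyr_screen;
 extern char *xephyr_extra_params;
 extern char *netfilter_default;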
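Review bot: CFG_REMOUNT_PROC_SYS is slotted in by hand as 11 with CFG_MAX bumped to 12, a bookkeeping step that `assert(val < CFG_MAX)` in checkcfg() relies on and that fails silently the first time a new entry forgets the bump; an `enum { ..., CFG_XEPHYR_WINDOW_TITLE, CFG_REMOUNT_PROC_SYS, CFG_MAX }` would keep CFG_MAX automatic. If the defines must stay (they may be consumed by the preprocessor elsewhere, which this hunk does not show), a comment tying the constant to its config key, `#define CFG_REMOUNT_PROC_SYS 11 // firejail.config: remount-proc-sys yes|no`, would at least link it to the parser.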
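diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index a33c81937..0818bf450 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -208,6 +208,12 @@ static int monitor_application(pid_t app_pid) {
 		if (arg_debug)
 			printf("Sandbox monitor: waitpid %u retval %d status %d\n", monitored_pid, rv, status);
 
+		// if /proc is not remounted, we cannot check /proc directory,
+		// for now we just get out of here
+		// todo: find another way of checking child processes!
+		if (!checkcfg(CFG_REMOUNT_PROC_SYS))
+			break;
+
 		DIR *dir;
 		if (!(dir = opendir("/proc"))) {
 			// sleep 2 seconds and try again
@@ -551,7 +557,8 @@ int sandbox(void* sandbox_arg) {
 	//****************************
 	// update /proc, /sys, /dev, /boot directorymy
 	//****************************
-	fs_proc_sys_dev_boot();
+	if (checkcfg(CFG_REMOUNT_PROC_SYS))
+		fs_proc_sys_dev_boot();
 
 	//****************************
 	// apply the profile file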
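Review bot: Gating `fs_proc_sys_dev_boot()` on CFG_REMOUNT_PROC_SYS (new line 560) appears to switch off more than the option name promises: judging by its name and the section banner above it, the helper also handles /dev and /boot, so `remount-proc-sys no` would presumably skip those steps too — confirm against fs_proc_sys_dev_boot and either make only the /proc and /sys part conditional or document the wider effect next to the option in firejail.config. In monitor_application (new lines 211-215) the early `break` fires on every pass after waitpid returns and silently ends child tracking for the rest of the sandbox's life; a debug line before it, `if (arg_debug) printf("Sandbox monitor: /proc not remounted, child monitoring disabled\n");`, would make the skipped check visible, and checkcfg() does not need to be re-evaluated inside the loop. Both enclosing functions start and end outside these hunks.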