-rw-r--r--src/firejail/firejail.h2
-rw-r--r--src/firejail/profile.c4
-rw-r--r--src/firejail/x11.c15
-rw-r--r--src/firemon/firemon.c2
-rw-r--r--todo35
5 files changed, 20 insertions, 38 deletions
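diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index b37c3aba8..1fcb92fea 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -526,6 +526,8 @@ void fs_mkdir(const char *name);
 void fs_x11(void);
 void x11_start(int argc, char **argv);
 int x11_display(void);
+// return 1 if xpra is installed on the system
+int x11_check_xpra(void);
 
 #endif
 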
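diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index ba287027c..8771a7fa8 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -102,13 +102,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		return 0;
 	}
 
+	// mkdir
 	if (strncmp(ptr, "mkdir ", 6) == 0) {
 		fs_mkdir(ptr + 6);
 		return 0;
 	}
-
 	// sandbox name
-	if (strncmp(ptr, "name ", 5) == 0) {
+	else if (strncmp(ptr, "name ", 5) == 0) {
 		cfg.name = ptr + 5;
 		if (strlen(cfg.name) == 0) {
 			fprintf(stderr, "Error: invalid sandbox name\n");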
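Review bot: The new `else if` on the `name ` check hangs off an `if` block that ends in an unconditional `return 0;`, so the `else` changes nothing at runtime while breaking the pattern every other keyword check in this hunk follows (independent `if` + `return`). Mixing the two styles makes it easy for a later check to be chained onto the wrong branch by accident; I would keep the plain `if (strncmp(ptr, "name ", 5) == 0) {` and restore the blank line that was dropped so the `// sandbox name` comment is not glued to the previous block. profile_check_line begins and ends outside this hunk.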
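diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 980a4dbca..8f9a4c11f 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -26,6 +26,17 @@
 #include <dirent.h>
 #include <sys/mount.h>
 
+// return 1 if xpra is installed on the system
+int x11_check_xpra(void) {
+	struct stat s;
+
+	// check xpra
+	if (stat("/usr/bin/xpra", &s) == -1)
+		return 0;
+
+	return 1;
+}
+
 // return display number, -1 if not configured
 int x11_display(void) {
 	// extract display
@@ -117,7 +128,7 @@ void x11_start(int argc, char **argv) {
 	pid_t server = 0;
 
 	// check xpra
-	if (stat("/usr/bin/xpra", &s) == -1) {
+	if (x11_check_xpra() == 0) {
 		fprintf(stderr, "\nError: Xpra program was not found in /usr/bin directory, please install it:\n");
 		fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xpra\n");
 		exit(0);
@@ -127,6 +138,8 @@ void x11_start(int argc, char **argv) {
 	int found = 1;
 	for (i = 0; i < 100; i++) {
 		display = rand() % 1024;
+		if (display < 10)
+			continue;
 		char *fname;
 		if (asprintf(&fname, "/tmp/.X11-unix/X%d", display) == -1)
 			errExit("asprintf");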
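Review bot: `x11_check_xpra()` reports "installed" on any successful `stat()` of `/usr/bin/xpra`, but existence is not executability — a directory or a non-executable leftover at that path passes the check and the later launch fails with a less helpful error. `if (access("/usr/bin/xpra", X_OK) != 0) return 0;` (or an `S_ISREG(s.st_mode)` test on the stat result) expresses what the caller actually needs, and the comment could then read `// return 1 if /usr/bin/xpra exists and is executable`. In the second hunk the only visible use of the local `struct stat s` in `x11_start` was the removed `stat()` call; if it had no other use, `s` is now an unused variable (its declaration is outside the hunk). In the third hunk the new `display < 10` skip reserves low display numbers without saying why; a short comment such as `// skip 0-9, presumably taken by real X servers -- confirm` would make the intent reviewable. `x11_start` begins and ends outside these hunks.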
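diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c
index c19c344b0..0e38696ac 100644
--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
@@ -224,7 +224,7 @@ int main(int argc, char **argv) {
 	if (arg_x11)
 		x11((pid_t) pid);
 
-	if (!arg_route && !arg_arp && !arg_interface && !arg_tree && !arg_caps && !arg_seccomp)
+	if (!arg_route && !arg_arp && !arg_interface && !arg_tree && !arg_caps && !arg_seccomp && !arg_x11)
 		procevent((pid_t) pid); // never to return
 
 	return 0;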
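Review bot: The `!arg_x11` appended to the `procevent` guard is the seventh negated flag in that condition, and every new report option has to be remembered here or firemon silently blocks in `procevent()` after printing its report — exactly the bug this line fixes for `--x11`. Consider computing the intent once where the flags are parsed, e.g. `int report_only = arg_route || arg_arp || arg_interface || arg_tree || arg_caps || arg_seccomp || arg_x11;`, and testing `if (!report_only)` here so the list lives in one place. `main` begins outside this hunk.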
diff --git a/todo b/todo
index 438637d24..78b49dde6 100644
--- a/todo
+++ b/todo
@@ -1,34 +1 @@
11. Disable /dev/tcp in bash. Compiled time: --enable-net-redirections, --disable-net-redirections firejail --noprofile --net=eth0 --x11 xterm -fg white -bg black
2ksh and zsh seem to have it.
3
4Tests:
5a)
6cat </dev/tcp/time.nist.gov/13
7
8b)
9exec 3<>/dev/tcp/www.google.com/80
10echo -e "GET / HTTP/1.1\r\nhost: http://www.google.com\r\nConnection: close\r\n\r\n" >&3
11cat <&3
12
13c) A list of attacks
14http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
15
162. SELinux integration
17
18Firefox selinux disabled (RedHat): http://danwalsh.livejournal.com/72697.html
19Firefox selinux enabled (Gentoo hardened): http://blog.siphos.be/2015/08/why-we-do-confine-firefox/
20"desktops are notoriously difficult to use a mandatory access control system on"
21
223. abstract unix socket bridge, example for ibus:
23
24before the sandbox is started
25socat UNIX-LISTEN:/tmp/mysoc,fork ABSTRACT-CONNECT:/tmp/dbus-awBoQTCc &
26in sandbox
27socat ABSTRACT-LISTEN:/tmp/dbus-awBoQTCc,fork UNIX-CONNECT:/tmp/mysock
28
295. add support for --ip, --iprange, --mac and --mtu for --interface option
30
316. --shutdown does not clear sandboxes started with --join
32
337. profile for okular
34