-rw-r--r-- | .github/pull_request_template.md | 8 | ||||
-rw-r--r-- | etc/inc/disable-programs.inc | 4 | ||||
-rw-r--r-- | etc/profile-m-z/newsbeuter.profile | 18 | ||||
-rw-r--r-- | etc/profile-m-z/newsboat.profile | 14 | ||||
-rw-r--r-- | etc/profile-m-z/telegram.profile | 10 | ||||
-rw-r--r-- | etc/profile-m-z/virtualbox.profile | 1 | ||||
-rw-r--r-- | etc/profile-m-z/youtube-dl-gui.profile | 56 | ||||
-rw-r--r-- | etc/templates/profile.template | 2 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 1 | ||||
-rw-r--r-- | src/firejail/fs.c | 1 | ||||
-rw-r--r-- | src/firejail/fs_home.c | 7 | ||||
-rw-r--r-- | src/firejail/restrict_users.c | 65 | ||||
-rw-r--r-- | src/include/rundefs.h | 2 |
13 files changed, 134 insertions, 55 deletions
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 71791c000..57ac2e9c4 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md | |||
@@ -1,10 +1,10 @@ | |||
1 | 1 | ||
2 | If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR. | 2 | If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR. |
3 | 3 | ||
4 | If you make a PR for new profiles or changeing profiles please do the following: | 4 | If you submit a PR for new profiles or changing profiles, please do the following: |
5 | - The ordering of options follow the rules descripted in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template). | 5 | - The ordering of options follow the rules described in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template). |
6 | > Hint: The profile-template is very new, if you install firejail with your package-manager, it maybe missing, therefore, and to follow the latest rules, it is recommended to use the template from the repository. | 6 | > Hint: The profile-template is very new. If you install firejail with your package manager, it may be missing. In order to follow the latest rules, it is recommended to use the template from the repository. |
7 | - Order the arguments of options alphabetical, you can easy do this with the [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py). | 7 | - Order the arguments of options alphabetically. You can easily do this with [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py). |
8 | The path to it depends on your distro: | 8 | The path to it depends on your distro: |
9 | 9 | ||
10 | | Distro | Path | | 10 | | Distro | Path | |
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 06b8cfb6d..7a37c9fb4 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
@@ -334,6 +334,7 @@ blacklist ${HOME}/.config/nemo | |||
334 | blacklist ${HOME}/.config/neomutt | 334 | blacklist ${HOME}/.config/neomutt |
335 | blacklist ${HOME}/.config/netsurf | 335 | blacklist ${HOME}/.config/netsurf |
336 | blacklist ${HOME}/.config/newsbeuter | 336 | blacklist ${HOME}/.config/newsbeuter |
337 | blacklist ${HOME}/.config/newsboat | ||
337 | blacklist ${HOME}/.config/newsflash | 338 | blacklist ${HOME}/.config/newsflash |
338 | blacklist ${HOME}/.config/nheko | 339 | blacklist ${HOME}/.config/nheko |
339 | blacklist ${HOME}/.config/NitroShare | 340 | blacklist ${HOME}/.config/NitroShare |
@@ -437,6 +438,7 @@ blacklist ${HOME}/.config/yandex-browser | |||
437 | blacklist ${HOME}/.config/yandex-browser-beta | 438 | blacklist ${HOME}/.config/yandex-browser-beta |
438 | blacklist ${HOME}/.config/yelp | 439 | blacklist ${HOME}/.config/yelp |
439 | blacklist ${HOME}/.config/youtube-dl | 440 | blacklist ${HOME}/.config/youtube-dl |
441 | blacklist ${HOME}/.config/youtube-dlg | ||
440 | blacklist ${HOME}/.config/youtubemusic-nativefier-040164 | 442 | blacklist ${HOME}/.config/youtubemusic-nativefier-040164 |
441 | blacklist ${HOME}/.config/youtube-music-desktop-app | 443 | blacklist ${HOME}/.config/youtube-music-desktop-app |
442 | blacklist ${HOME}/.config/youtube-viewer | 444 | blacklist ${HOME}/.config/youtube-viewer |
@@ -702,6 +704,8 @@ blacklist ${HOME}/.local/share/nautilus-python | |||
702 | blacklist ${HOME}/.local/share/nemo | 704 | blacklist ${HOME}/.local/share/nemo |
703 | blacklist ${HOME}/.local/share/nemo-python | 705 | blacklist ${HOME}/.local/share/nemo-python |
704 | blacklist ${HOME}/.local/share/news-flash | 706 | blacklist ${HOME}/.local/share/news-flash |
707 | blacklist ${HOME}/.local/share/newsbeuter | ||
708 | blacklist ${HOME}/.local/share/newsboat | ||
705 | blacklist ${HOME}/.local/share/nomacs | 709 | blacklist ${HOME}/.local/share/nomacs |
706 | blacklist ${HOME}/.local/share/notes | 710 | blacklist ${HOME}/.local/share/notes |
707 | blacklist ${HOME}/.local/share/ocenaudio | 711 | blacklist ${HOME}/.local/share/ocenaudio |
diff --git a/etc/profile-m-z/newsbeuter.profile b/etc/profile-m-z/newsbeuter.profile index 85581a2f0..6efb19502 100644 --- a/etc/profile-m-z/newsbeuter.profile +++ b/etc/profile-m-z/newsbeuter.profile | |||
@@ -7,13 +7,23 @@ include newsbeuter.local | |||
7 | # added by included profile | 7 | # added by included profile |
8 | #include globals.local | 8 | #include globals.local |
9 | 9 | ||
10 | noblacklist ${HOME}/.config/newsbeuter | 10 | ignore include newsboat.local |
11 | noblacklist ${HOME}/.newsbeuter | 11 | ignore mkdir ${HOME}/.config/newsboat |
12 | ignore mkdir ${HOME}/.local/share/newsboat | ||
13 | ignore mkdir ${HOME}/.newsboat | ||
14 | blacklist ${PATH}/newsboat | ||
15 | |||
16 | blacklist ${HOME}/.config/newsboat | ||
17 | blacklist ${HOME}/.local/share/newsboat | ||
18 | blacklist ${HOME}/.newsboat | ||
19 | |||
20 | nowhitelist ${HOME}/.config/newsboat | ||
21 | nowhitelist ${HOME}/.local/share/newsboat | ||
22 | nowhitelist ${HOME}/.newsboat | ||
12 | 23 | ||
13 | mkdir ${HOME}/.config/newsbeuter | 24 | mkdir ${HOME}/.config/newsbeuter |
25 | mkdir ${HOME}/.local/share/newsbeuter | ||
14 | mkdir ${HOME}/.newsbeuter | 26 | mkdir ${HOME}/.newsbeuter |
15 | whitelist ${HOME}/.config/newsbeuter | ||
16 | whitelist ${HOME}/.newsbeuter | ||
17 | 27 | ||
18 | private-bin newsbeuter | 28 | private-bin newsbeuter |
19 | 29 | ||
diff --git a/etc/profile-m-z/newsboat.profile b/etc/profile-m-z/newsboat.profile index 85b780ced..23c2de43c 100644 --- a/etc/profile-m-z/newsboat.profile +++ b/etc/profile-m-z/newsboat.profile | |||
@@ -6,6 +6,11 @@ include newsboat.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.config/newsbeuter | ||
10 | noblacklist ${HOME}/.config/newsboat | ||
11 | noblacklist ${HOME}/.local/share/newsbeuter | ||
12 | noblacklist ${HOME}/.local/share/newsboat | ||
13 | noblacklist ${HOME}/.newsbeuter | ||
9 | noblacklist ${HOME}/.newsboat | 14 | noblacklist ${HOME}/.newsboat |
10 | 15 | ||
11 | include disable-common.inc | 16 | include disable-common.inc |
@@ -16,7 +21,14 @@ include disable-passwdmgr.inc | |||
16 | include disable-programs.inc | 21 | include disable-programs.inc |
17 | include disable-xdg.inc | 22 | include disable-xdg.inc |
18 | 23 | ||
24 | mkdir ${HOME}/.config/newsboat | ||
25 | mkdir ${HOME}/.local/share/newsboat | ||
19 | mkdir ${HOME}/.newsboat | 26 | mkdir ${HOME}/.newsboat |
27 | whitelist ${HOME}/.config/newsbeuter | ||
28 | whitelist ${HOME}/.config/newsboat | ||
29 | whitelist ${HOME}/.local/share/newsbeuter | ||
30 | whitelist ${HOME}/.local/share/newsboat | ||
31 | whitelist ${HOME}/.newsbeuter | ||
20 | whitelist ${HOME}/.newsboat | 32 | whitelist ${HOME}/.newsboat |
21 | include whitelist-common.inc | 33 | include whitelist-common.inc |
22 | include whitelist-runuser-common.inc | 34 | include whitelist-runuser-common.inc |
@@ -38,7 +50,7 @@ seccomp | |||
38 | shell none | 50 | shell none |
39 | 51 | ||
40 | disable-mnt | 52 | disable-mnt |
41 | private-bin gzip,lynx,newsboat,sh | 53 | private-bin gzip,lynx,newsboat,sh,w3m |
42 | private-cache | 54 | private-cache |
43 | private-dev | 55 | private-dev |
44 | private-etc alternatives,ca-certificates,crypto-policies,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo | 56 | private-etc alternatives,ca-certificates,crypto-policies,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo |
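Review bot: The `w3m` added to `private-bin` at new line 53 has no counterpart in `private-etc` at line 56, so if w3m reads its system configuration from /etc (Debian packages it under /etc/w3m) it will not find it inside the sandbox; worth confirming on a system with w3m installed and adding `w3m` to the private-etc list if so. The new noblacklist and whitelist entries for the legacy `newsbeuter` directories (new lines 9, 11, 13 and 27, 29, 31) carry no comment explaining why a newsboat profile grants access to another program's directories. Since they appear to exist because newsbeuter.profile is now redirected to this profile (it issues `ignore include newsboat.local` in this same commit), a comment such as `# legacy newsbeuter directories: newsbeuter.profile is redirected to this profile` above the first noblacklist would record that dependency.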
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile index fce7dc461..38d291324 100644 --- a/etc/profile-m-z/telegram.profile +++ b/etc/profile-m-z/telegram.profile | |||
@@ -36,10 +36,20 @@ noroot | |||
36 | notv | 36 | notv |
37 | protocol unix,inet,inet6,netlink | 37 | protocol unix,inet,inet6,netlink |
38 | seccomp | 38 | seccomp |
39 | seccomp.block-secondary | ||
39 | shell none | 40 | shell none |
41 | tracelog | ||
40 | 42 | ||
41 | disable-mnt | 43 | disable-mnt |
44 | #private-bin telegram,Telegram,telegram-desktop | ||
42 | private-cache | 45 | private-cache |
43 | private-dev | 46 | private-dev |
44 | private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg | 47 | private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg |
45 | private-tmp | 48 | private-tmp |
49 | |||
50 | dbus-user filter | ||
51 | dbus-user.talk org.freedesktop.Notifications | ||
52 | dbus-user.talk org.kde.StatusNotifierWatcher | ||
53 | dbus-user.talk org.gnome.Mutter.IdleMonitor | ||
54 | dbus-user.talk org.freedesktop.ScreenSaver | ||
55 | dbus-system none | ||
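Review bot: New line 44, `#private-bin telegram,Telegram,telegram-desktop`, is left commented out with no explanation, so a later maintainer cannot tell whether the option is known to break the application or is still being evaluated; the commented `#private-bin` line added to virtualbox.profile in this commit has the same gap. Suggest a one-line comment above each, e.g. `# private-bin is disabled because <reason - TODO fill in>`, or dropping the line if it is not meant to be enabled. The rest of the hunk (`seccomp.block-secondary`, `tracelog`, the `dbus-user filter` block with four talk rules and `dbus-system none`) appears to follow the section ordering the profile template prescribes.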
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile index 232ff8ae4..64d787bfb 100644 --- a/etc/profile-m-z/virtualbox.profile +++ b/etc/profile-m-z/virtualbox.profile | |||
@@ -44,6 +44,7 @@ shell none | |||
44 | tracelog | 44 | tracelog |
45 | 45 | ||
46 | #disable-mnt | 46 | #disable-mnt |
47 | #private-bin basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami | ||
47 | private-cache | 48 | private-cache |
48 | private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl | 49 | private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl |
49 | private-tmp | 50 | private-tmp |
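--- /dev/null
+++ b/etc/profile-m-z/youtube-dl-gui.profile
@@ -0,0 +1,56 @@
+# Firejail profile for youtube-dl-gui
+# Description: A cross platform front-end GUI of the popular youtube-dl media downloader
+include youtube-dl-gui.local
+# This file is overwritten after every install/update
+include globals.local
+
+#These are blacklisted by disable-interpreters.inc
+include allow-python2.inc
+include allow-python3.inc
+
+noblacklist ${HOME}/.config/youtube-dlg
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/youtube-dlg
+whitelist ${HOME}/.config/youtube-dlg
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin atomicparsley,ffmpeg,ffprobe,python*,youtube-dl-gui
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,locale,locale.conf,passwd,pki,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none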
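Review bot: The header of the new profile places `# This file is overwritten after every install/update` between `include youtube-dl-gui.local` and `include globals.local` (lines 3-5), whereas the other profiles touched by this commit (newsboat.profile lines 6-7) precede `include globals.local` with `# Persistent global definitions`; the customary layout is `# This file is overwritten after every install/update` directly above the `.local` include and `# Persistent global definitions` directly above the globals include. The comment at line 7, `#These are blacklisted by disable-interpreters.inc`, also lacks the space after `#` that every other comment in the file has. Both are style only; the option ordering and the closing `dbus-user none` / `dbus-system none` block look consistent with the other profiles in the tree.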
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index af5497757..065245a63 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
@@ -203,7 +203,7 @@ include globals.local | |||
203 | # - Some features like native notifications are implemented as portal too. | 203 | # - Some features like native notifications are implemented as portal too. |
204 | # - In order to make dconf work (when used by the app) you need to allow | 204 | # - In order to make dconf work (when used by the app) you need to allow |
205 | # 'ca.desrt.dconf' even when not allowed by flatpak. | 205 | # 'ca.desrt.dconf' even when not allowed by flatpak. |
206 | # Notes and Policiy about addresses can be found at | 206 | # Notes and policies about addresses can be found at |
207 | # <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus> | 207 | # <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus> |
208 | #dbus-user filter | 208 | #dbus-user filter |
209 | #dbus-user.own com.github.netblue30.firejail | 209 | #dbus-user.own com.github.netblue30.firejail |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 85a5b0453..3da415b70 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -875,6 +875,7 @@ yandex-browser | |||
875 | yelp | 875 | yelp |
876 | youtube | 876 | youtube |
877 | youtube-dl | 877 | youtube-dl |
878 | youtube-dl-gui | ||
878 | youtube-viewer | 879 | youtube-viewer |
879 | youtubemusic-nativefier | 880 | youtubemusic-nativefier |
880 | ytmdesktop | 881 | ytmdesktop |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index fe79daa70..8b7e49611 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -170,6 +170,7 @@ static void disable_file(OPERATION op, const char *filename) { | |||
170 | } | 170 | } |
171 | } | 171 | } |
172 | fs_tmpfs(fname, getuid()); | 172 | fs_tmpfs(fname, getuid()); |
173 | selinux_relabel_path(fname, fname); | ||
173 | last_disable = SUCCESSFUL; | 174 | last_disable = SUCCESSFUL; |
174 | } | 175 | } |
175 | else | 176 | else |
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 2c5ea8be0..46f32d7ad 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -31,7 +31,7 @@ | |||
31 | 31 | ||
32 | #include <fcntl.h> | 32 | #include <fcntl.h> |
33 | #ifndef O_PATH | 33 | #ifndef O_PATH |
34 | # define O_PATH 010000000 | 34 | #define O_PATH 010000000 |
35 | #endif | 35 | #endif |
36 | 36 | ||
37 | static void skel(const char *homedir, uid_t u, gid_t g) { | 37 | static void skel(const char *homedir, uid_t u, gid_t g) { |
@@ -384,7 +384,6 @@ void fs_private(void) { | |||
384 | if (chown(homedir, u, g) < 0) | 384 | if (chown(homedir, u, g) < 0) |
385 | errExit("chown"); | 385 | errExit("chown"); |
386 | 386 | ||
387 | selinux_relabel_path(homedir, homedir); | ||
388 | fs_logger2("mkdir", homedir); | 387 | fs_logger2("mkdir", homedir); |
389 | fs_logger2("tmpfs", homedir); | 388 | fs_logger2("tmpfs", homedir); |
390 | } | 389 | } |
@@ -392,6 +391,8 @@ void fs_private(void) { | |||
392 | // mask user home directory | 391 | // mask user home directory |
393 | // the directory should be owned by the current user | 392 | // the directory should be owned by the current user |
394 | fs_tmpfs(homedir, 1); | 393 | fs_tmpfs(homedir, 1); |
394 | |||
395 | selinux_relabel_path(homedir, homedir); | ||
395 | } | 396 | } |
396 | 397 | ||
397 | skel(homedir, u, g); | 398 | skel(homedir, u, g); |
@@ -549,7 +550,7 @@ void fs_private_home_list(void) { | |||
549 | 550 | ||
550 | // create /run/firejail/mnt/home directory | 551 | // create /run/firejail/mnt/home directory |
551 | mkdir_attr(RUN_HOME_DIR, 0755, uid, gid); | 552 | mkdir_attr(RUN_HOME_DIR, 0755, uid, gid); |
552 | selinux_relabel_path(RUN_HOME_DIR, "/home"); | 553 | selinux_relabel_path(RUN_HOME_DIR, homedir); |
553 | fs_logger_print(); // save the current log | 554 | fs_logger_print(); // save the current log |
554 | 555 | ||
555 | if (arg_debug) | 556 | if (arg_debug) |
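Review bot: In the fs_private hunk the `selinux_relabel_path(homedir, homedir)` call was removed from the branch that creates the home directory (old line 387, right after `chown`) and only re-added after `fs_tmpfs(homedir, 1)` in the other branch (new line 395); unless the mount that the first branch logs as `fs_logger2("tmpfs", homedir)` is relabelled somewhere before the hunk, a freshly created home directory now keeps the default tmpfs label. If the removal is deliberate because that earlier mount is already labelled, a short comment at the `fs_logger2("tmpfs", homedir)` call saying so would keep the question from resurfacing. fs_private starts and ends outside the hunk. The fs_private_home_list change from `"/home"` to `homedir` as the label source for RUN_HOME_DIR looks reasonable if that directory stands in for the user's home rather than for /home, but that reading is inferred from the comment at line 551 only.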
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index 0dfd9ca1c..a0ca4c02c 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c | |||
@@ -72,7 +72,7 @@ static void sanitize_home(void) { | |||
72 | 72 | ||
73 | if (arg_debug) | 73 | if (arg_debug) |
74 | printf("Cleaning /home directory\n"); | 74 | printf("Cleaning /home directory\n"); |
75 | // keep a copy of the user home directory | 75 | // open user home directory in order to keep it around |
76 | int fd = safe_fd(cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); | 76 | int fd = safe_fd(cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); |
77 | if (fd == -1) | 77 | if (fd == -1) |
78 | goto errout; | 78 | goto errout; |
@@ -82,47 +82,38 @@ static void sanitize_home(void) { | |||
82 | close(fd); | 82 | close(fd); |
83 | goto errout; | 83 | goto errout; |
84 | } | 84 | } |
85 | char *proc; | ||
86 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | ||
87 | errExit("asprintf"); | ||
88 | if (mkdir(RUN_WHITELIST_HOME_DIR, 0755) == -1) | ||
89 | errExit("mkdir"); | ||
90 | if (mount(proc, RUN_WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
91 | errExit("mount bind"); | ||
92 | free(proc); | ||
93 | close(fd); | ||
94 | 85 | ||
95 | // mount tmpfs in the new home | 86 | // mount tmpfs on /home |
96 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) | 87 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) |
97 | errExit("mount tmpfs"); | 88 | errExit("mount tmpfs"); |
98 | selinux_relabel_path("/home", "/home"); | 89 | selinux_relabel_path("/home", "/home"); |
99 | fs_logger("tmpfs /home"); | 90 | fs_logger("tmpfs /home"); |
100 | 91 | ||
101 | // create user home directory | 92 | // create new user home directory |
102 | if (mkdir(cfg.homedir, 0755) == -1) { | 93 | if (mkdir(cfg.homedir, 0755) == -1) { |
103 | if (mkpath_as_root(cfg.homedir)) | 94 | if (mkpath_as_root(cfg.homedir) == -1) |
104 | errExit("mkpath"); | 95 | errExit("mkpath"); |
105 | if (mkdir(cfg.homedir, 0755) == -1) | 96 | if (mkdir(cfg.homedir, 0755) == -1) |
106 | errExit("mkdir"); | 97 | errExit("mkdir"); |
107 | selinux_relabel_path(cfg.homedir, cfg.homedir); | ||
108 | } | 98 | } |
109 | fs_logger2("mkdir", cfg.homedir); | 99 | fs_logger2("mkdir", cfg.homedir); |
110 | 100 | ||
111 | // set mode and ownership | 101 | // set mode and ownership |
112 | if (set_perms(cfg.homedir, s.st_uid, s.st_gid, s.st_mode)) | 102 | if (set_perms(cfg.homedir, s.st_uid, s.st_gid, s.st_mode)) |
113 | errExit("set_perms"); | 103 | errExit("set_perms"); |
104 | selinux_relabel_path(cfg.homedir, cfg.homedir); | ||
114 | 105 | ||
115 | // mount user home directory | 106 | // bring back real user home directory |
116 | if (mount(RUN_WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0) | 107 | char *proc; |
108 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | ||
109 | errExit("asprintf"); | ||
110 | if (mount(proc, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
117 | errExit("mount bind"); | 111 | errExit("mount bind"); |
112 | free(proc); | ||
113 | close(fd); | ||
118 | 114 | ||
119 | // mask home dir under /run | ||
120 | if (mount("tmpfs", RUN_WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) | ||
121 | errExit("mount tmpfs"); | ||
122 | fs_logger2("tmpfs", RUN_WHITELIST_HOME_DIR); | ||
123 | if (!arg_private) | 115 | if (!arg_private) |
124 | fs_logger2("whitelist", cfg.homedir); | 116 | fs_logger2("whitelist", cfg.homedir); |
125 | |||
126 | return; | 117 | return; |
127 | 118 | ||
128 | errout: | 119 | errout: |
@@ -137,22 +128,15 @@ static void sanitize_run(void) { | |||
137 | if (asprintf(&runuser, "/run/user/%u", getuid()) == -1) | 128 | if (asprintf(&runuser, "/run/user/%u", getuid()) == -1) |
138 | errExit("asprintf"); | 129 | errExit("asprintf"); |
139 | 130 | ||
140 | struct stat s; | 131 | // open /run/user/$UID directory in order to keep it around |
141 | if (stat(runuser, &s) == -1) { | 132 | int fd = open(runuser, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); |
142 | // cannot find /user/run/$UID directory, just return | 133 | if (fd == -1) { |
143 | if (arg_debug) | 134 | if (arg_debug) |
144 | printf("Cannot find %s directory\n", runuser); | 135 | printf("Cannot open %s directory\n", runuser); |
145 | free(runuser); | 136 | free(runuser); |
146 | return; | 137 | return; |
147 | } | 138 | } |
148 | 139 | ||
149 | if (mkdir(RUN_WHITELIST_RUN_DIR, 0755) == -1) | ||
150 | errExit("mkdir"); | ||
151 | |||
152 | // keep a copy of the /run/user/$UID directory | ||
153 | if (mount(runuser, RUN_WHITELIST_RUN_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
154 | errExit("mount bind"); | ||
155 | |||
156 | // mount tmpfs on /run/user | 140 | // mount tmpfs on /run/user |
157 | if (mount("tmpfs", "/run/user", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) | 141 | if (mount("tmpfs", "/run/user", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) |
158 | errExit("mount tmpfs"); | 142 | errExit("mount tmpfs"); |
@@ -162,22 +146,23 @@ static void sanitize_run(void) { | |||
162 | // create new user directory | 146 | // create new user directory |
163 | if (mkdir(runuser, 0700) == -1) | 147 | if (mkdir(runuser, 0700) == -1) |
164 | errExit("mkdir"); | 148 | errExit("mkdir"); |
165 | selinux_relabel_path(runuser, runuser); | ||
166 | fs_logger2("mkdir", runuser); | 149 | fs_logger2("mkdir", runuser); |
167 | 150 | ||
168 | // set mode and ownership | 151 | // set mode and ownership |
169 | if (set_perms(runuser, getuid(), getgid(), 0700)) | 152 | if (set_perms(runuser, getuid(), getgid(), 0700)) |
170 | errExit("set_perms"); | 153 | errExit("set_perms"); |
154 | selinux_relabel_path(runuser, runuser); | ||
171 | 155 | ||
172 | // mount /run/user/$UID directory | 156 | // bring back real run/user/$UID directory |
173 | if (mount(RUN_WHITELIST_RUN_DIR, runuser, NULL, MS_BIND|MS_REC, NULL) < 0) | 157 | char *proc; |
158 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | ||
159 | errExit("asprintf"); | ||
160 | if (mount(proc, runuser, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
174 | errExit("mount bind"); | 161 | errExit("mount bind"); |
162 | free(proc); | ||
163 | close(fd); | ||
175 | 164 | ||
176 | // mask mirrored /run/user/$UID directory | 165 | fs_logger2("whitelist", runuser); |
177 | if (mount("tmpfs", RUN_WHITELIST_RUN_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) | ||
178 | errExit("mount tmpfs"); | ||
179 | fs_logger2("tmpfs", RUN_WHITELIST_RUN_DIR); | ||
180 | |||
181 | free(runuser); | 166 | free(runuser); |
182 | } | 167 | } |
183 | 168 | ||
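Review bot: In sanitize_run the directory is now kept open with a plain `open(runuser, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC)` at new line 132, whereas sanitize_home uses `safe_fd` with the same flags at line 76; O_NOFOLLOW only rejects a symlink in the final path component, so intermediate components of `/run/user/<uid>` are still followed. Unless safe_fd is unsuitable for this path for a reason not visible here, `int fd = safe_fd(runuser, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);` keeps the two functions consistent. sanitize_home also appears to validate the opened directory before binding it back (its `s.st_uid`/`s.st_gid` feed `set_perms` at new line 102), while sanitize_run bind-mounts whatever was opened with no ownership check; if that is acceptable because /run/user is always root-owned, the comment at new line 131 should say so. Dropping the intermediate RUN_WHITELIST_HOME_DIR / RUN_WHITELIST_RUN_DIR bind mounts is a net improvement, since the real directories are no longer exposed under the mount directory between the two mount calls.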
diff --git a/src/include/rundefs.h b/src/include/rundefs.h index 5749c66e4..d14f6782f 100644 --- a/src/include/rundefs.h +++ b/src/include/rundefs.h | |||
@@ -84,8 +84,6 @@ | |||
84 | #define RUN_DEVLOG_FILE RUN_MNT_DIR "/devlog" | 84 | #define RUN_DEVLOG_FILE RUN_MNT_DIR "/devlog" |
85 | 85 | ||
86 | #define RUN_WHITELIST_X11_DIR RUN_MNT_DIR "/orig-x11" | 86 | #define RUN_WHITELIST_X11_DIR RUN_MNT_DIR "/orig-x11" |
87 | #define RUN_WHITELIST_HOME_DIR RUN_MNT_DIR "/orig-home" // default home directory masking | ||
88 | #define RUN_WHITELIST_RUN_DIR RUN_MNT_DIR "/orig-run" // default run directory masking | ||
89 | #define RUN_WHITELIST_HOME_USER_DIR RUN_MNT_DIR "/orig-home-user" // home directory whitelisting | 87 | #define RUN_WHITELIST_HOME_USER_DIR RUN_MNT_DIR "/orig-home-user" // home directory whitelisting |
90 | #define RUN_WHITELIST_RUN_USER_DIR RUN_MNT_DIR "/orig-run-user" // run directory whitelisting | 88 | #define RUN_WHITELIST_RUN_USER_DIR RUN_MNT_DIR "/orig-run-user" // run directory whitelisting |
91 | #define RUN_WHITELIST_TMP_DIR RUN_MNT_DIR "/orig-tmp" | 89 | #define RUN_WHITELIST_TMP_DIR RUN_MNT_DIR "/orig-tmp" |