-rw-r--r-- | README | 2 | ||||
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | etc/conkeror.profile | 6 | ||||
-rw-r--r-- | etc/disable-common.inc | 4 | ||||
-rw-r--r-- | etc/dnscrypt-proxy.profile | 3 | ||||
-rw-r--r-- | etc/unbound.profile | 4 | ||||
-rw-r--r-- | etc/whitelist-common.inc | 1 | ||||
-rw-r--r-- | src/firejail/firejail.h | 3 | ||||
-rw-r--r-- | src/firejail/fs.c | 12 | ||||
-rw-r--r-- | src/firejail/main.c | 1 | ||||
-rw-r--r-- | src/firejail/usage.c | 1 | ||||
-rw-r--r-- | src/firejail/user.c | 114 | ||||
-rw-r--r-- | src/man/firejail.txt | 9 | ||||
-rwxr-xr-x | test/kmsg.exp | 29 | ||||
-rwxr-xr-x | test/test.sh | 3 |
15 files changed, 184 insertions, 9 deletions
@@ -18,6 +18,8 @@ License: GPL v2 | |||
18 | Firejail Authors: | 18 | Firejail Authors: |
19 | 19 | ||
20 | netblue30 (netblue30@yahoo.com) | 20 | netblue30 (netblue30@yahoo.com) |
21 | curiosity-seeker (https://github.com/curiosity-seeker) | ||
22 | - tightening unbound and dnscrypt-proxy profiles | ||
21 | sinkuu (https://github.com/sinkuu) | 23 | sinkuu (https://github.com/sinkuu) |
22 | - blacklisting kwalletd | 24 | - blacklisting kwalletd |
23 | Bader Zaidan (https://github.com/BaderSZ) | 25 | Bader Zaidan (https://github.com/BaderSZ) |
@@ -6,6 +6,7 @@ firejail (0.9.37) baseline; urgency=low | |||
6 | * added KMail, Seamonkey, Telegram profiles | 6 | * added KMail, Seamonkey, Telegram profiles |
7 | * --join command enhancement (--join-network, --join-filesystem) | 7 | * --join command enhancement (--join-network, --join-filesystem) |
8 | * symlink invocation | 8 | * symlink invocation |
9 | * --user command | ||
9 | -- netblue30 <netblue30@yahoo.com> Tue, 5 Jan 2016 08:00:00 -0500 | 10 | -- netblue30 <netblue30@yahoo.com> Tue, 5 Jan 2016 08:00:00 -0500 |
10 | 11 | ||
11 | firejail (0.9.36) baseline; urgency=low | 12 | firejail (0.9.36) baseline; urgency=low |
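--- a/etc/conkeror.profile
+++ b/etc/conkeror.profile
@@ -21,8 +21,4 @@ whitelist ~/.pentadactyl
 whitelist ~/.conkerorrc
 
 # common
-whitelist ~/.fonts
-whitelist ~/.fonts.d
-whitelist ~/.fontconfig
-whitelist ~/.fonts.conf
-whitelist ~/.fonts.conf.d
+include /etc/firejail/whitelist-common.inc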
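--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -119,7 +119,3 @@ read-only ${HOME}/.xmonad
 # The user ~/bin directory can override commands such as ls
 read-only ${HOME}/bin
 
-# syslog
-blacklist /dev/kmsg
-blacklist /proc/kmsg
-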
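--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -2,6 +2,9 @@
 noblacklist /sbin
 noblacklist /usr/sbin
 include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-secret.inc
 private
 private-dev
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open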
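--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -2,6 +2,10 @@
 noblacklist /sbin
 noblacklist /usr/sbin
 include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-secret.inc
+private
 private
 private-dev
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open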
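Review bot: The added line 8 `private` in etc/unbound.profile duplicates the existing `private` that follows it on line 9, so the new side carries the directive twice; dropping the added one keeps the profile in step with etc/dnscrypt-proxy.profile, which gains the same three includes in this commit without the extra line. The duplicate is probably harmless, but it obscures what this profile actually adds over the other.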
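--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -13,6 +13,7 @@ whitelist ~/.fontconfig
 whitelist ~/.fonts.conf
 whitelist ~/.fonts.conf.d
 whitelist ~/.config/fontconfig
+whitelist ~/.cache/fontconfig
 
 # gtk
 whitelist ~/.gtkrc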
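--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -505,5 +505,8 @@ void fs_logger_print_log(pid_t pid);
 // run_symlink.c
 void run_symlink(int argc, char **argv);
 
+// user.c
+void check_user(int argc, char **argv);
+
 #endif
 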
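--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -604,6 +604,18 @@ void fs_proc_sys_dev_boot(void) {
 if (stat("/dev/port", &s) == 0) {
 disable_file(BLACKLIST_FILE, "/dev/port");
 }
+
+if (getuid() != 0) {
+// disable /dev/kmsg
+if (stat("/dev/kmsg", &s) == 0) {
+disable_file(BLACKLIST_FILE, "/dev/kmsg");
+}
+
+// disable /proc/kmsg
+if (stat("/proc/kmsg", &s) == 0) {
+disable_file(BLACKLIST_FILE, "/proc/kmsg");
+}
+}
 }
 
 // disable firejail configuration in /etc/firejail and in ~/.config/firejail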
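Review bot: The new block at lines 608-618 gates the /dev/kmsg and /proc/kmsg blacklist on `getuid() != 0`, whereas the `blacklist` lines it replaces in etc/disable-common.inc (removed in this same commit) applied to every sandbox; a sandbox started by root therefore keeps both files after this change, and nothing in the hunk records whether that is intended. A comment on the condition would make the decision reviewable, e.g. `// kmsg is blacklisted only for unprivileged sandboxes; root sandboxes keep it because <reason — TODO fill in>`. fs_proc_sys_dev_boot() starts outside the hunk, so I am assuming `s` is the same `struct stat` used for the /dev/port check above and that nothing between its declaration and here depends on its contents.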
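--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -514,6 +514,7 @@ int main(int argc, char **argv) {
 else {
 // check --output option and execute it;
 check_output(argc, argv); // the function will not return if --output option was found
+check_user(argc, argv); // the function will not return if --user option was found
 }
 
 // parse arguments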
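--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -286,6 +286,7 @@ void usage(void) {
 printf("\t--tracelog - add a syslog message for every access to files or\n");
 printf("\t\tdirectoires blacklisted by the security profile.\n\n");
 printf("\t--tree - print a tree of all sandboxed processes.\n\n");
+printf("\t--user=new_user - switch the user before starting the sandbox.\n\n");
 printf("\t--version - print program version and exit.\n\n");
 printf("\t--whitelist=dirname_or_filename - whitelist directory or file.\n\n");
 printf("\t--zsh - use /usr/bin/zsh as default shell.\n\n");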
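--- /dev/null
+++ b/src/firejail/user.c
@@ -0,0 +1,114 @@
+/*
+* Copyright (C) 2014-2016 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "firejail.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <grp.h>
+#include <pwd.h>
+
+
+void check_user(int argc, char **argv) {
+int i;
+char *user = NULL;
+
+int found = 0;
+for (i = 1; i < argc; i++) {
+// check options
+if (strcmp(argv[i], "--") == 0)
+break;
+if (strncmp(argv[i], "--", 2) != 0)
+break;
+
+// check user option
+if (strncmp(argv[i], "--user=", 7) == 0) {
+found = 1;
+user = argv[i] + 7;
+break;
+}
+}
+if (!found)
+return;
+
+// check root
+if (getuid() != 0) {
+fprintf(stderr, "Error: you need to be root to use --user command line option\n");
+exit(1);
+}
+
+// switch user
+struct passwd *pw = getpwnam(user);
+if (!pw) {
+fprintf(stderr, "Error: cannot find user %s\n", user);
+exit(1);
+}
+
+printf("Switching to user %s, UID %d, GID %d\n", user, pw->pw_uid, pw->pw_gid);
+int rv = initgroups(user, pw->pw_gid);
+if (rv == -1) {
+perror("initgroups");
+fprintf(stderr, "Error: cannot switch to user %s\n", user);
+}
+
+rv = setgid(pw->pw_gid);
+if (rv == -1) {
+perror("setgid");
+fprintf(stderr, "Error: cannot switch to user %s\n", user);
+}
+
+rv = setuid(pw->pw_uid);
+if (rv == -1) {
+perror("setuid");
+fprintf(stderr, "Error: cannot switch to user %s\n", user);
+}
+
+// build the new command line
+int len = 0;
+for (i = 0; i < argc; i++) {
+len += strlen(argv[i]) + 1; // + ' '
+}
+
+char *cmd = malloc(len + 1); // + '\0'
+if (!cmd)
+errExit("malloc");
+
+char *ptr = cmd;
+int first = 1;
+for (i = 0; i < argc; i++) {
+if (strncmp(argv[i], "--user=", 7) == 0 && first) {
+first = 0;
+continue;
+}
+
+ptr += sprintf(ptr, "%s ", argv[i]);
+}
+
+// run command
+char *a[4];
+a[0] = "/bin/bash";
+a[1] = "-c";
+a[2] = cmd;
+a[3] = NULL;
+
+execvp(a[0], a);
+
+perror("execvp");
+exit(1);
+}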
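--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1441,6 +1441,15 @@ $ firejail \-\-tree
 .br
 11970:netblue:transmission-gtk
 .TP
+\fB\-\-user=new-user
+Switch the user before starting the sandbox. This command should be run as root.
+.br
+
+.br
+Example:
+.br
+# firejail \-\-user=www-data
+.TP
 \fB\-\-version
 Print program version and exit.
 .br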
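--- /dev/null
+++ b/test/kmsg.exp
@@ -0,0 +1,29 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "cat /dev/kmsg\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"Permission denied"
+}
+sleep 1
+
+send -- "cat /proc/kmsg\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"Permission denied"
+}
+sleep 1
+
+puts "\nall done\n"
+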
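Review bot: The checks at lines 14-25 only require that `cat /dev/kmsg` and `cat /proc/kmsg` print "Permission denied" inside the sandbox, but when the suite runs as an unprivileged user those reads are commonly refused by ordinary file permissions anyway (/proc/kmsg is root-readable only on most systems), so the test would also pass against a build that does not blacklist them. Asserting a sandbox-specific effect instead — for example reading the same paths in the unsandboxed shell first and requiring a different outcome, or checking `ls -l` on the paths inside the sandbox for the blacklist replacement — would make the test discriminate between the two. The companion `getuid() != 0` gate in src/firejail/fs.c also means this test says nothing about sandboxes started by root, which may be worth a comment at the top of the script.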
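--- a/test/test.sh
+++ b/test/test.sh
@@ -86,6 +86,9 @@ rm -f index.html*
 echo "TESTING: extract command"
 ./extract_command.exp
 
+echo "TESTING: kmsg access"
+./kmsg.exp
+
 echo "TESTING: rlimit"
 ./option_rlimit.exp
 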