diff options
-rw-r--r-- | README.md | 21 | ||||
-rw-r--r-- | RELNOTES | 2 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 16 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 20 | ||||
-rw-r--r-- | src/man/firejail.txt | 3 |
6 files changed, 57 insertions, 6 deletions
@@ -65,6 +65,27 @@ More packages build by AppImage developer Simon Peter: https://bintray.com/probo | |||
65 | 65 | ||
66 | AppImage project home: https://github.com/probonopd/AppImageKit | 66 | AppImage project home: https://github.com/probonopd/AppImageKit |
67 | 67 | ||
68 | ## Sandbox auditing | ||
69 | ````` | ||
70 | AUDIT | ||
71 | Audit feature allows the user to point out gaps in security profiles. | ||
72 | The implementation replaces the program to be sandboxed with a test | ||
73 | program. By default, we use faudit program distributed with Firejail. A | ||
74 | custom test program can also be supplied by the user. Examples: | ||
75 | |||
76 | Running the default audit program: | ||
77 | $ firejail --audit transmission-gtk | ||
78 | |||
79 | Running a custom audit program: | ||
80 | $ firejail --audit=~/sandbox-test transmission-gtk | ||
81 | |||
82 | In the examples above, the sandbox configures transmission-gtk profile | ||
83 | and starts the test program. The real program, transmission-gtk, will | ||
84 | not be started. | ||
85 | |||
86 | Limitations: audit feature is not implemented for --x11 commands. | ||
87 | ````` | ||
88 | |||
68 | ## Converting profiles to private-bin - work in progress! | 89 | ## Converting profiles to private-bin - work in progress! |
69 | 90 | ||
70 | BitTorrent: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt, uget-gtk | 91 | BitTorrent: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt, uget-gtk |
@@ -1,5 +1,7 @@ | |||
1 | firejail (0.9.41) baseline; urgency=low | 1 | firejail (0.9.41) baseline; urgency=low |
2 | * work in progress... | 2 | * work in progress... |
3 | * AppImage support (--appimage) | ||
4 | * Sandbox auditing support (--audit) | ||
3 | * compile time and run time support to disable whitelists | 5 | * compile time and run time support to disable whitelists |
4 | * compile time support to disable global configuration file | 6 | * compile time support to disable global configuration file |
5 | * some profiles have been converted to private-bin | 7 | * some profiles have been converted to private-bin |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 39013de56..ddc37e203 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -261,6 +261,7 @@ extern int arg_writable_etc; // writable etc | |||
261 | extern int arg_writable_var; // writable var | 261 | extern int arg_writable_var; // writable var |
262 | extern int arg_appimage; // appimage | 262 | extern int arg_appimage; // appimage |
263 | extern int arg_audit; // audit | 263 | extern int arg_audit; // audit |
264 | extern char *arg_audit_prog; // audit | ||
264 | 265 | ||
265 | extern int parent_to_child_fds[2]; | 266 | extern int parent_to_child_fds[2]; |
266 | extern int child_to_parent_fds[2]; | 267 | extern int child_to_parent_fds[2]; |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 34cc38cd5..ac554ca2a 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -101,6 +101,7 @@ int arg_writable_etc = 0; // writable etc | |||
101 | int arg_writable_var = 0; // writable var | 101 | int arg_writable_var = 0; // writable var |
102 | int arg_appimage = 0; // appimage | 102 | int arg_appimage = 0; // appimage |
103 | int arg_audit = 0; // audit | 103 | int arg_audit = 0; // audit |
104 | char *arg_audit_prog; // audit | ||
104 | 105 | ||
105 | int parent_to_child_fds[2]; | 106 | int parent_to_child_fds[2]; |
106 | int child_to_parent_fds[2]; | 107 | int child_to_parent_fds[2]; |
@@ -1831,8 +1832,21 @@ int main(int argc, char **argv) { | |||
1831 | //************************************* | 1832 | //************************************* |
1832 | // command | 1833 | // command |
1833 | //************************************* | 1834 | //************************************* |
1834 | else if (strcmp(argv[i], "--audit") == 0) | 1835 | else if (strcmp(argv[i], "--audit") == 0) { |
1836 | if (asprintf(&arg_audit_prog, "%s/firejail/faudit", LIBDIR) == -1) | ||
1837 | errExit("asprintf"); | ||
1835 | arg_audit = 1; | 1838 | arg_audit = 1; |
1839 | } | ||
1840 | else if (strncmp(argv[i], "--audit=", 8) == 0) { | ||
1841 | if (strlen(argv[i] + 8) == 0) { | ||
1842 | fprintf(stderr, "Error: invalid audit program\n"); | ||
1843 | exit(1); | ||
1844 | } | ||
1845 | arg_audit_prog = strdup(argv[i] + 8); | ||
1846 | if (!arg_audit_prog) | ||
1847 | errExit("strdup"); | ||
1848 | arg_audit = 1; | ||
1849 | } | ||
1836 | else if (strcmp(argv[i], "--appimage") == 0) | 1850 | else if (strcmp(argv[i], "--appimage") == 0) |
1837 | arg_appimage = 1; | 1851 | arg_appimage = 1; |
1838 | else if (strcmp(argv[i], "--csh") == 0) { | 1852 | else if (strcmp(argv[i], "--csh") == 0) { |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 8cf2486b3..d384d6fa0 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -272,16 +272,27 @@ static int monitor_application(pid_t app_pid) { | |||
272 | #endif | 272 | #endif |
273 | } | 273 | } |
274 | 274 | ||
275 | void start_audit(void) { | ||
276 | char *audit_prog; | ||
277 | if (asprintf(&audit_prog, "%s/firejail/faudit", LIBDIR) == -1) | ||
278 | errExit("asprintf"); | ||
279 | execl(audit_prog, audit_prog, NULL); | ||
280 | perror("execl"); | ||
281 | exit(1); | ||
282 | } | ||
275 | 283 | ||
276 | static void start_application(void) { | 284 | static void start_application(void) { |
277 | //**************************************** | 285 | //**************************************** |
278 | // audit | 286 | // audit |
279 | //**************************************** | 287 | //**************************************** |
280 | if (arg_audit) { | 288 | if (arg_audit) { |
281 | char *audit_prog; | 289 | assert(arg_audit_prog); |
282 | if (asprintf(&audit_prog, "%s/firejail/faudit", LIBDIR) == -1) | 290 | struct stat s; |
283 | errExit("asprintf"); | 291 | if (stat(arg_audit_prog, &s) != 0) { |
284 | execl(audit_prog, audit_prog, NULL); | 292 | fprintf(stderr, "Error: cannot find the audit program\n"); |
293 | exit(1); | ||
294 | } | ||
295 | execl(arg_audit_prog, arg_audit_prog, NULL); | ||
285 | } | 296 | } |
286 | //**************************************** | 297 | //**************************************** |
287 | // start the program without using a shell | 298 | // start the program without using a shell |
@@ -305,6 +316,7 @@ static void start_application(void) { | |||
305 | printf("Child process initialized\n"); | 316 | printf("Child process initialized\n"); |
306 | 317 | ||
307 | execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]); | 318 | execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]); |
319 | exit(1); | ||
308 | } | 320 | } |
309 | //**************************************** | 321 | //**************************************** |
310 | // start the program using a shell | 322 | // start the program using a shell |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index a523e51cb..e4505754e 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1741,12 +1741,13 @@ Running the default audit program: | |||
1741 | 1741 | ||
1742 | Running a custom audit program: | 1742 | Running a custom audit program: |
1743 | .br | 1743 | .br |
1744 | $ firejail --audit=~/sandbox-test transmission-gtk\n\n"); | 1744 | $ firejail --audit=~/sandbox-test transmission-gtk |
1745 | 1745 | ||
1746 | In the examples above, the sandbox configures transmission-gtk profile and | 1746 | In the examples above, the sandbox configures transmission-gtk profile and |
1747 | starts the test program. The real program, transmission-gtk, will not be | 1747 | starts the test program. The real program, transmission-gtk, will not be |
1748 | started. | 1748 | started. |
1749 | 1749 | ||
1750 | Limitations: audit feature is not implemented for --x11 commands. | ||
1750 | 1751 | ||
1751 | .SH MONITORING | 1752 | .SH MONITORING |
1752 | Option \-\-list prints a list of all sandboxes. The format | 1753 | Option \-\-list prints a list of all sandboxes. The format |