3 files changed, 161 insertions, 1 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index ade23d89e..ab3c13598 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -766,7 +766,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 // sbox.c
 // programs
 #define PATH_FNET (LIBDIR "/firejail/fnet")
-#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter")
+#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter#define PATH_FNET (LIBDIR "/firejail/fnet")
 #define PATH_FIREMON (PREFIX "/bin/firemon")
 #define PATH_FIREJAIL (PREFIX "/bin/firejail")
 #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
diff --git a/src/fnetfilter/Makefile.in b/src/fnetfilter/Makefile.in
new file mode 100644
index 000000000..1063737e1
--- /dev/null
+++ b/src/fnetfilter/Makefile.in
@@ -0,0 +1,45 @@
+all: fnetfilter
+CC=@CC@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+sysconfdir=@sysconfdir@
+VERSION=@PACKAGE_VERSION@
+NAME=@PACKAGE_NAME@
+HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
+HAVE_SECCOMP=@HAVE_SECCOMP@
+HAVE_CHROOT=@HAVE_CHROOT@
+HAVE_BIND=@HAVE_BIND@
+HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_NETWORK=@HAVE_NETWORK@
+HAVE_USERNS=@HAVE_USERNS@
+HAVE_X11=@HAVE_X11@
+HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
+HAVE_WHITELIST=@HAVE_WHITELIST@
+HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
+HAVE_APPARMOR=@HAVE_APPARMOR@
+HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
+HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+HAVE_GCOV=@HAVE_GCOV@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+H_FILE_LIST       = $(sort $(wildcard *.[h]))
+C_FILE_LIST       = $(sort $(wildcard *.c))
+OBJS = $(C_FILE_LIST:.c=.o)
+BINOBJS =  $(foreach file, $(OBJS), $file)
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
+        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+fnetfilter: $(OBJS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+clean:; rm -f *.o fnetfilter *.gcov *.gcda *.gcno
+distclean: clean
+        rm -fr Makefile
diff --git a/src/fnetfilter/main.c b/src/fnetfilter/main.c
new file mode 100644
index 000000000..67ab31832
--- /dev/null
+++ b/src/fnetfilter/main.c
@@ -0,0 +1,115 @@
+ /*
+ * Copyright (C) 2014-2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "../include/common.h"
+#define MAXBUF 4098
+int arg_quiet = 0;
+static char *default_filter =
+"*filter\n"
+":INPUT DROP [0:0]\n"
+":FORWARD DROP [0:0]\n"
+":OUTPUT ACCEPT [0:0]\n"
+"-A INPUT -i lo -j ACCEPT\n"
+"-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
+"# echo replay is handled by -m state RELATED/ESTABLISHED below\n"
+"#-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT\n"
+"-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT\n"
+"-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT\n"
+"-A INPUT -p icmp --icmp-type echo-request -j ACCEPT \n"
+"# disable STUN\n"
+"-A OUTPUT -p udp --dport 3478 -j DROP\n"
+"-A OUTPUT -p udp --dport 3479 -j DROP\n"
+"-A OUTPUT -p tcp --dport 3478 -j DROP\n"
+"-A OUTPUT -p tcp --dport 3479 -j DROP\n"
+"COMMIT\n";
+static void usage(void) {
+        printf("Usage:\n");
+        printf("\tfnetfilter netfilter-command destination-file\n");
+}
+int main(int argc, char **argv) {
+#if 0
+{
+system("cat /proc/self/status");
+int i;
+for (i = 0; i < argc; i++)
+        printf("*%s* ", argv[i]);
+printf("\n");
+}
+#endif
+        char *quiet = getenv("FIREJAIL_QUIET");
+        if (quiet && strcmp(quiet, "yes") == 0)
+                arg_quiet = 1;
+        if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) {
+                usage();
+                return 0;
+        }
+        if (argc != 2 && argc != 3) {
+                usage();
+                return 1;
+        }
+        char *destfile = (argc == 3)? argv[2]: argv[1];
+        char *command = (argc == 3)? argv[1]: NULL;     
+//printf("command %s\n", command);
+//printf("destfile %s\n", destfile);
+        // handle default config (command = NULL, destfile)
+        if (command == NULL) {
+                // create a default filter file
+                FILE *fp = fopen(destfile, "w");
+                if (!fp) {
+                        fprintf(stderr, "Error fnetfilter: cannot open %s\n", destfile);
+                        exit(1);
+                }
+                fprintf(fp, "%s\n", default_filter);
+                fclose(fp);
+        }
+        else {
+                // copy the file
+                FILE *fp1 = fopen(command, "r");
+                if (!fp1) {
+                        fprintf(stderr, "Error fnetfilter: cannot open %s\n", command);
+                        exit(1);
+                }
+                FILE *fp2 = fopen(destfile, "w");
+                if (!fp2) {
+                        fprintf(stderr, "Error fnetfilter: cannot open %s\n", destfile);
+                        exit(1);
+                }
+                
+                char buf[MAXBUF];
+                while (fgets(buf, MAXBUF, fp1))
+                        fprintf(fp2, "%s", buf);
+                fclose(fp1);
+                fclose(fp2);
+        }
+        
+printf("fnetfilter running\n");
+        return 0;
+}

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index ade23d89e..ab3c13598 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -766,7 +766,7 @@ void build_appimage_cmdline(char command_line, char window_title, int argc,
766	// sbox.c	766	// sbox.c
767	// programs	767	// programs
768	#define PATH_FNET (LIBDIR "/firejail/fnet")	768	#define PATH_FNET (LIBDIR "/firejail/fnet")
769	#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter")	769	#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter#define PATH_FNET (LIBDIR "/firejail/fnet")
770	#define PATH_FIREMON (PREFIX "/bin/firemon")	770	#define PATH_FIREMON (PREFIX "/bin/firemon")
771	#define PATH_FIREJAIL (PREFIX "/bin/firejail")	771	#define PATH_FIREJAIL (PREFIX "/bin/firejail")
772	#define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")	772	#define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")


diff --git a/src/fnetfilter/Makefile.in b/src/fnetfilter/Makefile.in new file mode 100644 index 000000000..1063737e1 --- /dev/null +++ b/src/fnetfilter/Makefile.in
@@ -0,0 +1,45 @@
		1	all: fnetfilter
		2
		3	CC=@CC@
		4	prefix=@prefix@
		5	exec_prefix=@exec_prefix@
		6	libdir=@libdir@
		7	sysconfdir=@sysconfdir@
		8
		9	VERSION=@PACKAGE_VERSION@
		10	NAME=@PACKAGE_NAME@
		11	HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
		12	HAVE_SECCOMP=@HAVE_SECCOMP@
		13	HAVE_CHROOT=@HAVE_CHROOT@
		14	HAVE_BIND=@HAVE_BIND@
		15	HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
		16	HAVE_NETWORK=@HAVE_NETWORK@
		17	HAVE_USERNS=@HAVE_USERNS@
		18	HAVE_X11=@HAVE_X11@
		19	HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
		20	HAVE_WHITELIST=@HAVE_WHITELIST@
		21	HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
		22	HAVE_APPARMOR=@HAVE_APPARMOR@
		23	HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
		24	HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
		25	EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
		26	HAVE_GCOV=@HAVE_GCOV@
		27	EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
		28
		29	H_FILE_LIST = $(sort $(wildcard *.[h]))
		30	C_FILE_LIST = $(sort $(wildcard *.c))
		31	OBJS = $(C_FILE_LIST:.c=.o)
		32	BINOBJS = $(foreach file, $(OBJS), $file)
		33	CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
		34	LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
		35
		36	%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
		37	$(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
		38
		39	fnetfilter: $(OBJS)
		40	$(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
		41
		42	clean:; rm -f .o fnetfilter .gcov .gcda .gcno
		43
		44	distclean: clean
		45	rm -fr Makefile


diff --git a/src/fnetfilter/main.c b/src/fnetfilter/main.c new file mode 100644 index 000000000..67ab31832 --- /dev/null +++ b/src/fnetfilter/main.c
@@ -0,0 +1,115 @@
		1	/*
		2	* Copyright (C) 2014-2017 Firejail Authors
		3	*
		4	* This file is part of firejail project
		5	*
		6	* This program is free software; you can redistribute it and/or modify
		7	* it under the terms of the GNU General Public License as published by
		8	* the Free Software Foundation; either version 2 of the License, or
		9	* (at your option) any later version.
		10	*
		11	* This program is distributed in the hope that it will be useful,
		12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
		13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		14	* GNU General Public License for more details.
		15	*
		16	* You should have received a copy of the GNU General Public License along
		17	* with this program; if not, write to the Free Software Foundation, Inc.,
		18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
		19	*/
		20	#include "../include/common.h"
		21
		22	#define MAXBUF 4098
		23	int arg_quiet = 0;
		24
		25	static char *default_filter =
		26	"*filter\n"
		27	":INPUT DROP [0:0]\n"
		28	":FORWARD DROP [0:0]\n"
		29	":OUTPUT ACCEPT [0:0]\n"
		30	"-A INPUT -i lo -j ACCEPT\n"
		31	"-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
		32	"# echo replay is handled by -m state RELATED/ESTABLISHED below\n"
		33	"#-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT\n"
		34	"-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT\n"
		35	"-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT\n"
		36	"-A INPUT -p icmp --icmp-type echo-request -j ACCEPT \n"
		37	"# disable STUN\n"
		38	"-A OUTPUT -p udp --dport 3478 -j DROP\n"
		39	"-A OUTPUT -p udp --dport 3479 -j DROP\n"
		40	"-A OUTPUT -p tcp --dport 3478 -j DROP\n"
		41	"-A OUTPUT -p tcp --dport 3479 -j DROP\n"
		42	"COMMIT\n";
		43
		44	static void usage(void) {
		45	printf("Usage:\n");
		46	printf("\tfnetfilter netfilter-command destination-file\n");
		47	}
		48
		49	int main(int argc, char **argv) {
		50	#if 0
		51	{
		52	system("cat /proc/self/status");
		53	int i;
		54	for (i = 0; i < argc; i++)
		55	printf("%s ", argv[i]);
		56	printf("\n");
		57	}
		58	#endif
		59
		60	char *quiet = getenv("FIREJAIL_QUIET");
		61	if (quiet && strcmp(quiet, "yes") == 0)
		62	arg_quiet = 1;
		63
		64	if (strcmp(argv[1], "-h") == 0 \|\| strcmp(argv[1], "--help") == 0 \|\| strcmp(argv[1], "-?") ==0) {
		65	usage();
		66	return 0;
		67	}
		68
		69	if (argc != 2 && argc != 3) {
		70	usage();
		71	return 1;
		72	}
		73
		74	char *destfile = (argc == 3)? argv[2]: argv[1];
		75	char *command = (argc == 3)? argv[1]: NULL;
		76	//printf("command %s\n", command);
		77	//printf("destfile %s\n", destfile);
		78
		79	// handle default config (command = NULL, destfile)
		80	if (command == NULL) {
		81	// create a default filter file
		82	FILE *fp = fopen(destfile, "w");
		83	if (!fp) {
		84	fprintf(stderr, "Error fnetfilter: cannot open %s\n", destfile);
		85	exit(1);
		86	}
		87	fprintf(fp, "%s\n", default_filter);
		88	fclose(fp);
		89	}
		90	else {
		91	// copy the file
		92	FILE *fp1 = fopen(command, "r");
		93	if (!fp1) {
		94	fprintf(stderr, "Error fnetfilter: cannot open %s\n", command);
		95	exit(1);
		96	}
		97
		98	FILE *fp2 = fopen(destfile, "w");
		99	if (!fp2) {
		100	fprintf(stderr, "Error fnetfilter: cannot open %s\n", destfile);
		101	exit(1);
		102	}
		103
		104	char buf[MAXBUF];
		105	while (fgets(buf, MAXBUF, fp1))
		106	fprintf(fp2, "%s", buf);
		107
		108	fclose(fp1);
		109	fclose(fp2);
		110	}
		111
		112
		113	printf("fnetfilter running\n");
		114	return 0;
		115	}