diff options
| -rw-r--r-- | etc/profile-a-l/firefox-common.profile | 2 | ||||
| -rw-r--r-- | src/firejail/firejail.h | 1 | ||||
| -rw-r--r-- | src/firejail/main.c | 5 | ||||
| -rw-r--r-- | src/firejail/profile.c | 16 | ||||
| -rw-r--r-- | src/firejail/sandbox.c | 9 |
5 files changed, 32 insertions, 1 deletions
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile index 36e3405b0..47eb8638e 100644 --- a/etc/profile-a-l/firefox-common.profile +++ b/etc/profile-a-l/firefox-common.profile | |||
| @@ -33,6 +33,8 @@ include whitelist-runuser-common.inc | |||
| 33 | include whitelist-var-common.inc | 33 | include whitelist-var-common.inc |
| 34 | 34 | ||
| 35 | apparmor | 35 | apparmor |
| 36 | # Fixme! | ||
| 37 | apparmor-replace | ||
| 36 | caps.drop all | 38 | caps.drop all |
| 37 | # machine-id breaks pulse audio; add it to your firefox-common.local if sound is not required. | 39 | # machine-id breaks pulse audio; add it to your firefox-common.local if sound is not required. |
| 38 | #machine-id | 40 | #machine-id |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 65907e8ee..65f93d9d1 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -339,6 +339,7 @@ extern int arg_writable_var_log; // writable /var/log | |||
| 339 | extern int arg_appimage; // appimage | 339 | extern int arg_appimage; // appimage |
| 340 | extern int arg_apparmor; // apparmor | 340 | extern int arg_apparmor; // apparmor |
| 341 | extern char *apparmor_profile; // apparmor profile | 341 | extern char *apparmor_profile; // apparmor profile |
| 342 | extern bool apparmor_replace; // whether apparmor should replace the profile (legacy behavior) | ||
| 342 | extern int arg_allow_debuggers; // allow debuggers | 343 | extern int arg_allow_debuggers; // allow debuggers |
| 343 | extern int arg_x11_block; // block X11 | 344 | extern int arg_x11_block; // block X11 |
| 344 | extern int arg_x11_xorg; // use X11 security extension | 345 | extern int arg_x11_xorg; // use X11 security extension |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 1eda26f99..54479dc0c 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -134,6 +134,7 @@ int arg_writable_var_log = 0; // writable /var/log | |||
| 134 | int arg_appimage = 0; // appimage | 134 | int arg_appimage = 0; // appimage |
| 135 | int arg_apparmor = 0; // apparmor | 135 | int arg_apparmor = 0; // apparmor |
| 136 | char *apparmor_profile = NULL; // apparmor profile | 136 | char *apparmor_profile = NULL; // apparmor profile |
| 137 | bool apparmor_replace = false; // apparmor profile | ||
| 137 | int arg_allow_debuggers = 0; // allow debuggers | 138 | int arg_allow_debuggers = 0; // allow debuggers |
| 138 | int arg_x11_block = 0; // block X11 | 139 | int arg_x11_block = 0; // block X11 |
| 139 | int arg_x11_xorg = 0; // use X11 security extension | 140 | int arg_x11_xorg = 0; // use X11 security extension |
| @@ -1383,6 +1384,10 @@ int main(int argc, char **argv, char **envp) { | |||
| 1383 | arg_apparmor = 1; | 1384 | arg_apparmor = 1; |
| 1384 | apparmor_profile = argv[i] + 11; | 1385 | apparmor_profile = argv[i] + 11; |
| 1385 | } | 1386 | } |
| 1387 | else if (strncmp(argv[i], "--apparmor-replace", 18) == 0) { | ||
| 1388 | arg_apparmor = 1; | ||
| 1389 | apparmor_replace = true; | ||
| 1390 | } | ||
| 1386 | #endif | 1391 | #endif |
| 1387 | else if (strncmp(argv[i], "--protocol=", 11) == 0) { | 1392 | else if (strncmp(argv[i], "--protocol=", 11) == 0) { |
| 1388 | if (checkcfg(CFG_SECCOMP)) { | 1393 | if (checkcfg(CFG_SECCOMP)) { |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 24964d40d..15e833288 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
| @@ -956,6 +956,22 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
| 956 | return 0; | 956 | return 0; |
| 957 | } | 957 | } |
| 958 | 958 | ||
| 959 | if (strcmp(ptr, "apparmor-replace") == 0) { | ||
| 960 | #ifdef HAVE_APPARMOR | ||
| 961 | arg_apparmor = 1; | ||
| 962 | apparmor_replace = true; | ||
| 963 | #endif | ||
| 964 | return 0; | ||
| 965 | } | ||
| 966 | |||
| 967 | if (strcmp(ptr, "apparmor-stack") == 0) { | ||
| 968 | #ifdef HAVE_APPARMOR | ||
| 969 | arg_apparmor = 1; | ||
| 970 | apparmor_replace = false; | ||
| 971 | #endif | ||
| 972 | return 0; | ||
| 973 | } | ||
| 974 | |||
| 959 | if (strncmp(ptr, "protocol ", 9) == 0) { | 975 | if (strncmp(ptr, "protocol ", 9) == 0) { |
| 960 | if (checkcfg(CFG_SECCOMP)) { | 976 | if (checkcfg(CFG_SECCOMP)) { |
| 961 | const char *add = ptr + 9; | 977 | const char *add = ptr + 9; |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 9299268a3..3295362e1 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -130,7 +130,14 @@ static void set_caps(void) { | |||
| 130 | static void set_apparmor(void) { | 130 | static void set_apparmor(void) { |
| 131 | EUID_ASSERT(); | 131 | EUID_ASSERT(); |
| 132 | if (checkcfg(CFG_APPARMOR) && arg_apparmor) { | 132 | if (checkcfg(CFG_APPARMOR) && arg_apparmor) { |
| 133 | if (aa_stack_onexec(apparmor_profile)) { | 133 | int res = 0; |
| 134 | if(apparmor_replace){ | ||
| 135 | fwarning("Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.\n"); | ||
| 136 | res = aa_change_onexec(apparmor_profile); | ||
| 137 | } else { | ||
| 138 | res = aa_stack_onexec(apparmor_profile); | ||
| 139 | } | ||
| 140 | if (res) { | ||
| 134 | fwarning("Cannot confine the application using AppArmor.\n" | 141 | fwarning("Cannot confine the application using AppArmor.\n" |
| 135 | "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n" | 142 | "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n" |
| 136 | "As root, run \"aa-enforce firejail-default\" to load it.\n"); | 143 | "As root, run \"aa-enforce firejail-default\" to load it.\n"); |