-rw-r--r-- | etc/templates/profile.template | 6 | ||||
-rw-r--r-- | src/firejail/fs.c | 1 | ||||
-rw-r--r-- | src/firejail/fs_home.c | 7 | ||||
-rw-r--r-- | src/firejail/restrict_users.c | 65 | ||||
-rw-r--r-- | src/include/rundefs.h | 2 |
5 files changed, 33 insertions, 48 deletions
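--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -1,5 +1,5 @@
 # Firejail profile for PROGRAM_NAME
-# Description: DESCRIPTION
+# Description: DESCRIPTION OF THE PROGRAM
 # This file is overwritten after every install/update
 # --- CUT HERE ---
 # This is a generic template to help you create profiles.
@@ -10,8 +10,8 @@
 # - lines with two ## are only needed in special situations
 # - make the profile as restrictive as possible while still keeping the program useful
 # (e.g. a program that is unable to save user's work is considered bad practice)
-# - dedicate ample time (based on the complexity of the application) to profile testing before raising
-# a pull request
+# - dedicate ample time (based on the complexity of the application) to profile testing before
+# submitting a pull request
 # - keep the sections structure, use a single empty line as separator
 # - entries within sections are alphabetically sorted
 # - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware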
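--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -170,6 +170,7 @@ static void disable_file(OPERATION op, const char *filename) {
 }
 }
 fs_tmpfs(fname, getuid());
+selinux_relabel_path(fname, fname);
 last_disable = SUCCESSFUL;
 }
 else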
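Review bot: The added `selinux_relabel_path(fname, fname)` only does what is intended because it runs after `fs_tmpfs()`; a relabel placed before the mount would apply to the directory the tmpfs then covers, which appears to be the ordering the commit is correcting (fs_home.c fs_private moves its relabel after `fs_tmpfs(homedir, 1)` for what looks like the same reason). That ordering constraint is not written down, so a later edit could swap the two calls without anything complaining. A why-comment on the new line would pin it: `// relabel after fs_tmpfs(): the mount hides the original directory's label`. disable_file() starts and ends outside the hunk.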
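--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -31,7 +31,7 @@
 
 #include <fcntl.h>
 #ifndef O_PATH
-# define O_PATH 010000000
+#define O_PATH 010000000
 #endif
 
 static void skel(const char *homedir, uid_t u, gid_t g) {
@@ -384,7 +384,6 @@ void fs_private(void) {
 if (chown(homedir, u, g) < 0)
 errExit("chown");
 
-selinux_relabel_path(homedir, homedir);
 fs_logger2("mkdir", homedir);
 fs_logger2("tmpfs", homedir);
 }
@@ -392,6 +391,8 @@ void fs_private(void) {
 // mask user home directory
 // the directory should be owned by the current user
 fs_tmpfs(homedir, 1);
+
+selinux_relabel_path(homedir, homedir);
 }
 
 skel(homedir, u, g);
@@ -549,7 +550,7 @@ void fs_private_home_list(void) {
 
 // create /run/firejail/mnt/home directory
 mkdir_attr(RUN_HOME_DIR, 0755, uid, gid);
-selinux_relabel_path(RUN_HOME_DIR, "/home");
+selinux_relabel_path(RUN_HOME_DIR, homedir);
 fs_logger_print(); // save the current log
 
 if (arg_debug)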
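Review bot: In fs_private_home_list the label source for RUN_HOME_DIR changes from the literal "/home" to `homedir` (new line 553) and nothing in the hunk says why; a reader cannot tell whether RUN_HOME_DIR is later mounted over the user's home and so should carry that directory's label, or whether the old argument was simply wrong. A one-line comment above the call would settle it, along the lines of `// label like the user's home directory, which this directory later stands in for` once the intent is confirmed. The hunk also does not show where `homedir` is declared or assigned in fs_private_home_list, so it is worth checking it is initialised before this point. The function starts and ends outside the hunk.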
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index 0dfd9ca1c..a0ca4c02c 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c | |||
@@ -72,7 +72,7 @@ static void sanitize_home(void) { | |||
72 | 72 | ||
73 | if (arg_debug) | 73 | if (arg_debug) |
74 | printf("Cleaning /home directory\n"); | 74 | printf("Cleaning /home directory\n"); |
75 | // keep a copy of the user home directory | 75 | // open user home directory in order to keep it around |
76 | int fd = safe_fd(cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); | 76 | int fd = safe_fd(cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); |
77 | if (fd == -1) | 77 | if (fd == -1) |
78 | goto errout; | 78 | goto errout; |
@@ -82,47 +82,38 @@ static void sanitize_home(void) { | |||
82 | close(fd); | 82 | close(fd); |
83 | goto errout; | 83 | goto errout; |
84 | } | 84 | } |
85 | char *proc; | ||
86 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | ||
87 | errExit("asprintf"); | ||
88 | if (mkdir(RUN_WHITELIST_HOME_DIR, 0755) == -1) | ||
89 | errExit("mkdir"); | ||
90 | if (mount(proc, RUN_WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
91 | errExit("mount bind"); | ||
92 | free(proc); | ||
93 | close(fd); | ||
94 | 85 | ||
95 | // mount tmpfs in the new home | 86 | // mount tmpfs on /home |
96 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) | 87 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) |
97 | errExit("mount tmpfs"); | 88 | errExit("mount tmpfs"); |
98 | selinux_relabel_path("/home", "/home"); | 89 | selinux_relabel_path("/home", "/home"); |
99 | fs_logger("tmpfs /home"); | 90 | fs_logger("tmpfs /home"); |
100 | 91 | ||
101 | // create user home directory | 92 | // create new user home directory |
102 | if (mkdir(cfg.homedir, 0755) == -1) { | 93 | if (mkdir(cfg.homedir, 0755) == -1) { |
103 | if (mkpath_as_root(cfg.homedir)) | 94 | if (mkpath_as_root(cfg.homedir) == -1) |
104 | errExit("mkpath"); | 95 | errExit("mkpath"); |
105 | if (mkdir(cfg.homedir, 0755) == -1) | 96 | if (mkdir(cfg.homedir, 0755) == -1) |
106 | errExit("mkdir"); | 97 | errExit("mkdir"); |
107 | selinux_relabel_path(cfg.homedir, cfg.homedir); | ||
108 | } | 98 | } |
109 | fs_logger2("mkdir", cfg.homedir); | 99 | fs_logger2("mkdir", cfg.homedir); |
110 | 100 | ||
111 | // set mode and ownership | 101 | // set mode and ownership |
112 | if (set_perms(cfg.homedir, s.st_uid, s.st_gid, s.st_mode)) | 102 | if (set_perms(cfg.homedir, s.st_uid, s.st_gid, s.st_mode)) |
113 | errExit("set_perms"); | 103 | errExit("set_perms"); |
104 | selinux_relabel_path(cfg.homedir, cfg.homedir); | ||
114 | 105 | ||
115 | // mount user home directory | 106 | // bring back real user home directory |
116 | if (mount(RUN_WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0) | 107 | char *proc; |
108 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | ||
109 | errExit("asprintf"); | ||
110 | if (mount(proc, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
117 | errExit("mount bind"); | 111 | errExit("mount bind"); |
112 | free(proc); | ||
113 | close(fd); | ||
118 | 114 | ||
119 | // mask home dir under /run | ||
120 | if (mount("tmpfs", RUN_WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) | ||
121 | errExit("mount tmpfs"); | ||
122 | fs_logger2("tmpfs", RUN_WHITELIST_HOME_DIR); | ||
123 | if (!arg_private) | 115 | if (!arg_private) |
124 | fs_logger2("whitelist", cfg.homedir); | 116 | fs_logger2("whitelist", cfg.homedir); |
125 | |||
126 | return; | 117 | return; |
127 | 118 | ||
128 | errout: | 119 | errout: |
@@ -137,22 +128,15 @@ static void sanitize_run(void) { | |||
137 | if (asprintf(&runuser, "/run/user/%u", getuid()) == -1) | 128 | if (asprintf(&runuser, "/run/user/%u", getuid()) == -1) |
138 | errExit("asprintf"); | 129 | errExit("asprintf"); |
139 | 130 | ||
140 | struct stat s; | 131 | // open /run/user/$UID directory in order to keep it around |
141 | if (stat(runuser, &s) == -1) { | 132 | int fd = open(runuser, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); |
142 | // cannot find /user/run/$UID directory, just return | 133 | if (fd == -1) { |
143 | if (arg_debug) | 134 | if (arg_debug) |
144 | printf("Cannot find %s directory\n", runuser); | 135 | printf("Cannot open %s directory\n", runuser); |
145 | free(runuser); | 136 | free(runuser); |
146 | return; | 137 | return; |
147 | } | 138 | } |
148 | 139 | ||
149 | if (mkdir(RUN_WHITELIST_RUN_DIR, 0755) == -1) | ||
150 | errExit("mkdir"); | ||
151 | |||
152 | // keep a copy of the /run/user/$UID directory | ||
153 | if (mount(runuser, RUN_WHITELIST_RUN_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
154 | errExit("mount bind"); | ||
155 | |||
156 | // mount tmpfs on /run/user | 140 | // mount tmpfs on /run/user |
157 | if (mount("tmpfs", "/run/user", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) | 141 | if (mount("tmpfs", "/run/user", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) |
158 | errExit("mount tmpfs"); | 142 | errExit("mount tmpfs"); |
@@ -162,22 +146,23 @@ static void sanitize_run(void) { | |||
162 | // create new user directory | 146 | // create new user directory |
163 | if (mkdir(runuser, 0700) == -1) | 147 | if (mkdir(runuser, 0700) == -1) |
164 | errExit("mkdir"); | 148 | errExit("mkdir"); |
165 | selinux_relabel_path(runuser, runuser); | ||
166 | fs_logger2("mkdir", runuser); | 149 | fs_logger2("mkdir", runuser); |
167 | 150 | ||
168 | // set mode and ownership | 151 | // set mode and ownership |
169 | if (set_perms(runuser, getuid(), getgid(), 0700)) | 152 | if (set_perms(runuser, getuid(), getgid(), 0700)) |
170 | errExit("set_perms"); | 153 | errExit("set_perms"); |
154 | selinux_relabel_path(runuser, runuser); | ||
171 | 155 | ||
172 | // mount /run/user/$UID directory | 156 | // bring back real run/user/$UID directory |
173 | if (mount(RUN_WHITELIST_RUN_DIR, runuser, NULL, MS_BIND|MS_REC, NULL) < 0) | 157 | char *proc; |
158 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | ||
159 | errExit("asprintf"); | ||
160 | if (mount(proc, runuser, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
174 | errExit("mount bind"); | 161 | errExit("mount bind"); |
162 | free(proc); | ||
163 | close(fd); | ||
175 | 164 | ||
176 | // mask mirrored /run/user/$UID directory | 165 | fs_logger2("whitelist", runuser); |
177 | if (mount("tmpfs", RUN_WHITELIST_RUN_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) | ||
178 | errExit("mount tmpfs"); | ||
179 | fs_logger2("tmpfs", RUN_WHITELIST_RUN_DIR); | ||
180 | |||
181 | free(runuser); | 166 | free(runuser); |
182 | } | 167 | } |
183 | 168 | ||
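--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -84,8 +84,6 @@
 #define RUN_DEVLOG_FILE RUN_MNT_DIR "/devlog"
 
 #define RUN_WHITELIST_X11_DIR RUN_MNT_DIR "/orig-x11"
-#define RUN_WHITELIST_HOME_DIR RUN_MNT_DIR "/orig-home" // default home directory masking
-#define RUN_WHITELIST_RUN_DIR RUN_MNT_DIR "/orig-run" // default run directory masking
 #define RUN_WHITELIST_HOME_USER_DIR RUN_MNT_DIR "/orig-home-user" // home directory whitelisting
 #define RUN_WHITELIST_RUN_USER_DIR RUN_MNT_DIR "/orig-run-user" // run directory whitelisting
 #define RUN_WHITELIST_TMP_DIR RUN_MNT_DIR "/orig-tmp"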