-rw-r--r-- | etc/profile-a-l/kodi.profile | 4 | ||||
-rw-r--r-- | etc/profile-m-z/megaglest.profile | 1 | ||||
-rw-r--r-- | etc/profile-m-z/scorched3d.profile | 1 | ||||
-rw-r--r-- | etc/profile-m-z/seahorse-adventures.profile | 5 | ||||
-rw-r--r-- | etc/profile-m-z/slack.profile | 4 | ||||
-rw-r--r-- | etc/profile-m-z/supertux2.profile | 1 | ||||
-rw-r--r-- | etc/profile-m-z/supertuxkart.profile | 1 | ||||
-rw-r--r-- | etc/profile-m-z/telegram-desktop.profile | 2 | ||||
-rw-r--r-- | etc/templates/profile.template | 19 | ||||
-rw-r--r-- | src/firejail/x11.c | 63 | ||||
-rw-r--r-- | src/include/rundefs.h | 4 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 5 | ||||
-rw-r--r-- | src/man/firejail.txt | 5 |
13 files changed, 54 insertions, 61 deletions
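--- a/etc/profile-a-l/kodi.profile
+++ b/etc/profile-a-l/kodi.profile
@@ -8,6 +8,10 @@ include globals.local
 
 # noexec ${HOME} breaks plugins
 ignore noexec ${HOME}
+# Add the following to your kodi.local if you use a CEC Adapter.
+#ignore nogroups
+#ignore noroot
+#ignore private-dev
 
 noblacklist ${HOME}/.kodi
 noblacklist ${MUSIC}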
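--- a/etc/profile-m-z/megaglest.profile
+++ b/etc/profile-m-z/megaglest.profile
@@ -20,6 +20,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.megaglest
 whitelist ${HOME}/.megaglest
 whitelist /usr/share/megaglest
+whitelist /usr/share/games/megaglest # Debian version
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc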
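--- a/etc/profile-m-z/scorched3d.profile
+++ b/etc/profile-m-z/scorched3d.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.scorched3d
 whitelist ${HOME}/.scorched3d
 whitelist /usr/share/scorched3d
+whitelist /usr/share/games/scorched3d
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc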
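Review bot: The new whitelist line at 22 lacks the trailing `# Debian version` comment that the sibling additions in megaglest, seahorse-adventures, supertux2 and supertuxkart carry in this same commit. `whitelist /usr/share/games/scorched3d # Debian version` keeps the four profiles consistent and records why a second data path is whitelisted. Without the comment a later cleanup could drop the line as a duplicate of the /usr/share entry above it.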
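--- a/etc/profile-m-z/seahorse-adventures.profile
+++ b/etc/profile-m-z/seahorse-adventures.profile
@@ -16,10 +16,11 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-include disable-shell.inc
+#include disable-shell.inc - breaks on Debian 10
 include disable-xdg.inc
 
 whitelist /usr/share/seahorse-adventures
+whitelist /usr/share/games/seahorse-adventures # Debian version
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -42,7 +43,7 @@ tracelog
 
 disable-mnt
 private
-private-bin python*,seahorse-adventures
+private-bin python*,seahorse-adventures,bash,dash,sh
 private-cache
 private-dev
 private-etc machine-id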
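Review bot: Disabling `disable-shell.inc` at new line 19 and adding `bash,dash,sh` to private-bin at new line 46 widen the sandbox on every distribution, while the comment attributes the breakage to Debian 10 only, and the profile does not record what on Debian 10 actually needs a shell (presumably a shell-script launcher, but that is not visible here). A comment naming the cause, e.g. `#include disable-shell.inc - the Debian 10 launcher is a shell script (confirm)`, lets a later maintainer tell when the shells can be removed again. If the cause really is distribution-specific, it may be worth saying so in the comment so users of other distributions know they can re-enable the include in their .local file.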
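--- a/etc/profile-m-z/slack.profile
+++ b/etc/profile-m-z/slack.profile
@@ -18,12 +18,14 @@ ignore dbus-system none
 
 noblacklist ${HOME}/.config/Slack
 
+include allow-bin-sh.inc
+
 include disable-shell.inc
 
 mkdir ${HOME}/.config/Slack
 whitelist ${HOME}/.config/Slack
 
-private-bin locale,slack
+private-bin electron,electron[0-9],electron[0-9][0-9],locale,sh,slack
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
 
 # Redirect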
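Review bot: `include allow-bin-sh.inc` at new line 21 and `sh` in private-bin at new line 28 re-admit a shell into a profile that still pulls in disable-shell.inc, and the hunk gives no reason for the exception. A one-line comment above the include, e.g. `# Slack's start-up wrapper needs /bin/sh (confirm)`, would document why the shell is tolerated and when it could be removed. The placement looks right as far as the hunk shows: allow-bin-sh.inc precedes disable-shell.inc, which is presumably what lets its noblacklist entries take effect before the blacklist.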
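--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -20,6 +20,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.local/share/supertux2
 whitelist ${HOME}/.local/share/supertux2
 whitelist /usr/share/supertux2
+whitelist /usr/share/games/supertux2 # Debian version
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc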
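--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -28,6 +28,7 @@ whitelist ${HOME}/.config/supertuxkart
 whitelist ${HOME}/.cache/supertuxkart
 whitelist ${HOME}/.local/share/supertuxkart
 whitelist /usr/share/supertuxkart
+whitelist /usr/share/games/supertuxkart # Debian version
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc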
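--- a/etc/profile-m-z/telegram-desktop.profile
+++ b/etc/profile-m-z/telegram-desktop.profile
@@ -2,7 +2,7 @@
 # Description: Official Telegram Desktop client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include tekegram-desktop.local
+include telegram-desktop.local
 # Persistent global definitions
 # added by included profile
 #include globals.local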
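--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -59,14 +59,6 @@ include globals.local
 ##ignore noexec ${HOME}
 ##ignore noexec /tmp
 
-##blacklist PATH
-# Disable X11 (CLI only), see also 'x11 none' below
-#blacklist /tmp/.X11-unix
-# Disable Wayland
-#blacklist ${RUNUSER}/wayland-*
-# Disable RUNUSER (cli only; supersedes Disable Wayland)
-#blacklist ${RUNUSER}
-
 # It is common practice to add files/dirs containing program-specific configuration
 # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
 # (keep list sorted) and then disable blacklisting below.
@@ -109,6 +101,17 @@ include globals.local
 # Allow ssh (blacklisted by disable-common.inc)
 #include allow-ssh.inc
 
+##blacklist PATH
+# Disable X11 (CLI only), see also 'x11 none' below
+#blacklist /tmp/.X11-unix
+# Disable Wayland
+#blacklist ${RUNUSER}/wayland-*
+# Disable RUNUSER (cli only; supersedes Disable Wayland)
+#blacklist ${RUNUSER}
+# Remove the next blacklist if you system has no /usr/libexec dir,
+# otherwise try to add it.
+#blacklist /usr/libexec
+
 # disable-*.inc includes
 # remove disable-write-mnt.inc if you set disable-mnt
 #include disable-common.inc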
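Review bot: The new comment at line 111 has a typo, `you system` for `your system`: `# Remove the next blacklist if your system has no /usr/libexec dir,`. The wording "otherwise try to add it" is also ambiguous about what "it" refers to (the blacklist line or the directory); something like `# otherwise keep it and add it to new profiles` would state the intent, if that is what is meant. The relocated lines 105 and 109 mix `CLI only` and `cli only`, though those are moved rather than new text.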
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 257d376a1..f4f093138 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
@@ -1327,7 +1327,7 @@ void fs_x11(void) { | |||
1327 | struct stat s1, s2; | 1327 | struct stat s1, s2; |
1328 | if (stat("/tmp", &s1) != 0 || lstat("/tmp/.X11-unix", &s2) != 0) | 1328 | if (stat("/tmp", &s1) != 0 || lstat("/tmp/.X11-unix", &s2) != 0) |
1329 | return; | 1329 | return; |
1330 | if ((s1.st_mode & S_ISVTX) == 0) { | 1330 | if ((s1.st_mode & S_ISVTX) != S_ISVTX) { |
1331 | fwarning("cannot mask X11 sockets: sticky bit not set on /tmp directory\n"); | 1331 | fwarning("cannot mask X11 sockets: sticky bit not set on /tmp directory\n"); |
1332 | return; | 1332 | return; |
1333 | } | 1333 | } |
@@ -1335,26 +1335,26 @@ void fs_x11(void) { | |||
1335 | fwarning("cannot mask X11 sockets: /tmp/.X11-unix not owned by root user\n"); | 1335 | fwarning("cannot mask X11 sockets: /tmp/.X11-unix not owned by root user\n"); |
1336 | return; | 1336 | return; |
1337 | } | 1337 | } |
1338 | |||
1338 | char *x11file; | 1339 | char *x11file; |
1339 | if (asprintf(&x11file, "/tmp/.X11-unix/X%d", display) == -1) | 1340 | if (asprintf(&x11file, "/tmp/.X11-unix/X%d", display) == -1) |
1340 | errExit("asprintf"); | 1341 | errExit("asprintf"); |
1342 | int src = open(x11file, O_PATH|O_NOFOLLOW|O_CLOEXEC); | ||
1343 | if (src < 0) { | ||
1344 | free(x11file); | ||
1345 | return; | ||
1346 | } | ||
1341 | struct stat x11stat; | 1347 | struct stat x11stat; |
1342 | if (lstat(x11file, &x11stat) != 0 || !S_ISSOCK(x11stat.st_mode)) { | 1348 | if (fstat(src, &x11stat) < 0) |
1349 | errExit("fstat"); | ||
1350 | if (!S_ISSOCK(x11stat.st_mode)) { | ||
1351 | close(src); | ||
1343 | free(x11file); | 1352 | free(x11file); |
1344 | return; | 1353 | return; |
1345 | } | 1354 | } |
1346 | 1355 | ||
1347 | if (arg_debug || arg_debug_whitelists) | 1356 | if (arg_debug || arg_debug_whitelists) |
1348 | fprintf(stderr, "Masking all X11 sockets except %s\n", x11file); | 1357 | fprintf(stderr, "Masking all X11 sockets except %s\n", x11file); |
1349 | |||
1350 | // Move the real /tmp/.X11-unix to a scratch location | ||
1351 | // so we can still access x11file after we mount a | ||
1352 | // tmpfs over /tmp/.X11-unix. | ||
1353 | if (mkdir(RUN_WHITELIST_X11_DIR, 0700) == -1) | ||
1354 | errExit("mkdir"); | ||
1355 | if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, 0, MS_BIND|MS_REC, 0) < 0) | ||
1356 | errExit("mount bind"); | ||
1357 | |||
1358 | // This directory must be mode 1777 | 1358 | // This directory must be mode 1777 |
1359 | if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs", | 1359 | if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs", |
1360 | MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME, | 1360 | MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME, |
@@ -1363,40 +1363,21 @@ void fs_x11(void) { | |||
1363 | fs_logger("tmpfs /tmp/.X11-unix"); | 1363 | fs_logger("tmpfs /tmp/.X11-unix"); |
1364 | 1364 | ||
1365 | // create an empty root-owned file which will have the desired socket bind-mounted over it | 1365 | // create an empty root-owned file which will have the desired socket bind-mounted over it |
1366 | int fd = open(x11file, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR); | 1366 | int dst = open(x11file, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR); |
1367 | if (fd < 0) | 1367 | if (dst < 0) |
1368 | errExit(x11file); | 1368 | errExit("open"); |
1369 | close(fd); | ||
1370 | 1369 | ||
1371 | // the mount source is under control of the user, so be careful and | 1370 | char *proc_src, *proc_dst; |
1372 | // mount without following symbolic links, using a file descriptor | 1371 | if (asprintf(&proc_src, "/proc/self/fd/%d", src) == -1 || |
1373 | char *wx11file; | 1372 | asprintf(&proc_dst, "/proc/self/fd/%d", dst) == -1) |
1374 | if (asprintf(&wx11file, "%s/X%d", RUN_WHITELIST_X11_DIR, display) == -1) | ||
1375 | errExit("asprintf"); | ||
1376 | fd = safer_openat(-1, wx11file, O_PATH|O_NOFOLLOW|O_CLOEXEC); | ||
1377 | if (fd == -1) | ||
1378 | errExit("opening X11 socket"); | ||
1379 | // confirm once more we are mounting a socket | ||
1380 | if (fstat(fd, &x11stat) == -1) | ||
1381 | errExit("fstat"); | ||
1382 | if (!S_ISSOCK(x11stat.st_mode)) { | ||
1383 | errno = ENOTSOCK; | ||
1384 | errExit("mounting X11 socket"); | ||
1385 | } | ||
1386 | char *proc; | ||
1387 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | ||
1388 | errExit("asprintf"); | 1373 | errExit("asprintf"); |
1389 | if (mount(proc, x11file, NULL, MS_BIND|MS_REC, NULL) < 0) | 1374 | if (mount(proc_src, proc_dst, NULL, MS_BIND | MS_REC, NULL) < 0) |
1390 | errExit("mount bind"); | 1375 | errExit("mount bind"); |
1376 | free(proc_src); | ||
1377 | free(proc_dst); | ||
1378 | close(src); | ||
1379 | close(dst); | ||
1391 | fs_logger2("whitelist", x11file); | 1380 | fs_logger2("whitelist", x11file); |
1392 | close(fd); | ||
1393 | free(proc); | ||
1394 | |||
1395 | // block access to RUN_WHITELIST_X11_DIR | ||
1396 | if (mount(RUN_RO_DIR, RUN_WHITELIST_X11_DIR, 0, MS_BIND, 0) < 0) | ||
1397 | errExit("mount"); | ||
1398 | fs_logger2("blacklist", RUN_WHITELIST_X11_DIR); | ||
1399 | free(wx11file); | ||
1400 | free(x11file); | 1381 | free(x11file); |
1401 | #endif | 1382 | #endif |
1402 | } | 1383 | } |
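Review bot: The rationale that the old `// the mount source is under control of the user, so be careful and mount without following symbolic links, using a file descriptor` comment gave is dropped, and nothing in the second hunk says why `src` is opened with O_PATH|O_NOFOLLOW before the tmpfs is mounted over /tmp/.X11-unix, or why the later bind mount goes through /proc/self/fd — that the fstat()-validated inode is exactly the mount source is the property that lets the old "confirm once more" re-check go away. Suggest above `int src = open(x11file, O_PATH|O_NOFOLLOW|O_CLOEXEC);` a comment such as `// open the socket before the tmpfs hides it: the fd is both what fstat() checks and the bind-mount source below, so the user-controlled path cannot be swapped in between`. In the third hunk `errExit("open")` replaces `errExit(x11file)`, so a failure to create the placeholder no longer names the file; keeping `errExit(x11file)` preserves the diagnostic. fs_x11 starts before the first hunk and `display` is defined outside the shown lines.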
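--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -79,12 +79,8 @@
 #define PATH_SECCOMP_MDWX_32 LIBDIR "/firejail/seccomp.mdwx.32"
 #define PATH_SECCOMP_BLOCK_SECONDARY LIBDIR "/firejail/seccomp.block_secondary" // secondary arch blocking filter built during make
 
-
 #define RUN_DEV_DIR RUN_MNT_DIR "/dev"
 #define RUN_DEVLOG_FILE RUN_MNT_DIR "/devlog"
-
-#define RUN_WHITELIST_X11_DIR RUN_MNT_DIR "/orig-x11"
-
 #define RUN_XAUTHORITY_FILE RUN_MNT_DIR "/.Xauthority" // private options
 #define RUN_XAUTH_FILE RUN_MNT_DIR "/xauth" // x11=xorg
 #define RUN_XAUTHORITY_SEC_DIR RUN_MNT_DIR "/.sec.Xauthority" // x11=xorg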
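--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -428,8 +428,9 @@ Blacklist violations logged to syslog.
 \fBwhitelist file_or_directory
 Whitelist directory or file. A temporary file system is mounted on the top directory, and the
 whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
-everything else is discarded when the sandbox is closed. The top directory could be
-user home, /dev, /etc, /media, /mnt, /opt, /srv, /sys/module, /usr/share, /var, and /tmp.
+everything else is discarded when the sandbox is closed. The top directory can be
+all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
+all directories in /usr.
 .br
 
 .br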
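--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2723,8 +2723,9 @@ $ firejail \-\-net=br0 --veth-name=if0
 \fB\-\-whitelist=dirname_or_filename
 Whitelist directory or file. A temporary file system is mounted on the top directory, and the
 whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
-everything else is discarded when the sandbox is closed. The top directory could be
-user home, /dev, /etc, /media, /mnt, /opt, /run/user/$UID, /srv, /sys/module, /tmp, /usr/share and /var.
+everything else is discarded when the sandbox is closed. The top directory can be
+all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
+all directories in /usr.
 .br
 
 .br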