Diffstat (limited to 'src/firejail/firejail.h')
-rw-r--r-- | src/firejail/firejail.h | 354 |
1 files changed, 354 insertions, 0 deletions
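--- /dev/null
+++ b/src/firejail/firejail.h
@@ -0,0 +1,354 @@
+/*
+ * Copyright (C) 2014, 2015 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#ifndef FIREJAIL_H
+#define FIREJAIL_H
+#include "../include/common.h"
+
+#define USELOCK
+#define FIREJAIL_DIR "/tmp/firejail"
+#define RO_DIR "/tmp/firejail/firejail.ro.dir"
+#define RO_FILE "/tmp/firejail/firejail.ro.file"
+#define MNT_DIR "/tmp/firejail/mnt"
+#define OVERLAY_DIR "/tmp/firejail/overlay"
+#define HOME_DIR "/tmp/firejail/mnt/home"
+#define MAX_INCLUDE_LEVEL 6
+
+// main.c
+typedef struct bridge_t {
+// on the host
+char *dev; // interface device name: bridge or regular ethernet
+uint32_t ip; // interface device IP address
+uint32_t mask; // interface device mask
+uint8_t mac[6]; // interface mac address
+
+// inside the sandbox
+char *devsandbox; // name of the device inside the sandbox
+uint32_t ipsandbox; // ip address inside the sandbox
+uint8_t macsandbox[6]; // mac address inside the sandbox
+uint32_t iprange_start;// iprange arp scan start range
+uint32_t iprange_end; // iprange arp scan end range
+
+// flags
+uint8_t arg_ip_none; // --ip=none
+uint8_t macvlan; // set by --net=eth0 (or eth1, ...); reset by --net=br0 (or br1, ...)
+uint8_t configured;
+uint8_t scan; // set by --scan
+} Bridge;
+
+typedef struct profile_entry_t {
+struct profile_entry_t *next;
+char *data;
+}ProfileEntry;
+
+typedef struct config_t {
+// user data
+char *username;
+char *homedir;
+
+// filesystem
+ProfileEntry *profile;
+char *chrootdir; // chroot directory
+char *home_private; // private home directory
+char *home_private_keep; // keep list for private home directory
+char *cwd; // current working directory
+
+// networking
+char *hostname;
+uint32_t defaultgw; // default gateway
+Bridge bridge0;
+Bridge bridge1;
+Bridge bridge2;
+Bridge bridge3;
+uint32_t dns1; // up to 3 IP addresses for dns servers
+uint32_t dns2;
+uint32_t dns3;
+
+// rlimits
+unsigned rlimit_nofile;
+unsigned rlimit_nproc;
+unsigned rlimit_fsize;
+unsigned rlimit_sigpending;
+
+// cpu affinity and control groups
+uint32_t cpus;
+char *cgroup;
+
+
+// command line
+char *command_line;
+char *command_name;
+char *shell;
+char **original_argv;
+int original_argc;
+int original_program_index;
+} Config;
+extern Config cfg;
+
+static inline int any_bridge_configured(void) {
+if (cfg.bridge3.configured || cfg.bridge2.configured || cfg.bridge1.configured || cfg.bridge0.configured)
+return 1;
+else
+return 0;
+}
+extern int arg_private; // mount private /home and /tmp directory
+extern int arg_debug; // print debug messages
+extern int arg_nonetwork; // --net=none
+extern int arg_command; // -c
+extern int arg_overlay; // --overlay
+extern int arg_zsh; // use zsh as default shell
+extern int arg_csh; // use csh as default shell
+
+extern int arg_seccomp; // enable default seccomp filter
+extern char *arg_seccomp_list;// optional seccomp list on top of default filter
+extern char *arg_seccomp_list_drop; // seccomp drop list
+extern char *arg_seccomp_list_keep; // seccomp keep list
+
+extern int arg_caps_default_filter; // enable default capabilities filter
+extern int arg_caps_drop; // drop list
+extern int arg_caps_drop_all; // drop all capabilities
+extern int arg_caps_keep; // keep list
+extern char *arg_caps_list; // optional caps list
+
+extern int arg_trace; // syscall tracing support
+extern int arg_rlimit_nofile; // rlimit nofile
+extern int arg_rlimit_nproc; // rlimit nproc
+extern int arg_rlimit_fsize; // rlimit fsize
+extern int arg_rlimit_sigpending;// rlimit sigpending
+extern int arg_nox11; // kill the program if x11 unix domain socket is accessed
+extern int arg_nodbus; // kill the program if D-Bus is accessed
+extern int arg_nogroups; // disable supplementary groups
+extern int arg_noroot; // create a new user namespace and disable root user
+extern int arg_netfilter; // enable netfilter
+extern char *arg_netfilter_file; // netfilter file
+extern int arg_doubledash; // double dash
+extern int arg_shell_none; // run the program directly without a shell
+extern int arg_private_dev; // private dev directory
+extern int arg_scan; // arp-scan all interfaces
+
+extern int parent_to_child_fds[2];
+extern int child_to_parent_fds[2];
+extern pid_t sandbox_pid;
+
+
+
+#define MAX_ARGS 128 // maximum number of command arguments (argc)
+extern char *fullargv[MAX_ARGS];
+extern int fullargc;
+
+// main.c
+void check_user_namespace(void);
+
+// sandbox.c
+int sandbox(void* sandbox_arg);
+
+// network_main.c
+void net_configure_bridge(Bridge *br, char *dev_name);
+void net_configure_sandbox_ip(Bridge *br);
+void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child);
+void net_check_cfg(void);
+void net_dns_print_name(const char *name);
+void net_dns_print(pid_t pid);
+
+// network.c
+void net_if_up(const char *ifname);
+void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask);
+int net_get_if_addr(const char *bridge, uint32_t *ip, uint32_t *mask, uint8_t mac[6]);
+int net_add_route(uint32_t dest, uint32_t mask, uint32_t gw);
+void net_ifprint(void);
+void net_bridge_add_interface(const char *bridge, const char *dev);
+uint32_t network_get_defaultgw(void);
+int net_config_mac(const char *ifname, const unsigned char mac[6]);
+int net_get_mac(const char *ifname, unsigned char mac[6]);
+
+// fs.c
+// build /tmp/firejail directory
+void fs_build_firejail_dir(void);
+// build /tmp/firejail/mnt directory
+void fs_build_mnt_dir(void);
+// blacklist files or directoies by mounting empty files on top of them
+void fs_blacklist(const char *homedir);
+//void fs_blacklist(char **blacklist, const char *homedir);
+// remount a directory read-only
+void fs_rdonly(const char *dir);
+// mount /proc and /sys directories
+void fs_proc_sys_dev_boot(void);
+// build a basic read-only filesystem
+void fs_basic_fs(void);
+// mount overlayfs on top of / directory
+void fs_overlayfs(void);
+// chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
+void fs_chroot(const char *rootdir);
+int fs_check_chroot_dir(const char *rootdir);
+
+// profile.c
+// find and read the profile specified by name from dir directory
+int profile_find(const char *name, const char *dir);
+// read a profile file
+void profile_read(const char *fname, const char *skip1, const char *skip2);
+// check profile line; if line == 0, this was generated from a command line option
+// return 1 if the command is to be added to the linked list of profile commands
+// return 0 if the command was already executed inside the function
+int profile_check_line(char *ptr, int lineno);
+// add a profile entry in cfg.profile list; use str to populate the list
+void profile_add(char *str);
+
+// list.c
+void list(void);
+void tree(void);
+void top(void);
+void netstats(void);
+
+// usage.c
+void usage(void);
+
+// join.c
+void join(pid_t pid, const char *homedir, int argc, char **argv, int index);
+void join_name(const char *name, const char *homedir, int argc, char **argv, int index);
+void shut(pid_t pid);
+void shut_name(const char *name);
+
+// restricted_shell.c
+extern char *restricted_user;
+int restricted_shell(const char *user);
+
+// arp.c
+// returns 0 if the address is not in use, -1 otherwise
+int arp_check(const char *dev, uint32_t destaddr, uint32_t srcaddr);
+// assign an IP address using arp scanning
+uint32_t arp_assign(const char *dev, Bridge *br);
+// scan interface (--scan option)
+void arp_scan(const char *dev, uint32_t srcaddr, uint32_t srcmask);
+
+// veth.c
+int net_create_veth(const char *dev, const char *nsdev, unsigned pid);
+int net_create_macvlan(const char *dev, const char *parent, unsigned pid);
+
+// util.c
+void drop_privs(int nogroups);
+void extract_command_name(const char *str);
+void logsignal(int s);
+void logmsg(const char *msg);
+void logargs(int argc, char **argv) ;
+void logerr(const char *msg);
+int copy_file(const char *srcname, const char *destname);
+char *get_link(const char *fname);
+int is_dir(const char *fname);
+int is_link(const char *fname);
+char *line_remove_spaces(const char *buf);
+char *split_comma(char *str);
+int not_unsigned(const char *str);
+int find_child(pid_t parent, pid_t *child);
+void check_private_dir(void);
+void update_map(char *mapping, char *map_file);
+void wait_for_other(int fd);
+void notify_other(int fd);
+
+// fs_var.c
+void fs_var_log(void); // mounting /var/log
+void fs_var_lib(void); // various other fixes for software in /var directory
+void fs_var_cache(void); // various other fixes for software in /var/cache directory
+void fs_var_run(void);
+void fs_var_lock(void);
+void fs_var_tmp(void);
+void fs_var_utmp(void);
+void dbg_test_dir(const char *dir);
+
+// fs_dev.c
+void fs_dev_shm(void);
+void fs_private_dev(void);
+
+// fs_home.c
+// private mode (--private)
+void fs_private(void);
+// private mode (--private=homedir)
+void fs_private_homedir(void);
+// private mode (--private.keep=list)
+void fs_private_home_list(void);
+// check directory linst specified by user (--private.keep option) - exit if it fails
+void fs_check_home_list(void);
+// check new private home directory (--private= option) - exit if it fails
+void fs_check_private_dir(void);
+
+
+// seccomp.c
+int seccomp_filter_drop(void);
+int seccomp_filter_keep(void);
+void seccomp_set(void);
+void seccomp_print_filter_name(const char *name);
+void seccomp_print_filter(pid_t pid);
+
+// caps.c
+int caps_default_filter(void);
+void caps_print(void);
+void caps_drop_all(void);
+void caps_set(uint64_t caps);
+int caps_check_list(const char *clist, void (*callback)(int));
+void caps_drop_list(const char *clist);
+void caps_keep_list(const char *clist);
+void caps_print_filter(pid_t pid);
+void caps_print_filter_name(const char *name);
+
+// syscall.c
+const char *syscall_find_nr(int nr);
+// return -1 if error, 0 if no error
+int syscall_check_list(const char *slist, void (*callback)(int));
+// print all available syscalls
+void syscall_print(void);
+
+// fs_trace.c
+void fs_trace_preload(void);
+void fs_trace(void);
+
+// fs_hostname.c
+void fs_hostname(const char *hostname);
+void fs_resolvconf(void);
+
+// rlimit.c
+void set_rlimits(void);
+
+// cpu.c
+void read_cpu_list(const char *str);
+void set_cpu_affinity(void);
+void load_cpu(const char *fname);
+void save_cpu(void);
+
+// cgroup.c
+void save_cgroup(void);
+void load_cgroup(const char *fname);
+void set_cgroup(const char *path);
+
+// output.c
+void check_output(int argc, char **argv);
+
+// netfilter.c
+void check_netfilter_file(const char *fname);
+void netfilter(const char *fname);
+
+// bandwidth.c
+void shm_create_firejail_dir(void);
+void bandwidth_shm_del_file(pid_t pid);
+void bandwidth_shm_set(pid_t pid, const char *dev, int down, int up);
+void bandwidth_name(const char *name, const char *command, const char *dev, int down, int up);
+void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up);
+void network_shm_del_file(pid_t pid);
+void network_shm_set_file(pid_t pid);
+
+
+#endif
\ No newline at end of file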
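Review bot: FIREJAIL_DIR, RO_DIR, RO_FILE, MNT_DIR, OVERLAY_DIR and HOME_DIR (new-file lines 25–30) anchor every privileged mount point of the sandbox under the world-writable /tmp, so any local user can create or replace that path before the sandbox, which presumably runs with root privileges, uses it. The code that creates and mounts these directories (fs_build_firejail_dir, fs_build_mnt_dir in fs.c) is outside this hunk, so I cannot see whether it verifies the existing directory; at minimum it should lstat() the path and refuse anything that is a symlink, not owned by root, or writable by others, and a root-only location such as a subdirectory of /run would remove the race entirely. The trust assumption should be stated on the defines, e.g. `// NOTE: lives in world-writable /tmp; fs_build_firejail_dir() must verify owner/mode before mounting here`. Separately, `#define USELOCK` on line 24 has no comment saying what it enables, and `net_configure_bridge(Bridge *br, char *dev_name)` on line 162 takes a non-const name unlike the rest of the network API.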