Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/checkcfg.c | 118 | ||||
-rw-r--r-- | src/firejail/firejail.h | 35 | ||||
-rw-r--r-- | src/firejail/main.c | 27 | ||||
-rw-r--r-- | src/firejail/usage.c | 2 | ||||
-rw-r--r-- | src/fseccomp/syscall.c | 5 | ||||
-rw-r--r-- | src/man/firejail.txt | 19 |
6 files changed, 114 insertions, 92 deletions
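--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -25,11 +25,6 @@
 
 static int initialized = 0;
 static int cfg_val[CFG_MAX];
-char *xephyr_screen = "800x600";
-char *xephyr_extra_params = "";
-char *xpra_extra_params = "";
-char *xvfb_screen = "800x600x24";
-char *xvfb_extra_params = "";
 char *netfilter_default = NULL;
 
 int checkcfg(int val) {
@@ -45,11 +40,9 @@ int checkcfg(int val) {
 cfg_val[i] = 1; // most of them are enabled by default
 cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default
 cfg_val[CFG_FORCE_NONEWPRIVS] = 0;
-cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0;
 cfg_val[CFG_FIREJAIL_PROMPT] = 0;
 cfg_val[CFG_DISABLE_MNT] = 0;
 cfg_val[CFG_ARP_PROBES] = DEFAULT_ARP_PROBES;
-cfg_val[CFG_XPRA_ATTACH] = 0;
 
 // open configuration file
 const char *fname = SYSCONFDIR "/firejail.config";
@@ -75,25 +68,6 @@ int checkcfg(int val) {
 ptr = line_remove_spaces(buf);
 if (!ptr)
 continue;
-
-// dbus
-else if (strncmp(ptr, "dbus ", 5) == 0) {
-if (strcmp(ptr + 5, "yes") == 0)
-cfg_val[CFG_DBUS] = 1;
-else if (strcmp(ptr + 5, "no") == 0)
-cfg_val[CFG_DBUS] = 0;
-else
-goto errout;
-}
-// join
-else if (strncmp(ptr, "join ", 5) == 0) {
-if (strcmp(ptr + 5, "yes") == 0)
-cfg_val[CFG_JOIN] = 1;
-else if (strcmp(ptr + 5, "no") == 0)
-cfg_val[CFG_JOIN] = 0;
-else
-goto errout;
-}
 // apparmor
 else if (strncmp(ptr, "apparmor ", 9) == 0) {
 if (strcmp(ptr + 9, "yes") == 0)
@@ -103,6 +77,13 @@ int checkcfg(int val) {
 else
 goto errout;
 }
+// arp probes
+else if (strncmp(ptr, "arp-probes ", 11) == 0) {
+int arp_probes = atoi(ptr + 11);
+if (arp_probes <= 1 || arp_probes > 30)
+goto errout;
+cfg_val[CFG_ARP_PROBES] = arp_probes;
+}
 // bind
 else if (strncmp(ptr, "bind ", 5) == 0) {
 if (strcmp(ptr + 5, "yes") == 0)
@@ -112,12 +93,20 @@ int checkcfg(int val) {
 else
 goto errout;
 }
-// user namespace
-else if (strncmp(ptr, "userns ", 7) == 0) {
-if (strcmp(ptr + 7, "yes") == 0)
-cfg_val[CFG_USERNS] = 1;
-else if (strcmp(ptr + 7, "no") == 0)
-cfg_val[CFG_USERNS] = 0;
+// dbus
+else if (strncmp(ptr, "dbus ", 5) == 0) {
+if (strcmp(ptr + 5, "yes") == 0)
+cfg_val[CFG_DBUS] = 1;
+else if (strcmp(ptr + 5, "no") == 0)
+cfg_val[CFG_DBUS] = 0;
+else
+goto errout;
+}
+else if (strncmp(ptr, "disable-mnt ", 12) == 0) {
+if (strcmp(ptr + 12, "yes") == 0)
+cfg_val[CFG_DISABLE_MNT] = 1;
+else if (strcmp(ptr + 12, "no") == 0)
+cfg_val[CFG_DISABLE_MNT] = 0;
 else
 goto errout;
 }
@@ -148,21 +137,12 @@ int checkcfg(int val) {
 else
 goto errout;
 }
-// seccomp
-else if (strncmp(ptr, "seccomp ", 8) == 0) {
-if (strcmp(ptr + 8, "yes") == 0)
-cfg_val[CFG_SECCOMP] = 1;
-else if (strcmp(ptr + 8, "no") == 0)
-cfg_val[CFG_SECCOMP] = 0;
-else
-goto errout;
-}
-// whitelist
-else if (strncmp(ptr, "whitelist ", 10) == 0) {
-if (strcmp(ptr + 10, "yes") == 0)
-cfg_val[CFG_WHITELIST] = 1;
-else if (strcmp(ptr + 10, "no") == 0)
-cfg_val[CFG_WHITELIST] = 0;
+// join
+else if (strncmp(ptr, "join ", 5) == 0) {
+if (strcmp(ptr + 5, "yes") == 0)
+cfg_val[CFG_JOIN] = 1;
+else if (strcmp(ptr + 5, "no") == 0)
+cfg_val[CFG_JOIN] = 0;
 else
 goto errout;
 }
@@ -175,6 +155,15 @@ int checkcfg(int val) {
 else
 goto errout;
 }
+// quiet by default
+else if (strncmp(ptr, "quiet-by-default ", 17) == 0) {
+if (strcmp(ptr + 17, "yes") == 0)
+arg_quiet = 1;
+else if (strcmp(ptr + 17, "no") == 0)
+arg_quiet = 0;
+else
+goto errout;
+}
 // network
 else if (strncmp(ptr, "restricted-network ", 19) == 0) {
 if (strcmp(ptr + 19, "yes") == 0)
@@ -208,29 +197,32 @@ int checkcfg(int val) {
 if (arg_debug)
 printf("netfilter default file %s\n", fname);
 }
-// quiet by default
-else if (strncmp(ptr, "quiet-by-default ", 17) == 0) {
-if (strcmp(ptr + 17, "yes") == 0)
-arg_quiet = 1;
-else if (strcmp(ptr + 17, "no") == 0)
-arg_quiet = 0;
+// seccomp
+else if (strncmp(ptr, "seccomp ", 8) == 0) {
+if (strcmp(ptr + 8, "yes") == 0)
+cfg_val[CFG_SECCOMP] = 1;
+else if (strcmp(ptr + 8, "no") == 0)
+cfg_val[CFG_SECCOMP] = 0;
 else
 goto errout;
 }
-else if (strncmp(ptr, "disable-mnt ", 12) == 0) {
-if (strcmp(ptr + 12, "yes") == 0)
-cfg_val[CFG_DISABLE_MNT] = 1;
-else if (strcmp(ptr + 12, "no") == 0)
-cfg_val[CFG_DISABLE_MNT] = 0;
+// user namespace
+else if (strncmp(ptr, "userns ", 7) == 0) {
+if (strcmp(ptr + 7, "yes") == 0)
+cfg_val[CFG_USERNS] = 1;
+else if (strcmp(ptr + 7, "no") == 0)
+cfg_val[CFG_USERNS] = 0;
 else
 goto errout;
 }
-// arp probes
-else if (strncmp(ptr, "arp-probes ", 11) == 0) {
-int arp_probes = atoi(ptr + 11);
-if (arp_probes <= 1 || arp_probes > 30)
+// whitelist
+else if (strncmp(ptr, "whitelist ", 10) == 0) {
+if (strcmp(ptr + 10, "yes") == 0)
+cfg_val[CFG_WHITELIST] = 1;
+else if (strcmp(ptr + 10, "no") == 0)
+cfg_val[CFG_WHITELIST] = 0;
+else
 goto errout;
-cfg_val[CFG_ARP_PROBES] = arp_probes;
 }
 else
 goto errout;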
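--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -650,40 +650,25 @@ void restrict_users(void);
 // checkcfg.c
 #define DEFAULT_ARP_PROBES 2
 enum {
-CFG_FILE_TRANSFER = 0,
-CFG_X11,
+CFG_APPARMOR = 0,
+CFG_ARP_PROBES,
 CFG_BIND,
-CFG_USERNS,
-CFG_CHROOT,
-CFG_SECCOMP,
-CFG_NETWORK,
-CFG_RESTRICTED_NETWORK,
-CFG_FORCE_NONEWPRIVS,
-CFG_WHITELIST,
-CFG_XEPHYR_WINDOW_TITLE,
-CFG_OVERLAYFS,
-CFG_PRIVATE_HOME,
-CFG_PRIVATE_BIN_NO_LOCAL,
+CFG_DBUS,
+CFG_DISABLE_MNT,
 CFG_FIREJAIL_PROMPT,
 CFG_FOLLOW_SYMLINK_AS_USER,
-CFG_DISABLE_MNT,
+CFG_FORCE_NONEWPRIVS,
 CFG_JOIN,
-CFG_ARP_PROBES,
-CFG_XPRA_ATTACH,
-CFG_PRIVATE_LIB,
-CFG_APPARMOR,
-CFG_DBUS,
+CFG_NETWORK,
+CFG_RESTRICTED_NETWORK,
+CFG_SECCOMP,
+CFG_USERNS,
+CFG_WHITELIST,
 CFG_MAX // this should always be the last entry
 };
-extern char *xephyr_screen;
-extern char *xephyr_extra_params;
-extern char *xpra_extra_params;
-extern char *xvfb_screen;
-extern char *xvfb_extra_params;
 extern char *netfilter_default;
 int checkcfg(int val);
 void print_compiletime_support(void);
-void x11_xorg(void);
 
 // appimage.c
 void appimage_set(const char *appimage_path);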
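Review bot: Removing CFG_FILE_TRANSFER, CFG_X11, CFG_CHROOT, CFG_OVERLAYFS, CFG_PRIVATE_HOME, CFG_PRIVATE_BIN_NO_LOCAL, CFG_XPRA_ATTACH and CFG_PRIVATE_LIB from the enum at new lines 652–668 takes away the firejail.config switches an administrator uses to disable those features on a setuid-root binary; chroot and overlayfs in particular are knobs a hardened site turns off, so unless equivalent switches are recreated elsewhere in this commit (not visible here) this is a security-relevant behaviour change that should at least be called out in the commit message and the shipped firejail.config. The reorder also renumbers every surviving constant, which is harmless only as long as nothing outside this build depends on the values; a short comment above `enum {` would make both facts explicit, e.g. `// firejail.config keys, alphabetical; values index cfg_val[] in checkcfg.c and must stay in sync with the key parser there`.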
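--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1011,6 +1011,33 @@ int main(int argc, char **argv) {
 }
 else if (strcmp(argv[i], "--disable-mnt") == 0)
 arg_disable_mnt = 1;
+else if (strcmp(argv[i], "--tunnel") == 0) {
+// try to connect to the default client side of the tunnel
+// if this fails, try the default server side of the tunnel
+if (access("/run/firetunnel/ftc", R_OK) == 0)
+profile_read("/run/firetunnel/ftc");
+else if (access("/run/firetunnel/fts", R_OK) == 0)
+profile_read("/run/firetunnel/fts");
+else {
+fprintf(stderr, "Error: no default firetunnel found, please specify it using --tunnel=devname option\n");
+exit(1);
+}
+}
+else if (strncmp(argv[i], "--tunnel=", 9) == 0) {
+char *fname;
+if (asprintf(&fname, "/run/firetunnel/%s", argv[i] + 9) == -1)
+errExit("asprintf");
+invalid_filename(fname, 0); // no globbing
+if (access(fname, R_OK) == 0)
+profile_read(fname);
+else {
+fprintf(stderr, "Error: tunnel not found\n");
+exit(1);
+}
+}
+
+
+
 else if (strncmp(argv[i], "--profile=", 10) == 0) {
 // multiple profile files are allowed!
 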
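Review bot: The `--tunnel=` branch at new lines 1026–1037 builds the path before validating the device name, so an empty name yields `/run/firetunnel/` itself, which passes `access(R_OK)` and is handed to `profile_read`, and a name containing `/` or equal to `..` only stays inside the directory if `invalid_filename` rejects it (its checks are not visible here). Add an explicit guard before the `asprintf`: `if (*(argv[i] + 9) == '\0' || strchr(argv[i] + 9, '/') != NULL || strcmp(argv[i] + 9, "..") == 0) { fprintf(stderr, "Error: invalid tunnel device name\n"); exit(1); }`. Separately, the man page added in this same commit tells users the device files live in `/etc/firetunnel` while this code reads `/run/firetunnel`, so one of the two is wrong, and the three empty lines at 1038–1040 should be dropped. main() continues outside the hunk.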
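--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -171,6 +171,8 @@ static char *usage_str =
 " --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n"
 " --top - monitor the most CPU-intensive sandboxes.\n"
 " --tree - print a tree of all sandboxed processes.\n"
+" --tunnel[=devname] - connect the sandbox to a tunnel created by\n"
+"\tfiretunnel utility.\n"
 " --version - print program version and exit.\n"
 #ifdef HAVE_NETWORK
 " --veth-name=name - use this name for the interface connected to the bridge.\n"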
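--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -495,10 +495,7 @@ int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall,
 }
 else {
 syscall_process_name(ptr, &syscall_nr, &error_nr);
-if (syscall_nr == -1) {
-if (!arg_quiet)
-fprintf(stderr, "Warning fseccomp: syscall \"%s\" not available on this platform\n", ptr);
-}
+if (syscall_nr == -1) {;}
 else if (callback != NULL) {
 if (error_nr != -1 && fd != 0) {
 filter_add_errno(fd, syscall_nr, error_nr, ptrarg);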
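Review bot: Replacing the warning at old lines 498–501 with `if (syscall_nr == -1) {;}` makes an unknown syscall name in a seccomp list vanish silently, so a misspelled entry in a drop list produces a filter weaker than the profile author intended with no diagnostic at all; sandbox policy should fail loudly, or at least say something, when part of it is ignored. If the intent was only to quiet platform-dependent noise, keep the message behind the existing flag rather than deleting it: `if (!arg_quiet) fprintf(stderr, "Warning fseccomp: syscall \"%s\" not available on this platform\n", ptr);`. The empty-body `{;}` also reads as an accident; if the branch really should do nothing, fold it into the condition as `else if (syscall_nr != -1 && callback != NULL)`. syscall_check_list() continues outside the hunk.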
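--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1788,6 +1788,25 @@ $ firejail \-\-tree
 11970:netblue:transmission-gtk
 
 .TP
+\fB\-\-tunnel[=devname]
+Connect the sandbox to a network overlay/VPN tunnel created by firetunnel utility. This options
+tries first the client side of the tunnel. If this fails, it tries the server side. If multiple tunnels are active,
+please specify the tunnel device using \-\-tunnel=devname.
+.br
+.br
+The available tunnel devices are listed in /etc/firetunnel directory, one file for each device.
+The files are regular firejail profile files containing the network configuration,
+and are created and managed by firetunnel utility.
+By default ftc is the client-side device and fts is the server-side device. For more information
+please see man 1 firetunnel.
+.br
+.br
+Example:
+.br
+$ firejail --tunnel firefox
+.br
+
+.TP
 \fB\-\-version
 Print program version and exit.
 .br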