Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/fs.c | 5 | ||||
-rw-r--r-- | src/firejail/fs_etc.c | 51 | ||||
-rw-r--r-- | src/firejail/main.c | 4 | ||||
-rw-r--r-- | src/firejail/profile.c | 4 | ||||
-rw-r--r-- | src/firejail/usage.c | 3 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 4 | ||||
-rw-r--r-- | src/man/firejail.txt | 10 |
8 files changed, 82 insertions, 1 deletions
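--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -78,6 +78,7 @@
 #define RUN_HOSTNAME_FILE "/run/firejail/mnt/hostname"
 #define RUN_HOSTS_FILE "/run/firejail/mnt/hosts"
 #define RUN_RESOLVCONF_FILE "/run/firejail/mnt/resolv.conf"
+#define RUN_MACHINEID "/run/firejail/mnt/machine-id"
 #define RUN_LDPRELOAD_FILE "/run/firejail/mnt/ld.so.preload"
 #define RUN_UTMP_FILE "/run/firejail/mnt/utmp"
 #define RUN_PASSWD_FILE "/run/firejail/mnt/passwd"
@@ -342,6 +343,7 @@ extern int arg_allow_debuggers; // allow debuggers
 extern int arg_x11_block; // block X11
 extern int arg_x11_xorg; // use X11 security extention
 extern int arg_allusers; // all user home directories visible
+extern int arg_machineid; // preserve /etc/machine-id
 
 extern int login_shell;
 extern int parent_to_child_fds[2];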
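--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -597,7 +597,8 @@ void fs_basic_fs(void) {
 fs_var_lib();
 fs_var_cache();
 fs_var_utmp();
-
+fs_machineid();
+
 // don't leak user information
 restrict_users();
 
@@ -880,6 +881,7 @@ void fs_overlayfs(void) {
 fs_var_lib();
 fs_var_cache();
 fs_var_utmp();
+fs_machineid();
 
 // don't leak user information
 restrict_users();
@@ -1061,6 +1063,7 @@ void fs_chroot(const char *rootdir) {
 fs_var_lib();
 fs_var_cache();
 fs_var_utmp();
+fs_machineid();
 
 // don't leak user information
 restrict_users();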
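Review bot: In the fs_chroot() hunk the new `fs_machineid();` call operates on a root directory chosen by the caller (`rootdir`), and fs_machineid() decides whether to bind-mount by calling `stat("/etc/machine-id", &s)`, which follows symbolic links. Because the mount is presumably performed with root privileges, it would be safer for that check to use `lstat()` and require `S_ISREG(s.st_mode)` before mounting, so that a link placed in the chroot or overlay tree cannot redirect the mount target. The same consideration applies to the fs_overlayfs() hunk. The bodies of fs_chroot(), fs_overlayfs() and fs_basic_fs() extend beyond these hunks, so whether an equivalent check already happens earlier cannot be seen here.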
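--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -23,6 +23,57 @@
 #include <sys/types.h>
 #include <unistd.h>
 
+// spoof /etc/machine_id
+void fs_machineid(void) {
+union machineid_t {
+uint8_t u8[16];
+uint32_t u32[4];
+} mid;
+
+// if --machine-id flag is active, do nothing
+if (arg_machineid)
+return;
+
+// init random number generator
+srand(time(NULL));
+
+// generate random id
+mid.u32[0] = rand();
+mid.u32[1] = rand();
+mid.u32[2] = rand();
+mid.u32[3] = rand();
+
+// UUID version 4 and DCE variant
+mid.u8[6] = (mid.u8[6] & 0x0F) | 0x40;
+mid.u8[8] = (mid.u8[8] & 0x3F) | 0x80;
+
+// write it in a file
+FILE *fp = fopen(RUN_MACHINEID, "w");
+if (!fp)
+errExit("fopen");
+fprintf(fp, "%08x%08x%08x%08x\n", mid.u32[0], mid.u32[1], mid.u32[2], mid.u32[3]);
+fclose(fp);
+if (set_perms(RUN_MACHINEID, 0, 0, 0444))
+errExit("set_perms");
+
+
+struct stat s;
+// mount-bind
+if (stat("/etc/machine-id", &s) == 0) {
+if (arg_debug)
+printf("installing a new /etc/machine-id\n");
+
+if (mount(RUN_MACHINEID, "/etc/machine-id", "none", MS_BIND, "mode=444,gid=0"))
+errExit("mount");
+}
+//#if 0 // todo: investigate
+if (stat("/var/lib/dbus/machine-id", &s) == 0) {
+if (mount(RUN_MACHINEID, "/etc/machine-id", "none", MS_BIND, "mode=444,gid=0"))
+errExit("mount");
+}
+//#endif
+}
+
 // return 0 if file not found, 1 if found
 static int check_dir_or_file(const char *fname) {
 assert(fname);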
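Review bot: The second bind mount in fs_machineid() tests `/var/lib/dbus/machine-id` but then mounts onto `/etc/machine-id` again, so the D-Bus copy of the host id would stay readable inside the sandbox; the mount target should be `"/var/lib/dbus/machine-id"`. The id itself is produced by `srand(time(NULL))` and `rand()`, which makes it derivable from the sandbox start time, identical for sandboxes started within the same second, and leaves the top bit of each word clear wherever RAND_MAX is 2^31-1. The version and variant bits are set on `u8[6]` and `u8[8]`, but the value is printed as four host-order `%08x` words, so on a little-endian host those nibbles do not land at the UUID v4 positions in the written string. The fence below fills the 16 bytes from /dev/urandom, prints them byte by byte and corrects the second mount target; the header comment should also read `// spoof /etc/machine-id`.

```c
	// … unchanged: union machineid_t declaration and arg_machineid check …

	// fill the id from the kernel CSPRNG instead of srand(time(NULL))/rand()
	FILE *rfp = fopen("/dev/urandom", "r");
	if (!rfp)
		errExit("fopen");
	if (fread(mid.u8, 1, sizeof(mid.u8), rfp) != sizeof(mid.u8))
		errExit("fread");
	fclose(rfp);

	// … unchanged: UUID version 4 and DCE variant bits on u8[6] and u8[8] …

	// write byte by byte so the version/variant nibbles keep their UUID positions
	FILE *fp = fopen(RUN_MACHINEID, "w");
	if (!fp)
		errExit("fopen");
	for (size_t i = 0; i < sizeof(mid.u8); i++)
		fprintf(fp, "%02x", mid.u8[i]);
	fprintf(fp, "\n");
	fclose(fp);

	// … unchanged: set_perms and the /etc/machine-id bind mount …

	if (stat("/var/lib/dbus/machine-id", &s) == 0) {
		if (mount(RUN_MACHINEID, "/var/lib/dbus/machine-id", "none", MS_BIND, "mode=444,gid=0"))
			errExit("mount");
	}
```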
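--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -111,6 +111,7 @@ int arg_allow_debuggers = 0; // allow debuggers
 int arg_x11_block = 0; // block X11
 int arg_x11_xorg = 0; // use X11 security extention
 int arg_allusers = 0; // all user home directories visible
+int arg_machineid = 0; // preserve /etc/machine-id
 
 int login_shell = 0;
 
@@ -1520,6 +1521,9 @@ int main(int argc, char **argv) {
 else if (strcmp(argv[i], "--writable-var") == 0) {
 arg_writable_var = 1;
 }
+else if (strcmp(argv[i], "--machine-id") == 0) {
+arg_machineid = 1;
+}
 else if (strcmp(argv[i], "--private") == 0) {
 arg_private = 1;
 }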
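--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -650,6 +650,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 
+if (strcmp(ptr, "machine-id") == 0) {
+arg_machineid = 1;
+return 0;
+}
 // writable-var
 if (strcmp(ptr, "writable-var") == 0) {
 arg_writable_var = 1;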
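--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -94,6 +94,9 @@ void usage(void) {
 printf(" --ls=name|pid dir_or_filename - list files in sandbox container.\n");
 #ifdef HAVE_NETWORK
 printf(" --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n");
+#endif
+printf(" --machine-id - preserve /etc/machine-id\n");
+#ifdef HAVE_NETWORK
 printf(" --mtu=number - set interface MTU.\n");
 #endif
 printf(" --name=name - set sandbox name.\n");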
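--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -447,6 +447,10 @@ iprange 192.168.1.150,192.168.1.160
 Assign MAC addresses to the last network interface defined by a net command.
 
 .TP
+\fBmachine-id
+Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox.
+
+.TP
 \fBmtu number
 Assign a MTU value to the last network interface defined by a net command.
 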
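--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -666,6 +666,16 @@ Example:
 $ firejail \-\-net=eth0 \-\-mac=00:11:22:33:44:55 firefox
 
 .TP
+\fB\-\-machine-id
+Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-machine-id
+
+.TP
 \fB\-\-mtu=number
 Assign a MTU value to the last network interface defined by a \-\-net option.
 .br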