Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/caps.c | 2 | ||||
-rw-r--r-- | src/firejail/fs.c | 8 | ||||
-rw-r--r-- | src/firejail/main.c | 48 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 5 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 16 |
5 files changed, 45 insertions, 34 deletions
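--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -377,7 +377,7 @@ static uint64_t extract_caps(int pid) {
 
 char buf[MAXBUF];
 while (fgets(buf, MAXBUF, fp)) {
-if (strncmp(buf, "CapBnd:", 7) == 0) {
+if (strncmp(buf, "CapBnd:\t", 8) == 0) {
 char *ptr = buf + 8;
 unsigned long long val;
 sscanf(ptr, "%llx", &val);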
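Review bot: The `sscanf(ptr, "%llx", &val)` call that follows the tightened `CapBnd:\t` match in extract_caps() is still unchecked, so a line that matches the prefix but carries no hex digits leaves `val` uninitialized. Check the conversion with `if (sscanf(ptr, "%llx", &val) != 1)` and treat a failure as an error instead of carrying on with whatever `val` holds. The rest of the function is outside this hunk, so how `val` is consumed (presumably as the capability bounding set, going by the field name) is inferred.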
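--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -246,7 +246,7 @@ void fs_blacklist(const char *homedir) {
 char *ptr;
 
 // process blacklist command
-if (strncmp(entry->data, "bind", 4) == 0) {
+if (strncmp(entry->data, "bind ", 5) == 0) {
 char *dname1 = entry->data + 5;
 char *dname2 = split_comma(dname1);
 if (dname2 == NULL) {
@@ -284,15 +284,15 @@ void fs_blacklist(const char *homedir) {
 }
 
 // process blacklist command
-if (strncmp(entry->data, "blacklist", 9) == 0) {
+if (strncmp(entry->data, "blacklist ", 10) == 0) {
 ptr = entry->data + 10;
 op = BLACKLIST_FILE;
 }
-else if (strncmp(entry->data, "read-only", 9) == 0) {
+else if (strncmp(entry->data, "read-only ", 10) == 0) {
 ptr = entry->data + 10;
 op = MOUNT_READONLY;
 }
-else if (strncmp(entry->data, "tmpfs", 5) == 0) {
+else if (strncmp(entry->data, "tmpfs ", 6) == 0) {
 ptr = entry->data + 6;
 op = MOUNT_TMPFS;
 }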
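Review bot: Each keyword test in fs_blacklist() spells the prefix length by hand twice, once in `strncmp(entry->data, "blacklist ", 10)` and again in `ptr = entry->data + 10`, so the compare and the offset can drift apart and let the pointer step past the end of a short entry. Deriving both from one expression, for example `sizeof("blacklist ") - 1`, keeps them in step; the same applies to `bind `, `read-only ` and `tmpfs `. An entry that is only the keyword plus the space still leaves `ptr` (or `dname1`) pointing at an empty string, and whether that is rejected is decided outside these hunks. The first comment, `// process blacklist command`, sits above the `bind ` branch and would read better as `// process bind command`.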
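--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -695,7 +695,6 @@ int main(int argc, char **argv) {
 }
 
 // extract private home dirname
-printf("here %s:%d\n", __FILE__, __LINE__);
 cfg.home_private = argv[i] + 10;
 fs_check_private_dir();
 arg_private = 1;
@@ -1058,26 +1057,35 @@ printf("here %s:%d\n", __FILE__, __LINE__);
 
 // use generic.profile as the default
 if (!custom_profile && !arg_noprofile) {
-char *profile_name = DEFAULT_USER_PROFILE;
-if (getuid() == 0)
-profile_name = DEFAULT_ROOT_PROFILE;
-if (arg_debug)
-printf("Attempting to find %s.profile...", profile_name);
-
-// look for the profile in ~/.config/firejail directory
-char *usercfgdir;
-if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)
-errExit("asprintf");
-custom_profile = profile_find(profile_name, usercfgdir);
-free(usercfgdir);
-
-if (!custom_profile) {
-// look for the profile in /etc/firejail directory
-custom_profile = profile_find(profile_name, "/etc/firejail");
+if (cfg.chrootdir)
+fprintf(stderr, "Warning: default profile disabled by --chroot option\n");
+else if (arg_overlay)
+fprintf(stderr, "Warning: default profile disabled by --overlay option\n");
+else if (cfg.home_private_keep)
+fprintf(stderr, "Warning: default profile disabled by --private-home option\n");
+else {
+// try to load a default profile
+char *profile_name = DEFAULT_USER_PROFILE;
+if (getuid() == 0)
+profile_name = DEFAULT_ROOT_PROFILE;
+if (arg_debug)
+printf("Attempting to find %s.profile...\n", profile_name);
+
+// look for the profile in ~/.config/firejail directory
+char *usercfgdir;
+if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)
+errExit("asprintf");
+custom_profile = profile_find(profile_name, usercfgdir);
+free(usercfgdir);
+
+if (!custom_profile) {
+// look for the profile in /etc/firejail directory
+custom_profile = profile_find(profile_name, "/etc/firejail");
+}
+
+if (custom_profile)
+printf("\n** Note: %s profile can be disabled by --noprofile option **\n\n", profile_name);
 }
-
-if (custom_profile)
-printf("Note: %s profile can be disabled by --noprofile option.\n", profile_name);
 }
 
 // check and assign an IP address - for macvlan it will be done again in the sandbox!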
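Review bot: The three new warning branches in main() leave `custom_profile` unset, so a sandbox started with --chroot, --overlay or --private-home runs without the default profile's restrictions, and the only signal is one line on stderr. Nothing in the hunk records why these modes skip the default profile; a short comment above `if (cfg.chrootdir)` stating the reason would keep a later change from quietly re-enabling or extending the list. The message could also tell the user how to get confinement back, e.g. `"Warning: default profile disabled by --chroot option, use --profile to apply one\n"`. That wording assumes an explicit profile still applies in these modes, which the `!custom_profile` guard suggests. main() begins and ends outside both hunks.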
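--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -179,6 +179,7 @@ int sandbox(void* sandbox_arg) {
 //****************************
 // configure filesystem
 //****************************
+
 #ifdef HAVE_CHROOT
 if (cfg.chrootdir) {
 fs_chroot(cfg.chrootdir);
@@ -267,6 +268,8 @@ int sandbox(void* sandbox_arg) {
 //****************************
 if (arg_nonetwork) {
 net_if_up("lo");
+if (arg_debug)
+printf("Network namespace enabled, only loopback interface available\n");
 }
 else if (any_bridge_configured()) {
 // configure lo and eth0...eth3
@@ -397,7 +400,7 @@ int sandbox(void* sandbox_arg) {
 if (arg_noroot) {
 int rv = unshare(CLONE_NEWUSER);
 if (rv == -1) {
-fprintf(stderr, "Warning: cannot mount a new user namespace\n");
+fprintf(stderr, "Error: cannot mount a new user namespace\n");
 perror("unshare");
 drop_privs(arg_nogroups);
 }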
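Review bot: The message in the `arg_noroot` branch of sandbox() now says `Error:`, but the visible lines after a failed `unshare(CLONE_NEWUSER)` still only call `perror("unshare")` and `drop_privs(arg_nogroups)` and then leave the `if`. The sandbox therefore appears to keep going without the user namespace that was requested. If --noroot is meant as a guarantee, fail closed here, for example `errExit("unshare");` (the helper main.c uses) in place of the `perror()` line. If continuing is intended, keep `Warning:` and say in the text that the sandbox proceeds without the namespace. The wording would also be more accurate as `cannot create a new user namespace`, since nothing is mounted. What runs after the closing brace is outside the hunk.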
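--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -179,8 +179,8 @@ static void filter_init(void) {
 return;
 }
 
-if (arg_debug)
-printf("Initialize seccomp filter\n");
+// if (arg_debug)
+// printf("Initialize seccomp filter\n");
 // allocate a filter of SECSIZE
 sfilter = malloc(sizeof(struct sock_filter) * SECSIZE);
 if (!sfilter)
@@ -220,8 +220,8 @@ static void filter_add_whitelist(int syscall) {
 assert(sfilter);
 assert(sfilter_alloc_size);
 assert(sfilter_index);
-if (arg_debug)
-printf("Whitelisting syscall %d %s\n", syscall, syscall_find_nr(syscall));
+// if (arg_debug)
+// printf("Whitelisting syscall %d %s\n", syscall, syscall_find_nr(syscall));
 
 if ((sfilter_index + 2) > sfilter_alloc_size)
 filter_realloc();
@@ -246,8 +246,8 @@ static void filter_add_blacklist(int syscall) {
 assert(sfilter);
 assert(sfilter_alloc_size);
 assert(sfilter_index);
-if (arg_debug)
-printf("Blacklisting syscall %d %s\n", syscall, syscall_find_nr(syscall));
+// if (arg_debug)
+// printf("Blacklisting syscall %d %s\n", syscall, syscall_find_nr(syscall));
 
 if ((sfilter_index + 2) > sfilter_alloc_size)
 filter_realloc();
@@ -272,8 +272,8 @@ static void filter_end_blacklist(void) {
 assert(sfilter);
 assert(sfilter_alloc_size);
 assert(sfilter_index);
-if (arg_debug)
-printf("Ending syscall filter\n");
+// if (arg_debug)
+// printf("Ending syscall filter\n");
 
 if ((sfilter_index + 2) > sfilter_alloc_size)
 filter_realloc();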
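Review bot: The `arg_debug` prints in filter_init(), filter_add_whitelist(), filter_add_blacklist() and filter_end_blacklist() are disabled by commenting them out, which leaves dead code in the seccomp filter builder. It also drops the --debug trace these functions gave of which syscalls were added to the filter. Delete the lines outright if the output is unwanted. If only the volume is the problem, keep the `Whitelisting syscall` and `Blacklisting syscall` lines behind a separate verbosity check, so the filter that gets built can still be audited from the debug output. Each of the four functions continues outside its hunk.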