Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs_hostname.c | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 5 | ||||
-rw-r--r-- | src/firejail/preproc.c | 4 | ||||
-rw-r--r-- | src/firejail/profile.c | 4 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 18 | ||||
-rw-r--r-- | src/fnettrace/Makefile | 3 | ||||
-rw-r--r-- | src/fnettrace/static-ip-map.txt | 1 | ||||
-rw-r--r-- | src/include/rundefs.h | 2 | ||||
-rw-r--r-- | src/man/Makefile | 25 | ||||
-rw-r--r-- | src/man/firecfg.1.in (renamed from src/man/firecfg.txt) | 0 | ||||
-rw-r--r-- | src/man/firejail-login.5.in (renamed from src/man/firejail-login.txt) | 0 | ||||
-rw-r--r-- | src/man/firejail-profile.5.in (renamed from src/man/firejail-profile.txt) | 0 | ||||
-rw-r--r-- | src/man/firejail-users.5.in (renamed from src/man/firejail-users.txt) | 0 | ||||
-rw-r--r-- | src/man/firejail.1.in (renamed from src/man/firejail.txt) | 0 | ||||
-rw-r--r-- | src/man/firemon.1.in (renamed from src/man/firemon.txt) | 0 | ||||
-rw-r--r-- | src/man/jailcheck.1.in (renamed from src/man/jailcheck.txt) | 0 | ||||
-rwxr-xr-x | src/man/mkman.sh | 14 |
18 files changed, 61 insertions, 18 deletions
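--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -357,6 +357,7 @@ extern int arg_deterministic_exit_code; // always exit with first child's exit s
 extern int arg_deterministic_shutdown; // shut down the sandbox if first child dies
 extern int arg_keep_fd_all; // inherit all file descriptors to sandbox
 extern int arg_netlock; // netlocker
+extern int arg_restrict_namespaces;
 
 typedef enum {
 DBUS_POLICY_ALLOW, // Allow unrestricted access to the bus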
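Review bot: The new `extern int arg_restrict_namespaces;` is the only declaration in this run without a trailing comment, and its role is easy to confuse with the existing `cfg.restrict_namespaces`. In the hunks shown it is set only by the bare `restrict-namespaces` option and selects the prebuilt-filter path in sandbox.c. A comment such as `// restrict-namespaces given without a list: load the prebuilt filter` would spare anyone auditing which seccomp filter gets installed the cross-reference.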
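--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -152,7 +152,7 @@ void fs_mount_hosts_file(void) {
 // check /etc/hosts file
 struct stat s;
 if (stat("/etc/hosts", &s) == -1)
-goto errexit;
+return;
 // owned by root
 if (s.st_uid != 0)
 goto errexit;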
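Review bot: The missing-file case now returns without any message, while the ownership check two lines below still takes `goto errexit`, so a sandbox whose `/etc/hosts` is absent silently gets no hosts-file handling. If callers reach this function because a hosts file was requested, the skipped step should stay visible, for example `fprintf(stderr, "Warning: /etc/hosts not found, skipping hosts file\n");` before the `return`. The rest of fs_mount_hosts_file, including the errexit label, is outside the hunk.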
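--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -165,6 +165,7 @@ int arg_tab = 0;
 int login_shell = 0;
 int just_run_the_shell = 0;
 int arg_netlock = 0;
+int arg_restrict_namespaces = 0;
 
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -1508,8 +1509,10 @@ int main(int argc, char **argv, char **envp) {
 exit_err_feature("seccomp");
 }
 else if (strcmp(argv[i], "--restrict-namespaces") == 0) {
-if (checkcfg(CFG_SECCOMP))
+if (checkcfg(CFG_SECCOMP)) {
+arg_restrict_namespaces = 1;
 profile_list_augment(&cfg.restrict_namespaces, "cgroup,ipc,net,mnt,pid,time,user,uts");
+}
 else
 exit_err_feature("seccomp");
 }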
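Review bot: The list literal `"cgroup,ipc,net,mnt,pid,time,user,uts"` is spelled out here and again in profile.c's `restrict-namespaces` branch, and nothing visible ties either copy to the list the build used for the prebuilt `seccomp.namespaces` file. Setting `arg_restrict_namespaces = 1` makes sandbox.c load that prebuilt file instead of generating a filter from `cfg.restrict_namespaces`, so the strings and the file can drift apart unnoticed. One macro beside `PATH_SECCOMP_NAMESPACES` in rundefs.h, with a name such as `RESTRICT_NAMESPACES_ALL`, used at both call sites and ideally by the build rule, would keep them in step. main() continues outside the hunk.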
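--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -96,12 +96,16 @@ void preproc_mount_mnt_dir(void) {
 if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))
 errExit("set_perms");
 if (cfg.restrict_namespaces) {
+copy_file(PATH_SECCOMP_NAMESPACES, RUN_SECCOMP_NS, getuid(), getgid(), 0644); // root needed
+copy_file(PATH_SECCOMP_NAMESPACES_32, RUN_SECCOMP_NS_32, getuid(), getgid(), 0644); // root needed
+#if 0
 create_empty_file_as_root(RUN_SECCOMP_NS, 0644);
 if (set_perms(RUN_SECCOMP_NS, getuid(), getgid(), 0644))
 errExit("set_perms");
 create_empty_file_as_root(RUN_SECCOMP_NS_32, 0644);
 if (set_perms(RUN_SECCOMP_NS_32, getuid(), getgid(), 0644))
 errExit("set_perms");
+#endif
 }
 create_empty_file_as_root(RUN_SECCOMP_POSTEXEC, 0644);
 if (set_perms(RUN_SECCOMP_POSTEXEC, getuid(), getgid(), 0644))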
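Review bot: Both new `copy_file(...)` calls discard any failure indication, whereas the disabled code they replace ended in `errExit("set_perms")` when setup went wrong. If the prebuilt filter is missing from LIBDIR (partial install, packaging slip), RUN_SECCOMP_NS may be absent or empty when sandbox.c later loads it, and the outcome then depends on seccomp_load, which is not shown. Assuming copy_file returns non-zero on failure (confirm against its definition), `if (copy_file(PATH_SECCOMP_NAMESPACES, RUN_SECCOMP_NS, getuid(), getgid(), 0644)) errExit("copy_file");` and the same for the 32-bit file make the option fail closed. The `#if 0` block is better deleted than parked, since version control keeps it; preproc_mount_mnt_dir continues outside the hunk.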
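--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1088,8 +1088,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 
 // restrict-namespaces
 if (strcmp(ptr, "restrict-namespaces") == 0) {
-if (checkcfg(CFG_SECCOMP))
+if (checkcfg(CFG_SECCOMP)) {
+arg_restrict_namespaces = 1;
 profile_list_augment(&cfg.restrict_namespaces, "cgroup,ipc,net,mnt,pid,time,user,uts");
+}
 else
 warning_feature_disabled("seccomp");
 return 0;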
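--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -987,12 +987,8 @@ int sandbox(void* sandbox_arg) {
 //****************************
 // hosts and hostname
 //****************************
-// if (cfg.hostname)
 fs_hostname();
 
-// if (cfg.hosts_file)
-// fs_mount_hosts_file();
-
 //****************************
 // /etc overrides from the network namespace
 //****************************
@@ -1215,7 +1211,19 @@ int sandbox(void* sandbox_arg) {
 seccomp_load(RUN_SECCOMP_MDWX_32);
 }
 
-if (cfg.restrict_namespaces) {
+if (arg_restrict_namespaces) {
+if (arg_seccomp_error_action != EPERM) {
+seccomp_filter_namespaces(true, cfg.restrict_namespaces);
+seccomp_filter_namespaces(false, cfg.restrict_namespaces);
+}
+
+if (arg_debug)
+printf("Install namespaces filter\n");
+seccomp_load(RUN_SECCOMP_NS); // install filter
+seccomp_load(RUN_SECCOMP_NS_32);
+
+}
+else if (cfg.restrict_namespaces) {
 seccomp_filter_namespaces(true, cfg.restrict_namespaces);
 seccomp_filter_namespaces(false, cfg.restrict_namespaces);
 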
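Review bot: In the new `arg_restrict_namespaces` branch of the second hunk, the EPERM case installs whatever is already in RUN_SECCOMP_NS and RUN_SECCOMP_NS_32, and neither `seccomp_load` result is looked at. Those files are now the copies made in preproc.c, so a missing or truncated prebuilt filter should stop the sandbox here rather than let it start without namespace restrictions. Whether seccomp_load already exits on failure cannot be seen from this page. The branch also repeats the two `seccomp_filter_namespaces` calls of the `else if` arm. If the rest of that arm is the same load sequence, a single condition such as `int regenerate = !arg_restrict_namespaces || arg_seccomp_error_action != EPERM;` would leave one generate-then-load path to audit; the `else if` body continues past the hunk.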
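--- a/src/fnettrace/Makefile
+++ b/src/fnettrace/Makefile
@@ -11,6 +11,3 @@ include $(ROOT)/src/prog.mk
 all: $(TARGET) static-ip-map
 static-ip-map: static-ip-map.txt fnettrace
 ./fnettrace --squash-map=static-ip-map.txt > static-ip-map
-
-
-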
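--- a/src/fnettrace/static-ip-map.txt
+++ b/src/fnettrace/static-ip-map.txt
@@ -359,6 +359,7 @@
 172.105.128.0/23 Linode
 
 # Akamai
+2.16.0.0/13 Akamai
 23.0.0.0/12 Akamai
 23.32.0.0/11 Akamai
 23.64.0.0/14 Akamai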
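--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -79,6 +79,8 @@
 #define PATH_SECCOMP_DEBUG_32 LIBDIR "/firejail/seccomp.debug32" // 32bit arch debug filter built during make
 #define PATH_SECCOMP_MDWX LIBDIR "/firejail/seccomp.mdwx" // filter for memory-deny-write-execute built during make
 #define PATH_SECCOMP_MDWX_32 LIBDIR "/firejail/seccomp.mdwx.32"
+#define PATH_SECCOMP_NAMESPACES LIBDIR "/firejail/seccomp.namespaces" // filter for restrict-namespaces
+#define PATH_SECCOMP_NAMESPACES_32 LIBDIR "/firejail/seccomp.namespaces.32"
 #define PATH_SECCOMP_BLOCK_SECONDARY LIBDIR "/firejail/seccomp.block_secondary" // secondary arch blocking filter built during make
 
 #define RUN_DEV_DIR RUN_MNT_DIR "/dev"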
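--- a/src/man/Makefile
+++ b/src/man/Makefile
@@ -2,14 +2,25 @@
 ROOT = ../..
 -include $(ROOT)/config.mk
 
+MOD_DIR := $(ROOT)/src/man
+MANPAGES_IN := $(sort $(wildcard $(MOD_DIR)/*.in))
+MANPAGES_GZ := $(MANPAGES_IN:.in=.gz)
+TARGET = $(MANPAGES_GZ)
+
 .PHONY: all
-all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man jailcheck.man
+all: $(TARGET)
 
-%.man: %.txt $(ROOT)/config.mk
-gawk -f ./preproc.awk -- $(MANFLAGS) < $< > $@
+# foo.1: foo.1.in
+$(MOD_DIR)/%: $(MOD_DIR)/%.in $(ROOT)/config.mk
+@printf 'Generating %s from %s\n' $@ $<
+@gawk -f $(MOD_DIR)/preproc.awk -- $(MANFLAGS) <$< | \
+$(MOD_DIR)/mkman.sh $(VERSION) >$@
 
-.PHONY: clean
-clean:; rm -fr *.man
+# foo.1.gz: foo.1
+$(MOD_DIR)/%.gz: $(MOD_DIR)/%
+@printf 'Generating %s from %s\n' $@ $<
+@rm -f $@
+@gzip -n9 $<
 
-.PHONY: distclean
-distclean: clean
+.PHONY: clean
+clean:; rm -f *.1 *.5 *.gz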
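Review bot: In the `$(MOD_DIR)/%` rule the recipe pipes gawk into mkman.sh, so make sees only the exit status of mkman.sh. A failing preprocessor step still leaves a truncated `$@`, which the `.gz` rule then compresses. Writing the gawk output to a temporary file and running mkman.sh on it as a second recipe line makes that failure stop the build, and a `.DELETE_ON_ERROR:` line removes the half-written target when it does. The `clean` recipe also globs `*.1 *.5 *.gz` in the current directory while every rule names files under `$(MOD_DIR)`, and `distclean` is no longer defined in this file.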
diff --git a/src/man/firecfg.txt b/src/man/firecfg.1.in index 42add6a41..42add6a41 100644 --- a/src/man/firecfg.txt +++ b/src/man/firecfg.1.in | |||
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.5.in index f03fc3c37..f03fc3c37 100644 --- a/src/man/firejail-login.txt +++ b/src/man/firejail-login.5.in | |||
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.5.in index fa294d888..fa294d888 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.5.in | |||
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.5.in index 7aa151680..7aa151680 100644 --- a/src/man/firejail-users.txt +++ b/src/man/firejail-users.5.in | |||
diff --git a/src/man/firejail.txt b/src/man/firejail.1.in index 19fc94ebd..19fc94ebd 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.1.in | |||
diff --git a/src/man/firemon.txt b/src/man/firemon.1.in index fb0cf1175..fb0cf1175 100644 --- a/src/man/firemon.txt +++ b/src/man/firemon.1.in | |||
diff --git a/src/man/jailcheck.txt b/src/man/jailcheck.1.in index e889ea91b..e889ea91b 100644 --- a/src/man/jailcheck.txt +++ b/src/man/jailcheck.1.in | |||
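--- /dev/null
+++ b/src/man/mkman.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set -e
+
+MONTH="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b)"
+YEAR="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y)"
+
+sed \
+-e "s/VERSION/$1/g" \
+-e "s/MONTH/$MONTH/g" \
+-e "s/YEAR/$YEAR/g"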
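Review bot: `$1` is spliced directly into the sed program in `-e "s/VERSION/$1/g"`, so a version string containing `/`, `&` or a backslash alters or breaks the substitution, and an empty `$1` silently blanks every VERSION in the page. A guard near the top such as `[ -n "$1" ] || { echo "usage: $0 VERSION" >&2; exit 1; }` covers the empty case; escaping the value before use covers the rest. MONTH and YEAR each evaluate `$(date +%s)` separately when SOURCE_DATE_EPOCH is unset, so computing the epoch once into a variable keeps the two consistent. `date --date=@...` is a GNU extension, which is worth a comment if non-GNU build hosts matter.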