diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/fbuilder/build_bin.c | 2 | ||||
-rw-r--r-- | src/fbuilder/build_fs.c | 12 | ||||
-rw-r--r-- | src/fbuilder/build_home.c | 2 | ||||
-rw-r--r-- | src/fbuilder/build_profile.c | 23 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 9 | ||||
-rw-r--r-- | src/firejail/fs_etc.c | 61 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 12 | ||||
-rw-r--r-- | src/man/firejail.txt | 14 |
8 files changed, 93 insertions, 42 deletions
diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c index 96bd351f3..431aebee6 100644 --- a/src/fbuilder/build_bin.c +++ b/src/fbuilder/build_bin.c | |||
@@ -121,6 +121,6 @@ void build_bin(const char *fname, FILE *fp) { | |||
121 | ptr = ptr->next; | 121 | ptr = ptr->next; |
122 | } | 122 | } |
123 | fprintf(fp, "\n"); | 123 | fprintf(fp, "\n"); |
124 | fprintf(fp, "# private-lib\n"); | 124 | fprintf(fp, "#private-lib\n"); |
125 | } | 125 | } |
126 | } | 126 | } |
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c index 495f71ab8..ac0cd455a 100644 --- a/src/fbuilder/build_fs.c +++ b/src/fbuilder/build_fs.c | |||
@@ -220,6 +220,10 @@ static void tmp_callback(char *ptr) { | |||
220 | // skip strace file | 220 | // skip strace file |
221 | if (strncmp(ptr, "/tmp/firejail-strace", 20) == 0) | 221 | if (strncmp(ptr, "/tmp/firejail-strace", 20) == 0) |
222 | return; | 222 | return; |
223 | if (strncmp(ptr, "/tmp/runtime-", 13) == 0) | ||
224 | return; | ||
225 | if (strcmp(ptr, "/tmp") == 0) | ||
226 | return; | ||
223 | 227 | ||
224 | tmp_out = filedb_add(tmp_out, ptr); | 228 | tmp_out = filedb_add(tmp_out, ptr); |
225 | } | 229 | } |
@@ -232,8 +236,7 @@ void build_tmp(const char *fname, FILE *fp) { | |||
232 | if (tmp_out == NULL) | 236 | if (tmp_out == NULL) |
233 | fprintf(fp, "private-tmp\n"); | 237 | fprintf(fp, "private-tmp\n"); |
234 | else { | 238 | else { |
235 | fprintf(fp, "\n"); | 239 | fprintf(fp, "#private-tmp\n"); |
236 | fprintf(fp, "# private-tmp\n"); | ||
237 | fprintf(fp, "# File accessed in /tmp directory:\n"); | 240 | fprintf(fp, "# File accessed in /tmp directory:\n"); |
238 | fprintf(fp, "# "); | 241 | fprintf(fp, "# "); |
239 | FileDB *ptr = tmp_out; | 242 | FileDB *ptr = tmp_out; |
@@ -310,9 +313,8 @@ void build_dev(const char *fname, FILE *fp) { | |||
310 | if (dev_out == NULL) | 313 | if (dev_out == NULL) |
311 | fprintf(fp, "private-dev\n"); | 314 | fprintf(fp, "private-dev\n"); |
312 | else { | 315 | else { |
313 | fprintf(fp, "\n"); | 316 | fprintf(fp, "#private-dev\n"); |
314 | fprintf(fp, "# private-dev\n"); | 317 | fprintf(fp, "# This is the list of devices accessed on top of regular private-dev devices:\n"); |
315 | fprintf(fp, "# This is the list of devices accessed (on top of regular private-dev devices:\n"); | ||
316 | fprintf(fp, "# "); | 318 | fprintf(fp, "# "); |
317 | FileDB *ptr = dev_out; | 319 | FileDB *ptr = dev_out; |
318 | while (ptr) { | 320 | while (ptr) { |
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c index 683009b71..d7706282a 100644 --- a/src/fbuilder/build_home.c +++ b/src/fbuilder/build_home.c | |||
@@ -141,7 +141,7 @@ void process_home(const char *fname, char *home, int home_len) { | |||
141 | } | 141 | } |
142 | 142 | ||
143 | // skip files and directories in whitelist-common.inc | 143 | // skip files and directories in whitelist-common.inc |
144 | if (filedb_find(db_skip, toadd)) { | 144 | if (strlen(toadd) == 0 || filedb_find(db_skip, toadd)) { |
145 | if (dir) | 145 | if (dir) |
146 | free(dir); | 146 | free(dir); |
147 | continue; | 147 | continue; |
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index 96a83954d..0c1b57384 100644 --- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c | |||
@@ -150,12 +150,12 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
150 | 150 | ||
151 | fprintf(fp, "### basic blacklisting\n"); | 151 | fprintf(fp, "### basic blacklisting\n"); |
152 | fprintf(fp, "include disable-common.inc\n"); | 152 | fprintf(fp, "include disable-common.inc\n"); |
153 | fprintf(fp, "# include disable-devel.inc\n"); | 153 | fprintf(fp, "#include disable-devel.inc\n"); |
154 | fprintf(fp, "# include disable-exec.inc\n"); | 154 | fprintf(fp, "#include disable-exec.inc\n"); |
155 | fprintf(fp, "# include disable-interpreters.inc\n"); | 155 | fprintf(fp, "#include disable-interpreters.inc\n"); |
156 | fprintf(fp, "include disable-passwdmgr.inc\n"); | 156 | fprintf(fp, "include disable-passwdmgr.inc\n"); |
157 | fprintf(fp, "# include disable-programs.inc\n"); | 157 | fprintf(fp, "#include disable-programs.inc\n"); |
158 | fprintf(fp, "# include disable-xdg.inc\n"); | 158 | fprintf(fp, "#include disable-xdg.inc\n"); |
159 | fprintf(fp, "\n"); | 159 | fprintf(fp, "\n"); |
160 | 160 | ||
161 | fprintf(fp, "### home directory whitelisting\n"); | 161 | fprintf(fp, "### home directory whitelisting\n"); |
@@ -163,18 +163,17 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
163 | fprintf(fp, "\n"); | 163 | fprintf(fp, "\n"); |
164 | 164 | ||
165 | fprintf(fp, "### filesystem\n"); | 165 | fprintf(fp, "### filesystem\n"); |
166 | fprintf(fp, "# /usr/share:\n"); | 166 | fprintf(fp, "### /usr/share:\n"); |
167 | build_share(trace_output, fp); | 167 | build_share(trace_output, fp); |
168 | fprintf(fp, "# /var:\n"); | 168 | fprintf(fp, "### /var:\n"); |
169 | build_var(trace_output, fp); | 169 | build_var(trace_output, fp); |
170 | fprintf(fp, "\n"); | 170 | fprintf(fp, "### /bin:\n"); |
171 | fprintf(fp, "# $PATH:\n"); | ||
172 | build_bin(trace_output, fp); | 171 | build_bin(trace_output, fp); |
173 | fprintf(fp, "# /dev:\n"); | 172 | fprintf(fp, "### /dev:\n"); |
174 | build_dev(trace_output, fp); | 173 | build_dev(trace_output, fp); |
175 | fprintf(fp, "# /etc:\n"); | 174 | fprintf(fp, "### /etc:\n"); |
176 | build_etc(trace_output, fp); | 175 | build_etc(trace_output, fp); |
177 | fprintf(fp, "# /tmp:\n"); | 176 | fprintf(fp, "### /tmp:\n"); |
178 | build_tmp(trace_output, fp); | 177 | build_tmp(trace_output, fp); |
179 | fprintf(fp, "\n"); | 178 | fprintf(fp, "\n"); |
180 | 179 | ||
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index be50d5f44..474904ebf 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -74,6 +74,7 @@ autokey-run | |||
74 | autokey-shell | 74 | autokey-shell |
75 | avidemux3_qt5 | 75 | avidemux3_qt5 |
76 | aweather | 76 | aweather |
77 | ballbuster | ||
77 | baloo_file | 78 | baloo_file |
78 | baloo_filemetadata_temp_extractor | 79 | baloo_filemetadata_temp_extractor |
79 | balsa | 80 | balsa |
@@ -147,6 +148,7 @@ cmus | |||
147 | code | 148 | code |
148 | code-oss | 149 | code-oss |
149 | cola | 150 | cola |
151 | colorful | ||
150 | com.github.bleakgrey.tootle | 152 | com.github.bleakgrey.tootle |
151 | com.github.dahenson.agenda | 153 | com.github.dahenson.agenda |
152 | com.github.johnfactotum.Foliate | 154 | com.github.johnfactotum.Foliate |
@@ -236,6 +238,7 @@ ffplay | |||
236 | ffprobe | 238 | ffprobe |
237 | file-roller | 239 | file-roller |
238 | filezilla | 240 | filezilla |
241 | firedragon | ||
239 | firefox | 242 | firefox |
240 | firefox-beta | 243 | firefox-beta |
241 | firefox-developer-edition | 244 | firefox-developer-edition |
@@ -293,6 +296,8 @@ git-cola | |||
293 | github-desktop | 296 | github-desktop |
294 | gitter | 297 | gitter |
295 | # gjs -- https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102 | 298 | # gjs -- https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102 |
299 | gl-117 | ||
300 | glaxium | ||
296 | globaltime | 301 | globaltime |
297 | gmpc | 302 | gmpc |
298 | gnome-2048 | 303 | gnome-2048 |
@@ -550,6 +555,7 @@ mypaint | |||
550 | mypaint-ora-thumbnailer | 555 | mypaint-ora-thumbnailer |
551 | natron | 556 | natron |
552 | ncdu | 557 | ncdu |
558 | neochat | ||
553 | neomutt | 559 | neomutt |
554 | netactview | 560 | netactview |
555 | nethack | 561 | nethack |
@@ -615,6 +621,7 @@ penguin-command | |||
615 | photoflare | 621 | photoflare |
616 | picard | 622 | picard |
617 | pidgin | 623 | pidgin |
624 | pinball | ||
618 | #ping - disabled until we fix #1912 | 625 | #ping - disabled until we fix #1912 |
619 | pingus | 626 | pingus |
620 | pinta | 627 | pinta |
@@ -673,7 +680,6 @@ runenpass.sh | |||
673 | sayonara | 680 | sayonara |
674 | scallion | 681 | scallion |
675 | scorched3d | 682 | scorched3d |
676 | scorched3d-wrapper | ||
677 | scorchwentbonkers | 683 | scorchwentbonkers |
678 | scribus | 684 | scribus |
679 | sdat2img | 685 | sdat2img |
@@ -867,7 +873,6 @@ xmr-stak | |||
867 | xonotic | 873 | xonotic |
868 | xonotic-glx | 874 | xonotic-glx |
869 | xonotic-sdl | 875 | xonotic-sdl |
870 | xonotic-sdl-wrapper | ||
871 | xournal | 876 | xournal |
872 | xournalpp | 877 | xournalpp |
873 | xpdf | 878 | xpdf |
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index abec25d45..8cb25a1ff 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c | |||
@@ -76,6 +76,44 @@ void fs_machineid(void) { | |||
76 | } | 76 | } |
77 | } | 77 | } |
78 | 78 | ||
79 | // Duplicate directory structure from src to dst by creating empty directories. | ||
80 | // The paths _must_ be identical after their respective prefixes. | ||
81 | // When finished, dst will point to the target directory. That is, if | ||
82 | // it starts out pointing to a file, it will instead be truncated so | ||
83 | // that it contains the parent directory instead. | ||
84 | static void build_dirs(char *src, char *dst, size_t src_prefix_len, size_t dst_prefix_len) { | ||
85 | char *p = src + src_prefix_len + 1; | ||
86 | char *q = dst + dst_prefix_len + 1; | ||
87 | char *r = dst + dst_prefix_len; | ||
88 | struct stat s; | ||
89 | bool last = false; | ||
90 | *r = '\0'; | ||
91 | for (; !last; p++, q++) { | ||
92 | if (*p == '\0') { | ||
93 | last = true; | ||
94 | } | ||
95 | if (*p == '\0' || (*p == '/' && *(p - 1) != '/')) { | ||
96 | // We found a new component of our src path. | ||
97 | // Null-terminate it temporarily here so that we can work | ||
98 | // with it. | ||
99 | *p = '\0'; | ||
100 | if (stat(src, &s) == 0 && S_ISDIR(s.st_mode)) { | ||
101 | // Null-terminate the dst path and undo its previous | ||
102 | // termination. | ||
103 | *q = '\0'; | ||
104 | *r = '/'; | ||
105 | r = q; | ||
106 | create_empty_dir_as_root(dst, s.st_mode); | ||
107 | } | ||
108 | if (!last) { | ||
109 | // If we're not at the final terminating null, restore | ||
110 | // the slash so that we can continue our traversal. | ||
111 | *p = '/'; | ||
112 | } | ||
113 | } | ||
114 | } | ||
115 | } | ||
116 | |||
79 | // return 0 if file not found, 1 if found | 117 | // return 0 if file not found, 1 if found |
80 | static int check_dir_or_file(const char *fname) { | 118 | static int check_dir_or_file(const char *fname) { |
81 | assert(fname); | 119 | assert(fname); |
@@ -103,7 +141,7 @@ errexit: | |||
103 | static void duplicate(const char *fname, const char *private_dir, const char *private_run_dir) { | 141 | static void duplicate(const char *fname, const char *private_dir, const char *private_run_dir) { |
104 | assert(fname); | 142 | assert(fname); |
105 | 143 | ||
106 | if (*fname == '~' || strchr(fname, '/') || strcmp(fname, "..") == 0) { | 144 | if (*fname == '~' || *fname == '/' || strncmp(fname, "..", 2) == 0) { |
107 | fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname); | 145 | fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname); |
108 | exit(1); | 146 | exit(1); |
109 | } | 147 | } |
@@ -119,21 +157,16 @@ static void duplicate(const char *fname, const char *private_dir, const char *pr | |||
119 | } | 157 | } |
120 | 158 | ||
121 | if (arg_debug) | 159 | if (arg_debug) |
122 | printf("copying %s to private %s\n", src, private_dir); | 160 | printf("Copying %s to private %s\n", src, private_dir); |
123 | 161 | ||
124 | struct stat s; | 162 | char *dst; |
125 | if (stat(src, &s) == 0 && S_ISDIR(s.st_mode)) { | 163 | if (asprintf(&dst, "%s/%s", private_run_dir, fname) == -1) |
126 | // create the directory in RUN_ETC_DIR | 164 | errExit("asprintf"); |
127 | char *dirname; | 165 | |
128 | if (asprintf(&dirname, "%s/%s", private_run_dir, fname) == -1) | 166 | build_dirs(src, dst, strlen(private_dir), strlen(private_run_dir)); |
129 | errExit("asprintf"); | 167 | sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FCOPY, src, dst); |
130 | create_empty_dir_as_root(dirname, s.st_mode); | ||
131 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, dirname); | ||
132 | free(dirname); | ||
133 | } | ||
134 | else | ||
135 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, private_run_dir); | ||
136 | 168 | ||
169 | free(dst); | ||
137 | fs_logger2("clone", src); | 170 | fs_logger2("clone", src); |
138 | free(src); | 171 | free(src); |
139 | } | 172 | } |
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index ddb736e81..9d11add06 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -295,7 +295,9 @@ Use the options no3d, nodvd, nosound, notv, nou2f and novideo for additional res | |||
295 | Build a new /etc in a temporary | 295 | Build a new /etc in a temporary |
296 | filesystem, and copy the files and directories in the list. | 296 | filesystem, and copy the files and directories in the list. |
297 | The files and directories in the list must be expressed as relative to | 297 | The files and directories in the list must be expressed as relative to |
298 | the /etc directory. | 298 | the /etc directory, and must not contain the / character |
299 | (e.g., /etc/foo must be expressed as foo, but /etc/foo/bar -- | ||
300 | expressed as foo/bar -- is disallowed). | ||
299 | All modifications are discarded when the sandbox is closed. | 301 | All modifications are discarded when the sandbox is closed. |
300 | #ifdef HAVE_PRIVATE_HOME | 302 | #ifdef HAVE_PRIVATE_HOME |
301 | .TP | 303 | .TP |
@@ -319,14 +321,18 @@ This feature is still under development, see \fBman 1 firejail\fR for some examp | |||
319 | Build a new /opt in a temporary | 321 | Build a new /opt in a temporary |
320 | filesystem, and copy the files and directories in the list. | 322 | filesystem, and copy the files and directories in the list. |
321 | The files and directories in the list must be expressed as relative to | 323 | The files and directories in the list must be expressed as relative to |
322 | the /opt directory. | 324 | the /opt directory, and must not contain the / character |
325 | (e.g., /opt/foo must be expressed as foo, but /opt/foo/bar -- | ||
326 | expressed as foo/bar -- is disallowed). | ||
323 | All modifications are discarded when the sandbox is closed. | 327 | All modifications are discarded when the sandbox is closed. |
324 | .TP | 328 | .TP |
325 | \fBprivate-srv file,directory | 329 | \fBprivate-srv file,directory |
326 | Build a new /srv in a temporary | 330 | Build a new /srv in a temporary |
327 | filesystem, and copy the files and directories in the list. | 331 | filesystem, and copy the files and directories in the list. |
328 | The files and directories in the list must be expressed as relative to | 332 | The files and directories in the list must be expressed as relative to |
329 | the /srv directory. | 333 | the /srv directory, and must not contain the / character |
334 | (e.g., /srv/foo must be expressed as foo, but /srv/foo/bar -- | ||
335 | expressed as foo/bar -- is disallowed). | ||
330 | All modifications are discarded when the sandbox is closed. | 336 | All modifications are discarded when the sandbox is closed. |
331 | .TP | 337 | .TP |
332 | \fBprivate-tmp | 338 | \fBprivate-tmp |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index c0640c404..23ec23fb1 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1892,7 +1892,9 @@ $ | |||
1892 | Build a new /etc in a temporary | 1892 | Build a new /etc in a temporary |
1893 | filesystem, and copy the files and directories in the list. | 1893 | filesystem, and copy the files and directories in the list. |
1894 | The files and directories in the list must be expressed as relative to | 1894 | The files and directories in the list must be expressed as relative to |
1895 | the /etc directory. | 1895 | the /etc directory, and must not contain the / character |
1896 | (e.g., /etc/foo must be expressed as foo, but /etc/foo/bar -- | ||
1897 | expressed as foo/bar -- is disallowed). | ||
1896 | If no listed file is found, /etc directory will be empty. | 1898 | If no listed file is found, /etc directory will be empty. |
1897 | All modifications are discarded when the sandbox is closed. | 1899 | All modifications are discarded when the sandbox is closed. |
1898 | .br | 1900 | .br |
@@ -1902,7 +1904,7 @@ Example: | |||
1902 | .br | 1904 | .br |
1903 | $ firejail --private-etc=group,hostname,localtime, \\ | 1905 | $ firejail --private-etc=group,hostname,localtime, \\ |
1904 | .br | 1906 | .br |
1905 | nsswitch.conf,passwd,resolv.conf,default/motd-news | 1907 | nsswitch.conf,passwd,resolv.conf |
1906 | #ifdef HAVE_PRIVATE_HOME | 1908 | #ifdef HAVE_PRIVATE_HOME |
1907 | .TP | 1909 | .TP |
1908 | \fB\-\-private-home=file,directory | 1910 | \fB\-\-private-home=file,directory |
@@ -1977,7 +1979,9 @@ $ | |||
1977 | Build a new /opt in a temporary | 1979 | Build a new /opt in a temporary |
1978 | filesystem, and copy the files and directories in the list. | 1980 | filesystem, and copy the files and directories in the list. |
1979 | The files and directories in the list must be expressed as relative to | 1981 | The files and directories in the list must be expressed as relative to |
1980 | the /opt directory. | 1982 | the /opt directory, and must not contain the / character |
1983 | (e.g., /opt/foo must be expressed as foo, but /opt/foo/bar -- | ||
1984 | expressed as foo/bar -- is disallowed). | ||
1981 | If no listed file is found, /opt directory will be empty. | 1985 | If no listed file is found, /opt directory will be empty. |
1982 | All modifications are discarded when the sandbox is closed. | 1986 | All modifications are discarded when the sandbox is closed. |
1983 | .br | 1987 | .br |
@@ -1992,7 +1996,9 @@ $ firejail --private-opt=firefox /opt/firefox/firefox | |||
1992 | Build a new /srv in a temporary | 1996 | Build a new /srv in a temporary |
1993 | filesystem, and copy the files and directories in the list. | 1997 | filesystem, and copy the files and directories in the list. |
1994 | The files and directories in the list must be expressed as relative to | 1998 | The files and directories in the list must be expressed as relative to |
1995 | the /srv directory. | 1999 | the /srv directory, and must not contain the / character |
2000 | (e.g., /opt/srv must be expressed as foo, but /srv/foo/bar -- | ||
2001 | expressed as srv/bar -- is disallowed). | ||
1996 | If no listed file is found, /srv directory will be empty. | 2002 | If no listed file is found, /srv directory will be empty. |
1997 | All modifications are discarded when the sandbox is closed. | 2003 | All modifications are discarded when the sandbox is closed. |
1998 | .br | 2004 | .br |