Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/fs.c | 11 | ||||
-rw-r--r-- | src/firejail/main.c | 36 | ||||
-rw-r--r-- | src/firejail/x11.c | 19 | ||||
-rw-r--r-- | src/firemon/firemon.c | 6 | ||||
-rw-r--r-- | src/firemon/x11.c | 60 | ||||
-rw-r--r-- | src/man/firejail.txt | 15 | ||||
-rw-r--r-- | src/man/firemon.txt | 4 |
8 files changed, 149 insertions, 4 deletions
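--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -27,6 +27,7 @@
 #define RUN_FIREJAIL_BASEDIR "/run"
 #define RUN_FIREJAIL_DIR "/run/firejail"
 #define RUN_FIREJAIL_NAME_DIR "/run/firejail/name"
+#define RUN_FIREJAIL_X11_DIR "/run/firejail/x11"
 #define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network"
 #define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth"
 #define RUN_NETWORK_LOCK_FILE "/run/firejail/firejail.lock"
@@ -524,6 +525,7 @@ void fs_mkdir(const char *name);
 // x11.c
 void fs_x11(void);
 void x11_start(int argc, char **argv);
+int x11_display(void);
 
 #endif
 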
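--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -127,6 +127,17 @@ void fs_build_firejail_dir(void) {
 errExit("chmod");
 }
 
+if (stat(RUN_FIREJAIL_X11_DIR, &s)) {
+if (arg_debug)
+printf("Creating %s directory\n", RUN_FIREJAIL_X11_DIR);
+if (mkdir(RUN_FIREJAIL_X11_DIR, 0755) == -1)
+errExit("mkdir");
+if (chown(RUN_FIREJAIL_X11_DIR, 0, 0) < 0)
+errExit("chown");
+if (chmod(RUN_FIREJAIL_X11_DIR, 0755) < 0)
+errExit("chmod");
+}
+
 create_empty_dir();
 create_empty_file();
 }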
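Review bot: The guard `if (stat(RUN_FIREJAIL_X11_DIR, &s))` accepts any existing path as a usable directory, so a stray regular file or symlink at `/run/firejail/x11` passes silently and every later open of `/run/firejail/x11/<pid>` in main.c fails; the blocks above it that this one copies have the same shape. Assuming `s` is the `struct stat` those blocks already use, a check after a successful stat makes the expected state explicit: `if (stat(RUN_FIREJAIL_X11_DIR, &s) == 0 && !S_ISDIR(s.st_mode)) { fprintf(stderr, "Error: %s is not a directory\n", RUN_FIREJAIL_X11_DIR); exit(1); }`. The directory is root-owned 0755, which is what lets firemon's unprivileged reader trust the per-pid files written into it; a one-line comment saying so, e.g. `// root-owned, world-readable: firemon reads the per-pid display files after dropping privileges`, would keep that invariant visible. fs_build_firejail_dir starts outside the hunk.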
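--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -106,6 +106,8 @@ pid_t sandbox_pid;
 
 static void set_name_file(uid_t pid);
 static void delete_name_file(uid_t pid);
+static void set_x11_file(uid_t pid, int display);
+static void delete_x11_file(uid_t pid);
 
 static void myexit(int rv) {
 logmsg("exiting...");
@@ -116,6 +118,7 @@ static void myexit(int rv) {
 bandwidth_shm_del_file(sandbox_pid); // bandwidth file
 network_shm_del_file(sandbox_pid); // network map file
 delete_name_file(sandbox_pid);
+delete_x11_file(sandbox_pid);
 
 exit(rv);
 }
@@ -511,6 +514,36 @@ static void delete_name_file(uid_t pid) {
 (void) rv;
 }
 
+static void set_x11_file(uid_t pid, int display) {
+char *fname;
+if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1)
+errExit("asprintf");
+
+// the file is deleted first
+FILE *fp = fopen(fname, "w");
+if (!fp) {
+fprintf(stderr, "Error: cannot create %s\n", fname);
+exit(1);
+}
+fprintf(fp, "%d\n", display);
+fclose(fp);
+
+// mode and ownership
+if (chown(fname, 0, 0) == -1)
+errExit("chown");
+if (chmod(fname, 0644) == -1)
+errExit("chmod");
+
+}
+
+static void delete_x11_file(uid_t pid) {
+char *fname;
+if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1)
+errExit("asprintf");
+int rv = unlink(fname);
+(void) rv;
+}
+
 //*******************************************
 // Main program
 //*******************************************
@@ -1554,6 +1587,9 @@ int main(int argc, char **argv) {
 EUID_ROOT();
 if (cfg.name)
 set_name_file(sandbox_pid);
+int display = x11_display();
+if (display > 0)
+set_x11_file(sandbox_pid, display);
 EUID_USER();
 
 // clone environment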
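Review bot: `fname` is never freed in either `set_x11_file` or `delete_x11_file`, so each `asprintf` result leaks once the file is written or unlinked; add `free(fname);` before the closing brace of both functions (after the `chmod` check in `set_x11_file`, after the `unlink` in `delete_x11_file`). The comment `// the file is deleted first` describes an unlink that is not in the code — `fopen(fname, "w")` only truncates — so reword it to `// fopen("w") truncates any stale file left by an earlier sandbox with this pid`. `fprintf` and `fclose` are unchecked before the file is made 0644, so a short write leaves a file that `firemon --x11` reads as having no display; `if (fclose(fp) != 0) errExit("fclose");` would surface that. Both functions run under `EUID_ROOT()` and write into the root-owned 0755 directory created in fs.c, and `x11_display()` only ever yields an int parsed from `DISPLAY`, so the per-pid file content stays trustworthy for firemon's unprivileged reader.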
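--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -26,12 +26,12 @@
 #include <dirent.h>
 #include <sys/mount.h>
 
-void fs_x11(void) {
-#ifdef HAVE_X11
+// return display number, -1 if not configured
+int x11_display(void) {
 // extract display
 char *d = getenv("DISPLAY");
 if (!d)
-return;
+return - 1;
 
 int display;
 int rv = sscanf(d, ":%d", &display);
@@ -39,6 +39,15 @@ void fs_x11(void) {
 return;
 if (arg_debug)
 printf("DISPLAY %s, %d\n", d, display);
+
+return display;
+}
+
+void fs_x11(void) {
+#ifdef HAVE_X11
+int display = x11_display();
+if (display <= 0)
+return;
 
 char *x11file;
 if (asprintf(&x11file, "/tmp/.X11-unix/X%d", display) == -1)
@@ -48,7 +57,7 @@ void fs_x11(void) {
 return;
 
 // keep a copy of real /tmp/.X11-unix directory in WHITELIST_TMP_DIR
-rv = mkdir(RUN_WHITELIST_X11_DIR, 1777);
+int rv = mkdir(RUN_WHITELIST_X11_DIR, 1777);
 if (rv == -1)
 errExit("mkdir");
 if (chown(RUN_WHITELIST_X11_DIR, 0, 0) < 0)
@@ -178,6 +187,7 @@ void x11_start(int argc, char **argv) {
 exit(1);
 }
 sleep(1);
+
 if (arg_debug) {
 printf("X11 sockets: "); fflush(0);
 int rv = system("ls /tmp/.X11-unix");
@@ -213,6 +223,7 @@ void x11_start(int argc, char **argv) {
 
 if (!arg_quiet)
 printf("Xpra server pid %d, client pid %d\n", server, client);
+
 exit(0);
 }
 #endif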
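Review bot: The unchanged `return;` at new line 39 now sits inside `int x11_display(void)` (it is the `sscanf` failure path, the condition itself being just outside the hunk), so a `DISPLAY` value that does not parse as `:<n>` returns no value and the callers' `display > 0` in main.c and `display <= 0` in `fs_x11` test an indeterminate int — undefined behaviour that can make the sandbox record or mount a display that was never configured; it should be `return -1;` to match the `if (!d)` path, and `return - 1;` at new line 34 reads better as `return -1;`. Separately, new line 60 keeps `mkdir(RUN_WHITELIST_X11_DIR, 1777)`: that literal is decimal (octal 03361, i.e. setgid+sticky with group read-only and other execute-only), unlike the octal `0755`/`0644` used elsewhere in this change; unless a chmod that follows the hunk resets the mode, it should be `01777`. `fs_x11` continues past the hunk.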
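--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
@@ -33,6 +33,7 @@ static int arg_seccomp = 0;
 static int arg_caps = 0;
 static int arg_cpu = 0;
 static int arg_cgroup = 0;
+static int arg_x11 = 0;
 int arg_nowrap = 0;
 
 static struct termios tlocal; // startup terminal setting
@@ -141,6 +142,9 @@ int main(int argc, char **argv) {
 
 
 // cumulative options with or without a pid argument
+else if (strcmp(argv[i], "--x11") == 0) {
+arg_x11 = 1;
+}
 else if (strcmp(argv[i], "--cgroup") == 0) {
 arg_cgroup = 1;
 }
@@ -217,6 +221,8 @@ int main(int argc, char **argv) {
 cpu((pid_t) pid);
 if (arg_cgroup)
 cgroup((pid_t) pid);
+if (arg_x11)
+x11((pid_t) pid);
 
 if (!arg_route && !arg_arp && !arg_interface && !arg_tree && !arg_caps && !arg_seccomp)
 procevent((pid_t) pid); // never to return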
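Review bot: `x11((pid_t) pid)` at new line 225 has no prototype added by this change — `firemon.h` is not in the diffstat — so unless that header already declares it, the call is an implicit function declaration (a constraint violation since C99 and a hard error on current compilers); add `void x11(pid_t pid);` to firemon.h next to the other per-option entry points. `arg_x11` is also absent from the `if (!arg_route && !arg_arp && ...)` guard at new line 227, so if that condition is the only gate, `firemon --x11` prints the display and then drops into `procevent()`, which never returns; whether that is intended is not clear from the hunk, though `--cpu` and `--cgroup` appear to share the behaviour. main starts and ends outside the hunks.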
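--- /dev/null
+++ b/src/firemon/x11.c
@@ -0,0 +1,60 @@
+/*
+* Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "firemon.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+
+void x11(pid_t pid) {
+if (getuid() == 0)
+firemon_drop_privs();
+
+pid_read(pid);
+
+// print processes
+int i;
+for (i = 0; i < max_pids; i++) {
+if (pids[i].level == 1) {
+pid_print_list(i, 0);
+
+char *x11file;
+// todo: use macro from src/firejail/firejail.h for /run/firejail/x11 directory
+if (asprintf(&x11file, "/run/firejail/x11/%d", i) == -1)
+errExit("asprintf");
+
+struct stat s;
+if (stat(x11file, &s) == 0) {
+FILE *fp = fopen(x11file, "r");
+if (!fp) {
+free(x11file);
+continue;
+}
+int display;
+int rv = fscanf(fp, "%d", &display);
+if (rv == 1)
+printf(" DISPLAY :%d\n", display);
+fclose(fp);
+}
+
+free(x11file);
+}
+}
+}
+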
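Review bot: The `stat(x11file, &s) == 0` check at lines 42-43 is redundant with the `fopen` that follows — a missing file already makes `fopen` return NULL — so the block can collapse to `FILE *fp = fopen(x11file, "r"); if (fp) { ... }` and `struct stat s` (and the `<sys/stat.h>` include, if nothing else needs it) goes away. The loop index `i` doubles as the pid in the path, which presumably means `pids[]` is indexed by pid; a one-line comment such as `// pids[] is indexed by pid, so i is the sandbox pid` would save the next reader a trip to pid.c. The `// todo` is worth acting on now: firejail.h gains `RUN_FIREJAIL_X11_DIR` in this same change while the path is duplicated here as a string, so the two can drift. Dropping privileges before reading the root-owned 0644 display files is the right order, since the only use of the parsed value is the `printf`.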
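--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1505,6 +1505,20 @@ $ firejail \-\-whitelist=~/.mozilla \-\-whitelist=~/Downloads
 $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null
 .br
 $ firejail "\-\-whitelist=/home/username/My Virtual Machines"
+
+.TP
+\fB\-\-x11
+Start a new X11 server using Xpra (http://xpra.org) and attach the sandbox to this server.
+Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens.
+The regular X11 server (display 0) is not visible in the sandbox. This prevents screenshot and keylogger
+applications started in the sandbox from accessing display 0.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-x11 firefox
+
 .TP
 \fB\-\-zsh
 Use /usr/bin/zsh as default user shell.
@@ -1514,6 +1528,7 @@ Use /usr/bin/zsh as default user shell.
 Example:
 .br
 $ firejail \-\-zsh
+
 .SH TRAFFIC SHAPING
 Network bandwidth is an expensive resource shared among all sandboxes running on a system.
 Traffic shaping allows the user to increase network performance by controlling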
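--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -51,6 +51,10 @@ Print a tree of all sandboxed processes.
 \fB\-\-version
 Print program version and exit.
 
+.TP
+\fB\-\-x11
+Print X11 display number.
+
 .PP
 Option \-\-list prints a list of all sandboxes. The format
 for each entry is as follows: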