Diffstat (limited to 'src')
-rw-r--r--src/firejail/checkcfg.c13
-rw-r--r--src/firejail/firejail.h4
-rw-r--r--src/firejail/main.c11
-rw-r--r--src/firejail/profile.c4
-rw-r--r--src/firejail/sandbox.c13
-rw-r--r--src/firejail/usage.c3
-rw-r--r--src/man/firejail-config.txt8
-rw-r--r--src/man/firejail-profile.txt6
-rw-r--r--src/man/firejail.txt7
9 files changed, 66 insertions, 3 deletions
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 430b0c5a6..3ea8caf5b 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -36,7 +36,9 @@ int checkcfg(int val) {
36 int i; 36 int i;
37 for (i = 0; i < CFG_MAX; i++) 37 for (i = 0; i < CFG_MAX; i++)
38 cfg_val[i] = 1; // most of them are enabled by default 38 cfg_val[i] = 1; // most of them are enabled by default
39
39 cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default 40 cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default
41 cfg_val[CFG_FORCE_NONEWPRIVS ] = 0; // disabled by default
40 42
41 // open configuration file 43 // open configuration file
42 char *fname; 44 char *fname;
@@ -45,7 +47,7 @@ int checkcfg(int val) {
45 47
46 FILE *fp = fopen(fname, "r"); 48 FILE *fp = fopen(fname, "r");
47 if (!fp) { 49 if (!fp) {
48 fprintf(stderr, "Error: Firejail configuration file %s not found\n", fname); 50 fprintf(stderr, "Warning: Firejail configuration file %s not found\n", fname);
49 exit(1); 51 exit(1);
50 } 52 }
51 53
@@ -106,6 +108,15 @@ int checkcfg(int val) {
106 else 108 else
107 goto errout; 109 goto errout;
108 } 110 }
111 // nonewprivs
112 else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) {
113 if (strcmp(ptr + 17, "yes") == 0)
114 cfg_val[CFG_SECCOMP] = 1;
115 else if (strcmp(ptr + 17, "no") == 0)
116 cfg_val[CFG_SECCOMP] = 0;
117 else
118 goto errout;
119 }
109 // seccomp 120 // seccomp
110 else if (strncmp(ptr, "seccomp ", 8) == 0) { 121 else if (strncmp(ptr, "seccomp ", 8) == 0) {
111 if (strcmp(ptr + 8, "yes") == 0) 122 if (strcmp(ptr + 8, "yes") == 0)
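Review bot: The new force-nonewprivs branch writes cfg_val[CFG_SECCOMP] on both its yes and no paths instead of cfg_val[CFG_FORCE_NONEWPRIVS], so the option never takes effect (checkcfg(CFG_FORCE_NONEWPRIVS) keeps its default of 0 set at the top of the function) and a `force-nonewprivs no` line silently disables seccomp for every sandbox. Both assignments should target the new index: `cfg_val[CFG_FORCE_NONEWPRIVS] = 1;` and `cfg_val[CFG_FORCE_NONEWPRIVS] = 0;`. Separately, the fopen failure message is reworded from Error to Warning while the next line still calls exit(1); either keep the Error wording or make a missing config file non-fatal, but the two should agree. checkcfg's body continues outside the hunk.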
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index f4a176caf..661073730 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -237,6 +237,7 @@ extern int arg_rlimit_nproc; // rlimit nproc
237extern int arg_rlimit_fsize; // rlimit fsize 237extern int arg_rlimit_fsize; // rlimit fsize
238extern int arg_rlimit_sigpending;// rlimit sigpending 238extern int arg_rlimit_sigpending;// rlimit sigpending
239extern int arg_nogroups; // disable supplementary groups 239extern int arg_nogroups; // disable supplementary groups
240extern int arg_nonewprivs; // set the NO_NEW_PRIVS prctl
240extern int arg_noroot; // create a new user namespace and disable root user 241extern int arg_noroot; // create a new user namespace and disable root user
241extern int arg_netfilter; // enable netfilter 242extern int arg_netfilter; // enable netfilter
242extern int arg_netfilter6; // enable netfilter6 243extern int arg_netfilter6; // enable netfilter6
@@ -565,7 +566,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh);
565#define CFG_SECCOMP 5 566#define CFG_SECCOMP 5
566#define CFG_NETWORK 6 567#define CFG_NETWORK 6
567#define CFG_RESTRICTED_NETWORK 7 568#define CFG_RESTRICTED_NETWORK 7
568#define CFG_MAX 8 // this should always be the last entry 569#define CFG_FORCE_NONEWPRIVS 8
570#define CFG_MAX 9 // this should always be the last entry
569int checkcfg(int val); 571int checkcfg(int val);
570 572
571// fs_rdwr.c 573// fs_rdwr.c
diff --git a/src/firejail/main.c b/src/firejail/main.c
index a2342843b..955bd36bf 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -77,6 +77,7 @@ int arg_rlimit_nproc = 0; // rlimit nproc
77int arg_rlimit_fsize = 0; // rlimit fsize 77int arg_rlimit_fsize = 0; // rlimit fsize
78int arg_rlimit_sigpending = 0; // rlimit fsize 78int arg_rlimit_sigpending = 0; // rlimit fsize
79int arg_nogroups = 0; // disable supplementary groups 79int arg_nogroups = 0; // disable supplementary groups
80int arg_nonewprivs = 0; // set the NO_NEW_PRIVS prctl
80int arg_noroot = 0; // create a new user namespace and disable root user 81int arg_noroot = 0; // create a new user namespace and disable root user
81int arg_netfilter; // enable netfilter 82int arg_netfilter; // enable netfilter
82int arg_netfilter6; // enable netfilter6 83int arg_netfilter6; // enable netfilter6
@@ -805,7 +806,7 @@ int main(int argc, char **argv) {
805 } 806 }
806 } 807 }
807 808
808 // is this a login shell, or a command passed by sshd insert command line options from /etc/firejail/login.users 809 // is this a login shell, or a command passed by sshd, insert command line options from /etc/firejail/login.users
809 if (*argv[0] == '-' || parent_sshd) { 810 if (*argv[0] == '-' || parent_sshd) {
810 fullargc = restricted_shell(cfg.username); 811 fullargc = restricted_shell(cfg.username);
811 if (fullargc) { 812 if (fullargc) {
@@ -824,6 +825,11 @@ int main(int argc, char **argv) {
824 check_user(argc, argv); // the function will not return if --user option was found 825 check_user(argc, argv); // the function will not return if --user option was found
825 } 826 }
826 827
828
829 // check for force-nonewprivs in /etc/firejail/firejail.config file
830 if (!option_force && checkcfg(CFG_FORCE_NONEWPRIVS))
831 arg_nonewprivs = 1;
832
827 // parse arguments 833 // parse arguments
828 for (i = 1; i < argc; i++) { 834 for (i = 1; i < argc; i++) {
829 run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized 835 run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized
@@ -1367,6 +1373,9 @@ int main(int argc, char **argv) {
1367 } 1373 }
1368 } 1374 }
1369#endif 1375#endif
1376 else if (strcmp(argv[i], "--nonewprivs") == 0) {
1377 arg_nonewprivs = 1;
1378 }
1370 else if (strncmp(argv[i], "--env=", 6) == 0) 1379 else if (strncmp(argv[i], "--env=", 6) == 0)
1371 env_store(argv[i] + 6); 1380 env_store(argv[i] + 6);
1372 else if (strncmp(argv[i], "--nosound", 9) == 0) { 1381 else if (strncmp(argv[i], "--nosound", 9) == 0) {
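Review bot: The config-driven hardening at `if (!option_force && checkcfg(CFG_FORCE_NONEWPRIVS))` is skipped whenever option_force is set, and option_force is not defined in this hunk; if it is driven by a user-supplied command-line switch, a setting the administrator enables in firejail.config precisely to stop users from abusing a privileged helper becomes bypassable by that same user. Please either drop the option_force guard or add a comment explaining why that path is safe without NO_NEW_PRIVS, e.g. `// force-nonewprivs is skipped under option_force because <reason>`. The check is placed before the argument loop, and the visible part of that loop only ever sets arg_nonewprivs, so a flag cannot clear it; a comment stating that intent, `// evaluated before option parsing so no command-line flag can undo it`, would keep a future reorder from weakening it. main's body starts and ends outside the hunk.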
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 3bf294e00..192f36974 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -131,6 +131,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
131 131
132 return 0; 132 return 0;
133 } 133 }
134 else if (strcmp(ptr, "nonewprivs") == 0) {
135 arg_nonewprivs = 1;
136 return 0;
137 }
134 else if (strcmp(ptr, "seccomp") == 0) { 138 else if (strcmp(ptr, "seccomp") == 0) {
135#ifdef HAVE_SECCOMP 139#ifdef HAVE_SECCOMP
136 if (checkcfg(CFG_SECCOMP)) 140 if (checkcfg(CFG_SECCOMP))
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 5cfee44d8..843c1efe5 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -748,6 +748,19 @@ int sandbox(void* sandbox_arg) {
748 } 748 }
749 749
750 //**************************************** 750 //****************************************
751 // Set NO_NEW_PRIVS if desired
752 //****************************************
753 if (arg_nonewprivs) {
754 int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
755
756 if(no_new_privs != 0)
757 errExit("NO_NEW_PRIVS");
758 else if (arg_debug)
759 printf("NO_NEW_PRIVS set\n");
760 }
761
762
763 //****************************************
751 // fork the application and monitor it 764 // fork the application and monitor it
752 //**************************************** 765 //****************************************
753 pid_t app_pid = fork(); 766 pid_t app_pid = fork();
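Review bot: The new NO_NEW_PRIVS block has no comment recording why it sits immediately before the `fork()` on the next line: the prctl is inherited across fork() and execve() and cannot be cleared, which is what makes the application process inherit it; add `// NO_NEW_PRIVS is inherited by the forked application and is irreversible, so set it before fork()` above the if. Whether the sandbox's seccomp filter is installed before or after this point is not visible in the hunk; an unprivileged caller needs NO_NEW_PRIVS set before loading a filter, so if filter installation happens earlier in sandbox() please confirm the ordering is intentional (it may be harmless given firejail's elevated privilege, but that should be stated). A minor style point: `if(no_new_privs != 0)` drops the space the surrounding code uses after `if`, and the temporary can be folded into the condition as `if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)`. sandbox's body starts and ends outside the hunk.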
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index ef02c0d72..45bf2e3b1 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -157,6 +157,9 @@ void usage(void) {
157 printf("\tuser. root user does not exist in the new namespace. This option\n"); 157 printf("\tuser. root user does not exist in the new namespace. This option\n");
158 printf("\tis not supported for --chroot and --overlay configurations.\n\n"); 158 printf("\tis not supported for --chroot and --overlay configurations.\n\n");
159#endif 159#endif
160 printf(" --nonewprivs - sets the NO_NEW_PRIVS prctl - the child processes\n");
161 printf("\tcannot gain privileges using execve(2); in particular, this prevents\n");
162 printf("\tgaining privileges by calling a suid binary\n\n");
160 printf(" --nosound - disable sound system.\n\n"); 163 printf(" --nosound - disable sound system.\n\n");
161 164
162 printf(" --output=logfile - stdout logging and log rotation. Copy stdout and stderr\n"); 165 printf(" --output=logfile - stdout logging and log rotation. Copy stdout and stderr\n");
diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt
index de89ff3eb..026765f1a 100644
--- a/src/man/firejail-config.txt
+++ b/src/man/firejail-config.txt
@@ -49,6 +49,14 @@ Enable or disable user namespace support, default enabled.
49Enable or disable X11 sandboxing support, default enabled. 49Enable or disable X11 sandboxing support, default enabled.
50 50
51.TP 51.TP
52\fBforce-nonewprivs
53Force use of nonewprivs. This mitigates the possibility of
54a user abusing firejail's features to trick a privileged (suid
55or file capabilities) process into loading code or configuration
56that is partially under their control. Default disabled.
57
58
59.TP
52\fBxephyr-screen 60\fBxephyr-screen
53Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for 61Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
54a full list of resolutions available on your specific setup. Examples: 62a full list of resolutions available on your specific setup. Examples:
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 4d1de76f5..1f7c8beac 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -239,6 +239,12 @@ Enable seccomp filter and blacklist the system calls in the list.
239\fBseccomp.keep syscall,syscall,syscall 239\fBseccomp.keep syscall,syscall,syscall
240Enable seccomp filter and whitelist the system calls in the list. 240Enable seccomp filter and whitelist the system calls in the list.
241.TP 241.TP
242\fBnonewprivs
243Sets the NO_NEW_PRIVS prctl. This ensures that child processes
244cannot acquire new privileges using execve(2); in particular,
245this means that calling a suid binary (or one with file capabilities)
246does not results in an increase of privilege.
247.TP
242\fBnoroot 248\fBnoroot
243Use this command to enable an user namespace. The namespace has only one user, the current user. 249Use this command to enable an user namespace. The namespace has only one user, the current user.
244There is no root account (uid 0) defined in the namespace. 250There is no root account (uid 0) defined in the namespace.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 2ea15ff2b..7b22a5bf2 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -904,6 +904,13 @@ ping: icmp open socket: Operation not permitted
904$ 904$
905 905
906.TP 906.TP
907\fB\-\-nonewprivs
908Sets the NO_NEW_PRIVS prctl. This ensures that child processes
909cannot acquire new privileges using execve(2); in particular,
910this means that calling a suid binary (or one with file capabilities)
911does not results in an increase of privilege.
912
913.TP
907\fB\-\-nosound 914\fB\-\-nosound
908Disable sound system. 915Disable sound system.
909.br 916.br