diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/bash_completion/firejail.bash_completion.in | 16 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 8 | ||||
-rw-r--r-- | src/firejail/firejail.h | 21 | ||||
-rw-r--r-- | src/firejail/join.c | 2 | ||||
-rw-r--r-- | src/firejail/landlock.c | 101 | ||||
-rw-r--r-- | src/firejail/main.c | 92 | ||||
-rw-r--r-- | src/firejail/profile.c | 84 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 27 | ||||
-rw-r--r-- | src/firejail/usage.c | 6 | ||||
-rw-r--r-- | src/firejail/util.c | 4 | ||||
-rw-r--r-- | src/fnettrace/static-ip-map | 75 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 29 | ||||
-rw-r--r-- | src/man/firejail.txt | 78 | ||||
-rw-r--r-- | src/zsh_completion/_firejail.in | 6 |
14 files changed, 102 insertions, 447 deletions
diff --git a/src/bash_completion/firejail.bash_completion.in b/src/bash_completion/firejail.bash_completion.in index 4829f1fde..8e047ce90 100644 --- a/src/bash_completion/firejail.bash_completion.in +++ b/src/bash_completion/firejail.bash_completion.in | |||
@@ -42,22 +42,6 @@ _firejail() | |||
42 | _filedir -d | 42 | _filedir -d |
43 | return 0 | 43 | return 0 |
44 | ;; | 44 | ;; |
45 | --landlock.read) | ||
46 | _filedir | ||
47 | return 0 | ||
48 | ;; | ||
49 | --landlock.write) | ||
50 | _filedir | ||
51 | return 0 | ||
52 | ;; | ||
53 | --landlock.special) | ||
54 | _filedir | ||
55 | return 0 | ||
56 | ;; | ||
57 | --landlock.execute) | ||
58 | _filedir | ||
59 | return 0 | ||
60 | ;; | ||
61 | --tmpfs) | 45 | --tmpfs) |
62 | _filedir | 46 | _filedir |
63 | return 0 | 47 | return 0 |
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index fd2f3621e..62b8c4dc4 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -378,14 +378,6 @@ void print_compiletime_support(void) { | |||
378 | #endif | 378 | #endif |
379 | ); | 379 | ); |
380 | 380 | ||
381 | printf("\t- Landlock support is %s\n", | ||
382 | #ifdef HAVE_LANDLOCK | ||
383 | "enabled" | ||
384 | #else | ||
385 | "disabled" | ||
386 | #endif | ||
387 | ); | ||
388 | |||
389 | printf("\t- networking support is %s\n", | 381 | printf("\t- networking support is %s\n", |
390 | #ifdef HAVE_NETWORK | 382 | #ifdef HAVE_NETWORK |
391 | "enabled" | 383 | "enabled" |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index a3b38b5e0..94f970eb8 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -22,9 +22,6 @@ | |||
22 | #include "../include/common.h" | 22 | #include "../include/common.h" |
23 | #include "../include/euid_common.h" | 23 | #include "../include/euid_common.h" |
24 | #include "../include/rundefs.h" | 24 | #include "../include/rundefs.h" |
25 | #ifdef HAVE_LANDLOCK | ||
26 | #include <linux/landlock.h> | ||
27 | #endif | ||
28 | #include <linux/limits.h> // Note: Plain limits.h may break ARG_MAX (see #4583) | 25 | #include <linux/limits.h> // Note: Plain limits.h may break ARG_MAX (see #4583) |
29 | #include <stdarg.h> | 26 | #include <stdarg.h> |
30 | #include <sys/stat.h> | 27 | #include <sys/stat.h> |
@@ -33,6 +30,7 @@ | |||
33 | //#define DEBUG_RESTRICTED_SHELL | 30 | //#define DEBUG_RESTRICTED_SHELL |
34 | 31 | ||
35 | 32 | ||
33 | |||
36 | // profiles | 34 | // profiles |
37 | #define DEFAULT_USER_PROFILE "default" | 35 | #define DEFAULT_USER_PROFILE "default" |
38 | #define DEFAULT_ROOT_PROFILE "server" | 36 | #define DEFAULT_ROOT_PROFILE "server" |
@@ -288,11 +286,6 @@ extern int arg_seccomp32; // enable default seccomp filter for 32 bit arch | |||
288 | extern int arg_seccomp_postexec; // need postexec ld.preload library? | 286 | extern int arg_seccomp_postexec; // need postexec ld.preload library? |
289 | extern int arg_seccomp_block_secondary; // block any secondary architectures | 287 | extern int arg_seccomp_block_secondary; // block any secondary architectures |
290 | 288 | ||
291 | #ifdef HAVE_LANDLOCK | ||
292 | extern int arg_landlock; // Landlock ruleset file descriptor | ||
293 | extern int arg_landlock_proc; // Landlock rule for accessing /proc (0 for no access, 1 for read-only and 2 for read-write) | ||
294 | #endif | ||
295 | |||
296 | extern int arg_caps_default_filter; // enable default capabilities filter | 289 | extern int arg_caps_default_filter; // enable default capabilities filter |
297 | extern int arg_caps_drop; // drop list | 290 | extern int arg_caps_drop; // drop list |
298 | extern int arg_caps_drop_all; // drop all capabilities | 291 | extern int arg_caps_drop_all; // drop all capabilities |
@@ -945,16 +938,4 @@ void run_ids(int argc, char **argv); | |||
945 | // oom.c | 938 | // oom.c |
946 | void oom_set(const char *oom_string); | 939 | void oom_set(const char *oom_string); |
947 | 940 | ||
948 | // landlock.c | ||
949 | #ifdef HAVE_LANDLOCK | ||
950 | int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags); | ||
951 | int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags); | ||
952 | int landlock_restrict_self(int fd,__u32 flags); | ||
953 | int create_full_ruleset(); | ||
954 | int add_read_access_rule_by_path(int rset_fd,char *allowed_path); | ||
955 | int add_write_access_rule_by_path(int rset_fd,char *allowed_path); | ||
956 | int add_create_special_rule_by_path(int rset_fd,char *allowed_path); | ||
957 | int add_execute_rule_by_path(int rset_fd,char *allowed_path); | ||
958 | #endif | ||
959 | |||
960 | #endif | 941 | #endif |
diff --git a/src/firejail/join.c b/src/firejail/join.c index 96d891a49..01fd6c41d 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -545,7 +545,7 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
545 | dbus_set_system_bus_env(); | 545 | dbus_set_system_bus_env(); |
546 | #endif | 546 | #endif |
547 | 547 | ||
548 | start_application(0, shfd, NULL); | 548 | start_application(arg_join_network || arg_join_filesystem, shfd, NULL); |
549 | 549 | ||
550 | __builtin_unreachable(); | 550 | __builtin_unreachable(); |
551 | } | 551 | } |
diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c deleted file mode 100644 index e79d03280..000000000 --- a/src/firejail/landlock.c +++ /dev/null | |||
@@ -1,101 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2022 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | |||
21 | #ifdef HAVE_LANDLOCK | ||
22 | #define _GNU_SOURCE | ||
23 | #include <stdio.h> | ||
24 | #include <stddef.h> | ||
25 | #include <stdlib.h> | ||
26 | #include <unistd.h> | ||
27 | #include <fcntl.h> | ||
28 | #include <sys/syscall.h> | ||
29 | #include <sys/types.h> | ||
30 | #include <sys/prctl.h> | ||
31 | #include <linux/prctl.h> | ||
32 | #include <linux/landlock.h> | ||
33 | |||
34 | int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags) { | ||
35 | return syscall(__NR_landlock_create_ruleset,rsattr,size,flags); | ||
36 | } | ||
37 | |||
38 | int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags) { | ||
39 | return syscall(__NR_landlock_add_rule,fd,t,attr,flags); | ||
40 | } | ||
41 | |||
42 | int landlock_restrict_self(int fd,__u32 flags) { | ||
43 | prctl(PR_SET_NO_NEW_PRIVS,1,0,0,0); | ||
44 | int result = syscall(__NR_landlock_restrict_self,fd,flags); | ||
45 | if (result!=0) return result; | ||
46 | else { | ||
47 | close(fd); | ||
48 | return 0; | ||
49 | } | ||
50 | } | ||
51 | |||
52 | int create_full_ruleset() { | ||
53 | struct landlock_ruleset_attr attr; | ||
54 | attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM | LANDLOCK_ACCESS_FS_EXECUTE; | ||
55 | return landlock_create_ruleset(&attr,sizeof(attr),0); | ||
56 | } | ||
57 | |||
58 | int add_read_access_rule_by_path(int rset_fd,char *allowed_path) { | ||
59 | int result; | ||
60 | int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC); | ||
61 | struct landlock_path_beneath_attr target; | ||
62 | target.parent_fd = allowed_fd; | ||
63 | target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR; | ||
64 | result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0); | ||
65 | close(allowed_fd); | ||
66 | return result; | ||
67 | } | ||
68 | |||
69 | int add_write_access_rule_by_path(int rset_fd,char *allowed_path) { | ||
70 | int result; | ||
71 | int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC); | ||
72 | struct landlock_path_beneath_attr target; | ||
73 | target.parent_fd = allowed_fd; | ||
74 | target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SYM; | ||
75 | result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0); | ||
76 | close(allowed_fd); | ||
77 | return result; | ||
78 | } | ||
79 | |||
80 | int add_create_special_rule_by_path(int rset_fd,char *allowed_path) { | ||
81 | int result; | ||
82 | int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC); | ||
83 | struct landlock_path_beneath_attr target; | ||
84 | target.parent_fd = allowed_fd; | ||
85 | target.allowed_access = LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK; | ||
86 | result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0); | ||
87 | close(allowed_fd); | ||
88 | return result; | ||
89 | } | ||
90 | |||
91 | int add_execute_rule_by_path(int rset_fd,char *allowed_path) { | ||
92 | int result; | ||
93 | int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC); | ||
94 | struct landlock_path_beneath_attr target; | ||
95 | target.parent_fd = allowed_fd; | ||
96 | target.allowed_access = LANDLOCK_ACCESS_FS_EXECUTE; | ||
97 | result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0); | ||
98 | close(allowed_fd); | ||
99 | return result; | ||
100 | } | ||
101 | #endif | ||
diff --git a/src/firejail/main.c b/src/firejail/main.c index 1daf0da35..12c2cf02b 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -81,11 +81,6 @@ int arg_seccomp_postexec = 0; // need postexec ld.preload library? | |||
81 | int arg_seccomp_block_secondary = 0; // block any secondary architectures | 81 | int arg_seccomp_block_secondary = 0; // block any secondary architectures |
82 | int arg_seccomp_error_action = 0; | 82 | int arg_seccomp_error_action = 0; |
83 | 83 | ||
84 | #ifdef HAVE_LANDLOCK | ||
85 | int arg_landlock = -1; // Landlock ruleset file descriptor (-1 if it doesn't exist) | ||
86 | int arg_landlock_proc = 0; // Landlock rule for accessing /proc (0 for no access, 1 for read-only and 2 for read-write) | ||
87 | #endif | ||
88 | |||
89 | int arg_caps_default_filter = 0; // enable default capabilities filter | 84 | int arg_caps_default_filter = 0; // enable default capabilities filter |
90 | int arg_caps_drop = 0; // drop list | 85 | int arg_caps_drop = 0; // drop list |
91 | int arg_caps_drop_all = 0; // drop all capabilities | 86 | int arg_caps_drop_all = 0; // drop all capabilities |
@@ -829,7 +824,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
829 | // try to join by name only | 824 | // try to join by name only |
830 | pid_t pid; | 825 | pid_t pid; |
831 | if (!read_pid(argv[i] + 16, &pid)) { | 826 | if (!read_pid(argv[i] + 16, &pid)) { |
832 | |||
833 | join(pid, argc, argv, i + 1); | 827 | join(pid, argc, argv, i + 1); |
834 | exit(0); | 828 | exit(0); |
835 | } | 829 | } |
@@ -848,6 +842,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
848 | exit(1); | 842 | exit(1); |
849 | } | 843 | } |
850 | 844 | ||
845 | if (argc <= (i+1)) | ||
846 | just_run_the_shell = 1; | ||
847 | cfg.original_program_index = i + 1; | ||
848 | |||
851 | // join sandbox by pid or by name | 849 | // join sandbox by pid or by name |
852 | pid_t pid = require_pid(argv[i] + 15); | 850 | pid_t pid = require_pid(argv[i] + 15); |
853 | join(pid, argc, argv, i + 1); | 851 | join(pid, argc, argv, i + 1); |
@@ -865,6 +863,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
865 | exit(1); | 863 | exit(1); |
866 | } | 864 | } |
867 | 865 | ||
866 | if (argc <= (i+1)) | ||
867 | just_run_the_shell = 1; | ||
868 | cfg.original_program_index = i + 1; | ||
869 | |||
868 | // join sandbox by pid or by name | 870 | // join sandbox by pid or by name |
869 | pid_t pid = require_pid(argv[i] + 18); | 871 | pid_t pid = require_pid(argv[i] + 18); |
870 | join(pid, argc, argv, i + 1); | 872 | join(pid, argc, argv, i + 1); |
@@ -1407,82 +1409,6 @@ int main(int argc, char **argv, char **envp) { | |||
1407 | else | 1409 | else |
1408 | exit_err_feature("seccomp"); | 1410 | exit_err_feature("seccomp"); |
1409 | } | 1411 | } |
1410 | #ifdef HAVE_LANDLOCK | ||
1411 | else if (strcmp(argv[i], "--landlock") == 0) { | ||
1412 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
1413 | const char *home_dir = env_get("HOME"); | ||
1414 | int home_fd = open(home_dir,O_PATH | O_CLOEXEC); | ||
1415 | struct landlock_path_beneath_attr target; | ||
1416 | target.parent_fd = home_fd; | ||
1417 | target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SYM; | ||
1418 | if (landlock_add_rule(arg_landlock,LANDLOCK_RULE_PATH_BENEATH,&target,0)) { | ||
1419 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1420 | } | ||
1421 | close(home_fd); | ||
1422 | if (add_read_access_rule_by_path(arg_landlock, "/bin/")) { | ||
1423 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1424 | } | ||
1425 | if (add_execute_rule_by_path(arg_landlock, "/bin/")) { | ||
1426 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1427 | } | ||
1428 | if (add_read_access_rule_by_path(arg_landlock, "/dev/")) { | ||
1429 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1430 | } | ||
1431 | if (add_read_access_rule_by_path(arg_landlock, "/etc/")) { | ||
1432 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1433 | } | ||
1434 | if (add_read_access_rule_by_path(arg_landlock, "/lib/")) { | ||
1435 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1436 | } | ||
1437 | if (add_execute_rule_by_path(arg_landlock, "/lib/")) { | ||
1438 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1439 | } | ||
1440 | if (add_read_access_rule_by_path(arg_landlock, "/opt/")) { | ||
1441 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1442 | } | ||
1443 | if (add_execute_rule_by_path(arg_landlock, "/opt/")) { | ||
1444 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1445 | } | ||
1446 | if (add_read_access_rule_by_path(arg_landlock, "/usr/")) { | ||
1447 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1448 | } | ||
1449 | if (add_execute_rule_by_path(arg_landlock, "/usr/")) { | ||
1450 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1451 | } | ||
1452 | if (add_read_access_rule_by_path(arg_landlock, "/var/")) { | ||
1453 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1454 | } | ||
1455 | } | ||
1456 | else if (strncmp(argv[i], "--landlock.proc=", 16) == 0) { | ||
1457 | if (strncmp(argv[i]+16, "no", 2) == 0) arg_landlock_proc = 0; | ||
1458 | else if (strncmp(argv[i]+16, "ro", 2) == 0) arg_landlock_proc = 1; | ||
1459 | else if (strncmp(argv[i]+16, "rw", 2) == 0) arg_landlock_proc = 2; | ||
1460 | } | ||
1461 | else if (strncmp(argv[i], "--landlock.read=", 16) == 0) { | ||
1462 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
1463 | if (add_read_access_rule_by_path(arg_landlock, argv[i]+16)) { | ||
1464 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1465 | } | ||
1466 | } | ||
1467 | else if (strncmp(argv[i], "--landlock.write=", 17) == 0) { | ||
1468 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
1469 | if (add_write_access_rule_by_path(arg_landlock, argv[i]+17)) { | ||
1470 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1471 | } | ||
1472 | } | ||
1473 | else if (strncmp(argv[i], "--landlock.special=", 17) == 0) { | ||
1474 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
1475 | if (add_create_special_rule_by_path(arg_landlock, argv[i]+17)) { | ||
1476 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1477 | } | ||
1478 | } | ||
1479 | else if (strncmp(argv[i], "--landlock.execute=", 19) == 0) { | ||
1480 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
1481 | if (add_execute_rule_by_path(arg_landlock, argv[i]+19)) { | ||
1482 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1483 | } | ||
1484 | } | ||
1485 | #endif | ||
1486 | else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) { | 1412 | else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) { |
1487 | if (checkcfg(CFG_SECCOMP)) | 1413 | if (checkcfg(CFG_SECCOMP)) |
1488 | arg_memory_deny_write_execute = 1; | 1414 | arg_memory_deny_write_execute = 1; |
@@ -3301,7 +3227,7 @@ int main(int argc, char **argv, char **envp) { | |||
3301 | errExit("setresuid"); | 3227 | errExit("setresuid"); |
3302 | 3228 | ||
3303 | char arg[64]; | 3229 | char arg[64]; |
3304 | snprintf(arg, sizeof(arg), "--netlock=%d", getpid()); | 3230 | snprintf(arg, sizeof(arg), "--netlock=%d", sandbox_pid); |
3305 | 3231 | ||
3306 | char *cmd[3]; | 3232 | char *cmd[3]; |
3307 | cmd[0] = BINDIR "/firejail"; | 3233 | cmd[0] = BINDIR "/firejail"; |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 9f677c11d..641bb09b1 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -1047,90 +1047,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1047 | return 0; | 1047 | return 0; |
1048 | } | 1048 | } |
1049 | 1049 | ||
1050 | #ifdef HAVE_LANDLOCK | ||
1051 | // Landlock ruleset paths | ||
1052 | if (strcmp(ptr, "landlock") == 0) { | ||
1053 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
1054 | const char *home_dir = env_get("HOME"); | ||
1055 | int home_fd = open(home_dir,O_PATH | O_CLOEXEC); | ||
1056 | struct landlock_path_beneath_attr target; | ||
1057 | target.parent_fd = home_fd; | ||
1058 | target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SYM; | ||
1059 | if (landlock_add_rule(arg_landlock,LANDLOCK_RULE_PATH_BENEATH,&target,0)) { | ||
1060 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1061 | } | ||
1062 | close(home_fd); | ||
1063 | if (add_read_access_rule_by_path(arg_landlock, "/bin/")) { | ||
1064 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1065 | } | ||
1066 | if (add_execute_rule_by_path(arg_landlock, "/bin/")) { | ||
1067 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1068 | } | ||
1069 | if (add_read_access_rule_by_path(arg_landlock, "/dev/")) { | ||
1070 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1071 | } | ||
1072 | if (add_read_access_rule_by_path(arg_landlock, "/etc/")) { | ||
1073 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1074 | } | ||
1075 | if (add_read_access_rule_by_path(arg_landlock, "/lib/")) { | ||
1076 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1077 | } | ||
1078 | if (add_execute_rule_by_path(arg_landlock, "/lib/")) { | ||
1079 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1080 | } | ||
1081 | if (add_read_access_rule_by_path(arg_landlock, "/opt/")) { | ||
1082 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1083 | } | ||
1084 | if (add_execute_rule_by_path(arg_landlock, "/opt/")) { | ||
1085 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1086 | } | ||
1087 | if (add_read_access_rule_by_path(arg_landlock, "/usr/")) { | ||
1088 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1089 | } | ||
1090 | if (add_execute_rule_by_path(arg_landlock, "/usr/")) { | ||
1091 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1092 | } | ||
1093 | if (add_read_access_rule_by_path(arg_landlock, "/var/")) { | ||
1094 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1095 | } | ||
1096 | return 0; | ||
1097 | } | ||
1098 | if (strncmp(ptr, "landlock.proc ", 14) == 0) { | ||
1099 | if (strncmp(ptr+14, "no", 2) == 0) arg_landlock_proc = 0; | ||
1100 | else if (strncmp(ptr+14, "ro", 2) == 0) arg_landlock_proc = 1; | ||
1101 | else if (strncmp(ptr+14, "rw", 2) == 0) arg_landlock_proc = 2; | ||
1102 | return 0; | ||
1103 | } | ||
1104 | if (strncmp(ptr, "landlock.read ", 14) == 0) { | ||
1105 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
1106 | if (add_read_access_rule_by_path(arg_landlock, ptr+14)) { | ||
1107 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1108 | } | ||
1109 | return 0; | ||
1110 | } | ||
1111 | if (strncmp(ptr, "landlock.write ", 15) == 0) { | ||
1112 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
1113 | if (add_write_access_rule_by_path(arg_landlock, ptr+15)) { | ||
1114 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1115 | } | ||
1116 | return 0; | ||
1117 | } | ||
1118 | if (strncmp(ptr, "landlock.special ", 26) == 0) { | ||
1119 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
1120 | if (add_create_special_rule_by_path(arg_landlock, ptr+26)) { | ||
1121 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1122 | } | ||
1123 | return 0; | ||
1124 | } | ||
1125 | if (strncmp(ptr, "landlock.execute ", 17) == 0) { | ||
1126 | if (arg_landlock == -1) arg_landlock = create_full_ruleset(); | ||
1127 | if (add_execute_rule_by_path(arg_landlock, ptr+17)) { | ||
1128 | fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n"); | ||
1129 | } | ||
1130 | return 0; | ||
1131 | } | ||
1132 | #endif | ||
1133 | |||
1134 | // memory deny write&execute | 1050 | // memory deny write&execute |
1135 | if (strcmp(ptr, "memory-deny-write-execute") == 0) { | 1051 | if (strcmp(ptr, "memory-deny-write-execute") == 0) { |
1136 | if (checkcfg(CFG_SECCOMP)) | 1052 | if (checkcfg(CFG_SECCOMP)) |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 5fcccbd92..9299268a3 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -488,7 +488,6 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) { | |||
488 | #ifdef HAVE_APPARMOR | 488 | #ifdef HAVE_APPARMOR |
489 | set_apparmor(); | 489 | set_apparmor(); |
490 | #endif | 490 | #endif |
491 | |||
492 | close_file_descriptors(); | 491 | close_file_descriptors(); |
493 | 492 | ||
494 | // set nice and rlimits | 493 | // set nice and rlimits |
@@ -510,16 +509,6 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) { | |||
510 | printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD")); | 509 | printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD")); |
511 | } | 510 | } |
512 | 511 | ||
513 | #ifdef HAVE_LANDLOCK | ||
514 | // set Landlock | ||
515 | if (arg_landlock >= 0) { | ||
516 | if (landlock_restrict_self(arg_landlock,0)) { | ||
517 | fprintf(stderr,"An error has occured while enabling Landlock self-restriction. Exiting...\n"); | ||
518 | exit(1); // it isn't safe to continue if Landlock self-restriction was enabled and the "landlock_restrict_self" syscall has failed | ||
519 | } | ||
520 | } | ||
521 | #endif | ||
522 | |||
523 | if (just_run_the_shell) { | 512 | if (just_run_the_shell) { |
524 | char *arg[2]; | 513 | char *arg[2]; |
525 | arg[0] = cfg.usershell; | 514 | arg[0] = cfg.usershell; |
@@ -1010,15 +999,6 @@ int sandbox(void* sandbox_arg) { | |||
1010 | fs_proc_sys_dev_boot(); | 999 | fs_proc_sys_dev_boot(); |
1011 | 1000 | ||
1012 | //**************************** | 1001 | //**************************** |
1013 | // Allow access to /proc | ||
1014 | //**************************** | ||
1015 | #ifdef HAVE_LANDLOCK | ||
1016 | if (arg_landlock>-1) { | ||
1017 | if (arg_landlock_proc >= 1) add_read_access_rule_by_path(arg_landlock, "/proc/"); | ||
1018 | if (arg_landlock_proc == 2) add_write_access_rule_by_path(arg_landlock, "/proc/"); | ||
1019 | } | ||
1020 | #endif | ||
1021 | //**************************** | ||
1022 | // handle /mnt and /media | 1002 | // handle /mnt and /media |
1023 | //**************************** | 1003 | //**************************** |
1024 | if (checkcfg(CFG_DISABLE_MNT)) | 1004 | if (checkcfg(CFG_DISABLE_MNT)) |
@@ -1113,12 +1093,9 @@ int sandbox(void* sandbox_arg) { | |||
1113 | //**************************** | 1093 | //**************************** |
1114 | // rebuild etc directory, set dns | 1094 | // rebuild etc directory, set dns |
1115 | //**************************** | 1095 | //**************************** |
1116 | if (!arg_writable_etc){ | 1096 | if (!arg_writable_etc) |
1117 | fs_rebuild_etc(); | 1097 | fs_rebuild_etc(); |
1118 | #ifdef HAVE_LANDLOCK | 1098 | |
1119 | if (arg_landlock>-1) add_read_access_rule_by_path(arg_landlock, "/etc/"); | ||
1120 | #endif | ||
1121 | } | ||
1122 | //**************************** | 1099 | //**************************** |
1123 | // start dhcp client | 1100 | // start dhcp client |
1124 | //**************************** | 1101 | //**************************** |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index e0751ef5c..e11081eed 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -122,12 +122,6 @@ static char *usage_str = | |||
122 | " --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n" | 122 | " --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n" |
123 | " --keep-fd - inherit open file descriptors to sandbox.\n" | 123 | " --keep-fd - inherit open file descriptors to sandbox.\n" |
124 | " --keep-var-tmp - /var/tmp directory is untouched.\n" | 124 | " --keep-var-tmp - /var/tmp directory is untouched.\n" |
125 | " --landlock - add basic rules to the Landlock ruleset.\n" | ||
126 | " --landlock.proc=no|ro|rw - add an access rule for /proc to the Landlock ruleset.\n" | ||
127 | " --landlock.read=path - add a read access rule for the path to the Landlock ruleset.\n" | ||
128 | " --landlock.write=path - add a write access rule for the path to the Landlock ruleset.\n" | ||
129 | " --landlock.special=path - add an access rule for creating FIFO pipes, Unix domain sockets and block devices for the path to the Landlock ruleset.\n" | ||
130 | " --landlock.execute=path - add an execution-permitting rule for the path to the Landlock ruleset.\n" | ||
131 | " --list - list all sandboxes.\n" | 125 | " --list - list all sandboxes.\n" |
132 | #ifdef HAVE_FILE_TRANSFER | 126 | #ifdef HAVE_FILE_TRANSFER |
133 | " --ls=name|pid dir_or_filename - list files in sandbox container.\n" | 127 | " --ls=name|pid dir_or_filename - list files in sandbox container.\n" |
diff --git a/src/firejail/util.c b/src/firejail/util.c index b6a7ca08c..a01290cf2 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -1338,10 +1338,6 @@ void close_all(int *keep_list, size_t sz) { | |||
1338 | if (keep) | 1338 | if (keep) |
1339 | continue; | 1339 | continue; |
1340 | 1340 | ||
1341 | // don't close the file descriptor of the Landlock ruleset -- it will be automatically closed by the landlock_restrict_self wrapper function | ||
1342 | #ifdef HAVE_LANDLOCK | ||
1343 | if (fd == arg_landlock) continue; | ||
1344 | #endif | ||
1345 | close(fd); | 1341 | close(fd); |
1346 | } | 1342 | } |
1347 | closedir(dir); | 1343 | closedir(dir); |
diff --git a/src/fnettrace/static-ip-map b/src/fnettrace/static-ip-map index 97bed7a1f..d1ce29dac 100644 --- a/src/fnettrace/static-ip-map +++ b/src/fnettrace/static-ip-map | |||
@@ -33,6 +33,11 @@ | |||
33 | # | 33 | # |
34 | # | 34 | # |
35 | 35 | ||
36 | # | ||
37 | # The following list of addresses was compiled from various public sources. | ||
38 | # | ||
39 | |||
40 | |||
36 | # local network addresses | 41 | # local network addresses |
37 | 192.168.0.0/16 local network | 42 | 192.168.0.0/16 local network |
38 | 10.0.0.0/8 local network | 43 | 10.0.0.0/8 local network |
@@ -81,19 +86,89 @@ | |||
81 | 201.159.220.0/22 whois.lacnic.net Ecuador | 86 | 201.159.220.0/22 whois.lacnic.net Ecuador |
82 | 87 | ||
83 | # some popular websites | 88 | # some popular websites |
89 | 23.160.0.0/24 Twitch | ||
90 | 23.246.0.0/18, Netflix | ||
84 | 31.13.24.0/21 Facebook | 91 | 31.13.24.0/21 Facebook |
85 | 31.13.64.0/18 Facebook | 92 | 31.13.64.0/18 Facebook |
93 | 37.77.184.0/21 Netflix | ||
94 | 45.57.0.0/17 Netflix | ||
95 | 45.58.64.0/20 Dropbox | ||
96 | 45.113.128.0/22 Twitch | ||
97 | 52.223.192.0/18 Twitch | ||
98 | 63.245.208.0/23 Mozilla | ||
86 | 64.63.0.0/18 Twitter | 99 | 64.63.0.0/18 Twitter |
100 | 64.112.13.0/24 Dropbox | ||
101 | 64.120.128.0/17 Netflix | ||
102 | 66.197.128.0/17 Netflix | ||
103 | 69.53.224.0/19 Netflix | ||
87 | 69.171.224.0/19 Facebook | 104 | 69.171.224.0/19 Facebook |
105 | 91.105.192.0/23 Telegram | ||
106 | 91.108.4.0/22 Telegram | ||
107 | 91.108.8.0/21 Telegram | ||
108 | 91.108.16.0/21 Telegram | ||
109 | 91.108.56.0/22 Telegram | ||
110 | 91.189.88.0/24 Ubuntu One | ||
111 | 91.189.90.0/23 Ubuntu One | ||
112 | 91.189.92.0/23 Ubuntu One | ||
113 | 91.189.94.0/24 Ubuntu One | ||
114 | 95.161.64.0/20 Telegram | ||
115 | 99.181.64.0/18 Twitch | ||
116 | 103.53.48.0/23 Twitch | ||
88 | 104.244.40.0/21 Twitter | 117 | 104.244.40.0/21 Twitter |
89 | 129.134.0.0/16 Facebook | 118 | 129.134.0.0/16 Facebook |
90 | 140.82.112.0/20 GitHub | 119 | 140.82.112.0/20 GitHub |
120 | 103.10.124.0/23 Steam | ||
121 | 103.28.54.0/24 Steam | ||
122 | 108.160.160.0/20 Dropbox | ||
123 | 108.175.32.0/20 Netflix | ||
124 | 143.55.64.0/20 Github | ||
125 | 146.66.152.0/24 Steam | ||
126 | 146.66.155.0/24 Steam | ||
127 | 149.154.160.0/20 Telegram | ||
128 | 153.254.86.0/24 Steam | ||
129 | 155.133.224.0/22 Steam | ||
130 | 155.133.230.0/24 Steam | ||
131 | 155.133.232.0/23 Steam | ||
132 | 155.133.234.0/24 Steam | ||
133 | 155.133.236.0/22 Steam | ||
134 | 155.133.240.0/23 Steam | ||
135 | 155.133.245.0/24 Steam | ||
136 | 155.133.246.0/24 Steam | ||
137 | 155.133.248.0/21 Steam | ||
91 | 157.240.0.0/16 Facebook | 138 | 157.240.0.0/16 Facebook |
139 | 162.125.0.0/16 Dropbox | ||
140 | 162.213.32.0/22 Ubuntu One | ||
141 | 162.254.192.0/21 Steam | ||
142 | 185.2.220.0/22 Netflix | ||
143 | 185.9.188.0/22 Netflix | ||
144 | 185.25.182.0/23 Steam | ||
145 | 185.42.204.0/22 Twitch | ||
146 | 185.45.8.0/22 Dropbox | ||
147 | 185.76.151.0/24 Telegram | ||
148 | 185.105.164.0/24 Dropbox | ||
149 | 185.125.188.0/22 Ubuntu One | ||
92 | 185.199.108.0/22 GitHub | 150 | 185.199.108.0/22 GitHub |
93 | 188.64.224.0/21 Twitter | 151 | 188.64.224.0/21 Twitter |
152 | 190.217.33.0/24 Steam | ||
94 | 192.0.64.0/18 Wordpress | 153 | 192.0.64.0/18 Wordpress |
154 | 192.16.64.0/21 Twitch | ||
155 | 192.30.252.0/22 GitHub | ||
156 | 192.69.96.0/22 Steam | ||
157 | 192.108.239.0/24 Twitch | ||
158 | 192.173.64.0/18 Netflix | ||
159 | 192.189.200.0/23 Dropbox | ||
160 | 194.169.254.0/24 Ubuntu One | ||
161 | 198.38.96.0/19 Netflix | ||
162 | 198.45.48.0/20 Netflix | ||
163 | 199.9.248.0/21 Twitch | ||
95 | 199.16.156.0/22 Twitter | 164 | 199.16.156.0/22 Twitter |
96 | 199.59.148.0/22 Twitter | 165 | 199.59.148.0/22 Twitter |
166 | 205.185.194.0/24 Steam | ||
167 | 205.196.6.0/24 Steam | ||
168 | 207.45.72.0/22 Netflix | ||
169 | 208.64.200.0/22 Steam | ||
170 | 208.75.76.0/22 Netflix | ||
171 | 208.78.164.0/22 Steam | ||
97 | 208.80.152.0/22 Wikipedia | 172 | 208.80.152.0/22 Wikipedia |
98 | 173 | ||
99 | # StackPath | 174 | # StackPath |
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 1f543980e..138aae8af 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -497,35 +497,6 @@ Blacklist all Linux capabilities. | |||
497 | .TP | 497 | .TP |
498 | \fBcaps.keep capability,capability,capability | 498 | \fBcaps.keep capability,capability,capability |
499 | Whitelist given Linux capabilities. | 499 | Whitelist given Linux capabilities. |
500 | #ifdef HAVE_LANDLOCK | ||
501 | .TP | ||
502 | \fBlandlock | ||
503 | Create a Landlock ruleset (if it doesn't already exist) and add basic access rules to it. | ||
504 | .br | ||
505 | .TP | ||
506 | \fBlandlock.proc no|ro|rw | ||
507 | Add an access rule for /proc directory (read-only if set to \fBro\fR and read-write if set to \fBrw\fR). The access rule for /proc is added after this directory is set up in the sandbox. Access rules for /proc set up with other Landlock-related profile options have no effect. | ||
508 | .br | ||
509 | .TP | ||
510 | \fBlandlock.read path | ||
511 | Create a Landlock ruleset (if it doesn't already exist) and add a read access rule for path. | ||
512 | .br | ||
513 | |||
514 | .TP | ||
515 | \fBlandlock.write path | ||
516 | Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. | ||
517 | .br | ||
518 | |||
519 | .TP | ||
520 | \fBlandlock.special path | ||
521 | Create a Landlock ruleset (if it doesn't already exist) and add an access rule for creation of FIFO pipes, Unix-domain sockets and block devices beneath given path. | ||
522 | .br | ||
523 | |||
524 | .TP | ||
525 | \fBlandlock.execute path | ||
526 | Create a Landlock ruleset (if it doesn't already exist) and add an execution permission rule for path. | ||
527 | .br | ||
528 | #endif | ||
529 | .TP | 500 | .TP |
530 | \fBmemory-deny-write-execute | 501 | \fBmemory-deny-write-execute |
531 | Install a seccomp filter to block attempts to create memory mappings | 502 | Install a seccomp filter to block attempts to create memory mappings |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 0b78203d7..82eea3977 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -193,7 +193,7 @@ Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR | |||
193 | .br | 193 | .br |
194 | Symbolic link handling: Blacklisting a path that is a symbolic link will also | 194 | Symbolic link handling: Blacklisting a path that is a symbolic link will also |
195 | blacklist the path that it points to. | 195 | blacklist the path that it points to. |
196 | For example, if ~/foo is blacklisted and it points to /foo, then /foo will also | 196 | For example, if ~/foo is blacklisted and it points to /bar, then /bar will also |
197 | be blacklisted. | 197 | be blacklisted. |
198 | .br | 198 | .br |
199 | 199 | ||
@@ -330,6 +330,11 @@ $ firejail \-\-chroot=/media/ubuntu warzone2100 | |||
330 | .br | 330 | .br |
331 | For automatic mounting of X11 and PulseAudio sockets set environment variables | 331 | For automatic mounting of X11 and PulseAudio sockets set environment variables |
332 | FIREJAIL_CHROOT_X11 and FIREJAIL_CHROOT_PULSE. | 332 | FIREJAIL_CHROOT_X11 and FIREJAIL_CHROOT_PULSE. |
333 | .br | ||
334 | |||
335 | .br | ||
336 | Note: Support for this command is controlled in firejail.config with the | ||
337 | \fBchroot\fR option. | ||
333 | #endif | 338 | #endif |
334 | .TP | 339 | .TP |
335 | \fB\-\-cpu=cpu-number,cpu-number,cpu-number | 340 | \fB\-\-cpu=cpu-number,cpu-number,cpu-number |
@@ -1151,41 +1156,6 @@ Example: | |||
1151 | .br | 1156 | .br |
1152 | $ firejail --keep-var-tmp | 1157 | $ firejail --keep-var-tmp |
1153 | 1158 | ||
1154 | #ifdef HAVE_LANDLOCK | ||
1155 | .TP | ||
1156 | \fB\-\-landlock | ||
1157 | Create a Landlock ruleset (if it doesn't already exist) and add basic access rules to it. See \fBLANDLOCK\fR section for more information. | ||
1158 | .br | ||
1159 | .TP | ||
1160 | \fB\-\-landlock.proc=no|ro|rw | ||
1161 | Add an access rule for /proc directory (read-only if set to \fBro\fR and read-write if set to \fBrw\fR). The access rule for /proc is added after this directory is set up in the sandbox. Access rules for /proc set up with other Landlock-related command-line options have no effect. | ||
1162 | .br | ||
1163 | .TP | ||
1164 | \fB\-\-landlock.read=path | ||
1165 | Create a Landlock ruleset (if it doesn't already exist) and add a read access rule for path. | ||
1166 | .br | ||
1167 | |||
1168 | .TP | ||
1169 | \fB\-\-landlock.write=path | ||
1170 | Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. | ||
1171 | .br | ||
1172 | |||
1173 | .TP | ||
1174 | \fB\-\-landlock.special=path | ||
1175 | Create a Landlock ruleset (if it doesn't already exist) and add a permission rule to create FIFO pipes, Unix domain sockets and block devices beneath given path. | ||
1176 | .br | ||
1177 | |||
1178 | .TP | ||
1179 | \fB\-\-landlock.execute=path | ||
1180 | Create a Landlock ruleset (if it doesn't already exist) and add an execution permission rule for path. | ||
1181 | .br | ||
1182 | |||
1183 | .br | ||
1184 | Example: | ||
1185 | .br | ||
1186 | $ firejail \-\-landlock.read=/ \-\-landlock.write=/home \-\-landlock.execute=/usr | ||
1187 | #endif | ||
1188 | |||
1189 | .TP | 1159 | .TP |
1190 | \fB\-\-list | 1160 | \fB\-\-list |
1191 | List all sandboxes, see \fBMONITORING\fR section for more details. | 1161 | List all sandboxes, see \fBMONITORING\fR section for more details. |
@@ -1303,7 +1273,6 @@ $ firejail --list | |||
1303 | .br | 1273 | .br |
1304 | 1312:netblue:browser-1312:firejail --name=browser --private firefox --no-remote | 1274 | 1312:netblue:browser-1312:firejail --name=browser --private firefox --no-remote |
1305 | .br | 1275 | .br |
1306 | |||
1307 | #ifdef HAVE_NETWORK | 1276 | #ifdef HAVE_NETWORK |
1308 | .TP | 1277 | .TP |
1309 | \fB\-\-net=bridge_interface | 1278 | \fB\-\-net=bridge_interface |
@@ -2166,6 +2135,9 @@ $ ps | |||
2166 | $ | 2135 | $ |
2167 | .br | 2136 | .br |
2168 | 2137 | ||
2138 | .br | ||
2139 | Note: Support for this command is controlled in firejail.config with the | ||
2140 | \fBprivate-lib\fR option. | ||
2169 | .TP | 2141 | .TP |
2170 | \fB\-\-private-opt=file,directory | 2142 | \fB\-\-private-opt=file,directory |
2171 | Build a new /opt in a temporary | 2143 | Build a new /opt in a temporary |
@@ -2873,6 +2845,11 @@ Dec 3 11:43:25 debian firejail[70]: blacklist violation - sandbox 26370, exe fi | |||
2873 | Dec 3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall opendir, path /boot | 2845 | Dec 3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall opendir, path /boot |
2874 | .br | 2846 | .br |
2875 | [...] | 2847 | [...] |
2848 | .br | ||
2849 | |||
2850 | .br | ||
2851 | Note: Support for this command is controlled in firejail.config with the | ||
2852 | \fBtracelog\fR option. | ||
2876 | .TP | 2853 | .TP |
2877 | \fB\-\-tree | 2854 | \fB\-\-tree |
2878 | Print a tree of all sandboxed processes, see \fBMONITORING\fR section for more details. | 2855 | Print a tree of all sandboxed processes, see \fBMONITORING\fR section for more details. |
@@ -3237,34 +3214,7 @@ To enable AppArmor confinement on top of your current Firejail security features | |||
3237 | .br | 3214 | .br |
3238 | $ firejail --apparmor firefox | 3215 | $ firejail --apparmor firefox |
3239 | #endif | 3216 | #endif |
3240 | #ifdef HAVE_LANDLOCK | ||
3241 | .SH LANDLOCK | ||
3242 | .TP | ||
3243 | Landlock is a Linux security module first introduced in the 5.13 version of Linux kernel. It allows unprivileged processes to restrict their access to the filesystem. Once imposed, these restrictions can never be removed, and all child processes created by a Landlock-restricted processes inherit these restrictions. Firejail supports Landlock as an additional sandboxing feature. It can be used to ensure that a sandboxed application can only access files and directories that it was explicitly allowed to access. Firejail supports populating the ruleset with both basic set of rules and with custom set of rules. Basic set of rules allows read-only access to /bin, /dev, /etc, /lib, /opt, /proc, /usr and /var, read-write access to the home directory, and allows execution of binaries located in /bin, /opt and /usr. | ||
3244 | .br | ||
3245 | |||
3246 | .TP | ||
3247 | Important notes: | ||
3248 | .br | ||
3249 | 3217 | ||
3250 | .br | ||
3251 | - A process can install a Landlock ruleset only if it has either \fBCAP_SYS_ADMIN\fR in its effective capability set, or the "No New Privileges" restriction enabled. Because of this, enabling the Landlock feature will also cause Firejail to enable the "No New Privileges" restriction, regardless of the profile or the \fB\-\-no\-new\-privs\fR command line option. | ||
3252 | .br | ||
3253 | |||
3254 | .br | ||
3255 | - Access to the /proc directory is managed through the \fB\-\-landlock.proc\fR command line option. | ||
3256 | |||
3257 | .br | ||
3258 | - Access to the /etc directory is automatically allowed. To override this, use the \fB\-\-writable\-etc\fR command line option. You can also use the \fB\-\-private\-etc\fR option to restrict access to the /etc directory. | ||
3259 | .br | ||
3260 | |||
3261 | .TP | ||
3262 | To enable Landlock self-restriction on top of your current Firejail security features, pass \fB\-\-landlock\fR flag to Firejail command line. You can also use \fB\-\-landlock.read\fR, \fB\-\-landlock.write\fR, \fB\-\-landlock.special\fR and \fB\-\-landlock.execute\fR options together with \fB\-\-landlock\fR or instead of it. Example: | ||
3263 | .br | ||
3264 | |||
3265 | .br | ||
3266 | $ firejail --landlock --landlock.read=/media --landlock.proc=ro mc | ||
3267 | #endif | ||
3268 | .SH DESKTOP INTEGRATION | 3218 | .SH DESKTOP INTEGRATION |
3269 | A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. | 3219 | A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. |
3270 | The symbolic link should be placed in the first $PATH position. On most systems, a good place | 3220 | The symbolic link should be placed in the first $PATH position. On most systems, a good place |
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index ed7337762..2b67c2a00 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in | |||
@@ -105,12 +105,6 @@ _firejail_args=( | |||
105 | '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]' | 105 | '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]' |
106 | '--keep-fd[inherit open file descriptors to sandbox]: :' | 106 | '--keep-fd[inherit open file descriptors to sandbox]: :' |
107 | '--keep-var-tmp[/var/tmp directory is untouched]' | 107 | '--keep-var-tmp[/var/tmp directory is untouched]' |
108 | '--landlock[Basic Landlock ruleset]' | ||
109 | '--landlock.proc=-[Access to the /proc directory]: :(no ro rw)' | ||
110 | '--landlock.read=-[Landlock read access rule]: :_files' | ||
111 | '--landlock.write=-[Landlock write access rule]: :_files' | ||
112 | "--landlock.special=-[Landlock access rule for creation of FIFO pipes, sockets and block devices]: :_files" | ||
113 | '--landlock.execute=-[Landlock execution-permitting rule]: :_files' | ||
114 | '--machine-id[spoof /etc/machine-id with a random id]' | 108 | '--machine-id[spoof /etc/machine-id with a random id]' |
115 | '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]' | 109 | '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]' |
116 | '*--mkdir=-[create a directory]:' | 110 | '*--mkdir=-[create a directory]:' |