| Commit message | Author | Age |
There are reports of firejail sandboxed applications occasionally
taking a long time (12 seconds) to start up. When this happens, it
affects all sandboxed applications until the device is rebooted.
The reason for the slowdown seems to be a timing hazard in the way
remounts under /run/firejail are handled. This gets triggered when
multiple firejail processes are launched in parallel as part of user
session bring up and results in some, dozens, hundreds, or even
thousands of stray /run/firejail/xxx mounts. The number of mount
points then affects every mount operation that is done during sandbox
filesystem construction.
To stop this from happening, arrange it so that only one firejail
process at a time is inspecting and/or modifying mountpoints under
/run/firejail by doing:
1. Create /run/firejail directory (without locking)
2. Create and obtain a lock for /run/firejail/firejail-run.lock
3. Set up files, directories and mounts under /run/firejail
4. Release /run/firejail/firejail-run.lock
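
The four-step sequence above, as an added example that is not firejail's own code: an advisory flock(2) on a lock file serializes the critical section across processes, and a forked child shows that a second acquirer is refused while the first holds the lock. The directory /tmp/firejail-lock-demo and its lock file stand in for /run/firejail and /run/firejail/firejail-run.lock; these names, and the functions, are assumptions made for this example.

```c
/* Added example, not firejail's own code: one process at a time inside a
 * critical section, using an exclusive flock(2) on a lock file. Paths and
 * function names are assumptions standing in for /run/firejail and
 * /run/firejail/firejail-run.lock. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define RUN_DIR   "/tmp/firejail-lock-demo"      /* stands in for /run/firejail */
#define LOCK_FILE RUN_DIR "/firejail-run.lock"  /* stands in for firejail-run.lock */

/* Step 1: create the directory without holding any lock (EEXIST is fine). */
static int ensure_run_dir(void) {
	if (mkdir(RUN_DIR, 0755) == -1 && errno != EEXIST)
		return -1;
	return 0;
}

/* Step 2: create the lock file if needed and take an exclusive lock.
 * Returns the fd that holds the lock, or -1 (errno set). With nonblock set,
 * a lock held by another process yields -1 with errno == EWOULDBLOCK. */
int lock_run_dir(int nonblock) {
	if (ensure_run_dir() == -1)
		return -1;
	int fd = open(LOCK_FILE, O_RDWR | O_CREAT | O_CLOEXEC, 0644);
	if (fd == -1)
		return -1;
	if (flock(fd, LOCK_EX | (nonblock ? LOCK_NB : 0)) == -1) {
		int saved = errno;
		close(fd);
		errno = saved;
		return -1;
	}
	return fd;
}

/* Step 4: release the lock and drop the fd. Returns 0 on success. */
int unlock_run_dir(int fd) {
	if (flock(fd, LOCK_UN) == -1)
		return -1;
	return close(fd);
}

/* Demonstrate exclusion: while the parent holds the lock (step 3 would run
 * here), a child opening its own file description must be refused.
 * Returns 1 if the child saw EWOULDBLOCK, 0 if it did not, -1 on error. */
int demo_exclusion(void) {
	int fd = lock_run_dir(0);
	if (fd == -1)
		return -1;
	pid_t pid = fork();
	if (pid == -1) {
		unlock_run_dir(fd);
		return -1;
	}
	if (pid == 0) {
		/* flock locks belong to the open file description, so the inherited
		 * fd shares the parent's lock; close it and contend with a fresh one.
		 * Closing this copy does not release the parent's lock. */
		close(fd);
		int cfd = lock_run_dir(1);
		if (cfd == -1 && errno == EWOULDBLOCK)
			_exit(0);               /* exclusion observed */
		if (cfd != -1)
			unlock_run_dir(cfd);
		_exit(1);
	}
	int status = 0;
	waitpid(pid, &status, 0);
	unlock_run_dir(fd);
	return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

int main(void) {
	int r = demo_exclusion();
	printf("second acquirer refused while lock held: %s\n", r == 1 ? "yes" : "no");
	return r == 1 ? 0 : 1;
}
```

Two points a reviewer would check: the directory is created before the lock is taken because the lock file lives inside it, and the lock is tied to the open file description rather than to the process, so a child that inherits the fd is not excluded unless it opens the file again.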
Changes:
* Centralize flock handling in preproc.c
* Add debug and error logging
* Abort if anything fails
Co-authored-by: Kelvin M. Klann <kmk3.code@protonmail.com>
To enable using them outside of src/firejail/main.c.
Changes:
* Always declare public landlock functions, regardless of
`HAVE_LANDLOCK`
* Make the other public landlock functions (besides `ll_add_profile`)
also be empty when `HAVE_LANDLOCK` is not defined
* Clarify related comments
This amends commit 8259f66e1 ("landlock fix for old kernel versions",
2024-04-06).
For clarity, landlock-common.inc is included by default.profile and the
issue that the aforementioned commit fixes is that if profile.c is built
without the part that parses landlock commands (that is, when
`HAVE_LANDLOCK` is not defined), using default.profile would cause
firejail to abort due to "invalid lines".
Note that the issue would only occur when firejail is built with an
older kernel (or with --disable-landlock), not when simply running on an
older kernel.
See also commit b02a7a337 ("landlock: remove empty functions",
2023-12-07).
Relates to #6078.
Relates to #6078.
As discussed with @topimiettinen[1], it is unlikely that an unprivileged
process would need to directly create block or character devices. Also,
`landlock.special` is not very descriptive of what it allows.
So split `landlock.special` into:
* `landlock.makeipc`: allow creating named pipes and sockets (which are
usually used for inter-process communication)
* `landlock.makedev`: allow creating block and character devices
Misc: The `makedev` name is based on `nodev` from mount(8), which makes
mount not interpret block and character devices. `ipc` was suggested by
@rusty-snake[2].
Relates to #6078.
[1] https://github.com/netblue30/firejail/pull/6078#pullrequestreview-1740569786
[2] https://github.com/netblue30/firejail/pull/6187#issuecomment-1924107294
Unlike the rest of the normal startup output (which goes to stderr), the
version number is being printed to stdout, which makes it harder to
ignore all of firejail's output. Example:
$ firejail --noprofile /usr/bin/true --version 2>/dev/null
firejail version 0.9.73
true (GNU coreutils) 9.4
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Written by Jim Meyering.
So make the normal startup version output go to stderr and keep the
other occurrences (such as in `firejail --version`) going to stdout, to
make it easier to grep things in the output.
Added on commit f019f0ec3 ("Print version on startup for
firejail/firecfg", 2023-05-11) / PR #5829.
Reported by @rusty-snake[1].
[1] https://github.com/netblue30/firejail/issues/6171#issuecomment-1912768721
Changes:
* Move commands from --landlock and --landlock.proc= into
etc/inc/landlock-common.inc
* Remove --landlock and --landlock.proc=
* Add --landlock.enforce
Instead of hard-coding the default commands (and having a separate
command just for /proc), move them into a dedicated profile to make it
easier for users to interact with the entries (view, copy, add ignore
entries, etc).
Only enforce the Landlock commands if --landlock.enforce is supplied.
This allows safely adding Landlock commands to (upstream) profiles while
keeping their enforcement opt-in. It also makes it simpler to
effectively disable all Landlock commands, by using
`--ignore=landlock.enforce`.
Relates to #6078.
The build on Alpine fails due to `__u32` not being defined. It seems
that musl itself does not define it, so linux/types.h would have to be
included (for example, by including linux/landlock.h).
Error from `build_src_package`[1]:
make -C src/firejail/
make[1]: Entering directory '/builds/Firejail/firejail_ci/src/firejail'
gcc [...] -DMOD_DIR='"src/firejail"' [...] -c appimage.c -o appimage.o
In file included from appimage.c:23:
firejail.h:977:17: error: unknown type name '__u32'
977 | int ll_restrict(__u32 flags);
| ^~~~~
make[1]: Leaving directory '/builds/Firejail/firejail_ci/src/firejail'
make[1]: *** [../../src/prog.mk:16: appimage.o] Error 1
make: *** [Makefile:58: src/firejail/firejail] Error 2
This amends commit 13b2c566d ("feature: add Landlock support",
2023-10-24) / PR #6078.
[1] https://gitlab.com/Firejail/firejail_ci/-/jobs/5729692038
Functions with `...` as the first parameter appear to be unsupported in
older versions of gcc, as they fail to compile. Examples:
Error from gcc 9.5.0-1ubuntu1~16.04.sav1 on Ubuntu 16.04:
[...]
In file included from appimage.c:23:
firejail.h:981:27: error: ISO C requires a named argument before ‘...’
981 | static inline int ll_read(...) { return 0; }
| ^~~
Warning from gcc 13.2.1-3 on Artix Linux:
$ ./configure --disable-landlock >/dev/null && make clean >/dev/null &&
make EXTRA_CFLAGS+='-std=c99 -Wpedantic -Wno-error'
[...]
gcc -ggdb -O2 -DVERSION='"0.9.73"' -DMOD_DIR='"src/firejail"' [...]
In file included from appimage.c:23:
firejail.h:982:27: warning: ISO C requires a named argument before ‘...’ before C2X [-Wpedantic]
982 | static inline int ll_read(...) { return 0; }
| ^~~
Fixes #6115.
Relates to #6078.
This amends commit d10bf154a ("landlock: detect support at runtime",
2023-11-06) / PR #6078.
And ignore landlock-related commands if Landlock is unsupported at
runtime.
Apply rules in the sandbox thread before the application is started.
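
Three of the Landlock commits in this log (detect support at runtime and ignore landlock commands when it is absent, apply the rules in the child before the program starts, and split `landlock.special` into `landlock.makeipc` and `landlock.makedev`) fit in one added example. This is not firejail's code: it calls the Landlock syscalls directly, probes the ABI version first, and then, in a forked child, allows FIFO and socket creation (the makeipc class) beneath one directory while never granting block or character device creation (the makedev class). The directories /tmp/ll-demo-allowed and /tmp/ll-demo-other, the function names and the child exit codes are assumptions for illustration.

```c
/* Added example, not firejail's own code: runtime Landlock detection, then a
 * policy enforced in a child granting only the makeipc class (FIFOs, sockets)
 * beneath one directory and never the makedev class (block/char devices).
 * Paths, function names and exit codes are assumptions for illustration. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/sysmacros.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __has_include
#  if __has_include(<linux/landlock.h>)
#    include <linux/landlock.h>
#  endif
#endif

/* Fallback for build hosts whose uapi headers predate Landlock (ABI v1 values).
 * The three syscall numbers are the same on every architecture. */
#ifndef LANDLOCK_CREATE_RULESET_VERSION
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#define LANDLOCK_ACCESS_FS_MAKE_CHAR    (1ULL << 6)
#define LANDLOCK_ACCESS_FS_MAKE_SOCK    (1ULL << 9)
#define LANDLOCK_ACCESS_FS_MAKE_FIFO    (1ULL << 10)
#define LANDLOCK_ACCESS_FS_MAKE_BLOCK   (1ULL << 11)
#define LANDLOCK_RULE_PATH_BENEATH      1
struct landlock_ruleset_attr { unsigned long long handled_access_fs; };
struct landlock_path_beneath_attr {
	unsigned long long allowed_access;
	int parent_fd;
} __attribute__((packed));
#endif
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif

/* Runtime detection: the ABI version (>= 1), or 0 when the kernel lacks or
 * disables Landlock (ENOSYS / EOPNOTSUPP). A sandbox should then skip its
 * landlock.* commands instead of failing. */
int landlock_abi_version(void) {
	long v = syscall(__NR_landlock_create_ruleset, NULL, 0,
	                 LANDLOCK_CREATE_RULESET_VERSION);
	return v < 0 ? 0 : (int)v;
}

/* Runs in the child after fork, as rules are applied before exec: build the
 * ruleset, restrict self, then probe. Exit 0 means the policy held. */
static int child_policy(const char *allowed_dir, const char *other_dir) {
	struct landlock_ruleset_attr attr = { 0 };
	attr.handled_access_fs = LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_SOCK
	                       | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_BLOCK;
	int rs = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
	if (rs < 0) return 2;
	struct landlock_path_beneath_attr rule = { 0 };
	rule.allowed_access = LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_SOCK; /* makeipc only */
	rule.parent_fd = open(allowed_dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
	if (rule.parent_fd < 0) return 3;
	if (syscall(__NR_landlock_add_rule, rs, LANDLOCK_RULE_PATH_BENEATH, &rule, 0) < 0) return 4;
	close(rule.parent_fd);
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) return 5;   /* required before restrict */
	if (syscall(__NR_landlock_restrict_self, rs, 0) < 0) return 6;
	close(rs);

	char p[PATH_MAX];
	snprintf(p, sizeof p, "%s/fifo", allowed_dir);   /* makeipc granted here */
	unlink(p);
	if (mkfifo(p, 0600) < 0) return 7;
	unlink(p);
	snprintf(p, sizeof p, "%s/fifo", other_dir);     /* no rule beneath: denied */
	if (mkfifo(p, 0600) == 0 || errno != EACCES) { unlink(p); return 8; }
	snprintf(p, sizeof p, "%s/null", allowed_dir);   /* makedev never granted: denied */
	if (mknod(p, S_IFCHR | 0600, makedev(1, 3)) == 0 || errno != EACCES) { unlink(p); return 9; }
	return 0;
}

/* Returns 1 if the policy held, 0 if a probe misbehaved, -1 on setup error,
 * -2 if Landlock is unsupported at runtime (the commands would be ignored). */
int demo_makeipc_not_makedev(const char *allowed_dir, const char *other_dir) {
	if (landlock_abi_version() == 0) return -2;
	if ((mkdir(allowed_dir, 0700) < 0 && errno != EEXIST) ||
	    (mkdir(other_dir, 0700) < 0 && errno != EEXIST)) return -1;
	pid_t pid = fork();
	if (pid < 0) return -1;
	if (pid == 0) _exit(child_policy(allowed_dir, other_dir));
	int status;
	if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
	return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void) {
	int r = demo_makeipc_not_makedev("/tmp/ll-demo-allowed", "/tmp/ll-demo-other");
	if (r == -2) { puts("Landlock unsupported at runtime: landlock.* commands would be ignored"); return 0; }
	printf("makeipc allowed, makedev and out-of-tree fifo denied: %s\n", r == 1 ? "yes" : "no");
	return r == 1 ? 0 : 1;
}
```

The restriction is applied in a forked child because landlock_restrict_self is irreversible for the calling process; the parent only reads the exit code. The ruleset handles only the four MAKE_* bits, so reads, writes and unlinks stay unaffected, which is what lets the probe clean up after itself. The char-device attempt is refused by Landlock (EACCES) before the kernel's CAP_MKNOD check, so the result does not depend on whether the process is privileged.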
Based on 5315 by ChrysoliteAzalea.
It is based on the same underlying structure, but with a lot of
refactoring/simplification and with bugfixes and improvements.
Co-authored-by: Kelvin M. Klann <kmk3.code@protonmail.com>
Co-authored-by: Азалия Смарагдова <charming.flurry@yandex.ru>
|
|
|
|
|
|
|
| |
Split print_version into two functions:
* print_version: only prints the version line
* print_version_full: also prints compile-time support
The "invalid_name" function claims to "allow strict ASCII letters and
numbers".
However, it uses isalnum(3) and isdigit(3), which may take the current
locale into account and thus return 1 for non-ASCII characters.
So add the following functions:
* ascii_isalnum
* ascii_isalpha
* ascii_isdigit
* ascii_islower
* ascii_isupper
* ascii_isxdigit
And use the applicable ones in "invalid_name" so that it actually uses
strictly ASCII in its comparisons.
Added on commit b4ffaa207 ("merges; more on cleaning up esc chars",
2023-02-14).
Relates to #5578.
Kind of relates to #5708.
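
The locale point above, as an added example that is not firejail's code: byte-range comparisons on `unsigned char` values cannot be widened by LC_CTYPE, whereas isalnum(3) answers according to the active locale. The validator policy shown here (ASCII letters, digits, `-`, `_` and `.`, non-empty, no leading `-` or `.`) is an assumption made for this example, not firejail's actual rule set, and the function names reuse those listed in the commit only for readability.

```c
/* Added example, not firejail's own code: locale-independent ASCII classes
 * and a name validator built on them. The validator's policy is an
 * assumption for illustration, not firejail's rule set. */
#include <ctype.h>
#include <locale.h>
#include <stddef.h>
#include <stdio.h>

/* Each helper takes an int in unsigned-char range (or EOF) and compares
 * byte ranges directly, so the current locale cannot widen the class. */
int ascii_isdigit(int c)  { return c >= '0' && c <= '9'; }
int ascii_islower(int c)  { return c >= 'a' && c <= 'z'; }
int ascii_isupper(int c)  { return c >= 'A' && c <= 'Z'; }
int ascii_isalpha(int c)  { return ascii_islower(c) || ascii_isupper(c); }
int ascii_isalnum(int c)  { return ascii_isalpha(c) || ascii_isdigit(c); }
int ascii_isxdigit(int c) {
	return ascii_isdigit(c) || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F');
}

/* Returns 1 if name is invalid, 0 if it passes the strict ASCII policy.
 * Bytes are read as unsigned char: passing a negative plain char to the
 * <ctype.h> functions is undefined behaviour, and the same cast keeps bytes
 * >= 0x80 outside every ASCII range above. */
int invalid_name(const char *name) {
	if (name == NULL || name[0] == '\0')
		return 1;
	if (name[0] == '-' || name[0] == '.')   /* no option-like or dotfile-like names */
		return 1;
	for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
		if (ascii_isalnum(*p) || *p == '-' || *p == '_' || *p == '.')
			continue;
		return 1;
	}
	return 0;
}

/* Contrast with isalnum(3): whether byte 0xE9 (Latin-1 e-acute) counts as
 * alphanumeric depends on the active LC_CTYPE, so a check built on it can
 * change meaning with the environment. Returns isalnum's verdict under the
 * named locale, or -1 if that locale is not installed. */
int libc_isalnum_in_locale(const char *locale_name, unsigned char byte) {
	if (setlocale(LC_CTYPE, locale_name) == NULL)
		return -1;
	int r = isalnum(byte) != 0;
	setlocale(LC_CTYPE, "C");
	return r;
}

int main(void) {
	const char *names[] = { "firefox", "caf\xe9", "-rf", "a b", "" };
	for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
		printf("%-10s %s\n", names[i], invalid_name(names[i]) ? "invalid" : "ok");
	return 0;
}
```

The check for a Latin-1 locale is left to the reader because the verdict depends on which locales the host has installed; under the "C" locale both isalnum(3) and ascii_isalnum reject 0xE9, which is exactly the agreement the ASCII helpers guarantee in every locale.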
Follow the same order as on util.c.
Added on commit b4ffaa207 ("merges; more on cleaning up esc chars",
2023-02-14).
Changes:
* Fix spaces being used for indentation in some lines in C
* Remove leading spaces before some goto labels
* Remove leading spaces before the start of some multiline comments
* Change leading spaces to tabs in some multiline macros
* Add missing asterisk to some multiline comments (to match other
multiline comments and because they are false positives in the
commands below)
Note: Leading spaces can be used for alignment (such as in function
parameters and function arguments in C) and for line continuation (such
as in long commands in shell scripts). However, in the above changes
the leading spaces are used for other reasons and do not seem to fit
with the style used.
Commands used to search for errors:
$ git grep -In '^ [^*]' | grep -E -v \
-e '(COPYING|README|RELNOTES|configure(.ac)?):' \
-e '^[^:]+.(md|yml|py):' -e '(bash|zsh)_completion/' \
-e '^contrib/syntax/' -e '^etc/templates/.*\.txt:' -e '^m4/' \
-e '^platform/debian/' -e '^src/man/.*\.txt:' \
-e '.*mkrpm.sh:' -e '.*extract_errnos.sh:'
This fixes #1127.
This allows a user to provide their own zshrc/bashrc inside the jail.
This is very useful when using firejail to develop and prevent bad pip
packages from accessing your system.
feature
To avoid boolean confusion (`no-foo no` / `no-foo yes`) in
firejail.config:
etc-no-blacklisted no
etc-no-blacklisted yes
Commands used to search and replace:
git grep -Ilz -i 'etc.no.blacklisted' -- etc src |
xargs -0 -I '{}' sh -c "printf '%s\n' \"\$(sed \
-e 's/etc-no-blacklisted/etc-hide-blacklisted/' \
-e 's/ETC_NO_BLACKLISTED/ETC_HIDE_BLACKLISTED/' \
'{}')\" >'{}'"
Added on commit ded50200e ("opt-in: skip blacklisted files in
private-etc - #5010, #5230", 2023-01-15) / PR #5591.
A temporary fix to the bug caused by apparmor profiles stacking.
Committer note: This is the same as commit 6e687c301 ("tracelog disabled
by default in /etc/firejail/firejail.config file", 2022-08-29) but
without the Landlock-related changes.
This reverts commit 54cb3e741e972c754e595d56de0bca0792299f83, reversing
changes made to 97b1e02d5f4dca4261dc9928f8a5ebf8966682d7.
There were many issues and requests for changes raised in the pull
request (both code-wise and design-wise) and most of them are still
unresolved[1].
[1] https://github.com/netblue30/firejail/pull/5315
This reverts commit 6e687c30110a52f267c1779c4eeab82bded9cb77.
Part of reverting commits with Landlock-related changes.
dependency on tinyLL
introduce new option restrict-namespaces