| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Dumb patch that adds O_CLOEXEC to all open/fopen
calls, even where it is obviously pointless.
While at it, also add O_EXCL where it might be
considered useful, for example to clear Coverity
warnings, or on files that subsequently are used
to configure a join sandbox.
Pure defense in depth, this patch should have no
observable effects.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* The proxy is forked off outside the sandbox namespace to protect the
fds of the original buses from the sandboxed process.
* The /run/firejail/dbus directory (with the sticky bit set) holds the proxy
sockets. The sockets are <parent pid>-user and <parent pid>-system for the
user and system buses, respectively. Each socket is owned by the sandbox user.
* The sockets are bind-mounted over their expected locations and the
/run/firejail/dbus directory is subsequently hidden from the sandbox.
* Upon sandbox exit, the xdg-dbus-proxy instance is terminated and the sockets
are cleaned up.
* Filter rules will be added in a future commit.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
System calls (names and numbers) are not exactly the same for 32 bit
and 64 bit architectures. Let's allow defining separate filters for
32-bit arch using seccomp.32, seccomp.32.drop, seccomp.32.keep. This
is useful for mixed 64/32 bit application environments like Steam and
Wine.
Implement protocol and mdwx filtering also for 32 bit arch. It's still
better to block secondary archs completely if not needed.
Lists of supported system calls are also updated.
Warn if preload libraries would be needed due to trace, tracelog or
postexecseccomp (seccomp.drop=execve etc), because a 32-bit dynamic
linker does not understand the 64 bit preload libraries.
Closes #3267.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
|
| | |
|
| |
|
|
|
|
|
| |
avoid creating locations in the file system that are both writable and
executable (in this case for processes with euid of the user).
for the same reason also remove user owned libfiles
when it is not needed any more
|
| | |
|
| |
|
|
|
| |
Make sure all files end with a newline
Strip extra newlines and trailing whitespace from files
|
| | |
|
| |
|
|
| |
from crass)
|
| |
|
|
|
|
|
|
|
| |
sandbox regardless of options."
This reverts commit 4017e8a1359208e149b2eac10900987acd4a6f9e.
I am running into some problems with the initial unshare/mount in main.c.
I'll bring in the files one by one.
|
| |
|
|
| |
regardless of options.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Add a feature for a new (opt-in) command line switch and config file
option to block secondary architectures entirely. Also block changing
Linux execution domain with personality() system call for the primary
architecture.
Closes #1479
|
| |
|
|
|
|
|
| |
Allow any syscall to be blacklisted with aid of LD_PRELOAD library,
libpostexecseccomp.so.
Closes: #1447
|
| |
|
|
| |
Feature to block attempts to create writable and executable memory.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
smitsohu
startx2017
startx2017
Kristóf Marussy
Topi Miettinen
glitsj16
Fred-Barclay
netblue30
Glenn Washburn