| Commit message (Collapse) | Author | Age |
|---|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
feature
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
mount without stash locations, only using the file descriptors
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
1) close #3612
2) remove an implicit limitation on rlimit-fsize option
(could not set limit to smaller than 6 bytes without affecting
the ability to join a sandbox)
3) rename 'join-or-start' file to just 'join'
4) when waiting for a sandbox that is not fully configured yet,
increase polling frequency from 10 per second to 100 per second
|
| |
|
|
|
|
|
|
|
|
|
|
| |
1) copy xauth binary into the sandbox and set mode to 0711, so it runs
with cleared dumpable flag for unprivileged users
2) run xauth in an sbox sandbox
3) generate Xauthority file in runtime directory instead of /tmp;
this way xauth is able to connect to the X11 socket even if the
abstract socket doesn't exist, for example because a new network
namespace was instantiated
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To avoid race conditions, the proxy sockets from /run/firejail/dbus/ are
bind-mounted to /run/firejail/mnt/dbus/, which is controlled by root.
Instead of relying on the default locations of the DBus sockets, the environment
variables DBUS_SESSION_BUS_ADDRESS and DBUS_SYSTEM_BUS_ADDRESS are set
accordingly.
User sockets are tried in the following order when starting the proxy:
* DBUS_SESSION_BUS_ADDRES
* /run/user/<pid>/bus
* /run/user/<pid>/dbus/user_bus_socket
These are all blocked (including DBUS_SESSION_BUS_ADDRESS if it points at a
socket in the filesystem) when the filtering or blocking policy is active.
System sockets are tried in the following order:
* DBUS_SYSTEM_BUS_ADDRESS
* /run/dbus/system_bus_socket
These are all blocked (including DBUS_SYSTEM_BUS_ADDRESS if it points at a
socket in the filesystem) when the filtering or blocking policy is active.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* The proxy is forked off outside the sandbox namespace to protect the
fds of the original buses from the sandboxed process.
* The /run/firejail/dbus directory (with the sticky bit set) holds the proxy
sockets. The sockets are <parent pid>-user and <parent pid>-system for the
user and system buses, respectively. Each socket is owned by the sandbox user.
* The sockets are bind-mounted over their expected locations and the
/run/firejail/dbus directory is subsequently hidden from the sandbox.
* Upon sandbox exit, the xdg-dbus-proxy instance is terminated and the sockets
are cleaned up.
* Filter rules will be added in a future commit.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
System calls (names and numbers) are not exactly the same for 32 bit
and 64 bit architectures. Let's allow defining separate filters for
32-bit arch using seccomp.32, seccomp.32.drop, seccomp.32.keep. This
is useful for mixed 64/32 bit application environments like Steam and
Wine.
Implement protocol and mdwx filtering also for 32 bit arch. It's still
better to block secondary archs completely if not needed.
Lists of supported system calls are also updated.
Warn if preload libraries would be needed due to trace, tracelog or
postexecseccomp (seccomp.drop=execve etc), because a 32-bit dynamic
linker does not understand the 64 bit preload libraries.
Closes #3267.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
|
| |
|
|
| |
see issue #3145
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
* move copyright statement to 2020
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* In order to ensure that network interfaces are already configured when
the sandboxed launches, we run dhclient in forking mode (no -d switch),
which makes the dhclient command exit when it successfully acquired a lease.
The dhclient daemon process keeps running in the background.
* We read the pid file for dhclient to find out the pid of the daemon process.
Because dhclient only writes the pid file in the child process potentially
after the forking parent process exits, there is some handling for possible
race conditions.
* All lease files and pid files are under /run/firejail/dhclient/
* The v4 and v6 dhclient has a separate lease as recommended.
* The v4 client is set to generate a DUID, which is also used by the v6 client
so that the server can associate the two leases if needed.
* /etc/resolv.conf is created in the sandbox just like with the --dns option,
by mirroring /etc. When DHCP is used, /etc/resolv.conf is normally empty so
that dhclient can overwrite it the nameservers from the DHCP server.
Current limitations:
* The dhclient processes in the background are not terminated properly
(by SIGTERM or dhclient -x), nor is the DHCP lease released (by dclient -r).
The reason for this is that firejail drops all capabilities and privileges
before the application in the sandbox is launched, which makes it impossible
to launch dhclient to release the lease or kill the dhclient processes still
running with the effective user id of root. Instead the dhclient daemons
die with the sandbox. According to the dhclient man page, releasing the lease
is not required by the DHCP specification, so this is not a problem, however
some ISPs may require releasing leases.
A possible workaround would be to fork another process upon sandbox
initialization that invokes dhclient -r when the sandbox is ready to exit.
This would require communication with the main firejail process through
a pipe, while keeping and required privileges. As this would add some
complexity but the benefits have limited applicability (compatibility with
esoteric DHCP server configurations), I chose not to implement this.
* When only an IPv6 address is requested, the interface may possible not have
a link-local address when we run dhclient. This causes dhclient -6 fail,
since DHCPv6 uses link-local addressing instead of layer 2 addressing,
see e.g., https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783387
In a future commit, waiting for a link-local address will be added.
|
| |
|
|
| |
by the environment variable FIREJAIL_TRACEFILE or as the RUN_TRACE_FILE if it exists ortherwise use the console as before.
|
| | |
|
| | |
|
| |
|
netblue30
David Fetter
smitsohu
startx2017
netblue30
Kristóf Marussy
Topi Miettinen
glitsj16
Glenn Washburn
Reiner Herrmann