From 0169ebe193abdfeddbd17a764688d5f9e7a3cb78 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sat, 20 Aug 2016 21:06:21 -0400
Subject: run time support to disable remounting of /proc and /sys
---
 README | 1 +
 RELNOTES | 1 +
 etc/firejail.config | 3 +++
 src/firejail/checkcfg.c | 11 +++++++++--
 src/firejail/firejail.h | 3 ++-
 src/firejail/sandbox.c | 9 ++++++++-
 6 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/README b/README
index 51adbaf86..fe9ddaaae 100644
--- a/README
+++ b/README
@@ -41,6 +41,7 @@ Aleksey Manevich (https://github.com/manevich)
 - gether shell selection code in one place
 greigdp (https://github.com/greigdp)
 - Gajim IM client profile
+ - fix Slack profile
 Icaro Perseo (https://github.com/icaroperseo)
 - Icecat profile
 - several profile fixes
diff --git a/RELNOTES b/RELNOTES
index 52eef6a0e..d9e4314ba 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -24,6 +24,7 @@ firejail (0.9.42~rc2) baseline; urgency=low
 * seccomp filter updated
 * compile time and run time support to disable whitelists
 * compile time support to disable global configuration file
+ * run time support to disable remounting of /proc and /sys
 * added quiet-by-default config option in /etc/firejail/firejail.config
 * added netfilter-default config option in /etc/firejail/firejail.config
 * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice
diff --git a/etc/firejail.config b/etc/firejail.config
index 82fe65ac7..1b8d5f4e3 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -3,6 +3,9 @@
 # Most features are enabled by default. Use 'yes' or 'no' as configuration # values. +# Remount /proc and /sys inside the sandbox, default enabled. +# remount-proc-sys yes + # Enable or disable bind support, default enabled. # bind yes
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index f5ea7439b..c4a6888a9 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -29,7 +29,6 @@ char *xephyr_extra_params = "";
 char *netfilter_default = NULL; int checkcfg(int val) { - EUID_ASSERT(); assert(val < CFG_MAX); int line = 0;
@@ -38,7 +37,6 @@ int checkcfg(int val) {
 int i; for (i = 0; i < CFG_MAX; i++) cfg_val[i] = 1; // most of them are enabled by default - cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default
@@ -226,6 +224,15 @@ int checkcfg(int val) {
 if (strcmp(ptr + 17, "yes") == 0) arg_quiet = 1; } + // remount /proc and /sys + else if (strncmp(ptr, "remount-proc-sys ", 17) == 0) { + if (strcmp(ptr + 17, "yes") == 0) + cfg_val[CFG_REMOUNT_PROC_SYS] = 1; + else if (strcmp(ptr + 17, "no") == 0) + cfg_val[CFG_REMOUNT_PROC_SYS] = 0; + else + goto errout; + } else goto errout;
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 8301a79a0..067d788a6 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -590,7 +590,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh);
 #define CFG_FORCE_NONEWPRIVS 8
 #define CFG_WHITELIST 9
 #define CFG_XEPHYR_WINDOW_TITLE 10
-#define CFG_MAX 11 // this should always be the last entry
+#define CFG_REMOUNT_PROC_SYS 11
+#define CFG_MAX 12 // this should always be the last entry
 extern char *xephyr_screen;
 extern char *xephyr_extra_params;
 extern char *netfilter_default;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index a33c81937..0818bf450 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -208,6 +208,12 @@ static int monitor_application(pid_t app_pid) {
 if (arg_debug) printf("Sandbox monitor: waitpid %u retval %d status %d\n", monitored_pid, rv, status); + // if /proc is not remounted, we cannot check /proc directory, + // for now we just get out of here + // todo: find another way of checking child processes! + if (!checkcfg(CFG_REMOUNT_PROC_SYS)) + break; + DIR *dir; if (!(dir = opendir("/proc"))) { // sleep 2 seconds and try again
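Review bot: The removal of `EUID_ASSERT()` at the top of checkcfg() is not explained anywhere in the change, and it drops a guard that this read of the configuration file ran without elevated privileges; presumably it goes because checkcfg() is now also called from sandbox() and monitor_application(), where the effective uid is not the invoking user's. That reasoning belongs next to the code, e.g. `// no EUID_ASSERT(): also called from inside the sandbox (sandbox.c), where euid differs`. It is also worth confirming that the first, file-reading call happens before the sandbox filesystem is built, so the cached values come from the host's /etc/firejail/firejail.config rather than from whatever the sandbox mounts at /etc. checkcfg()'s body continues outside the hunk.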
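Review bot: With remount-proc-sys set to no, the new `break` leaves the monitor loop on its first pass, so the /proc-based check of remaining child processes is skipped entirely rather than degraded; the todo comment acknowledges this, but the user-facing firejail.config comment added in this commit does not. I would extend that comment to `# Remount /proc and /sys inside the sandbox, default enabled. Disabling this also disables the sandbox process monitor, which relies on the remounted /proc.` The check is also re-evaluated on every iteration; hoisting `int remount = checkcfg(CFG_REMOUNT_PROC_SYS);` above the loop would make the early exit visible at the loop head, though the loop's start is outside the hunk. monitor_application() continues outside the hunk on both sides, so what happens after the loop cannot be judged here.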
@@ -551,7 +557,8 @@ int sandbox(void* sandbox_arg) {
 //**************************** // update /proc, /sys, /dev, /boot directorymy //**************************** - fs_proc_sys_dev_boot(); + if (checkcfg(CFG_REMOUNT_PROC_SYS)) + fs_proc_sys_dev_boot(); //**************************** // apply the profile file
-- 
cgit v1.2.3-70-g09d2
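Review bot: The new option gates `fs_proc_sys_dev_boot()` as a whole, and by its name (and the surrounding comment "update /proc, /sys, /dev, /boot") that function also sets up /dev and /boot, so `remount-proc-sys no` skips more of the sandbox setup than the option name and the firejail.config comment ("Remount /proc and /sys") advertise. Either split the function so only the /proc and /sys remounts are conditional, or document the wider effect next to the check, e.g. `// remount-proc-sys no also skips the /dev and /boot setup done by fs_proc_sys_dev_boot()`. Since disabling it presumably leaves the sandbox with the original /proc and /sys views, the config comment should also state plainly that this weakens isolation and is intended for debugging or compatibility only. sandbox()'s body continues outside the hunk on both sides.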