From 13e699fe26cc0eda1d7cd1f214d2909e08a1dc58 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Wed, 12 May 2021 15:59:31 -0400
Subject: more --build

---
 src/fbuilder/build_profile.c | 44 ++++++++++++++--------
 src/fbuilder/main.c | 12 ++++--
 src/man/firejail-profile.txt | 90 +++++++++++++++++++++++++++++++++++++++++---
 src/profstats/main.c | 11 ++++++
 4 files changed, 133 insertions(+), 24 deletions(-)

diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index fb53f70a6..1726b4dbb 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -145,9 +145,9 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 	fprintf(fp, "# program name) in ~/.config/firejail directory. Firejail will find it\n");
 	fprintf(fp, "# automatically every time you sandbox your application.\n#\n");
 	fprintf(fp, "# Run \"firejail application\" to test it. In the file there are\n");
-	fprintf(fp, "# some other commands you can try. Enable them by removing the \"#\".\n");
+	fprintf(fp, "# some other commands you can try. Enable them by removing the \"#\".\n\n");
 
-	fprintf(fp, "\n# Firejail profile for %s\n", argv[index]);
+	fprintf(fp, "# Firejail profile for %s\n", argv[index]);
 	fprintf(fp, "# Persistent local customizations\n");
 	fprintf(fp, "#include %s.local\n", argv[index]);
 	fprintf(fp, "# Persistent global definitions\n");
@@ -164,6 +164,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 	fprintf(fp, "#include disable-interpreters.inc\n");
 	fprintf(fp, "include disable-passwdmgr.inc\n");
 	fprintf(fp, "include disable-programs.inc\n");
+	fprintf(fp, "#include disable-shell.inc\n");
 	fprintf(fp, "#include disable-xdg.inc\n");
 	fprintf(fp, "\n");
@@ -171,29 +172,27 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 	fprintf(fp, "### If something goes wrong, this section is the first one to comment out.\n");
 	fprintf(fp, "### Instead, you'll have to relay on the basic blacklisting above.\n");
 	build_home(trace_output, fp);
+	fprintf(fp, "\n");
 
-	fprintf(fp, "\n### The Rest of the Filesystem ###\n");
+	fprintf(fp, "### Filesystem Whitelisting ###\n");
 	build_share(trace_output, fp);
+	//todo: include whitelist-runuser-common.inc
 	build_var(trace_output, fp);
-	build_bin(trace_output, fp);
-	build_dev(trace_output, fp);
-	fprintf(fp, "#nodvd\n");
-	fprintf(fp, "#noinput\n");
-	fprintf(fp, "#notv\n");
-	fprintf(fp, "#nou2f\n");
-	fprintf(fp, "#novideo\n");
-	build_etc(trace_output, fp);
-	build_tmp(trace_output, fp);
+	fprintf(fp, "\n");
 
-	fprintf(fp, "\n### Security Filters ###\n");
 	fprintf(fp, "#apparmor\n");
 	fprintf(fp, "caps.drop all\n");
+	fprintf(fp, "ipc-namespace\n");
 	fprintf(fp, "netfilter\n");
+	fprintf(fp, "#nodvd\n");
 	fprintf(fp, "#nogroups\n");
-	fprintf(fp, "#noroot\n");
+	fprintf(fp, "#noinput\n");
 	fprintf(fp, "nonewprivs\n");
+	fprintf(fp, "noroot\n");
+	fprintf(fp, "#notv\n");
+	fprintf(fp, "#nou2f\n");
+	fprintf(fp, "#novideo\n");
 	build_protocol(trace_output, fp);
-	fprintf(fp, "seccomp\n");
 
 	if (!have_strace) {
 		fprintf(fp, "### If you install strace on your system, Firejail will also create a\n");
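Review bot: The unconditional `fprintf(fp, "seccomp\n");` after `build_protocol()` is dropped at the end of this hunk, so the generated profile now carries a seccomp directive only if one of the branches of the `if (!have_strace)` chain writes it; the two branches visible here and in the next hunk print only `###` comment lines, and their bodies continue past the hunk, so if neither emits `seccomp` the builder's output loses the default syscall filter that the other hardening lines in this section (`caps.drop all`, `nonewprivs`, `noroot`) are meant to sit alongside. If that is the case, add `fprintf(fp, "seccomp\n");` to the `!have_strace` and Yama branches so the profile keeps at least the default filter whenever no whitelisted one can be built. Separately, `//todo: include whitelist-runuser-common.inc` is a work note left in the builder source; either surface it to users as a commented profile line, `fprintf(fp, "#include whitelist-runuser-common.inc\n");`, or drop it. build_profile() starts before and ends after this hunk.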
@@ -203,8 +202,21 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 		fprintf(fp, "### Yama security module prevents creation of a whitelisted seccomp filter\n");
 	else
 		build_seccomp(strace_output, fp);
-	fprintf(fp, "#shell none\n");
+	fprintf(fp, "shell none\n");
 	fprintf(fp, "#tracelog\n");
+	fprintf(fp, "\n");
+
+	fprintf(fp, "#disable-mnt\n");
+	build_bin(trace_output, fp);
+	fprintf(fp, "#private-lib\n");
+	build_dev(trace_output, fp);
+	build_etc(trace_output, fp);
+	build_tmp(trace_output, fp);
+	fprintf(fp, "\n");
+
+	fprintf(fp, "#dbus-user none\n");
+	fprintf(fp, "#dbus-system none\n");
+	fprintf(fp, "#memory-deny-write-execute\n");
 
 	if (!arg_debug) {
 		unlink(trace_output);
diff --git a/src/fbuilder/main.c b/src/fbuilder/main.c
index f4917aefc..35ec49519 100644
--- a/src/fbuilder/main.c
+++ b/src/fbuilder/main.c
@@ -58,10 +58,16 @@ printf("\n");
 				exit(1);
 			}
 
+			// don't run if the file exists
+			if (access(argv[i] + 8, F_OK) == 0) {
+				fprintf(stderr, "Error: the profile file already exists. Please use a different file name.\n");
+				exit(1);
+			}
+
 			// check file access
 			fp = fopen(argv[i] + 8, "w");
 			if (!fp) {
-				fprintf(stderr, "Error fbuild: cannot open profile file.\n");
+				fprintf(stderr, "Error: cannot open profile file.\n");
 				exit(1);
 			}
 			prof_file = 1;
@@ -69,7 +75,7 @@ printf("\n");
 		}
 		else {
 			if (*argv[i] == '-') {
-				fprintf(stderr, "Error fbuilder: invalid program\n");
+				fprintf(stderr, "Error: invalid program\n");
 				usage();
 				exit(1);
 			}
@@ -79,7 +85,7 @@ printf("\n");
 	}
 
 	if (prog_index == 0) {
-		fprintf(stderr, "Error fbuilder: program and arguments required\n");
+		fprintf(stderr, "Error : program and arguments required\n");
 		usage();
 		if (prof_file)
 			fclose(fp);
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 9d11add06..9d59328f5 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
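Review bot: The new `access(argv[i] + 8, F_OK)` check followed by `fopen(argv[i] + 8, "w")` is a check-then-use pair: a file (or a symlink to one) that appears at that path between the two calls is silently truncated and overwritten, which is exactly what the check was added to refuse. Opening once with `O_CREAT | O_EXCL` makes "must not already exist" atomic and removes the window; `fdopen()` then yields the `FILE *` the rest of the code expects, and `errno == EEXIST` distinguishes the two error messages. This needs `<fcntl.h>` and `<errno.h>` among the file's includes, which are outside the hunk, and the enclosing option-parsing loop starts before it. Note also that `access()` answers for the real UID, which only matters if fbuilder can run with elevated privileges — I cannot tell that from here.
```c
			// don't run if the file exists; O_EXCL makes the check and the create one atomic step
			int fd = open(argv[i] + 8, O_WRONLY | O_CREAT | O_EXCL, 0644);
			if (fd < 0) {
				if (errno == EEXIST)
					fprintf(stderr, "Error: the profile file already exists. Please use a different file name.\n");
				else
					fprintf(stderr, "Error: cannot open profile file.\n");
				exit(1);
			}
			fp = fdopen(fd, "w");
			if (!fp) {
				fprintf(stderr, "Error: cannot open profile file.\n");
				exit(1);
			}
			prof_file = 1;
			// … unchanged: rest of the option loop …
```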
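Review bot: `"Error : program and arguments required\n"` in the last main.c hunk has a stray space before the colon, while the other messages this commit rewrites (`"Error: invalid program\n"`, `"Error: cannot open profile file.\n"`) use `Error:`; make it `fprintf(stderr, "Error: program and arguments required\n");` so the prefix is consistent for anyone grepping or parsing the output. The enclosing function continues outside the hunk.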
@@ -1,12 +1,78 @@
 .TH FIREJAIL-PROFILE 5 "MONTH YEAR" "VERSION" "firejail profiles man page"
 .SH NAME
-profile \- Security profile file syntax for Firejail
+profile \- Security profile file syntax, and information about building new application profiles.
 
-.SH USAGE
+.SH SYNOPSIS
+
+Using a specific profile:
+.PP
+.RS
+.TP
+\fBfirejail \-\-profile=filename.profile
+.br
+
+.br
+Example:
+.br
+$ firejail --profile=/etc/firejail/kdenlive.profile --appimage kdenlive.appimage
+.br
+
+.br
+.TP
+\fBfirejail \-\-profile=profile_name
+.br
+
+.br
+Example:
+.br
+$ firejail --profile=kdenlive --appimage kdenlive.appimage
+.br
+
+.br
+.RE
+.PP
+
+
+
+Building a profile manually:
+.PP
+.RS
+Start with the template in /usr/share/doc/firejail/profile.template and modify it in a text editor.
+To integrate the program in your desktop environment copy the profile file in ~/.config/firejail
+directory and run "sudo firecfg".
+.RE
+.PP
+
+Aliases and redirections:
+.PP
+.RS
+In some cases the same profile can be used for several applications.
+One such example is LibreOffice.
+Build a regular profile for the main application, and for the rest use
+/usr/share/doc/firejail/redirect_alias-profile.template.
+.RE
+.PP
+
+Running the profile builder:
+.PP
+.RS
 .TP
-firejail \-\-profile=filename.profile
+\fBfirejail \-\-build=appname.profile appname
+.br
+
+.br
+Example:
+.br
+$ firejail --build=blobby.profile blobby
+.br
+
+.br
+Run the program in "firejail \-\-build" and try to exercise as many program features as possible.
+The profile is extracted and saved in the current directory. Open it in a text editor and add or remove
+sandboxing options as necessary. Test again after modifying the profile. To integrate the program
+in your desktop environment copy the profile file in ~/.config/firejail directory and run "sudo firecfg".
 .RE
-firejail \-\-profile=profile_name
+.PP
 
 .SH DESCRIPTION
 Several command line options can be passed to the program using
@@ -891,7 +957,21 @@ Join the sandbox identified by name or start a new one.
 Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise
 same as "name sandboxname".
 .SH FILES
-/etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile
+.TP
+\fB/etc/firejail/appname.profile
+Global Firejail configuration consisting mainly of profiles for each application supported by default.
+
+.TP
+\fB$HOME/.config/firejail/appname.profile
+User application profiles, will take precedence over the global profiles.
+
+.TP
+\fB/usr/share/doc/firejail/profile.template
+Template for building new profiles.
+
+.TP
+\fB/usr/share/doc/firejail/redirect_alias-profile.template
+Template for aliasing/redirecting profiles.
 .SH LICENSE
 Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
 
diff --git a/src/profstats/main.c b/src/profstats/main.c
index 5035280b1..10e44bd65 100644
--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -46,6 +46,7 @@ static int cnt_whitelistusrshare = 0; // include whitelist-usr-share-common.inc
 static int cnt_ssh = 0;
 static int cnt_mdwx = 0;
 static int cnt_whitelisthome = 0;
+static int cnt_noroot = 0;
 
 static int level = 0;
 static int arg_debug = 0;
@@ -65,6 +66,7 @@ static int arg_mdwx = 0;
 static int arg_dbus_system_none = 0;
 static int arg_dbus_user_none = 0;
 static int arg_whitelisthome = 0;
+static int arg_noroot = 0;
 
 static char *profile = NULL;
 
@@ -80,6 +82,7 @@ static void usage(void) {
 	printf(" --dbus-user-none - profiles without \"dbus-user none\"\n");
 	printf(" --ssh - print profiles without \"include disable-common.inc\"\n");
 	printf(" --noexec - print profiles without \"include disable-exec.inc\"\n");
+	printf(" --noroot - print profiles without \"noroot\"\n");
 	printf(" --private-bin - print profiles without private-bin\n");
 	printf(" --private-dev - print profiles without private-dev\n");
 	printf(" --private-etc - print profiles without private-etc\n");
@@ -128,6 +131,8 @@ void process_file(const char *fname) {
 			cnt_caps++;
 		else if (strncmp(ptr, "include disable-exec.inc", 24) == 0)
 			cnt_noexec++;
+		else if (strncmp(ptr, "noroot", 6) == 0)
+			cnt_noroot++;
 		else if (strncmp(ptr, "include whitelist-var-common.inc", 32) == 0)
 			cnt_whitelistvar++;
 		else if (strncmp(ptr, "include whitelist-runuser-common.inc", 36) == 0 ||
@@ -212,6 +217,8 @@ int main(int argc, char **argv) {
 			arg_mdwx = 1;
 		else if (strcmp(argv[i], "--noexec") == 0)
 			arg_noexec = 1;
+		else if (strcmp(argv[i], "--noroot") == 0)
+			arg_noroot = 1;
 		else if (strcmp(argv[i], "--private-bin") == 0)
 			arg_privatebin = 1;
 		else if (strcmp(argv[i], "--private-dev") == 0)
@@ -256,6 +263,7 @@ int main(int argc, char **argv) {
 	int caps = cnt_caps;
 	int apparmor = cnt_apparmor;
 	int noexec = cnt_noexec;
+	int noroot = cnt_noroot;
 	int privatebin = cnt_privatebin;
 	int privatetmp = cnt_privatetmp;
 	int privatedev = cnt_privatedev;
@@ -313,6 +321,8 @@ int main(int argc, char **argv) {
 		printf("No seccomp found in %s\n", argv[i]);
 	if (arg_noexec && noexec == cnt_noexec)
 		printf("No include disable-exec.inc found in %s\n", argv[i]);
+	if (arg_noroot && noroot == cnt_noroot)
+		printf("No noroot found in %s\n", argv[i]);
 	if (arg_privatedev && privatedev == cnt_privatedev)
 		printf("No private-dev found in %s\n", argv[i]);
 	if (arg_privatebin && privatebin == cnt_privatebin)
@@ -346,6 +356,7 @@ int main(int argc, char **argv) {
 	printf(" seccomp\t\t\t%d\n", cnt_seccomp);
 	printf(" capabilities\t\t%d\n", cnt_caps);
 	printf(" noexec\t\t\t%d (include disable-exec.inc)\n", cnt_noexec);
+	printf(" noroot\t\t\t%d\n", cnt_noroot);
 	printf(" memory-deny-write-execute\t%d\n", cnt_mdwx);
 	printf(" apparmor\t\t\t%d\n", cnt_apparmor);
 	printf(" private-bin\t\t\t%d\n", cnt_privatebin);
-- 
cgit v1.2.3-70-g09d2