From bbb098e082e4d7493733b49c610859ac93ede8a5 Mon Sep 17 00:00:00 2001
From: valoq
Date: Sun, 11 Dec 2016 19:06:18 +0100
Subject: fixed ipc blacklist

---
 src/firejail/fs.c | 27 +++++++++++++++++++--------
 src/firejail/fs_var.c | 2 ++
 2 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 84dc9046c..f469cba0a 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -531,17 +531,16 @@ void fs_proc_sys_dev_boot(void) {
 	// disable /dev/port
 	disable_file(BLACKLIST_FILE, "/dev/port");
-
-	// WARNING: this is not reliable. When services like gpg-agent are started after the jail, the sockets are not blacklisted
-	// disable various ipc sockets
-	struct stat s;
-
+	/* // disable various ipc sockets */
+	struct stat s;
 	// disable /run/user/{uid}/gnupg
 	char *fnamegpg;
 	if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1)
 		errExit("asprintf");
+	if (stat(fnamegpg, &s) == -1)
+		mkdir_attr(fnamegpg, 0700, getuid(), getgid());
 	if (stat(fnamegpg, &s) == 0)
 		disable_file(BLACKLIST_FILE, fnamegpg);
 	free(fnamegpg);
@@ -550,10 +549,13 @@ void fs_proc_sys_dev_boot(void) {
 	char *fnamesysd;
 	if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)
 		errExit("asprintf");
+	if (stat(fnamesysd, &s) == -1)
+		mkdir_attr(fnamesysd, 0755, getuid(), getgid());
 	if (stat(fnamesysd, &s) == 0)
 		disable_file(BLACKLIST_FILE, fnamesysd);
 	free(fnamesysd);
+	// todo: investigate
 #if 0 // breaks too many applications, option needed
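Review bot: The new `if (stat(fnamegpg, &s) == -1)` branch calls mkdir_attr() on any stat failure, not only when the directory is missing, so EACCES or ENOTDIR would also trigger a mkdir; narrow it to `if (stat(fnamegpg, &s) == -1 && errno == ENOENT)` (errno.h needed if fs.c does not already include it). The directory is created with the caller's uid in the real /run/user/{uid} tmpfs, which is shared with the host rather than private to the sandbox, so this is a host-visible side effect that outlives the sandbox and deserves a comment saying so. The commit's own remark in a later hunk says /run/user/{uid} itself is absent on some systems; if mkdir_attr() aborts on a failed mkdir(2), as firejail's other mkdir helpers appear to, the sandbox will refuse to start there, so either check the parent first or make this stanza best-effort. The second `stat()` then repeats the first and could be dropped by acting on the mkdir result instead. fs_proc_sys_dev_boot() starts and ends outside this hunk.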
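Review bot: The systemd stanza is a line-for-line copy of the gnupg stanza above it with only the path and mode changed, and the new `// todo: investigate` comment before `#if 0` names nothing to investigate. Factoring the asprintf/stat/mkdir_attr/disable_file sequence into a static helper keeps the two in step, so the mode and any ENOENT narrowing live in one place, and the todo should state what is open, e.g. `// TODO: mode for /run/user/{uid}/systemd and the socket dirs listed below are not settled`. A sketch of the helper follows; the intent comment in it is inferred from the WARNING comment this commit removes and should be confirmed. fs_proc_sys_dev_boot() continues outside the hunk.
```c
// Blacklist a socket directory under /run/user/{uid}, creating it first when
// it is absent -- presumably so that services started after the sandbox
// (gpg-agent, systemd --user) cannot expose their sockets through it.
// The mkdir lands in the host's /run/user tmpfs and outlives the sandbox.
static void disable_run_user_dir(const char *subdir, mode_t mode) {
	char *fname;
	if (asprintf(&fname, "/run/user/%d/%s", getuid(), subdir) == -1)
		errExit("asprintf");
	struct stat s;
	if (stat(fname, &s) == -1 && errno == ENOENT)
		mkdir_attr(fname, mode, getuid(), getgid());
	if (stat(fname, &s) == 0)
		disable_file(BLACKLIST_FILE, fname);
	free(fname);
}

	// … unchanged: /dev/port blacklist in fs_proc_sys_dev_boot …
	disable_run_user_dir("gnupg", 0700);
	disable_run_user_dir("systemd", 0755);
```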
@@ -591,12 +593,21 @@ void fs_proc_sys_dev_boot(void) {
 	/* disable_file(BLACKLIST_FILE, fnamedconf); */
 	/* free(fnamedconf); */
-
+
+	// dirs in /run/user/{uid}/
+	// using gnome:
+	// bus, dconf, gdm, gnome-shell, gnupg, gvfs, keyring, pulse, systemd
+
+	// using kde:
+	// kdeinit__0, ...
+
 	//more files with sockets to be blacklisted
 	// /run/dbus /run/systemd /run/udev /run/lvm
-#endif
-
+
+	// /run/user/{uid} does not exist on some systems, usually used and created by desktop applications
#endif
+
 	if (getuid() != 0) {
 		// disable /dev/kmsg and /proc/kmsg
 		disable_file(BLACKLIST_FILE, "/dev/kmsg");
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index bdc5ecaf3..86122e1c0 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -106,6 +106,8 @@ static void build_dirs(void) {
 void fs_var_log(void) {
 	build_list("/var/log");
+	// note: /var/log is not created here, if it does not exist, this section fails. Intended?
+
 	// create /var/log if it doesn't exit
 	if (is_dir("/var/log")) {
 		// extract group id for /var/log/wtmp
-- 
cgit v1.2.3-70-g09d2

From 9a415a34dd3ce2b69b780fb9884dc15b61dcfd96 Mon Sep 17 00:00:00 2001
From: valoq
Date: Sun, 11 Dec 2016 19:18:09 +0100
Subject: fix comment

---
 src/firejail/fs.c | 6 +++---
 src/man/firejail.txt | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index f469cba0a..adddf626b 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -532,7 +532,7 @@ void fs_proc_sys_dev_boot(void) {
 	disable_file(BLACKLIST_FILE, "/dev/port");
-	/* // disable various ipc sockets */
+	// disable various ipc sockets
 	struct stat s;
 	// disable /run/user/{uid}/gnupg
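Review bot: The new remark `// /run/user/{uid} does not exist on some systems, usually used and created by desktop applications` is placed inside the `#if 0` block, where it is dead text, yet it is the one fact a reader of the mkdir_attr() calls earlier in this function needs: on such systems mkdir(2) of /run/user/{uid}/gnupg fails because the parent is missing. Move it next to those calls, outside the `#if 0`, and phrase it as a statement about the code, e.g. `// /run/user/{uid} may be absent (the commit notes desktop sessions create it); mkdir_attr() of a subdirectory then fails`. The gnome/kde directory lists added above are a worklist of sockets still unblacklisted and should say so rather than read as documentation of current behavior. This hunk is inside fs_proc_sys_dev_boot(), which starts and ends outside it.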
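Review bot: The added comment `// note: /var/log is not created here, if it does not exist, this section fails. Intended?` asks a question and, as far as this hunk shows, describes something the code does not do: the following `if (is_dir("/var/log"))` skips the block when /var/log is missing rather than failing. A committed comment should record the answer, not the question; if skipping is the intended behavior write `// /var/log is not created here; when it is missing this whole block is skipped` and drop the stale context comment `// create /var/log if it doesn't exit` (which also misspells "exist") since nothing below creates it. fs_var_log() continues past the end of this hunk, so whether a later part of it fails on a missing /var/log cannot be seen here.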
@@ -601,8 +601,8 @@ void fs_proc_sys_dev_boot(void) {
 	// using kde:
 	// kdeinit__0, ...
-	//more files with sockets to be blacklisted
-	// /run/dbus /run/systemd /run/udev /run/lvm
+	// more files with sockets to be blacklisted
+	// /run/dbus /run/systemd /run/udev /run/lvm
 	// /run/user/{uid} does not exist on some systems, usually used and created by desktop applications
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index fdeb9ea3f..5b43b1ca5 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -85,7 +85,7 @@ Example:
 $ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox
 .TP
 \fB\-\-allusers
-All user home directories are visible inside the sandbox. By default, only current user home directory is visible.
+All directories under /home are visible inside the sandbox. By default, only current user home directory is visible.
 .br
 .br
-- 
cgit v1.2.3-70-g09d2