From 355c86b0ff225bdc48b27fb4dfcb6232e4ec7b29 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 2 Aug 2016 10:03:28 -0400 Subject: apparmor --- Makefile.in | 2 + configure | 492 +++++++++++++++++++++++++---------------------- configure.ac | 23 +++ etc/firejail-default | 129 +++++++++++++ src/firejail/Makefile.in | 6 +- src/firejail/sandbox.c | 12 +- todo | 3 + 7 files changed, 438 insertions(+), 229 deletions(-) create mode 100644 etc/firejail-default diff --git a/Makefile.in b/Makefile.in index e47e109d3..4d7526826 100644 --- a/Makefile.in +++ b/Makefile.in @@ -85,6 +85,8 @@ realinstall: done sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" rm -fr .etc + # install apparmor profile + sh -c "if [ -d /etc/apparmor.d ]; then install -c -m 0644 etc/firejail-default /etc/apparmor.d/firejail-default; fi;" # man pages install -m 0755 -d $(DESTDIR)/$(mandir)/man1 install -m 0755 -d $(DESTDIR)/$(mandir)/man5 diff --git a/configure b/configure index 050b4df9c..0f6f8f7fb 100755 --- a/configure +++ b/configure @@ -625,9 +625,6 @@ ac_includes_default="\ ac_subst_vars='LTLIBOBJS LIBOBJS HAVE_SECCOMP_H -EGREP -GREP -CPP HAVE_FATAL_WARNINGS HAVE_WHITELIST HAVE_FILE_TRANSFER @@ -638,6 +635,11 @@ HAVE_GLOBALCFG HAVE_BIND HAVE_CHROOT HAVE_SECCOMP +EXTRA_LDFLAGS +EGREP +GREP +CPP +HAVE_APPARMOR RANLIB INSTALL_DATA INSTALL_SCRIPT @@ -690,6 +692,7 @@ SHELL' ac_subst_files='' ac_user_opts=' enable_option_checking +enable_apparmor enable_seccomp enable_chroot enable_bind @@ -1319,6 +1322,7 @@ Optional Features: --disable-option-checking ignore unrecognized --enable/--with options --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) --enable-FEATURE[=ARG] include FEATURE [ARG=yes] + --enable-apparmor enable apparmor --disable-seccomp disable seccomp --disable-chroot disable chroot --disable-bind disable bind 
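Review bot: The new profile install line writes straight to the live `/etc/apparmor.d` and ignores `$(DESTDIR)`, unlike every other `install` in this target, so a staged or packaged build (`make DESTDIR=... install`) modifies the build host and the profile never ends up in the staging tree. It also overwrites an existing `firejail-default` unconditionally, while the `login.users` line directly above only installs when the file is absent; if local tuning of the profile is meant to survive upgrades, the same pattern applies here. One line covers both: `sh -c "if [ -d /etc/apparmor.d ]; then install -m 0755 -d $(DESTDIR)/etc/apparmor.d; if [ ! -f $(DESTDIR)/etc/apparmor.d/firejail-default ]; then install -c -m 0644 etc/firejail-default $(DESTDIR)/etc/apparmor.d/firejail-default; fi; fi;"`. A short comment is also worth adding, because copying the file does not load it: until `apparmor_parser -r /etc/apparmor.d/firejail-default` runs the kernel has no such profile, and the runtime `aa_change_onexec` added in sandbox.c will fail with its warning.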
@@ -1462,52 +1466,6 @@ fi } # ac_fn_c_try_compile -# ac_fn_c_try_link LINENO -# ----------------------- -# Try to link conftest.$ac_ext, and return whether this succeeded. -ac_fn_c_try_link () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - rm -f conftest.$ac_objext conftest$ac_exeext - if { { ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_link") 2>conftest.err - ac_status=$? - if test -s conftest.err; then - grep -v '^ *+' conftest.err >conftest.er1 - cat conftest.er1 >&5 - mv -f conftest.er1 conftest.err - fi - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && { - test "$cross_compiling" = yes || - test -x conftest$ac_exeext - }; then : - ac_retval=0 -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_retval=1 -fi - # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information - # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would - # interfere with the next link command; also delete a directory that is - # left behind by Apple's compiler. We do this before executing the actions. - rm -rf conftest.dSYM conftest_ipa8_conftest.oo - eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno - as_fn_set_status $ac_retval - -} # ac_fn_c_try_link - # ac_fn_c_try_cpp LINENO # ---------------------- # Try to preprocess conftest.$ac_ext, and return whether this succeeded. 
@@ -1708,6 +1666,52 @@ $as_echo "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_header_compile + +# ac_fn_c_try_link LINENO +# ----------------------- +# Try to link conftest.$ac_ext, and return whether this succeeded. +ac_fn_c_try_link () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + rm -f conftest.$ac_objext conftest$ac_exeext + if { { ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_link") 2>conftest.err + ac_status=$? + if test -s conftest.err; then + grep -v '^ *+' conftest.err >conftest.er1 + cat conftest.er1 >&5 + mv -f conftest.er1 conftest.err + fi + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + test -x conftest$ac_exeext + }; then : + ac_retval=0 +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_retval=1 +fi + # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information + # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would + # interfere with the next link command; also delete a directory that is + # left behind by Apple's compiler. We do this before executing the actions. + rm -rf conftest.dSYM conftest_ipa8_conftest.oo + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + as_fn_set_status $ac_retval + +} # ac_fn_c_try_link cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. 
@@ -3069,189 +3073,23 @@ else fi -HAVE_SECCOMP="" -# Check whether --enable-seccomp was given. -if test "${enable_seccomp+set}" = set; then : - enableval=$enable_seccomp; -fi - -if test "x$enable_seccomp" != "xno"; then : - - HAVE_SECCOMP="-DHAVE_SECCOMP" - - -fi - -HAVE_CHROOT="" -# Check whether --enable-chroot was given. -if test "${enable_chroot+set}" = set; then : - enableval=$enable_chroot; -fi - -if test "x$enable_chroot" != "xno"; then : - - HAVE_CHROOT="-DHAVE_CHROOT" - - -fi - -HAVE_BIND="" -# Check whether --enable-bind was given. -if test "${enable_bind+set}" = set; then : - enableval=$enable_bind; -fi - -if test "x$enable_bind" != "xno"; then : - - HAVE_BIND="-DHAVE_BIND" - - -fi - -HAVE_GLOBALCFG="" -# Check whether --enable-globalcfg was given. -if test "${enable_globalcfg+set}" = set; then : - enableval=$enable_globalcfg; -fi - -if test "x$enable_globalcfg" != "xno"; then : - - HAVE_GLOBALCFG="-DHAVE_GLOBALCFG" - - -fi - -HAVE_NETWORK="" -# Check whether --enable-network was given. -if test "${enable_network+set}" = set; then : - enableval=$enable_network; -fi - -# Check whether --enable-network was given. -if test "${enable_network+set}" = set; then : - enableval=$enable_network; -fi - -if test "x$enable_network" != "xno"; then : - - HAVE_NETWORK="-DHAVE_NETWORK" - if test "x$enable_network" = "xrestricted"; then : - - HAVE_NETWORK="$HAVE_NETWORK -DHAVE_NETWORK_RESTRICTED" - -fi - - -fi - -HAVE_USERNS="" -# Check whether --enable-userns was given. -if test "${enable_userns+set}" = set; then : - enableval=$enable_userns; -fi - -if test "x$enable_userns" != "xno"; then : - - HAVE_USERNS="-DHAVE_USERNS" - - -fi - -HAVE_X11="" -# Check whether --enable-x11 was given. -if test "${enable_x11+set}" = set; then : - enableval=$enable_x11; -fi - -if test "x$enable_x11" != "xno"; then : - - HAVE_X11="-DHAVE_X11" - - -fi - -HAVE_FILE_TRANSFER="" -# Check whether --enable-file-transfer was given. 
-if test "${enable_file_transfer+set}" = set; then : - enableval=$enable_file_transfer; -fi - -if test "x$enable_file_transfer" != "xno"; then : - - HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER" - - -fi - -HAVE_WHITELIST="" -# Check whether --enable-whitelist was given. -if test "${enable_whitelist+set}" = set; then : - enableval=$enable_whitelist; -fi - -if test "x$enable_whitelist" != "xno"; then : - - HAVE_WHITELIST="-DHAVE_WHITELIST" - - -fi - -HAVE_FATAL_WARNINGS="" -# Check whether --enable-fatal_warnings was given. -if test "${enable_fatal_warnings+set}" = set; then : - enableval=$enable_fatal_warnings; -fi - -if test "x$enable_fatal_warnings" = "xyes"; then : - - HAVE_FATAL_WARNINGS="-W -Wall -Werror" - - +# Allow to build without apparmor support by calling: +# ./configure --disable-apparmor +# This makes it possible to run snaps in devmode on almost any host, +# regardless of the kernel version. +HAVE_APPARMOR="" +# Check whether --enable-apparmor was given. +if test "${enable_apparmor+set}" = set; then : + enableval=$enable_apparmor; fi +if test "x$enable_apparmor" = "xyes"; then : -# checking pthread library - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 -$as_echo_n "checking for main in -lpthread... " >&6; } -if ${ac_cv_lib_pthread_main+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lpthread $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ + HAVE_APPARMOR="-DHAVE_APPARMOR" -int -main () -{ -return main (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_pthread_main=yes -else - ac_cv_lib_pthread_main=no fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_main" >&5 -$as_echo "$ac_cv_lib_pthread_main" >&6; } -if test "x$ac_cv_lib_pthread_main" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBPTHREAD 1 -_ACEOF - LIBS="-lpthread $LIBS" - -else - as_fn_error $? "*** POSIX thread support not installed ***" "$LINENO" 5 -fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' 
@@ -3650,6 +3488,208 @@ fi done +if test "x$enable_apparmor" = "xyes"; then : + + ac_fn_c_check_header_mongrel "$LINENO" "sys/apparmor.h" "ac_cv_header_sys_apparmor_h" "$ac_includes_default" +if test "x$ac_cv_header_sys_apparmor_h" = xyes; then : + +else + as_fn_error $? "Couldn't find sys/apparmor.h... please install apparmor user space library and development files " "$LINENO" 5 +fi + + + +fi +if test "x$enable_apparmor" = "xyes"; then : + + EXTRA_LDFLAGS="-lapparmor" + +fi + + +HAVE_SECCOMP="" +# Check whether --enable-seccomp was given. +if test "${enable_seccomp+set}" = set; then : + enableval=$enable_seccomp; +fi + +if test "x$enable_seccomp" != "xno"; then : + + HAVE_SECCOMP="-DHAVE_SECCOMP" + + +fi + +HAVE_CHROOT="" +# Check whether --enable-chroot was given. +if test "${enable_chroot+set}" = set; then : + enableval=$enable_chroot; +fi + +if test "x$enable_chroot" != "xno"; then : + + HAVE_CHROOT="-DHAVE_CHROOT" + + +fi + +HAVE_BIND="" +# Check whether --enable-bind was given. +if test "${enable_bind+set}" = set; then : + enableval=$enable_bind; +fi + +if test "x$enable_bind" != "xno"; then : + + HAVE_BIND="-DHAVE_BIND" + + +fi + +HAVE_GLOBALCFG="" +# Check whether --enable-globalcfg was given. +if test "${enable_globalcfg+set}" = set; then : + enableval=$enable_globalcfg; +fi + +if test "x$enable_globalcfg" != "xno"; then : + + HAVE_GLOBALCFG="-DHAVE_GLOBALCFG" + + +fi + +HAVE_NETWORK="" +# Check whether --enable-network was given. +if test "${enable_network+set}" = set; then : + enableval=$enable_network; +fi + +# Check whether --enable-network was given. +if test "${enable_network+set}" = set; then : + enableval=$enable_network; +fi + +if test "x$enable_network" != "xno"; then : + + HAVE_NETWORK="-DHAVE_NETWORK" + if test "x$enable_network" = "xrestricted"; then : + + HAVE_NETWORK="$HAVE_NETWORK -DHAVE_NETWORK_RESTRICTED" + +fi + + +fi + +HAVE_USERNS="" +# Check whether --enable-userns was given. 
+if test "${enable_userns+set}" = set; then : + enableval=$enable_userns; +fi + +if test "x$enable_userns" != "xno"; then : + + HAVE_USERNS="-DHAVE_USERNS" + + +fi + +HAVE_X11="" +# Check whether --enable-x11 was given. +if test "${enable_x11+set}" = set; then : + enableval=$enable_x11; +fi + +if test "x$enable_x11" != "xno"; then : + + HAVE_X11="-DHAVE_X11" + + +fi + +HAVE_FILE_TRANSFER="" +# Check whether --enable-file-transfer was given. +if test "${enable_file_transfer+set}" = set; then : + enableval=$enable_file_transfer; +fi + +if test "x$enable_file_transfer" != "xno"; then : + + HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER" + + +fi + +HAVE_WHITELIST="" +# Check whether --enable-whitelist was given. +if test "${enable_whitelist+set}" = set; then : + enableval=$enable_whitelist; +fi + +if test "x$enable_whitelist" != "xno"; then : + + HAVE_WHITELIST="-DHAVE_WHITELIST" + + +fi + +HAVE_FATAL_WARNINGS="" +# Check whether --enable-fatal_warnings was given. +if test "${enable_fatal_warnings+set}" = set; then : + enableval=$enable_fatal_warnings; +fi + +if test "x$enable_fatal_warnings" = "xyes"; then : + + HAVE_FATAL_WARNINGS="-W -Wall -Werror" + + +fi + + +# checking pthread library +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 +$as_echo_n "checking for main in -lpthread... " >&6; } +if ${ac_cv_lib_pthread_main+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lpthread $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + + +int +main () +{ +return main (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_pthread_main=yes +else + ac_cv_lib_pthread_main=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_main" >&5 +$as_echo "$ac_cv_lib_pthread_main" >&6; } +if test "x$ac_cv_lib_pthread_main" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBPTHREAD 1 +_ACEOF + + LIBS="-lpthread $LIBS" + +else + as_fn_error $? "*** POSIX thread support not installed ***" "$LINENO" 5 +fi + ac_fn_c_check_header_mongrel "$LINENO" "pthread.h" "ac_cv_header_pthread_h" "$ac_includes_default" if test "x$ac_cv_header_pthread_h" = xyes; then : @@ -4855,6 +4895,7 @@ echo " prefix: $prefix" echo " sysconfdir: $sysconfdir" echo " seccomp: $HAVE_SECCOMP" echo " : $HAVE_SECCOMP_H" +echo " apparmor: $HAVE_APPARMOR" echo " global config: $HAVE_GLOBALCFG" echo " chroot: $HAVE_CHROOT" echo " bind: $HAVE_BIND" @@ -4866,6 +4907,7 @@ echo " file transfer support: $HAVE_FILE_TRANSFER" echo " fatal warnings: $HAVE_FATAL_WARNINGS" printf " uid_min: "; grep UID_MIN uids.h printf " gid_min: "; grep GID_MIN uids.h +printf " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" echo diff --git a/configure.ac b/configure.ac index a84396ad4..315c25038 100644 --- a/configure.ac +++ b/configure.ac 
@@ -9,6 +9,27 @@ AC_PROG_CC AC_PROG_INSTALL AC_PROG_RANLIB +# Allow to build without apparmor support by calling: +# ./configure --disable-apparmor +# This makes it possible to run snaps in devmode on almost any host, +# regardless of the kernel version. +HAVE_APPARMOR="" +AC_ARG_ENABLE([apparmor], + AS_HELP_STRING([--enable-apparmor], [enable apparmor])) +AS_IF([test "x$enable_apparmor" = "xyes"], [ + HAVE_APPARMOR="-DHAVE_APPARMOR" + AC_SUBST(HAVE_APPARMOR) +]) + +AS_IF([test "x$enable_apparmor" = "xyes"], [ + AC_CHECK_HEADER(sys/apparmor.h, , [AC_MSG_ERROR( + [Couldn't find sys/apparmor.h... please install apparmor user space library and development files] )]) +]) +AS_IF([test "x$enable_apparmor" = "xyes"], [ + EXTRA_LDFLAGS="-lapparmor" +]) +AC_SUBST([EXTRA_LDFLAGS]) + HAVE_SECCOMP="" AC_ARG_ENABLE([seccomp], AS_HELP_STRING([--disable-seccomp], [disable seccomp])) @@ -117,6 +138,7 @@ echo " prefix: $prefix" echo " sysconfdir: $sysconfdir" echo " seccomp: $HAVE_SECCOMP" echo " : $HAVE_SECCOMP_H" +echo " apparmor: $HAVE_APPARMOR" echo " global config: $HAVE_GLOBALCFG" echo " chroot: $HAVE_CHROOT" echo " bind: $HAVE_BIND" @@ -128,6 +150,7 @@ echo " file transfer support: $HAVE_FILE_TRANSFER" echo " fatal warnings: $HAVE_FATAL_WARNINGS" printf " uid_min: "; grep UID_MIN uids.h printf " gid_min: "; grep GID_MIN uids.h +printf " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" echo diff --git a/etc/firejail-default b/etc/firejail-default new file mode 100644 index 000000000..609ab6c19 --- /dev/null +++ b/etc/firejail-default 
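Review bot: The comment above `HAVE_APPARMOR` says support can be dropped with `./configure --disable-apparmor` and talks about running snaps in devmode, but the code below only turns it on for `--enable-apparmor` (`test "x$enable_apparmor" = "xyes"`), so the default is off and the snap wording does not describe this project; suggest `# AppArmor support is opt-in: ./configure --enable-apparmor (needs libapparmor headers and library).` in its place. The enabled branch also checks only `sys/apparmor.h` and then hard-codes `EXTRA_LDFLAGS="-lapparmor"`, so a system with the header but no usable library fails at link time rather than at configure time; `AC_CHECK_LIB([apparmor], [aa_change_onexec], [EXTRA_LDFLAGS="-lapparmor"], [AC_MSG_ERROR([libapparmor not found])])` in place of the third `AS_IF` would catch that, and the three `AS_IF` blocks on the same condition can be collapsed into one while doing so.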
@@ -0,0 +1,129 @@
+#include
+
+profile firejail-default {
+
+#####
+# D-Bus is a huge security hole, we disable it here. Uncomment this line if you
+# need D-Bus functionality.
+#
+#dbus,
+
+#####
+# Mask /proc and /sys information leakage. The configuration here is barely
+# enough to run "top" or "ps aux".
+#
+/ r,
+/[^proc,^sys]** mrwlk,
+
+/proc/ r,
+/proc/meminfo r,
+/proc/cpuinfo r,
+/proc/filesystems r,
+/proc/uptime r,
+/proc/loadavg r,
+/proc/stat r,
+/proc/@{pid}/ r,
+/proc/@{pid}/fd/ r,
+/proc/@{pid}/task/ r,
+/proc/@{pid}/cmdline r,
+/proc/@{pid}/comm r,
+/proc/@{pid}/stat r,
+/proc/@{pid}/statm r,
+/proc/@{pid}/status r,
+/proc/sys/kernel/pid_max r,
+/proc/sys/kernel/shmmax r,
+/sys/ r,
+/sys/bus/ r,
+/sys/bus/** r,
+/sys/class/ r,
+/sys/class/** r,
+/sys/devices/ r,
+/sys/devices/** r,
+
+/proc/@{pid}/maps r,
+/proc/@{pid}/mounts r,
+/proc/@{pid}/mountinfo r,
+/proc/@{pid}/oom_score_adj r,
+
+/{,var/}run/firejail/mnt/fslogger r,
+/{,var/}run/user/**/dconf/ r,
+/{,var/}run/user/**/dconf/user r,
+
+#####
+# Allow running programs only from well-known system directories. If you need
+# to run programs from your home directory, uncomment /home line.
+#
+/lib/** ix,
+/lib64/** ix,
+/bin/** ix,
+/sbin/** ix,
+/usr/bin/** ix,
+/usr/sbin/** ix,
+/usr/local/** ix,
+/usr/lib/** ix,
+/usr/games/** ix,
+/opt/** ix,
+#/home/** ix,
+
+#####
+# Allow all networking functionality, and control it from Firejail.
+#
+network inet,
+network inet6,
+network unix,
+network netlink,
+network raw,
+
+#####
+# There is no equivalent in Firejail for filtering signals.
+#
+signal,
+
+#####
+# Disable all capabilities. If you run your sandbox as root, you might need to
+# enable/uncomment some of them.
+#
+capability chown,
+capability dac_override,
+capability dac_read_search,
+capability fowner,
+capability fsetid,
+capability kill,
+capability setgid,
+capability setuid,
+capability setpcap,
+capability linux_immutable,
+capability net_bind_service,
+capability net_broadcast,
+capability net_admin,
+capability net_raw,
+capability ipc_lock,
+capability ipc_owner,
+capability sys_module,
+capability sys_rawio,
+capability sys_chroot,
+capability sys_ptrace,
+capability sys_pacct,
+capability sys_admin,
+capability sys_boot,
+capability sys_nice,
+capability sys_resource,
+capability sys_time,
+capability sys_tty_config,
+capability mknod,
+capability lease,
+capability audit_write,
+capability audit_control,
+capability setfcap,
+capability mac_override,
+capability mac_admin,
+
+#####
+# No mount/umount functionality when running as regular user.
+#
+mount,
+remount,
+umount,
+pivot_root,
+
+}
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 21f415ba5..15253b5ab 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
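Review bot: `/[^proc,^sys]** mrwlk,` does not mean "everything except /proc and /sys": in AppArmor globbing `[^...]` is a single-character class, so this rule grants `mrwlk` only to paths whose first character after `/` is not one of `p r o c , ^ s y`, which also shuts out /root, /run, /opt, /srv, /sbin, /selinux and anything else starting with those letters. That fails closed rather than open, but it is why the explicit `/{,var/}run/user/**/dconf/` rules had to be added and why, for example, sockets under /run/user stay unreachable; AppArmor has no negated-path glob, so the exclusion has to be spelled out by prefix as in the rewrite below. Separately, the comment "Disable all capabilities ... enable/uncomment some of them" sits above uncommented `capability ...,` rules, and an unprefixed `capability` (or `mount,`/`umount,`) rule in AppArmor *allows* the operation; as written the profile permits every capability and mount operation and leaves the restriction to Firejail's own capability handling, so the comment should say that, e.g. `# All capabilities are allowed here; Firejail drops them itself via its capability bounding set.`, rather than describe them as disabled. The `#include` line also appears empty in this rendering, and `@{pid}` below requires `<tunables/global>`, so please confirm the committed file carries it.
```apparmor
/ r,
# AppArmor has no "everything except" glob: enumerate prefixes so that only
# /proc and /sys themselves are left to the explicit read-only rules below.
/[^ps]*{,/**} mrwlk,
/p[^r]*{,/**} mrwlk,
/pr[^o]*{,/**} mrwlk,
/pro[^c]*{,/**} mrwlk,
/proc?*{,/**} mrwlk,
/s[^y]*{,/**} mrwlk,
/sy[^s]*{,/**} mrwlk,
/sys?*{,/**} mrwlk,
# … unchanged: /proc and /sys read-only rules …
```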
@@ -18,19 +18,21 @@ HAVE_X11=@HAVE_X11@ HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ HAVE_WHITELIST=@HAVE_WHITELIST@ HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ +HAVE_APPARMOR=@HAVE_APPARMOR@ +EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ H_FILE_LIST = $(sort $(wildcard *.[h])) C_FILE_LIST = $(sort $(wildcard *.c)) OBJS = $(C_FILE_LIST:.c=.o) BINOBJS = $(foreach file, $(OBJS), $file) -CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security +CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_APPARMOR) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o ../lib/common.o $(LIBS) + $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) clean:; rm -f *.o firejail firejail.1 firejail.1.gz diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 0fd81979f..1502a0312 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -39,6 +39,9 @@ # define PR_SET_NO_NEW_PRIVS 38 #endif +#ifdef HAVE_APPARMOR +#include +#endif static int monitored_pid = 0; 
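Review bot: `EXTRA_LDFLAGS` is filled by configure with `-lapparmor`, which is a library rather than a linker flag, while the link rule already keeps the two apart (`$(LDFLAGS)` before the objects, `$(LIBS)` after them). Appending it after `$(LIBS)` is the correct position for a library, but the name invites someone to "tidy" it into `LDFLAGS` next to `-pie -Wl,-z,relro -Wl,-z,now`, where a toolchain defaulting to `--as-needed` would discard the library before any object references it. Renaming it `EXTRA_LIBS` in both `configure.ac` and here, or folding it into `LIBS`, would make the split self-documenting; failing that, a comment on the new line, `# EXTRA_LDFLAGS carries libraries (-lapparmor) and must stay after the objects on the link line`, records the constraint.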
@@ -392,6 +395,7 @@ int sandbox(void* sandbox_arg) { if (arg_debug && child_pid == 1) printf("PID namespace installed\n"); + //**************************** // set hostname //**************************** @@ -503,7 +507,6 @@ int sandbox(void* sandbox_arg) { else fs_basic_fs(); - //**************************** // set hostname in /etc/hostname //**************************** @@ -798,8 +801,13 @@ int sandbox(void* sandbox_arg) { pid_t app_pid = fork(); if (app_pid == -1) errExit("fork"); - + if (app_pid == 0) { +#ifdef HAVE_APPARMOR + errno = 0; + if (aa_change_onexec("firejail-default")) + fprintf(stderr, "Warning: apparmor profile not loaded, errno %d\n", errno); +#endif prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died start_application(); // start app } diff --git a/todo b/todo index 009f9fe99..7a96bb2c4 100644 --- a/todo +++ b/todo @@ -251,6 +251,7 @@ References 23. AppArmor $ sudo apt-get install apparmor apparmor-profiles apparmor-utils apparmor-notify +$ sudo apt-get install libapparmor-dev $ sudo perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub $ sudo update-grub @@ -259,5 +260,7 @@ $ sudo reboot If you are using auditd, start aa-notify to get notification whenever a program causes a DENIED message. $ sudo aa-notify -p -f /var/log/audit/audit.log +/sys/module/apparmor/parameters/enabled +/sys/kernel/security/apparmor -- cgit v1.2.3-70-g09d2
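Review bot: When `aa_change_onexec("firejail-default")` fails the child prints a warning and still calls `start_application()`, so the program runs with no AppArmor confinement at all; that may be the intended best-effort policy, but it should be deliberate, either as a runtime opt-in (a `--apparmor` flag under which the failure becomes `errExit`) or with a comment stating that AppArmor is an extra layer here and Firejail's namespaces and seccomp remain the primary boundary. The message is also misleading and hard to act on: a non-zero return is not only "profile not loaded" (libapparmor also reports a disallowed transition or AppArmor being disabled), and a bare `errno %d` makes the user look the number up; `fprintf(stderr, "Warning: cannot set AppArmor profile firejail-default: %s\n", strerror(errno));` covers both, assuming `string.h` is already included in this file. One thing worth checking rather than asserting: this file carries a fallback `#define PR_SET_NO_NEW_PRIVS`, and on some kernels an exec-time transition into an AppArmor profile is refused once no_new_privs is set, so the order of this call relative to that prctl may matter. `sandbox()` begins and ends outside this hunk.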