From 7f84ed7a38a5f83deaab94522978cbf5b5c89465 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sat, 22 Aug 2015 07:21:50 -0400
Subject: support net none in profile files

---
 RELNOTES | 5 ++++-
 etc/evince.profile | 2 +-
 src/firejail/profile.c | 8 ++++++++
 src/man/firejail-profile.txt | 7 +++++++
 src/man/firejail.txt | 4 ++++
 test/net_none.exp | 32 ++++++++++++++++++++++++++++++++
 test/net_none.profile | 1 +
 7 files changed, 57 insertions(+), 2 deletions(-)
 create mode 100644 test/net_none.profile

diff --git a/RELNOTES b/RELNOTES
index 19c3b6a00..acbac2275 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -5,8 +5,11 @@ firejail (0.9.29) baseline; urgency=low
  * added --private-etc option
  * support ${HOME} token in include directive in profile files
  * --private.keep is transitioned to --private-home
+ * support ~ and blanks in blacklist option
+ * support "net none" command in profile files
+ * added "net none" to Evince PDF viewer
  * bugfixes
- -- netblue30 Sat, 12 Aug 2015 20:25:00 -0500
+ -- netblue30 Sat, 22 Aug 2015 20:25:00 -0500
 firejail (0.9.28) baseline; urgency=low
  * network scanning, --scan option
diff --git a/etc/evince.profile b/etc/evince.profile
index e81044314..c90317ed8 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -5,5 +5,5 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-history.inc
 caps.drop all
 seccomp
-netfilter
+net none
 noroot
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index e9a2e55a3..86db82da0 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -128,6 +128,14 @@ int profile_check_line(char *ptr, int lineno) {
  check_netfilter_file(arg_netfilter_file);
  return 0;
  }
+ else if (strcmp(ptr, "net none") == 0) {
+ arg_nonetwork = 1;
+ cfg.bridge0.configured = 0;
+ cfg.bridge1.configured = 0;
+ cfg.bridge2.configured = 0;
+ cfg.bridge3.configured = 0;
+ return 0;
+ }
  // seccomp drop list on top of default list
  if (strncmp(ptr, "seccomp ", 8) == 0) {
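Review bot: The new `net none` branch in profile_check_line only fires on an exact `strcmp` match, unlike the prefix-style `strncmp(ptr, "seccomp ", 8)` used for the sibling directive a few lines down, so a line such as `net  none` or `net none ` with trailing whitespace falls through to whatever the unmatched-line path does; that path is outside the hunk, and if it tolerates unknown lines rather than rejecting them, the sandbox would start with its network intact despite the profile asking for none. Matching the directive by prefix and refusing any argument other than `none` keeps the failure closed, using whatever error convention the rest of the file follows: `else if (strncmp(ptr, "net ", 4) == 0) {` then `if (strcmp(ptr + 4, "none") != 0) { fprintf(stderr, "Error: invalid net command on line %d\n", lineno); exit(1); }` before the existing assignments. The six assignments presumably mirror what the `--net=none` command-line path does; a small shared helper would keep the two from drifting when more bridges or other network state are added. profile_check_line starts before the hunk and continues after it.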
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 7be5304c1..58ba39b00 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -179,6 +179,13 @@ If a new network namespace is created, enabled default network filter.
 netfilter filename
 If a new network namespace is created, enabled the network filter in filename.
+.TP
+net none
+Enable a new, unconnected network namespace. The only interface
+available in the new namespace is a new loopback interface (lo).
+Use this option to deny network access to programs that don't
+really need network access.
+
 .TP
 dns address
 Set a DNS server for the sandbox. Up to three DNS servers can be defined.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 0b7ed1434..ffc698edd 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -97,6 +97,10 @@ Blacklist directory or file. Example:
 .br
 $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin
+.br
+$ firejail \-\-blacklist=~/.mozilla
+.br
+$ firejail "\-\-blacklist=My Virtual Machines"
 .TP
 \fB\-c
 Execute command and exit.
diff --git a/test/net_none.exp b/test/net_none.exp
index dfa14a211..54b6cb946 100755
--- a/test/net_none.exp
+++ b/test/net_none.exp
@@ -4,6 +4,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
+# options
 send -- "firejail --net=none\r"
 expect {
  timeout {puts "TESTING ERROR 0\n";exit}
@@ -30,7 +31,38 @@ expect {
  "eth0" {puts "TESTING ERROR 2.1\n";exit}
  "home"
 }
+send -- "exit\r"
+sleep 1
+send -- "exit\r"
+sleep 1
+
+# profile
+send -- "firejail --profile=net_none.profile\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "eth0" {puts "TESTING ERROR 3.1\n";exit}
+ "Child process initialized"
+}
 sleep 1
+# test default gw
+send -- "bash\r"
+sleep 1
+send -- "netstat -rn; pwd\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "0.0.0.0" {puts "TESTING ERROR 4.1\n";exit}
+ "home"
+}
+sleep 1
+
+# check again devices
+send -- "cat /proc/1/net/dev;pwd\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "eth0" {puts "TESTING ERROR 5.1\n";exit}
+ "home"
+}
+sleep 1
 puts "\n"
diff --git a/test/net_none.profile b/test/net_none.profile
new file mode 100644
index 000000000..079c08ea8
--- /dev/null
+++ b/test/net_none.profile
@@ -0,0 +1 @@
+net none
-- cgit v1.2.3-70-g09d2
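Review bot: The two device checks added here, after `--profile=net_none.profile` and after `cat /proc/1/net/dev;pwd`, only fail when the literal string `eth0` shows up, so on a host whose interfaces carry other names (enp0s3, wlan0, ...) a regression that leaves the real interfaces visible in the sandbox would still pass; the first hunk's `--net=none` check has the same weakness. Asserting the positive condition is host-independent: list the interfaces (e.g. `ls /sys/class/net; pwd`) and match with an anchored `-re` pattern that allows only `lo` between the command echo and the `home` marker, treating anything else as an error. The `0.0.0.0` route check on `netstat -rn` is fine as written, since an unconnected namespace cannot have a default route.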