From 81b2c7aa07e5a0657398a7a34a4dc01e87eeb6ac Mon Sep 17 00:00:00 2001
From: netblue30
Date: Tue, 6 Oct 2020 08:47:15 -0400
Subject: DHCP fixes

---
 src/firejail/dhcp.c | 26 +++++++++++++++++++++++++-
 src/firejail/firejail.h | 1 +
 src/firejail/main.c | 13 +++++++++++--
 src/firejail/sandbox.c | 2 ++
 src/include/rundefs.h | 2 +-
 5 files changed, 40 insertions(+), 4 deletions(-)

diff --git a/src/firejail/dhcp.c b/src/firejail/dhcp.c
index 37547a985..456bba91b 100644
--- a/src/firejail/dhcp.c
+++ b/src/firejail/dhcp.c
@@ -130,7 +130,9 @@ static void dhcp_waitll_all() {
 	dhcp_waitll(cfg.bridge3.devsandbox);
 }
 
-void dhcp_start(void) {
+// Temporarily copy dhclient executable under /run/firejail/mnt and start it from there
+// in order to recognize it later in firemon and firetools
+void dhcp_store_exec(void) {
 	if (!any_dhcp())
 		return;
 
@@ -144,6 +146,26 @@ void dhcp_start(void) {
 		}
 	}
 
+	sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", dhclient_path, RUN_MNT_DIR);
+}
+
+void dhcp_start(void) {
+	if (!any_dhcp())
+		return;
+
+	char *dhclient_path = RUN_MNT_DIR "/dhclient";;
+	struct stat s;
+	if (stat(dhclient_path, &s) == -1) {
+		dhclient_path = "/usr/sbin/dhclient";
+		if (stat(dhclient_path, &s) == -1) {
+			fprintf(stderr, "Error: dhclient was not found.\n");
+			exit(1);
+		}
+	}
+
+	sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", dhclient_path, RUN_MNT_DIR);
+	dhclient_path = RUN_MNT_DIR "/dhclient";
+
 	EUID_ROOT();
 	if (mkdir(RUN_DHCLIENT_DIR, 0700))
 		errExit("mkdir");
@@ -163,4 +185,6 @@ void dhcp_start(void) {
 			exit(1);
 		}
 	}
+
+	unlink(dhclient_path);
 }
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 2bb8dd351..6c0ebcd43 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -867,6 +867,7 @@ void dbus_apply_policy(void);
 // dhcp.c
 extern pid_t dhclient4_pid;
 extern pid_t dhclient6_pid;
+void dhcp_store_exec(void);
 void dhcp_start(void);
 
 // selinux.c
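Review bot: When the copy staged by dhcp_store_exec() already exists, the new dhcp_start() still runs fcopy with `RUN_MNT_DIR "/dhclient"` as the source and `RUN_MNT_DIR` as the destination directory, which — judging by the reassignment `dhclient_path = RUN_MNT_DIR "/dhclient";` that follows — copies the file onto itself; whether that is harmless depends on how fcopy treats an identical source and destination, and it is unnecessary work under SBOX_ROOT either way. The copy belongs only in the fallback branch, where `/usr/sbin/dhclient` was found instead of the staged copy. The declaration `char *dhclient_path = RUN_MNT_DIR "/dhclient";;` also carries a stray second semicolon. Note that main.c un-blacklists both /sbin and /usr/sbin for --ip=dhcp while the fallback here only looks in /usr/sbin; if the lookup in dhcp_store_exec (outside this hunk) also checks /sbin, the two should agree.
```c
	char *dhclient_path = RUN_MNT_DIR "/dhclient";
	struct stat s;
	if (stat(dhclient_path, &s) == -1) {
		// nothing staged by dhcp_store_exec(): fall back to the system binary and stage it now
		dhclient_path = "/usr/sbin/dhclient";
		if (stat(dhclient_path, &s) == -1) {
			fprintf(stderr, "Error: dhclient was not found.\n");
			exit(1);
		}
		sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", dhclient_path, RUN_MNT_DIR);
		dhclient_path = RUN_MNT_DIR "/dhclient";
	}
	// … unchanged: EUID_ROOT(), mkdir(RUN_DHCLIENT_DIR, 0700) …
```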
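Review bot: The new `unlink(dhclient_path)` discards its result, so a failure leaves the staged executable under RUN_MNT_DIR for the life of the sandbox with nothing reported, and the line does not say why removing the file while dhclient is running is safe. The first hunk states that the copy exists so firemon and firetools can recognize the client later; if they identify it by the executable path rather than the command line, unlinking it will presumably get in the way, which is worth confirming before keeping this line. At minimum, `if (unlink(dhclient_path) == -1) perror("unlink");` would surface the failure, together with a comment such as `// the running dhclient keeps its inode open; drop the staged copy so it is not left under RUN_MNT_DIR`. The rest of dhcp_start() lies outside this hunk.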
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 5cc2d4123..daa924698 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -888,19 +888,20 @@ char *guess_shell(void) {
 	return shell;
 }
 
+// return argument index
 static int check_arg(int argc, char **argv, const char *argument, int strict) {
 	int i;
 	int found = 0;
 	for (i = 1; i < argc; i++) {
 		if (strict) {
 			if (strcmp(argv[i], argument) == 0) {
-				found = 1;
+				found = i;
 				break;
 			}
 		}
 		else {
 			if (strncmp(argv[i], argument, strlen(argument)) == 0) {
-				found = 1;
+				found = i;
 				break;
 			}
 		}
@@ -1046,6 +1047,14 @@ int main(int argc, char **argv, char **envp) {
 	}
 	EUID_USER();
 
+	// --ip=dhcp - we need access to /sbin and /usr/sbin directories in order to run ISC DHCP client (dhclient)
+	// these paths are disabled in disable-common.inc
+	if ((i = check_arg(argc, argv, "--ip", 0)) != 0) {
+		if (strncmp(argv[i] + 4, "=dhcp", 5) == 0) {
+			profile_add("noblacklist /sbin");
+			profile_add("noblacklist /usr/sbin");
+		}
+	}
 
 	// for appimages we need to remove "include disable-shell.inc from the profile
 	// a --profile command can show up before --appimage
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index ff6be986f..3e8dbe5d9 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -651,6 +651,8 @@ int sandbox(void* sandbox_arg) {
 	if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, NULL, MS_BIND, NULL) < 0 ||
 	    mount(NULL, RUN_FIREJAIL_LIB_DIR, NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_BIND|MS_REMOUNT, NULL) < 0)
 		errExit("mounting " RUN_FIREJAIL_LIB_DIR);
+	// keep a copy of dhclient executable before the filesystem is modified
+	dhcp_store_exec();
 
 	//****************************
 	// log sandbox data
diff --git a/src/include/rundefs.h b/src/include/rundefs.h
index 4da2db748..21aad66f7 100644
--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
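Review bot: The new comment `// return argument index` does not say what check_arg returns when nothing matches, and after this change `found` holds an index rather than a flag, which its name no longer conveys. Suggest `// return the index of the first argv entry matching argument (exact match when strict, prefix match otherwise), or 0 if none does`; returning `i` directly from the loop and dropping `found` would also simplify the body. The remainder of check_arg, including its return statement, is outside this hunk.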
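Review bot: The non-strict lookup `check_arg(argc, argv, "--ip", 0)` returns the first argument that merely starts with `--ip`, so if any other option whose name begins with `--ip` precedes `--ip=dhcp` on the command line, the `=dhcp` test runs against that earlier argument and the two noblacklist lines are never added even though DHCP was requested; `strncmp(argv[i] + 4, "=dhcp", 5)` also accepts any argument that begins with `--ip=dhcp`. A strict comparison avoids both problems: `if (check_arg(argc, argv, "--ip=dhcp", 1)) {` with the inner strncmp removed and `i` no longer needed here. The declaration of `i` and the rest of main() are outside this hunk.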
@@ -51,7 +51,7 @@
 #define RUN_LIB_DIR RUN_MNT_DIR "/lib"
 #define RUN_LIB_FILE RUN_MNT_DIR "/libfiles"
 #define RUN_DNS_ETC RUN_MNT_DIR "/dns-etc"
-#define RUN_DHCLIENT_DIR RUN_MNT_DIR "/dhclient"
+#define RUN_DHCLIENT_DIR RUN_MNT_DIR "/dhclient-dir"
 #define RUN_DHCLIENT_4_LEASES_FILE RUN_DHCLIENT_DIR "/dhclient.leases"
 #define RUN_DHCLIENT_6_LEASES_FILE RUN_DHCLIENT_DIR "/dhclient6.leases"
 #define RUN_DHCLIENT_4_LEASES_FILE RUN_DHCLIENT_DIR "/dhclient.leases"
-- 
cgit v1.2.3-54-g00ecf