From 97a9d0186863f6afe1a003e7e390b1b369167531 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 17 Feb 2016 12:13:19 -0500 Subject: mkdir support in profile files --- README.md | 21 +++++++++++++ RELNOTES | 1 + etc/firefox.profile | 4 +++ src/firejail/firejail.h | 3 ++ src/firejail/fs_mkdir.c | 70 ++++++++++++++++++++++++++++++++++++++++++++ src/firejail/profile.c | 5 ++++ src/man/firejail-profile.txt | 19 ++++++++++++ 7 files changed, 123 insertions(+) create mode 100644 src/firejail/fs_mkdir.c diff --git a/README.md b/README.md index f502c8909..6769ad47e 100644 --- a/README.md +++ b/README.md @@ -79,6 +79,27 @@ $ firejail --net=eth0 firefox $ firejail --nice=-5 firefox ````` +## mkdir + +````` +$ man firejail-profile +[...] + mkdir directory + Create a directory in user home. Use this command for + whitelisted directories you need to preserve when the sandbox is + closed. Subdirectories also need to be created using mkdir. + Example from firefox profile: + + mkdir ~/.mozilla + whitelist ~/.mozilla + mkdir ~/.cache + mkdir ~/.cache/mozilla + mkdir ~/.cache/mozilla/firefox + whitelist ~/.cache/mozilla/firefox + +[...] +````` + ## New security profiles lxterminal, Epiphany, cherrytree diff --git a/RELNOTES b/RELNOTES index 8617ac659..86bb10b1a 100644 --- a/RELNOTES +++ b/RELNOTES @@ -3,6 +3,7 @@ firejail (0.9.39) baseline; urgency=low * default seccomp filter update * disable STUN/WebRTC in default netfilter configuration * added --nice option + * addded mkdir profile command * --version also prints compile options * build rpm packages using "make rpms" * new profiles: lxterminal, Epiphany, cherrytree diff --git a/etc/firefox.profile b/etc/firefox.profile index 0946ebfbe..0b082f216 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile @@ -12,7 +12,11 @@ netfilter tracelog noroot whitelist ${DOWNLOADS} +mkdir ~/.mozilla whitelist ~/.mozilla +mkdir ~/.cache +mkdir ~/.cache/mozilla +mkdir ~/.cache/mozilla/firefox whitelist ~/.cache/mozilla/firefox whitelist ~/dwhelper whitelist ~/.zotero diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index a754711b1..2662cc1d7 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -512,5 +512,8 @@ void check_user(int argc, char **argv); // paths.c char **build_paths(void); +// fs_mkdir.c +void fs_mkdir(const char *name); + #endif diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c new file mode 100644 index 000000000..7c2b108c6 --- /dev/null +++ b/src/firejail/fs_mkdir.c @@ -0,0 +1,70 @@ +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ +#include "firejail.h" +#include +#include +#include +#include + #include + +void fs_mkdir(const char *name) { + // check directory name + invalid_filename(name); + char *expanded = expand_home(name, cfg.homedir); + if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0) { + fprintf(stderr, "Error: only directories in user home are supported by mkdir\n"); + exit(1); + } + + struct stat s; + if (stat(expanded, &s) == 0) { + // file exists, do nothing + goto doexit; + } + + // fork a process, drop privileges, and create the directory + // no error recovery will be attempted + pid_t child = fork(); + if (child < 0) + errExit("fork"); + if (child == 0) { + if (arg_debug) + printf("Create %s directory\n", expanded); + + // drop privileges + if (setgroups(0, NULL) < 0) + errExit("setgroups"); + if (setgid(getgid()) < 0) + errExit("setgid/getgid"); + if (setuid(getuid()) < 0) + errExit("setuid/getuid"); + + // create directory + if (mkdir(expanded, 0755) == -1) + fprintf(stderr, "Warning: cannot create %s directory\n", expanded); + exit(0); + } + + // wait for the child to finish + waitpid(child, NULL, 0); + +doexit: + free(expanded); +} diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 70ec360ce..0c28eefd8 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -99,6 +99,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } + if (strncmp(ptr, "mkdir ", 6) == 0) { + fs_mkdir(ptr + 6); + return 0; + } + // sandbox name if (strncmp(ptr, "name ", 5) == 0) { cfg.name = ptr + 5; diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 3ebb11549..b46958bd4 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -134,6 +134,25 @@ Mount-bind directory1 on top of directory2. This option is only available when r \fBbind file1,file2 Mount-bind file1 on top of file2. This option is only available when running as root. .TP +\fBmkdir directory +Create a directory in user home. Use this command for whitelisted directories you need to preserve +when the sandbox is closed. Subdirectories also need to be created using mkdir. Example from +firefox profile: +.br + +.br +mkdir ~/.mozilla +.br +whitelist ~/.mozilla +.br +mkdir ~/.cache +.br +mkdir ~/.cache/mozilla +.br +mkdir ~/.cache/mozilla/firefox +.br +whitelist ~/.cache/mozilla/firefox +.TP \fBprivate Mount new /root and /home/user directories in temporary filesystems. All modifications are discarded when the sandbox is -- cgit v1.2.3-70-g09d2