From b24e0e4049229c7772b067c97b439622804112bb Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 13 Nov 2017 10:53:04 -0500 Subject: netfilter split --- Makefile.in | 4 ++- configure | 3 ++- configure.ac | 2 +- src/firejail/firejail.h | 1 + src/firejail/fs_lib.c | 1 + src/firejail/netfilter.c | 65 +++++++++++++++--------------------------------- 6 files changed, 28 insertions(+), 48 deletions(-) diff --git a/Makefile.in b/Makefile.in index 88ed1f476..54b924288 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,6 +1,6 @@ all: apps man filters MYLIBS = src/lib -APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp +APPS = src/firejail src/firemon src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.64 seccomp.block_secondary seccomp.mdwx @@ -97,6 +97,7 @@ endif install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/. + install -c -m 0755 src/fnetfilter/fnetfilter $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/fcopy/fcopy $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/fldd/fldd $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/fbuilder/fbuilder $(DESTDIR)/$(libdir)/firejail/. @@ -167,6 +168,7 @@ install-strip: all strip src/ftee/ftee strip src/faudit/faudit strip src/fnet/fnet + strip src/fnet/fnetfilter strip src/fseccomp/fseccomp strip src/fcopy/fcopy strip src/fldd/fldd diff --git a/configure b/configure index f64aa2dac..cd46ad8fd 100755 --- a/configure +++ b/configure 
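Review bot: The install-strip hunk strips `src/fnet/fnetfilter`, but the new binary lives at `src/fnetfilter/fnetfilter` according to the APPS line and the install hunk in this same file, so `make install-strip` will fail on a missing path (or, at best, leave fnetfilter unstripped). The line should read `strip src/fnetfilter/fnetfilter`. The other two Makefile.in hunks already use the correct directory.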
@@ -3823,7 +3823,7 @@ if test "$prefix" = /usr; then sysconfdir="/etc" fi -ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile" +ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure @@ -4537,6 +4537,7 @@ do "src/fcopy/Makefile") CONFIG_FILES="$CONFIG_FILES src/fcopy/Makefile" ;; "src/fnet/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnet/Makefile" ;; "src/firejail/Makefile") CONFIG_FILES="$CONFIG_FILES src/firejail/Makefile" ;; + "src/fnetfilter/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnetfilter/Makefile" ;; "src/firemon/Makefile") CONFIG_FILES="$CONFIG_FILES src/firemon/Makefile" ;; "src/libtrace/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtrace/Makefile" ;; "src/libtracelog/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtracelog/Makefile" ;; diff --git a/configure.ac b/configure.ac index 900c8b959..9254a3ee2 100644 --- a/configure.ac +++ b/configure.ac 
@@ -175,7 +175,7 @@ if test "$prefix" = /usr; then sysconfdir="/etc" fi -AC_OUTPUT(Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile \ +AC_OUTPUT(Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \ src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile \ src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 59bd4b959..ade23d89e 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -766,6 +766,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc, // sbox.c // programs #define PATH_FNET (LIBDIR "/firejail/fnet") +#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter") #define PATH_FIREMON (PREFIX "/bin/firemon") #define PATH_FIREJAIL (PREFIX "/bin/firejail") #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp") diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c index 23fdb8a6a..46ee22bf3 100644 --- a/src/firejail/fs_lib.c +++ b/src/firejail/fs_lib.c @@ -387,6 +387,7 @@ void fs_private_lib(void) { fslib_copy_libs(LIBDIR "/firejail/fcopy"); fslib_copy_libs(LIBDIR "/firejail/fldd"); fslib_copy_libs(LIBDIR "/firejail/fnet"); + fslib_copy_libs(LIBDIR "/firejail/fnetfilter"); fslib_copy_libs(LIBDIR "/firejail/fseccomp"); fslib_copy_libs(LIBDIR "/firejail/ftee"); // mount lib filesystem diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index 7246be8cf..517d0462f 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c 
@@ -24,33 +24,24 @@
 #include
 #include
-static char *client_filter =
-"*filter\n"
-":INPUT DROP [0:0]\n"
-":FORWARD DROP [0:0]\n"
-":OUTPUT ACCEPT [0:0]\n"
-"-A INPUT -i lo -j ACCEPT\n"
-"-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
-"# echo replay is handled by -m state RELATED/ESTABLISHED below\n"
-"#-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT\n"
-"-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT\n"
-"-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT\n"
-"-A INPUT -p icmp --icmp-type echo-request -j ACCEPT \n"
-"# disable STUN\n"
-"-A OUTPUT -p udp --dport 3478 -j DROP\n"
-"-A OUTPUT -p udp --dport 3479 -j DROP\n"
-"-A OUTPUT -p tcp --dport 3478 -j DROP\n"
-"-A OUTPUT -p tcp --dport 3479 -j DROP\n"
-"COMMIT\n";
 void check_netfilter_file(const char *fname) {
 EUID_ASSERT();
- invalid_filename(fname, 0); // no globbing
- if (is_dir(fname) || is_link(fname) || strstr(fname, "..") || access(fname, R_OK )) {
- fprintf(stderr, "Error: invalid network filter file %s\n", fname);
+ char *tmp = strdup(fname);
+ if (!tmp)
+ errExit("strdup");
+ char *ptr = strchr(tmp, ',');
+ if (ptr)
+ *ptr = '\0';
+
+ invalid_filename(tmp, 0); // no globbing
+
+ if (is_dir(tmp) || is_link(tmp) || strstr(tmp, "..") || access(tmp, R_OK )) {
+ fprintf(stderr, "Error: invalid network filter file %s\n", tmp);
+ exit(1);
+ }
+ free(tmp);
 }
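Review bot: Only the text before the first comma is validated now: `tmp` is cut at `strchr(tmp, ',')` and the `is_dir`/`is_link`/`".."`/`access` checks run on that prefix, while the full `fname` is what the second hunk of this file hands to PATH_FNETFILTER. Whatever follows the comma (presumably arguments for the filter template) therefore reaches the helper without any check here; either run `invalid_filename()` over each comma-separated field in this function, or add a comment stating that fnetfilter must treat every argv element beyond the path as untrusted user input. A `// fields after the first comma are validated by fnetfilter` note next to the `strchr` would at least make the split of responsibility explicit. The early `exit(1)` path skips `free(tmp)`, which is harmless but could use a short comment.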
@@ -72,29 +63,15 @@ void netfilter(const char *fname) {
 return;
 }
- // read filter
- char *filter = client_filter;
- int allocated = 0;
- if (netfilter_default)
- fname = netfilter_default;
- if (fname) {
- filter = read_text_file_or_exit(fname);
- allocated = 1;
- }
+ // create an empty user-owned SBOX_STDIN_FILE
+ create_empty_file_as_root(SBOX_STDIN_FILE, 0644);
+ if (set_perms(SBOX_STDIN_FILE, getuid(), getgid(), 0644))
+ errExit("set_perms");
- // create the filter file
- FILE *fp = fopen(SBOX_STDIN_FILE, "w");
- if (!fp) {
- fprintf(stderr, "Error: cannot open %s\n", SBOX_STDIN_FILE);
- exit(1);
- }
- fprintf(fp, "%s\n", filter);
- fclose(fp);
-
-
- // push filter
- if (arg_debug)
- printf("Installing network filter:\n%s\n", filter);
+ if (fname == NULL)
+ sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FNETFILTER, SBOX_STDIN_FILE);
+ else
+ sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FNETFILTER, fname, SBOX_STDIN_FILE);
 // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter
 // we run this command with caps and seccomp disabled in order to allow the loading of these modules
@@ -105,8 +82,6 @@ void netfilter(const char *fname) {
 if (arg_debug)
 sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-vL");
- if (allocated)
- free(filter);
 return;
 }
--
cgit v1.2.3-54-g00ecf
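Review bot: The removed lines applied the `netfilter_default` override (`if (netfilter_default) fname = netfilter_default;`) before choosing the filter, and nothing in the new code reads it, so unless the caller now performs that substitution the `netfilter-default` configuration is silently ignored and fnetfilter's built-in filter is used instead. If the override is meant to stay in this function, keep `if (netfilter_default) fname = netfilter_default;` ahead of the `fname == NULL` test. The `arg_debug` dump of the filter text was also removed; if fnetfilter does not print the rules it writes, a debug run no longer shows what was installed, which is worth either restoring or noting in a comment above the `sbox_run` calls. The beginning of netfilter() is outside this hunk.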