From c22f9de02db17cb10b08f3d4893987228799ca89 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Tue, 9 Aug 2016 07:46:28 -0400
Subject: various fixes
---
 src/firejail/sandbox.c | 27 ++++++++++++++++++---------
 src/firejail/seccomp.c | 12 ++++++++++++
 test/features/1.2.exp | 24 ++++++++++++------------
 test/features/3.6.exp | 11 ++++++++---
 test/features/3.8.exp | 8 ++++++--
 5 files changed, 56 insertions(+), 26 deletions(-)
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index f37605e20..a131d9e91 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -460,8 +460,9 @@ int sandbox(void* sandbox_arg) {
 #ifdef HAVE_CHROOT
 if (cfg.chrootdir) {
 fs_chroot(cfg.chrootdir);
- // redo cp command
- fs_build_cp_command();
+
+// // redo cp command
+// fs_build_cp_command();
 // force caps and seccomp if not started as root
 if (getuid() != 0) {
@@ -482,7 +483,7 @@ int sandbox(void* sandbox_arg) {
 // disable all capabilities
 if (arg_caps_default_filter || arg_caps_list)
- fprintf(stderr, "Warning: all capabilities disabled for a regular user during chroot\n");
+ fprintf(stderr, "Warning: all capabilities disabled for a regular user in chroot\n");
 arg_caps_drop_all = 1;
 // drop all supplementary groups; /etc/group file inside chroot
@@ -530,13 +531,21 @@ int sandbox(void* sandbox_arg) {
 if (arg_private_dev)
 fs_private_dev();
 if (arg_private_etc) {
- fs_private_etc_list();
- // create /etc/ld.so.preload file again
- if (arg_trace || arg_tracelog)
- fs_trace_preload();
+ if (cfg.chrootdir)
+ fprintf(stderr, "Warning: private-etc feature is disabled in chroot\n");
+ else {
+ fs_private_etc_list();
+ // create /etc/ld.so.preload file again
+ if (arg_trace || arg_tracelog)
+ fs_trace_preload();
+ }
+ }
+ if (arg_private_bin) {
+ if (cfg.chrootdir)
+ fprintf(stderr, "Warning: private-bin feature is disabled in chroot\n");
+ else
+ fs_private_bin_list();
 }
- if (arg_private_bin)
- fs_private_bin_list();
 if (arg_private_tmp)
 fs_private_tmp();
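Review bot: In the first sandbox.c hunk (the `cfg.chrootdir` block of `sandbox()`), the `fs_build_cp_command()` call is commented out rather than deleted, and neither the code nor the commit message ("various fixes") says why. Because this sits directly after `fs_chroot()`, a reader needs to know which cp path later code relies on; from the hunk alone it looks as if the value resolved before the chroot is kept, which should be confirmed against the helper's callers. I would delete the two dead lines, along with the whitespace-only line added above them, and leave a one-line comment such as `// cp command is not rebuilt after chroot: (reason here)`. The body of `sandbox()` starts and ends outside the hunk.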
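Review bot: In the third sandbox.c hunk, when `cfg.chrootdir` is set the `arg_private_etc` and `arg_private_bin` branches only print a warning and carry on, so the sandbox starts with the chroot's full /etc and bin directories even though the caller asked for them to be restricted. A stderr warning is easy to miss when the sandbox is started from a script or a desktop launcher, leaving the caller with weaker isolation than requested. Consider failing closed instead, e.g. `fprintf(stderr, "Error: private-etc is not supported in chroot\n"); exit(1);` and the same for private-bin, or rejecting the combination during option parsing. At minimum, document the restriction next to the options. The enclosing `sandbox()` body continues outside the hunk.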
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index efe24a211..88620d1dd 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -101,10 +101,22 @@ static void filter_init(void) {
 sfilter_alloc_size = SECSIZE;
 // copy the start entries
+#if defined(__x86_64__)
+#define X32_SYSCALL_BIT 0x40000000
+ struct sock_filter filter[] = {
+ VALIDATE_ARCHITECTURE,
+ EXAMINE_SYSCALL,
+ // handle X32 ABI
+ BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0),
+ BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0),
+ RETURN_ERRNO(EPERM)
+ };
+#else
 struct sock_filter filter[] = {
 VALIDATE_ARCHITECTURE,
 EXAMINE_SYSCALL
 };
+#endif
 sfilter_index = sizeof(filter) / sizeof(struct sock_filter);
 memcpy(sfilter, filter, sizeof(filter));
 }
diff --git a/test/features/1.2.exp b/test/features/1.2.exp
index 685acf737..bcb227304 100755
--- a/test/features/1.2.exp
+++ b/test/features/1.2.exp
@@ -115,22 +115,22 @@ if { $chroot == "chroot" } {
 timeout {puts "TESTING ERROR 5.3\n";exit}
 "proc /proc/sys proc"
 }
- expect {
- timeout {puts "TESTING ERROR 5.4\n";exit}
- "proc /proc/sysrq-trigger proc"
- }
+# expect {
+# timeout {puts "TESTING ERROR 5.4\n";exit}
+# "proc /proc/sysrq-trigger proc"
+# }
 # expect {
 # timeout {puts "TESTING ERROR 5.5\n";exit}
 # "proc /proc/sys/kernel/hotplug"
 # }
- expect {
- timeout {puts "TESTING ERROR 5.6\n";exit}
- "proc /proc/irq proc"
- }
- expect {
- timeout {puts "TESTING ERROR 5.7\n";exit}
- "proc /proc/bus proc"
- }
+# expect {
+# timeout {puts "TESTING ERROR 5.6\n";exit}
+# "proc /proc/irq proc"
+# }
+# expect {
+# timeout {puts "TESTING ERROR 5.7\n";exit}
+# "proc /proc/bus proc"
+# }
 after 100
 send -- "exit\r"
 sleep 1
diff --git a/test/features/3.6.exp b/test/features/3.6.exp
index a00517716..389e63a1d 100755
--- a/test/features/3.6.exp
+++ b/test/features/3.6.exp
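Review bot: In the seccomp.c hunk, the two `BPF_JGE` jumps in the `__x86_64__` branch of `filter_init()` implement the x32 rejection purely through relative offsets, with only `// handle X32 ABI` as explanation. The second jump compares against 0, which is always true for the unsigned syscall number, so it is really an unconditional skip over `RETURN_ERRNO(EPERM)`. The offsets are right only while `RETURN_ERRNO` expands to exactly one `struct sock_filter` entry; that macro is defined outside this hunk, so please confirm. I would spell the intent out, e.g. `// nr >= X32_SYSCALL_BIT: fall into RETURN_ERRNO(EPERM); native x86_64 nr: skip it`, and write the skip as `BPF_STMT(BPF_JMP+BPF_JA, 1),`. `X32_SYSCALL_BIT` is also `#define`d inside the function body and stays defined for the rest of the file; the kernel headers' `__X32_SYSCALL_BIT` could be used where available.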
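Review bot: Checks 5.4, 5.6 and 5.7 in the 1.2.exp hunk are commented out with no reason given, so the chroot test no longer verifies the `proc /proc/sysrq-trigger proc`, `proc /proc/irq proc` and `proc /proc/bus proc` mount entries. If those mounts are no longer made in chroot mode, that is a reduction in /proc hardening and should be stated; if the checks were merely unreliable, disabling them means a later regression would go unnoticed. I would either delete the blocks or keep them with a comment such as `# disabled in chroot: (reason here)`, and say in the commit message which of the two it is.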
@@ -60,14 +60,19 @@ if { $chroot == "chroot" } {
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}
 "chroot option is not available" {puts "grsecurity\n"; exit}
+ "private-etc feature is disabled in chroot"
+ }
+ expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "chroot option is not available" {puts "grsecurity\n"; exit}
 "Child process initialized"
 }
 sleep 1
- send -- "ls -al /etc | wc -l\r"
+ send -- "ls /etc | grep firejail\r"
 expect {
- timeout {puts "TESTING ERROR 5.1\n";exit}
- "10"
+ timeout {puts "TESTING ERROR 6\n";exit}
+ "firejail"
 }
 after 100
diff --git a/test/features/3.8.exp b/test/features/3.8.exp
index 94a1abf67..d941fa9b7 100755
--- a/test/features/3.8.exp
+++ b/test/features/3.8.exp
@@ -61,14 +61,18 @@ if { $chroot == "chroot" } {
 send -- "firejail --noprofile --chroot=/tmp/chroot --private-bin=bash,cat,cp,ls,wc\r"
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}
+ "private-bin feature is disabled in chroot"
+ }
+ expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
 "Child process initialized"
 }
 sleep 1
 send -- "ls -l /usr/bin | wc -l\r"
 expect {
- timeout {puts "TESTING ERROR 5.1\n";exit}
- "6"
+ timeout {puts "TESTING ERROR 6\n";exit}
+ "9"
 }
 after 100
--
cgit v1.2.3-54-g00ecf
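Review bot: In the 3.6.exp hunk the new check 6 sends `ls /etc | grep firejail` and then expects the pattern `"firejail"`, which is already satisfied by the terminal's echo of the command line itself (assuming the usual pty echo), so it passes whether or not /etc contains a firejail entry. Anchor the pattern to the start of an output line, e.g. `"\nfirejail"`, or grep for a string that does not appear in the command as typed. The 3.8.exp hunk has a related weakness: `"9"` matches any output that merely contains that digit, and the expected count depends on what the test chroot happens to contain.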