From c2b6b6b1a348d70b776983051851e42ba66ab271 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Fri, 20 Jan 2023 20:06:06 -0500
Subject: private-etc rework: remove hiding blacklisted files in private-etc directory feature
---
 Makefile | 2 +-
 etc/firejail.config | 4 ----
 src/firejail/checkcfg.c | 2 --
 src/firejail/firejail.h | 1 -
 src/firejail/fs.c | 4 ++--
 src/firejail/fs_etc.c | 37 +++++++++++++++++++++++++++++++++++++
 src/firejail/sandbox.c | 6 +++---
 src/include/rundefs.h | 2 ++
 8 files changed, 45 insertions(+), 13 deletions(-)
diff --git a/Makefile b/Makefile
index f2cd3aa75..b1f4a1fbc 100644
--- a/Makefile
+++ b/Makefile
@@ -276,7 +276,7 @@ $(TEST_TARGETS):
 # extract some data about the testing setup: kernel, network connectivity, user
-lab-setup:; uname -r; pwd; whoami; cat /etc/resolv.conf; cat /etc/hosts; dig dns.quad9.net;
+lab-setup:; uname -r; pwd; whoami; cat /etc/resolv.conf; cat /etc/hosts
 test: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters
 echo "TEST COMPLETE"
diff --git a/etc/firejail.config b/etc/firejail.config
index 13db32f1e..e8bf45751 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -78,10 +78,6 @@
 # Enable or disable overlayfs features, default enabled.
 # overlayfs yes
-# Hide blacklisted files in /etc directory (enabling this may break
-# /etc/resolv.conf; see #5010), default disabled.
-# etc-hide-blacklisted no
-
 # Set the limit for file copy in several --private-* options. The size is set
 # in megabytes. By default we allow up to 500MB.
 # Note: the files are copied in RAM.
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index ce8446cc8..62b8c4dc4 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -51,7 +51,6 @@ int checkcfg(int val) {
 cfg_val[i] = 1; // most of them are enabled by default
 cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default
 cfg_val[CFG_FORCE_NONEWPRIVS] = 0;
- cfg_val[CFG_ETC_HIDE_BLACKLISTED] = 0;
 cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0;
 cfg_val[CFG_FIREJAIL_PROMPT] = 0;
 cfg_val[CFG_DISABLE_MNT] = 0;
@@ -116,7 +115,6 @@ int checkcfg(int val) {
 PARSE_YESNO(CFG_TRACELOG, "tracelog")
 PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title")
 PARSE_YESNO(CFG_OVERLAYFS, "overlayfs")
- PARSE_YESNO(CFG_ETC_HIDE_BLACKLISTED, "etc-hide-blacklisted")
 PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin")
 PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local")
 PARSE_YESNO(CFG_PRIVATE_CACHE, "private-cache")
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 13ee573ad..4fe3a5974 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -811,7 +811,6 @@ enum {
 CFG_FORCE_NONEWPRIVS,
 CFG_XEPHYR_WINDOW_TITLE,
 CFG_OVERLAYFS,
- CFG_ETC_HIDE_BLACKLISTED,
 CFG_PRIVATE_BIN,
 CFG_PRIVATE_BIN_NO_LOCAL,
 CFG_PRIVATE_CACHE,
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 74f7bddd9..89a67f686 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -67,7 +67,7 @@ static void disable_file(OPERATION op, const char *filename) {
 // they don't seem to like a uid of 0
 // force mounting
 int fd = open(filename, O_PATH|O_CLOEXEC);
- if (fd < 0)
+ if (fd < 0)
 return;
 EUID_ROOT();
@@ -159,7 +159,7 @@ static void disable_file(OPERATION op, const char *filename) {
 fs_logger2("blacklist-nolog", fname);
 // files in /etc will be reprocessed during /etc rebuild
- if (checkcfg(CFG_ETC_HIDE_BLACKLISTED) && strncmp(fname, "/etc/", 5) == 0) {
+ if (strncmp(fname, "/etc/", 5) == 0) {
 ProfileEntry *prf = malloc(sizeof(ProfileEntry));
 if (!prf)
 errExit("malloc");
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index aa4d76431..5eb3e34e0 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
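Review bot: In the second fs.c hunk, `if (strncmp(fname, "/etc/", 5) == 0) {` now allocates and records a ProfileEntry for every blacklisted path under /etc, while the only consumer named by the comment above it, the /etc rebuild, is compiled out by the `#if 0` this same commit puts around fs_rebuild_etc(). Unless something outside this diff still reads that list, the entries are built and never used, and the commit title says the feature is being removed rather than made unconditional. Either drop the branch together with the option, or update the comment to name what consumes the entries now, for example `// files in /etc are recorded for <consumer>; fs_rebuild_etc() is disabled`. disable_file() starts and ends outside the hunk, so what happens to `prf` after the malloc is not visible here.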
@@ -26,6 +26,41 @@
 #include
 #include
+void fs_resolvconf(void) {
+ if (arg_debug)
+ printf("Creating a new /etc/resolv.conf file\n");
+ FILE *fp = fopen(RUN_RESOLVCONF_FILE, "wxe");
+ if (!fp) {
+ fprintf(stderr, "Error: cannot create /etc/resolv.conf file\n");
+ exit(1);
+ }
+
+ if (cfg.dns1) {
+ if (any_dhcp())
+ fwarning("network setup uses DHCP, nameservers will likely be overwritten\n");
+ fprintf(fp, "nameserver %s\n", cfg.dns1);
+ }
+ if (cfg.dns2)
+ fprintf(fp, "nameserver %s\n", cfg.dns2);
+ if (cfg.dns3)
+ fprintf(fp, "nameserver %s\n", cfg.dns3);
+ if (cfg.dns4)
+ fprintf(fp, "nameserver %s\n", cfg.dns4);
+
+ // mode and owner
+ SET_PERMS_STREAM(fp, 0, 0, 0644);
+
+ fclose(fp);
+ selinux_relabel_path(RUN_RESOLVCONF_FILE, "/etc/resolv.conf");
+
+
+ if (mount(RUN_RESOLVCONF_FILE, "/etc/resolv.conf", "none", MS_BIND, "mode=644,gid=0") < 0)
+ errExit("mount");
+
+ fs_logger("create /etc/resolv.conf");
+}
+
+
 // spoof /etc/machine_id
 void fs_machineid(void) {
 union machineid_t {
@@ -262,6 +297,7 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
 fmessage("Private %s installed in %0.2f ms\n", private_dir, timetrace_end());
 }
+#if 0
 void fs_rebuild_etc(void) {
 int have_dhcp = 1;
 if (cfg.dns1 == NULL && !any_dhcp()) {
@@ -392,3 +428,4 @@ void fs_rebuild_etc(void) {
 fs_logger("create /etc/resolv.conf");
 }
+#endif
\ No newline at end of file
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 1afb3a293..3d0d43965 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1096,10 +1096,10 @@ int sandbox(void* sandbox_arg) {
 fs_dev_disable_input();
 //****************************
- // rebuild etc directory, set dns
+ // set DNS
 //****************************
- if (!arg_writable_etc)
- fs_rebuild_etc();
+ if (cfg.dns1 != NULL || any_dhcp())
+ fs_resolvconf();
 //****************************
 // start dhcp client
diff --git a/src/include/rundefs.h b/src/include/rundefs.h
index 079670f10..b3ad564ac 100644
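Review bot: The bind mount at the end of fs_resolvconf() names its target by path, so mount(2) will resolve a symlink at /etc/resolv.conf and the generated file lands on whatever the link points to, or errExit() ends the sandbox if the link dangles. The fs.c hunk in this commit shows disable_file() opening its target with `O_PATH` first; here I would likewise open the target with `O_PATH|O_NOFOLLOW|O_CLOEXEC`, fstat it, and refuse or explicitly handle a symlink before mounting. The `"none"` and `"mode=644,gid=0"` arguments are ignored for MS_BIND (owner and mode presumably come from the SET_PERMS_STREAM call above), so `mount(RUN_RESOLVCONF_FILE, "/etc/resolv.conf", NULL, MS_BIND, NULL)` states what actually happens. The fprintf() and fclose() results are unchecked, so a short write would still be mounted, and the fopen failure message names /etc/resolv.conf although the file being created is RUN_RESOLVCONF_FILE.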
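Review bot: The `#if 0` added before fs_rebuild_etc() (closed by the `#endif` in the last hunk of this file) compiles the whole function out without saying why or for how long. If the function is being retired, deleting it keeps the old code in git history without leaving an unreferenced second copy of the resolv.conf logic next to fs_resolvconf(); if it is only parked for the rework, a comment such as `#if 0 // disabled during private-etc rework, replaced by fs_resolvconf()` would tell the next reader. The final hunk also leaves the file without a trailing newline. The body of fs_rebuild_etc() lies between the two hunks and is not visible here.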
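Review bot: The new condition in the sandbox.c hunk drops the `!arg_writable_etc` test without comment, so fs_resolvconf() now bind-mounts a file created with owner 0:0 and mode 0644 over /etc/resolv.conf even when /etc was requested writable, and with DHCP alone (no `cfg.dns1`) the mounted file is empty. If both are intended, the banner should say so, for example `// set DNS: bind-mount a generated resolv.conf, also when /etc is writable`. sandbox() starts and ends outside the hunk, so whether the DHCP client started just below can still update a bind-mounted resolv.conf is not visible here.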
--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -99,5 +99,7 @@
 #define RUN_UMASK_FILE RUN_MNT_DIR "/umask"
 #define RUN_JOIN_FILE RUN_MNT_DIR "/join"
 #define RUN_OVERLAY_ROOT RUN_MNT_DIR "/oroot"
+#define RUN_RESOLVCONF_FILE RUN_MNT_DIR "/resolv.conf"
+
 #endif
-- cgit v1.2.3-54-g00ecf