From ded50200e0dcc0e79adf0158669791a4c7d5f911 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Sun, 15 Jan 2023 16:21:52 +0100
Subject: opt-in: skip blacklisted files in private-etc - #5010, #5230
---
 etc/firejail.config | 3 +++
 src/firejail/checkcfg.c | 2 ++
 src/firejail/firejail.h | 1 +
 src/firejail/fs.c | 2 +-
 src/firejail/fs_etc.c | 7 ++++++-
 5 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/etc/firejail.config b/etc/firejail.config
index e8bf45751..26125e4b6 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -78,6 +78,9 @@
 # Enable or disable overlayfs features, default enabled.
 # overlayfs yes
+# Hide blacklisted files in /etc directory, default disabled.
+# etc-no-blacklisted no
+
 # Set the limit for file copy in several --private-* options. The size is set
 # in megabytes. By default we allow up to 500MB.
 # Note: the files are copied in RAM.
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 62b8c4dc4..590543217 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -51,6 +51,7 @@ int checkcfg(int val) {
 cfg_val[i] = 1; // most of them are enabled by default
 cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default
 cfg_val[CFG_FORCE_NONEWPRIVS] = 0;
+ cfg_val[CFG_ETC_NO_BLACKLISTED] = 0;
 cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0;
 cfg_val[CFG_FIREJAIL_PROMPT] = 0;
 cfg_val[CFG_DISABLE_MNT] = 0;
@@ -115,6 +116,7 @@ int checkcfg(int val) {
 PARSE_YESNO(CFG_TRACELOG, "tracelog")
 PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title")
 PARSE_YESNO(CFG_OVERLAYFS, "overlayfs")
+ PARSE_YESNO(CFG_ETC_NO_BLACKLISTED, "etc-no-blacklisted")
 PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin")
 PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local")
 PARSE_YESNO(CFG_PRIVATE_CACHE, "private-cache")
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 4fe3a5974..cf5c5b2fa 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
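Review bot: The new comment `# Hide blacklisted files in /etc directory, default disabled.` describes the option only as hiding files and leaves out the trade-off that made it opt-in: according to the comment added in src/firejail/fs_etc.c in this same commit, the /etc rebuild this option forces keeps rename(2)-based updates (the example given is /etc/resolv.conf) from propagating into the sandbox. An administrator reading only firejail.config cannot tell why the default is `no` or what they give up by turning it on. Suggested wording: `# Leave blacklisted files out of the rebuilt /etc. Note: with this enabled, updates to` / `# files made via rename(2) (e.g. /etc/resolv.conf) do not propagate into the sandbox.` / `# etc-no-blacklisted no`.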
@@ -811,6 +811,7 @@ enum {
 CFG_FORCE_NONEWPRIVS,
 CFG_XEPHYR_WINDOW_TITLE,
 CFG_OVERLAYFS,
+ CFG_ETC_NO_BLACKLISTED,
 CFG_PRIVATE_BIN,
 CFG_PRIVATE_BIN_NO_LOCAL,
 CFG_PRIVATE_CACHE,
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index b44eb65ee..3066c50ed 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -162,7 +162,7 @@ static void disable_file(OPERATION op, const char *filename) {
 fs_logger2("blacklist-nolog", fname);
 // files in /etc will be reprocessed during /etc rebuild
- if (strncmp(fname, "/etc/", 5) == 0) {
+ if (checkcfg(CFG_ETC_NO_BLACKLISTED) && strncmp(fname, "/etc/", 5) == 0) {
 ProfileEntry *prf = malloc(sizeof(ProfileEntry));
 if (!prf)
 errExit("malloc");
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index 77fa00d6b..e58537e49 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -264,8 +264,13 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
 void fs_rebuild_etc(void) {
 int have_dhcp = 1;
- if (cfg.dns1 == NULL && !any_dhcp())
+ if (cfg.dns1 == NULL && !any_dhcp()) {
+ // this function has the effect that updates to files using rename(2) don't propagate into the sandbox
+ // avoid this in the default setting, in order to not break /etc/resolv.conf (issue #5010)
+ if (!checkcfg(CFG_ETC_NO_BLACKLISTED))
+ return;
 have_dhcp = 0;
+ }
 if (arg_debug)
 printf("rebuilding /etc directory\n");
-- 
cgit v1.2.3-70-g09d2
From f754fd99e5555f982f20dbc80c68e5c9b82dfcf7 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Sun, 15 Jan 2023 19:45:51 +0100
Subject: testing
---
 test/fs/option_blacklist_file.exp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/fs/option_blacklist_file.exp b/test/fs/option_blacklist_file.exp
index 93284a140..9b4d3ed83 100755
--- a/test/fs/option_blacklist_file.exp
+++ b/test/fs/option_blacklist_file.exp
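Review bot: The comment `// files in /etc will be reprocessed during /etc rebuild` directly above the changed condition in disable_file is now only true when etc-no-blacklisted is enabled; with the default setting an /etc path falls through to the generic handling further down, which continues outside the hunk. Reword it to `// with etc-no-blacklisted, files in /etc are deferred to the /etc rebuild;` / `// otherwise they are blacklisted in place like any other path`. The accompanying test change in this series switches its expectation from No such file or directory to Permission denied for the default path, which suggests the in-place blacklist leaves the /etc entry visible but unreadable — worth confirming and stating in the comment, since it is a visible behaviour change for existing profiles.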
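Review bot: The new early `return` in the no-DNS branch of fs_rebuild_etc leaves the function without any trace, whereas the rebuild path right below it announces itself with `printf("rebuilding /etc directory\n")` under arg_debug; when an operator is working out why a blacklisted /etc file is now reported as Permission denied rather than missing (the expectation the accompanying test change switches to), a silent skip is hard to spot. Add `if (arg_debug)` / `printf("skipping /etc rebuild: no DNS config and etc-no-blacklisted is disabled\n");` before the `return;`. The two added comment lines would also read more directly as `// rebuilding /etc means updates made via rename(2) no longer propagate into the sandbox;` / `// skip it by default so /etc/resolv.conf keeps working (issue #5010)`. The function body continues past the hunk, so whether any queued blacklist entries are dropped by the early return cannot be seen here; fs.c only queues /etc entries when the option is set, which keeps the two gates consistent.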
@@ -22,7 +22,7 @@ sleep 1
 send -- "cat /etc/passwd;echo done\r"
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}
- "No such file or directory"
+ "Permission denied"
 }
 expect {
 timeout {puts "TESTING ERROR 2\n";exit}
-- 
cgit v1.2.3-70-g09d2
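Review bot: The expected `"Permission denied"` ties this test to the default `etc-no-blacklisted no`; on a host whose firejail.config enables the option, the blacklisted /etc/passwd is presumably dropped from the rebuilt /etc and the old "No such file or directory" output returns, so the test would fail for a configuration the code supports. Either read the setting before choosing the expected string, or at least record the assumption with a comment above the expect block: `# expects the default etc-no-blacklisted no in firejail.config`. The enclosing expect script continues outside the hunk.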