From f4171a91412f89d509e6d1371fd81b4ecd89c11d Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sun, 11 Oct 2015 11:24:02 -0400
Subject: --private-bin
---
Makefile.in | 4 ++-
etc/firefox.profile | 1 -
src/firejail/firejail.h | 4 +++
src/firejail/fs.c | 10 +++----
src/firejail/fs_bin.c | 5 ++--
src/firejail/fs_var.c | 2 +-
src/firejail/profile.c | 8 ++++++
test/chromium.exp | 10 +++----
test/fscheck-shell.exp | 14 +++++-----
test/private-bin.exp | 71 ++++++++++++++++++++++++++++++++++++++++++++++++
test/private-bin.profile | 1 +
test/test.sh | 12 ++++++--
12 files changed, 116 insertions(+), 26 deletions(-)
create mode 100755 test/private-bin.exp
create mode 100644 test/private-bin.profile
diff --git a/Makefile.in b/Makefile.in
index 4d00e3aef..14fbaa0bf 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -8,7 +8,9 @@ bindir=@bindir@
 libdir=@libdir@
 datarootdir=@datarootdir@
 mandir=@mandir@
-sysconfdir=@sysconfdir@
+# todo: fix sysconfdir
+# sysconfdir=@sysconfdir@
+sysconfdir=/etc
 VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@
diff --git a/etc/firefox.profile b/etc/firefox.profile
index b31f25fc6..fae7d7ad4 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -8,6 +8,5 @@ caps.drop all
 seccomp
 netfilter
 noroot
-shell none
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 64cf3ccef..cbc4086fb 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -407,5 +407,9 @@ void errno_print(void);
 // pulseaudio.c
 void pulseaudio_init(void);
+// fs_bin.c
+void fs_check_bin_list(void);
+void fs_private_bin_list(void);
+
 #endif
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 54086e0bb..b3748de51 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
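Review bot: The added `sysconfdir=/etc` in Makefile.in discards the value configure substitutes into `@sysconfdir@`, so a tree configured with `--prefix` or `--sysconfdir` still installs profiles under /etc while the commented-out line and the `# todo` mark this as a stopgap rather than a decision. Presumably the autoconf default places sysconfdir under the prefix while the binary reads profiles from /etc/firejail (the tests in this patch expect "Reading profile /etc/firejail/chromium.profile"), but that reason is not recorded anywhere. State it in the comment, e.g. `# sysconfdir is pinned to /etc because firejail loads profiles from /etc/firejail; reconcile with configure before dropping this`, and remove the dead `# sysconfdir=@sysconfdir@` line rather than keeping commented-out code.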
@@ -435,23 +435,23 @@ void fs_proc_sys_dev_boot(void) {
 if (arg_debug)
 printf("Disable /sys/firmware directory\n");
 if (mount("tmpfs", "/sys/firmware", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
- errExit("disable /sys/firmware directory");
+ fprintf(stderr, "Warning: cannot disable /sys/firmware directory\n");
 if (arg_debug)
 printf("Disable /sys/hypervisor directory\n");
 if (mount("tmpfs", "/sys/hypervisor", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
- errExit("disable /sys/hypervisor directory");
+ fprintf(stderr, "Warning: cannot disable /sys/hypervisor directory\n");
 if (arg_debug)
 printf("Disable /sys/fs directory\n");
 if (mount("tmpfs", "/sys/fs", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
- errExit("disable /sys/fs directory");
+ fprintf(stderr, "Warning: cannot disable /sys/fs directory\n");
 if (arg_debug)
 printf("Disable /sys/module directory\n");
 if (mount("tmpfs", "/sys/module", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
- errExit("disable /sys/module directory");
+ fprintf(stderr, "Warning: cannot disable /sys/module directory\n");
 if (arg_debug)
 printf("Disable /sys/power directory\n");
 if (mount("tmpfs", "/sys/power", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
- errExit("disable /sys/power directory");
+ fprintf(stderr, "Warning: cannot disable /sys/power directory\n");
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index 4b3292b6c..dcfdadb6b 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -44,9 +44,9 @@ static char *check_dir_or_file(const char *name) {
 errExit("asprintf");
 if (arg_debug)
 printf("Checking %s/%s\n", paths[i], name);
- if (stat(fname, &s) == 0)
+ if (stat(fname, &s) == 0 && !S_ISDIR(s.st_mode)) // do not allow directories
 break; // file found
-
+
 free(fname);
 fname = NULL;
 i++;
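Review bot: Each of the five tmpfs mounts over /sys/firmware, /sys/hypervisor, /sys/fs, /sys/module and /sys/power now fails open — a mount() error prints a warning and the sandbox keeps running with that directory fully visible, whereas errExit() previously aborted. If this is meant to tolerate hosts where a path does not exist, the warning should at least carry the failure reason so an operator can tell ENOENT from EPERM, e.g. `fprintf(stderr, "Warning: cannot disable /sys/firmware directory: %s\n", strerror(errno));` for each of the five (assuming errno.h/string.h are already included, which is not visible here). A profile that depends on these directories being hidden would be better served by a distinguishable error than by a warning that scrolls past. fs_proc_sys_dev_boot() begins before this hunk, so whether the earlier mounts in the same function still abort cannot be seen from here.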
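Review bot: The new `!S_ISDIR(s.st_mode)` test in check_dir_or_file() still accepts any non-directory under one of `paths[]` — device nodes, FIFOs, sockets — which is presumably not what a private /bin should be populated from; if the result is later copied or bind-mounted as an executable, `if (stat(fname, &s) == 0 && S_ISREG(s.st_mode)) // regular files only` is the precise condition, and because stat() follows symlinks it still matches the usual /bin/sh -> dash style links. Separately, `name` is joined to `paths[i]` with asprintf; if it arrives straight from the `--private-bin` list and can contain a `/`, the lookup escapes the listed directories, so reject such names at the parser if that is not already done. check_dir_or_file() starts before this hunk and its return path is outside the view.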
@@ -99,7 +99,6 @@ void fs_check_bin_list(void) {
 else
 notfound = 1;
 }
-printf("here %d: newlist #%s#\n", __LINE__, newlist);
 if (*newlist == '\0') {
 fprintf(stderr, "Warning: no --private-bin list executable found, option disabled\n");
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index 3200c5282..93625633a 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -146,7 +146,7 @@ void fs_var_log(void) {
 errExit("chmod");
 }
 else
- fprintf(stderr, "Warning: cannot mount tmpfs in top of /var/log\n");
+ fprintf(stderr, "Warning: cannot mount tmpfs on top of /var/log\n");
 }
 void fs_var_lib(void) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 2863b454e..5b18cc179 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -257,6 +257,14 @@ int profile_check_line(char *ptr, int lineno) {
 return 0;
 }
+ // private /bin list of files
+ if (strncmp(ptr, "private-bin ", 12) == 0) {
+ cfg.bin_private_keep = ptr + 12;
+ fs_check_bin_list();
+ arg_private_bin = 1;
+ return 0;
+ }
+
 // filesystem bind
 if (strncmp(ptr, "bind ", 5) == 0) {
 if (getuid() != 0) {
diff --git a/test/chromium.exp b/test/chromium.exp
index 020826f3d..77325d070 100755
--- a/test/chromium.exp
+++ b/test/chromium.exp
@@ -4,10 +4,10 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "firejail chromium-browser www.gentoo.org\r"
+send -- "firejail chromium www.gentoo.org\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
- "Reading profile /etc/firejail/chromium-browser.profile"
+ "Reading profile /etc/firejail/chromium.profile"
 }
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}
@@ -23,7 +23,7 @@ expect {
 }
 expect {
 timeout {puts "TESTING ERROR 3.1\n";exit}
- "chromium-browser"
+ "chromium"
 }
 sleep 1
@@ -38,7 +38,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
 timeout {puts "TESTING ERROR 5\n";exit}
- ":firejail chromium-browser"
+ ":firejail chromium"
 }
 expect {
 timeout {puts "TESTING ERROR 5.1\n";exit}
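Review bot: In the new `private-bin` keyword handler of profile_check_line(), `arg_private_bin = 1` is assigned after `fs_check_bin_list()` returns, and that function (its -99 hunk is in this same patch) has an "option disabled" path for an empty result; if it clears arg_private_bin there, this handler re-enables the option with an unusable list. Assigning the flag first — `arg_private_bin = 1;` then `fs_check_bin_list();` — avoids that ordering hazard, and it is worth confirming the command-line handler for `--private-bin` does the same so profile and option behave identically. Also `cfg.bin_private_keep = ptr + 12` stores a pointer into the caller's line buffer; that is only safe if the profile lines outlive this call, which the neighbouring keyword handlers outside this hunk would show (whether they strdup or keep the pointer). The rest of profile_check_line() lies outside the hunk.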
@@ -52,7 +52,7 @@ sleep 1
 send -- "firemon --caps\r"
 expect {
 timeout {puts "TESTING ERROR 6\n";exit}
- ":firejail chromium-browser"
+ ":firejail chromium"
 }
 expect {
 timeout {puts "TESTING ERROR 6.1\n";exit}
diff --git a/test/fscheck-shell.exp b/test/fscheck-shell.exp
index d2320a4c3..548955e60 100755
--- a/test/fscheck-shell.exp
+++ b/test/fscheck-shell.exp
@@ -15,7 +15,7 @@ after 100
 # ..
 send -- "firejail --net=br0 --shell=../test/fscheck-dir\r"
 expect {
- timeout {puts "TESTING ERROR 0.1\n";exit}
+ timeout {puts "TESTING ERROR 1\n";exit}
 "Error"
 }
 after 100
@@ -23,7 +23,7 @@ after 100
 # dir link
 send -- "firejail --net=br0 --shell=fscheck-dir-link\r"
 expect {
- timeout {puts "TESTING ERROR 1\n";exit}
+ timeout {puts "TESTING ERROR 2\n";exit}
 "Error"
 }
 after 100
@@ -31,7 +31,7 @@ after 100
 # ..
 send -- "firejail --net=br0 --shell=../test/fscheck-dir-link\r"
 expect {
- timeout {puts "TESTING ERROR 1.1\n";exit}
+ timeout {puts "TESTING ERROR 3\n";exit}
 "Error"
 }
 after 100
@@ -39,7 +39,7 @@ after 100
 # file link
 send -- "firejail --net=br0 --shell=fscheck-file-link\r"
 expect {
- timeout {puts "TESTING ERROR 2\n";exit}
+ timeout {puts "TESTING ERROR 4\n";exit}
 "Error"
 }
 after 100
@@ -47,7 +47,7 @@ after 100
 # ..
 send -- "firejail --net=br0 --shell=../test/fscheck-file-link\r"
 expect {
- timeout {puts "TESTING ERROR 2\n";exit}
+ timeout {puts "TESTING ERROR 5\n";exit}
 "Error"
 }
 after 100
@@ -55,7 +55,7 @@ after 100
 # no file
 send -- "firejail --net=br0 --shell=../test/nofile\r"
 expect {
- timeout {puts "TESTING ERROR 3\n";exit}
+ timeout {puts "TESTING ERROR 6\n";exit}
 "Error"
 }
 after 100
@@ -63,7 +63,7 @@ after 100
 # real GID/UID
 send -- "firejail --net=br0 --shell=/etc/shadow\r"
 expect {
- timeout {puts "TESTING ERROR 4\n";exit}
+ timeout {puts "TESTING ERROR 7\n";exit}
 "Error"
 }
 after 100
diff --git a/test/private-bin.exp b/test/private-bin.exp
new file mode 100755
index 000000000..cc5ea99c7
--- /dev/null
+++ b/test/private-bin.exp
@@ -0,0 +1,71 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --private-bin=bash,ls,sh\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "ls -al /bin\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "bash"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "ls"
+}
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "sh"
+}
+
+send -- "ls -al /bin\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "ping" {puts "TESTING ERROR 6\n";exit}
+ "sh"
+}
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --profile=private-bin.profile\r"
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "ls -al /bin\r"
+expect {
+ timeout {puts "TESTING ERROR 8\n";exit}
+ "bash"
+}
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "ls"
+}
+expect {
+ timeout {puts "TESTING ERROR 10\n";exit}
+ "sh"
+}
+
+send -- "ls -al /bin\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "ping" {puts "TESTING ERROR 6\n";exit}
+ "sh"
+}
+send -- "exit\r"
+
+
+
+
+sleep 1
+puts "\nall done\n"
+
diff --git a/test/private-bin.profile b/test/private-bin.profile
new file mode 100644
index 000000000..24cf5929a
--- /dev/null
+++ b/test/private-bin.profile
@@ -0,0 +1 @@
+private-bin bash,ls,sh
diff --git a/test/test.sh b/test/test.sh
index 6f198cd52..2e7b1e2bc 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -18,9 +18,15 @@ echo "TESTING: environment variables"
 echo "TESTING: private-etc"
 ./private-etc.exp
+echo "TESTING: private-bin"
+./private-bin.exp
+
+sleep 1
+rm -fr dir\ with\ space
 mkdir dir\ with\ space
 echo "TESTING: blacklist"
 ./blacklist.exp
+sleep 1
 rm -fr dir\ with\ space
 ln -s auto auto2
@@ -155,7 +161,7 @@ else
 echo "TESTING: midori not found"
 fi
-which chromium-browser
+which chromium
 if [ "$?" -eq 0 ];
 then
 echo "TESTING: chromium"
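Review bot: The negative check after the second `ls -al /bin` — `"ping" {puts "TESTING ERROR 6\n";exit}` listed alongside `"sh"` — does not prove ping is absent, because expect's default glob patterns match anywhere in the buffer: `"sh"` is satisfied by the `bash` entry (or by the echoed command line) before a later `ping` line would be seen, so the block passes regardless. A direct probe is unambiguous: `send -- "ls /bin/ping\r"` followed by `expect { timeout {puts "TESTING ERROR 6\n";exit} "No such file" }`. The same block is repeated for the profile run with error numbers 5 and 6 reused, so a failure report cannot tell the command-line run from the profile run; renumber the second copy (e.g. 11 and 12).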
@@ -278,10 +284,10 @@ echo "TESTING: seccomp su"
 echo "TESTING: seccomp ptrace"
 ./seccomp-ptrace.exp
-echo "TESTING: seccomp chmod (seccomp lists)"
+echo "TESTING: seccomp chmod - seccomp lists"
 ./seccomp-chmod.exp
-echo "TESTING: seccomp chmod profile (seccomp lists)"
+echo "TESTING: seccomp chmod profile - seccomp lists"
 ./seccomp-chmod-profile.exp
 echo "TESTING: seccomp empty"
--
cgit v1.2.3-54-g00ecf