From 12b37e696c7f7ad77cfddc92205801397010a256 Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Tue, 5 Feb 2019 02:26:09 +0000 Subject: Retain local apparmor customizations This fixes https://github.com/netblue30/firejail/issues/2388. --- Makefile.in | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile.in b/Makefile.in index 4e87d4ae0..0cbbb374c 100644 --- a/Makefile.in +++ b/Makefile.in @@ -134,7 +134,8 @@ ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR) sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;" install -c -m 0644 etc/firejail-default $(DESTDIR)/$(sysconfdir)/apparmor.d/. sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;" - install -c -m 0644 etc/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/. + # install apparmor profile customization file + sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-local ]; then install -c -m 0644 etc/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/.; fi;" endif # man pages install -m 0755 -d $(DESTDIR)/$(mandir)/man1 -- cgit v1.2.3-54-g00ecf From 83f7c7199abcb7d2e643d04b0e4831628b6d91e4 Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Tue, 5 Feb 2019 08:47:47 +0000 Subject: Stress apparmor local overrides As per discussion on https://github.com/netblue30/firejail/pull/2390, we better use slightly stronger/less optional wording when it comes to where local apparmor overrides need to be done. --- src/man/firejail.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 16004193d..052aeb56b 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
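Review bot: The new guard tests `-f` only, so a symlink or any non-regular entry already sitting at `$(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-local` is not treated as an existing customization and would likely be replaced by the copy; `[ ! -e … ]` keeps whatever the administrator put there, which is the intent of this commit. The added comment says what the rule does but not why; suggest `# never overwrite an existing firejail-local: it carries the site's AppArmor overrides` so a later editor does not "simplify" it back to an unconditional install. As on the surrounding lines, `$(DESTDIR)` and `$(sysconfdir)` are interpolated unquoted into the `sh -c` string, so a prefix containing spaces breaks the test; not new here, but worth fixing if the rule is touched again.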
@@ -2527,7 +2527,7 @@ AppArmor support is disabled by default at compile time. Use --enable-apparmor c .br $ ./configure --prefix=/usr --enable-apparmor .TP -During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The local customizations can be placed in /etc/apparmor.d/local/firejail-local. The profile needs to be loaded into the kernel by reloading apparmor.service, rebooting the system or running the following command as root: +During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The local customizations must be placed in /etc/apparmor.d/local/firejail-local. The profile needs to be loaded into the kernel by reloading apparmor.service, rebooting the system or running the following command as root: .br .br -- cgit v1.2.3-54-g00ecf From 96e4715421b3a1aecd4ca728db98587611ba0d77 Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Tue, 5 Feb 2019 08:53:28 +0000 Subject: Update firejail-local --- etc/firejail-local | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/etc/firejail-local b/etc/firejail-local index cddf44f13..f086653f8 100644 --- a/etc/firejail-local +++ b/etc/firejail-local @@ -1 +1,2 @@ -# Site-specific additions and overrides for 'firejail-default' +# Site-specific additions and overrides for 'firejail-default'. +# For more details, please see /etc/apparmor.d/local/README. -- cgit v1.2.3-54-g00ecf From ddecf21901663f5042f6683309a8202c18b56ef5 Mon Sep 17 00:00:00 2001 From: Patrik Flykt Date: Tue, 5 Feb 2019 19:48:23 +0100 Subject: profiles: grant zoom access to its configuration https://bugs.debian.org/921454 --- etc/zoom.profile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/zoom.profile b/etc/zoom.profile index 4fbf7ca01..456b197f3 100644 --- a/etc/zoom.profile +++ b/etc/zoom.profile 
@@ -6,6 +6,7 @@ include zoom.local include globals.local noblacklist ${HOME}/.config/zoomus.conf +noblacklist ${HOME}/.zoom include disable-common.inc include disable-devel.inc @@ -14,6 +15,7 @@ include disable-programs.inc mkdir ${HOME}/.zoom whitelist ${HOME}/.cache/zoom +whitelist ${HOME}/.config/zoomus.conf whitelist ${HOME}/.zoom include whitelist-common.inc -- cgit v1.2.3-54-g00ecf From a18be1a612505530e097faf14678088d5da748b7 Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Tue, 5 Feb 2019 19:59:52 +0100 Subject: simplify yes/no option parsing --- src/firejail/checkcfg.c | 268 +++++++----------------------------------------- 1 file changed, 38 insertions(+), 230 deletions(-) diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 0a3c5dd08..167bd591d 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c 
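Review bot: `whitelist ${HOME}/.config/zoomus.conf` in the second hunk only takes effect if the file exists when the sandbox starts, since as far as I recall firejail silently skips whitelist entries for missing paths; `${HOME}/.zoom` is covered by the `mkdir` two lines above, but nothing here creates the config file, so a first run on a fresh account would still get no writable `zoomus.conf`. Adding `mkfile ${HOME}/.config/zoomus.conf` next to `mkdir ${HOME}/.zoom` makes the whitelist reliable. The `noblacklist ${HOME}/.zoom` added in the first hunk pairs correctly with the existing whitelist of that directory.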
@@ -71,164 +71,48 @@ int checkcfg(int val) { if (*buf == '#' || *buf == '\n') continue; +#define PARSE_YESNO(key, string) \ + else if (strncmp(ptr, string " ", strlen(string)+1) == 0) { \ + if (strcmp(ptr + strlen(string) + 1, "yes") == 0) \ + cfg_val[key] = 1; \ + else if (strcmp(ptr + strlen(string) + 1, "no") == 0) \ + cfg_val[key] = 0; \ + else \ + goto errout; \ + } + // parse line ptr = line_remove_spaces(buf); if (!ptr) continue; + PARSE_YESNO(CFG_FILE_TRANSFER, "file-transfer") + PARSE_YESNO(CFG_DBUS, "dbus") + PARSE_YESNO(CFG_JOIN, "join") + PARSE_YESNO(CFG_X11, "x11") + PARSE_YESNO(CFG_APPARMOR, "apparmor") + PARSE_YESNO(CFG_BIND, "bind") + PARSE_YESNO(CFG_CGROUP, "cgroup") + PARSE_YESNO(CFG_NAME_CHANGE, "name-change") + PARSE_YESNO(CFG_USERNS, "userns") + PARSE_YESNO(CFG_CHROOT, "chroot") + PARSE_YESNO(CFG_FIREJAIL_PROMPT, "firejail-prompt") + PARSE_YESNO(CFG_FOLLOW_SYMLINK_AS_USER, "follow-symlink-as-user") + PARSE_YESNO(CFG_FORCE_NONEWPRIVS, "force-nonewprivs") + PARSE_YESNO(CFG_SECCOMP, "seccomp") + PARSE_YESNO(CFG_WHITELIST, "whitelist") + PARSE_YESNO(CFG_NETWORK, "network") + PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network") + PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title") + PARSE_YESNO(CFG_OVERLAYFS, "overlayfs") + PARSE_YESNO(CFG_PRIVATE_HOME, "private-home") + PARSE_YESNO(CFG_PRIVATE_CACHE, "private-cache") + PARSE_YESNO(CFG_PRIVATE_LIB, "private-lib") + PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local") + PARSE_YESNO(CFG_DISABLE_MNT, "disable-mnt") + PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach") + PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f") +#undef PARSE_YESNO - // file transfer - else if (strncmp(ptr, "file-transfer ", 14) == 0) { - if (strcmp(ptr + 14, "yes") == 0) - cfg_val[CFG_FILE_TRANSFER] = 1; - else if (strcmp(ptr + 14, "no") == 0) - cfg_val[CFG_FILE_TRANSFER] = 0; - else - goto errout; - } - // dbus - else if (strncmp(ptr, "dbus ", 5) == 0) { - if (strcmp(ptr + 5, "yes") == 0) - 
cfg_val[CFG_DBUS] = 1; - else if (strcmp(ptr + 5, "no") == 0) - cfg_val[CFG_DBUS] = 0; - else - goto errout; - } - // join - else if (strncmp(ptr, "join ", 5) == 0) { - if (strcmp(ptr + 5, "yes") == 0) - cfg_val[CFG_JOIN] = 1; - else if (strcmp(ptr + 5, "no") == 0) - cfg_val[CFG_JOIN] = 0; - else - goto errout; - } - // x11 - else if (strncmp(ptr, "x11 ", 4) == 0) { - if (strcmp(ptr + 4, "yes") == 0) - cfg_val[CFG_X11] = 1; - else if (strcmp(ptr + 4, "no") == 0) - cfg_val[CFG_X11] = 0; - else - goto errout; - } - // apparmor - else if (strncmp(ptr, "apparmor ", 9) == 0) { - if (strcmp(ptr + 9, "yes") == 0) - cfg_val[CFG_APPARMOR] = 1; - else if (strcmp(ptr + 9, "no") == 0) - cfg_val[CFG_APPARMOR] = 0; - else - goto errout; - } - // bind - else if (strncmp(ptr, "bind ", 5) == 0) { - if (strcmp(ptr + 5, "yes") == 0) - cfg_val[CFG_BIND] = 1; - else if (strcmp(ptr + 5, "no") == 0) - cfg_val[CFG_BIND] = 0; - else - goto errout; - } - // cgroup - else if (strncmp(ptr, "cgroup ", 7) == 0) { - if (strcmp(ptr + 7, "yes") == 0) - cfg_val[CFG_CGROUP] = 1; - else if (strcmp(ptr + 7, "no") == 0) - cfg_val[CFG_CGROUP] = 0; - else - goto errout; - } - // name change - else if (strncmp(ptr, "name-change ", 12) == 0) { - if (strcmp(ptr + 12, "yes") == 0) - cfg_val[CFG_NAME_CHANGE] = 1; - else if (strcmp(ptr + 12, "no") == 0) - cfg_val[CFG_NAME_CHANGE] = 0; - else - goto errout; - } - // user namespace - else if (strncmp(ptr, "userns ", 7) == 0) { - if (strcmp(ptr + 7, "yes") == 0) - cfg_val[CFG_USERNS] = 1; - else if (strcmp(ptr + 7, "no") == 0) - cfg_val[CFG_USERNS] = 0; - else - goto errout; - } - // chroot - else if (strncmp(ptr, "chroot ", 7) == 0) { - if (strcmp(ptr + 7, "yes") == 0) - cfg_val[CFG_CHROOT] = 1; - else if (strcmp(ptr + 7, "no") == 0) - cfg_val[CFG_CHROOT] = 0; - else - goto errout; - } - // prompt - else if (strncmp(ptr, "firejail-prompt ", 16) == 0) { - if (strcmp(ptr + 16, "yes") == 0) - cfg_val[CFG_FIREJAIL_PROMPT] = 1; - else if (strcmp(ptr + 16, "no") == 0) 
- cfg_val[CFG_FIREJAIL_PROMPT] = 0; - else - goto errout; - } - // follow symlink as user - else if (strncmp(ptr, "follow-symlink-as-user ", 23) == 0) { - if (strcmp(ptr + 23, "yes") == 0) - cfg_val[CFG_FOLLOW_SYMLINK_AS_USER] = 1; - else if (strcmp(ptr + 23, "no") == 0) - cfg_val[CFG_FOLLOW_SYMLINK_AS_USER] = 0; - else - goto errout; - } - // nonewprivs - else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) { - if (strcmp(ptr + 17, "yes") == 0) - cfg_val[CFG_FORCE_NONEWPRIVS] = 1; - else if (strcmp(ptr + 17, "no") == 0) - cfg_val[CFG_FORCE_NONEWPRIVS] = 0; - else - goto errout; - } - // seccomp - else if (strncmp(ptr, "seccomp ", 8) == 0) { - if (strcmp(ptr + 8, "yes") == 0) - cfg_val[CFG_SECCOMP] = 1; - else if (strcmp(ptr + 8, "no") == 0) - cfg_val[CFG_SECCOMP] = 0; - else - goto errout; - } - // whitelist - else if (strncmp(ptr, "whitelist ", 10) == 0) { - if (strcmp(ptr + 10, "yes") == 0) - cfg_val[CFG_WHITELIST] = 1; - else if (strcmp(ptr + 10, "no") == 0) - cfg_val[CFG_WHITELIST] = 0; - else - goto errout; - } - // network - else if (strncmp(ptr, "network ", 8) == 0) { - if (strcmp(ptr + 8, "yes") == 0) - cfg_val[CFG_NETWORK] = 1; - else if (strcmp(ptr + 8, "no") == 0) - cfg_val[CFG_NETWORK] = 0; - else - goto errout; - } - // network - else if (strncmp(ptr, "restricted-network ", 19) == 0) { - if (strcmp(ptr + 19, "yes") == 0) - cfg_val[CFG_RESTRICTED_NETWORK] = 1; - else if (strcmp(ptr + 19, "no") == 0) - cfg_val[CFG_RESTRICTED_NETWORK] = 0; - else - goto errout; - } // netfilter else if (strncmp(ptr, "netfilter-default ", 18) == 0) { char *fname = ptr + 18; 
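Review bot: `PARSE_YESNO` expands to an `else if` branch, so each expansion is only valid as a continuation of the `if (!ptr) continue;` chain directly above it and it quietly depends on `errout` being the function's error label; neither constraint is visible at the 26 use sites. A comment above the `#define`, such as `// Expands to one else-if branch of the keyword chain: must follow an if, STRING must be a string literal, and any value other than yes/no jumps to errout`, would record that for the next person who adds a key. `strlen(string)` is evaluated three times per expansion; with literal arguments the compiler folds it, but `sizeof(string) - 1` would make the constant explicit and fail to compile if someone ever passes a non-literal. The body of checkcfg begins before this hunk.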
@@ -266,16 +150,6 @@ int checkcfg(int val) { errExit("asprintf"); } - // xephyr window title - else if (strncmp(ptr, "xephyr-window-title ", 20) == 0) { - if (strcmp(ptr + 20, "yes") == 0) - cfg_val[CFG_XEPHYR_WINDOW_TITLE] = 1; - else if (strcmp(ptr + 20, "no") == 0) - cfg_val[CFG_XEPHYR_WINDOW_TITLE] = 0; - else - goto errout; - } - // Xephyr command extra parameters else if (strncmp(ptr, "xephyr-extra-params ", 20) == 0) { if (*xephyr_extra_params != '\0') @@ -295,7 +169,7 @@ int checkcfg(int val) { } // Xvfb screen size - else if (strncmp(ptr, "xvfb-screen ", 12) == 0) { + else if (strncmp(ptr, "xvfb-screen ", 12) == 0) { // expecting three numbers separated by x's unsigned int n1; unsigned int n2; 
@@ -325,54 +199,6 @@ int checkcfg(int val) { else goto errout; } - else if (strncmp(ptr, "overlayfs ", 10) == 0) { - if (strcmp(ptr + 10, "yes") == 0) - cfg_val[CFG_OVERLAYFS] = 1; - else if (strcmp(ptr + 10, "no") == 0) - cfg_val[CFG_OVERLAYFS] = 0; - else - goto errout; - } - else if (strncmp(ptr, "private-home ", 13) == 0) { - if (strcmp(ptr + 13, "yes") == 0) - cfg_val[CFG_PRIVATE_HOME] = 1; - else if (strcmp(ptr + 13, "no") == 0) - cfg_val[CFG_PRIVATE_HOME] = 0; - else - goto errout; - } - else if (strncmp(ptr, "private-cache ", 14) == 0) { - if (strcmp(ptr + 14, "yes") == 0) - cfg_val[CFG_PRIVATE_CACHE] = 1; - else if (strcmp(ptr + 14, "no") == 0) - cfg_val[CFG_PRIVATE_CACHE] = 0; - else - goto errout; - } - else if (strncmp(ptr, "private-lib ", 12) == 0) { - if (strcmp(ptr + 12, "yes") == 0) - cfg_val[CFG_PRIVATE_LIB] = 1; - else if (strcmp(ptr + 12, "no") == 0) - cfg_val[CFG_PRIVATE_LIB] = 0; - else - goto errout; - } - else if (strncmp(ptr, "private-bin-no-local ", 21) == 0) { - if (strcmp(ptr + 21, "yes") == 0) - cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 1; - else if (strcmp(ptr + 21, "no") == 0) - cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0; - else - goto errout; - } - else if (strncmp(ptr, "disable-mnt ", 12) == 0) { - if (strcmp(ptr + 12, "yes") == 0) - cfg_val[CFG_DISABLE_MNT] = 1; - else if (strcmp(ptr + 12, "no") == 0) - cfg_val[CFG_DISABLE_MNT] = 0; - else - goto errout; - } // arp probes else if (strncmp(ptr, "arp-probes ", 11) == 0) { int arp_probes = atoi(ptr + 11); 
@@ -380,24 +206,6 @@ int checkcfg(int val) { goto errout; cfg_val[CFG_ARP_PROBES] = arp_probes; } - // xpra-attach - else if (strncmp(ptr, "xpra-attach ", 12) == 0) { - if (strcmp(ptr + 12, "yes") == 0) - cfg_val[CFG_XPRA_ATTACH] = 1; - else if (strcmp(ptr + 12, "no") == 0) - cfg_val[CFG_XPRA_ATTACH] = 0; - else - goto errout; - } - // browser-disable-u2f - else if (strncmp(ptr, "browser-disable-u2f ", 20) == 0) { - if (strcmp(ptr + 20, "yes") == 0) - cfg_val[CFG_BROWSER_DISABLE_U2F] = 1; - else if (strcmp(ptr + 20, "no") == 0) - cfg_val[CFG_BROWSER_DISABLE_U2F] = 0; - else - goto errout; - } else goto errout; -- cgit v1.2.3-54-g00ecf From 373d91148d714f7c2fae95aeb6fcb850a215163c Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Tue, 5 Feb 2019 21:49:33 +0100 Subject: use correct struct member for offset Fixes: #2381 --- src/fsec-print/print.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/fsec-print/print.c b/src/fsec-print/print.c index 1042f0c3e..1756d60dc 100644 --- a/src/fsec-print/print.c +++ b/src/fsec-print/print.c @@ -206,7 +206,7 @@ static void bpf_decode_args(const struct sock_filter *bpf, unsigned int line) { printf("data.syscall-number"); syscall_loaded = 1; } - else if (bpf->k == offsetof(struct seccomp_data, nr)) + else if (bpf->k == offsetof(struct seccomp_data, instruction_pointer)) printf("data.instruction_pointer"); else { int index = bpf->k - offsetof(struct seccomp_data, args); -- cgit v1.2.3-54-g00ecf From fb34781d8d006a38363c73b0d6688338b85efa7e Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Tue, 5 Feb 2019 22:15:53 +0100 Subject: move usage check to single place --- src/fldd/main.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/src/fldd/main.c b/src/fldd/main.c index d9adcdcf6..566763ff4 100644 --- a/src/fldd/main.c +++ b/src/fldd/main.c 
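Review bot: With the second comparison now genuinely distinct from `nr`, every load whose `k` matches neither branch falls into the `else` and is decoded as an argument via `index = bpf->k - offsetof(struct seccomp_data, args)`; the `arch` field sits below `args` in `struct seccomp_data`, so a filter that loads it would produce a negative index. Unless the code after the hunk rejects `index < 0`, an explicit branch `else if (bpf->k == offsetof(struct seccomp_data, arch)) printf("data.arch");` keeps the printed listing faithful to what the kernel evaluates. The body of bpf_decode_args continues past this hunk, so that check may already be present.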
@@ -297,7 +297,7 @@ printf("\n"); } - if (strcmp(argv[1], "--help") == 0) { + if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") == 0) { usage(); return 0; } @@ -312,11 +312,6 @@ printf("\n"); if (quiet && strcmp(quiet, "yes") == 0) arg_quiet = 1; - if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) { - usage(); - return 0; - } - int fd = STDOUT_FILENO; // attempt to open the file if (argc == 3) { -- cgit v1.2.3-54-g00ecf From 68306a2009350c8e1e64971e06f15ae1f62e5de8 Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Tue, 5 Feb 2019 22:19:44 +0100 Subject: cnt only used for debugging --- src/libtracelog/libtracelog.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/libtracelog/libtracelog.c b/src/libtracelog/libtracelog.c index 0f8d5a00d..3e74051f8 100644 --- a/src/libtracelog/libtracelog.c +++ b/src/libtracelog/libtracelog.c @@ -181,7 +181,9 @@ static void load_blacklist(void) { // extract blacklists char buf[MAXBUF]; +#ifdef DEBUG int cnt = 0; +#endif while (fgets(buf, MAXBUF, fp)) { if (strncmp(buf, "sandbox pid: ", 13) == 0) { char *ptr = strchr(buf, '\n'); @@ -202,7 +204,9 @@ static void load_blacklist(void) { if (ptr) *ptr = '\0'; storage_add(buf + 10); +#ifdef DEBUG cnt++; +#endif } } fclose(fp); -- cgit v1.2.3-54-g00ecf From e0d0ec7dd066d8f80c963d20127b23ed80744ce9 Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Tue, 5 Feb 2019 22:22:32 +0100 Subject: variable only used when whitelisting enabled --- src/firejail/profile.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/firejail/profile.c b/src/firejail/profile.c index bc66aca78..26b915602 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c 
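Review bot: The relocated check reads `argv[1]` unconditionally; it is only safe if an `argc` guard precedes it, and that guard is outside this hunk, so it is worth confirming the move did not put the usage test ahead of it. The three `strcmp` calls on one line would read better as a helper, `static int is_help_opt(const char *a) { return strcmp(a, "-h") == 0 || strcmp(a, "--help") == 0 || strcmp(a, "-?") == 0; }`, called as `if (is_help_opt(argv[1]))`. The enclosing function starts before the hunk.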
@@ -241,7 +241,9 @@ error: // return 1 if the command is to be added to the linked list of profile commands // return 0 if the command was already executed inside the function int profile_check_line(char *ptr, int lineno, const char *fname) { +#ifdef HAVE_WHITELIST static int whitelist_warning_printed = 0; +#endif EUID_ASSERT(); // check and process conditional profile lines -- cgit v1.2.3-54-g00ecf From 040c81a61187af6fe3e2f92a38d019a699971a01 Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Tue, 5 Feb 2019 22:24:35 +0100 Subject: fix small memleak --- src/fseccomp/syscall.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c index 3f5fbbbfa..7ea1e749d 100644 --- a/src/fseccomp/syscall.c +++ b/src/fseccomp/syscall.c @@ -546,7 +546,7 @@ static void syscall_in_list(int fd, int syscall, int arg, void *ptrarg) { } else { // no problem, add to pre-exec list // build syscall:error_no - char *newcall; + char *newcall = NULL; if (arg != 0) { if (asprintf(&newcall, "%s:%s", syscall_find_nr(syscall), errno_find_nr(arg)) == -1) errExit("asprintf"); @@ -560,6 +560,7 @@ static void syscall_in_list(int fd, int syscall, int arg, void *ptrarg) { if (ptr->prelist) { if (asprintf(&ptr->prelist, "%s,%s", ptr->prelist, newcall) == -1) errExit("asprintf"); + free(newcall); } else ptr->prelist = newcall; -- cgit v1.2.3-54-g00ecf
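Review bot: The added `free(newcall)` closes one leak, but the same `asprintf` call still leaks the previous `ptr->prelist`: `asprintf(&ptr->prelist, "%s,%s", ptr->prelist, newcall)` stores a fresh allocation into `ptr->prelist` and the old string it was built from is never released. Holding the old pointer in a local, passing that to `asprintf`, and freeing it afterwards fixes both leaks in one place; it also removes the habit of passing the destination as a format argument, which is correct only because the argument is evaluated before the store. syscall_in_list begins before this hunk.
```c
if (ptr->prelist) {
	char *old = ptr->prelist;
	if (asprintf(&ptr->prelist, "%s,%s", old, newcall) == -1)
		errExit("asprintf");
	free(old);
	free(newcall);
}
// … unchanged: else branch handing newcall to ptr->prelist …
```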