From f7b22a4764de898eef9ada813baa5c7f4a8f2c07 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 10 Sep 2018 09:00:39 -0400 Subject: cleanup --- etc/firejail.config | 49 ------------------ src/firejail/checkcfg.c | 118 ++++++++++++++++++++----------------------- src/firejail/firejail.h | 35 ++++--------- src/firejail/main.c | 27 ++++++++++ src/firejail/usage.c | 2 + src/fseccomp/syscall.c | 5 +- src/man/firejail.txt | 19 +++++++ test/blacklist-link.exp | 82 ------------------------------ test/blacklist.exp | 75 --------------------------- test/blacklist1.profile | 1 - test/blacklist2.profile | 1 - test/blacklist3.profile | 1 - test/fs/private-home-dir.exp | 2 +- 13 files changed, 115 insertions(+), 302 deletions(-) delete mode 100755 test/blacklist-link.exp delete mode 100755 test/blacklist.exp delete mode 100644 test/blacklist1.profile delete mode 100644 test/blacklist2.profile delete mode 100644 test/blacklist3.profile diff --git a/etc/firejail.config b/etc/firejail.config index 1f47f77d0..f4acfe7f8 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -15,9 +15,6 @@ # Enable or disable bind support, default enabled. # bind yes -# Enable or disable chroot support, default enabled. -# chroot yes - # Enable or disable dbus handling by --nodbus flag, default enabled. # dbus yes @@ -50,18 +47,6 @@ # Enable or disable networking features, default enabled. # network yes -# Enable or disable overlayfs features, default enabled. -# overlayfs yes - -# Remove /usr/local directories from private-bin list, default disabled. -# private-bin-no-local no - -# Enable or disable private-home feature, default enabled -# private-home yes - -# Enable or disable private-lib feature, default enabled -# private-lib yes - # Enable --quiet as default every time the sandbox is started. Default disabled. # quiet-by-default no 
@@ -86,37 +71,3 @@ # Enable or disable whitelisting support, default enabled. # whitelist yes - -# Enable or disable X11 sandboxing support, default enabled. -# x11 yes - -# Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for -# a full list of resolutions available on your specific setup. -# xephyr-screen 640x480 -# xephyr-screen 800x600 -# xephyr-screen 1024x768 -# xephyr-screen 1280x1024 - -# Firejail window title in Xephyr, default enabled. -# xephyr-window-title yes - -# Xephyr command extra parameters. None by default; these are examples. -# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev -# xephyr-extra-params -grayscale - -# Xpra server command extra parameters. None by default; this is an example. -# xpra-extra-params --dpi 96 - -# Enable this option if you have a version of Xpra that supports --attach switch -# for start command, default disabled. -# xpra-attach no - -# Screen size for --x11=xvfb, default 800x600x24. The third dimension is -# color depth; use 24 unless you know exactly what you're doing. -# xvfb-screen 640x480x24 -# xvfb-screen 800x600x24 -# xvfb-screen 1024x768x24 -# xvfb-screen 1280x1024x24 - -# Xvfb command extra parameters. None by default; this is an example. -# xvfb-extra-params -pixdepths 8 24 32 diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 430771a13..8786c018e 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -25,11 +25,6 @@ static int initialized = 0; static int cfg_val[CFG_MAX]; -char *xephyr_screen = "800x600"; -char *xephyr_extra_params = ""; -char *xpra_extra_params = ""; -char *xvfb_screen = "800x600x24"; -char *xvfb_extra_params = ""; char *netfilter_default = NULL; int checkcfg(int val) { 
@@ -45,11 +40,9 @@ int checkcfg(int val) { cfg_val[i] = 1; // most of them are enabled by default cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default cfg_val[CFG_FORCE_NONEWPRIVS] = 0; - cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0; cfg_val[CFG_FIREJAIL_PROMPT] = 0; cfg_val[CFG_DISABLE_MNT] = 0; cfg_val[CFG_ARP_PROBES] = DEFAULT_ARP_PROBES; - cfg_val[CFG_XPRA_ATTACH] = 0; // open configuration file const char *fname = SYSCONFDIR "/firejail.config"; @@ -75,25 +68,6 @@ int checkcfg(int val) { ptr = line_remove_spaces(buf); if (!ptr) continue; - - // dbus - else if (strncmp(ptr, "dbus ", 5) == 0) { - if (strcmp(ptr + 5, "yes") == 0) - cfg_val[CFG_DBUS] = 1; - else if (strcmp(ptr + 5, "no") == 0) - cfg_val[CFG_DBUS] = 0; - else - goto errout; - } - // join - else if (strncmp(ptr, "join ", 5) == 0) { - if (strcmp(ptr + 5, "yes") == 0) - cfg_val[CFG_JOIN] = 1; - else if (strcmp(ptr + 5, "no") == 0) - cfg_val[CFG_JOIN] = 0; - else - goto errout; - } // apparmor else if (strncmp(ptr, "apparmor ", 9) == 0) { if (strcmp(ptr + 9, "yes") == 0) @@ -103,6 +77,13 @@ int checkcfg(int val) { else goto errout; } + // arp probes + else if (strncmp(ptr, "arp-probes ", 11) == 0) { + int arp_probes = atoi(ptr + 11); + if (arp_probes <= 1 || arp_probes > 30) + goto errout; + cfg_val[CFG_ARP_PROBES] = arp_probes; + } // bind else if (strncmp(ptr, "bind ", 5) == 0) { if (strcmp(ptr + 5, "yes") == 0) 
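Review bot: The relocated `arp-probes` branch parses its value with `atoi(ptr + 11)`, which has no way to report a malformed number, so a line such as `arp-probes 5x` is accepted as 5 and a value too large for `int` has undefined results. Parsing with `strtol` and an end pointer lets the branch reject trailing characters before the existing 2..30 range check, as in the excerpt below. This assumes `line_remove_spaces()` has already trimmed trailing whitespace, which is not visible here. checkcfg()'s body starts and ends outside the hunk.

```c
else if (strncmp(ptr, "arp-probes ", 11) == 0) {
	char *end;
	long arp_probes = strtol(ptr + 11, &end, 10);
	// reject empty values, trailing junk and anything outside 2..30
	if (end == ptr + 11 || *end != '\0' || arp_probes <= 1 || arp_probes > 30)
		goto errout;
	cfg_val[CFG_ARP_PROBES] = (int) arp_probes;
}
```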
@@ -112,12 +93,20 @@ int checkcfg(int val) { else goto errout; } - // user namespace - else if (strncmp(ptr, "userns ", 7) == 0) { - if (strcmp(ptr + 7, "yes") == 0) - cfg_val[CFG_USERNS] = 1; - else if (strcmp(ptr + 7, "no") == 0) - cfg_val[CFG_USERNS] = 0; + // dbus + else if (strncmp(ptr, "dbus ", 5) == 0) { + if (strcmp(ptr + 5, "yes") == 0) + cfg_val[CFG_DBUS] = 1; + else if (strcmp(ptr + 5, "no") == 0) + cfg_val[CFG_DBUS] = 0; + else + goto errout; + } + else if (strncmp(ptr, "disable-mnt ", 12) == 0) { + if (strcmp(ptr + 12, "yes") == 0) + cfg_val[CFG_DISABLE_MNT] = 1; + else if (strcmp(ptr + 12, "no") == 0) + cfg_val[CFG_DISABLE_MNT] = 0; else goto errout; } @@ -148,21 +137,12 @@ int checkcfg(int val) { else goto errout; } - // seccomp - else if (strncmp(ptr, "seccomp ", 8) == 0) { - if (strcmp(ptr + 8, "yes") == 0) - cfg_val[CFG_SECCOMP] = 1; - else if (strcmp(ptr + 8, "no") == 0) - cfg_val[CFG_SECCOMP] = 0; - else - goto errout; - } - // whitelist - else if (strncmp(ptr, "whitelist ", 10) == 0) { - if (strcmp(ptr + 10, "yes") == 0) - cfg_val[CFG_WHITELIST] = 1; - else if (strcmp(ptr + 10, "no") == 0) - cfg_val[CFG_WHITELIST] = 0; + // join + else if (strncmp(ptr, "join ", 5) == 0) { + if (strcmp(ptr + 5, "yes") == 0) + cfg_val[CFG_JOIN] = 1; + else if (strcmp(ptr + 5, "no") == 0) + cfg_val[CFG_JOIN] = 0; else goto errout; } @@ -175,6 +155,15 @@ int checkcfg(int val) { else goto errout; } + // quiet by default + else if (strncmp(ptr, "quiet-by-default ", 17) == 0) { + if (strcmp(ptr + 17, "yes") == 0) + arg_quiet = 1; + else if (strcmp(ptr + 17, "no") == 0) + arg_quiet = 0; + else + goto errout; + } // network else if (strncmp(ptr, "restricted-network ", 19) == 0) { if (strcmp(ptr + 19, "yes") == 0) 
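Review bot: Each yes/no option repeats its key length by hand in three places (`strncmp(ptr, "disable-mnt ", 12)`, then `ptr + 12` twice), and a mismatch between the literal and the number would compare the wrong bytes without any compiler diagnostic. The same pattern recurs in the `join`, `quiet-by-default` and `seccomp`/`userns`/`whitelist` hunks that follow. A small helper that derives the offset from the key, sketched below with an `int rv` local in checkcfg(), removes the duplicated constants and works for `arg_quiet` as well as the `cfg_val` slots. The new `disable-mnt` branch also lacks the `// name` comment its neighbours carry. checkcfg()'s body starts and ends outside these hunks.

```c
// returns 1 when the line is "<key> yes|no" (value stored in *out),
// 0 when the key does not match, -1 when the value is neither yes nor no
static int cfg_yes_no(const char *ptr, const char *key, int *out) {
	size_t len = strlen(key);
	if (strncmp(ptr, key, len) != 0 || ptr[len] != ' ')
		return 0;
	if (strcmp(ptr + len + 1, "yes") == 0)
		*out = 1;
	else if (strcmp(ptr + len + 1, "no") == 0)
		*out = 0;
	else
		return -1;
	return 1;
}

// … unchanged: apparmor, arp-probes and the other branches …
// disable-mnt
else if ((rv = cfg_yes_no(ptr, "disable-mnt", &cfg_val[CFG_DISABLE_MNT])) != 0) {
	if (rv < 0)
		goto errout;
}
```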
@@ -208,29 +197,32 @@ int checkcfg(int val) { if (arg_debug) printf("netfilter default file %s\n", fname); } - // quiet by default - else if (strncmp(ptr, "quiet-by-default ", 17) == 0) { - if (strcmp(ptr + 17, "yes") == 0) - arg_quiet = 1; - else if (strcmp(ptr + 17, "no") == 0) - arg_quiet = 0; + // seccomp + else if (strncmp(ptr, "seccomp ", 8) == 0) { + if (strcmp(ptr + 8, "yes") == 0) + cfg_val[CFG_SECCOMP] = 1; + else if (strcmp(ptr + 8, "no") == 0) + cfg_val[CFG_SECCOMP] = 0; else goto errout; } - else if (strncmp(ptr, "disable-mnt ", 12) == 0) { - if (strcmp(ptr + 12, "yes") == 0) - cfg_val[CFG_DISABLE_MNT] = 1; - else if (strcmp(ptr + 12, "no") == 0) - cfg_val[CFG_DISABLE_MNT] = 0; + // user namespace + else if (strncmp(ptr, "userns ", 7) == 0) { + if (strcmp(ptr + 7, "yes") == 0) + cfg_val[CFG_USERNS] = 1; + else if (strcmp(ptr + 7, "no") == 0) + cfg_val[CFG_USERNS] = 0; else goto errout; } - // arp probes - else if (strncmp(ptr, "arp-probes ", 11) == 0) { - int arp_probes = atoi(ptr + 11); - if (arp_probes <= 1 || arp_probes > 30) + // whitelist + else if (strncmp(ptr, "whitelist ", 10) == 0) { + if (strcmp(ptr + 10, "yes") == 0) + cfg_val[CFG_WHITELIST] = 1; + else if (strcmp(ptr + 10, "no") == 0) + cfg_val[CFG_WHITELIST] = 0; + else goto errout; - cfg_val[CFG_ARP_PROBES] = arp_probes; } else goto errout; diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 2ab4a0b85..533ed880a 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h 
@@ -650,40 +650,25 @@ void restrict_users(void); // checkcfg.c #define DEFAULT_ARP_PROBES 2 enum { - CFG_FILE_TRANSFER = 0, - CFG_X11, + CFG_APPARMOR = 0, + CFG_ARP_PROBES, CFG_BIND, - CFG_USERNS, - CFG_CHROOT, - CFG_SECCOMP, - CFG_NETWORK, - CFG_RESTRICTED_NETWORK, - CFG_FORCE_NONEWPRIVS, - CFG_WHITELIST, - CFG_XEPHYR_WINDOW_TITLE, - CFG_OVERLAYFS, - CFG_PRIVATE_HOME, - CFG_PRIVATE_BIN_NO_LOCAL, + CFG_DBUS, + CFG_DISABLE_MNT, CFG_FIREJAIL_PROMPT, CFG_FOLLOW_SYMLINK_AS_USER, - CFG_DISABLE_MNT, + CFG_FORCE_NONEWPRIVS, CFG_JOIN, - CFG_ARP_PROBES, - CFG_XPRA_ATTACH, - CFG_PRIVATE_LIB, - CFG_APPARMOR, - CFG_DBUS, + CFG_NETWORK, + CFG_RESTRICTED_NETWORK, + CFG_SECCOMP, + CFG_USERNS, + CFG_WHITELIST, CFG_MAX // this should always be the last entry }; -extern char *xephyr_screen; -extern char *xephyr_extra_params; -extern char *xpra_extra_params; -extern char *xvfb_screen; -extern char *xvfb_extra_params; extern char *netfilter_default; int checkcfg(int val); void print_compiletime_support(void); -void x11_xorg(void); // appimage.c void appimage_set(const char *appimage_path); diff --git a/src/firejail/main.c b/src/firejail/main.c index 594a6d83c..c4944c7d5 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
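Review bot: `CFG_ARP_PROBES` is the one entry in this enum whose `cfg_val` slot holds a count rather than a 0/1 switch (checkcfg.c stores `DEFAULT_ARP_PROBES` or a parsed value from 2 to 30 there), and now that the list is sorted alphabetically nothing distinguishes it from the flags around it. A trailing comment such as `CFG_ARP_PROBES, // probe count (2..30), not a yes/no flag` would keep a caller from testing `checkcfg(CFG_ARP_PROBES)` as a boolean, assuming checkcfg() returns the stored slot. The reorder also renumbers every constant, which is safe only if the values are never stored or exchanged outside the process; that cannot be confirmed from this hunk.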
@@ -1011,6 +1011,33 @@ int main(int argc, char **argv) { } else if (strcmp(argv[i], "--disable-mnt") == 0) arg_disable_mnt = 1; + else if (strcmp(argv[i], "--tunnel") == 0) { + // try to connect to the default client side of the tunnel + // if this fails, try the default server side of the tunnel + if (access("/run/firetunnel/ftc", R_OK) == 0) + profile_read("/run/firetunnel/ftc"); + else if (access("/run/firetunnel/fts", R_OK) == 0) + profile_read("/run/firetunnel/fts"); + else { + fprintf(stderr, "Error: no default firetunnel found, please specify it using --tunnel=devname option\n"); + exit(1); + } + } + else if (strncmp(argv[i], "--tunnel=", 9) == 0) { + char *fname; + if (asprintf(&fname, "/run/firetunnel/%s", argv[i] + 9) == -1) + errExit("asprintf"); + invalid_filename(fname, 0); // no globbing + if (access(fname, R_OK) == 0) + profile_read(fname); + else { + fprintf(stderr, "Error: tunnel not found\n"); + exit(1); + } + } + + + else if (strncmp(argv[i], "--profile=", 10) == 0) { // multiple profile files are allowed! diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 73af66be2..d5033c4a1 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -171,6 +171,8 @@ static char *usage_str = " --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n" " --top - monitor the most CPU-intensive sandboxes.\n" " --tree - print a tree of all sandboxed processes.\n" + " --tunnel[=devname] - connect the sandbox to a tunnel created by\n" + "\tfiretunnel utility.\n" " --version - print program version and exit.\n" #ifdef HAVE_NETWORK " --veth-name=name - use this name for the interface connected to the bridge.\n" diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c index bc51d04f6..3b10c4473 100644 --- a/src/fseccomp/syscall.c +++ b/src/fseccomp/syscall.c 
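Review bot: The `--tunnel=` branch builds `/run/firetunnel/%s` from `argv[i] + 9` without confining the name to a single path component, so a value containing `/` or `..` resolves outside /run/firetunnel and an empty value resolves to the directory itself. `invalid_filename(fname, 0)` is defined elsewhere, so whether it rejects either case is unconfirmed from this hunk. Because the resulting path is handed to `profile_read()`, the device name should be validated before `asprintf()`, as in the excerpt below. The man page text added in the same commit says the device files live in /etc/firetunnel while this code reads /run/firetunnel, so one of the two needs correcting. main()'s body starts and ends outside the hunk.

```c
else if (strncmp(argv[i], "--tunnel=", 9) == 0) {
	const char *devname = argv[i] + 9;
	// the device name must be one plain file name inside /run/firetunnel
	if (*devname == '\0' || strchr(devname, '/') != NULL ||
	    strcmp(devname, ".") == 0 || strcmp(devname, "..") == 0) {
		fprintf(stderr, "Error: invalid tunnel device name\n");
		exit(1);
	}
	// … unchanged: asprintf of fname, invalid_filename, access/profile_read …
}
```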
@@ -495,10 +495,7 @@ int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, } else { syscall_process_name(ptr, &syscall_nr, &error_nr); - if (syscall_nr == -1) { - if (!arg_quiet) - fprintf(stderr, "Warning fseccomp: syscall \"%s\" not available on this platform\n", ptr); - } + if (syscall_nr == -1) {;} else if (callback != NULL) { if (error_nr != -1 && fd != 0) { filter_add_errno(fd, syscall_nr, error_nr, ptrarg); diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 11dedbf35..0bc1c1b5d 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1787,6 +1787,25 @@ $ firejail \-\-tree .br 11970:netblue:transmission-gtk +.TP +\fB\-\-tunnel[=devname] +Connect the sandbox to a network overlay/VPN tunnel created by firetunnel utility. This options +tries first the client side of the tunnel. If this fails, it tries the server side. If multiple tunnels are active, +please specify the tunnel device using \-\-tunnel=devname. +.br +.br +The available tunnel devices are listed in /etc/firetunnel directory, one file for each device. +The files are regular firejail profile files containing the network configuration, +and are created and managed by firetunnel utility. +By default ftc is the client-side device and fts is the server-side device. For more information +please see man 1 firetunnel. +.br +.br +Example: +.br +$ firejail --tunnel firefox +.br + .TP \fB\-\-version Print program version and exit. diff --git a/test/blacklist-link.exp b/test/blacklist-link.exp deleted file mode 100755 index 4252f875a..000000000 --- a/test/blacklist-link.exp +++ /dev/null 
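Review bot: The new `if (syscall_nr == -1) {;}` discards a name that `syscall_process_name()` could not resolve without any diagnostic, so a misspelled entry in a seccomp list now produces a filter that omits it and nothing tells the user the rule was not applied. The removed message was already suppressed by `arg_quiet`; keeping it, or routing it through a debug switch, preserves the only signal that a requested restriction is missing. If the silence is intentional, the empty statement should at least say so, e.g. `if (syscall_nr == -1) { /* unknown on this platform: entry skipped, filter does not cover it */ }`. syscall_check_list()'s body starts and ends outside the hunk.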
@@ -1,82 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -# blacklist a directory symlink -send -- "firejail --blacklist=auto2\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "ls auto2\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "cannot open directory" -} -send -- "exit\r" -sleep 1 - -# blacklist a directory symlink from a profile file -send -- "firejail --profile=blacklist3.profile\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "ls auto2\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "cannot open directory" -} -send -- "exit\r" -sleep 1 - -# do not blacklist /bin -send -- "firejail --blacklist=auto3\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "auto3 directory link was not blacklisted" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "ls auto3; pwd\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "cannot open directory" {puts "TESTING ERROR 6.1\n";exit} - "home" -} -send -- "exit\r" -sleep 1 - -# do not blacklist /usr/bin -send -- "firejail --blacklist=auto3\r" -expect { - timeout {puts "TESTING ERROR 7\n";exit} - "auto3 directory link was not blacklisted" -} -expect { - timeout {puts "TESTING ERROR 7.1\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "ls auto3; pwd\r" -expect { - timeout {puts "TESTING ERROR 8\n";exit} - "cannot open directory" {puts "TESTING ERROR 9.1\n";exit} - "home" -} -send -- "exit\r" -sleep 1 - - -puts "all done\n" diff --git a/test/blacklist.exp b/test/blacklist.exp deleted file mode 100755 index 9c3dddf1f..000000000 --- a/test/blacklist.exp +++ /dev/null 
@@ -1,75 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -# directory with ~ -send -- "firejail --blacklist=~/.config\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "ls -al ~/.config\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "cannot open directory" -} - -send -- "exit\r" -sleep 1 - -# directory with ~ in profile file -send -- "firejail --profile=blacklist1.profile\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "ls -al ~/.config\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "cannot open directory" -} - -send -- "exit\r" -sleep 1 - - -# directory with space -send -- "firejail \"--blacklist=dir with space\"\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "ls -al \"dir with space\"\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "cannot open directory" -} - -send -- "exit\r" -sleep 1 - -# directory with space in profile -send -- "firejail --profile=blacklist2.profile\r" -expect { - timeout {puts "TESTING ERROR 7\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "ls -al \"dir with space\"\r" -expect { - timeout {puts "TESTING ERROR 8\n";exit} - "cannot open directory" -} - - - -puts "\n" diff --git a/test/blacklist1.profile b/test/blacklist1.profile deleted file mode 100644 index f12facd05..000000000 --- a/test/blacklist1.profile +++ /dev/null @@ -1 +0,0 @@ -blacklist ~/.config diff --git a/test/blacklist2.profile b/test/blacklist2.profile deleted file mode 100644 index 4bb603db2..000000000 --- a/test/blacklist2.profile +++ /dev/null @@ -1 +0,0 @@ -blacklist dir with space diff --git a/test/blacklist3.profile b/test/blacklist3.profile deleted file mode 100644 index 08f754f3f..000000000 --- a/test/blacklist3.profile +++ /dev/null @@ -1 +0,0 @@ -blacklist auto2 
diff --git a/test/fs/private-home-dir.exp b/test/fs/private-home-dir.exp index 320fb73fa..41820b919 100755 --- a/test/fs/private-home-dir.exp +++ b/test/fs/private-home-dir.exp @@ -64,7 +64,7 @@ sleep 1 send -- "firejail --private=/etc\r" expect { timeout {puts "TESTING ERROR 5\n";exit} - "private directory should be owned by the current user" + "private directory is not owned by the current user" } sleep 1 send -- "mkdir ~/_firejail_test_dir_/test_dir_2\r" -- cgit v1.2.3-54-g00ecf