From 123b2b1e256a17425afa32b238a9c448184f065b Mon Sep 17 00:00:00 2001 From: ಚಿರಾಗ್ ನಟರಾಜ್ Date: Tue, 31 Jul 2018 00:01:58 -0400 Subject: Add XDG variable support to blacklist and read-only. --- src/firejail/firejail.h | 9 ++ src/firejail/fs_whitelist.c | 269 ++++++++++++-------------------------------- src/firejail/util.c | 236 +++++++++++++++++++++++++++++++++++++- 3 files changed, 310 insertions(+), 204 deletions(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 0faf10340..9f7936174 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -491,6 +491,15 @@ int arp_check(const char *dev, uint32_t destaddr); uint32_t arp_assign(const char *dev, Bridge *br); // util.c +extern char *dentry[]; +extern char *mentry[]; +extern char *ventry[]; +extern char *pentry[]; +extern char *deentry[]; +extern char *doentry[]; + +char *resolve_xdg(int flags, const char *var, size_t length, const char *prnt); +char *resolve_hardcoded(int flags, char *entries[], const char *prnt); void errLogExit(char* fmt, ...); void fwarning(char* fmt, ...); void fmessage(char* fmt, ...); diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index bf839b524..0178e3c5b 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c 
@@ -33,159 +33,20 @@ // 3. run firejail --debug --whitelist=/tmp/etc //#define TEST_MOUNTINFO -static char *dentry[] = { - "Downloads", - "Загрузки", - "Téléchargement", - NULL -}; - -static char *mentry[] = { - "Music", - "Музыка", - "Musique", - NULL -}; - -static char *ventry[] = { - "Videos", - "Видео", - "Vidéos", - NULL -}; - -static char *pentry[] = { - "Pictures", - "Изображения", - "Photos", - NULL -}; - -static char *deentry[] = { - "Desktop", - "Рабочий стол", - "Bureau", - NULL -}; - -static char *doentry[] = { - "Documents", - "Документы", - "Documents", - NULL -}; - #define EMPTY_STRING ("") #define MAXBUF 4098 -static char *resolve_xdg(int nowhitelist_flag, const char *var, size_t length, const char *prnt) { - EUID_ASSERT(); - char *fname; - struct stat s; - - if (asprintf(&fname, "%s/.config/user-dirs.dirs", cfg.homedir) == -1) - errExit("asprintf"); - FILE *fp = fopen(fname, "r"); - if (!fp) { - free(fname); - return NULL; - } - free(fname); - - char buf[MAXBUF]; - while (fgets(buf, MAXBUF, fp)) { - char *ptr = buf; - - // skip blanks - while (*ptr == ' ' || *ptr == '\t') - ptr++; - if (*ptr == '\0' || *ptr == '\n' || *ptr == '#') - continue; - - if (strncmp(ptr, var, length) == 0) { - char *ptr1 = ptr + length; - char *ptr2 = strchr(ptr1, '"'); - if (ptr2) { - fclose(fp); - *ptr2 = '\0'; - if (arg_debug || arg_debug_whitelists) - printf("extracted %s from ~/.config/user-dirs.dirs\n", ptr1); - if (strlen(ptr1) != 0) { - if (arg_debug || arg_debug_whitelists) - printf("%s ",prnt); - printf("directory resolved as \"%s\"\n", ptr1); - - if (asprintf(&fname, "%s/%s", cfg.homedir, ptr1) == -1) - errExit("asprintf"); - - if (stat(fname, &s) == -1) { - free(fname); - goto errout; - } - - char *rv; - if (nowhitelist_flag) { - if (asprintf(&rv, "nowhitelist ~/%s", ptr + length) == -1) - errExit("asprintf"); - } - else { - if (asprintf(&rv, "whitelist ~/%s", ptr + length) == -1) - errExit("asprintf"); - } - return rv; - } - else - goto errout; - } - } - } - - 
fclose(fp); - return NULL; - - errout: - if (!arg_private) { - fprintf(stderr, "***\n"); - fprintf(stderr, "*** Error: %s directory was not found in user home.\n",prnt); - fprintf(stderr, "*** \tAny files saved by the program, will be lost when the sandbox is closed.\n"); - fprintf(stderr, "***\n"); +char *parse_nowhitelist(int nowhitelist_flag, char *ptr1) { + char *rv; + if (nowhitelist_flag) { + if (asprintf(&rv, "nowhitelist ~/%s", ptr1) == -1) + errExit("asprintf"); } - return NULL; -} - -static char *resolve_hardcoded(int nowhitelist_flag, char *entries[], const char *prnt) { - EUID_ASSERT(); - char *fname; - struct stat s; - - int i = 0; - while (entries[i] != NULL) { - if (asprintf(&fname, "%s/%s", cfg.homedir, entries[i]) == -1) + else { + if (asprintf(&rv, "whitelist ~/%s", ptr1) == -1) errExit("asprintf"); - - if (stat(fname, &s) == 0) { - if (arg_debug || arg_debug_whitelists) { - printf("%s ", prnt); - printf("directory resolved as \"%s\"\n", fname); - } - - char *rv; - if (nowhitelist_flag) { - if (asprintf(&rv, "nowhitelist ~/%s", entries[i]) == -1) - errExit("asprintf"); - } - else { - if (asprintf(&rv, "whitelist ~/%s", entries[i]) == -1) - errExit("asprintf"); - } - free(fname); - return rv; - } - free(fname); - i++; } - - return NULL; + return rv; } static int mkpath(const char* path, mode_t mode) { 
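Review bot: `parse_nowhitelist` formats `ptr1` with `%s` without checking it for NULL, while the callers in `fs_whitelist` (the `${DOWNLOADS}` to `${DOCUMENTS}` hunks below) pass in the results of `resolve_xdg` and `resolve_hardcoded` unchecked, and both return NULL when nothing resolves. Passing NULL to `%s` is undefined behaviour. On a libc that prints a placeholder instead, the helper still returns a non-NULL rule string, so the `tmpw1` half of the callers' `tmp1 && tmpw1` test tells them nothing. I would start the function with `if (!ptr1) return NULL;`. As far as this patch shows, the helper is used only in fs_whitelist.c and gets no prototype in firejail.h, so it should also be declared `static`.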
@@ -467,39 +328,43 @@ void fs_whitelist(void) { // resolve ${DOWNLOADS} if (strcmp(dataptr, "${DOWNLOADS}") == 0) { - char *tmp = resolve_xdg(nowhitelist_flag, "XDG_DOWNLOAD_DIR=\"$HOME/", 24, "Downloads"); - char *tmp2 = resolve_hardcoded(nowhitelist_flag, dentry, "Downloads"); - if (tmp) { - entry->data = tmp; - dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10; - } - else if (tmp2) { - entry->data = tmp2; - dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10; - } - else { - if (!nowhitelist_flag && !arg_quiet && !arg_private) { - fprintf(stderr, "***\n"); - fprintf(stderr, "*** Warning: cannot whitelist Downloads directory\n"); - fprintf(stderr, "*** \tAny file saved will be lost when the sandbox is closed.\n"); - fprintf(stderr, "*** \tPlease create a proper Downloads directory for your application.\n"); - fprintf(stderr, "***\n"); - } - entry->data = EMPTY_STRING; - continue; - } + char *tmp1 = resolve_xdg(arg_debug || arg_debug_whitelists, "XDG_DOWNLOAD_DIR=\"$HOME/", 24, "Downloads"); + char *tmpw1 = parse_nowhitelist(nowhitelist_flag, tmp1); + char *tmp2 = resolve_hardcoded(arg_debug || arg_debug_whitelists, dentry, "Downloads"); + char *tmpw2 = parse_nowhitelist(nowhitelist_flag, tmp2); + if (tmp1 && tmpw1) { + entry->data = tmpw1; + dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10; + } + else if (tmp2 && tmpw2) { + entry->data = tmpw2; + dataptr = (nowhitelist_flag)? 
entry->data + 12: entry->data + 10; + } + else { + if (!nowhitelist_flag && !arg_quiet && !arg_private) { + fprintf(stderr, "***\n"); + fprintf(stderr, "*** Warning: cannot whitelist Downloads directory\n"); + fprintf(stderr, "*** \tAny file saved will be lost when the sandbox is closed.\n"); + fprintf(stderr, "*** \tPlease create a proper Downloads directory for your application.\n"); + fprintf(stderr, "***\n"); + } + entry->data = EMPTY_STRING; + continue; + } } // resolve ${MUSIC} if (strcmp(dataptr, "${MUSIC}") == 0) { - char *tmp = resolve_xdg(nowhitelist_flag, "XDG_MUSIC_DIR=\"$HOME/", 21, "Music"); - char *tmp2 = resolve_hardcoded(nowhitelist_flag, mentry, "Music"); - if (tmp) { - entry->data = tmp; + char *tmp1 = resolve_xdg(arg_debug || arg_debug_whitelists, "XDG_MUSIC_DIR=\"$HOME/", 21, "Music"); + char *tmpw1 = parse_nowhitelist(nowhitelist_flag, tmp1); + char *tmp2 = resolve_hardcoded(arg_debug || arg_debug_whitelists, mentry, "Music"); + char *tmpw2 = parse_nowhitelist(nowhitelist_flag, tmp2); + if (tmp1 && tmpw1) { + entry->data = tmpw1; dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10; } - else if (tmp2) { - entry->data = tmp2; + else if (tmp2 && tmpw2) { + entry->data = tmpw2; dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10; } else { 
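Review bot: In the `${DOWNLOADS}` and `${MUSIC}` branches both resolvers and both `parse_nowhitelist` calls run before any result is inspected, so the string behind `tmpw2` is allocated on every pass and never freed when the `tmp1` branch is taken. The same pattern is repeated in the `${VIDEOS}`, `${PICTURES}`, `${DESKTOP}` and `${DOCUMENTS}` hunks that follow. Resolving the hard-coded fallback only after the XDG lookup has failed avoids the leak and the extra `stat()` calls: `char *dir = resolve_xdg(...); if (!dir) dir = resolve_hardcoded(...);` followed by one `parse_nowhitelist(nowhitelist_flag, dir)` guarded by `if (dir)`. The body of `fs_whitelist` starts and ends outside this hunk.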
@@ -517,14 +382,16 @@ void fs_whitelist(void) { // resolve ${VIDEOS} if (strcmp(dataptr, "${VIDEOS}") == 0) { - char *tmp = resolve_xdg(nowhitelist_flag, "XDG_VIDEOS_DIR=\"$HOME/", 22, "Videos"); - char *tmp2 = resolve_hardcoded(nowhitelist_flag, ventry, "Videos"); - if (tmp) { - entry->data = tmp; + char *tmp1 = resolve_xdg(arg_debug || arg_debug_whitelists, "XDG_VIDEOS_DIR=\"$HOME/", 22, "Videos"); + char *tmpw1 = parse_nowhitelist(nowhitelist_flag, tmp1); + char *tmp2 = resolve_hardcoded(arg_debug || arg_debug_whitelists, ventry, "Videos"); + char *tmpw2 = parse_nowhitelist(nowhitelist_flag, tmp2); + if (tmp1 && tmpw1) { + entry->data = tmpw1; dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10; } - else if (tmp2) { - entry->data = tmp2; + else if (tmp2 && tmpw2) { + entry->data = tmpw2; dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10; } else { @@ -542,14 +409,16 @@ void fs_whitelist(void) { // resolve ${PICTURES} if (strcmp(dataptr, "${PICTURES}") == 0) { - char *tmp = resolve_xdg(nowhitelist_flag, "XDG_PICTURES_DIR=\"$HOME/", 24, "Pictures"); - char *tmp2 = resolve_hardcoded(nowhitelist_flag, pentry, "Pictures"); - if (tmp) { - entry->data = tmp; + char *tmp1 = resolve_xdg(arg_debug || arg_debug_whitelists, "XDG_PICTURES_DIR=\"$HOME/", 24, "Pictures"); + char *tmpw1 = parse_nowhitelist(nowhitelist_flag, tmp1); + char *tmp2 = resolve_hardcoded(arg_debug || arg_debug_whitelists, pentry, "Pictures"); + char *tmpw2 = parse_nowhitelist(nowhitelist_flag, tmp2); + if (tmp1 && tmpw1) { + entry->data = tmpw1; dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10; } - else if (tmp2) { - entry->data = tmp2; + else if (tmp2 && tmpw2) { + entry->data = tmpw2; dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10; } else { 
@@ -567,14 +436,16 @@ void fs_whitelist(void) { // resolve ${DESKTOP} if (strcmp(dataptr, "${DESKTOP}") == 0) { - char *tmp = resolve_xdg(nowhitelist_flag, "XDG_DESKTOP_DIR=\"$HOME/", 24, "Desktop"); - char *tmp2 = resolve_hardcoded(nowhitelist_flag, deentry, "Desktop"); - if (tmp) { - entry->data = tmp; + char *tmp1 = resolve_xdg(arg_debug || arg_debug_whitelists, "XDG_DESKTOP_DIR=\"$HOME/", 24, "Desktop"); + char *tmpw1 = parse_nowhitelist(nowhitelist_flag, tmp1); + char *tmp2 = resolve_hardcoded(arg_debug || arg_debug_whitelists, deentry, "Desktop"); + char *tmpw2 = parse_nowhitelist(nowhitelist_flag, tmp2); + if (tmp1 && tmpw1) { + entry->data = tmpw1; dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10; } - else if (tmp2) { - entry->data = tmp2; + else if (tmp2 && tmpw2) { + entry->data = tmpw2; dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10; } else { @@ -592,14 +463,16 @@ void fs_whitelist(void) { // resolve ${DOCUMENTS} if (strcmp(dataptr, "${DOCUMENTS}") == 0) { - char *tmp = resolve_xdg(nowhitelist_flag, "XDG_DOCUMENTS_DIR=\"$HOME/", 25, "Documents"); - char *tmp2 = resolve_hardcoded(nowhitelist_flag, doentry, "Documents"); - if (tmp) { - entry->data = tmp; + char *tmp1 = resolve_xdg(arg_debug || arg_debug_whitelists, "XDG_DOCUMENTS_DIR=\"$HOME/", 25, "Documents"); + char *tmpw1 = parse_nowhitelist(nowhitelist_flag, tmp1); + char *tmp2 = resolve_hardcoded(arg_debug || arg_debug_whitelists, doentry, "Documents"); + char *tmpw2 = parse_nowhitelist(nowhitelist_flag, tmp2); + if (tmp1 && tmpw1) { + entry->data = tmpw1; dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10; } - else if (tmp2) { - entry->data = tmp2; + else if (tmp2 && tmpw2) { + entry->data = tmpw2; dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10; } else { diff --git a/src/firejail/util.c b/src/firejail/util.c index fa32ffcc8..0d6f5ea02 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c 
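Review bot: The length passed for the Desktop key is one too large: `"XDG_DESKTOP_DIR=\"$HOME/"` is 23 characters, but the `${DESKTOP}` branch calls `resolve_xdg(..., 24, "Desktop")`. `resolve_xdg` uses that length both for `strncmp` and to locate the start of the value, so the comparison runs into the literal's terminating NUL and the XDG entry is in practice never matched; resolution silently falls back to the hard-coded names. The new `${DESKTOP}` branch of `expand_home` in util.c uses the same `24`, where a miss may leave a `blacklist` or `read-only` rule not covering a relocated Desktop directory. Deriving the length instead of counting it by hand removes this class of error, e.g. `static const char key[] = "XDG_DESKTOP_DIR=\"$HOME/";` with `resolve_xdg(flags, key, sizeof(key) - 1, "Desktop")`, or `strlen(var)` inside `resolve_xdg`.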
@@ -32,6 +32,140 @@ #include #define MAX_GROUPS 1024 +#define MAXBUF 4098 + +char *dentry[] = { + "Downloads", + "Загрузки", + "Téléchargement", + NULL +}; + +char *mentry[] = { + "Music", + "Музыка", + "Musique", + NULL +}; + +char *ventry[] = { + "Videos", + "Видео", + "Vidéos", + NULL +}; + +char *pentry[] = { + "Pictures", + "Изображения", + "Photos", + NULL +}; + +char *deentry[] = { + "Desktop", + "Рабочий стол", + "Bureau", + NULL +}; + +char *doentry[] = { + "Documents", + "Документы", + "Documents", + NULL +}; + +char *resolve_xdg(int flags, const char *var, size_t length, const char *prnt) { + /* EUID_ASSERT(); */ + char *fname; + struct stat s; + + if (asprintf(&fname, "%s/.config/user-dirs.dirs", cfg.homedir) == -1) + errExit("asprintf"); + FILE *fp = fopen(fname, "r"); + if (!fp) { + free(fname); + return NULL; + } + free(fname); + + char buf[MAXBUF]; + while (fgets(buf, MAXBUF, fp)) { + char *ptr = buf; + + // skip blanks + while (*ptr == ' ' || *ptr == '\t') + ptr++; + if (*ptr == '\0' || *ptr == '\n' || *ptr == '#') + continue; + + if (strncmp(ptr, var, length) == 0) { + char *ptr1 = ptr + length; + char *ptr2 = strchr(ptr1, '"'); + if (ptr2) { + fclose(fp); + *ptr2 = '\0'; + if (flags) + printf("extracted %s from ~/.config/user-dirs.dirs\n", ptr1); + if (strlen(ptr1) != 0) { + if (flags) + printf("%s ",prnt); + printf("directory resolved as \"%s\"\n", ptr1); + + if (asprintf(&fname, "%s/%s", cfg.homedir, ptr1) == -1) + errExit("asprintf"); + + if (stat(fname, &s) == -1) { + free(fname); + goto errout; + } + free(fname); + return ptr1; + } + else + goto errout; + } + } + } + + fclose(fp); + return NULL; + + errout: + if (!arg_private) { + fprintf(stderr, "***\n"); + fprintf(stderr, "*** Error: %s directory was not found in user home.\n",prnt); + fprintf(stderr, "*** \tAny files saved by the program, will be lost when the sandbox is closed.\n"); + fprintf(stderr, "***\n"); + } + return NULL; +} + +char *resolve_hardcoded(int flags, char *entries[], 
const char *prnt) { + /* EUID_ASSERT(); */ + char *fname; + struct stat s; + + int i = 0; + while (entries[i] != NULL) { + if (asprintf(&fname, "%s/%s", cfg.homedir, entries[i]) == -1) + errExit("asprintf"); + + if (stat(fname, &s) == 0) { + if (flags) { + printf("%s ", prnt); + printf("directory resolved as \"%s\"\n", fname); + } + free(fname); + return entries[i]; + } + free(fname); + i++; + } + + return NULL; +} // send the error to /var/log/auth.log and exit after a small delay void errLogExit(char* fmt, ...) { 
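Review bot: `resolve_xdg` now returns `ptr1`, which points into the local `char buf[MAXBUF]`, so every caller receives a pointer to storage that no longer exists once the function returns; the previous version copied the value with `asprintf` before returning. The callers in this patch pass that pointer to `asprintf` or `parse_nowhitelist` after further calls have reused the stack, which is undefined behaviour in code that builds filesystem rules from the result. Return an owned copy instead, `char *rv = strdup(ptr1); if (!rv) errExit("strdup"); return rv;`, and document that the caller frees it; `resolve_hardcoded` returns a pointer into the static table, so the ownership difference between the two helpers needs a comment as well. Separately, `printf("directory resolved as ...")` in `resolve_xdg` sits outside the brace-less `if (flags)`, so it prints on every successful lookup rather than only in debug mode.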
@@ -740,14 +874,104 @@ char *expand_home(const char *path, const char* homedir) { return new_name; } else if (*path == '~') { - if (asprintf(&new_name, "%s%s", homedir, path + 1) == -1) - errExit("asprintf"); - return new_name; + if (asprintf(&new_name, "%s%s", homedir, path + 1) == -1) + errExit("asprintf"); + return new_name; } else if (strncmp(path, "${CFG}", 6) == 0) { - if (asprintf(&new_name, "%s%s", SYSCONFDIR, path + 6) == -1) - errExit("asprintf"); - return new_name; + if (asprintf(&new_name, "%s%s", SYSCONFDIR, path + 6) == -1) + errExit("asprintf"); + return new_name; + } + + else if (strncmp(path, "${DOWNLOADS}", 12) == 0) { + char *tmp = resolve_xdg(arg_debug, "XDG_DOWNLOAD_DIR=\"$HOME/", 24, "Downloads"); + char *tmp2 = resolve_hardcoded(arg_debug, dentry, "Downloads"); + if(tmp) { + if (asprintf(&new_name, "%s/%s%s", homedir, tmp, path + 12) == -1) + errExit("asprintf"); + return new_name; + } + else if(tmp2) { + if (asprintf(&new_name, "%s/%s%s", homedir, tmp2, path + 12) == -1) + errExit("asprintf"); + return new_name; + } + } + + else if (strncmp(path, "${MUSIC}", 8) == 0) { + char *tmp = resolve_xdg(arg_debug, "XDG_MUSIC_DIR=\"$HOME/", 21, "Music"); + char *tmp2 = resolve_hardcoded(arg_debug, mentry, "Music"); + if(tmp) { + if (asprintf(&new_name, "%s/%s%s", homedir, tmp, path + 8) == -1) + errExit("asprintf"); + return new_name; + } + else if(tmp2) { + if (asprintf(&new_name, "%s/%s%s", homedir, tmp2, path + 8) == -1) + errExit("asprintf"); + return new_name; + } + } + + else if (strncmp(path, "${VIDEOS}", 9) == 0) { + char *tmp = resolve_xdg(arg_debug, "XDG_VIDEOS_DIR=\"$HOME/", 22, "Videos"); + char *tmp2 = resolve_hardcoded(arg_debug, ventry, "Videos"); + if(tmp) { + if (asprintf(&new_name, "%s/%s%s", homedir, tmp, path + 9) == -1) + errExit("asprintf"); + return new_name; + } + else if(tmp2) { + if (asprintf(&new_name, "%s/%s%s", homedir, tmp2, path + 9) == -1) + errExit("asprintf"); + return new_name; + } + } + + else if (strncmp(path, 
"${PICTURES}", 11) == 0) { + char *tmp = resolve_xdg(arg_debug, "XDG_PICTURES_DIR=\"$HOME/", 24, "Pictures"); + char *tmp2 = resolve_hardcoded(arg_debug, pentry, "Pictures"); + if(tmp) { + if (asprintf(&new_name, "%s/%s%s", homedir, tmp, path + 11) == -1) + errExit("asprintf"); + return new_name; + } + else if(tmp2) { + if (asprintf(&new_name, "%s/%s%s", homedir, tmp2, path + 11) == -1) + errExit("asprintf"); + return new_name; + } + } + + else if (strncmp(path, "${DESKTOP}", 10) == 0) { + char *tmp = resolve_xdg(arg_debug, "XDG_DESKTOP_DIR=\"$HOME/", 24, "Desktop"); + char *tmp2 = resolve_hardcoded(arg_debug, deentry, "Desktop"); + if(tmp) { + if (asprintf(&new_name, "%s/%s%s", homedir, tmp, path + 10) == -1) + errExit("asprintf"); + return new_name; + } + else if(tmp2) { + if (asprintf(&new_name, "%s/%s%s", homedir, tmp2, path + 10) == -1) + errExit("asprintf"); + return new_name; + } + } + + else if (strncmp(path, "${DOCUMENTS}", 12) == 0) { + char *tmp = resolve_xdg(arg_debug, "XDG_DOCUMENTS_DIR=\"$HOME/", 24, "Documents"); + char *tmp2 = resolve_hardcoded(arg_debug, doentry, "Documents"); + if(tmp) { + if (asprintf(&new_name, "%s/%s%s", homedir, tmp, path + 12) == -1) + errExit("asprintf"); + return new_name; + } + else if(tmp2) { + if (asprintf(&new_name, "%s/%s%s", homedir, tmp2, path + 12) == -1) + errExit("asprintf"); + return new_name; + } } char *rv = strdup(path); -- cgit v1.2.3-54-g00ecf From 3c2a7e4c91aa030218b5ad7fa6291d16f1d51b53 Mon Sep 17 00:00:00 2001 
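Review bot: When neither `resolve_xdg` nor `resolve_hardcoded` finds a directory, each new `${DOWNLOADS}` to `${DOCUMENTS}` branch falls out of the `else if` chain and `expand_home` returns `strdup(path)` with the macro still in it. For the blacklist and read-only rules this commit targets, that presumably leaves the rule pointing at a path that does not exist, so it is skipped without any message and the directory is not protected as the profile author intended. I would at least report it at the end of each branch, e.g. `fwarning("cannot resolve %s\n", path);`, and let the callers decide whether an unresolved macro in a restricting rule should be fatal. The six branches differ only in key, length, table and label, so one small table and a loop would replace the hand-counted lengths and the repeated code. The start of `expand_home` lies outside this hunk.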
From: Tad Date: Tue, 31 Jul 2018 00:48:37 -0400 Subject: Sound fixes - Adds machine-id to all profiles with 'private-etc *pulse*' - This fixes sound under many profiles - This is related to #2037, except this adds etc machine-id not spoofed machine-id - Spoofed machine-id seems to break pulseaudio on some systems - We already do this in profiles like firefox-common (see the note in it) - pulseaudio's enable-shm set to yes or no doesn't fix this issue on systems where it occurs - We can revert this in the future if we find a fix - Command used: grep -e music -e videos -e audio -e pulse -e asound -il $(grep "machine-id" -iL $(grep "private-etc" . -Rl)) --- etc/Viber.profile | 2 +- etc/amarok.profile | 2 +- etc/ardour5.profile | 2 +- etc/cmus.profile | 2 +- etc/gnome-music.profile | 2 +- etc/goobox.profile | 2 +- etc/minetest.profile | 2 +- etc/musixmatch.profile | 2 +- etc/parole.profile | 2 +- etc/ppsspp.profile | 2 +- etc/qupzilla.profile | 2 +- etc/seamonkey.profile | 2 +- etc/slack.profile | 2 +- etc/totem.profile | 2 +- etc/xonotic.profile | 2 +- etc/xplayer.profile | 2 +- 16 files changed, 16 insertions(+), 16 deletions(-) diff --git a/etc/Viber.profile b/etc/Viber.profile index 6a58da8c9..cb9d01e03 100644 --- a/etc/Viber.profile +++ b/etc/Viber.profile @@ -32,7 +32,7 @@ shell none disable-mnt private-bin sh,bash,dig,awk,Viber -private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf,pki,ca-certificates,crypto-policies +private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf,pki,ca-certificates,crypto-policies,machine-id,asound.conf private-tmp noexec ${HOME} diff --git a/etc/amarok.profile b/etc/amarok.profile index aff78e210..dab23c218 100644 --- a/etc/amarok.profile +++ b/etc/amarok.profile @@ -29,5 +29,5 @@ shell none # private-bin amarok private-dev -# private-etc none +# private-etc none,machine-id,pulse,asound.conf private-tmp 
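Review bot: The active `private-etc` line changed in Viber.profile (and those in cmus, musixmatch, parole, ppsspp and slack in the following hunks) now exposes the host's real `/etc/machine-id` inside the sandbox, a stable per-host identifier, and some of these applications are presumably network-facing. The commit message explains why the spoofed id is not used, but the profiles themselves carry no hint, so a later reader cannot tell that the entry is a deliberate sound workaround rather than an oversight. A one-line comment above each changed line would record that, for example `# machine-id needed for PulseAudio on some systems; exposes the real host id`. The hunks that only extend commented-out `private-etc` lines (amarok here, and others below) have no runtime effect.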
diff --git a/etc/ardour5.profile b/etc/ardour5.profile index aaac62bc8..99649cc3f 100644 --- a/etc/ardour5.profile +++ b/etc/ardour5.profile @@ -35,7 +35,7 @@ shell none #private-bin sh,ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm private-cache private-dev -#private-etc pulse,X11,alternatives,ardour4,ardour5,fonts +#private-etc pulse,X11,alternatives,ardour4,ardour5,fonts,machine-id,asound.conf private-tmp noexec ${HOME} diff --git a/etc/cmus.profile b/etc/cmus.profile index 3331bde22..36478ef85 100644 --- a/etc/cmus.profile +++ b/etc/cmus.profile @@ -26,4 +26,4 @@ seccomp shell none private-bin cmus -private-etc group +private-etc group,machine-id,pulse,asound.conf diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile index 90fb9814f..15710b363 100644 --- a/etc/gnome-music.profile +++ b/etc/gnome-music.profile @@ -38,7 +38,7 @@ tracelog private-bin gnome-music,python* private-dev -# private-etc fonts +# private-etc fonts,machine-id,pulse,asound.conf private-tmp noexec ${HOME} diff --git a/etc/goobox.profile b/etc/goobox.profile index 5e5aad95b..680e14a49 100644 --- a/etc/goobox.profile +++ b/etc/goobox.profile @@ -29,5 +29,5 @@ tracelog # private-bin goobox private-dev -# private-etc fonts +# private-etc fonts,machine-id,pulse,asound.conf # private-tmp diff --git a/etc/minetest.profile b/etc/minetest.profile index cdbf21935..6497fa9ba 100644 --- a/etc/minetest.profile +++ b/etc/minetest.profile @@ -34,7 +34,7 @@ disable-mnt private-bin minetest private-dev # private-etc needs to be updated, see #1702 -#private-etc asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies +#private-etc asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id private-tmp noexec ${HOME} 
diff --git a/etc/musixmatch.profile b/etc/musixmatch.profile index bc8965431..b572f13d2 100644 --- a/etc/musixmatch.profile +++ b/etc/musixmatch.profile @@ -30,7 +30,7 @@ seccomp disable-mnt private-dev -private-etc none +private-etc none,machine-id,pulse,asound.conf noexec ${HOME} noexec /tmp diff --git a/etc/parole.profile b/etc/parole.profile index f98703bd6..17d31af15 100644 --- a/etc/parole.profile +++ b/etc/parole.profile @@ -26,4 +26,4 @@ shell none private-bin parole,dbus-launch private-cache -private-etc passwd,group,fonts +private-etc passwd,group,fonts,machine-id,pulse,asound.conf diff --git a/etc/ppsspp.profile b/etc/ppsspp.profile index 073108464..3a40b6260 100644 --- a/etc/ppsspp.profile +++ b/etc/ppsspp.profile @@ -36,7 +36,7 @@ shell none # private-dev is disabled to allow controller support #private-dev -private-etc asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies +private-etc asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id private-opt ppsspp private-tmp diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile index 947689d96..da1ca2281 100644 --- a/etc/qupzilla.profile +++ b/etc/qupzilla.profile @@ -33,7 +33,7 @@ seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@res # tracelog private-dev -# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse +# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id # private-tmp - interferes with the opening of downloaded files noexec ${HOME} diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile index 423863cc2..dc2fd8e30 100644 
--- a/etc/seamonkey.profile +++ b/etc/seamonkey.profile @@ -47,4 +47,4 @@ seccomp tracelog disable-mnt -# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse +# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse,machine-id diff --git a/etc/slack.profile b/etc/slack.profile index 13106255b..91bf0a722 100644 --- a/etc/slack.profile +++ b/etc/slack.profile @@ -37,5 +37,5 @@ shell none disable-mnt private-bin slack,locale private-dev -private-etc asound.conf,ca-certificates,fonts,group,passwd,pulse,resolv.conf,ssl,ld.so.conf,ld.so.cache,localtime,pki,crypto-policies +private-etc asound.conf,ca-certificates,fonts,group,passwd,pulse,resolv.conf,ssl,ld.so.conf,ld.so.cache,localtime,pki,crypto-policies,machine-id private-tmp diff --git a/etc/totem.profile b/etc/totem.profile index 3ac25440b..911999665 100644 --- a/etc/totem.profile +++ b/etc/totem.profile @@ -33,7 +33,7 @@ shell none private-bin totem private-cache private-dev -# private-etc fonts +# private-etc fonts,machine-id,pulse,asound.conf private-tmp noexec ${HOME} diff --git a/etc/xonotic.profile b/etc/xonotic.profile index 1d2493f36..30f5c735d 100644 --- a/etc/xonotic.profile +++ b/etc/xonotic.profile 
@@ -34,7 +34,7 @@ disable-mnt private-bin bash,blind-id,darkplaces-glx,darkplaces-sdl,dirname,grep,ldd,netstat,ps,readlink,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl private-dev # private-etc breaks audio on some distros -#private-etc asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies +#private-etc asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id private-tmp noexec ${HOME} diff --git a/etc/xplayer.profile b/etc/xplayer.profile index 46579ead8..5873e2436 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile @@ -39,7 +39,7 @@ tracelog private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer private-dev -# private-etc fonts +# private-etc fonts,machine-id,pulse,asound.conf private-tmp noexec ${HOME} -- cgit v1.2.3-54-g00ecf From 5deab9ef051e37156d445c7133843b6572809292 Mon Sep 17 00:00:00 2001 From: ಚಿರಾಗ್ ನಟರಾಜ್ Date: Tue, 31 Jul 2018 12:03:20 -0400 Subject: Check to see if expand_home is called as root and switch to user (and restore root at the end) --- src/firejail/util.c | 47 +++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 45 insertions(+), 2 deletions(-) diff --git a/src/firejail/util.c b/src/firejail/util.c index 0d6f5ea02..d501a469d 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -77,7 +77,6 @@ char *doentry[] = { }; char *resolve_xdg(int flags, const char *var, size_t length, const char *prnt) { - /* EUID_ASSERT(); */ char *fname; struct stat s; 
@@ -143,7 +142,6 @@ char *resolve_xdg(int flags, const char *var, size_t length, const char *prnt) { } char *resolve_hardcoded(int flags, char *entries[], const char *prnt) { - /* EUID_ASSERT(); */ char *fname; struct stat s; @@ -865,22 +863,39 @@ void notify_other(int fd) { char *expand_home(const char *path, const char* homedir) { assert(path); assert(homedir); + + int called_as_root = 0; + + if(geteuid() == 0) + called_as_root = 1; + + if(called_as_root) { + EUID_USER(); + } + + EUID_ASSERT(); // Replace home macro char *new_name = NULL; if (strncmp(path, "${HOME}", 7) == 0) { if (asprintf(&new_name, "%s%s", homedir, path + 7) == -1) errExit("asprintf"); + if(called_as_root) + EUID_ROOT(); return new_name; } else if (*path == '~') { if (asprintf(&new_name, "%s%s", homedir, path + 1) == -1) errExit("asprintf"); + if(called_as_root) + EUID_ROOT(); return new_name; } else if (strncmp(path, "${CFG}", 6) == 0) { if (asprintf(&new_name, "%s%s", SYSCONFDIR, path + 6) == -1) errExit("asprintf"); + if(called_as_root) + EUID_ROOT(); return new_name; } @@ -890,11 +905,15 @@ char *expand_home(const char *path, const char* homedir) { if(tmp) { if (asprintf(&new_name, "%s/%s%s", homedir, tmp, path + 12) == -1) errExit("asprintf"); + if(called_as_root) + EUID_ROOT(); return new_name; } else if(tmp2) { if (asprintf(&new_name, "%s/%s%s", homedir, tmp2, path + 12) == -1) errExit("asprintf"); + if(called_as_root) + EUID_ROOT(); return new_name; } } @@ -905,11 +924,15 @@ char *expand_home(const char *path, const char* homedir) { if(tmp) { if (asprintf(&new_name, "%s/%s%s", homedir, tmp, path + 8) == -1) errExit("asprintf"); + if(called_as_root) + EUID_ROOT(); return new_name; } else if(tmp2) { if (asprintf(&new_name, "%s/%s%s", homedir, tmp2, path + 8) == -1) errExit("asprintf"); + if(called_as_root) + EUID_ROOT(); return new_name; } } 
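Review bot: The euid switch added to `expand_home` is undone by a separate `if(called_as_root) EUID_ROOT();` in front of every `return`, in this hunk and in all the following `expand_home` hunks, so any branch added later that forgets the pair returns to a root-expecting caller with the user's euid still in effect. Routing every exit through one label keeps the restore in a single place: replace each restore-and-return pair with `goto out;` and end the function with `out: if (called_as_root) EUID_ROOT(); return new_name;`. Since `expand_home` now guarantees the user euid before the lookups, the two earlier hunks could re-enable `EUID_ASSERT();` in `resolve_xdg` and `resolve_hardcoded` instead of deleting the commented-out line, which would also check the direct calls from fs_whitelist.c. The end of `expand_home` is outside this hunk.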
@@ -920,11 +943,15 @@ char *expand_home(const char *path, const char* homedir) { if(tmp) { if (asprintf(&new_name, "%s/%s%s", homedir, tmp, path + 9) == -1) errExit("asprintf"); + if(called_as_root) + EUID_ROOT(); return new_name; } else if(tmp2) { if (asprintf(&new_name, "%s/%s%s", homedir, tmp2, path + 9) == -1) errExit("asprintf"); + if(called_as_root) + EUID_ROOT(); return new_name; } } @@ -935,11 +962,15 @@ char *expand_home(const char *path, const char* homedir) { if(tmp) { if (asprintf(&new_name, "%s/%s%s", homedir, tmp, path + 11) == -1) errExit("asprintf"); + if(called_as_root) + EUID_ROOT(); return new_name; } else if(tmp2) { if (asprintf(&new_name, "%s/%s%s", homedir, tmp2, path + 11) == -1) errExit("asprintf"); + if(called_as_root) + EUID_ROOT(); return new_name; } } @@ -950,11 +981,15 @@ char *expand_home(const char *path, const char* homedir) { if(tmp) { if (asprintf(&new_name, "%s/%s%s", homedir, tmp, path + 10) == -1) errExit("asprintf"); + if(called_as_root) + EUID_ROOT(); return new_name; } else if(tmp2) { if (asprintf(&new_name, "%s/%s%s", homedir, tmp2, path + 10) == -1) errExit("asprintf"); + if(called_as_root) + EUID_ROOT(); return new_name; } } @@ -965,11 +1000,15 @@ char *expand_home(const char *path, const char* homedir) { if(tmp) { if (asprintf(&new_name, "%s/%s%s", homedir, tmp, path + 12) == -1) errExit("asprintf"); + if(called_as_root) + EUID_ROOT(); return new_name; } else if(tmp2) { if (asprintf(&new_name, "%s/%s%s", homedir, tmp2, path + 12) == -1) errExit("asprintf"); + if(called_as_root) + EUID_ROOT(); return new_name; } } @@ -977,6 +1016,10 @@ char *expand_home(const char *path, const char* homedir) { char *rv = strdup(path); if (!rv) errExit("strdup"); + + if(called_as_root) + EUID_ROOT(); + return rv; } -- cgit v1.2.3-54-g00ecf From ff9a5d6a9a97da326cac60cc73883e95e3d51ce2 Mon Sep 17 00:00:00 2001 
From: ಚಿರಾಗ್ ನಟರಾಜ್ Date: Tue, 31 Jul 2018 14:37:22 -0400 Subject: Fixed Documents handling (consume trailing /) and hide XDG warnings unless --debug is enabled. --- src/firejail/util.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/firejail/util.c b/src/firejail/util.c index d501a469d..2aa4c26a7 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -132,7 +132,7 @@ char *resolve_xdg(int flags, const char *var, size_t length, const char *prnt) { return NULL; errout: - if (!arg_private) { + if (!arg_private && arg_debug) { fprintf(stderr, "***\n"); fprintf(stderr, "*** Error: %s directory was not found in user home.\n",prnt); fprintf(stderr, "*** \tAny files saved by the program, will be lost when the sandbox is closed.\n"); @@ -863,7 +863,7 @@ void notify_other(int fd) { char *expand_home(const char *path, const char* homedir) { assert(path); assert(homedir); - + int called_as_root = 0; if(geteuid() == 0) @@ -995,7 +995,7 @@ char *expand_home(const char *path, const char* homedir) { } else if (strncmp(path, "${DOCUMENTS}", 12) == 0) { - char *tmp = resolve_xdg(arg_debug, "XDG_DOCUMENTS_DIR=\"$HOME/", 24, "Documents"); + char *tmp = resolve_xdg(arg_debug, "XDG_DOCUMENTS_DIR=\"$HOME/", 25, "Documents"); char *tmp2 = resolve_hardcoded(arg_debug, doentry, "Documents"); if(tmp) { if (asprintf(&new_name, "%s/%s%s", homedir, tmp, path + 12) == -1) -- cgit v1.2.3-54-g00ecf
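Review bot: The `errout` message in `resolve_xdg` is now gated on the global `arg_debug`, while the rest of the function uses its `flags` parameter for debug output and the whitelist callers pass `arg_debug || arg_debug_whitelists`. When only `arg_debug_whitelists` is set, the "extracted ..." line is printed but this error is not; `if (!arg_private && flags)` would keep the function consistent with its own parameter. With the message hidden by default, a configured XDG directory that does not exist is also dropped without any indication in a normal run, which deserves a comment at the `errout` label. The body of `resolve_xdg` starts outside this hunk.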