From 7d0800682ab3a74e3d463836cd2ca5cd697d542c Mon Sep 17 00:00:00 2001 From: smitsohu Date: Mon, 17 Aug 2020 16:40:52 +0200 Subject: various x11 xorg enhancements 1) copy xauth binary into the sandbox and set mode to 0711, so it runs with cleared dumpable flag for unprivileged users 2) run xauth in an sbox sandbox 3) generate Xauthority file in runtime directory instead of /tmp; this way xauth is able to connect to the X11 socket even if the abstract socket doesn't exist, for example because a new network namespace was instantiated --- src/include/rundefs.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'src/include') diff --git a/src/include/rundefs.h b/src/include/rundefs.h index f8bcdec52..d56623907 100644 --- a/src/include/rundefs.h +++ b/src/include/rundefs.h @@ -99,8 +99,9 @@ #define RUN_WHITELIST_SHARE_DIR RUN_MNT_DIR "/orig-share" #define RUN_WHITELIST_MODULE_DIR RUN_MNT_DIR "/orig-module" -#define RUN_XAUTHORITY_FILE RUN_MNT_DIR "/.Xauthority" -#define RUN_XAUTHORITY_SEC_FILE RUN_MNT_DIR "/sec.Xauthority" +#define RUN_XAUTHORITY_FILE RUN_MNT_DIR "/.Xauthority" // private options +#define RUN_XAUTH_FILE RUN_MNT_DIR "/xauth" // x11=xorg +#define RUN_XAUTHORITY_SEC_DIR RUN_MNT_DIR "/.sec.Xauthority" // x11=xorg #define RUN_ASOUNDRC_FILE RUN_MNT_DIR "/.asoundrc" #define RUN_HOSTNAME_FILE RUN_MNT_DIR "/hostname" #define RUN_HOSTS_FILE RUN_MNT_DIR "/hosts" -- cgit v1.2.3-54-g00ecf From 9e3b7b90cf9aad35fc8db2eabdeb9e1ed038acea Mon Sep 17 00:00:00 2001 
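Review bot: The `// x11=xorg` tag on the new `RUN_XAUTH_FILE` define does not record that the path holds a copy of the xauth binary whose ownership and 0711 mode (stated in the commit message, not visible in this hunk) are what make the exec'd xauth run non-dumpable for unprivileged users, so a later change to how that file is created could undo the hardening without anyone noticing. I would replace the tag with `// x11=xorg: copy of the xauth binary; must stay root-owned, mode 0711, so xauth runs non-dumpable` and, on `RUN_XAUTHORITY_SEC_DIR`, `// x11=xorg: runtime directory (replaces the /tmp location) that receives the generated Xauthority file`. The code that copies the binary and sets the mode is in other files, so I cannot confirm the invariant here.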
From: smitsohu Date: Mon, 17 Aug 2020 17:08:43 +0200 Subject: add dumpable warnings --- src/fcopy/main.c | 6 ++++++ src/firejail/main.c | 4 ++++ src/firejail/sbox.c | 1 + src/fldd/main.c | 6 ++++++ src/fnet/main.c | 16 ++++++++++------ src/fnetfilter/main.c | 6 +++++- src/fsec-optimize/fsec_optimize.h | 1 + src/fsec-optimize/main.c | 5 +++++ src/fsec-print/fsec_print.h | 1 + src/fsec-print/main.c | 5 +++++ src/fseccomp/fseccomp.h | 1 + src/fseccomp/main.c | 15 ++++++++++----- src/include/common.h | 3 +++ 13 files changed, 58 insertions(+), 12 deletions(-) (limited to 'src/include') diff --git a/src/fcopy/main.c b/src/fcopy/main.c index 83d9c17e6..bda7e2f1b 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c @@ -23,6 +23,7 @@ #include #include #include +#include #if HAVE_SELINUX #include @@ -411,6 +412,11 @@ int main(int argc, char **argv) { exit(1); } +#ifdef WARN_DUMPABLE + if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN")) + fprintf(stderr, "Error fcopy: I am dumpable\n"); +#endif + // trim trailing chars if (src[strlen(src) - 1] == '/') src[strlen(src) - 1] = '\0'; diff --git a/src/firejail/main.c b/src/firejail/main.c index 79e39b669..4aa5311a2 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1275,6 +1275,10 @@ int main(int argc, char **argv, char **envp) { } EUID_ASSERT(); +#ifdef WARN_DUMPABLE + if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid()) + fprintf(stderr, "Error: Firejail is dumpable\n"); +#endif // check for force-nonewprivs in /etc/firejail/firejail.config file if (checkcfg(CFG_FORCE_NONEWPRIVS)) diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index 99f11a246..cf3d3aeed 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c 
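Review bot: The new check in fcopy's main prints `Error fcopy: I am dumpable` and then falls through to the copy, so a process that failed the hardening check keeps operating exactly as before; either the message should not say Error, or the helper should refuse to continue. The same pattern is repeated in fldd, fnet, fnetfilter, fsec-optimize, fsec-print and fseccomp, so whichever policy is chosen should be applied to all of them. If it is meant as a diagnostic only, I would rename it `Warning fcopy: process is dumpable (ptrace-able by uid %d)` passing `getuid()` and add `// diagnostic only: reports, but does not clear, the dumpable flag`; if it is meant as enforcement, follow the fprintf with `exit(1);`. The condition also treats the mere presence of `FIREJAIL_PLUGIN` as proof of being launched through sbox; since any user can export that variable, nothing beyond the message should ever depend on it, which this code honors.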
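Review bot: Unlike every other file touched by this commit, the firejail/main.c hunk adds a `prctl(PR_GET_DUMPABLE, ...)` call without a matching `#include <sys/prctl.h>`; if firejail.h does not already pull that header in, `PR_GET_DUMPABLE` is undeclared here. The include list is outside the hunk, so this needs confirming, and either the include or a comment naming where the declaration comes from should be added. This check also omits the `getenv("FIREJAIL_PLUGIN")` condition used by the helpers, which is correct because firejail itself is not launched through sbox, but a comment such as `// firejail is the setuid entry point, not an sbox plugin: no FIREJAIL_PLUGIN check` would keep a later copy-paste from re-adding it.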
@@ -48,6 +48,7 @@ static int sbox_do_exec_v(unsigned filtermask, char * const arg[]) { if (cfg.seccomp_error_action) if (asprintf(&new_environment[env_index++], "FIREJAIL_SECCOMP_ERROR_ACTION=%s", cfg.seccomp_error_action) == -1) errExit("asprintf"); + new_environment[env_index++] = "FIREJAIL_PLUGIN="; // always set if (filtermask & SBOX_STDIN_FROM_FILE) { int fd; diff --git a/src/fldd/main.c b/src/fldd/main.c index dd22e601e..567f6c566 100644 --- a/src/fldd/main.c +++ b/src/fldd/main.c @@ -24,6 +24,7 @@ #include #include #include +#include #include #include #include @@ -302,6 +303,11 @@ printf("\n"); return 0; } +#ifdef WARN_DUMPABLE + if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN")) + fprintf(stderr, "Error fldd: I am dumpable\n"); +#endif + // check program access if (access(argv[1], R_OK)) { fprintf(stderr, "Error fldd: cannot access %s\n", argv[1]); diff --git a/src/fnet/main.c b/src/fnet/main.c index 95e12164e..22879b8ce 100644 --- a/src/fnet/main.c +++ b/src/fnet/main.c @@ -21,6 +21,7 @@ #include #include #include +#include int arg_quiet = 0; @@ -64,16 +65,19 @@ printf("\n"); usage(); return 1; } - - char *quiet = getenv("FIREJAIL_QUIET"); - if (quiet && strcmp(quiet, "yes") == 0) - arg_quiet = 1; - if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) { usage(); return 0; } - else if (argc == 3 && strcmp(argv[1], "ifup") == 0) { +#ifdef WARN_DUMPABLE + if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN")) + fprintf(stderr, "Error fnet: I am dumpable\n"); +#endif + char *quiet = getenv("FIREJAIL_QUIET"); + if (quiet && strcmp(quiet, "yes") == 0) + arg_quiet = 1; + + if (argc == 3 && strcmp(argv[1], "ifup") == 0) { net_if_up(argv[2]); } else if (argc == 2 && strcmp(argv[1], "printif") == 0) { diff --git a/src/fnetfilter/main.c b/src/fnetfilter/main.c index 8124beb1a..bac60cbec 100644 --- a/src/fnetfilter/main.c +++ b/src/fnetfilter/main.c 
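Review bot: `new_environment[env_index++] = "FIREJAIL_PLUGIN=";` adds one more slot to an array whose declaration and size are outside this hunk; the neighbouring entries are conditional (the seccomp error action, for instance) while this one is unconditional, so verify the array still has room for every optional variable plus the terminating NULL on the path where all of them are set. The empty value is fine because the helpers only test for the variable's presence with getenv, but the `// always set` comment should say what the variable is for: `// marker for the helper binaries: present only when launched through sbox (read by the WARN_DUMPABLE checks)`. sbox_do_exec_v continues outside the hunk.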
@@ -18,6 +18,7 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "../include/common.h" +#include #define MAXBUF 4098 #define MAXARGS 16 @@ -180,7 +181,10 @@ printf("\n"); usage(); return 1; } - +#ifdef WARN_DUMPABLE + if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN")) + fprintf(stderr, "Error fnetfilter: I am dumpable\n"); +#endif char *destfile = (argc == 3)? argv[2]: argv[1]; char *command = (argc == 3)? argv[1]: NULL; //printf("command %s\n", command); diff --git a/src/fsec-optimize/fsec_optimize.h b/src/fsec-optimize/fsec_optimize.h index 211111641..034fde2ac 100644 --- a/src/fsec-optimize/fsec_optimize.h +++ b/src/fsec-optimize/fsec_optimize.h @@ -22,6 +22,7 @@ #include "../include/common.h" #include "../include/seccomp.h" #include +#include // optimize.c struct sock_filter *duplicate(struct sock_filter *filter, int entries); diff --git a/src/fsec-optimize/main.c b/src/fsec-optimize/main.c index 416d85b88..4da110583 100644 --- a/src/fsec-optimize/main.c +++ b/src/fsec-optimize/main.c @@ -44,6 +44,11 @@ printf("\n"); return 0; } +#ifdef WARN_DUMPABLE + if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN")) + fprintf(stderr, "Error fsec-optimize: I am dumpable\n"); +#endif + char *fname = argv[1]; // open input file diff --git a/src/fsec-print/fsec_print.h b/src/fsec-print/fsec_print.h index 337199288..9d17e3f18 100644 --- a/src/fsec-print/fsec_print.h +++ b/src/fsec-print/fsec_print.h @@ -23,6 +23,7 @@ #include "../include/seccomp.h" #include "../include/syscall.h" #include +#include // print.c void print(struct sock_filter *filter, int entries); diff --git a/src/fsec-print/main.c b/src/fsec-print/main.c index ade45c881..858289767 100644 --- a/src/fsec-print/main.c +++ b/src/fsec-print/main.c 
@@ -61,6 +61,11 @@ printf("\n"); return 0; } +#ifdef WARN_DUMPABLE + if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN")) + fprintf(stderr, "Error fsec-print: I am dumpable\n"); +#endif + char *fname = argv[1]; // open input file diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h index e8dd083b6..e40999938 100644 --- a/src/fseccomp/fseccomp.h +++ b/src/fseccomp/fseccomp.h @@ -23,6 +23,7 @@ #include #include #include +#include #include "../include/common.h" #include "../include/syscall.h" diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index 892a88e25..6b7800f35 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c @@ -64,6 +64,15 @@ printf("\n"); usage(); return 1; } + if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) { + usage(); + return 0; + } + +#ifdef WARN_DUMPABLE + if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN")) + fprintf(stderr, "Error fseccomp: I am dumpable\n"); +#endif char *quiet = getenv("FIREJAIL_QUIET"); if (quiet && strcmp(quiet, "yes") == 0) @@ -81,11 +90,7 @@ printf("\n"); } } - if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) { - usage(); - return 0; - } - else if (argc == 2 && strcmp(argv[1], "debug-syscalls") == 0) + if (argc == 2 && strcmp(argv[1], "debug-syscalls") == 0) syscall_print(); else if (argc == 2 && strcmp(argv[1], "debug-syscalls32") == 0) syscall_print_32(); diff --git a/src/include/common.h b/src/include/common.h index c65ba0d55..025f3c247 100644 --- a/src/include/common.h +++ b/src/include/common.h 
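Review bot: The fseccomp dumpable check compares the prctl result with the bare literal `1`; as far as I know that is the right comparison (per prctl(2) a value of 2 is the fs.suid_dumpable "root-only" mode, which does not make the process ptrace-able by its owner), but nothing in the code says so and a reader may "fix" it to `!= 0`. Add `// 1 == dumpable by the owning uid (ptrace-able); 2 (fs.suid_dumpable=2) is deliberately not reported` above the `if`, here and in the sibling helpers that use the same condition. Moving the `-h`/`--help` handling ahead of the check means the usage path never prints the diagnostic, which looks intended but is worth a word in the commit message.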
@@ -34,6 +34,9 @@ #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0) +// check if processes run with dumpable flag set +#define WARN_DUMPABLE + // macro to print ip addresses in a printf statement #define PRINT_IP(A) \ ((int) (((A) >> 24) & 0xFF)), ((int) (((A) >> 16) & 0xFF)), ((int) (((A) >> 8) & 0xFF)), ((int) ( (A) & 0xFF)) -- cgit v1.2.3-54-g00ecf
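Review bot: `#define WARN_DUMPABLE` is defined unconditionally in the shared common.h, so every `#ifdef WARN_DUMPABLE` block in this commit compiles into every build, releases included; if the intent is a debugging toggle it should be wrapped in `#ifndef WARN_DUMPABLE` or driven from the build system, and if it is meant to be always on the `#ifdef`s in the helpers are redundant. The comment also overstates what the macro does: the guarded checks only report the flag, they never clear it. I would write `// WARN_DUMPABLE: compile in a diagnostic that prints to stderr when a helper, or firejail itself, runs with the dumpable flag set; report-only, does not change the flag` so the next reader does not mistake it for enforcement.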