From 02d09e86293be87768e6f93560e012e4a02e8666 Mon Sep 17 00:00:00 2001
From: Kristóf Marussy
Date: Sun, 29 Dec 2019 23:19:15 +0100
Subject: Add capability filter for network services, additive filter

The new capability filter SBOX_CAPS_NET_SERVICE allows forked processes to bind to low ports (privileged network services). Because dhcp clients require both low ports and network administration privileges, this patch also allows (bitwise) combination of capability filters (except SBOX_CAPS_NONE, which completely drops any capabilities) to grant both SBOX_CAPS_NETWORK and SBOX_CAPS_NET_SERVICE to a dhcp client. This way, fnet and fnetfilter calls still do not get CAP_NET_BIND_SERVICE.
---
 src/firejail/sbox.c | 35 +++++++++++++++++++++++------------
 1 file changed, 23 insertions(+), 12 deletions(-)
(limited to 'src')

diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index a90cb7668..a1e65cd3c 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -190,23 +190,34 @@ int sbox_run_v(unsigned filtermask, char * const arg[]) {
 // apply filters
 if (filtermask & SBOX_CAPS_NONE) {
 caps_drop_all();
- }
- else if (filtermask & SBOX_CAPS_NETWORK) {
+ } else {
+ uint64_t set = 0;
+ if (filtermask & SBOX_CAPS_NETWORK) {
 #ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files
- uint64_t set = ((uint64_t) 1) << CAP_NET_ADMIN;
- set |= ((uint64_t) 1) << CAP_NET_RAW;
- caps_set(set);
+ set |= ((uint64_t) 1) << CAP_NET_ADMIN;
+ set |= ((uint64_t) 1) << CAP_NET_RAW;
 #endif
- }
- else if (filtermask & SBOX_CAPS_HIDEPID) {
+ }
+ if (filtermask & SBOX_CAPS_HIDEPID) {
 #ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files
- uint64_t set = ((uint64_t) 1) << CAP_SYS_PTRACE;
- set |= ((uint64_t) 1) << CAP_SYS_PACCT;
- caps_set(set);
+ set |= ((uint64_t) 1) << CAP_SYS_PTRACE;
+ set |= ((uint64_t) 1) << CAP_SYS_PACCT;
 #endif
- }
+ }
+ if (filtermask & SBOX_CAPS_NET_SERVICE) {
+#ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files
+ set |= ((uint64_t) 1) << CAP_NET_BIND_SERVICE;
+ set |= ((uint64_t) 1) << CAP_NET_BROADCAST;
+#endif
+ }
+ if (set != 0) { // some SBOX_CAPS_ flag was specified, drop all other capabilities
+#ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files
+ caps_set(set);
+#endif
+ }
+ }
 
- if (filtermask & SBOX_SECCOMP) {
+ if (filtermask & SBOX_SECCOMP) {
 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
 perror("prctl(NO_NEW_PRIVS)");
 }
-- 
cgit v1.2.3-70-g09d2
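Review bot: The three `#ifndef HAVE_GCOV` guards around the `set |=` lines are now redundant, because the only consumer of `set`, `caps_set(set)`, is already wrapped in the fourth guard; dropping the inner guards (and their three copies of the GCOV comment) leaves behaviour identical in both configurations and makes the new additive structure easier to read. The change from an `else if` chain to independent `if`s is a semantic change that deserves a comment at `uint64_t set = 0;`, for example `// SBOX_CAPS_* filters are additive (the child keeps the union of the requested capabilities); SBOX_CAPS_NONE above overrides them all` — any existing caller that happens to pass two flags previously got only the first matching branch and now gets the union, so those call sites are worth checking. SBOX_CAPS_NET_SERVICE also grants CAP_NET_BROADCAST, which the commit description does not mention; a one-line comment on why it accompanies CAP_NET_BIND_SERVICE would help the next reader. When `set` stays zero (no SBOX_CAPS_ flag, or a GCOV build) no capability restriction is applied at all, which is unchanged from before but now less obvious than with the old chain, so the `if (set != 0)` comment could say so. sbox_run_v continues outside the hunk.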