From 0688847fa8287752e2bdd209bde37029dff48dc5 Mon Sep 17 00:00:00 2001
From: The Fox in the Shell
Date: Wed, 25 May 2016 02:19:02 +0200
Subject: Make NO_NEW_PRIVS configurable
---
 src/firejail/firejail.h | 1 +
 src/firejail/main.c | 4 ++++
 src/firejail/profile.c | 4 ++++
 src/firejail/sandbox.c | 13 ++++++++-----
 src/firejail/usage.c | 3 +++
 5 files changed, 20 insertions(+), 5 deletions(-)
(limited to 'src')
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index f4a176caf..c9c090a97 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -237,6 +237,7 @@ extern int arg_rlimit_nproc; // rlimit nproc
 extern int arg_rlimit_fsize; // rlimit fsize
 extern int arg_rlimit_sigpending;// rlimit sigpending
 extern int arg_nogroups; // disable supplementary groups
+extern int arg_nonewprivs; // set the NO_NEW_PRIVS prctl
 extern int arg_noroot; // create a new user namespace and disable root user
 extern int arg_netfilter; // enable netfilter
 extern int arg_netfilter6; // enable netfilter6
diff --git a/src/firejail/main.c b/src/firejail/main.c
index a540d468b..2f4a78d4b 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -77,6 +77,7 @@ int arg_rlimit_nproc = 0; // rlimit nproc
 int arg_rlimit_fsize = 0; // rlimit fsize
 int arg_rlimit_sigpending = 0; // rlimit fsize
 int arg_nogroups = 0; // disable supplementary groups
+int arg_nonewprivs = 0; // set the NO_NEW_PRIVS prctl
 int arg_noroot = 0; // create a new user namespace and disable root user
 int arg_netfilter; // enable netfilter
 int arg_netfilter6; // enable netfilter6
@@ -1367,6 +1368,9 @@ int main(int argc, char **argv) {
 }
 }
 #endif
+ else if (strcmp(argv[i], "--nonewprivs") == 0) {
+ arg_nonewprivs = 1;
+ }
 else if (strncmp(argv[i], "--env=", 6) == 0)
 env_store(argv[i] + 6);
 else if (strncmp(argv[i], "--nosound", 9) == 0) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 3bf294e00..192f36974 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -131,6 +131,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
+ else if (strcmp(ptr, "nonewprivs") == 0) {
+ arg_nonewprivs = 1;
+ return 0;
+ }
 else if (strcmp(ptr, "seccomp") == 0) {
 #ifdef HAVE_SECCOMP
 if (checkcfg(CFG_SECCOMP))
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 109395b60..843c1efe5 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -750,11 +750,14 @@ int sandbox(void* sandbox_arg) {
 //****************************************
 // Set NO_NEW_PRIVS if desired
 //****************************************
- int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
- if(no_new_privs != 0) {
- errExit("NO_NEW_PRIVS");
- } else
- printf("No new privileges from this point on\n");
+ if (arg_nonewprivs) {
+ int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+
+ if(no_new_privs != 0)
+ errExit("NO_NEW_PRIVS");
+ else if (arg_debug)
+ printf("NO_NEW_PRIVS set\n");
+ }
 //****************************************
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index ef02c0d72..45bf2e3b1 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -157,6 +157,9 @@ void usage(void) {
 printf("\tuser. root user does not exist in the new namespace. This option\n");
 printf("\tis not supported for --chroot and --overlay configurations.\n\n");
 #endif
+ printf(" --nonewprivs - sets the NO_NEW_PRIVS prctl - the child processes\n");
+ printf("\tcannot gain privileges using execve(2); in particular, this prevents\n");
+ printf("\tgaining privileges by calling a suid binary\n\n");
 printf(" --nosound - disable sound system.\n\n");
 printf(" --output=logfile - stdout logging and log rotation. Copy stdout and stderr\n");
-- cgit v1.2.3-70-g09d2
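Review bot: Wrapping the prctl in `if (arg_nonewprivs)` turns NO_NEW_PRIVS from always-on into opt-in, and with `int arg_nonewprivs = 0;` as the default in main.c every sandbox whose profile or command line does not say `nonewprivs` now keeps the ability to regain privileges through setuid/setgid and file-capability binaries — the removed lines set the flag unconditionally. If opt-in is the intent, the shipped profiles should gain the keyword and the relaxation should be stated in the commit message; otherwise consider keeping the flag on and exposing an opt-out instead. Also worth confirming that nothing later in sandbox() (outside this hunk) relies on the flag for an unprivileged PR_SET_SECCOMP, which the kernel refuses without NO_NEW_PRIVS or CAP_SYS_ADMIN. Minor: `no_new_privs` holds the prctl return value rather than the flag, so `if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) errExit("NO_NEW_PRIVS");` avoids the misleading name. sandbox() starts and ends outside the hunk.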
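Review bot: The new help text does not say that the option is off by default (`int arg_nonewprivs = 0;` in main.c) or that the same setting is available as the profile keyword `nonewprivs`, and it describes only the setuid case although NO_NEW_PRIVS also neutralises setgid bits and file capabilities on execve(2). Suggested replacement for the three added lines: `printf(" --nonewprivs - set the NO_NEW_PRIVS prctl (off by default; profile keyword: nonewprivs).\n");` `printf("\tThe sandboxed processes cannot gain privileges through execve(2): setuid/setgid\n");` `printf("\tbits and file capabilities are ignored for them.\n\n");`. usage() starts and ends outside the hunk.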