From 2b76cea1106462268b975ee68480796ba900d37f Mon Sep 17 00:00:00 2001
From: netblue30
Date: Mon, 22 Aug 2016 08:59:00 -0400
Subject: --allow-debuggers
---
 src/firejail/firejail.h | 1 +
 src/firejail/main.c | 35 +++++++++++++++++++++++++++++++++--
 src/firejail/profile.c | 10 ++++++++++
 src/firejail/seccomp.c | 13 +++++++++++--
 src/firejail/usage.c | 1 +
 src/man/firejail.txt | 9 +++++++++
 6 files changed, 65 insertions(+), 4 deletions(-)
(limited to 'src')
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 98ba8ee3b..8e30e929a 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -267,6 +267,7 @@ extern int arg_appimage; // appimage
 extern int arg_audit; // audit
 extern char *arg_audit_prog; // audit
 extern int arg_apparmor; // apparmor
+extern int arg_allow_debuggers; // allow debuggers
 extern int login_shell;
 extern int parent_to_child_fds[2];
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 1824765eb..bdb8e0df5 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -101,8 +101,9 @@ int arg_writable_etc = 0; // writable etc
 int arg_writable_var = 0; // writable var
 int arg_appimage = 0; // appimage
 int arg_audit = 0; // audit
-char *arg_audit_prog; // audit
-int arg_apparmor; // apparmor
+char *arg_audit_prog = NULL; // audit
+int arg_apparmor = 0; // apparmor
+int arg_allow_debuggers = 0; // allow debuggers
 int login_shell = 0;
 int parent_to_child_fds[2];
@@ -730,6 +731,24 @@ static void detect_quiet(int argc, char **argv) {
 }
 }
+static void detect_allow_debuggers(int argc, char **argv) {
+ int i;
+
+ // detect --allow-debuggers
+ for (i = 1; i < argc; i++) {
+ if (strcmp(argv[i], "--allow-debuggers") == 0) {
+ arg_allow_debuggers = 1;
+ break;
+ }
+
+ // detect end of firejail params
+ if (strcmp(argv[i], "--") == 0)
+ break;
+ if (strncmp(argv[i], "--", 2) != 0)
+ break;
+ }
+}
+
 char *guess_shell(void) {
 char *shell = NULL;
 // shells in order of preference
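Review bot: detect_allow_debuggers carries no comment saying why the option is scanned ahead of the normal argument loop, and the reason matters: code that runs before that loop (the profile_add call in main and the disable-devel.inc skip in profile_read) reads arg_allow_debuggers, so a late detection would silently miss it. Add above the definition `// Pre-scan for --allow-debuggers: the flag is consulted before profiles are read, so it cannot wait for the main argument loop.`. Arguments after the first one that does not start with `--` are never examined here, so an `--allow-debuggers` placed there is ignored rather than rejected; if the main loop does not reject it either, the comment should say that is intended. The option-terminator checks duplicate those of detect_quiet just above, so a shared `static int is_end_of_options(const char *arg)` would keep the two scanners in step.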
@@ -766,11 +785,13 @@ int main(int argc, char **argv) {
 #endif
 detect_quiet(argc, argv);
+ detect_allow_debuggers(argc, argv);
 // drop permissions by default and rise them when required
 EUID_INIT();
 EUID_USER();
+ // check argv[0] symlink wrapper if this is not a login shell
 if (*argv[0] != '-')
 run_symlink(argc, argv);
@@ -982,6 +1003,13 @@ int main(int argc, char **argv) {
 if (checkcfg(CFG_FORCE_NONEWPRIVS))
 arg_nonewprivs = 1;
+ if (arg_allow_debuggers) {
+ char *cmd = strdup("noblacklist ${PATH}/strace");
+ if (!cmd)
+ errExit("strdup");
+ profile_add(cmd);
+ }
+ // parse arguments
 for (i = 1; i < argc; i++) {
 run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized
@@ -1005,6 +1033,9 @@ int main(int argc, char **argv) {
 }
 else if (strcmp(argv[i], "--force") == 0)
 ;
+ else if (strcmp(argv[i], "--allow-debuggers") == 0) {
+ // already handled
+ }
 //*************************************
 // filtering
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 1403db704..26f434f3b 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -828,6 +828,16 @@ void profile_read(const char *fname) {
 exit(1);
 }
+ // allow debuggers
+ if (arg_allow_debuggers) {
+ char *tmp = strrchr(fname, '/');
+ if (tmp && *(tmp + 1) != '\0') {
+ tmp++;
+ if (strcmp(tmp, "disable-devel.inc") == 0)
+ return;
+ }
+ }
+ // open profile file:
 FILE *fp = fopen(fname, "r");
 if (fp == NULL) {
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 88620d1dd..7aaf1a5cd 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -344,6 +344,7 @@ void seccomp_filter_32(void) {
 EXAMINE_SYSCALL,
 BLACKLIST(21), // mount
 BLACKLIST(52), // umount2
+// todo: implement --allow-debuggers
 BLACKLIST(26), // ptrace
 BLACKLIST(283), // kexec_load
 BLACKLIST(341), // name_to_handle_at
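Review bot: The noblacklist added in the `if (arg_allow_debuggers)` block of main covers only `${PATH}/strace`, whereas the help text in this commit promises gdb as well; unless gdb is re-enabled elsewhere (the disable-devel.inc skip in profile_read may do that, but that cannot be confirmed from this hunk), a profile that blacklists gdb explicitly still blocks it. The block also runs before any profile is parsed, and nothing says that ordering is deliberate; a comment such as `// placed before profile parsing on purpose; assumes a noblacklist must precede the blacklist it overrides — confirm` would stop someone moving it into the option loop. `cmd` is never freed here, so ownership presumably passes to profile_add; stating that on the profile_add line prevents a later "leak fix" that frees it. main continues outside the hunk.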
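Review bot: The new `--allow-debuggers` branch in the option loop is an empty block whose comment does not say where the option is handled, while the neighbouring `--force` branch uses a bare `;` for the same situation; the two forms should agree and the comment should name the handler, e.g. `// already handled by detect_allow_debuggers() before the loop`. A reader of this loop otherwise has to search main to learn that the option takes effect at all. The enclosing loop starts and ends outside the hunk.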
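Review bot: The basename test in profile_read misses a name with no '/' at all: when `strrchr(fname, '/')` returns NULL the comparison is skipped, so if profile_read is ever called with a bare `disable-devel.inc` that file is not skipped and its blacklists still apply. Use `const char *base = strrchr(fname, '/'); base = base ? base + 1 : fname;` and compare `base`, which also removes the `*(tmp + 1) != '\0'` special case. Note that returning early skips the whole include file, not only the debugger entries in it, so everything else that file blacklists is re-enabled as a side effect of --allow-debuggers; that widening should be stated in the help text or, better, narrowed to the specific entries. The match is by file name only, so any file called disable-devel.inc on any path is skipped; if only the system copy is meant, compare the full path.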
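Review bot: The `// todo: implement --allow-debuggers` marker in seccomp_filter_32 (and the identical one in seccomp_filter_64 in the next hunk) leaves the `BLACKLIST(26)` ptrace entry unconditional, so with --allow-debuggers a debugger running under this filter is still denied ptrace, apparently for the non-native ABI. That is fail-closed, so it does not weaken the sandbox, but the help text promises strace and gdb without qualification; either gate these entries the way seccomp_filter_drop now does, or say in the help text that only native-ABI debuggers are allowed. Until then the comment should record the consequence rather than just "todo": `// todo: --allow-debuggers does not lift this entry yet; ptrace stays blocked under this filter`.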
@@ -416,6 +417,7 @@ void seccomp_filter_64(void) {
 EXAMINE_SYSCALL,
 BLACKLIST(165), // mount
 BLACKLIST(166), // umount2
+// todo: implement --allow-debuggers
 BLACKLIST(101), // ptrace
 BLACKLIST(246), // kexec_load
 BLACKLIST(304), // open_by_handle_at
@@ -501,9 +503,13 @@ int seccomp_filter_drop(int enforce_seccomp) {
 #ifdef SYS_umount2
 filter_add_blacklist(SYS_umount2, 0);
 #endif
+
+ if (!arg_allow_debuggers) {
 #ifdef SYS_ptrace
- filter_add_blacklist(SYS_ptrace, 0);
+ filter_add_blacklist(SYS_ptrace, 0);
 #endif
+ }
+
 #ifdef SYS_kexec_load
 filter_add_blacklist(SYS_kexec_load, 0);
 #endif
@@ -549,9 +555,12 @@ int seccomp_filter_drop(int enforce_seccomp) {
 #ifdef SYS_syslog
 filter_add_blacklist(SYS_syslog, 0);
 #endif
+ if (!arg_allow_debuggers) {
 #ifdef SYS_process_vm_readv
- filter_add_blacklist(SYS_process_vm_readv, 0);
+ filter_add_blacklist(SYS_process_vm_readv, 0);
 #endif
+ }
+
 #ifdef SYS_process_vm_writev
 filter_add_blacklist(SYS_process_vm_writev, 0);
 #endif
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index ed6d22e69..ebe1c8830 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -34,6 +34,7 @@ void usage(void) {
 printf("\n");
 printf("Options:\n\n");
 printf(" -- - signal the end of options and disables further option processing.\n\n");
+ printf(" --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n\n");
 printf(" --apparmor - enable AppArmor confinement\n\n");
 printf(" --appimage - sandbox an AppImage application\n\n");
 printf(" --audit - audit the sandbox, see Audit section for more details\n\n");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index d08b244f7..cc47e3dc6 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
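Review bot: Lifting the ptrace blacklist in seccomp_filter_drop changes what the seccomp filter guarantees, and neither the code nor the help text records it; seccomp(2) documents that on kernels before Linux 4.8 a tracer could alter a system call after the filter had already accepted it, so with --allow-debuggers the filter is a reliable boundary only on 4.8 and later. Add above the new `if (!arg_allow_debuggers)` block: `// --allow-debuggers permits ptrace inside the sandbox. On kernels before` / `// 4.8 a tracer can rewrite a syscall after seccomp approved it (seccomp(2)),` / `// so the filter is weaker there; the help text should say so.` The `#ifdef SYS_ptrace` nested inside the `if` also reads differently from every neighbouring entry; `#ifdef SYS_ptrace` / `if (!arg_allow_debuggers) filter_add_blacklist(SYS_ptrace, 0);` / `#endif` keeps the preprocessor guard on the outside like the rest. seccomp_filter_drop continues outside the hunk.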
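Review bot: The second `if (!arg_allow_debuggers)` block, around process_vm_readv, repeats the guard from the ptrace block without explaining why process_vm_readv is lifted while process_vm_writev, two lines below it, stays blacklisted; a reader cannot tell whether the asymmetry is deliberate or an oversight. Put the reason on the guard, e.g. `// --allow-debuggers lifts process_vm_readv only; process_vm_writev intentionally stays blacklisted — confirm`, or move both syscalls into one guarded block if writev is meant to be lifted too. Keeping writev blocked is the safer default, so if that is the intent the comment should say so explicitly.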
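Review bot: The new help line in usage describes --allow-debuggers as merely allowing tools, but elsewhere in this commit the option drops the seccomp ptrace and process_vm_readv blacklists and skips disable-devel.inc entirely, so it is a sandbox-weakening switch and the one-line help should say so: `printf(" --allow-debuggers - allow tools such as strace and gdb inside the sandbox (weakens seccomp and profile restrictions).\n\n");`. The man page hunk in this commit also repeats `--allow-debuggers` twice in its example command line, which will confuse readers about whether the option must be given once or twice.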
@@ -75,6 +75,15 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox
 \fB\-\-
 Signal the end of options and disables further option processing.
 .TP
+\fB\-\-allow-debuggers
+Allow tools such as strace and gdb inside the sandbox.
+.br
+
+.br
+Example:
+.br
+$ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile --allow-debuggers strace -f firefox
+.TP
 \fB\-\-apparmor
 Enable AppArmor confinement. Formore information, please see \fBAPPARMOR\fR section below.
 .TP
--
cgit v1.2.3-70-g09d2