From 7c305841e68d39f19ee5c0093fdfc8ca2e65e215 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Mon, 13 Nov 2017 11:04:40 -0500
Subject: netfilter split
---
 src/firejail/firejail.h | 2 +-
 src/fnetfilter/Makefile.in | 45 ++++++++++++++++++
 src/fnetfilter/main.c | 115 +++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 161 insertions(+), 1 deletion(-)
 create mode 100644 src/fnetfilter/Makefile.in
 create mode 100644 src/fnetfilter/main.c
(limited to 'src')
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index ade23d89e..ab3c13598 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -766,7 +766,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 // sbox.c
 // programs
 #define PATH_FNET (LIBDIR "/firejail/fnet")
-#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter")
+#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter#define PATH_FNET (LIBDIR "/firejail/fnet")
 #define PATH_FIREMON (PREFIX "/bin/firemon")
 #define PATH_FIREJAIL (PREFIX "/bin/firejail")
 #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
diff --git a/src/fnetfilter/Makefile.in b/src/fnetfilter/Makefile.in
new file mode 100644
index 000000000..1063737e1
--- /dev/null
+++ b/src/fnetfilter/Makefile.in
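Review bot: As printed, the added line `#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter#define PATH_FNET (LIBDIR "/firejail/fnet")` has an unterminated string literal and an unbalanced parenthesis, and it repeats the `PATH_FNET` definition that already stands on the context line above it. This may be an artifact of how the patch was rendered rather than what the commit contains; if the line really reads this way, firejail.h no longer compiles. The intended text is presumably `#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter")`, i.e. identical to the line being removed, in which case the hunk is a no-op and could be dropped from the commit.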
@@ -0,0 +1,45 @@
+all: fnetfilter
+
+CC=@CC@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+sysconfdir=@sysconfdir@
+
+VERSION=@PACKAGE_VERSION@
+NAME=@PACKAGE_NAME@
+HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
+HAVE_SECCOMP=@HAVE_SECCOMP@
+HAVE_CHROOT=@HAVE_CHROOT@
+HAVE_BIND=@HAVE_BIND@
+HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_NETWORK=@HAVE_NETWORK@
+HAVE_USERNS=@HAVE_USERNS@
+HAVE_X11=@HAVE_X11@
+HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
+HAVE_WHITELIST=@HAVE_WHITELIST@
+HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
+HAVE_APPARMOR=@HAVE_APPARMOR@
+HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
+HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+HAVE_GCOV=@HAVE_GCOV@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+
+H_FILE_LIST = $(sort $(wildcard *.[h]))
+C_FILE_LIST = $(sort $(wildcard *.c))
+OBJS = $(C_FILE_LIST:.c=.o)
+BINOBJS = $(foreach file, $(OBJS), $file)
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
+ $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+
+fnetfilter: $(OBJS)
+ $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+
+clean:; rm -f *.o fnetfilter *.gcov *.gcda *.gcno
+
+distclean: clean
+ rm -fr Makefile
diff --git a/src/fnetfilter/main.c b/src/fnetfilter/main.c
new file mode 100644
index 000000000..67ab31832
--- /dev/null
+++ b/src/fnetfilter/main.c
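Review bot: `EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@` appears twice in the variable block, once before and once after `HAVE_GCOV`, so whatever configure substitutes is handed to the linker twice on the `fnetfilter` link line; one of the two lines should be removed. The `%.o` pattern rule also lists `../include/syscall.h` as a prerequisite, which this helper does not appear to need (main.c in this commit includes only `../include/common.h`), so it can likely be dropped from the dependency list, though that is harmless if left. `BINOBJS` is defined but never referenced in any rule and looks like a copy-paste leftover.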
@@ -0,0 +1,115 @@
+ /*
+ * Copyright (C) 2014-2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "../include/common.h"
+
+#define MAXBUF 4098
+int arg_quiet = 0;
+
+static char *default_filter =
+"*filter\n"
+":INPUT DROP [0:0]\n"
+":FORWARD DROP [0:0]\n"
+":OUTPUT ACCEPT [0:0]\n"
+"-A INPUT -i lo -j ACCEPT\n"
+"-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
+"# echo replay is handled by -m state RELATED/ESTABLISHED below\n"
+"#-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT\n"
+"-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT\n"
+"-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT\n"
+"-A INPUT -p icmp --icmp-type echo-request -j ACCEPT \n"
+"# disable STUN\n"
+"-A OUTPUT -p udp --dport 3478 -j DROP\n"
+"-A OUTPUT -p udp --dport 3479 -j DROP\n"
+"-A OUTPUT -p tcp --dport 3478 -j DROP\n"
+"-A OUTPUT -p tcp --dport 3479 -j DROP\n"
+"COMMIT\n";
+
+static void usage(void) {
+ printf("Usage:\n");
+ printf("\tfnetfilter netfilter-command destination-file\n");
+}
+
+int main(int argc, char **argv) {
+#if 0
+{
+system("cat /proc/self/status");
+int i;
+for (i = 0; i < argc; i++)
+ printf("*%s* ", argv[i]);
+printf("\n");
+}
+#endif
+
+ char *quiet = getenv("FIREJAIL_QUIET");
+ if (quiet && 
strcmp(quiet, "yes") == 0)
+ arg_quiet = 1;
+
+ if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) {
+ usage();
+ return 0;
+ }
+
+ if (argc != 2 && argc != 3) {
+ usage();
+ return 1;
+ }
+
+ char *destfile = (argc == 3)? argv[2]: argv[1];
+ char *command = (argc == 3)? argv[1]: NULL;
+//printf("command %s\n", command);
+//printf("destfile %s\n", destfile);
+
+ // handle default config (command = NULL, destfile)
+ if (command == NULL) {
+ // create a default filter file
+ FILE *fp = fopen(destfile, "w");
+ if (!fp) {
+ fprintf(stderr, "Error fnetfilter: cannot open %s\n", destfile);
+ exit(1);
+ }
+ fprintf(fp, "%s\n", default_filter);
+ fclose(fp);
+ }
+ else {
+ // copy the file
+ FILE *fp1 = fopen(command, "r");
+ if (!fp1) {
+ fprintf(stderr, "Error fnetfilter: cannot open %s\n", command);
+ exit(1);
+ }
+
+ FILE *fp2 = fopen(destfile, "w");
+ if (!fp2) {
+ fprintf(stderr, "Error fnetfilter: cannot open %s\n", destfile);
+ exit(1);
+ }
+
+ char buf[MAXBUF];
+ while (fgets(buf, MAXBUF, fp1))
+ fprintf(fp2, "%s", buf);
+
+ fclose(fp1);
+ fclose(fp2);
+ }
+
+
+printf("fnetfilter running\n");
+ return 0;
+}
-- cgit v1.2.3-70-g09d2
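Review bot: `strcmp(argv[1], "-h")` runs before the `argc != 2 && argc != 3` check, so running fnetfilter with no arguments passes the NULL `argv[1]` to strcmp (undefined behaviour, in practice a segfault) instead of reaching `usage()`; move the argc test above the help test, or guard it as `if (argc >= 2 && (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") == 0)) {`. In both branches the return value of `fclose()` on the write stream is discarded, so a short write to the filter file (disk full, quota) is reported as success and a truncated ruleset may later be loaded as if it were complete; `if (fclose(fp2) != 0) { fprintf(stderr, "Error fnetfilter: cannot write %s\n", destfile); exit(1); }` (and the same for `fp` in the default branch) makes the failure visible. `arg_quiet` is set from FIREJAIL_QUIET but never read, so the closing `printf("fnetfilter running\n")` is printed unconditionally; either gate it with `if (!arg_quiet)` or drop the variable and the getenv.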