From 1a03225b4407f1cf88410573c8fc67031de511c1 Mon Sep 17 00:00:00 2001 From: Tad Date: Mon, 5 Nov 2018 18:32:22 -0500 Subject: Add new config option to disable U2F in browsers, enabled by default --- src/firejail/checkcfg.c | 9 +++++++++ src/firejail/firejail.h | 1 + src/firejail/profile.c | 1 + src/man/firejail-profile.txt | 2 +- 4 files changed, 12 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 50f952e91..45e28fe40 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -371,6 +371,15 @@ int checkcfg(int val) { else goto errout; } + // browser-disable-u2f + else if (strncmp(ptr, "browser-disable-u2f ", 20) == 0) { + if (strcmp(ptr + 20, "yes") == 0) + cfg_val[CFG_BROWSER_DISABLE_U2F] = 1; + else if (strcmp(ptr + 20, "no") == 0) + cfg_val[CFG_BROWSER_DISABLE_U2F] = 0; + else + goto errout; + } else goto errout; diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 7f6ed2586..d996e1dac 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -771,6 +771,7 @@ enum { CFG_JOIN, CFG_ARP_PROBES, CFG_XPRA_ATTACH, + CFG_BROWSER_DISABLE_U2F, CFG_PRIVATE_LIB, CFG_APPARMOR, CFG_DBUS, diff --git a/src/firejail/profile.c b/src/firejail/profile.c index c7c8fd9fa..a85c8f815 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -139,6 +139,7 @@ int profile_check_conditional(char *ptr, int lineno, const char *fname) { bool value; // true if set } conditionals[] = { {"HAS_APPIMAGE", strlen("HAS_APPIMAGE"), arg_appimage!=0}, + {"BROWSER_DISABLE_U2F", strlen("BROWSER_DISABLE_U2F"), checkcfg(CFG_BROWSER_DISABLE_U2F)!=0}, NULL }, *cond = conditionals; char *tmp = ptr, *msg = NULL; diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index e26b5f989..251346bd5 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt 
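Review bot: In the `browser-disable-u2f` branch added to `checkcfg()` in src/firejail/checkcfg.c, nothing sets `cfg_val[CFG_BROWSER_DISABLE_U2F]` when the key is absent from the configuration file, so the "enabled by default" promised in the subject depends on initialisation that lies outside this hunk. Please confirm that the default is 1, because a 0 default would leave the restriction off on every system whose configuration file predates this option. The branch itself fails closed on any value other than `yes` or `no`, which is the right behaviour for a security toggle. Once the default is confirmed, state it in the comment, for example `// browser-disable-u2f: yes or no, defaults to yes; any other value is a configuration error`. checkcfg() starts and ends outside the hunk.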
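Review bot: The `BROWSER_DISABLE_U2F` entry added to `conditionals[]` in `profile_check_conditional()` (src/firejail/profile.c) takes its value from `checkcfg()` while `HAS_APPIMAGE` reflects a command line flag, and neither the table nor the man page hunk says what turns the new conditional on. A profile author cannot tell from here that lines guarded by `?BROWSER_DISABLE_U2F:` are skipped when the administrator sets the option to `no`. I would add `// true when browser-disable-u2f is enabled in the configuration parsed by checkcfg()` above the entry and one matching sentence in the man page. The table appears to be a local array, so `checkcfg()` would be called each time the function runs; whether that is cheap depends on code outside the hunk. The function starts and ends outside the hunk.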
@@ -94,7 +94,7 @@ Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir" This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line. -Currently the only conditional supported is HAS_APPIMAGE. +Currently the only conditionals supported are HAS_APPIMAGE and BROWSER_DISABLE_U2F. The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines. -- cgit v1.2.3-54-g00ecf From 2acc910daf73c284965ca96bc70b4eb980c865cf Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 8 Nov 2018 10:49:44 -0500 Subject: profile parser testing --- README.md | 8 +++----- src/firejail/firejail.h | 3 +-- src/firejail/profile.c | 12 ++++++++++-- test/profiles/profile_appname.exp | 25 +++++++++++++++++++++++++ test/profiles/profile_noperm.exp | 2 +- test/profiles/profile_recursivity.exp | 25 +++++++++++++++++++++++++ test/profiles/profile_syntax2.exp | 27 +++------------------------ test/profiles/profiles.sh | 27 +++++++++++++++++++++++++++ test/profiles/test2.profile | 4 +++- test/profiles/test3.profile | 1 + 10 files changed, 99 insertions(+), 35 deletions(-) create mode 100755 test/profiles/profile_appname.exp create mode 100755 test/profiles/profile_recursivity.exp create mode 100644 test/profiles/test3.profile (limited to 'src') diff --git a/README.md b/README.md index d6a7877ca..9e61e5633 100644 --- a/README.md +++ b/README.md 
@@ -101,17 +101,15 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe ````` ## Current development version: 0.9.57 -## New Long Term Support (LTS) version +## New Long Term Support (0.9.56-LTS) version released -We are rebasing our Long Term Support branch of Firejail. The current LTS version (0.9.38.x) is more than two years old. The new version updates the code base to 0.9.56. We target a reduction of approx. 40% of the code by removing rarely used features (chroot, overlay, rlimits, cgroups), incomplete features (private-bin, private-lib), and a lot of instrumentation (build profile feature, tracing, auditing, etc). Sandbox-specific security features such as seccomp, capabilities, filesystem whitelist/blacklist and networking are updated and hardened. -We have an rc1 release out, the final version will follow in the next few weeks: ````` -firejail (0.9.56-LTS~rc1) baseline; urgency=low +firejail (0.9.56-LTS) baseline; urgency=low * code based on Firejail version 0.9.56 * much smaller code base for SUID executable * command line options removed: @@ -124,7 +122,7 @@ firejail (0.9.56-LTS~rc1) baseline; urgency=low --disable-globalcfg, --disable-network, --disable-userns, --disable-whitelist, --disable-suid, --enable-fatal-warnings, --enable-busybox-workaround - -- netblue30 Wed, 3 Oct 2018 08:00:00 -0500 + -- netblue30 Sun, 21 Oct 2018 08:00:00 -0500 ````` The new LTS branch is here: https://github.com/netblue30/firejail/tree/LTSbase diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index d996e1dac..46aea4bd4 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h 
@@ -461,8 +461,7 @@ void fs_mnt(const int enforce); // profile.c // find and read the profile specified by name from dir directory -int profile_find(const char *name, const char *dir, int add_ext); -int profile_find_firejail(const char *name, int add_ext); +//int profile_find_firejail(const char *name, int add_ext); // read a profile file void profile_read(const char *fname); // check profile line; if line == 0, this was generated from a command line option diff --git a/src/firejail/profile.c b/src/firejail/profile.c index a85c8f815..5f5d94ddf 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -25,7 +25,8 @@ extern char *xephyr_screen; #define MAX_READ 8192 // line buffer for profile files // find and read the profile specified by name from dir directory -int profile_find(const char *name, const char *dir, int add_ext) { +// return 1 if a profile was found +static int profile_find(const char *name, const char *dir, int add_ext) { EUID_ASSERT(); assert(name); assert(dir); @@ -64,6 +65,7 @@ int profile_find(const char *name, const char *dir, int add_ext) { } // search and read the profile specified by name from firejail directories +// return 1 if a profile was found int profile_find_firejail(const char *name, int add_ext) { // look for a profile in ~/.config/firejail directory char *usercfgdir; @@ -1438,7 +1440,13 @@ void profile_read(const char *fname) { ptr2++; // profile path contains no / chars, do a search if (*ptr2 == '\0') { - profile_find_firejail(newprofile, 0); + int rv = profile_find_firejail(newprofile, 0); // returns 1 if a profile was found in sysconfig directory + if (!rv) { + // maybe this is a file in the local working directory? + // it will stop the sandbox if not! + // Note: if the file ends in .local it will not stop the program + profile_read(newprofile); + } } else { profile_read(newprofile); diff --git a/test/profiles/profile_appname.exp b/test/profiles/profile_appname.exp new file mode 100755 index 000000000..c70e7ad57 
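Review bot: In the `@@ -1438,7 +1440,13 @@` hunk of `profile_read()` (src/firejail/profile.c), an `include` name without a `/` that `profile_find_firejail()` does not find is now passed unchanged to `profile_read(newprofile)`, which by the added comment resolves it against the current working directory. That makes the effective sandbox policy depend on where firejail is started: if an include named in an installed profile is missing, a file of the same name in the working directory would be read in its place, and that directory may hold content the user did not write. Names that contain a `/` already go straight to `profile_read()` in the `else` branch, so consider dropping the fallback and having local includes spelled `include ./name.profile`, or limiting the fallback to profiles that were themselves given by path. The trailing comment is also inaccurate, since the context of the second hunk shows `profile_find_firejail()` searching `~/.config/firejail` as well; `// returns 1 if a profile was found in a firejail config directory` would match. profile_read() starts and ends outside the hunk.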
--- /dev/null +++ b/test/profiles/profile_appname.exp @@ -0,0 +1,25 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2018 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --profile=firefox\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/firefox.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Reading profile /etc/firejail/firefox-common.profile" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "shell=none configured, but no program specified" +} + +after 100 +puts "\nall done\n" diff --git a/test/profiles/profile_noperm.exp b/test/profiles/profile_noperm.exp index b3b031cb2..9f8cb54e2 100755 --- a/test/profiles/profile_noperm.exp +++ b/test/profiles/profile_noperm.exp @@ -7,7 +7,7 @@ match_max 100000 send -- "firejail --profile=/etc/shadow\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "cannot access profile" + "inaccessible profile file" } after 100 puts "\nall done\n" diff --git a/test/profiles/profile_recursivity.exp b/test/profiles/profile_recursivity.exp new file mode 100755 index 000000000..66e4510bf --- /dev/null +++ b/test/profiles/profile_recursivity.exp @@ -0,0 +1,25 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2018 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --profile=test3.profile\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile test3.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Reading profile test3.profile" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "maximum profile include level was reached" +} + +after 100 +puts "\nall done\n" diff --git a/test/profiles/profile_syntax2.exp b/test/profiles/profile_syntax2.exp index 4d621f3ec..da34b67e8 100755 --- a/test/profiles/profile_syntax2.exp 
+++ b/test/profiles/profile_syntax2.exp @@ -7,7 +7,7 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --debug --profile=test2.profile\r" +send -- "firejail --profile=test2.profile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "Reading profile test2.profile" @@ -18,29 +18,8 @@ expect { } expect { timeout {puts "TESTING ERROR 2\n";exit} - "Mounting a new /home directory" + "cannot access profile file" } -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "Disable /bin/rmdir" {puts "Most Linux platforms\n"} - "Disable /usr/bin/rmdir" { puts "OpenSUSE platform\n"} -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Drop CAP_SYS_MODULE" -} -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "seccomp entries in /run/firejail/mnt/seccomp" -} -expect { - timeout {puts "TESTING ERROR 7\n";exit} - "jeq mount" -} -expect { - timeout {puts "TESTING ERROR 8\n";exit} - "Child process initialized" -} -send -- "exit\r" + after 100 puts "\nall done\n" diff --git a/test/profiles/profiles.sh b/test/profiles/profiles.sh index 7c3549aea..a3d24ac0c 100755 --- a/test/profiles/profiles.sh +++ b/test/profiles/profiles.sh 
@@ -6,6 +6,33 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) +echo "TESTING: profile recursivity (test/profiles/profile_recursivity.exp)" +./profile_recursivity.exp + +echo "TESTING: profile application name (test/profiles/profile_appname.exp)" +./profile_appname.exp + +echo "TESTING: profile syntax (test/profiles/profile_syntax.exp)" +./profile_syntax.exp + +echo "TESTING: profile syntax 2 (test/profiles/profile_syntax2.exp)" +./profile_syntax2.exp + +echo "TESTING: ignore command (test/profiles/ignore.exp)" +./ignore.exp + +echo "TESTING: profile read-only (test/profiles/profile_readonly.exp)" +./profile_readonly.exp + +echo "TESTING: profile read-only links (test/profiles/profile_readonly.exp)" +./profile_followlnk.exp + +echo "TESTING: profile no permissions (test/profiles/profile_noperm.exp)" +./profile_noperm.exp + + + + echo "TESTING: default profiles installed in /etc" PROFILES=`ls /etc/firejail/*.profile` for PROFILE in $PROFILES diff --git a/test/profiles/test2.profile b/test/profiles/test2.profile index e219d800d..9fbd5219a 100644 --- a/test/profiles/test2.profile +++ b/test/profiles/test2.profile @@ -1,4 +1,6 @@ -caps +caps seccomp private include test.profile + include test.local + include test25.profile diff --git a/test/profiles/test3.profile b/test/profiles/test3.profile new file mode 100644 index 000000000..c28ddadb5 --- /dev/null +++ b/test/profiles/test3.profile @@ -0,0 +1 @@ +include test3.profile \ No newline at end of file -- cgit v1.2.3-54-g00ecf From 360ca718df24bda1f3565b24989b7d2562be33a3 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 8 Nov 2018 11:30:11 -0500 Subject: fix compile --- src/firejail/firejail.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 46aea4bd4..8a397e3d8 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h 
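Review bot: The label added for the follow-link test in test/profiles/profiles.sh names the wrong script: the echo says `profile_readonly.exp` but the next line runs `./profile_followlnk.exp`, so a failure reported under that label points at the wrong file. Change it to `echo "TESTING: profile read-only links (test/profiles/profile_followlnk.exp)"`. The script also runs each `.exp` file without checking its exit status, and the new expect files end their timeout branches with a bare `exit`, so a failing test appears to be visible only as a `TESTING ERROR` line in the output.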
@@ -461,7 +461,7 @@ void fs_mnt(const int enforce); // profile.c // find and read the profile specified by name from dir directory -//int profile_find_firejail(const char *name, int add_ext); +int profile_find_firejail(const char *name, int add_ext); // read a profile file void profile_read(const char *fname); // check profile line; if line == 0, this was generated from a command line option -- cgit v1.2.3-54-g00ecf From cad533365168c418fbf4ac0984f7fa5893ef07e2 Mon Sep 17 00:00:00 2001 From: Glenn Washburn Date: Thu, 8 Nov 2018 13:52:33 -0600 Subject: Have appimage handling be the same with or with out special -- argument. --- src/firejail/main.c | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) (limited to 'src') diff --git a/src/firejail/main.c b/src/firejail/main.c index 23d9a1d51..4cb87aaa6 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -2244,21 +2244,18 @@ int main(int argc, char **argv) { return 1; } } - else if (strcmp(argv[i], "--") == 0) { + else { // double dash - positional params to follow - arg_doubledash = 1; - i++; - if (i >= argc) { - fprintf(stderr, "Error: program name not found\n"); - exit(1); + if (strcmp(argv[i], "--") == 0) { + arg_doubledash = 1; + i++; + if (i >= argc) { + fprintf(stderr, "Error: program name not found\n"); + exit(1); + } } - extract_command_name(i, argv); - prog_index = i; - break; - } - else { // is this an invalid option? - if (*argv[i] == '-') { + else if (*argv[i] == '-') { fprintf(stderr, "Error: invalid %s command line option\n", argv[i]); return 1; } -- cgit v1.2.3-54-g00ecf
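Review bot: The comment kept above the restored `profile_find_firejail()` prototype in src/firejail/firejail.h still reads "find and read the profile specified by name from dir directory", which described `profile_find()`, whose prototype the previous commit removed from this header. Replace it with the wording already used in profile.c: `// search and read the profile specified by name from firejail directories; return 1 if a profile was found`.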
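Review bot: In the restructured `else` branch of `main()` (src/firejail/main.c), the `--` path ends with `exit(1)` while the invalid-option path next to it uses `return 1`, and the comment `// is this an invalid option?` now sits between the closing brace and `else if`, which makes the chain easy to misread. Use `return 1;` in both places and move each comment inside the branch it describes. The `else if` is what lets the word after `--` through even when it starts with `-`; a short comment saying so would keep a later edit from turning it back into a plain `if`. The code that picks up the program name after this chain lies outside the hunk, so I could not check that `prog_index` is still set on the `--` path.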