From d0cc960c9cd3bdab63dde02367bb9646134a7e28 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Mon, 5 Dec 2016 08:21:32 -0500
Subject: spoof machine-id
---
 src/firejail/firejail.h | 2 ++
 src/firejail/fs.c | 5 ++++-
 src/firejail/fs_etc.c | 51 ++++++++++++++++++++++++++++++++++++++++++++
 src/firejail/main.c | 4 ++++
 src/firejail/profile.c | 4 ++++
 src/firejail/usage.c | 3 +++
 src/man/firejail-profile.txt | 4 ++++
 src/man/firejail.txt | 10 +++++++++
 8 files changed, 82 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index d172efce1..368e0d88d 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -78,6 +78,7 @@
 #define RUN_HOSTNAME_FILE "/run/firejail/mnt/hostname"
 #define RUN_HOSTS_FILE "/run/firejail/mnt/hosts"
 #define RUN_RESOLVCONF_FILE "/run/firejail/mnt/resolv.conf"
+#define RUN_MACHINEID "/run/firejail/mnt/machine-id"
 #define RUN_LDPRELOAD_FILE "/run/firejail/mnt/ld.so.preload"
 #define RUN_UTMP_FILE "/run/firejail/mnt/utmp"
 #define RUN_PASSWD_FILE "/run/firejail/mnt/passwd"
@@ -342,6 +343,7 @@ extern int arg_allow_debuggers; // allow debuggers
 extern int arg_x11_block; // block X11
 extern int arg_x11_xorg; // use X11 security extention
 extern int arg_allusers; // all user home directories visible
+extern int arg_machineid; // preserve /etc/machine-id
 extern int login_shell;
 extern int parent_to_child_fds[2];
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 9a2f4facc..53d63a108 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -597,7 +597,8 @@ void fs_basic_fs(void) {
 fs_var_lib();
 fs_var_cache();
 fs_var_utmp();
-
+ fs_machineid();
+
 // don't leak user information
 restrict_users();
@@ -880,6 +881,7 @@ void fs_overlayfs(void) {
 fs_var_lib();
 fs_var_cache();
 fs_var_utmp();
+ fs_machineid();
 // don't leak user information
 restrict_users();
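Review bot: No prototype for fs_machineid() is added to firejail.h even though fs.c now calls it from fs_basic_fs() and fs_overlayfs(); the diffstat lists exactly two insertions for the header and both are visible here (the RUN_MACHINEID define and the arg_machineid extern), so unless a declaration already exists elsewhere the new calls compile against an implicit declaration. A `void fs_machineid(void);` line belongs with the other fs_etc.c prototypes in firejail.h. The fs_basic_fs() hunk also removes one blank line only to add another right after the new call, which is whitespace churn worth dropping. Both fs.c functions start and end outside these hunks.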
@@ -1061,6 +1063,7 @@ void fs_chroot(const char *rootdir) {
 fs_var_lib();
 fs_var_cache();
 fs_var_utmp();
+ fs_machineid();
 // don't leak user information
 restrict_users();
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index 9a28ac601..a04bf6725 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -23,6 +23,57 @@
 #include
 #include
+// spoof /etc/machine_id
+void fs_machineid(void) {
+ union machineid_t {
+ uint8_t u8[16];
+ uint32_t u32[4];
+ } mid;
+
+ // if --machine-id flag is active, do nothing
+ if (arg_machineid)
+ return;
+
+ // init random number generator
+ srand(time(NULL));
+
+ // generate random id
+ mid.u32[0] = rand();
+ mid.u32[1] = rand();
+ mid.u32[2] = rand();
+ mid.u32[3] = rand();
+
+ // UUID version 4 and DCE variant
+ mid.u8[6] = (mid.u8[6] & 0x0F) | 0x40;
+ mid.u8[8] = (mid.u8[8] & 0x3F) | 0x80;
+
+ // write it in a file
+ FILE *fp = fopen(RUN_MACHINEID, "w");
+ if (!fp)
+ errExit("fopen");
+ fprintf(fp, "%08x%08x%08x%08x\n", mid.u32[0], mid.u32[1], mid.u32[2], mid.u32[3]);
+ fclose(fp);
+ if (set_perms(RUN_MACHINEID, 0, 0, 0444))
+ errExit("set_perms");
+
+
+ struct stat s;
+ // mount-bind
+ if (stat("/etc/machine-id", &s) == 0) {
+ if (arg_debug)
+ printf("installing a new /etc/machine-id\n");
+
+ if (mount(RUN_MACHINEID, "/etc/machine-id", "none", MS_BIND, "mode=444,gid=0"))
+ errExit("mount");
+ }
+//#if 0 // todo: investigate
+ if (stat("/var/lib/dbus/machine-id", &s) == 0) {
+ if (mount(RUN_MACHINEID, "/etc/machine-id", "none", MS_BIND, "mode=444,gid=0"))
+ errExit("mount");
+ }
+//#endif
+}
+
 // return 0 if file not found, 1 if found
 static int check_dir_or_file(const char *fname) {
 assert(fname);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index aa855b7eb..32769845d 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
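Review bot: The second bind mount in fs_machineid() targets "/etc/machine-id" again instead of the path it just stat()ed, so the D-Bus copy of the real id in /var/lib/dbus/machine-id stays readable inside the sandbox and /etc/machine-id gets a second mount stacked on it; the target must be `"/var/lib/dbus/machine-id"`. The id itself is produced by srand(time(NULL)) and rand(), which means every sandbox started within the same second receives the same "random" id, and with the usual RAND_MAX of 2^31-1 the top bit of each 32-bit word is always clear, so a spoofed id is both predictable and recognisable — for a privacy feature the 16 bytes should come from the kernel CSPRNG, as sketched below. The `//#if 0 // todo: investigate` / `//#endif` pair should be resolved rather than shipped as commented-out preprocessor lines, and the leading comment should read `// spoof /etc/machine-id` to match the file it replaces.
```c
	// 16 bytes from the kernel CSPRNG; srand(time(NULL))/rand() is predictable
	// and repeats for sandboxes started within the same second
	FILE *rnd = fopen("/dev/urandom", "r");
	if (!rnd)
		errExit("fopen");
	if (fread(mid.u8, 1, sizeof(mid.u8), rnd) != sizeof(mid.u8))
		errExit("fread");
	fclose(rnd);
	// … unchanged: UUID version/variant bits, writing RUN_MACHINEID, /etc/machine-id bind …
	if (stat("/var/lib/dbus/machine-id", &s) == 0) {
		if (mount(RUN_MACHINEID, "/var/lib/dbus/machine-id", "none", MS_BIND, "mode=444,gid=0"))
			errExit("mount");
	}
```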
@@ -111,6 +111,7 @@ int arg_allow_debuggers = 0; // allow debuggers
 int arg_x11_block = 0; // block X11
 int arg_x11_xorg = 0; // use X11 security extention
 int arg_allusers = 0; // all user home directories visible
+int arg_machineid = 0; // preserve /etc/machine-id
 int login_shell = 0;
@@ -1520,6 +1521,9 @@ int main(int argc, char **argv) {
 else if (strcmp(argv[i], "--writable-var") == 0) {
 arg_writable_var = 1;
 }
+ else if (strcmp(argv[i], "--machine-id") == 0) {
+ arg_machineid = 1;
+ }
 else if (strcmp(argv[i], "--private") == 0) {
 arg_private = 1;
 }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 3697b54b9..63678514f 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -650,6 +650,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
+ if (strcmp(ptr, "machine-id") == 0) {
+ arg_machineid = 1;
+ return 0;
+ }
 // writable-var
 if (strcmp(ptr, "writable-var") == 0) {
 arg_writable_var = 1;
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index c8bed06e3..db3c25a5a 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -94,6 +94,9 @@ void usage(void) {
 printf(" --ls=name|pid dir_or_filename - list files in sandbox container.\n");
 #ifdef HAVE_NETWORK
 printf(" --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n");
+#endif
+ printf(" --machine-id - preserve /etc/machine-id\n");
+#ifdef HAVE_NETWORK
 printf(" --mtu=number - set interface MTU.\n");
 #endif
 printf(" --name=name - set sandbox name.\n");
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 007374c75..fa522c154 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
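Review bot: The new `machine-id` branch in profile_check_line() is the only keyword in this stretch without the one-line section comment its neighbours carry (`// writable-var` sits directly below it); add `// machine-id` above the new `if` so the file's comment-per-keyword convention holds. Nothing in the hunk validates or rejects the keyword when it appears with trailing text, but that matches how the adjacent `writable-var` keyword is handled, so it is consistent rather than a defect. profile_check_line() begins and ends outside the hunk.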
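Review bot: The new help line `--machine-id - preserve /etc/machine-id\n` in usage() is the only entry in this run without the terminating period that the neighbouring `--mac`, `--mtu` and `--name` lines end with; make it `printf(" --machine-id - preserve /etc/machine-id.\n");`. Closing and reopening the HAVE_NETWORK block around it is presumably done to keep the list alphabetical, and a short comment such as `// not a network option; kept here for alphabetical order` would save the next reader a double take. usage() begins and ends outside the hunk.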
@@ -446,6 +446,10 @@ iprange 192.168.1.150,192.168.1.160
 \fBmac address
 Assign MAC addresses to the last network interface defined by a net command.
+.TP
+\fBmachine-id
+Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox.
+
 .TP
 \fBmtu number
 Assign a MTU value to the last network interface defined by a net command.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 450f30c68..fdeb9ea3f 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -665,6 +665,16 @@ Example:
 .br
 $ firejail \-\-net=eth0 \-\-mac=00:11:22:33:44:55 firefox
+.TP
+\fB\-\-machine-id
+Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-machine-id
+
 .TP
 \fB\-\-mtu=number
 Assign a MTU value to the last network interface defined by a \-\-net option.
-- cgit v1.2.3-54-g00ecf