From eecf35c2f8249489a1d3e512bb07f0d427183134 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Sat, 23 Mar 2019 22:32:30 +0000
Subject: mount runtime seccomp files read-only (#2602)

avoid creating locations in the file system that are both writable and executable (in this case for processes with euid of the user). for the same reason also remove user owned libfiles when it is not needed any more
---
 src/firejail/firejail.h | 16 ++++++++--------
 src/firejail/fs_lib.c | 1 +
 src/firejail/preproc.c | 2 ++
 src/firejail/sandbox.c | 8 +++++---
 4 files changed, 16 insertions(+), 11 deletions(-)
(limited to 'src')

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 5291361c8..4cb10c875 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -57,13 +57,14 @@
 #define RUN_LIB_FILE "/run/firejail/mnt/libfiles"
 #define RUN_DNS_ETC "/run/firejail/mnt/dns-etc"
-#define RUN_SECCOMP_LIST "/run/firejail/mnt/seccomp.list" // list of seccomp files installed
-#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter
-#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter
-#define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp.32" // 32bit arch filter installed on 64bit architectures
-#define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute
-#define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter
-#define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library
+#define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp"
+#define RUN_SECCOMP_LIST "/run/firejail/mnt/seccomp/seccomp.list" // list of seccomp files installed
+#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp/seccomp.protocol" // protocol filter
+#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp/seccomp" // configured filter
+#define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp/seccomp.32" // 32bit arch filter installed on 64bit architectures
+#define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp/seccomp.mdwx" // filter for memory-deny-write-execute
+#define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp/seccomp.block_secondary" // secondary arch blocking filter
+#define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp/seccomp.postexec" // filter for post-exec library
 #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make
 #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make
 #define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make
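Review bot: `RUN_SECCOMP_DIR` is the only new define in this block without the trailing comment every sibling carries, so the reader has to find sandbox.c to learn what it is for; suggest `#define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp" // directory holding the runtime filters below; remounted read-only by sandbox()`. Worth noting in the same comment that this literal path used to be the file `RUN_SECCOMP_CFG`, so any code or test outside this header that still hard-codes `/run/firejail/mnt/seccomp` as a file would now meet a directory — I cannot see from here whether such references exist.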
@@ -95,7 +96,6 @@
 #define RUN_ASOUNDRC_FILE "/run/firejail/mnt/.asoundrc"
 #define RUN_HOSTNAME_FILE "/run/firejail/mnt/hostname"
 #define RUN_HOSTS_FILE "/run/firejail/mnt/hosts"
-#define RUN_RESOLVCONF_FILE "/run/firejail/mnt/resolv.conf"
 #define RUN_MACHINEID "/run/firejail/mnt/machine-id"
 #define RUN_LDPRELOAD_FILE "/run/firejail/mnt/ld.so.preload"
 #define RUN_UTMP_FILE "/run/firejail/mnt/utmp"
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 808ead240..70c6ac88a 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -133,6 +133,7 @@ void fslib_copy_libs(const char *full_path) {
 fslib_duplicate(buf);
 }
 fclose(fp);
+ unlink(RUN_LIB_FILE);
 }
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index 2effebbaa..a7af4b127 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -86,6 +86,8 @@ void preproc_mount_mnt_dir(void) {
 fs_logger2("tmpfs", RUN_MNT_DIR);
 
 #ifdef HAVE_SECCOMP
+ create_empty_dir_as_root(RUN_SECCOMP_DIR, 0755);
+
 if (arg_seccomp_block_secondary)
 copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed
 else {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 2b5d30158..101a16d00 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1053,9 +1053,6 @@ int sandbox(void* sandbox_arg) {
 // save state of nonewprivs
 save_nonewprivs();
 
- // set capabilities
- set_caps();
-
 // save cpu affinity mask to CPU_CFG file
 save_cpu();
 
@@ -1101,8 +1098,13 @@ int sandbox(void* sandbox_arg) {
 int rv = unlink(RUN_SECCOMP_MDWX);
 (void) rv;
 }
+ // make seccomp filters read-only
+ fs_rdonly(RUN_SECCOMP_DIR);
 #endif
 
+ // set capabilities
+ set_caps();
+
 //****************************************
 // communicate progress of sandbox set up
 // to --join
-- 
cgit v1.2.3-70-g09d2
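Review bot: The new `unlink(RUN_LIB_FILE)` after `fclose(fp)` in fslib_copy_libs() drops its result silently, while the sandbox.c hunk of this same commit spells the identical intent as `int rv = unlink(RUN_SECCOMP_MDWX); (void) rv;`; the two call sites should use one form. Since the commit message gives removing a user-owned writable file as the reason, a failure here is security-relevant and deserves at least a visible report rather than a bare ignore — something like `if (unlink(RUN_LIB_FILE) == -1) errExit("unlink");` if a hard failure is acceptable at this point, otherwise a logged warning. If fslib_copy_libs() can run more than once per sandbox, the second call would presumably find the list file already gone; worth confirming against the callers. The function body starts outside the hunk.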
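Review bot: `create_empty_dir_as_root(RUN_SECCOMP_DIR, 0755)` gives no hint why the directory is root-owned while the filter files copied into it on the following lines are owned by the user (`getuid(), getgid(), 0644`), and the piece that closes the gap lives in another file; a comment tying the two together would help, e.g. `// root-owned: the user cannot add or replace filters here; the files themselves are remounted read-only by fs_rdonly() in sandbox()`. As written, the user-owned files stay writable between this copy and that remount, which the commit evidently accepts but which is easy to miss from this hunk alone. preproc_mount_mnt_dir() continues past the hunk.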
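Review bot: `set_caps()` now runs after `fs_rdonly(RUN_SECCOMP_DIR)` (this hunk, with the matching deletion in the earlier -1053 hunk of sandbox.c), but neither site records why, so a later cleanup could move it back up and silently make the remount fail once capabilities are dropped. Presumably fs_rdonly() needs the mount capability that set_caps() removes; if so, say it where the call now lands, e.g. `// set capabilities (must run after fs_rdonly(): the read-only remount needs CAP_SYS_ADMIN)`. The ordering of the RUN_SECCOMP_MDWX unlink just before the remount also looks deliberate — if fs_rdonly() is a read-only remount, the unlink could not succeed afterwards — and is worth a word in the new `// make seccomp filters read-only` comment. sandbox() continues outside the hunk.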