From 0f1a12da2881727a2e1c214e0d48aa10b546f5fc Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sun, 22 Nov 2015 13:37:36 -0500
Subject: [PATCH] disable firejail configuration by default
---
RELNOTES | 2 ++
etc/disable-mgmt.inc | 3 ---
src/firejail/fs.c | 19 +++++++++++++++++++
test/configure | 2 ++
test/features/1.1.exp | 4 ++--
test/features/1.5.exp | 4 ++--
test/features/1.6.exp | 4 ++--
test/features/1.7.exp | 4 ++--
test/features/1.8.exp | 38 +++++++++++++++++++++++++++-----------
test/features/test.sh | 10 +++++-----
10 files changed, 63 insertions(+), 27 deletions(-)
diff --git a/RELNOTES b/RELNOTES
index d8dec685e..a093df2e5 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -6,6 +6,8 @@ firejail (0.9.35) baseline; urgency=low
 /etc/passwd and /etc/group
 * added /etc/firejail/nolocal.net network filter
 * added /etc/firejail/webserver.net network filter
+ * manipulation of firejail configuration disabled by default
+ * added automated feature testing framework
 * bugfixes
 -- netblue30 ongoing development
diff --git a/etc/disable-mgmt.inc b/etc/disable-mgmt.inc
index ab9fe3cb1..4a8994a03 100644
--- a/etc/disable-mgmt.inc
+++ b/etc/disable-mgmt.inc
@@ -14,6 +14,3 @@ blacklist ${PATH}/xev
 blacklist ${PATH}/strace
 blacklist ${PATH}/nc
-# Prevent manipulation of firejail configuration
-blacklist /etc/firejail
-blacklist ${HOME}/.config/firejail
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index c6dfdec30..a0a7d9342 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -552,6 +552,19 @@ void fs_proc_sys_dev_boot(void) {
 }
 }
+// disable firejail configuration in /etc/firejail and in ~/.config/firejail
+static void disable_firejail_config(void) {
+ struct stat s;
+ if (stat("/etc/firejail", &s) == 0)
+ disable_file(BLACKLIST_FILE, "/etc/firejail");
+
+ char *fname;
+ if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1)
+ errExit("asprintf");
+ disable_file(BLACKLIST_FILE, fname);
+ free(fname);
+}
+
 // build a basic read-only filesystem
 void fs_basic_fs(void) {
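Review bot: In `disable_firejail_config()` (src/firejail/fs.c) the `~/.config/firejail` path is handed to `disable_file()` without the `stat()` guard used for `/etc/firejail`, and `cfg.homedir` is formatted with `%s` without a NULL check. `disable_file()` is defined outside this hunk, so how it treats a missing path is an assumption; if it skips one silently, a sandbox started before the directory exists leaves that location unprotected and a profile written there from inside would be read by later launches. Making the second branch match the first, `if (stat(fname, &s) == 0) disable_file(BLACKLIST_FILE, fname);`, preceded by `if (cfg.homedir == NULL) return;`, keeps the two paths consistent. The function comment should also record that a directory created after start-up is not covered.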
@@ -577,6 +590,8 @@ void fs_basic_fs(void) {
 // don't leak user information
 restrict_users();
+
+ disable_firejail_config();
 }
@@ -723,6 +738,8 @@ void fs_overlayfs(void) {
 // don't leak user information
 restrict_users();
+ disable_firejail_config();
+
 // cleanup and exit
 free(option);
 free(oroot);
@@ -846,6 +863,8 @@ void fs_chroot(const char *rootdir) {
 // don't leak user information
 restrict_users();
+
+ disable_firejail_config();
 }
 #endif
diff --git a/test/configure b/test/configure
index 21844bb7e..b46b97985 100755
--- a/test/configure
+++ b/test/configure
@@ -26,6 +26,8 @@ DEFAULT_FILES+=" /bin/cp /bin/ls /bin/cat /bin/ps /bin/grep /usr/bin/id /usr/bin
 rm -fr $ROOTDIR
 mkdir -p $ROOTDIR/{root,bin,lib,lib64,usr,home,etc,dev/shm,tmp,var/run,var/tmp,var/lock,var/log,proc}
+mkdir -p $ROOTDIR/etc/firejail
+mkdir -p $ROOTDIR/home/netblue/.config/firejail
 touch $ROOTDIR/var/log/syslog
 touch $ROOTDIR/var/tmp/somefile
 SORTED=`for FILE in $* $DEFAULT_FILES; do echo " $FILE "; ldd $FILE | grep -v dynamic | cut -d " " -f 3; done | sort -u`
diff --git a/test/features/1.1.exp b/test/features/1.1.exp
index 41443a080..5ba123107 100755
--- a/test/features/1.1.exp
+++ b/test/features/1.1.exp
@@ -51,14 +51,14 @@ sleep 1
 #
 send -- "firejail --noprofile --chroot=/tmp/chroot\r"
 expect {
- timeout {puts "TESTING ERROR 3\n";exit}
+ timeout {puts "TESTING ERROR 4\n";exit}
 "Child process initialized"
 }
 sleep 1
 send -- "ls -l /boot | wc -l\r"
 expect {
- timeout {puts "TESTING ERROR 4\n";exit}
+ timeout {puts "TESTING ERROR 5\n";exit}
 "1"
 }
 after 100
diff --git a/test/features/1.5.exp b/test/features/1.5.exp
index d722c5811..84c00937f 100755
--- a/test/features/1.5.exp
+++ b/test/features/1.5.exp
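Review bot: The three new `disable_firejail_config();` calls in src/firejail/fs.c (`fs_basic_fs`, `fs_overlayfs`, `fs_chroot`) are unconditional, while the commit title and RELNOTES describe the protection as on "by default", which implies an opt-out that these hunks do not show. If there is none, a comment at each call such as `// always hide firejail's own configuration from the sandbox (no opt-out)` would keep the wording and the code in agreement. For `fs_chroot` the comment should also say whether `/etc/firejail` and `cfg.homedir` are resolved inside the new root at this point. The enclosing function bodies start outside the hunks, so the ordering relative to the chroot and to later profile processing cannot be confirmed from here.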
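Review bot: The added `mkdir -p $ROOTDIR/home/netblue/.config/firejail` in test/configure hard-codes one user's home directory, so the chroot case of 1.8.exp can only find `~/.config/firejail` when the suite runs as that user (assuming the home path inside the chroot mirrors the caller's). Deriving it from the environment, `mkdir -p "$ROOTDIR$HOME/.config/firejail"`, keeps the test meaningful on other accounts. Quoting the expansion also avoids word splitting if `$ROOTDIR` ever contains a space.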
@@ -51,14 +51,14 @@ sleep 1
 #
 send -- "firejail --noprofile --chroot=/tmp/chroot\r"
 expect {
- timeout {puts "TESTING ERROR 3\n";exit}
+ timeout {puts "TESTING ERROR 4\n";exit}
 "Child process initialized"
 }
 sleep 1
 send -- "ps aux | wc -l \r"
 expect {
- timeout {puts "TESTING ERROR 4\n";exit}
+ timeout {puts "TESTING ERROR 5\n";exit}
 "5"
 }
 after 100
diff --git a/test/features/1.6.exp b/test/features/1.6.exp
index a9c8f2a19..0a4b788b8 100755
--- a/test/features/1.6.exp
+++ b/test/features/1.6.exp
@@ -51,14 +51,14 @@ sleep 1
 #
 send -- "firejail --noprofile --chroot=/tmp/chroot\r"
 expect {
- timeout {puts "TESTING ERROR 3\n";exit}
+ timeout {puts "TESTING ERROR 4\n";exit}
 "Child process initialized"
 }
 sleep 1
 send -- "ls -l /var/log/syslog | wc -l\r"
 expect {
- timeout {puts "TESTING ERROR 4\n";exit}
+ timeout {puts "TESTING ERROR 5\n";exit}
 "0"
 }
 after 100
diff --git a/test/features/1.7.exp b/test/features/1.7.exp
index 0de3e224d..c95184fd1 100755
--- a/test/features/1.7.exp
+++ b/test/features/1.7.exp
@@ -53,14 +53,14 @@ sleep 1
 #
 send -- "firejail --noprofile --chroot=/tmp/chroot\r"
 expect {
- timeout {puts "TESTING ERROR 3\n";exit}
+ timeout {puts "TESTING ERROR 4\n";exit}
 "Child process initialized"
 }
 sleep 1
 send -- "ls -l /var/tmp/somefile | wc -l\r"
 expect {
- timeout {puts "TESTING ERROR 4\n";exit}
+ timeout {puts "TESTING ERROR 5\n";exit}
 "0"
 }
 after 100
diff --git a/test/features/1.8.exp b/test/features/1.8.exp
index 514dd3b81..aefe9d8c5 100755
--- a/test/features/1.8.exp
+++ b/test/features/1.8.exp
@@ -10,7 +10,6 @@ match_max 100000
 #
 # N
 #
-send -- "touch /var/tmp/somefile\r"
 sleep 1
 send -- "firejail --noprofile\r"
 expect {
@@ -19,10 +18,16 @@ expect {
 }
 sleep 1
-send -- "ls -l /var/tmp/somefile | wc -l\r"
+send -- "ls /etc/firejail\r"
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}
- "0"
+ "Permission denied"
+}
+after 100
+send -- "ls ~/.config/firejail\r"
+expect {
+ timeout {puts "TESTING ERROR 1.1\n";exit}
+ "Permission denied"
 }
 after 100
 send -- "exit\r"
@@ -38,13 +43,19 @@ expect {
 "Child process initialized"
 }
 sleep 1
-
-send -- "ls -l /var/tmp/somefile | wc -l\r"
+send -- "ls /etc/firejail\r"
 expect {
 timeout {puts "TESTING ERROR 3\n";exit}
- "0"
+ "Permission denied"
 }
 after 100
+send -- "ls ~/.config/firejail\r"
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "Permission denied"
+}
+after 100
+
 send -- "exit\r"
 sleep 1
@@ -53,15 +64,20 @@ sleep 1
 #
 send -- "firejail --noprofile --chroot=/tmp/chroot\r"
 expect {
- timeout {puts "TESTING ERROR 3\n";exit}
+ timeout {puts "TESTING ERROR 4\n";exit}
 "Child process initialized"
 }
 sleep 1
-
-send -- "ls -l /var/tmp/somefile | wc -l\r"
+send -- "ls /etc/firejail\r"
 expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "0"
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "Permission denied"
+}
+after 100
+send -- "ls ~/.config/firejail\r"
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "Permission denied"
 }
 after 100
 send -- "exit\r"
diff --git a/test/features/test.sh b/test/features/test.sh
index b4ef6503a..1fb7557c8 100755
--- a/test/features/test.sh
+++ b/test/features/test.sh
@@ -4,13 +4,13 @@
 # Feature testing
 #
-echo "TESTING: 1.1. new /boot"
+echo "TESTING: 1.1 new /boot"
 ./1.1.exp
-echo "TESTING: 1.2. new /proc"
+echo "TESTING: 1.2 new /proc"
 ./1.2.exp
-echo "TESTING: 1.5. PID namespace"
+echo "TESTING: 1.5 PID namespace"
 ./1.5.exp
 echo "TESTING: 1.6 new /var/log"
@@ -19,6 +19,6 @@ echo "TESTING: 1.6 new /var/log"
 echo "TESTING: 1.7 new /var/tmp"
 ./1.7.exp
-#echo "TESTING: "
-#./1..exp
+echo "TESTING: 1.8 disable /etc/firejail and ~/.config/firejail"
+./1.8.exp
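Review bot: The `ls ~/.config/firejail` checks added in the three later hunks of test/features/1.8.exp assume the directory already exists for the account running the suite. Where it is absent, `ls` reports a missing path instead of `Permission denied` and the case ends in `TESTING ERROR 1.1`, `3.1` or `5.1` for a reason unrelated to the blacklist. Creating it before the first `firejail --noprofile` launch, `send -- "mkdir -p ~/.config/firejail\r"`, would make the result depend only on the sandbox. The checks also cover listing only; a write attempt such as `touch ~/.config/firejail/x` with an expected failure would exercise the modification case this commit is about.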