netblue30 2020-09-01 16:10:41 -04:00
commit 18348b2749
21 changed files with 207 additions and 177 deletions

.gitignore vendored

@ -8,6 +8,7 @@
*.gcno
*.DS_Store
.directory
*.man
Makefile
autom4te.cache/
config.log
@ -35,7 +36,8 @@ src/fsec-optimize/fsec-optimize
src/fcopy/fcopy
src/fldd/fldd
src/fbuilder/fbuilder
etc/profstats
src/profstats/profstats
src/man/preproc
uids.h
seccomp
seccomp.debug


@ -10,23 +10,20 @@ VERSION=@PACKAGE_VERSION@
NAME=@PACKAGE_NAME@
PACKAGE_TARNAME=@PACKAGE_TARNAME@
DOCDIR=@docdir@
HAVE_SECCOMP=@HAVE_SECCOMP@
HAVE_APPARMOR=@HAVE_APPARMOR@
HAVE_CONTRIB_INSTALL=@HAVE_CONTRIB_INSTALL@
BUSYBOX_WORKAROUND=@BUSYBOX_WORKAROUND@
HAVE_SUID=@HAVE_SUID@
all: all_items man filters
APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats
APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/man/preproc
SBOX_APPS = src/faudit/faudit src/fbuilder/fbuilder src/ftee/ftee
SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter
MYDIRS = src/lib
MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5
ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp
SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
endif
ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
.PHONY: all_items $(ALL_ITEMS)
@ -39,13 +36,13 @@ mydirs: mydirs $(MYDIRS)
$(MYDIRS):
$(MAKE) -C $@
$(MANPAGES): $(wildcard src/man/*.txt)
./mkman.sh $(VERSION) src/man/$(basename $@).txt $@
$(MANPAGES): $(wildcard src/man/*.man)
./mkman.sh $(VERSION) src/man/$(basename $@).man $@
man: $(MANPAGES)
filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE)
ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
src/fseccomp/fseccomp default seccomp
src/fsec-optimize/fsec-optimize seccomp
@ -66,7 +63,6 @@ seccomp.mdwx: src/fseccomp/fseccomp
seccomp.mdwx.32: src/fseccomp/fseccomp
src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32
endif
clean:
for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \
@ -249,9 +245,7 @@ test-environment:
cd test/environment; ./environment.sh | grep TESTING
test-filters:
ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
cd test/filters; ./filters.sh | grep TESTING
endif
test-arguments:
cd test/arguments; ./arguments.sh | grep TESTING
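Review bot: The rewritten rule `$(MANPAGES): $(wildcard src/man/*.man)` evaluates the wildcard at parse time, so on a clean tree, where no .man has been generated yet, the six man pages have no prerequisites at all and `./mkman.sh $(VERSION) src/man/$(basename $@).man $@` succeeds only because `all: all_items man filters` happens to name `all_items` first — an ordering `make -j` does not honour; the old `*.txt` wildcard was harmless because the .txt sources are checked in. Once the files exist, every page depends on every .man, so any single change rebuilds all six. Each page should depend on its own generated input, with the src/man sub-build (its `all` target appears to produce the .man files; the `$(ALL_ITEMS)` recipe that invokes it is outside this hunk) declared as an order-only prerequisite, along the lines of the sketch below.
```make
# The .man inputs are produced by the src/man sub-build (phony target
# src/man/preproc); the empty rule tells make they are makeable and the
# order-only prerequisite runs that build first, also under -j.
src/man/%.man: | src/man/preproc ;
%.1: src/man/%.man
	./mkman.sh $(VERSION) $< $@
%.5: src/man/%.man
	./mkman.sh $(VERSION) $< $@
man: $(MANPAGES)
# … unchanged: filters, seccomp rules, clean …
```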

configure vendored

@ -624,7 +624,6 @@ ac_includes_default="\
ac_subst_vars='LTLIBOBJS
LIBOBJS
HAVE_SECCOMP_H
EGREP
GREP
CPP
@ -641,7 +640,6 @@ HAVE_USERNS
HAVE_NETWORK
HAVE_GLOBALCFG
HAVE_CHROOT
HAVE_SECCOMP
HAVE_PRIVATE_HOME
HAVE_FIRETUNNEL
HAVE_OVERLAYFS
@ -710,7 +708,6 @@ enable_apparmor
enable_overlayfs
enable_firetunnel
enable_private_home
enable_seccomp
enable_chroot
enable_globalcfg
enable_network
@ -1363,7 +1360,6 @@ Optional Features:
--disable-overlayfs disable overlayfs
--disable-firetunnel disable firetunnel
--disable-private-home disable private home feature
--disable-seccomp disable seccomp
--disable-chroot disable chroot
--disable-globalcfg if the global config file firejail.cfg is not
present, continue the program using defaults
@ -3535,19 +3531,6 @@ if test "x$enable_private_home" != "xno"; then :
HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME"
fi
HAVE_SECCOMP=""
# Check whether --enable-seccomp was given.
if test "${enable_seccomp+set}" = set; then :
enableval=$enable_seccomp;
fi
if test "x$enable_seccomp" != "xno"; then :
HAVE_SECCOMP="-DHAVE_SECCOMP"
fi
HAVE_CHROOT=""
@ -4173,11 +4156,10 @@ fi
ac_fn_c_check_header_mongrel "$LINENO" "linux/seccomp.h" "ac_cv_header_linux_seccomp_h" "$ac_includes_default"
if test "x$ac_cv_header_linux_seccomp_h" = xyes; then :
HAVE_SECCOMP_H="-DHAVE_SECCOMP_H"
else
HAVE_SECCOMP_H=""
fi
else
as_fn_error $? "*** SECCOMP support is not installed (/usr/include/linux/seccomp.h missing) ***" "$LINENO" 5
fi
@ -4188,7 +4170,7 @@ fi
ac_config_files="$ac_config_files mkdeb.sh"
ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile"
ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile"
cat >confcache <<\_ACEOF
# This file is a shell script that caches the results of configure
@ -4918,6 +4900,7 @@ do
"src/libpostexecseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpostexecseccomp/Makefile" ;;
"src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;;
"src/profstats/Makefile") CONFIG_FILES="$CONFIG_FILES src/profstats/Makefile" ;;
"src/man/Makefile") CONFIG_FILES="$CONFIG_FILES src/man/Makefile" ;;
*) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
esac
@ -5382,8 +5365,6 @@ echo
echo "Configuration options:"
echo " prefix: $prefix"
echo " sysconfdir: $sysconfdir"
echo " seccomp: $HAVE_SECCOMP"
echo " <linux/seccomp.h>: $HAVE_SECCOMP_H"
echo " apparmor: $HAVE_APPARMOR"
echo " global config: $HAVE_GLOBALCFG"
echo " chroot: $HAVE_CHROOT"


@ -76,14 +76,6 @@ AS_IF([test "x$enable_private_home" != "xno"], [
AC_SUBST(HAVE_PRIVATE_HOME)
])
HAVE_SECCOMP=""
AC_ARG_ENABLE([seccomp],
AS_HELP_STRING([--disable-seccomp], [disable seccomp]))
AS_IF([test "x$enable_seccomp" != "xno"], [
HAVE_SECCOMP="-DHAVE_SECCOMP"
AC_SUBST(HAVE_SECCOMP)
])
HAVE_CHROOT=""
AC_ARG_ENABLE([chroot],
AS_HELP_STRING([--disable-chroot], [disable chroot]))
@ -196,8 +188,7 @@ AS_IF([test "x$enable_selinux" = "xyes"], [
# checking pthread library
AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***]))
AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([*** POSIX thread support not installed ***]))
AC_CHECK_HEADER([linux/seccomp.h], HAVE_SECCOMP_H="-DHAVE_SECCOMP_H", HAVE_SECCOMP_H="")
AC_SUBST(HAVE_SECCOMP_H)
AC_CHECK_HEADER([linux/seccomp.h],,AC_MSG_ERROR([*** SECCOMP support is not installed (/usr/include/linux/seccomp.h missing) ***]))
# set sysconfdir
if test "$prefix" = /usr; then
@ -208,14 +199,12 @@ AC_CONFIG_FILES([mkdeb.sh], [chmod +x mkdeb.sh])
AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \
src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \
src/profstats/Makefile)
src/profstats/Makefile src/man/Makefile)
echo
echo "Configuration options:"
echo " prefix: $prefix"
echo " sysconfdir: $sysconfdir"
echo " seccomp: $HAVE_SECCOMP"
echo " <linux/seccomp.h>: $HAVE_SECCOMP_H"
echo " apparmor: $HAVE_APPARMOR"
echo " global config: $HAVE_GLOBALCFG"
echo " chroot: $HAVE_CHROOT"
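Review bot: Removing `--disable-seccomp` and turning the `linux/seccomp.h` probe into a hard `AC_MSG_ERROR` is a packaging-visible change that nothing on this page documents; if the project keeps release notes or a list of configure switches, the removed option and the new hard requirement on kernel headers providing `linux/seccomp.h` should be recorded there. The configuration summary at the bottom no longer prints any seccomp line, so a fixed entry such as `echo "    seccomp: always enabled"` next to the remaining `echo` lines would keep the printed overview complete for anyone comparing build logs across versions.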


@ -33,7 +33,7 @@ Definition of groups
@clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
@cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
@debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
@default=@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,umount,userfaultfd,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup
@default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
@default-nodebuggers=@default,ptrace,personality,process_vm_readv
@default-keep=execve,prctl
@file-system=access,chdir,chmod,close,creat,faccessat,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
@ -62,15 +62,14 @@ Inheritance of groups
+---------------+
| @default-keep |
| @mount |
+---------------+
+----------------+ +---------+ +--------+ +--------------+
| @cpu-emulation | | @clock | | @chown | | @aio |
| @debug | | @module | +--------+ | @basic-io |
| @obsolete | | @raw-io | : : | @file-system |
+----------------+ | @reboot | : : | @io-event |
: | @swap | : : | @ipc |
| @mount | | @reboot | : : | @io-event |
+----------------+ | @swap | : : | @ipc |
: +---------+ : : | @keyring |
: : : : : | @memlock |
: ..............: : : : | @network-io |


@ -9,8 +9,6 @@ sysconfdir=@sysconfdir@
VERSION=@PACKAGE_VERSION@
NAME=@PACKAGE_NAME@
HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
HAVE_SECCOMP=@HAVE_SECCOMP@
HAVE_CHROOT=@HAVE_CHROOT@
HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
HAVE_NETWORK=@HAVE_NETWORK@
@ -34,7 +32,8 @@ BINOBJS = $(foreach file, $(OBJS), $file)
CFLAGS = @CFLAGS@
CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
CFLAGS += $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_FIRETUNNEL) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
CFLAGS += $(MANFLAGS)
CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
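Review bot: `MANFLAGS` is now consumed by two different tools — it is appended to `CFLAGS` here and passed verbatim to `./preproc $(MANFLAGS) $<` in src/man — but nothing records the constraint that makes this work: `preproc` accepts only `-D`-prefixed arguments and exits on any other option, so adding for example a `-I` or `-W` flag to `MANFLAGS` would compile fine and break the man-page build. A comment above the definition such as `# MANFLAGS: feature macros shared by the C build and src/man/preproc; -D flags only, preproc rejects anything else` would document that. Dropping `$(HAVE_SECCOMP)` and `$(HAVE_SECCOMP_H)` from the compile flags is consistent with the firejail.h and configure.ac changes in this commit.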


@ -226,7 +226,6 @@ int checkcfg(int val) {
// seccomp error action
else if (strncmp(ptr, "seccomp-error-action ", 21) == 0) {
#ifdef HAVE_SECCOMP
if (strcmp(ptr + 21, "kill") == 0)
cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_KILL;
else if (strcmp(ptr + 21, "log") == 0)
@ -239,9 +238,6 @@ int checkcfg(int val) {
config_seccomp_error_action_str = strdup(ptr + 21);
if (!config_seccomp_error_action_str)
errExit("strdup");
#else
warning_feature_disabled("seccomp");
#endif
}
else
@ -347,14 +343,6 @@ void print_compiletime_support(void) {
#endif
);
printf("\t- seccomp-bpf support is %s\n",
#ifdef HAVE_SECCOMP
"enabled"
#else
"disabled"
#endif
);
printf("\t- SELinux support is %s\n",
#ifdef HAVE_SELINUX
"enabled"
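Review bot: Dropping the `seccomp-bpf support is %s` line from `print_compiletime_support()` changes user-visible output rather than just removing a dead branch: the rest of the function keeps one line per feature, so anything that reads that list as a stable format will now see the seccomp entry vanish. Since the feature is unconditional now, keeping the line as `printf("\t- seccomp-bpf support is enabled\n");` preserves the output while still deleting the `#ifdef`. `print_compiletime_support` begins outside this hunk.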


@ -555,10 +555,8 @@ void dbus_apply_policy(void) {
return;
// --protocol=unix
#ifdef HAVE_SECCOMP
if (cfg.protocol && !strstr(cfg.protocol, "unix"))
return;
#endif
fwarning("An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.\n");
}


@ -465,10 +465,8 @@ void join(pid_t pid, int argc, char **argv, int index) {
EUID_ROOT();
if (apply_caps == 1) // not available for uid 0
caps_set(caps);
#ifdef HAVE_SECCOMP
if (getuid() != 0)
seccomp_load_file_list();
#endif
// mount user namespace or drop privileges
if (arg_noroot) { // not available for uid 0


@ -479,7 +479,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
//*************************************
// independent commands - the program will exit!
//*************************************
#ifdef HAVE_SECCOMP
else if (strcmp(argv[i], "--debug-syscalls") == 0) {
if (checkcfg(CFG_SECCOMP)) {
int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP_MAIN, "debug-syscalls");
@ -529,7 +528,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
exit_err_feature("seccomp");
exit(0);
}
#endif
else if (strncmp(argv[i], "--profile.print=", 16) == 0) {
pid_t pid = require_pid(argv[i] + 16);
@ -950,7 +948,6 @@ void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, b
(void) native;
}
#ifdef HAVE_SECCOMP
static int check_postexec(const char *list) {
char *prelist, *postlist;
@ -961,7 +958,6 @@ static int check_postexec(const char *list) {
}
return 0;
}
#endif
//*******************************************
// Main program
@ -1264,7 +1260,6 @@ int main(int argc, char **argv, char **envp) {
else if (strcmp(argv[i], "--apparmor") == 0)
arg_apparmor = 1;
#endif
#ifdef HAVE_SECCOMP
else if (strncmp(argv[i], "--protocol=", 11) == 0) {
if (checkcfg(CFG_SECCOMP)) {
if (cfg.protocol) {
@ -1402,7 +1397,6 @@ int main(int argc, char **argv, char **envp) {
} else
exit_err_feature("seccomp");
}
#endif
else if (strcmp(argv[i], "--caps") == 0) {
arg_caps_default_filter = 1;
arg_caps_cmdline = 1;
@ -2783,10 +2777,9 @@ int main(int argc, char **argv, char **envp) {
// check network configuration options - it will exit if anything went wrong
net_check_cfg();
#ifdef HAVE_SECCOMP
if (arg_seccomp)
arg_seccomp_postexec = check_postexec(cfg.seccomp_list) || check_postexec(cfg.seccomp_list_drop);
#endif
bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec;
if (need_preload && (cfg.seccomp_list32 || cfg.seccomp_list_drop32 || cfg.seccomp_list_keep32))
fwarning("preload libraries (trace, tracelog, postexecseccomp due to seccomp.drop=execve etc.) are incompatible with 32 bit filters\n");


@ -103,7 +103,6 @@ void preproc_mount_mnt_dir(void) {
if (arg_tracefile)
fs_tracefile();
#ifdef HAVE_SECCOMP
create_empty_dir_as_root(RUN_SECCOMP_DIR, 0755);
if (arg_seccomp_block_secondary)
@ -132,7 +131,6 @@ void preproc_mount_mnt_dir(void) {
create_empty_file_as_root(RUN_SECCOMP_POSTEXEC_32, 0644);
if (set_perms(RUN_SECCOMP_POSTEXEC_32, getuid(), getgid(), 0644))
errExit("set_perms");
#endif
}
}


@ -327,12 +327,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
return 0;
}
else if (strcmp(ptr, "seccomp") == 0) {
#ifdef HAVE_SECCOMP
if (checkcfg(CFG_SECCOMP))
arg_seccomp = 1;
else
warning_feature_disabled("seccomp");
#endif
return 0;
}
else if (strcmp(ptr, "caps") == 0) {
@ -861,7 +859,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
}
if (strncmp(ptr, "protocol ", 9) == 0) {
#ifdef HAVE_SECCOMP
if (checkcfg(CFG_SECCOMP)) {
if (cfg.protocol) {
fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol);
@ -875,7 +872,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
}
else
warning_feature_disabled("seccomp");
#endif
return 0;
}
@ -890,102 +886,85 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
// seccomp drop list on top of default list
if (strncmp(ptr, "seccomp ", 8) == 0) {
#ifdef HAVE_SECCOMP
if (checkcfg(CFG_SECCOMP)) {
arg_seccomp = 1;
cfg.seccomp_list = seccomp_check_list(ptr + 8);
}
else if (!arg_quiet)
warning_feature_disabled("seccomp");
#endif
return 0;
}
if (strncmp(ptr, "seccomp.32 ", 11) == 0) {
#ifdef HAVE_SECCOMP
if (checkcfg(CFG_SECCOMP)) {
arg_seccomp32 = 1;
cfg.seccomp_list32 = seccomp_check_list(ptr + 11);
}
else if (!arg_quiet)
warning_feature_disabled("seccomp");
#endif
return 0;
}
if (strcmp(ptr, "seccomp.block-secondary") == 0) {
#ifdef HAVE_SECCOMP
if (checkcfg(CFG_SECCOMP)) {
arg_seccomp_block_secondary = 1;
}
else
warning_feature_disabled("seccomp");
#endif
return 0;
}
// seccomp drop list without default list
if (strncmp(ptr, "seccomp.drop ", 13) == 0) {
#ifdef HAVE_SECCOMP
if (checkcfg(CFG_SECCOMP)) {
arg_seccomp = 1;
cfg.seccomp_list_drop = seccomp_check_list(ptr + 13);
}
else
warning_feature_disabled("seccomp");
#endif
return 0;
}
if (strncmp(ptr, "seccomp.32.drop ", 13) == 0) {
#ifdef HAVE_SECCOMP
if (checkcfg(CFG_SECCOMP)) {
arg_seccomp32 = 1;
cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 13);
}
else
warning_feature_disabled("seccomp");
#endif
return 0;
}
// seccomp keep list
if (strncmp(ptr, "seccomp.keep ", 13) == 0) {
#ifdef HAVE_SECCOMP
if (checkcfg(CFG_SECCOMP)) {
arg_seccomp = 1;
cfg.seccomp_list_keep= seccomp_check_list(ptr + 13);
}
else
warning_feature_disabled("seccomp");
#endif
return 0;
}
if (strncmp(ptr, "seccomp.32.keep ", 13) == 0) {
#ifdef HAVE_SECCOMP
if (checkcfg(CFG_SECCOMP)) {
arg_seccomp32 = 1;
cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 13);
}
else
warning_feature_disabled("seccomp");
#endif
return 0;
}
// memory deny write&execute
if (strcmp(ptr, "memory-deny-write-execute") == 0) {
#ifdef HAVE_SECCOMP
if (checkcfg(CFG_SECCOMP))
arg_memory_deny_write_execute = 1;
else
warning_feature_disabled("seccomp");
#endif
return 0;
}
// seccomp error action
if (strncmp(ptr, "seccomp-error-action ", 21) == 0) {
#ifdef HAVE_SECCOMP
if (checkcfg(CFG_SECCOMP)) {
int config_seccomp_error_action = checkcfg(CFG_SECCOMP_ERROR_ACTION);
if (config_seccomp_error_action == -1) {
@ -1008,7 +987,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
}
} else
warning_feature_disabled("seccomp");
#endif
return 0;
}
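Review bot: Two of the branches that lose their `#ifdef` here carry a length mismatch the commit leaves in place: `strncmp(ptr, "seccomp.32.drop ", 13)` compares only `seccomp.32.dr` and then hands `ptr + 13`, which still begins with `op `, to `seccomp_check_list`, and the `seccomp.32.keep ` branch has the same 13 where the keyword is 16 characters long. As written a profile's 32-bit drop or keep list is parsed with two leftover keyword characters in front of the first syscall name, so the filter the profile intends is not the one that gets installed; both branches need `16` in the `strncmp` and `ptr + 16` in the `seccomp_check_list` call, matching how `seccomp.drop ` and `seccomp.keep ` use 13 for their 13-character keywords. Separately, the `seccomp ` and `seccomp.32 ` branches only warn `if (!arg_quiet)` while the others always warn; now that all of these paths are compiled unconditionally, one convention should be picked. `profile_check_line` starts and ends outside this hunk.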


@ -18,7 +18,6 @@
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_SECCOMP
#include "firejail.h"
#include "../include/seccomp.h"
@ -93,6 +92,3 @@ void protocol_print_filter(pid_t pid) {
exit(1);
#endif
}
#endif // HAVE_SECCOMP


@ -141,7 +141,6 @@ void set_apparmor(void) {
}
#endif
#ifdef HAVE_SECCOMP
void seccomp_debug(void) {
if (arg_debug == 0)
return;
@ -158,7 +157,6 @@ void seccomp_debug(void) {
printf("No active seccomp files\n");
EUID_ROOT();
}
#endif
static void save_nogroups(void) {
if (arg_nogroups == 0)
@ -497,9 +495,7 @@ void start_application(int no_sandbox, char *set_sandbox_status) {
#ifdef HAVE_GCOV
__gcov_dump();
#endif
#ifdef HAVE_SECCOMP
seccomp_install_filters();
#endif
if (set_sandbox_status)
*set_sandbox_status = SANDBOX_DONE;
execl(arg_audit_prog, arg_audit_prog, NULL);
@ -536,9 +532,8 @@ void start_application(int no_sandbox, char *set_sandbox_status) {
#ifdef HAVE_GCOV
__gcov_dump();
#endif
#ifdef HAVE_SECCOMP
seccomp_install_filters();
#endif
if (set_sandbox_status)
*set_sandbox_status = SANDBOX_DONE;
execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]);
@ -591,9 +586,8 @@ void start_application(int no_sandbox, char *set_sandbox_status) {
#ifdef HAVE_GCOV
__gcov_dump();
#endif
#ifdef HAVE_SECCOMP
seccomp_install_filters();
#endif
if (set_sandbox_status)
*set_sandbox_status = SANDBOX_DONE;
execvp(arg[0], arg);
@ -797,7 +791,6 @@ int sandbox(void* sandbox_arg) {
// - build seccomp filters
// - create an empty /etc/ld.so.preload
//****************************
#ifdef HAVE_SECCOMP
if (cfg.protocol) {
if (arg_debug)
printf("Build protocol filter: %s\n", cfg.protocol);
@ -808,7 +801,6 @@ int sandbox(void* sandbox_arg) {
if (rv)
exit(rv);
}
#endif
// need ld.so.preload if tracing or seccomp with any non-default lists
bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec;
@ -1107,7 +1099,6 @@ int sandbox(void* sandbox_arg) {
save_cgroup();
// set seccomp
#ifdef HAVE_SECCOMP
// install protocol filter
#ifdef SYS_socket
if (cfg.protocol) {
@ -1151,7 +1142,6 @@ int sandbox(void* sandbox_arg) {
// make seccomp filters read-only
fs_remount(RUN_SECCOMP_DIR, MOUNT_READONLY, 0);
seccomp_debug();
#endif
// set capabilities
set_caps();


@ -18,7 +18,6 @@
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_SECCOMP
#include "firejail.h"
#include "../include/seccomp.h"
#include <sys/mman.h>
@ -445,5 +444,3 @@ errexit:
printf("Cannot access seccomp filter.\n");
exit(1);
}
#endif // HAVE_SECCOMP


@ -123,10 +123,8 @@ static char *usage_str =
" --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n"
#endif
" --machine-id - preserve /etc/machine-id\n"
#ifdef HAVE_SECCOMP
" --memory-deny-write-execute - seccomp filter to block attempts to create\n"
"\tmemory mappings that are both writable and executable.\n"
#endif
#ifdef HAVE_NETWORK
" --mtu=number - set interface MTU.\n"
#endif
@ -215,7 +213,6 @@ static char *usage_str =
#ifdef HAVE_NETWORK
" --scan - ARP-scan all the networks from inside a network namespace.\n"
#endif
#ifdef HAVE_SECCOMP
" --seccomp - enable seccomp filter and apply the default blacklist.\n"
" --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"
"\tdefault syscall list and the syscalls specified by the command.\n"
@ -229,7 +226,6 @@ static char *usage_str =
" --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n"
" --seccomp-error-action=errno|kill|log - change error code, kill process\n"
"\tor log the attempt.\n"
#endif
" --shell=none - run the program directly without a user shell.\n"
" --shell=program - set default user shell.\n"
" --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n"


@ -96,24 +96,7 @@
# define PR_SET_NO_NEW_PRIVS 38
#endif
#if HAVE_SECCOMP_H
#include <linux/seccomp.h>
#else
#define SECCOMP_MODE_FILTER 2
#define SECCOMP_RET_KILL 0x00000000U
#define SECCOMP_RET_TRAP 0x00030000U
#define SECCOMP_RET_ALLOW 0x7fff0000U
#define SECCOMP_RET_ERRNO 0x00050000U
#define SECCOMP_RET_DATA 0x0000ffffU
struct seccomp_data {
int nr;
__u32 arch;
__u64 instruction_pointer;
__u64 args[6];
};
#endif
#ifndef SECCOMP_RET_LOG
#define SECCOMP_RET_LOG 0x7ffc0000U
#endif


@ -230,6 +230,7 @@ static const SyscallGroupList sysgroups[] = {
"@cpu-emulation,"
"@debug,"
"@module,"
"@mount,"
"@obsolete,"
"@raw-io,"
"@reboot,"
@ -297,9 +298,6 @@ static const SyscallGroupList sysgroups[] = {
#ifdef SYS_vmsplice
"vmsplice,"
#endif
#ifdef SYS_umount
"umount,"
#endif
#ifdef SYS_userfaultfd
"userfaultfd,"
#endif
@ -309,27 +307,15 @@ static const SyscallGroupList sysgroups[] = {
#ifdef SYS_bpf
"bpf,"
#endif
#ifdef SYS_chroot
"chroot,"
#endif
#ifdef SYS_mount
"mount,"
#endif
#ifdef SYS_nfsservctl
"nfsservctl,"
#endif
#ifdef SYS_pivot_root
"pivot_root,"
#endif
#ifdef SYS_setdomainname
"setdomainname,"
#endif
#ifdef SYS_sethostname
"sethostname,"
#endif
#ifdef SYS_umount2
"umount2,"
#endif
#ifdef SYS_vhangup
"vhangup"
#endif
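Review bot: The explicit `chroot`, `mount`, `pivot_root`, `umount` and `umount2` entries are removed from the @default list and replaced by the single `"@mount,"` reference, so the default filter's coverage of these syscalls now rests entirely on the `@mount` group definition, which is outside this hunk; any syscall that was listed here but is missing from `@mount` would silently drop out of the default blacklist, so that group should be checked against the five removed names before merging (the `#ifdef SYS_…` guards that protected the explicit entries presumably live in the group definition as well). A comment above the `"@mount,"` line such as `// chroot/mount/pivot_root/umount/umount2 are covered by @mount` would make the coverage intent visible to the next reader. The man-page copy of this list in the same commit (its `@default=` line) still runs `set_mempolicy` and `vmsplice` together as `set_mempolicyvmsplice`, which looks like a missing comma carried over from the old text.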

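--- /dev/null
+++ b/src/man/Makefile.in
@@ -0,0 +1,17 @@
+all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man
+include ../common.mk
+%.o : %.c $(H_FILE_LIST)
+$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+preproc: $(OBJS)
+$(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+%.man: %.txt preproc
+./preproc $(MANFLAGS) $<
+clean:; rm -fr *.o preproc *.gcov *.gcda *.gcno *.plist *.man alldone
+distclean: clean
+rm -fr Makefile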
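Review bot: The `%.man: %.txt preproc` rule has no protection against a half-written target: `preproc` opens its output file before it finishes parsing and exits non-zero on a malformed `#ifdef`, so the partial `.man` is left newer than its `.txt` and the next `make` treats it as up to date. Add `.DELETE_ON_ERROR:` at the top of the file, and declare the command-style targets with `.PHONY: all clean distclean` so a stray file named `clean` cannot mask them. `clean` also removes `alldone`, which nothing in this file creates; if that is a leftover from a template the name should go, otherwise a comment saying what produces it would help. The recipe lines appear here without their leading tab, which I assume is the page rendering rather than the file.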

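--- /dev/null
+++ b/src/man/preproc.c
@@ -0,0 +1,146 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#define MAXBUF 4096
+#define MAXMACROS 64
+static char *macro[MAXMACROS] = {NULL};
+static void add_macro(char *m) {
+assert(m);
+int i;
+for (i = 0; i < MAXMACROS && macro[i]; i++);
+if (i == MAXMACROS) {
+fprintf(stderr, "Error: maximum number of marcros (%d) exceeded\n", MAXMACROS);
+exit(1);
+}
+macro[i] = m;
+}
+static char *find_macro(char *m) {
+assert(m);
+int i = 0;
+while (i < MAXMACROS && macro[i]) {
+if (strcmp(macro[i], m) == 0)
+return m;
+i++;
+}
+return NULL;
+}
+static void usage(void) {
+printf("Simple preprocessor for man pages. It supports:\n");
+printf("\t#if 0 ... #endif\n");
+printf("\t#ifdef macro ... #endif\n");
+printf("Usage: preproc [--help] [-Dmacro] manpage.txt\n");
+return;
+}
+int main(int argc, char **argv) {
+if (argc == 1) {
+fprintf(stderr, "Error: no files/arguments provided\n");
+usage();
+exit(1);
+}
+int i;
+for (i = 1; i < argc; i++) {
+if (strncmp(argv[i], "-D", 2) == 0)
+add_macro(argv[i] + 2);
+else if (strcmp(argv[i], "--help") == 0) {
+usage();
+return 0;
+}
+else if (*argv[i] == '-') {
+fprintf(stderr, "Error: invalid argument %s\n", argv[i]);
+exit(1);
+}
+else
+break;
+}
+char *ptr = strstr(argv[i], ".txt");
+if (!ptr || strlen(ptr) != 4) {
+fprintf(stderr, "Error: input file needs to have a .txt extension\n"),
+exit(1);
+}
+FILE *fp = fopen(argv[i], "r");
+if (!fp) {
+fprintf(stderr, "Error: cannot open %s\n", argv[i]);
+exit(1);
+}
+char *outfile = strdup(argv[i]);
+if (!outfile)
+goto errout;
+ptr = strstr(outfile, ".txt");
+assert(ptr);
+strcpy(ptr, ".man");
+FILE *fpout = fopen(outfile, "w");
+if (!fpout)
+goto errout;
+char buf[MAXBUF];
+int disabled = 0;
+int enabled = 0;
+int line = 0;;
+while (fgets(buf, MAXBUF, fp)) {
+line++;
+if (disabled && strncmp(buf, "#if", 3) == 0) {
+fprintf(stderr, "Error %d: already in a #if block on line %d\n", __LINE__, line);
+exit(1);
+}
+if ((!disabled && !enabled) && strncmp(buf, "#endif", 6) == 0) {
+fprintf(stderr, "Error %d: unmatched #endif on line %d\n", __LINE__, line);
+exit(1);
+}
+char *ptr = strchr(buf, '\n');
+if (ptr)
+*ptr = '\0';
+if (strncmp(buf, "#if 0", 5) == 0) {
+disabled = 1;
+continue;
+}
+if (strncmp(buf, "#ifdef", 6) == 0) {
+char *ptr = buf + 6;
+if (*ptr != ' ' && *ptr != '\t') {
+fprintf(stderr, "Error %d: invalid macro on line %d\n", __LINE__, line);
+exit(1);
+}
+while (*ptr == ' ' || *ptr == '\t')
+ptr++;
+if (!find_macro(ptr))
+disabled = 1;
+else
+enabled = 1;
+continue;
+}
+if (strncmp(buf, "#endif", 6) == 0) {
+disabled = 0;
+enabled = 1;
+continue;
+}
+if (!disabled) {
+// printf("%s\n", buf);
+fprintf(fpout, "%s\n", buf);
+}
+}
+fclose(fp);
+return 0;
+errout:
+fclose(fp);
+fprintf(stderr, "Error: cannot open output file\n");
+exit(1);
+}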
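Review bot: The `#endif` handler near the end of the loop sets `enabled = 1` instead of clearing it, so once the first block closes the `(!disabled && !enabled)` test never fires again and any stray `#endif` later in the file is accepted silently; it should read `enabled = 0;`. Two further gaps in main(): `argv[i]` is dereferenced at the `strstr(argv[i], ".txt")` line without checking `i < argc`, so `preproc -DFOO` with no file name dereferences the terminating NULL instead of reporting an error, and `fpout` is never closed or checked, so a write error yields a truncated .man that the Makefile then considers up to date. Smaller items: `find_macro` returns its argument `m` rather than `macro[i]` (works, but reads as if the stored entry came back), the `.txt` extension check ends `fprintf(...)` with a comma where a semicolon was meant, and `int line = 0;;` has a doubled semicolon. The rewritten spots follow.
```c
	/* … unchanged: option parsing loop … */
	if (i >= argc) {
		fprintf(stderr, "Error: no input file provided\n");
		usage();
		exit(1);
	}
	char *ptr = strstr(argv[i], ".txt");
	/* … unchanged: extension check, opening input/output, loop up to the #ifdef handler … */
		if (strncmp(buf, "#endif", 6) == 0) {
			disabled = 0;
			enabled = 0;
			continue;
		}
	/* … unchanged: copying enabled lines … */
	fclose(fp);
	if (fclose(fpout) != 0) {
		fprintf(stderr, "Error: cannot write %s\n", outfile);
		exit(1);
	}
	return 0;
```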


@ -4,7 +4,7 @@
# License GPL v2
arr[1]="TEST 1: standard compilation"
arr[2]="TEST 2: compile seccomp disabled"
arr[2]="deprecated"
arr[3]="TEST 3: compile chroot disabled"
arr[4]="TEST 4: compile firetunnel disabled"
arr[5]="TEST 5: compile user namespace disabled"
@ -24,6 +24,8 @@ cleanup() {
rm -f report*
rm -fr firejail
rm -f oc* om*
rm -f output-configure
rm -f output-make
}
print_title() {
@ -74,23 +76,23 @@ cp output-make om1
rm output-configure output-make
#*****************************************************************
# TEST 2
#*****************************************************************
# - disable seccomp configuration
#*****************************************************************
print_title "${arr[2]}"
# seccomp
cd firejail
make distclean
./configure --prefix=/usr --disable-seccomp --enable-fatal-warnings 2>&1 | tee ../output-configure
make -j4 2>&1 | tee ../output-make
cd ..
grep Warning output-configure output-make > ./report-test2
grep Error output-configure output-make >> ./report-test2
cp output-configure oc2
cp output-make om2
rm output-configure output-make
##*****************************************************************
## TEST 2
##*****************************************************************
## - disable seccomp configuration
##*****************************************************************
#print_title "${arr[2]}"
## seccomp
#cd firejail
#make distclean
#./configure --prefix=/usr --disable-seccomp --enable-fatal-warnings 2>&1 | tee ../output-configure
#make -j4 2>&1 | tee ../output-make
#cd ..
#grep Warning output-configure output-make > ./report-test2
#grep Error output-configure output-make >> ./report-test2
#cp output-configure oc2
#cp output-make om2
#rm output-configure output-make
#*****************************************************************
# TEST 3
@ -342,7 +344,7 @@ wc -l report-test*
echo
echo "Legend:"
echo ${arr[1]}
echo ${arr[2]}
#echo ${arr[2]}
echo ${arr[3]}
echo ${arr[4]}
echo ${arr[5]}
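Review bot: TEST 2 is kept as a 17-line commented-out copy (from `##*** TEST 2` through `#rm output-configure output-make`) rather than removed, and `arr[2]="deprecated"` together with the commented `#echo ${arr[2]}` in the legend keeps a dead slot alive; commented-out shell like this tends to be resurrected verbatim later, after the option it exercised (`--disable-seccomp`) no longer exists in configure. Delete the block and either renumber the remaining tests or leave a single `# TEST 2 removed: seccomp can no longer be disabled` line where it stood. The `cleanup()` additions removing `output-configure` and `output-make` look correct.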