non-dumpable plugins

(hopefully) fixes the issues that led to reverting
commits 6abb65d328 and 98e42dc6da

Makefile.in

@@ -110,9 +110,9 @@ endif
 	install -m 0755 -d $(DESTDIR)$(libdir)/firejail
 	install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config
 	install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)
-	# non-dumpable plugins
-	install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE)
-	install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh
+	# plugins w/o read permission (non-dumpable)
+	install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE)
+	install -m 0711 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh
 ifeq ($(HAVE_CONTRIB_INSTALL),yes)
 	# contrib scripts
 	install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh

src/fcopy/Makefile.in

@@ -5,8 +5,8 @@ include ../common.mk
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
 	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
-fcopy: $(OBJS)
-	$(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+fcopy: $(OBJS) ../lib/common.o
+	$(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
 
 clean:; rm -fr *.o fcopy *.gcov *.gcda *.gcno *.plist
 

src/fcopy/main.c

@@ -23,7 +23,6 @@
 #include <ftw.h>
 #include <errno.h>
 #include <pwd.h>
-#include <sys/prctl.h>
 
 #if HAVE_SELINUX
 #include <sys/stat.h>
@@ -412,10 +411,7 @@ int main(int argc, char **argv) {
 		exit(1);
 	}
 
-#ifdef WARN_DUMPABLE
-	if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
-		fprintf(stderr, "Error fcopy: I am dumpable\n");
-#endif
+	warn_dumpable();
 
 	// trim trailing chars
 	if (src[strlen(src) - 1] == '/')

src/firejail/firejail.h

@@ -513,7 +513,6 @@ void check_private_dir(void);
 void update_map(char *mapping, char *map_file);
 void wait_for_other(int fd);
 void notify_other(int fd);
-const char *gnu_basename(const char *path);
 uid_t pid_get_uid(pid_t pid);
 uid_t get_group_id(const char *group);
 int remove_overlay_directory(void);

src/firejail/main.c

@@ -1231,11 +1231,6 @@ int main(int argc, char **argv, char **envp) {
 	}
 	EUID_ASSERT();
 
-#ifdef WARN_DUMPABLE
-	if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
-		fprintf(stderr, "Error: Firejail is dumpable\n");
-#endif
-
 	// check for force-nonewprivs in /etc/firejail/firejail.config file
 	if (checkcfg(CFG_FORCE_NONEWPRIVS))
 		arg_nonewprivs = 1;

src/firejail/util.c

@@ -820,20 +820,6 @@ void notify_other(int fd) {
 	fclose(stream);
 }
 
-
-
-
-// Equivalent to the GNU version of basename, which is incompatible with
-// the POSIX basename. A few lines of code saves any portability pain.
-// https://www.gnu.org/software/libc/manual/html_node/Finding-Tokens-in-a-String.html#index-basename
-const char *gnu_basename(const char *path) {
-	const char *last_slash = strrchr(path, '/');
-	if (!last_slash)
-		return path;
-	return last_slash+1;
-}
-
-
 uid_t pid_get_uid(pid_t pid) {
 	EUID_ASSERT();
 	uid_t rv = 0;

src/fldd/Makefile.in

@@ -5,8 +5,8 @@ include ../common.mk
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h ../include/ldd_utils.h
 	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
-fldd: $(OBJS) ../lib/ldd_utils.o
-	$(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS)
+fldd: $(OBJS) ../lib/common.o ../lib/ldd_utils.o
+	$(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS)
 
 clean:; rm -fr *.o fldd *.gcov *.gcda *.gcno *.plist
 

src/fldd/main.c

@@ -24,7 +24,6 @@
 #include <fcntl.h>
 #include <sys/mman.h>
 #include <sys/mount.h>
-#include <sys/prctl.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <unistd.h>
@@ -303,10 +302,7 @@ printf("\n");
 		return 0;
 	}
 
-#ifdef WARN_DUMPABLE
-	if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
-		fprintf(stderr, "Error fldd: I am dumpable\n");
-#endif
+	warn_dumpable();
 
 	// check program access
 	if (access(argv[1], R_OK)) {

src/fnet/Makefile.in

@@ -5,8 +5,8 @@ include ../common.mk
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h
 	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
-fnet: $(OBJS) ../lib/libnetlink.o
-	$(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS)
+fnet: $(OBJS) ../lib/common.o ../lib/libnetlink.o
+	$(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS)
 
 clean:; rm -fr *.o fnet *.gcov *.gcda *.gcno *.plist
 

src/fnet/main.c

@@ -21,7 +21,6 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/utsname.h>
-#include <sys/prctl.h>
 
 int arg_quiet = 0;
 
@@ -69,10 +68,9 @@ printf("\n");
 		usage();
 		return 0;
 	}
-#ifdef WARN_DUMPABLE
-	if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
-		fprintf(stderr, "Error fnet: I am dumpable\n");
-#endif
+
+	warn_dumpable();
+
 	char *quiet = getenv("FIREJAIL_QUIET");
 	if (quiet && strcmp(quiet, "yes") == 0)
 		arg_quiet = 1;

src/fnetfilter/Makefile.in

@@ -5,8 +5,8 @@ include ../common.mk
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
 	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
-fnetfilter: $(OBJS)
-	$(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+fnetfilter: $(OBJS) ../lib/common.o
+	$(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
 
 clean:; rm -fr *.o fnetfilter *.gcov *.gcda *.gcno *.plist
 

src/fnetfilter/main.c

@@ -18,7 +18,6 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "../include/common.h"
-#include <sys/prctl.h>
 
 #define MAXBUF 4098
 #define MAXARGS 16
@@ -181,10 +180,9 @@ printf("\n");
 		usage();
 		return 1;
 	}
-#ifdef WARN_DUMPABLE
-	if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
-		fprintf(stderr, "Error fnetfilter: I am dumpable\n");
-#endif
+
+	warn_dumpable();
+
 	char *destfile = (argc == 3)? argv[2]: argv[1];
 	char *command = (argc == 3)? argv[1]: NULL;
 //printf("command %s\n", command);

src/fsec-optimize/Makefile.in

@@ -5,8 +5,8 @@ include ../common.mk
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h
 	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
-fsec-optimize: $(OBJS) ../lib/libnetlink.o
-	$(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+fsec-optimize: $(OBJS) ../lib/common.o ../lib/libnetlink.o
+	$(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
 
 clean:; rm -fr *.o fsec-optimize *.gcov *.gcda *.gcno *.plist
 

src/fsec-optimize/fsec_optimize.h

@@ -22,7 +22,6 @@
 #include "../include/common.h"
 #include "../include/seccomp.h"
 #include <sys/mman.h>
-#include <sys/prctl.h>
 
 // optimize.c
 struct sock_filter *duplicate(struct sock_filter *filter, int entries);

src/fsec-optimize/main.c

@@ -44,11 +44,7 @@ printf("\n");
 		return 0;
 	}
 
-#ifdef WARN_DUMPABLE
-	// check FIREJAIL_PLUGIN in order to not print a warning during make
-	if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN"))
-		fprintf(stderr, "Error fsec-optimize: I am dumpable\n");
-#endif
+	warn_dumpable();
 
 	char *fname = argv[1];
 

src/fsec-print/Makefile.in

@@ -5,8 +5,8 @@ include ../common.mk
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h
 	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
-fsec-print: $(OBJS) ../lib/libnetlink.o ../lib/errno.o ../lib/syscall.o
-	$(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
+fsec-print: $(OBJS) ../lib/common.o ../lib/libnetlink.o ../lib/errno.o ../lib/syscall.o
+	$(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
 
 clean:; rm -fr *.o fsec-print *.gcov *.gcda *.gcno *.plist
 

src/fsec-print/fsec_print.h

@@ -23,7 +23,6 @@
 #include "../include/seccomp.h"
 #include "../include/syscall.h"
 #include <sys/mman.h>
-#include <sys/prctl.h>
 
 // print.c
 void print(struct sock_filter *filter, int entries);

src/fsec-print/main.c

@@ -61,10 +61,7 @@ printf("\n");
 		return 0;
 	}
 
-#ifdef WARN_DUMPABLE
-	if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
-		fprintf(stderr, "Error fsec-print: I am dumpable\n");
-#endif
+	warn_dumpable();
 
 	char *fname = argv[1];
 

src/fseccomp/Makefile.in

@@ -5,8 +5,8 @@ include ../common.mk
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
 	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
-fseccomp: $(OBJS) ../lib/errno.o ../lib/syscall.o
-	$(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
+fseccomp: $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o
+	$(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
 
 clean:; rm -fr *.o fseccomp *.gcov *.gcda *.gcno *.plist
 

src/fseccomp/fseccomp.h

@@ -23,7 +23,6 @@
 #include <stdlib.h>
 #include <string.h>
 #include <assert.h>
-#include <sys/prctl.h>
 #include "../include/common.h"
 #include "../include/syscall.h"
 

src/fseccomp/main.c

@@ -69,11 +69,7 @@ printf("\n");
 		return 0;
 	}
 
-#ifdef WARN_DUMPABLE
-	// check FIREJAIL_PLUGIN in order to not print a warning during make
-	if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN"))
-		fprintf(stderr, "Error fseccomp: I am dumpable\n");
-#endif
+	warn_dumpable();
 
 	char *quiet = getenv("FIREJAIL_QUIET");
 	if (quiet && strcmp(quiet, "yes") == 0)

src/include/common.h

@@ -38,11 +38,6 @@
 
 #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
 
-// check if processes run with dumpable flag set
-// currently we get "Error fseccomp: I am dumpable" every time we run a firejail build on Debian 8,
-// regardless what Debian version we run the build on
-//#define WARN_DUMPABLE
-
 // macro to print ip addresses in a printf statement
 #define PRINT_IP(A) \
 ((int) (((A) >> 24) & 0xFF)),  ((int) (((A) >> 16) & 0xFF)), ((int) (((A) >> 8) & 0xFF)), ((int) ( (A) & 0xFF))
@@ -126,4 +121,6 @@ char *pid_proc_comm(const pid_t pid);
 char *pid_proc_cmdline(const pid_t pid);
 int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid);
 int pid_hidepid(void);
+void warn_dumpable(void);
+const char *gnu_basename(const char *path);
 #endif

src/lib/common.c

@@ -267,7 +267,6 @@ int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid) {
 }
 
 // return 1 if /proc is mounted hidepid, or if /proc/mouns access is denied
-#define BUFLEN 4096
 int pid_hidepid(void) {
 	FILE *fp = fopen("/proc/mounts", "r");
 	if (!fp)
@@ -288,6 +287,39 @@ int pid_hidepid(void) {
 	return 0;
 }
 
+// print error if unprivileged users can trace the process
+void warn_dumpable(void) {
+	if (getuid() != 0 && prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getenv("FIREJAIL_PLUGIN")) {
+		fprintf(stderr, "Error: dumpable process\n");
+
+		// best effort to provide detailed debug information
+		// cannot use process name, it is just a file descriptor number
+		char path[BUFLEN];
+		ssize_t len = readlink("/proc/self/exe", path, BUFLEN - 1);
+		if (len < 0)
+			return;
+		path[len] = '\0';
+		// path can refer to a sandbox mount namespace, use basename only
+		const char *base = gnu_basename(path);
+
+		struct stat s;
+		if (stat("/proc/self/exe", &s) == 0 && s.st_uid != 0)
+			fprintf(stderr, "Change owner of %s executable to root\n", base);
+		else if (access("/proc/self/exe", R_OK) == 0)
+			fprintf(stderr, "Remove read permission on %s executable\n", base);
+	}
+}
+
+// Equivalent to the GNU version of basename, which is incompatible with
+// the POSIX basename. A few lines of code saves any portability pain.
+// https://www.gnu.org/software/libc/manual/html_node/Finding-Tokens-in-a-String.html#index-basename
+const char *gnu_basename(const char *path) {
+	const char *last_slash = strrchr(path, '/');
+	if (!last_slash)
+		return path;
+	return last_slash+1;
+}
+
 //**************************
 // time trace based on getticks function
 //**************************