netfilter split

This commit is contained in:
netblue30 2017-11-13 10:53:04 -05:00
parent 39a175d692
commit b24e0e4049
6 changed files with 28 additions and 48 deletions


@ -1,6 +1,6 @@
all: apps man filters
MYLIBS = src/lib
APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp
APPS = src/firejail src/firemon src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp
MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.64 seccomp.block_secondary seccomp.mdwx
@ -97,6 +97,7 @@ endif
install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fnetfilter/fnetfilter $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fcopy/fcopy $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fldd/fldd $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fbuilder/fbuilder $(DESTDIR)/$(libdir)/firejail/.
@ -167,6 +168,7 @@ install-strip: all
strip src/ftee/ftee
strip src/faudit/faudit
strip src/fnet/fnet
strip src/fnet/fnetfilter
strip src/fseccomp/fseccomp
strip src/fcopy/fcopy
strip src/fldd/fldd
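Review bot: The new strip line in the install-strip hunk points at `src/fnet/fnetfilter`, but the binary is built and installed from `src/fnetfilter/fnetfilter` (the APPS entry in the first hunk and the install line in the second), so `make install-strip` will fail on a path that does not exist. The line should read `strip src/fnetfilter/fnetfilter`. The install-strip target continues outside the hunk, so any later reference to the old path would need the same fix.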

configure vendored

@ -3823,7 +3823,7 @@ if test "$prefix" = /usr; then
sysconfdir="/etc"
fi
ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile"
ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile"
cat >confcache <<\_ACEOF
# This file is a shell script that caches the results of configure
@ -4537,6 +4537,7 @@ do
"src/fcopy/Makefile") CONFIG_FILES="$CONFIG_FILES src/fcopy/Makefile" ;;
"src/fnet/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnet/Makefile" ;;
"src/firejail/Makefile") CONFIG_FILES="$CONFIG_FILES src/firejail/Makefile" ;;
"src/fnetfilter/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnetfilter/Makefile" ;;
"src/firemon/Makefile") CONFIG_FILES="$CONFIG_FILES src/firemon/Makefile" ;;
"src/libtrace/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtrace/Makefile" ;;
"src/libtracelog/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtracelog/Makefile" ;;


@ -175,7 +175,7 @@ if test "$prefix" = /usr; then
sysconfdir="/etc"
fi
AC_OUTPUT(Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile \
AC_OUTPUT(Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile \
src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile)


@ -766,6 +766,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
// sbox.c
// programs
#define PATH_FNET (LIBDIR "/firejail/fnet")
#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter")
#define PATH_FIREMON (PREFIX "/bin/firemon")
#define PATH_FIREJAIL (PREFIX "/bin/firejail")
#define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")


@ -387,6 +387,7 @@ void fs_private_lib(void) {
fslib_copy_libs(LIBDIR "/firejail/fcopy");
fslib_copy_libs(LIBDIR "/firejail/fldd");
fslib_copy_libs(LIBDIR "/firejail/fnet");
fslib_copy_libs(LIBDIR "/firejail/fnetfilter");
fslib_copy_libs(LIBDIR "/firejail/fseccomp");
fslib_copy_libs(LIBDIR "/firejail/ftee");
// mount lib filesystem


@ -24,33 +24,24 @@
#include <sys/wait.h>
#include <fcntl.h>
static char *client_filter =
"*filter\n"
":INPUT DROP [0:0]\n"
":FORWARD DROP [0:0]\n"
":OUTPUT ACCEPT [0:0]\n"
"-A INPUT -i lo -j ACCEPT\n"
"-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
"# echo replay is handled by -m state RELATED/ESTABLISHED below\n"
"#-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT\n"
"-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT\n"
"-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT\n"
"-A INPUT -p icmp --icmp-type echo-request -j ACCEPT \n"
"# disable STUN\n"
"-A OUTPUT -p udp --dport 3478 -j DROP\n"
"-A OUTPUT -p udp --dport 3479 -j DROP\n"
"-A OUTPUT -p tcp --dport 3478 -j DROP\n"
"-A OUTPUT -p tcp --dport 3479 -j DROP\n"
"COMMIT\n";
void check_netfilter_file(const char *fname) {
EUID_ASSERT();
invalid_filename(fname, 0); // no globbing
if (is_dir(fname) || is_link(fname) || strstr(fname, "..") || access(fname, R_OK )) {
fprintf(stderr, "Error: invalid network filter file %s\n", fname);
char *tmp = strdup(fname);
if (!tmp)
errExit("strdup");
char *ptr = strchr(tmp, ',');
if (ptr)
*ptr = '\0';
invalid_filename(tmp, 0); // no globbing
if (is_dir(tmp) || is_link(tmp) || strstr(tmp, "..") || access(tmp, R_OK )) {
fprintf(stderr, "Error: invalid network filter file %s\n", tmp);
exit(1);
}
free(tmp);
}
@ -72,29 +63,15 @@ void netfilter(const char *fname) {
return;
}
// read filter
char *filter = client_filter;
int allocated = 0;
if (netfilter_default)
fname = netfilter_default;
if (fname) {
filter = read_text_file_or_exit(fname);
allocated = 1;
}
// create an empty user-owned SBOX_STDIN_FILE
create_empty_file_as_root(SBOX_STDIN_FILE, 0644);
if (set_perms(SBOX_STDIN_FILE, getuid(), getgid(), 0644))
errExit("set_perms");
// create the filter file
FILE *fp = fopen(SBOX_STDIN_FILE, "w");
if (!fp) {
fprintf(stderr, "Error: cannot open %s\n", SBOX_STDIN_FILE);
exit(1);
}
fprintf(fp, "%s\n", filter);
fclose(fp);
// push filter
if (arg_debug)
printf("Installing network filter:\n%s\n", filter);
if (fname == NULL)
sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FNETFILTER, SBOX_STDIN_FILE);
else
sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FNETFILTER, fname, SBOX_STDIN_FILE);
// first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter
// we run this command with caps and seccomp disabled in order to allow the loading of these modules
@ -105,8 +82,6 @@ void netfilter(const char *fname) {
if (arg_debug)
sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-vL");
if (allocated)
free(filter);
return;
}
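Review bot: In the netfilter() hunk, SBOX_STDIN_FILE is created user-owned with mode 0644 and then consumed by the privileged iptables step in the trailing context, so between the unprivileged fnetfilter run and that step the file is writable by the sandbox user; when `netfilter_default` overrides `fname` at the top of the hunk, that intermediate file is the only thing between the configured default and what actually gets installed, and the hunk does not show where the path lives or whether the contents are re-validated afterwards — worth confirming, or at least recording with `// SBOX_STDIN_FILE stays user-writable until the privileged iptables step below reads it`. The debug print of the generated filter (the removed `printf("Installing network filter:\n%s\n", filter)`) has no replacement, so with debugging enabled the rules about to be installed are no longer visible from this function unless fnetfilter prints them itself. Relatedly, in the check_netfilter_file hunk only the part of `fname` before the first ',' is validated while netfilter() passes the whole string to fnetfilter; a comment such as `// fname may be "file,arg,..."; only the file part is checked here, the arguments go to fnetfilter unchanged` would make that contract explicit. The netfilter function starts and ends outside this hunk.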