From bb6c744fd4f59d0f407c37955ba36f8d40cc60cf Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 17 Oct 2016 08:41:39 -0400 Subject: [PATCH] allow user access to /sys/fs (--noblacklist=/sys/fs) --- RELNOTES | 1 + configure | 18 +++++++++--------- configure.ac | 2 +- src/firejail/fs.c | 6 +++++- test/fs/fs.sh | 3 +++ test/fs/sys_fs.exp | 44 ++++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 63 insertions(+), 11 deletions(-) create mode 100755 test/fs/sys_fs.exp diff --git a/RELNOTES b/RELNOTES index 0206e5433..23e44a14f 100644 --- a/RELNOTES +++ b/RELNOTES @@ -5,6 +5,7 @@ firejail (0.9.44~rc1) baseline; urgency=low * modifs: --private-tmp whitelists /tmp/.X11-unix directory * modifs: Nvidia drivers added to --private-dev * modifs: /srv supported by --whitelist + * feature: allow user access to /sys/fs (--noblacklist=/sys/fs) * feature: support starting/joining sandbox is a single command (--join-or-start) * feature: X11 detection support for --audit diff --git a/configure b/configure index 48b891c40..9a33f0401 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for firejail 0.9.44~rc1. +# Generated by GNU Autoconf 2.69 for firejail 0.9.44~rc2. # # Report bugs to . # @@ -580,8 +580,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='firejail' PACKAGE_TARNAME='firejail' -PACKAGE_VERSION='0.9.44~rc1' -PACKAGE_STRING='firejail 0.9.44~rc1' +PACKAGE_VERSION='0.9.44~rc2' +PACKAGE_STRING='firejail 0.9.44~rc2' PACKAGE_BUGREPORT='netblue30@yahoo.com' PACKAGE_URL='http://firejail.wordpress.com' 
@@ -1259,7 +1259,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures firejail 0.9.44~rc1 to adapt to many kinds of systems. +\`configure' configures firejail 0.9.44~rc2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1320,7 +1320,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of firejail 0.9.44~rc1:";; + short | recursive ) echo "Configuration of firejail 0.9.44~rc2:";; esac cat <<\_ACEOF @@ -1424,7 +1424,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -firejail configure 0.9.44~rc1 +firejail configure 0.9.44~rc2 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1726,7 +1726,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by firejail $as_me 0.9.44~rc1, which was +It was created by firejail $as_me 0.9.44~rc2, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4303,7 +4303,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by firejail $as_me 0.9.44~rc1, which was +This file was extended by firejail $as_me 0.9.44~rc2, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -4357,7 +4357,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -firejail config.status 0.9.44~rc1 +firejail config.status 0.9.44~rc2 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" 
diff --git a/configure.ac b/configure.ac index 108b558d4..4496550fd 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.68]) -AC_INIT(firejail, 0.9.44~rc1, netblue30@yahoo.com, , http://firejail.wordpress.com) +AC_INIT(firejail, 0.9.44~rc2, netblue30@yahoo.com, , http://firejail.wordpress.com) AC_CONFIG_SRCDIR([src/firejail/main.c]) #AC_CONFIG_HEADERS([config.h]) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index a5f12c7df..6c566bd90 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -649,7 +649,11 @@ void fs_proc_sys_dev_boot(void) { disable_file(BLACKLIST_FILE, "/sys/firmware"); disable_file(BLACKLIST_FILE, "/sys/hypervisor"); - disable_file(BLACKLIST_FILE, "/sys/fs"); + { // allow user access to /sys/fs if "--noblacklist=/sys/fs" is present on the command line + EUID_USER(); + profile_add("blacklist /sys/fs"); + EUID_ROOT(); + } disable_file(BLACKLIST_FILE, "/sys/module"); disable_file(BLACKLIST_FILE, "/sys/power"); disable_file(BLACKLIST_FILE, "/sys/kernel/debug"); diff --git a/test/fs/fs.sh b/test/fs/fs.sh index d45ef48bd..3139b8eae 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh @@ -6,6 +6,9 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) +echo "TESTING: /sys/fs access (test/fs/sys_fs.exp)" +./sys_fs.exp + echo "TESTING: kmsg access (test/fs/kmsg.exp)" ./kmsg.exp diff --git a/test/fs/sys_fs.exp b/test/fs/sys_fs.exp new file mode 100755 index 000000000..f512776d9 --- /dev/null +++ b/test/fs/sys_fs.exp 
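Review bot: In the src/firejail/fs.c hunk, the default protection of /sys/fs is no longer applied inside fs_proc_sys_dev_boot(): `profile_add("blacklist /sys/fs")` only queues an entry, so the directory stays hidden only if the profile list is processed after this call on every sandbox setup path, which the hunk does not show. The neighbouring `disable_file(BLACKLIST_FILE, ...)` calls still act immediately, so this one entry now has a different failure mode: a path that skips profile processing would leave /sys/fs (cgroup among its contents, per the new test) visible without `--noblacklist=/sys/fs` being given. I would extend the comment to record that, e.g. `// queued, not applied here: /sys/fs is blacklisted when the profile list is processed, so --noblacklist=/sys/fs can override it`, and add a line saying why the call sits between `EUID_USER()` and `EUID_ROOT()`. The function body starts and ends outside the hunk.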
@@ -0,0 +1,44 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "ls /sys/fs\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "Permission denied"
+}
+after 100
+
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --noblacklist=/sys/fs\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "ls /sys/fs\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "cgroup"
+}
+after 100
+send -- "exit\r"
+after 100
+
+puts "\nall done\n"
+
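Review bot: The second half of test/fs/sys_fs.exp (the `--noblacklist=/sys/fs` run) reuses the labels `TESTING ERROR 1` and `TESTING ERROR 2` from the default run, so a log line cannot tell whether the blacklist failed to apply or the override failed to lift it. I would renumber them to `timeout {puts "TESTING ERROR 3\n";exit}` and `timeout {puts "TESTING ERROR 4\n";exit}`. The positive check matches `"cgroup"` in the `ls /sys/fs` output, which presumably depends on the host having a cgroup filesystem mounted; a short comment stating that assumption would save someone chasing a false failure.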