adding apparmor profiles for --nettrace option

netblue30 2026-02-11 09:17:22 -05:00
parent 8248f1eb5d
commit c13331305c
9 changed files with 163 additions and 14 deletions


@ -260,9 +260,13 @@ ifeq ($(BUSYBOX_WORKAROUND),yes)
./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc
endif
ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR)
# install apparmor profile
# install apparmor profiles
$(INSTALL) -m 0755 -d $(DESTDIR)$(sysconfdir)/apparmor.d
$(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/apparmor.d etc/apparmor/firejail-default
$(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/apparmor.d etc/apparmor/usr.lib.firejail.fnettrace
$(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/apparmor.d etc/apparmor/usr.lib.firejail.fnettrace-dns
$(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/apparmor.d etc/apparmor/usr.lib.firejail.fnettrace-icmp
$(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/apparmor.d etc/apparmor/usr.lib.firejail.fnettrace-sni
# install apparmor profile customization file
$(INSTALL) -m 0755 -d $(DESTDIR)$(sysconfdir)/apparmor.d/local
sh -c "if [ ! -f $(DESTDIR)$(sysconfdir)/apparmor.d/local/firejail-default ]; then \
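Review bot: The four new profile lines repeat the same `$(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/apparmor.d` invocation once per file, although `install -t` takes any number of source files; listing `etc/apparmor/firejail-default` and the four `etc/apparmor/usr.lib.firejail.fnettrace*` files after a single `-t` target would make the rule one line and keep future profiles from multiplying it again. The comment change from "profile" to "profiles" is right; a `# profiles for the fnettrace helpers, attached by executable path` line above the new entries would also tell a packager why four files appear for one option. The `ifeq ($(HAVE_APPARMOR),...)` block continues past the hunk.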


@ -0,0 +1,37 @@
#include <tunables/global>
/usr/lib/firejail/fnettrace {
signal (send) peer=@{profile_name}//&unconfined,
signal (send) peer=@{profile_name},
signal (receive),
/{dev,etc,tmp,proc,sys,usr}/{,**} rklm,
/tmp/** rwl,
/usr/bin/** ix,
/usr/lib/firejail/** ix,
deny /tmp/.X11-unix/* mrwkl,
deny /tmp/.XIM-unix/* mrwkl,
deny /tmp/.ICE-unix/* mrwkl,
deny /tmp/.font-unix/* mrwkl,
deny /tmp/.tX[0-9]*-lock mrwkl,
deny /tmp/.X[0-9]*-lock mrwkl,
deny /tmp/systemd* mrwkl,
deny /tmp/ssh* mrwkl,
deny /etc/ssh/{,**} mrwkl,
deny /etc/ssl/{,**} mrwkl,
deny /etc/ca-certificates/{,**} mrwkl,
deny /{etc,usr/share}/pki/{,**} mrwkl,
deny /etc/certbot/{,**} mrwkl,
deny /etc/X11/{,**} mrwkl,
deny /usr/share/{,**} mrwkl,
deny /usr/local/{,**} mrwkl,
capability net_raw,
capability net_admin,
network packet,
network raw,
}
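Review bot: `/usr/lib/firejail/** ix` makes every helper this program starts (the fnettrace-dns, -icmp and -sni children launched through runprog in the same commit) inherit this profile, so the dedicated `usr.lib.firejail.fnettrace-*` profiles installed alongside never attach on that path; if they are meant to confine the helpers when started from fnettrace, the rule needs a `px` transition, and the `signal (send) peer=@{profile_name}` rules would then also have to name the child profiles so killprogs() keeps working. If the helper profiles are only intended for direct invocation, a comment on the `ix` line saying so would spare the next reader the same question. The read rule `/{dev,etc,tmp,proc,sys,usr}/{,**} rklm` covers /usr/lib but not /lib or /lib64, so on a system without merged /usr the dynamic loader and libc would be denied; `include <abstractions/base>` is the usual way to cover that. Finally, this file uses `#include <tunables/global>` while the three helper profiles use `include <tunables/global>`; both parse, but one spelling should be picked.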


@ -0,0 +1,14 @@
include <tunables/global>
/usr/lib/firejail/fnettrace-dns {
signal (send) peer=@{profile_name}//&unconfined,
signal (send) peer=@{profile_name},
signal (receive),
/{dev,etc,proc,sys,usr,**} rklm,
capability net_raw,
capability net_admin,
network packet,
network raw,
}
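Review bot: `/{dev,etc,proc,sys,usr,**} rklm` has `**` as one of the brace alternatives, so the rule expands to `/** rklm` and grants read, lock and mmap on every path in the filesystem, which makes the other five alternatives redundant and the profile far wider than the fnettrace one. The fnettrace profile writes the same intent as `/{dev,etc,tmp,proc,sys,usr}/{,**} rklm`, which is presumably what was meant here too: `/{dev,etc,proc,sys,usr}/{,**} rklm,`. The identical rule appears in usr.lib.firejail.fnettrace-icmp and usr.lib.firejail.fnettrace-sni and needs the same correction.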


@ -0,0 +1,15 @@
include <tunables/global>
/usr/lib/firejail/fnettrace-icmp {
signal (send) peer=@{profile_name}//&unconfined,
signal (send) peer=@{profile_name},
signal (receive),
/{dev,etc,proc,sys,usr,**} rklm,
capability net_raw,
capability net_admin,
network packet,
network raw,
}


@ -0,0 +1,14 @@
include <tunables/global>
/usr/lib/firejail/fnettrace-sni {
signal (send) peer=@{profile_name}//&unconfined,
signal (send) peer=@{profile_name},
signal (receive),
/{dev,etc,proc,sys,usr,**} rklm,
capability net_raw,
capability net_admin,
network packet,
network raw,
}


@ -43,12 +43,14 @@ void netfilter_netlock(pid_t pid) {
char *terminal = NULL;
if (access("/usr/bin/xterm", X_OK) == 0)
terminal = "/usr/bin/xterm";
else if (access("/usr/bin/lxterminal", X_OK) == 0)
terminal = "/usr/bin/lxterminal";
else if (access("/usr/bin/mate-terminal", X_OK) == 0)
terminal = "/usr/bin/mate-terminal";
else if (access("/usr/bin/xfce4-terminal", X_OK) == 0)
terminal = "/usr/bin/xfce4-terminal";
else if (access("/usr/bin/konsole", X_OK) == 0)
terminal = "/usr/bin/konsole";
else if (access("/usr/bin/qterminal", X_OK) == 0)
terminal = "/usr/bin/qterminal";
// problem: newer gnome-terminal versions don't support -e command line option???
// same for mate-terminal
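Review bot: The closing comment states that mate-terminal no longer accepts `-e`, yet `/usr/bin/mate-terminal` is still probed and selected a few lines above in the same chain; if the comment is accurate the mate-terminal branch should be dropped, and if it is not, the comment should be. The rendered page does not show which of these lines the commit adds, so this may predate it. Separately, each candidate is the same `access(..., X_OK)` / assign pair; a `static const char *const terminals[]` table walked with a `for` loop would make the next addition a one-line change. netfilter_netlock() starts before the hunk and continues after it.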


@ -98,6 +98,7 @@ void terminal_restore(void);
// runprog.c
int runprog(const char *program);
void killprogs(void);
// event.c
extern int ev_cnt;


@ -24,6 +24,8 @@
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <signal.h>
#include <fcntl.h>
#include <sys/stat.h>
#define MAX_BUF_SIZE (64 * 1024)
// only 0 or negative values; positive values as defined in RFC
@ -533,6 +535,7 @@ static void run_trace(void) {
errExit("socket");
prctl(PR_SET_PDEATHSIG, SIGHUP);
int p1 = runprog(LIBDIR "/firejail/fnettrace-sni");
if (p1 != -1)
printf("loading snitrace...");
@ -622,19 +625,35 @@ static void run_trace(void) {
char *ptr = strchr(buf, '\n');
if (!ptr) { // we should have a '\n'
printf("Error: invalid file name\n");
sleep(5);
sleep(4);
continue;
}
*ptr = '\0';
if (strstr(buf, "/../") ||
strstr(buf, "/./") ||
strstr(buf, "//") ||
strchr(buf, '~')) {
printf("Error: invalid file name\n");
sleep(4);
continue;
}
struct stat s;
if (stat(buf, &s) == 0) {
printf("Error: a file with this name is already present in /tmp directory\n");
sleep(4);
continue;
}
FILE *fp = fopen(buf, "w");
if (!fp) {
printf("Error: cannot open file %s\n", buf);
perror("fopen");
sleep(5);
sleep(4);
continue;
}
printf("Saving stats in %s file...\n", buf);
print_stats(fp);
fclose(fp);
@ -643,8 +662,10 @@ static void run_trace(void) {
sleep(1);
continue;
}
else if (c == 'x' || c == 'X')
else if (c == 'x' || c == 'X') {
killprogs();
break;
}
continue;
}
else if (FD_ISSET(p1, &rfds)) {
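Review bot: In the `@ -622,19 +625,35 @@` hunk the new `stat(buf, &s)` existence check and the following `fopen(buf, "w")` are two separate steps, so a file or symlink placed at that /tmp path between them is opened and written through by a program that, per the profiles in this commit, runs with net_raw/net_admin; an `open()` with `O_CREAT | O_EXCL | O_NOFOLLOW` followed by `fdopen()` performs the check and the create atomically, and the commit already adds `<fcntl.h>`. With `O_EXCL`, the EEXIST case is reported by `perror("open")`, so the separate "already present" message can go. The substring checks reject `/../`, `/./`, `//` and `~`, but nothing in this hunk shows that `buf` is constrained to start with `/tmp/`; if that is established before the hunk a comment such as `// buf is already prefixed with /tmp/ by the caller` would make the rejection list easier to audit. run_trace() starts before this hunk and continues after it.
```c
			// … unchanged: '\n' check and rejection of "/../", "/./", "//" and '~' …
			// O_CREAT|O_EXCL makes "does it exist" and "create it" one atomic step, so a path
			// that appears after a separate stat() cannot be opened by mistake; O_NOFOLLOW
			// additionally refuses a symlink at that name
			int ofd = open(buf, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
			if (ofd == -1) {
				printf("Error: cannot create file %s\n", buf);
				perror("open");
				sleep(4);
				continue;
			}
			FILE *fp = fdopen(ofd, "w");
			if (!fp) {
				close(ofd);
				printf("Error: cannot open file %s\n", buf);
				perror("fdopen");
				sleep(4);
				continue;
			}
			// … unchanged: print_stats(fp); fclose(fp); …
```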


@ -18,14 +18,55 @@
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#include "fnettrace.h"
#include <signal.h>
typedef struct pidlist_t {
struct pidlist_t *next;
pid_t pid;
} PidList;
static PidList *pidlist = NULL;
static void add(pid_t pid) {
assert(pid);
PidList *p = malloc(sizeof(PidList));
if (!p)
errExit("malloc");
p->pid = pid;
p->next = pidlist;
pidlist = p;
}
int runprog(const char *program) {
assert(program);
FILE *fp = popen(program, "r");
if (!fp) {
fprintf(stderr, "Error: cannot run %s\n", program);
return -1;
}
int fd[2]; // child tx on fd[1], parent rx on fd[0]
if (pipe(fd))
errExit("pipe");
return fileno(fp);
pid_t pid = fork();
if(pid == -1)
errExit("fork");
else if (pid == 0) {
close(fd[0]);
dup2(fd[1], 1); // connect child stdout to fd[1]
execl(program, program, NULL);
exit(0);
}
else {
close(fd[1]);
add(pid);
}
return fd[0];
}
void killprogs(void) {
PidList *p = pidlist;
while (p) {
assert(p->pid);
kill(p->pid, SIGKILL);
p = p->next;
}
}
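Review bot: In runprog() the child falls through to `exit(0)` when `execl()` fails, so a missing or non-executable helper exits with success, prints nothing, and the parent has already recorded the pid and returned the read end, which then only ever sees EOF; the failure path should be `perror(program); _exit(1);` (using `_exit` so the forked child does not flush the parent's stdio buffers or run its atexit handlers a second time). The `execl()` sentinel should be written `(char *)NULL` as POSIX requires for a variadic call, since `NULL` may expand to a plain `0`. The child also keeps `fd[1]` open after the `dup2()`; a `close(fd[1]);` after it avoids the duplicate descriptor, and the `dup2()` return value is unchecked. The replacement of popen() by fork/execl is the right direction and needs no further change here.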