spoof machine-id

README.md

@@ -74,6 +74,13 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is
 
               Example:
               # firejail --private-srv=www /etc/init.d/apache2 start
+
+       --machine-id
+              Preserve  id  number  in  /etc/machine-id file. By default a new
+              random id is generated inside the sandbox.
+
+              Example:
+              $ firejail --machine-id
 `````
 ## New Profiles
 xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2,

RELNOTES

@@ -11,6 +11,7 @@ firejail (0.9.45) baseline; urgency=low
   * feature: test coverage (gcov) support
   * feature: private /opt directory (--private-opt, profile support)
   * feature: private /srv directory (--private-srv, profile support)
+  * feature: spoof machine-id
   * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,
   * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
   * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, 

src/firejail/firejail.h

@@ -78,6 +78,7 @@
 #define RUN_HOSTNAME_FILE	"/run/firejail/mnt/hostname"
 #define RUN_HOSTS_FILE	"/run/firejail/mnt/hosts"
 #define RUN_RESOLVCONF_FILE	"/run/firejail/mnt/resolv.conf"
+#define RUN_MACHINEID	"/run/firejail/mnt/machine-id"
 #define RUN_LDPRELOAD_FILE	"/run/firejail/mnt/ld.so.preload"
 #define RUN_UTMP_FILE		"/run/firejail/mnt/utmp"
 #define RUN_PASSWD_FILE		"/run/firejail/mnt/passwd"
@@ -342,6 +343,7 @@ extern int arg_allow_debuggers;	// allow debuggers
 extern int arg_x11_block;	// block X11
 extern int arg_x11_xorg;	// use X11 security extention
 extern int arg_allusers;	// all user home directories visible
+extern int arg_machineid;	// preserve /etc/machine-id
 
 extern int login_shell;
 extern int parent_to_child_fds[2];

src/firejail/fs.c

@@ -597,7 +597,8 @@ void fs_basic_fs(void) {
 	fs_var_lib();
 	fs_var_cache();
 	fs_var_utmp();
-
+	fs_machineid();
+	
 	// don't leak user information
 	restrict_users();
 	
@@ -880,6 +881,7 @@ void fs_overlayfs(void) {
 	fs_var_lib();
 	fs_var_cache();
 	fs_var_utmp();
+	fs_machineid();
 
 	// don't leak user information
 	restrict_users();
@@ -1061,6 +1063,7 @@ void fs_chroot(const char *rootdir) {
 		fs_var_lib();
 		fs_var_cache();
 		fs_var_utmp();
+		fs_machineid();
 	
 		// don't leak user information
 		restrict_users();

src/firejail/fs_etc.c

@@ -23,6 +23,57 @@
 #include <sys/types.h>
 #include <unistd.h>
 
+// spoof /etc/machine_id
+void fs_machineid(void) {
+	union machineid_t {
+		uint8_t u8[16];
+		uint32_t u32[4];
+	} mid;
+
+	// if --machine-id flag is active, do nothing
+	if (arg_machineid)
+		return;
+
+	// init random number generator
+	srand(time(NULL));
+	
+	// generate random id
+	mid.u32[0] = rand();
+	mid.u32[1] = rand();
+	mid.u32[2] = rand();
+	mid.u32[3] = rand();
+	
+	// UUID version 4 and DCE variant
+	mid.u8[6] = (mid.u8[6] & 0x0F) | 0x40;
+	mid.u8[8] = (mid.u8[8] & 0x3F) | 0x80;
+	
+	// write it in a file
+	FILE *fp = fopen(RUN_MACHINEID, "w");
+	if (!fp)
+		errExit("fopen");
+	fprintf(fp, "%08x%08x%08x%08x\n", mid.u32[0], mid.u32[1], mid.u32[2], mid.u32[3]);
+	fclose(fp);
+	if (set_perms(RUN_MACHINEID, 0, 0, 0444))
+		errExit("set_perms");
+		
+
+	struct stat s;
+	// mount-bind 
+	if (stat("/etc/machine-id", &s) == 0) {
+		if (arg_debug)
+			printf("installing a new /etc/machine-id\n");
+
+		if (mount(RUN_MACHINEID, "/etc/machine-id", "none", MS_BIND, "mode=444,gid=0"))
+			errExit("mount");
+	}
+//#if 0 // todo: investigate	
+	if (stat("/var/lib/dbus/machine-id", &s) == 0) {
+		if (mount(RUN_MACHINEID, "/etc/machine-id", "none", MS_BIND, "mode=444,gid=0"))
+			errExit("mount");
+	}
+//#endif
+}
+
 // return 0 if file not found, 1 if found
 static int check_dir_or_file(const char *fname) {
 	assert(fname);

src/firejail/main.c

@@ -111,6 +111,7 @@ int arg_allow_debuggers = 0;			// allow debuggers
 int arg_x11_block = 0;				// block X11
 int arg_x11_xorg = 0;				// use X11 security extention
 int arg_allusers = 0;				// all user home directories visible
+int arg_machineid = 0;				// preserve /etc/machine-id
 
 int login_shell = 0;
 
@@ -1520,6 +1521,9 @@ int main(int argc, char **argv) {
 		else if (strcmp(argv[i], "--writable-var") == 0) {
 			arg_writable_var = 1;
 		}
+		else if (strcmp(argv[i], "--machine-id") == 0) {
+			arg_machineid = 1;
+		}
 		else if (strcmp(argv[i], "--private") == 0) {
 			arg_private = 1;
 		}

src/firejail/profile.c

@@ -650,6 +650,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		return 0;
 	}
 	
+	if (strcmp(ptr, "machine-id") == 0) {
+		arg_machineid = 1;
+		return 0;
+	}
 	// writable-var
 	if (strcmp(ptr, "writable-var") == 0) {
 		arg_writable_var = 1;

src/firejail/usage.c

@@ -94,6 +94,9 @@ void usage(void) {
 	printf("    --ls=name|pid dir_or_filename - list files in sandbox container.\n");
 #ifdef HAVE_NETWORK	
 	printf("    --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n");
+#endif
+	printf("    --machine-id - preserve /etc/machine-id\n");
+#ifdef HAVE_NETWORK	
 	printf("    --mtu=number - set interface MTU.\n");
 #endif
 	printf("    --name=name - set sandbox name.\n");

src/man/firejail-profile.txt

@@ -446,6 +446,10 @@ iprange 192.168.1.150,192.168.1.160
 \fBmac address
 Assign MAC addresses to the last network interface defined by a net command.
 
+.TP
+\fBmachine-id
+Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox.
+
 .TP
 \fBmtu number
 Assign a MTU value to the last network interface defined by a net command.

src/man/firejail.txt

@@ -665,6 +665,16 @@ Example:
 .br
 $ firejail \-\-net=eth0 \-\-mac=00:11:22:33:44:55 firefox
 
+.TP
+\fB\-\-machine-id
+Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-machine-id
+
 .TP
 \fB\-\-mtu=number
 Assign a MTU value to the last network interface defined by a \-\-net option.

todo

@@ -299,3 +299,5 @@ read-only /var
 read-only /bin
 
 31. --private and --allusers are coliding
+
+32. machine-id defined in rfc4122