diff --git a/.gitignore b/.gitignore
index 9b9935b9392..89bf3c4fa44 100644
--- a/.gitignore
+++ b/.gitignore
@@ -24,3 +24,8 @@ src/fnet/fnet
 src/fseccomp/fseccomp
 src/fcopy/fcopy
 uids.h
+seccomp
+seccomp.debug
+seccomp.i386
+seccomp.amd64
+
diff --git a/Makefile.in b/Makefile.in
index 772dc8c0685..d1f03c7884c 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,7 +1,8 @@
-all: apps man
+all: apps man filters
 MYLIBS = src/lib
 APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libconnect src/fnet src/fseccomp src/fcopy
 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
+SECCOMP_FILTERS = seccomp seccomp.i386 seccomp.amd64
 prefix=@prefix@
 exec_prefix=@exec_prefix@
@@ -35,11 +36,18 @@ $(MANPAGES): $(wildcard src/man/*.txt)
 man: $(MANPAGES)
+filters: src/fseccomp
+ src/fseccomp/fseccomp default seccomp
+ src/fseccomp/fseccomp default seccomp.debug allow-debuggers
+ src/fseccomp/fseccomp secondary 32 seccomp.i386
+ src/fseccomp/fseccomp secondary 64 seccomp.amd64
+
 clean:
 for dir in $(APPS) $(MYLIBS); do \
 $(MAKE) -C $$dir clean; \
 done
 rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
+ rm -f seccomp seccomp.debug seccomp.i386 seccomp.amd64
 rm -f test/utils/index.html*
 rm -f test/utils/wget-log
 rm -f test/utils/lstesting
@@ -79,6 +87,10 @@ realinstall:
 install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/.
 install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/.
 install -c -m 0755 src/fcopy/fcopy $(DESTDIR)/$(libdir)/firejail/.
+ install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/.
+ install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/.
+ install -c -m 0644 seccomp.i386 $(DESTDIR)/$(libdir)/firejail/.
+ install -c -m 0644 seccomp.amd64 $(DESTDIR)/$(libdir)/firejail/.
 # documents
 install -m 0755 -d $(DESTDIR)/$(DOCDIR)
 install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/.
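Review bot: The new `filters` target in the second Makefile.in hunk has `src/fseccomp` as its prerequisite, which is a directory that always exists, so nothing orders it after `apps`; under `make -j` the four `src/fseccomp/fseccomp ...` recipes can run before that binary has been built. Make the dependency explicit, e.g. `filters: apps`, so the filters are always generated by the freshly built fseccomp. The `SECCOMP_FILTERS` variable added in the first hunk is never referenced, and it omits `seccomp.debug` while the `clean` and `realinstall` hunks list all four names by hand, so the three lists will drift; either drop the variable or include `seccomp.debug` in it and write the other two lines as `$(SECCOMP_FILTERS)`. Since these installed files become the syscall filters every sandbox loads, a short comment above the target (`# prebuilt seccomp filters installed under libdir/firejail and copied into each sandbox`) would tell the next maintainer why they must be regenerated whenever fseccomp changes.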
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 2562094d32e..2e031ce0496 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -47,10 +47,14 @@
 #define RUN_BIN_DIR "/run/firejail/mnt/bin"
 #define RUN_PULSE_DIR "/run/firejail/mnt/pulse"
-#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter
 #define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter
+#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter
 #define RUN_SECCOMP_AMD64 "/run/firejail/mnt/seccomp.amd64" // amd64 filter installed on i386 architectures
 #define RUN_SECCOMP_I386 "/run/firejail/mnt/seccomp.i386" // i386 filter installed on amd64 architectures
+#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make
+#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make
+#define PATH_SECCOMP_AMD64 (LIBDIR "/firejail/seccomp.amd64") // amd64 filter built during make
+#define PATH_SECCOMP_I386 (LIBDIR "/firejail/seccomp.i386") // i386 filter built during make
 #define RUN_DEV_DIR "/run/firejail/mnt/dev"
@@ -374,9 +378,6 @@ void net_config_interface(const char *dev, uint32_t ip, uint32_t mask, int mtu);
 // preproc.c
 void preproc_build_firejail_dir(void);
 void preproc_mount_mnt_dir(void);
-void preproc_build_cp_command(void);
-void preproc_delete_cp_command(void) ;
-void preproc_remount_mnt_dir(void);
 // fs.c
 // blacklist files or directoies by mounting empty files on top of them
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index ea4e6743fdf..d2db7d3dd91 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
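Review bot: The comment on the new `PATH_SECCOMP_DEFAULT_DEBUG` macro repeats the one on `PATH_SECCOMP_DEFAULT` ("default filter built during make") and so never says how the two files differ; suggest `// default filter built during make with the allow-debuggers variant, copied instead of PATH_SECCOMP_DEFAULT when arg_allow_debuggers is set`. It would also help to state at the top of the new `PATH_SECCOMP_*` group that these are install-time files under `LIBDIR` that `preproc_mount_mnt_dir()` copies into the `RUN_SECCOMP_*` locations, since the `RUN_` and `PATH_` names are otherwise easy to confuse. The reordering of `RUN_SECCOMP_CFG` below `RUN_SECCOMP_PROTOCOL` in the same hunk carries no change in value and could be dropped to keep the diff focused.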
@@ -56,9 +56,9 @@ void preproc_build_firejail_dir(void) {
 create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);
 }
- if (stat(RUN_MNT_DIR, &s)) {
- create_empty_dir_as_root(RUN_MNT_DIR, 0755);
- }
+ if (stat(RUN_MNT_DIR, &s)) {
+ create_empty_dir_as_root(RUN_MNT_DIR, 0755);
+ }
 create_empty_file_as_root(RUN_RO_FILE, S_IRUSR);
 create_empty_dir_as_root(RUN_RO_DIR, S_IRUSR);
@@ -75,51 +75,17 @@ void preproc_mount_mnt_dir(void) {
 tmpfs_mounted = 1;
 fs_logger2("tmpfs", RUN_MNT_DIR);
- // create all seccomp files
- // as root, create RUN_SECCOMP_I386 file
- create_empty_file_as_root(RUN_SECCOMP_I386, 0644);
- if (set_perms(RUN_SECCOMP_I386, getuid(), getgid(), 0644))
- errExit("set_perms");
-
- // as root, create RUN_SECCOMP_AMD64 file
- create_empty_file_as_root(RUN_SECCOMP_AMD64, 0644);
- if (set_perms(RUN_SECCOMP_AMD64, getuid(), getgid(), 0644))
- errExit("set_perms");
-
- // as root, create RUN_SECCOMP file
- create_empty_file_as_root(RUN_SECCOMP_CFG, 0644);
- if (set_perms(RUN_SECCOMP_CFG, getuid(), getgid(), 0644))
- errExit("set_perms");
-
- // as root, create RUN_SECCOMP_PROTOCOL file
+ //copy defaultl seccomp files
+ copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644);
+ copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644);
+ if (arg_allow_debuggers)
+ copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
+ else
+ copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
+
+ // as root, create an empty RUN_SECCOMP_PROTOCOL file
 create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);
 if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))
 errExit("set_perms");
 }
 }
-
-// grab a copy of cp command
-void preproc_build_cp_command(void) {
- struct stat s;
- preproc_mount_mnt_dir();
- if (stat(RUN_CP_COMMAND, &s)) {
- char* fname = realpath("/bin/cp", NULL);
- if (fname == NULL || stat(fname, &s) || is_link(fname)) {
- fprintf(stderr, "Error: invalid /bin/cp\n");
- exit(1);
- }
- int rv = copy_file(fname, RUN_CP_COMMAND, 0, 0, 0755);
- if (rv) {
- fprintf(stderr, "Error: cannot access /bin/cp\n");
- exit(1);
- }
- ASSERT_PERMS(RUN_CP_COMMAND, 0, 0, 0755);
-
- free(fname);
- }
-}
-
-// delete the temporary cp command
-void preproc_delete_cp_command(void) {
- unlink(RUN_CP_COMMAND);
-}
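Review bot: The four new `copy_file(...)` calls discard the return value, while the code this commit removes (`int rv = copy_file(fname, RUN_CP_COMMAND, ...); if (rv) { ... exit(1); }`) shows the function reports failure through it. If a prebuilt filter is missing or unreadable under `LIBDIR` — a stale install, or a build where `filters` did not run — `RUN_SECCOMP_CFG` is never created, and since the runtime rebuild in seccomp.c is now disabled nothing regenerates it; whether the sandbox then starts with a degraded filter depends on `seccomp_load()`'s handling of a missing file, which is outside this hunk, so the copy should fail loudly here as the neighbouring `set_perms` check already does. The comment `//copy defaultl seccomp files` has a typo; `// copy the prebuilt seccomp filters from LIBDIR into the sandbox mount` is clearer. `preproc_mount_mnt_dir` begins before this hunk.
```c
	// copy the prebuilt seccomp filters from LIBDIR into the sandbox mount;
	// copy_file() returns non-zero on failure and a missing filter must abort
	// rather than leave the RUN_SECCOMP_* files absent
	if (copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644) ||
	    copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644)) {
		fprintf(stderr, "Error: cannot copy secondary seccomp filters\n");
		exit(1);
	}
	const char *default_filter = arg_allow_debuggers ? PATH_SECCOMP_DEFAULT_DEBUG : PATH_SECCOMP_DEFAULT;
	if (copy_file(default_filter, RUN_SECCOMP_CFG, getuid(), getgid(), 0644)) {
		fprintf(stderr, "Error: cannot copy default seccomp filter\n");
		exit(1);
	}
	// … unchanged: RUN_SECCOMP_PROTOCOL creation …
```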
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index c2e053b0c68..ad77caeb2d7 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -555,12 +555,9 @@ int sandbox(void* sandbox_arg) {
 //****************************
 // fs pre-processing:
- // - copy some commands under /run
 // - build seccomp filters
 // - create an empty /etc/ld.so.preload
 //****************************
- preproc_build_cp_command();
-
 #ifdef HAVE_SECCOMP
 if (cfg.protocol) {
 if (arg_debug)
@@ -765,7 +762,6 @@ int sandbox(void* sandbox_arg) {
 //****************************
 // fs post-processing
 //****************************
- preproc_delete_cp_command();
 fs_logger_print();
 fs_logger_change_owner();
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 4a2221e98fd..30c63d73411 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -92,11 +92,9 @@ int seccomp_load(const char *fname) {
 return 0;
 }
-
-
-
 // i386 filter installed on amd64 architectures
 void seccomp_filter_32(void) {
+#if 0
 if (arg_debug)
 printf("Build secondary 32-bit filter\n");
@@ -105,7 +103,7 @@ void seccomp_filter_32(void) {
 PATH_FSECCOMP, "secondary", "32", RUN_SECCOMP_I386);
 if (rv)
 exit(rv);
-
+#endif
 if (seccomp_load(RUN_SECCOMP_I386) == 0) {
 if (arg_debug)
 printf("Dual i386/amd64 seccomp filter configured\n");
@@ -114,6 +112,7 @@ void seccomp_filter_32(void) {
 // amd64 filter installed on i386 architectures
 void seccomp_filter_64(void) {
+#if 0
 if (arg_debug)
 printf("Build secondary 64-bit filter\n");
@@ -122,6 +121,7 @@ void seccomp_filter_64(void) {
 PATH_FSECCOMP, "secondary", "64", RUN_SECCOMP_AMD64);
 if (rv)
 exit(rv);
+#endif
 if (seccomp_load(RUN_SECCOMP_AMD64) == 0) {
 if (arg_debug)
@@ -129,7 +129,6 @@ void seccomp_filter_64(void) {
 }
 }
-
 // drop filter for seccomp option
 int seccomp_filter_drop(int enforce_seccomp) {
 // default seccomp
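Review bot: Wrapping the filter-building code of `seccomp_filter_32` in `#if 0` (the `-92` and `-105` hunks) leaves dead code in the tree instead of removing it, and the same pattern is repeated for `seccomp_filter_64` in the `-114`/`-122` hunks and for the default-filter branch of `seccomp_filter_drop` in the `-140`/`-152` hunks of the next chunk. Git keeps the history, so delete the disabled blocks and leave a one-line pointer to the new source of each file, e.g. `// RUN_SECCOMP_I386 is copied from PATH_SECCOMP_I386 by preproc_mount_mnt_dir()`. With the runtime rebuild gone, the `seccomp_load(RUN_SECCOMP_I386) == 0` test is the only thing standing between a filter that was never copied and a sandbox running without its secondary filter; the else path is outside this hunk, so please confirm it reports the problem rather than continuing silently. `seccomp_filter_32` and `seccomp_filter_64` both extend past their hunks.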
@@ -140,6 +139,8 @@ int seccomp_filter_drop(int enforce_seccomp) {
 #if defined(__i386__)
 seccomp_filter_64();
 #endif
+
+#if 0
 if (arg_debug)
 printf("Build default seccomp filter\n");
 // build the seccomp filter as a regular user
@@ -152,8 +153,8 @@ int seccomp_filter_drop(int enforce_seccomp) {
 PATH_FSECCOMP, "default", RUN_SECCOMP_CFG);
 if (rv)
 exit(rv);
+#endif
 }
-
 // default seccomp filter with additional drop list
 else if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) {
 #if defined(__x86_64__)
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index 2f85a786beb..471e0b193eb 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -38,7 +38,7 @@ static void usage(void) {
 }
 int main(int argc, char **argv) {
-#if 0
+//#if 0
 {
 //system("cat /proc/self/status");
 int i;
@@ -46,7 +46,7 @@ for (i = 0; i < argc; i++)
 printf("*%s* ", argv[i]);
 printf("\n");
 }
-#endif
+//#endif
 if (argc < 2) {
 usage();
 return 1;
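Review bot: Turning `#if 0` into `//#if 0` in the `-38` hunk of src/fseccomp/main.c (and `#endif` into `//#endif` in the `-46` hunk) makes the argv dump unconditional, so every fseccomp run — including the four invocations from the new `filters` make target and the ones firejail still performs at runtime — now prints `*arg* ` for each argument to stdout before doing any work. If this is a debugging leftover, restore the `#if 0`/`#endif` pair or delete the block together with the commented-out `//system("cat /proc/self/status");` line inside it; if the trace is meant to stay, it should at least be gated on an explicit debug condition and go to stderr so it cannot mix with the tool's normal output. `main` continues beyond the hunk.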