Merge branch 'master' of https://github.com/netblue30/firejail into a…

…pparmor

.github/workflows/build-extra.yml

@@ -4,7 +4,10 @@ on:
   push:
     branches: [ master ]
     paths-ignore:
+      - .git-blame-ignore-revs
+      - .gitignore
       - CONTRIBUTING.md
+      - COPYING
       - README
       - README.md
       - RELNOTES
@@ -16,7 +19,10 @@ on:
   pull_request:
     branches: [ master ]
     paths-ignore:
+      - .git-blame-ignore-revs
+      - .gitignore
       - CONTRIBUTING.md
+      - COPYING
       - README
       - README.md
       - RELNOTES
@@ -28,28 +34,40 @@ on:
 
 jobs:
   build-clang:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
     - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+    - name: install dependencies
+      run: sudo apt-get install libapparmor-dev libselinux1-dev
     - name: configure
-      run: CC=clang-11 ./configure --enable-fatal-warnings
+      run: CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor --enable-selinux
     - name: make
       run: make
     - name: make install
       run: sudo make install
     - name: print version
       run: command -V firejail && firejail --version
   scan-build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
     - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
-    - name: install clang-tools-11
-      run: sudo apt-get install clang-tools-11
+    - name: install clang-tools-14 and dependencies
+      run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev
     - name: configure
-      run: CC=clang-11 ./configure --enable-fatal-warnings
+      run: CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor --enable-selinux
     - name: scan-build
-      run: NO_EXTRA_CFLAGS="yes" scan-build-11 --status-bugs make
+      run: NO_EXTRA_CFLAGS="yes" scan-build-14 --status-bugs make
   cppcheck:
+    runs-on: ubuntu-22.04
+    steps:
+    - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+    - name: install cppcheck
+      run: sudo apt-get install cppcheck
+    - name: cppcheck
+      run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance -i src/firejail/checkcfg.c -i src/firejail/main.c .
+  # new cppcheck version currently chokes on checkcfg.c and main.c, therefore scan all files also
+  # with older cppcheck version from ubuntu 20.04.
+  cppcheck_old:
     runs-on: ubuntu-20.04
     steps:
     - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b

.github/workflows/build.yml

@@ -4,31 +4,37 @@ on:
   push:
     branches: [ master ]
     paths-ignore:
+      - .git-blame-ignore-revs
+      - .gitignore
       - CONTRIBUTING.md
+      - COPYING
       - README
       - README.md
       - RELNOTES
       - SECURITY.md
   pull_request:
     branches: [ master ]
     paths-ignore:
+      - .git-blame-ignore-revs
+      - .gitignore
       - CONTRIBUTING.md
+      - COPYING
       - README
       - README.md
       - RELNOTES
       - SECURITY.md
 
 jobs:
   build_and_test:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
     - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
     - name: update package information
       run: sudo apt-get update
     - name: install dependencies
-      run: sudo apt-get install gcc-11 libapparmor-dev libselinux1-dev expect xzdec
+      run: sudo apt-get install gcc-12 libapparmor-dev libselinux1-dev expect xzdec
     - name: configure
-      run: CC=gcc-11 ./configure --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux --prefix=/usr
+      run: CC=gcc-12 ./configure --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux --prefix=/usr
     - name: make
       run: make
     - name: make install

.github/workflows/codeql-analysis.yml

@@ -9,7 +9,10 @@ on:
   push:
     branches: [ master ]
     paths-ignore:
+      - .git-blame-ignore-revs
+      - .gitignore
       - CONTRIBUTING.md
+      - COPYING
       - README
       - README.md
       - RELNOTES
@@ -19,7 +22,10 @@ on:
     # The branches below must be a subset of the branches above
     branches: [ master ]
     paths-ignore:
+      - .git-blame-ignore-revs
+      - .gitignore
       - CONTRIBUTING.md
+      - COPYING
       - README
       - README.md
       - RELNOTES

.github/workflows/profile-checks.yml

@@ -18,7 +18,7 @@ on:
 
 jobs:
   profile-checks:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
     - name: sort.py

.gitignore

@@ -10,6 +10,7 @@
 .directory
 *.man
 .vscode
+/firejail-*/
 autom4te.cache/
 config.log
 config.mk

RELNOTES

@@ -1,8 +1,13 @@
 firejail (0.9.71) baseline; urgency=low
   * work in progress
+  * feat: On failing to remount a fuse filesystem, give warning instead of
+  * erroring out (#5240 #5242)
   * build: deduplicate configure-time vars into new config files (#5140)
   * build: fix file mode of shell scripts (644 -> 755) (#5206)
   * build: reduce autoconf input files from 32 to 2 (#5219)
+  * build: add dist build directory to .gitignore (#5248)
+  * build: add autoconf auto-generation comment to input files (#5251)
+  * ci: ignore git-related paths and the project license (#5249)
  -- netblue30 <netblue30@yahoo.com>  Sat, 11 Jun 2022 09:00:00 -0500
 
 firejail (0.9.70) baseline; urgency=low

config.mk.in

@@ -1,3 +1,5 @@
+# @configure_input@
+#
 # Configure-time variable definitions and any other common definition that can
 # be safely included by all makefiles.
 #

config.sh.in

@@ -1,2 +1,3 @@
+# @configure_input@
 NAME=@PACKAGE_NAME@
 VERSION=@PACKAGE_VERSION@

etc/profile-a-l/default.profile

@@ -60,3 +60,4 @@ seccomp
 # deterministic-shutdown
 # memory-deny-write-execute
 # read-only ${HOME}
+# restrict-namespaces

etc/profile-m-z/server.profile

@@ -90,6 +90,7 @@ dbus-user none
 # deterministic-shutdown
 # memory-deny-write-execute
 # read-only ${HOME}
+# restrict-namespaces
 # writable-run-user
 # writable-var
 # writable-var-log

etc/templates/profile.template

@@ -228,3 +228,4 @@ include globals.local
 ##noexec PATH
 ##read-only ${HOME}
 ##read-write ${HOME}
+#restrict-namespaces

m4/ax_check_compile_flag.m4

@@ -29,33 +29,12 @@
 #   Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
 #   Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
 #
-#   This program is free software: you can redistribute it and/or modify it
-#   under the terms of the GNU General Public License as published by the
-#   Free Software Foundation, either version 3 of the License, or (at your
-#   option) any later version.
-#
-#   This program is distributed in the hope that it will be useful, but
-#   WITHOUT ANY WARRANTY; without even the implied warranty of
-#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
-#   Public License for more details.
-#
-#   You should have received a copy of the GNU General Public License along
-#   with this program. If not, see <https://www.gnu.org/licenses/>.
-#
-#   As a special exception, the respective Autoconf Macro's copyright owner
-#   gives unlimited permission to copy, distribute and modify the configure
-#   scripts that are the output of Autoconf when processing the Macro. You
-#   need not follow the terms of the GNU General Public License when using
-#   or distributing such scripts, even though portions of the text of the
-#   Macro appear in them. The GNU General Public License (GPL) does govern
-#   all other use of the material that constitutes the Autoconf Macro.
-#
-#   This special exception to the GPL applies to versions of the Autoconf
-#   Macro released by the Autoconf Archive. When you make and distribute a
-#   modified version of the Autoconf Macro, you may extend this special
-#   exception to the GPL to apply to your modified version as well.
+#   Copying and distribution of this file, with or without modification, are
+#   permitted in any medium without royalty provided the copyright notice
+#   and this notice are preserved.  This file is offered as-is, without any
+#   warranty.
 
-#serial 5
+#serial 6
 
 AC_DEFUN([AX_CHECK_COMPILE_FLAG],
 [AC_PREREQ(2.64)dnl for _AC_LANG_PREFIX and AS_VAR_IF

src/firejail/firejail.h

@@ -198,6 +198,7 @@ typedef struct config_t {
 	char *seccomp_list_drop, *seccomp_list_drop32;	// seccomp drop list
 	char *seccomp_list_keep, *seccomp_list_keep32;	// seccomp keep list
 	char *protocol;			// protocol list
+	char *restrict_namespaces;			// namespaces list
 	char *seccomp_error_action;			// error action: kill, log or errno
 
 	// rlimits
@@ -633,6 +634,7 @@ int seccomp_load(const char *fname);
 int seccomp_filter_drop(bool native);
 int seccomp_filter_keep(bool native);
 int seccomp_filter_mdwx(bool native);
+int seccomp_filter_namespaces(bool native, const char *list);
 void seccomp_print_filter(pid_t pid) __attribute__((noreturn));
 
 // caps.c

src/firejail/fs_bin.c

@@ -27,7 +27,7 @@
 
 static int prog_cnt = 0;
 
-static char *paths[] = {
+static const char * const paths[] = {
 	"/usr/local/bin",
 	"/usr/bin",
 	"/bin",
@@ -40,7 +40,7 @@ static char *paths[] = {
 };
 
 // return 1 if found, 0 if not found
-static char *check_dir_or_file(const char *name) {
+static const char *check_dir_or_file(const char *name) {
 	EUID_ASSERT();
 	assert(name);
 	struct stat s;
@@ -160,7 +160,7 @@ static void duplicate(char *fname) {
 	else {
 		// Find the standard directory (by looping through paths[])
 		// where the filename fname is located
-		char *path = check_dir_or_file(fname);
+		const char *path = check_dir_or_file(fname);
 		if (!path)
 			return;
 		if (asprintf(&full_path, "%s/%s", path, fname) == -1)

src/firejail/fs_var.c

@@ -300,7 +300,7 @@ void fs_var_utmp(void) {
 
 	// read current utmp
 	struct utmp *u;
-	struct utmp u_boot;
+	struct utmp u_boot = {0};
 	setutent();
 	while ((u = getutent()) != NULL) {
 		if (u->ut_type == BOOT_TIME) {

src/firejail/join.c

@@ -133,13 +133,17 @@ static void extract_nogroups(ProcessHandle sandbox) {
 
 	if (process_rootfs_stat(sandbox, RUN_GROUPS_CFG, &s) == 0)
 		arg_nogroups = 1;
+	else if (errno != ENOENT)
+		errExit("stat");
 }
 
 static void extract_nonewprivs(ProcessHandle sandbox) {
 	struct stat s;
 
 	if (process_rootfs_stat(sandbox, RUN_NONEWPRIVS_CFG, &s) == 0)
 		arg_nonewprivs = 1;
+	else if (errno != ENOENT)
+		errExit("stat");
 }
 
 static void extract_caps(ProcessHandle sandbox) {
@@ -477,13 +481,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
 		EUID_USER();
 		unpin_process(sandbox);
 
-		// set nonewprivs
-		if (arg_nonewprivs == 1) {	// not available for uid 0
-			int rv = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
-			if (arg_debug && rv == 0)
-				printf("NO_NEW_PRIVS set\n");
-		}
-
 		int cwd = 0;
 		if (cfg.cwd) {
 			if (chdir(cfg.cwd) == 0)
@@ -503,6 +500,17 @@ void join(pid_t pid, int argc, char **argv, int index) {
 			}
 		}
 
+		// set nonewprivs
+#ifndef HAVE_FORCE_NONEWPRIVS
+		if (arg_nonewprivs == 1)	// not available for uid 0
+#endif
+		{
+			if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
+				errExit("prctl");
+			if (arg_debug)
+				printf("NO_NEW_PRIVS set\n");
+		}
+
 		// drop privileges
 		drop_privs(arg_nogroups);
 

src/firejail/main.c

@@ -1240,7 +1240,8 @@ int main(int argc, char **argv, char **envp) {
 	if (check_arg(argc, argv, "--appimage", 1))
 		arg_appimage = 1;
 
-	// check for force-nonewprivs in /etc/firejail/firejail.config file
+	// load configuration file /etc/firejail/firejail.config
+	// and check for force-nonewprivs
 	if (checkcfg(CFG_FORCE_NONEWPRIVS))
 		arg_nonewprivs = 1;
 
@@ -1406,6 +1407,20 @@ int main(int argc, char **argv, char **envp) {
 			else
 				exit_err_feature("seccomp");
 		}
+		else if (strcmp(argv[i], "--restrict-namespaces") == 0) {
+			if (checkcfg(CFG_SECCOMP))
+				profile_list_augment(&cfg.restrict_namespaces, "cgroup,ipc,net,mnt,pid,time,user,uts");
+			else
+				exit_err_feature("seccomp");
+		}
+		else if (strncmp(argv[i], "--restrict-namespaces=", 22) == 0) {
+			if (checkcfg(CFG_SECCOMP)) {
+				const char *add = argv[i] + 22;
+				profile_list_augment(&cfg.restrict_namespaces, add);
+			}
+			else
+				exit_err_feature("seccomp");
+		}
 		else if (strncmp(argv[i], "--seccomp-error-action=", 23) == 0) {
 			if (checkcfg(CFG_SECCOMP)) {
 				int config_seccomp_error_action = checkcfg(CFG_SECCOMP_ERROR_ACTION);

src/firejail/preproc.c

@@ -91,10 +91,18 @@ void preproc_mount_mnt_dir(void) {
 			copy_file(PATH_SECCOMP_MDWX, RUN_SECCOMP_MDWX, getuid(), getgid(), 0644); // root needed
 			copy_file(PATH_SECCOMP_MDWX_32, RUN_SECCOMP_MDWX_32, getuid(), getgid(), 0644); // root needed
 		}
-		// as root, create empty RUN_SECCOMP_PROTOCOL and RUN_SECCOMP_POSTEXEC files
+		// as root, create empty RUN_SECCOMP_PROTOCOL, RUN_SECCOMP_NS and RUN_SECCOMP_POSTEXEC files
 		create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);
 		if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))
 			errExit("set_perms");
+		if (cfg.restrict_namespaces) {
+			create_empty_file_as_root(RUN_SECCOMP_NS, 0644);
+			if (set_perms(RUN_SECCOMP_NS, getuid(), getgid(), 0644))
+				errExit("set_perms");
+			create_empty_file_as_root(RUN_SECCOMP_NS_32, 0644);
+			if (set_perms(RUN_SECCOMP_NS_32, getuid(), getgid(), 0644))
+				errExit("set_perms");
+		}
 		create_empty_file_as_root(RUN_SECCOMP_POSTEXEC, 0644);
 		if (set_perms(RUN_SECCOMP_POSTEXEC, getuid(), getgid(), 0644))
 			errExit("set_perms");