sbox

.gitignore

@@ -18,4 +18,5 @@ src/firecfg/firecfg
 src/ftee/ftee
 src/tags
 src/faudit/faudit
+src/fnet/fnet
 uids.h

src/firejail/Makefile.in

@@ -30,7 +30,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h
  $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
 
 firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o

src/firejail/firejail.h

@@ -25,6 +25,7 @@
 // debug restricted shell
 //#define DEBUG_RESTRICTED_SHELL
 
+
 // filesystem
 #define RUN_FIREJAIL_BASEDIR "/run"
 #define RUN_FIREJAIL_DIR "/run/firejail"
@@ -681,6 +682,17 @@ long unsigned int appimage2_size(const char *fname);
 // cmdline.c
 void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index);
 
+// sbox.c
+// programs
+#define PATH_FNET (LIBDIR "/firejail/fnet")
+#define PATH_FIREMON (PREFIX "/bin/firemon")
+// bitmapped filters for sbox_run
+#define SBOX_ROOT 1
+#define SBOX_USER 2
+#define SBOX_CAPS 4
+#define SBOX_SECCOMP 8
+int sbox_run(unsigned filter, int num, ...);
+
 
 #endif
 

src/firejail/main.c

@@ -54,9 +54,9 @@ Config cfg; // configuration
 int arg_private = 0; // mount private /home and /tmp directoryu
 int arg_private_template = 0; // mount private /home using a template
 int arg_debug = 0; // print debug messages
-int arg_debug_check_filename; // print debug messages for filename checking
-int arg_debug_blacklists; // print debug messages for blacklists
-int arg_debug_whitelists; // print debug messages for whitelists
+int arg_debug_check_filename = 0; // print debug messages for filename checking
+int arg_debug_blacklists = 0; // print debug messages for blacklists
+int arg_debug_whitelists = 0; // print debug messages for whitelists
 int arg_nonetwork = 0; // --net=none
 int arg_command = 0; // -c
 int arg_overlay = 0; // overlay option
@@ -498,27 +498,32 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
  exit(0);
  }
  else if (strcmp(argv[i], "--list") == 0) {
- list();
- exit(0);
+ int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
+ exit(rv);
  }
  else if (strcmp(argv[i], "--tree") == 0) {
- tree();
- exit(0);
+ int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
+ exit(rv);
  }
  else if (strcmp(argv[i], "--top") == 0) {
- top();
- exit(0);
+ int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--top");
+ exit(rv);
  }
 #ifdef HAVE_NETWORK 
  else if (strcmp(argv[i], "--netstats") == 0) {
  if (checkcfg(CFG_NETWORK)) {
- netstats();
+ struct stat s;
+ int rv;
+ if (stat("/proc/sys/kernel/grsecurity", &s) == 0)
+ rv = sbox_run(SBOX_ROOT | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--netstats");
+ else
+ rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--netstats");
+ exit(rv);
  }
  else {
  fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
  exit(1);
  }
- exit(0);
  }
 #endif 
 #ifdef HAVE_FILE_TRANSFER

src/firejail/network_main.c

@@ -25,49 +25,6 @@
 #include <net/if.h>
 #include <stdarg.h>
 
-static void fnet_run(int num, ...) {
- int i;
- va_list valist;
- va_start(valist, num);
-
- char *fnet;
- if (asprintf(&fnet, "%s/firejail/fnet", LIBDIR) == -1)
- errExit("asprintf");
-
- char *arg[num + 2];
- arg[0] = fnet;
- for (i = 0; i < num; i++)
- arg[i + 1] = va_arg(valist, char*);
- arg[i + 1] = NULL;
-
- pid_t child = fork();
- if (child < 0)
- errExit("fork");
- if (child == 0) {
- // elevate privileges in order to get grsecurity working
- if (setreuid(0, 0))
- errExit("setreuid");
- if (setregid(0, 0))
- errExit("setregid");
-
- execvp(arg[0], arg);
- perror("execl");
- _exit(1);
- }
-
- int status;
- if (waitpid(child, &status, 0) == -1 ) {
- errExit("waitpid");
- }
- if (WIFEXITED(status) && status != 0) {
- fprintf(stderr, "Error: cannot run fnet\n");
- exit(1);
- }
-
- va_end(valist);
- free(fnet);
-}
-
 // configure bridge structure
 // - extract ip address and mask from the bridge interface
 void net_configure_bridge(Bridge *br, char *dev_name) {
@@ -175,7 +132,7 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child) {
  char *cstr;
  if (asprintf(&cstr, "%d", child) == -1)
  errExit("asprintf");
- fnet_run(6, "create", "veth", dev, ifname, br->dev, cstr);
+ sbox_run(SBOX_ROOT | SBOX_SECCOMP, 7, PATH_FNET, "create", "veth", dev, ifname, br->dev, cstr);
  free(cstr);
 
  char *msg;
@@ -344,49 +301,49 @@ void network_main(pid_t child) {
  }
  else
 // net_create_macvlan(cfg.bridge0.devsandbox, cfg.bridge0.dev, child);
- fnet_run(5, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr);
+ sbox_run(SBOX_ROOT | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr);
  }
 
  if (cfg.bridge1.configured) {
  if (cfg.bridge1.macvlan == 0)
  net_configure_veth_pair(&cfg.bridge1, "eth1", child);
  else
 // net_create_macvlan(cfg.bridge1.devsandbox, cfg.bridge1.dev, child);
- fnet_run(5, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr);
+ sbox_run(SBOX_ROOT | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr);
  }
 
  if (cfg.bridge2.configured) {
  if (cfg.bridge2.macvlan == 0)
  net_configure_veth_pair(&cfg.bridge2, "eth2", child);
  else
 // net_create_macvlan(cfg.bridge2.devsandbox, cfg.bridge2.dev, child);
- fnet_run(5, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr);
+ sbox_run(SBOX_ROOT | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr);
  }
 
  if (cfg.bridge3.configured) {
  if (cfg.bridge3.macvlan == 0)
  net_configure_veth_pair(&cfg.bridge3, "eth3", child);
  else
 // net_create_macvlan(cfg.bridge3.devsandbox, cfg.bridge3.dev, child);
- fnet_run(5, "create", "macvlan", cfg.bridge3.devsandbox, cfg.bridge3.dev, cstr);
+ sbox_run(SBOX_ROOT | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge3.devsandbox, cfg.bridge3.dev, cstr);
  }
 
  // move interfaces in sandbox
  if (cfg.interface0.configured) {
 // net_move_interface(cfg.interface0.dev, child);
- fnet_run(3, "moveif", cfg.interface0.dev, cstr);
+ sbox_run(SBOX_ROOT | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface0.dev, cstr);
  }
  if (cfg.interface1.configured) {
 // net_move_interface(cfg.interface1.dev, child);
- fnet_run(3, "moveif", cfg.interface1.dev, cstr);
+ sbox_run(SBOX_ROOT | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface1.dev, cstr);
  }
  if (cfg.interface2.configured) {
 // net_move_interface(cfg.interface2.dev, child);
- fnet_run(3, "moveif", cfg.interface3.dev, cstr);
+ sbox_run(SBOX_ROOT | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface3.dev, cstr);
  }
  if (cfg.interface3.configured) {
 // net_move_interface(cfg.interface3.dev, child);
- fnet_run(3, "moveif", cfg.interface3.dev, cstr);
+ sbox_run(SBOX_ROOT | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface3.dev, cstr);
  }
 
  free(cstr);

src/firejail/protocol.c

@@ -47,7 +47,7 @@
 
 #ifdef HAVE_SECCOMP
 #include "firejail.h"
-#include "seccomp.h"
+#include "../include/seccomp.h"
 #include <sys/types.h>
 #include <sys/socket.h>