sbox
netblue30 committed Oct 28, 2016
1 parent 0963337 commit 196a857
Showing 11 changed files with 229 additions and 167 deletions.
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -18,4 +18,5 @@ src/firecfg/firecfg
src/ftee/ftee
src/tags
src/faudit/faudit
src/fnet/fnet
uids.h
2 changes: 1 addition & 1 deletion src/firejail/Makefile.in
Expand Up @@ -30,7 +30,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread

%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h
%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h
$(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@

firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o
12 changes: 12 additions & 0 deletions src/firejail/firejail.h
Expand Up @@ -25,6 +25,7 @@
// debug restricted shell
//#define DEBUG_RESTRICTED_SHELL


// filesystem
#define RUN_FIREJAIL_BASEDIR "/run"
#define RUN_FIREJAIL_DIR "/run/firejail"
Expand Down Expand Up @@ -681,6 +682,17 @@ long unsigned int appimage2_size(const char *fname);
// cmdline.c
void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index);

// sbox.c
// programs
#define PATH_FNET (LIBDIR "/firejail/fnet")
#define PATH_FIREMON (PREFIX "/bin/firemon")
// bitmapped filters for sbox_run
#define SBOX_ROOT 1
#define SBOX_USER 2
#define SBOX_CAPS 4
#define SBOX_SECCOMP 8
int sbox_run(unsigned filter, int num, ...);


#endif
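Review bot: The new `sbox_run` prototype is undocumented, and its calling convention differs from the `fnet_run` it replaces: at the call sites in main.c and network_main.c, `num` counts the program path as well (`sbox_run(..., 2, PATH_FIREMON, "--list")`), whereas `fnet_run(num, ...)` counted only the arguments after the program. A comment above the prototype should state that, along with what the return value means (main.c passes it straight to `exit()`) and whether SBOX_ROOT and SBOX_USER are meant to be mutually exclusive; sbox.c is not in this view, so those semantics are inferred from the callers and need confirming. Suggested wording: `// run a program in a restricted child; num counts every argv entry including the program path, returns the child's exit status (confirm against sbox.c)`.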

101 changes: 0 additions & 101 deletions src/firejail/list.c

This file was deleted.

27 changes: 16 additions & 11 deletions src/firejail/main.c
Expand Up @@ -54,9 +54,9 @@ Config cfg; // configuration
int arg_private = 0; // mount private /home and /tmp directoryu
int arg_private_template = 0; // mount private /home using a template
int arg_debug = 0; // print debug messages
int arg_debug_check_filename; // print debug messages for filename checking
int arg_debug_blacklists; // print debug messages for blacklists
int arg_debug_whitelists; // print debug messages for whitelists
int arg_debug_check_filename = 0; // print debug messages for filename checking
int arg_debug_blacklists = 0; // print debug messages for blacklists
int arg_debug_whitelists = 0; // print debug messages for whitelists
int arg_nonetwork = 0; // --net=none
int arg_command = 0; // -c
int arg_overlay = 0; // overlay option
Expand Down Expand Up @@ -498,27 +498,32 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
exit(0);
}
else if (strcmp(argv[i], "--list") == 0) {
list();
exit(0);
int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
exit(rv);
}
else if (strcmp(argv[i], "--tree") == 0) {
tree();
exit(0);
int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
exit(rv);
}
else if (strcmp(argv[i], "--top") == 0) {
top();
exit(0);
int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--top");
exit(rv);
}
#ifdef HAVE_NETWORK
else if (strcmp(argv[i], "--netstats") == 0) {
if (checkcfg(CFG_NETWORK)) {
netstats();
struct stat s;
int rv;
if (stat("/proc/sys/kernel/grsecurity", &s) == 0)
rv = sbox_run(SBOX_ROOT | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--netstats");
else
rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--netstats");
exit(rv);
}
else {
fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
exit(1);
}
exit(0);
}
#endif
#ifdef HAVE_FILE_TRANSFER
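Review bot: In the `--netstats` branch the trailing `exit(0);` after the if/else is now unreachable, because the `checkcfg` branch ends in `exit(rv)` and the else branch in `exit(1)`; drop that line so readers do not assume a fall-through path exists. In all four new branches `rv` from `sbox_run` is handed directly to `exit()`; if sbox_run returns the raw waitpid status rather than a decoded exit code (sbox.c is not in this view), `exit()` keeps only the low 8 bits and the reported status would be wrong, which is worth confirming. The `stat("/proc/sys/kernel/grsecurity", &s)` probe also deserves a why-comment, since the only hint is the comment in the deleted fnet_run ("elevate privileges in order to get grsecurity working"): `// on grsecurity systems firemon needs root to read /proc; SBOX_CAPS and SBOX_SECCOMP still apply`. run_cmd_and_exit starts and ends outside this hunk.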
61 changes: 9 additions & 52 deletions src/firejail/network_main.c
Expand Up @@ -25,49 +25,6 @@
#include <net/if.h>
#include <stdarg.h>

static void fnet_run(int num, ...) {
int i;
va_list valist;
va_start(valist, num);

char *fnet;
if (asprintf(&fnet, "%s/firejail/fnet", LIBDIR) == -1)
errExit("asprintf");

char *arg[num + 2];
arg[0] = fnet;
for (i = 0; i < num; i++)
arg[i + 1] = va_arg(valist, char*);
arg[i + 1] = NULL;

pid_t child = fork();
if (child < 0)
errExit("fork");
if (child == 0) {
// elevate privileges in order to get grsecurity working
if (setreuid(0, 0))
errExit("setreuid");
if (setregid(0, 0))
errExit("setregid");

execvp(arg[0], arg);
perror("execl");
_exit(1);
}

int status;
if (waitpid(child, &status, 0) == -1 ) {
errExit("waitpid");
}
if (WIFEXITED(status) && status != 0) {
fprintf(stderr, "Error: cannot run fnet\n");
exit(1);
}

va_end(valist);
free(fnet);
}

// configure bridge structure
// - extract ip address and mask from the bridge interface
void net_configure_bridge(Bridge *br, char *dev_name) {
Expand Down Expand Up @@ -175,7 +132,7 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child) {
char *cstr;
if (asprintf(&cstr, "%d", child) == -1)
errExit("asprintf");
fnet_run(6, "create", "veth", dev, ifname, br->dev, cstr);
sbox_run(SBOX_ROOT | SBOX_SECCOMP, 7, PATH_FNET, "create", "veth", dev, ifname, br->dev, cstr);
free(cstr);

char *msg;
Expand Down Expand Up @@ -344,49 +301,49 @@ void network_main(pid_t child) {
}
else
// net_create_macvlan(cfg.bridge0.devsandbox, cfg.bridge0.dev, child);
fnet_run(5, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr);
sbox_run(SBOX_ROOT | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr);
}

if (cfg.bridge1.configured) {
if (cfg.bridge1.macvlan == 0)
net_configure_veth_pair(&cfg.bridge1, "eth1", child);
else
// net_create_macvlan(cfg.bridge1.devsandbox, cfg.bridge1.dev, child);
fnet_run(5, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr);
sbox_run(SBOX_ROOT | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr);
}

if (cfg.bridge2.configured) {
if (cfg.bridge2.macvlan == 0)
net_configure_veth_pair(&cfg.bridge2, "eth2", child);
else
// net_create_macvlan(cfg.bridge2.devsandbox, cfg.bridge2.dev, child);
fnet_run(5, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr);
sbox_run(SBOX_ROOT | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr);
}

if (cfg.bridge3.configured) {
if (cfg.bridge3.macvlan == 0)
net_configure_veth_pair(&cfg.bridge3, "eth3", child);
else
// net_create_macvlan(cfg.bridge3.devsandbox, cfg.bridge3.dev, child);
fnet_run(5, "create", "macvlan", cfg.bridge3.devsandbox, cfg.bridge3.dev, cstr);
sbox_run(SBOX_ROOT | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge3.devsandbox, cfg.bridge3.dev, cstr);
}

// move interfaces in sandbox
if (cfg.interface0.configured) {
// net_move_interface(cfg.interface0.dev, child);
fnet_run(3, "moveif", cfg.interface0.dev, cstr);
sbox_run(SBOX_ROOT | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface0.dev, cstr);
}
if (cfg.interface1.configured) {
// net_move_interface(cfg.interface1.dev, child);
fnet_run(3, "moveif", cfg.interface1.dev, cstr);
sbox_run(SBOX_ROOT | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface1.dev, cstr);
}
if (cfg.interface2.configured) {
// net_move_interface(cfg.interface2.dev, child);
fnet_run(3, "moveif", cfg.interface3.dev, cstr);
sbox_run(SBOX_ROOT | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface3.dev, cstr);
}
if (cfg.interface3.configured) {
// net_move_interface(cfg.interface3.dev, child);
fnet_run(3, "moveif", cfg.interface3.dev, cstr);
sbox_run(SBOX_ROOT | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface3.dev, cstr);
}

free(cstr);
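Review bot: Under `if (cfg.interface2.configured)` the rewritten call still passes `cfg.interface3.dev`, so when only interface2 is configured the sandbox moves whatever interface3.dev holds instead of the intended device; the commented-out line just above shows the intent, so it should read `sbox_run(SBOX_ROOT | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface2.dev, cstr);`. The mix-up predates this commit, but the new line carries it forward. Separately, every sbox_run call in this file (including the veth call in net_configure_veth_pair in the previous hunk) discards the return value, whereas the deleted fnet_run exited with "Error: cannot run fnet" on a non-zero child status; unless sbox_run itself aborts on failure (sbox.c is not in this view), a failed `fnet create` or `moveif` now leaves the sandbox without its network and without any error, so the result should be checked, e.g. `if (sbox_run(SBOX_ROOT | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface2.dev, cstr) != 0) { fprintf(stderr, "Error: cannot run fnet\n"); exit(1); }`. network_main begins and ends outside this hunk.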
2 changes: 1 addition & 1 deletion src/firejail/protocol.c
Expand Up @@ -47,7 +47,7 @@

#ifdef HAVE_SECCOMP
#include "firejail.h"
#include "seccomp.h"
#include "../include/seccomp.h"
#include <sys/types.h>
#include <sys/socket.h>
