allow user access to /sys/fs (--noblacklist=/sys/fs)

onny · Oct 17, 2016 · bb6c744 · bb6c744
1 parent f88f8c6
commit bb6c744
Show file tree

Hide file tree

Showing 6 changed files with 63 additions and 11 deletions.
diff --git a/RELNOTES b/RELNOTES
@@ -5,6 +5,7 @@ firejail (0.9.44~rc1) baseline; urgency=low
  * modifs: --private-tmp whitelists /tmp/.X11-unix directory
  * modifs: Nvidia drivers added to --private-dev
  * modifs: /srv supported by --whitelist
+ * feature: allow user access to /sys/fs (--noblacklist=/sys/fs)
  * feature: support starting/joining sandbox is a single command
  (--join-or-start)
  * feature: X11 detection support for --audit

diff --git a/configure b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.44~rc1.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.44~rc2.
 #
 # Report bugs to <[email protected]>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.44~rc1'
-PACKAGE_STRING='firejail 0.9.44~rc1'
+PACKAGE_VERSION='0.9.44~rc2'
+PACKAGE_STRING='firejail 0.9.44~rc2'
 PACKAGE_BUGREPORT='[email protected]'
 PACKAGE_URL='http:https://firejail.wordpress.com'
 
@@ -1259,7 +1259,7 @@ if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
-\`configure' configures firejail 0.9.44~rc1 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.44~rc2 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1320,7 +1320,7 @@ fi
 
 if test -n "$ac_init_help"; then
  case $ac_init_help in
- short | recursive ) echo "Configuration of firejail 0.9.44~rc1:";;
+ short | recursive ) echo "Configuration of firejail 0.9.44~rc2:";;
  esac
  cat <<\_ACEOF
 
@@ -1424,7 +1424,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
  cat <<\_ACEOF
-firejail configure 0.9.44~rc1
+firejail configure 0.9.44~rc2
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1726,7 +1726,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by firejail $as_me 0.9.44~rc1, which was
+It was created by firejail $as_me 0.9.44~rc2, which was
 generated by GNU Autoconf 2.69. Invocation command line was
 
  $ $0 $@
@@ -4303,7 +4303,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.44~rc1, which was
+This file was extended by firejail $as_me 0.9.44~rc2, which was
 generated by GNU Autoconf 2.69. Invocation command line was
 
  CONFIG_FILES = $CONFIG_FILES
@@ -4357,7 +4357,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.44~rc1
+firejail config.status 0.9.44~rc2
 configured by $0, generated by GNU Autoconf 2.69,
  with options \\"\$ac_cs_config\\"
 

diff --git a/configure.ac b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.44~rc1, [email protected], , http:https://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.44~rc2, [email protected], , http:https://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
 

diff --git a/src/firejail/fs.c b/src/firejail/fs.c
@@ -649,7 +649,11 @@ void fs_proc_sys_dev_boot(void) {
 
  disable_file(BLACKLIST_FILE, "/sys/firmware");
  disable_file(BLACKLIST_FILE, "/sys/hypervisor");
- disable_file(BLACKLIST_FILE, "/sys/fs");
+ { // allow user access to /sys/fs if "--noblacklist=/sys/fs" is present on the command line
+ EUID_USER(); 
+ profile_add("blacklist /sys/fs");
+ EUID_ROOT();
+ }
  disable_file(BLACKLIST_FILE, "/sys/module");
  disable_file(BLACKLIST_FILE, "/sys/power");
  disable_file(BLACKLIST_FILE, "/sys/kernel/debug");

diff --git a/test/fs/fs.sh b/test/fs/fs.sh
@@ -6,6 +6,9 @@
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
 
+echo "TESTING: /sys/fs access (test/fs/sys_fs.exp)"
+./sys_fs.exp
+
 echo "TESTING: kmsg access (test/fs/kmsg.exp)"
 ./kmsg.exp
 

diff --git a/test/fs/sys_fs.exp b/test/fs/sys_fs.exp
@@ -0,0 +1,44 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "ls /sys/fs\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "Permission denied"
+}
+after 100
+
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --noblacklist=/sys/fs\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "ls /sys/fs\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "cgroup"
+}
+after 100
+send -- "exit\r"
+after 100
+
+puts "\nall done\n"
+