security fix
netblue30 committed Jan 6, 2017
1 parent d37421f commit 6b8dba2
Showing 3 changed files with 25 additions and 1 deletion.
3 changes: 3 additions & 0 deletions RELNOTES
@@ -1,5 +1,8 @@
firejail (0.9.44.3) baseline; urgency=low
* development version
* security: disabled --allow-debuggers when running on kernel
versions prior to 4.8; a kernel bug in ptrace system call
allows a full bypass of seccomp filter; problem reported by Lizzie Dixon
* security: root exploit found by Sebastian Krahmer
-- netblue30 <netblue30@yahoo.com> Wed, 4 Jan 2017 11:00:00 -0500

19 changes: 19 additions & 0 deletions src/firejail/main.c
Expand Up @@ -35,6 +35,7 @@
#include <signal.h>
#include <time.h>
#include <net/if.h>
#include <sys/utsname.h>

#if 0
#include <sys/times.h>
Expand Down Expand Up @@ -802,6 +803,24 @@ static void detect_allow_debuggers(int argc, char **argv) {
// detect --allow-debuggers
for (i = 1; i < argc; i++) {
if (strcmp(argv[i], "--allow-debuggers") == 0) {
// check kernel version
struct utsname u;
int rv = uname(&u);
if (rv != 0)
errExit("uname");
int major;
int minor;
if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
exit(1);
}
if (major < 4 || (major == 4 && minor < 8)) {
fprintf(stderr, "Error: --allow-debuggers is disabled on Linux kernels prior to 4.8. "
"A bug in ptrace call allows a full bypass of the seccomp filter. "
"Your current kernel version is %d.%d.\n", major, minor);
exit(1);
}

arg_allow_debuggers = 1;
break;
}
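Review bot: The failure branch of the `sscanf` call reports `u.version` although the string that was actually parsed is `u.release`, so a parse failure would print the wrong field and mislead whoever reads the diagnostic; the line should be `fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.release);`. The numeric gate is a heuristic rather than a test of the ptrace behaviour itself, so kernels from an older series that carry a backported fix are refused while nothing verifies that a 4.8+ kernel is actually patched, and a short comment stating that limitation above the `major < 4` test would help future maintainers. The check fires only when the literal `--allow-debuggers` token appears in `argv`; if the same option can also be enabled from a profile file (not visible in this commit), that path is presumably not gated and would deserve the same check. `detect_allow_debuggers` begins before this hunk and continues past it.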
4 changes: 3 additions & 1 deletion src/man/firejail.txt
Expand Up @@ -76,7 +76,9 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox
Signal the end of options and disables further option processing.
.TP
\fB\-\-allow-debuggers
Allow tools such as strace and gdb inside the sandbox.
Allow tools such as strace and gdb inside the sandbox. This option is only available
when running on Linux kernels 4.8 or newer - a kernel bug in ptrace system call allows a full
bypass of the seccomp filter.
.br

.br
