Permalink
Browse files

spoof machine-id

  • Loading branch information...
1 parent 3a88d1d commit d0cc960c9cd3bdab63dde02367bb9646134a7e28 @netblue30 committed Dec 5, 2016
Showing with 92 additions and 1 deletion.
  1. +7 −0 README.md
  2. +1 −0 RELNOTES
  3. +2 −0 src/firejail/firejail.h
  4. +4 −1 src/firejail/fs.c
  5. +51 −0 src/firejail/fs_etc.c
  6. +4 −0 src/firejail/main.c
  7. +4 −0 src/firejail/profile.c
  8. +3 −0 src/firejail/usage.c
  9. +4 −0 src/man/firejail-profile.txt
  10. +10 −0 src/man/firejail.txt
  11. +2 −0 todo
View
@@ -74,6 +74,13 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is
Example:
# firejail --private-srv=www /etc/init.d/apache2 start
+
+ --machine-id
+ Preserve id number in /etc/machine-id file. By default a new
+ random id is generated inside the sandbox.
+
+ Example:
+ $ firejail --machine-id
`````
## New Profiles
xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2,
View
@@ -11,6 +11,7 @@ firejail (0.9.45) baseline; urgency=low
* feature: test coverage (gcov) support
* feature: private /opt directory (--private-opt, profile support)
* feature: private /srv directory (--private-srv, profile support)
+ * feature: spoof machine-id
* new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,
* new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
* new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,
@@ -78,6 +78,7 @@
#define RUN_HOSTNAME_FILE "/run/firejail/mnt/hostname"
#define RUN_HOSTS_FILE "/run/firejail/mnt/hosts"
#define RUN_RESOLVCONF_FILE "/run/firejail/mnt/resolv.conf"
+#define RUN_MACHINEID "/run/firejail/mnt/machine-id"
#define RUN_LDPRELOAD_FILE "/run/firejail/mnt/ld.so.preload"
#define RUN_UTMP_FILE "/run/firejail/mnt/utmp"
#define RUN_PASSWD_FILE "/run/firejail/mnt/passwd"
@@ -342,6 +343,7 @@ extern int arg_allow_debuggers; // allow debuggers
extern int arg_x11_block; // block X11
extern int arg_x11_xorg; // use X11 security extention
extern int arg_allusers; // all user home directories visible
+extern int arg_machineid; // preserve /etc/machine-id
extern int login_shell;
extern int parent_to_child_fds[2];
View
@@ -597,7 +597,8 @@ void fs_basic_fs(void) {
fs_var_lib();
fs_var_cache();
fs_var_utmp();
-
+ fs_machineid();
+
// don't leak user information
restrict_users();
@@ -880,6 +881,7 @@ void fs_overlayfs(void) {
fs_var_lib();
fs_var_cache();
fs_var_utmp();
+ fs_machineid();
// don't leak user information
restrict_users();
@@ -1061,6 +1063,7 @@ void fs_chroot(const char *rootdir) {
fs_var_lib();
fs_var_cache();
fs_var_utmp();
+ fs_machineid();
// don't leak user information
restrict_users();
View
@@ -23,6 +23,57 @@
#include <sys/types.h>
#include <unistd.h>
+// spoof /etc/machine_id
+void fs_machineid(void) {
+ union machineid_t {
+ uint8_t u8[16];
+ uint32_t u32[4];
+ } mid;
+
+ // if --machine-id flag is active, do nothing
+ if (arg_machineid)
+ return;
+
+ // init random number generator
+ srand(time(NULL));
+
+ // generate random id
+ mid.u32[0] = rand();
+ mid.u32[1] = rand();
+ mid.u32[2] = rand();
+ mid.u32[3] = rand();
+
+ // UUID version 4 and DCE variant
+ mid.u8[6] = (mid.u8[6] & 0x0F) | 0x40;
+ mid.u8[8] = (mid.u8[8] & 0x3F) | 0x80;
+
+ // write it in a file
+ FILE *fp = fopen(RUN_MACHINEID, "w");
+ if (!fp)
+ errExit("fopen");
+ fprintf(fp, "%08x%08x%08x%08x\n", mid.u32[0], mid.u32[1], mid.u32[2], mid.u32[3]);
+ fclose(fp);
+ if (set_perms(RUN_MACHINEID, 0, 0, 0444))
+ errExit("set_perms");
+
+
+ struct stat s;
+ // mount-bind
+ if (stat("/etc/machine-id", &s) == 0) {
+ if (arg_debug)
+ printf("installing a new /etc/machine-id\n");
+
+ if (mount(RUN_MACHINEID, "/etc/machine-id", "none", MS_BIND, "mode=444,gid=0"))
+ errExit("mount");
+ }
+//#if 0 // todo: investigate
+ if (stat("/var/lib/dbus/machine-id", &s) == 0) {
+ if (mount(RUN_MACHINEID, "/etc/machine-id", "none", MS_BIND, "mode=444,gid=0"))
+ errExit("mount");
+ }
+//#endif
+}
+
// return 0 if file not found, 1 if found
static int check_dir_or_file(const char *fname) {
assert(fname);
View
@@ -111,6 +111,7 @@ int arg_allow_debuggers = 0; // allow debuggers
int arg_x11_block = 0; // block X11
int arg_x11_xorg = 0; // use X11 security extention
int arg_allusers = 0; // all user home directories visible
+int arg_machineid = 0; // preserve /etc/machine-id
int login_shell = 0;
@@ -1520,6 +1521,9 @@ int main(int argc, char **argv) {
else if (strcmp(argv[i], "--writable-var") == 0) {
arg_writable_var = 1;
}
+ else if (strcmp(argv[i], "--machine-id") == 0) {
+ arg_machineid = 1;
+ }
else if (strcmp(argv[i], "--private") == 0) {
arg_private = 1;
}
@@ -650,6 +650,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
return 0;
}
+ if (strcmp(ptr, "machine-id") == 0) {
+ arg_machineid = 1;
+ return 0;
+ }
// writable-var
if (strcmp(ptr, "writable-var") == 0) {
arg_writable_var = 1;
@@ -94,6 +94,9 @@ void usage(void) {
printf(" --ls=name|pid dir_or_filename - list files in sandbox container.\n");
#ifdef HAVE_NETWORK
printf(" --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n");
+#endif
+ printf(" --machine-id - preserve /etc/machine-id\n");
+#ifdef HAVE_NETWORK
printf(" --mtu=number - set interface MTU.\n");
#endif
printf(" --name=name - set sandbox name.\n");
@@ -447,6 +447,10 @@ iprange 192.168.1.150,192.168.1.160
Assign MAC addresses to the last network interface defined by a net command.
.TP
+\fBmachine-id
+Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox.
+
+.TP
\fBmtu number
Assign a MTU value to the last network interface defined by a net command.
View
@@ -666,6 +666,16 @@ Example:
$ firejail \-\-net=eth0 \-\-mac=00:11:22:33:44:55 firefox
.TP
+\fB\-\-machine-id
+Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-machine-id
+
+.TP
\fB\-\-mtu=number
Assign a MTU value to the last network interface defined by a \-\-net option.
.br
View
@@ -299,3 +299,5 @@ read-only /var
read-only /bin
31. --private and --allusers are coliding
+
+32. machine-id defined in rfc4122

0 comments on commit d0cc960

Please sign in to comment.