
mount runtime seccomp files read-only (#2602)

avoid creating locations in the file system that are both writable and
executable (in this case for processes with euid of the user).

for the same reason, also remove user-owned libfiles
when it is no longer needed
smitsohu committed Mar 23, 2019
1 parent 98ea844 commit eecf35c2f8249489a1d3e512bb07f0d427183134
Showing with 16 additions and 11 deletions.
  1. +8 −8 src/firejail/firejail.h
  2. +1 −0 src/firejail/fs_lib.c
  3. +2 −0 src/firejail/preproc.c
  4. +5 −3 src/firejail/sandbox.c
@@ -57,13 +57,14 @@
#define RUN_LIB_FILE "/run/firejail/mnt/libfiles"
#define RUN_DNS_ETC "/run/firejail/mnt/dns-etc"

#define RUN_SECCOMP_LIST "/run/firejail/mnt/seccomp.list" // list of seccomp files installed
#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter
#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter
#define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp.32" // 32bit arch filter installed on 64bit architectures
#define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute
#define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter
#define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library
#define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp"
#define RUN_SECCOMP_LIST "/run/firejail/mnt/seccomp/seccomp.list" // list of seccomp files installed
#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp/seccomp.protocol" // protocol filter
#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp/seccomp" // configured filter
#define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp/seccomp.32" // 32bit arch filter installed on 64bit architectures
#define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp/seccomp.mdwx" // filter for memory-deny-write-execute
#define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp/seccomp.block_secondary" // secondary arch blocking filter
#define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp/seccomp.postexec" // filter for post-exec library
#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make
#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make
#define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make
@@ -95,7 +96,6 @@
#define RUN_ASOUNDRC_FILE "/run/firejail/mnt/.asoundrc"
#define RUN_HOSTNAME_FILE "/run/firejail/mnt/hostname"
#define RUN_HOSTS_FILE "/run/firejail/mnt/hosts"
#define RUN_RESOLVCONF_FILE "/run/firejail/mnt/resolv.conf"
#define RUN_MACHINEID "/run/firejail/mnt/machine-id"
#define RUN_LDPRELOAD_FILE "/run/firejail/mnt/ld.so.preload"
#define RUN_UTMP_FILE "/run/firejail/mnt/utmp"
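Review bot: RUN_SECCOMP_DIR is the only macro in the seccomp group without a trailing comment, although it is the path the other seven are now nested under and the one sandbox.c later hands to fs_rdonly(); suggest `#define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp" // all runtime seccomp filters; remounted read-only once installed`. Note that the old RUN_SECCOMP_CFG path was exactly this string, so anything that still treats /run/firejail/mnt/seccomp as a file now finds a directory — worth a grep for the old literal outside this header. The second hunk appears to drop RUN_RESOLVCONF_FILE, which the commit message does not mention; if that removal is intentional, a sentence in the description would help.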
@@ -133,6 +133,7 @@ void fslib_copy_libs(const char *full_path) {
fslib_duplicate(buf);
}
fclose(fp);
unlink(RUN_LIB_FILE);
}


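Review bot: The new `unlink(RUN_LIB_FILE);` discards its result, whereas the unlink of RUN_SECCOMP_MDWX in sandbox.c stores the result and discards it explicitly; for consistency, and to say why the file is removed at all, suggest `int rv = unlink(RUN_LIB_FILE); // user-owned list no longer needed; leave no user-writable file under the mount dir` followed by `(void) rv;`. A failed unlink leaves behind exactly the user-writable file this commit sets out to remove, so if fslib_copy_libs has a debug path it may be worth reporting the failure there rather than staying silent. fslib_copy_libs starts outside the hunk.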
@@ -86,6 +86,8 @@ void preproc_mount_mnt_dir(void) {
fs_logger2("tmpfs", RUN_MNT_DIR);

#ifdef HAVE_SECCOMP
create_empty_dir_as_root(RUN_SECCOMP_DIR, 0755);

if (arg_seccomp_block_secondary)
copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed
else {
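Review bot: The new create_empty_dir_as_root() call carries no comment explaining why the filters now get a directory of their own, which only becomes clear from the fs_rdonly(RUN_SECCOMP_DIR) call in sandbox.c; suggest `create_empty_dir_as_root(RUN_SECCOMP_DIR, 0755); // one directory for all filters so sandbox() can remount it read-only as a unit`. The files copied into it are still owned by the calling user with mode 0644 (the copy_file call on the next line), so until that remount happens they remain user-writable; if that window is acceptable, a note here saying the read-only step closes it saves the next reader a search. preproc_mount_mnt_dir continues outside the hunk.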
@@ -1053,9 +1053,6 @@ int sandbox(void* sandbox_arg) {
// save state of nonewprivs
save_nonewprivs();

// set capabilities
set_caps();

// save cpu affinity mask to CPU_CFG file
save_cpu();

@@ -1101,8 +1098,13 @@ int sandbox(void* sandbox_arg) {
int rv = unlink(RUN_SECCOMP_MDWX);
(void) rv;
}
// make seccomp filters read-only
fs_rdonly(RUN_SECCOMP_DIR);
#endif

// set capabilities
set_caps();

//****************************************
// communicate progress of sandbox set up
// to --join
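Review bot: set_caps() now runs after fs_rdonly(RUN_SECCOMP_DIR) in the second hunk, and nothing in the code records that the order is deliberate; presumably the remount needs the mount capability and would fail once capabilities are dropped, so suggest replacing the comment with `// set capabilities - must stay after fs_rdonly() above, which still needs CAP_SYS_ADMIN for the remount`. Moving the drop later also means everything between the old position (before save_cpu()) and the new one now runs with the full capability set; those lines are outside the hunk, so it is worth confirming nothing there handles untrusted input. If fs_rdonly() can report failure, the filters would stay writable in a silently weaker sandbox; its signature is not visible here, but if it returns a status it should be checked. Both hunks are inside sandbox(), which starts and ends outside the page.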
