prevent leaking user information by modifying /home directory, /etc/p…
…asswd and /etc/group
netblue30 committed Nov 19, 2015
1 parent bd16cb3 commit 4f003da
Showing 4 changed files with 344 additions and 54 deletions.
4 changes: 3 additions & 1 deletion RELNOTES
@@ -1,7 +1,9 @@
firejail (0.9.34) baseline; urgency=low
firejail (0.9.35) baseline; urgency=low
* added unbound and dnscrypt-proxy profiles
* added --noblacklist option
* whitelist command enhancements
* prevent leaking user information by modifying /home directory,
/etc/passwd and /etc/group
* bugfixes
-- netblue30 <[email protected]> ongoing development

7 changes: 7 additions & 0 deletions src/firejail/firejail.h
@@ -52,6 +52,8 @@
#define RESOLVCONF_FILE "/run/firejail/mnt/resolv.conf"
#define LDPRELOAD_FILE "/run/firejail/mnt/ld.so.preload"
#define UTMP_FILE "/run/firejail/mnt/utmp"
#define PASSWD_FILE "/run/firejail/mnt/passwd"
#define GROUP_FILE "/run/firejail/mnt/group"

// profiles
#define DEFAULT_USER_PROFILE "generic"
@@ -468,5 +470,10 @@ void protocol_store(const char *prlist);
void protocol_filter(void);
void protocol_filter_save(void);
void protocol_filter_load(const char *fname);

// restrict_users.c
void restrict_users(void);


#endif

59 changes: 6 additions & 53 deletions src/firejail/fs.c
@@ -539,49 +539,6 @@ void fs_proc_sys_dev_boot(void) {
}
}

static void sanitize_home(void) {
assert(getuid() != 0); // this code works only for regular users

if (arg_debug)
printf("Cleaning /home directory\n");

struct stat s;
if (stat(cfg.homedir, &s) == -1) {
// cannot find home directory, just return
fprintf(stderr, "Warning: cannot find home directory\n");
return;
}

fs_build_mnt_dir();
if (mkdir(WHITELIST_HOME_DIR, 0755) == -1)
errExit("mkdir");

// keep a copy of the user home directory
if (mount(cfg.homedir, WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
errExit("mount bind");

// mount tmpfs in the new home
if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
errExit("mount tmpfs");

// create user home directory
if (mkdir(cfg.homedir, 0755) == -1)
errExit("mkdir");

// set mode and ownership
if (chown(cfg.homedir, s.st_uid, s.st_gid) == -1)
errExit("chown");
if (chmod(cfg.homedir, s.st_mode) == -1)
errExit("chmod");

// mount user home directory
if (mount(WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
errExit("mount bind");

// mask home dir under /run
if (mount("tmpfs", WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
errExit("mount tmpfs");
}

// build a basic read-only filesystem
void fs_basic_fs(void) {
@@ -605,9 +562,8 @@ void fs_basic_fs(void) {
fs_var_cache();
fs_var_utmp();

// only in user mode
if (getuid())
sanitize_home();
// don't leak user information
restrict_users();
}


@@ -751,9 +707,8 @@ void fs_overlayfs(void) {
fs_var_cache();
fs_var_utmp();

// only in user mode
if (getuid())
sanitize_home();
// don't leak user information
restrict_users();

// cleanup and exit
free(option);
@@ -874,10 +829,8 @@ void fs_chroot(const char *rootdir) {
fs_var_cache();
fs_var_utmp();

// only in user mode
if (getuid())
sanitize_home();

// don't leak user information
restrict_users();
}
#endif
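Review bot: All three call sites (fs_basic_fs, fs_overlayfs, fs_chroot) now call `restrict_users()` unconditionally, whereas the removed code ran `sanitize_home()` only under `if (getuid())` and that function asserted a non-root caller. restrict_users.c is not shown on this page, so whether the new helper returns early for uid 0 cannot be confirmed from these hunks; if it does not, a sandbox started by root would get the /home, /etc/passwd and /etc/group changes that the old code deliberately skipped. Either keep the guard, `if (getuid()) restrict_users();`, or state the contract at the call, e.g. `// hide other users; restrict_users() returns early for root`. In fs_chroot the call presumably acts on the chroot tree, so the helper should also tolerate a missing /etc/passwd or /etc/group there. The three function bodies begin outside their hunks.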

