- Update to version 0.9.44.4:

* --bandwidth root shell found by Martin Carpenter (CVE-2017-5207)
  * disabled --allow-debuggers when running on kernel versions prior
    to 4.8; a kernel bug in the ptrace system call allows a full bypass
    of the seccomp filter; problem reported by Lizzie Dixon (CVE-2017-5206)
  * root exploit found by Sebastian Krahmer (CVE-2017-5180)
- Update to version 0.9.44.6:
  * new fix for CVE-2017-5180 reported by Sebastian Krahmer last week
  * major cleanup of file copying code
  * tightening the rules for --chroot and --overlay features
  * ported Gentoo compile patch
  * Nvidia drivers bug in --private-dev
  * fix ASSERT_PERMS_FD macro
  * allow local customization using .local files under /etc/firejail
    backported from our development branch
  * spoof machine-id backported from our development branch
- Remove obsoleted patches:
  firejail-CVE-2017-5180-fix1.patch
  firejail-CVE-2017-5180-fix2.patch

OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=6
Takashi Iwai 2017-01-16 15:36:03 +00:00 committed by Git OBS Bridge
parent 7a7ff5e7fe
commit f1a8cd5699
6 changed files with 27 additions and 348 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c5adef1943daa33049c4c39e5a19a0d02b897f1b1581be094ec600490dde8851
size 213092

firejail-0.9.44.6.tar.xz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6f7b1c3e497d90a5ed21465991727a8099af3839b8642cc17c0664962cd55787
size 214564


@ -1,72 +0,0 @@
From 60d4b478f65c60bcc825bb56f85fd6c4fd48b250 Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Wed, 4 Jan 2017 11:59:46 -0500
Subject: [PATCH] security fix
---
src/firejail/fs_home.c | 14 ++++++++++++++
src/firejail/pulseaudio.c | 15 +++++++++++++++
2 files changed, 29 insertions(+)
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -171,6 +171,13 @@ static void copy_xauthority(void) {
char *dest;
if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
errExit("asprintf");
+
+ // if destination is a symbolic link, exit the sandbox!!!
+ if (is_link(dest)) {
+ fprintf(stderr, "Error: %s is a symbolic link\n", dest);
+ exit(1);
+ }
+
// copy, set permissions and ownership
int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
if (rv)
@@ -189,6 +196,13 @@ static void copy_asoundrc(void) {
char *dest;
if (asprintf(&dest, "%s/.asoundrc", cfg.homedir) == -1)
errExit("asprintf");
+
+ // if destination is a symbolic link, exit the sandbox!!!
+ if (is_link(dest)) {
+ fprintf(stderr, "Error: %s is a symbolic link\n", dest);
+ exit(1);
+ }
+
// copy, set permissions and ownership
int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
if (rv)
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -138,7 +138,15 @@ void pulseaudio_init(void) {
(void) rv;
}
}
+ else {
+ // make sure the directory is owned by the user
+ if (s.st_uid != getuid()) {
+ fprintf(stderr, "Error: user .config directory is not owned by the current user\n");
+ exit(1);
+ }
+ }
free(dir1);
+
if (asprintf(&dir1, "%s/.config/pulse", cfg.homedir) == -1)
errExit("asprintf");
if (stat(dir1, &s) == -1) {
@@ -150,6 +158,13 @@ void pulseaudio_init(void) {
(void) rv;
}
}
+ else {
+ // make sure the directory is owned by the user
+ if (s.st_uid != getuid()) {
+ fprintf(stderr, "Error: user .config/pulse directory is not owned by the current user\n");
+ exit(1);
+ }
+ }
free(dir1);


@ -1,268 +0,0 @@
From e74fdab5d2125ce8f058c1630ce7cce19cbdac16 Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Wed, 4 Jan 2017 18:13:45 -0500
Subject: [PATCH] security fixes
---
src/firejail/fs_home.c | 118 +++++++++++++++++++++++++++++++++++++---------
src/firejail/pulseaudio.c | 47 +++++++++++++-----
src/firejail/util.c | 4 -
3 files changed, 134 insertions(+), 35 deletions(-)
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -108,6 +108,14 @@ static int store_xauthority(void) {
char *src;
char *dest = RUN_XAUTHORITY_FILE;
+ // create an empty file
+ FILE *fp = fopen(dest, "w");
+ if (fp) {
+ fprintf(fp, "\n");
+ SET_PERMS_STREAM(fp, getuid(), getgid(), 0600);
+ fclose(fp);
+ }
+
if (asprintf(&src, "%s/.Xauthority", cfg.homedir) == -1)
errExit("asprintf");
@@ -117,12 +125,28 @@ static int store_xauthority(void) {
fprintf(stderr, "Warning: invalid .Xauthority file\n");
return 0;
}
-
- int rv = copy_file(src, dest, -1, -1, 0600);
- if (rv) {
- fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
- return 0;
+
+ pid_t child = fork();
+ if (child < 0)
+ errExit("fork");
+ if (child == 0) {
+ // drop privileges
+ drop_privs(0);
+
+ // copy, set permissions and ownership
+ int rv = copy_file(src, dest, getuid(), getgid(), 0600);
+ if (rv)
+ fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
+ else {
+ fs_logger2("clone", dest);
+ }
+#ifdef HAVE_GCOV
+ __gcov_flush();
+#endif
+ _exit(0);
}
+ // wait for the child to finish
+ waitpid(child, NULL, 0);
return 1; // file copied
}
@@ -135,6 +159,14 @@ static int store_asoundrc(void) {
char *src;
char *dest = RUN_ASOUNDRC_FILE;
+ // create an empty file
+ FILE *fp = fopen(dest, "w");
+ if (fp) {
+ fprintf(fp, "\n");
+ SET_PERMS_STREAM(fp, getuid(), getgid(), 0644);
+ fclose(fp);
+ }
+
if (asprintf(&src, "%s/.asoundrc", cfg.homedir) == -1)
errExit("asprintf");
@@ -154,11 +186,27 @@ static int store_asoundrc(void) {
free(rp);
}
- int rv = copy_file(src, dest, -1, -1, -0644);
- if (rv) {
- fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
- return 0;
+ pid_t child = fork();
+ if (child < 0)
+ errExit("fork");
+ if (child == 0) {
+ // drop privileges
+ drop_privs(0);
+
+ // copy, set permissions and ownership
+ int rv = copy_file(src, dest, getuid(), getgid(), 0644);
+ if (rv)
+ fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
+ else {
+ fs_logger2("clone", dest);
+ }
+#ifdef HAVE_GCOV
+ __gcov_flush();
+#endif
+ _exit(0);
}
+ // wait for the child to finish
+ waitpid(child, NULL, 0);
return 1; // file copied
}
@@ -178,13 +226,27 @@ static void copy_xauthority(void) {
exit(1);
}
- // copy, set permissions and ownership
- int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
- if (rv)
- fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
- else {
- fs_logger2("clone", dest);
+ pid_t child = fork();
+ if (child < 0)
+ errExit("fork");
+ if (child == 0) {
+ // drop privileges
+ drop_privs(0);
+
+ // copy, set permissions and ownership
+ int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
+ if (rv)
+ fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
+ else {
+ fs_logger2("clone", dest);
+ }
+#ifdef HAVE_GCOV
+ __gcov_flush();
+#endif
+ _exit(0);
}
+ // wait for the child to finish
+ waitpid(child, NULL, 0);
// delete the temporary file
unlink(src);
@@ -203,13 +265,27 @@ static void copy_asoundrc(void) {
exit(1);
}
- // copy, set permissions and ownership
- int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
- if (rv)
- fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
- else {
- fs_logger2("clone", dest);
+ pid_t child = fork();
+ if (child < 0)
+ errExit("fork");
+ if (child == 0) {
+ // drop privileges
+ drop_privs(0);
+
+ // copy, set permissions and ownership
+ int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
+ if (rv)
+ fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
+ else {
+ fs_logger2("clone", dest);
+ }
+#ifdef HAVE_GCOV
+ __gcov_flush();
+#endif
+ _exit(0);
}
+ // wait for the child to finish
+ waitpid(child, NULL, 0);
// delete the temporary file
unlink(src);
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -21,6 +21,7 @@
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mount.h>
+#include <sys/wait.h>
#include <dirent.h>
static void disable_file(const char *path, const char *file) {
@@ -130,13 +131,24 @@ void pulseaudio_init(void) {
if (asprintf(&dir1, "%s/.config", cfg.homedir) == -1)
errExit("asprintf");
if (stat(dir1, &s) == -1) {
- int rv = mkdir(dir1, 0755);
- if (rv == 0) {
- rv = chown(dir1, getuid(), getgid());
- (void) rv;
- rv = chmod(dir1, 0755);
- (void) rv;
+ pid_t child = fork();
+ if (child < 0)
+ errExit("fork");
+ if (child == 0) {
+ // drop privileges
+ drop_privs(0);
+
+ int rv = mkdir(dir1, 0755);
+ if (rv == 0) {
+ rv = chown(dir1, getuid(), getgid());
+ (void) rv;
+ rv = chmod(dir1, 0755);
+ (void) rv;
+ }
+ _exit(0);
}
+ // wait for the child to finish
+ waitpid(child, NULL, 0);
}
else {
// make sure the directory is owned by the user
@@ -150,13 +162,24 @@ void pulseaudio_init(void) {
if (asprintf(&dir1, "%s/.config/pulse", cfg.homedir) == -1)
errExit("asprintf");
if (stat(dir1, &s) == -1) {
- int rv = mkdir(dir1, 0700);
- if (rv == 0) {
- rv = chown(dir1, getuid(), getgid());
- (void) rv;
- rv = chmod(dir1, 0700);
- (void) rv;
+ pid_t child = fork();
+ if (child < 0)
+ errExit("fork");
+ if (child == 0) {
+ // drop privileges
+ drop_privs(0);
+
+ int rv = mkdir(dir1, 0700);
+ if (rv == 0) {
+ rv = chown(dir1, getuid(), getgid());
+ (void) rv;
+ rv = chmod(dir1, 0700);
+ (void) rv;
+ }
+ _exit(0);
}
+ // wait for the child to finish
+ waitpid(child, NULL, 0);
}
else {
// make sure the directory is owned by the user
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -179,14 +179,14 @@ int copy_file(const char *srcname, const
// open source
int src = open(srcname, O_RDONLY);
if (src < 0) {
- fprintf(stderr, "Warning: cannot open %s, file not copied\n", srcname);
+ fprintf(stderr, "Warning: cannot open source file %s, file not copied\n", srcname);
return -1;
}
// open destination
int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
if (dst < 0) {
- fprintf(stderr, "Warning: cannot open %s, file not copied\n", destname);
+ fprintf(stderr, "Warning: cannot open destination file %s, file not copied\n", destname);
close(src);
return -1;
}


@ -1,3 +1,26 @@
-------------------------------------------------------------------
Mon Jan 16 16:33:59 CET 2017 - tiwai@suse.de
- Update to version 0.9.44.4:
* --bandwidth root shell found by Martin Carpenter (CVE-2017-5207)
* disabled --allow-debuggers when running on kernel versions prior
to 4.8; a kernel bug in ptrace system call allows a full bypass
of seccomp filter; problem reported by Lizzie Dixon (CVE-2017-5206)
* root exploit found by Sebastian Krahmer (CVE-2017-5180)
- Update to version 0.9.44.6:
* new fix for CVE-2017-5180 reported by Sebastian Krahmer last week
* major cleanup of file copying code
* tightening the rules for --chroot and --overlay features
* ported Gentoo compile patch
* Nvidia drivers bug in --private-dev
* fix ASSERT_PERMS_FD macro
* allow local customization using .local files under /etc/firejail
backported from our development branch
* spoof machine-id backported from our development branch
- Remove obsoleted patches:
firejail-CVE-2017-5180-fix1.patch
firejail-CVE-2017-5180-fix2.patch
-------------------------------------------------------------------
Thu Jan 5 10:38:43 CET 2017 - tiwai@suse.de


@ -17,7 +17,7 @@
Name: firejail
Version: 0.9.44.2
Version: 0.9.44.6
Release: 0
Summary: Linux namepaces sandbox program
License: GPL-2.0
@ -25,8 +25,6 @@ Group: Productivity/Security
Url: https://firejail.wordpress.com/
Source0: %{name}-%{version}.tar.xz
Source1: %{name}.rpmlintrc
Patch1: firejail-CVE-2017-5180-fix1.patch
Patch2: firejail-CVE-2017-5180-fix2.patch
BuildRequires: libapparmor-devel
BuildRequires: gcc-c++
Requires(pre): permissions
@ -42,8 +40,6 @@ Linux namespace support. It supports sandboxing specific users upon login.
%prep
%setup -q
%patch1 -p1
%patch2 -p1
%build
%configure --docdir=%{_docdir}/%{name} \