netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0
5.73k stars, 561 forks

Losing internet access on blacklist /var #374

Closed msva closed 8 years ago

msva commented 8 years ago

Hi! I'm not sure if it is really an issue, but since there is no place to just talk about firejail (like an IRC channel or XMPP MUC), I'd ask here.

So, in previous versions of firejail I had a profile containing blacklist /var that worked fine, but with the latest git master it leads to no internet access in the jailed application. I've reproduced it with both $ firejail --private --blacklist=/var firefox and $ firejail --private --whitelist=/var/cache.

I guess it needs /var/run/firejail there (doesn't it?), but unfortunately it is not possible to just whitelist /var/run/firejail (it says 'wrong path', because /var/run is a symlink to /run on my system (distro FHS policy), and you're checking the path to be local in fs_whitelist.c). And noblacklist /var/run/firejail + blacklist /var doesn't seem to help in that situation either.

So, how can this be handled in such a situation?

And one more thing: not sure if I should create a separate issue, or whether it can be discussed here: in git master (not sure starting from which commit) ping/ping6 stopped working, saying "operation not permitted" (while both of them do have the suid bit set, as the 65534 user under which pid 1 (firejail) is running). Reproducible even in a clean $ firejail --private.

msva commented 8 years ago

Actually, talking about the main question in the issue (not the ping issue): why does whitelist support only several paths, and not allow arbitrary paths?

And also, why not allow whitelisting external symlinks? The only security issue I know about is allowing execution of binaries from the "host", but that only works if there are some bugs at the kernel level (see the last overlayfs+namespaces bug). And I don't think the possibility of such bugs is a reason for firejail to disallow such useful functionality ;)

netblue30 commented 8 years ago

Blacklisting /var is a very bad idea. Lots of software uses /var, and usually it expects the files to be there read/write. Sometimes they just crash without any kind of error recovery.

For example, I ran "firejail --blacklist=/var firefox" on Ubuntu 10.04 and I got:

(firefox:2): IBUS-WARNING **: Unable to load /var/lib/dbus/machine-id: Failed to open file '/var/lib/dbus/machine-id': Permission denied

I still get network connectivity, but something is definitely broken - in this case IBus; using a foreign keyboard mapping will not work.

ping/ping6: SUID binaries are disabled in the sandbox, so ping will not work. For testing you can try to run with --noprofile. This will enable SUID binaries.

65534 is a user id without any privileges. The kernel uses it to replace unwanted users in a user namespace.

External symlinks in --whitelist open the sandbox to all kinds of exploits, so I had to disable them.

Allowing external symlinks under

msva commented 8 years ago

Yeah, I know that some software _can_ use /var and it can break something, but I'm doing that (white/blacklisting /var/*) only with proper testing and full responsibility for the result ;)

And I very much wanted to hide /var and some other "non-standard" directories from some proprietary software I'm forced to use. And whitelist would be the ideal variant, because I want them not to know that such paths exist at all, not just be forbidden to open them.

//nb: your comment is cut off at the word "under" and looks unfinished.

netblue30 commented 8 years ago

OK, I think if I allow in --whitelist /var/run and /var/lock to point outside /var, all would be fine. I'll bring in a fix.

msva commented 8 years ago

By the way, isn't there a way to ask firejail not to whitelist, but to create a new /var/run inside?

And question about one more restriction:

Error: tmpfs available only when running the sandbox as root

But firejail does mount tmpfs on the parent directories of whitelisted things. So, what is the point of such a restriction?

And also, can you share your thoughts on what could be the reason that any jailed software loses access to the internet if it has no access to run? Was I right in suggesting that the jail needs access to some files in firejail's directory for that?

And one more thing: I think it would be nice to hide firejail mountpoints and other service things from jailed software. I think this is a security breach:

 firejail --private --quiet ls /var/run/firejail/name -l

итого 1
-rw-r--r-- 1 65534 65534 6 мар 22 20:41 31825
-rw-r--r-- 1 65534 65534 6 мар 22 15:30 32221
-rw-r--r-- 1 65534 65534 6 мар 22 12:18 3286

So, any jailed software 1) can guess that it is run in firejail (by looking at PID 1), 2) can get the real PIDs of other jailed software (including itself).

netblue30 commented 8 years ago

I think on your platform you have /etc/resolv.conf as a symlink into /run. So, if /run disappears you will not get network connectivity. I would make /etc/resolv.conf a real file.

I'll bring in fixes for all the other issues, thanks.
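The two failure modes discussed in this thread (a symlink such as /var/run that resolves outside the tree being hidden, and a critical file such as /etc/resolv.conf that is itself a symlink into the hidden tree) can be checked for before a blacklist or whitelist rule is added to a profile. The POSIX shell below is an added example, not code from the issue or from firejail; the function names classify_link, escaping_links and file_depends_on_tree are my own, and it assumes a Linux readlink that supports -f. It is written for any directory tree, not only /var, and is meant to be run against the real filesystem before sandboxing.

```shell
#!/bin/sh
# Added example (not firejail's code): pre-flight checks before hiding a
# directory tree (blacklist, or a tmpfs mounted on it by whitelist):
#  1. symlinks inside the tree that resolve outside it (/var/run -> /run);
#     a tmpfs on the tree makes the symlink vanish, so /var/run/... paths break.
#  2. critical files (e.g. /etc/resolv.conf) that are symlinks resolving
#     into the tree; hiding the tree hides the file, and DNS stops working.

# Classify path $1 relative to tree $2. Prints:
#   plain    - not a symlink
#   inside   - a symlink whose final target lies inside the tree
#   escapes  - a symlink whose final target lies outside the tree
classify_link() {
    link=$1; tree=$2
    [ -L "$link" ] || { echo plain; return 0; }
    target=$(readlink -f "$link")
    case "$target" in
        "$tree"|"$tree"/*) echo inside ;;
        *) echo escapes ;;
    esac
}

# Print every entry directly under tree $1 that is a symlink escaping the tree.
escaping_links() {
    tree=$1
    for entry in "$tree"/* "$tree"/.[!.]*; do
        # an unmatched glob stays literal; skip it
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        [ "$(classify_link "$entry" "$tree")" = escapes ] && echo "$entry"
    done
    return 0
}

# Prints "hidden" if file $1 would disappear when tree $2 is hidden
# (i.e. $1 is a symlink resolving into $2), "safe" otherwise.
file_depends_on_tree() {
    [ "$(classify_link "$1" "$2")" = inside ] && echo hidden || echo safe
}

# Usage on a live system, e.g.:
#   escaping_links /var
#   file_depends_on_tree /etc/resolv.conf /run
```

A profile author can run escaping_links on the tree about to be blacklisted and file_depends_on_tree on the files the application must keep seeing; any "escapes" or "hidden" result points at a path that needs a noblacklist or whitelist entry (or a real file, as suggested above for resolv.conf) before the rule is safe to ship.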

msva commented 8 years ago

1) I do not have /etc/resolv.conf as a symlink to /run/*. It is a regular file... I do, sorry. It is connman that hijacked it :(. 2) thanks

netblue30 commented 8 years ago

I put a fix in for /var/run and /var/lock, you can whitelist them now. Also, I mounted tmpfs on top of /run/firejail/{bandwidth,name,network,x11}, so there won't be any information leaks.

tmpfs as user opens the door to some nice SUID exploits, so I had to remove it. Let me know if you find something else, thanks!