Commit b286a6bc authored by netblue30's avatar netblue30

merge #1100 from zackw: removed libconnect

parent 68e10f17
......@@ -6,6 +6,7 @@
*.gcda
*.gcno
Makefile
autom4te.cache/
config.log
config.status
firejail-login.5
......
all: apps man filters
MYLIBS = src/lib
APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libconnect src/fnet src/fseccomp src/fcopy
APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fcopy
MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
SECCOMP_FILTERS = seccomp seccomp.i386 seccomp.amd64
......@@ -79,7 +79,6 @@ realinstall:
install -m 0755 -d $(DESTDIR)/$(libdir)/firejail
install -c -m 0644 src/libtrace/libtrace.so $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 src/libtracelog/libtracelog.so $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 src/libconnect/libconnect.so $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fgit/fgit-install.sh $(DESTDIR)/$(libdir)/firejail/.
......@@ -142,7 +141,6 @@ install-strip: all
strip src/firecfg/firecfg
strip src/libtrace/libtrace.so
strip src/libtracelog/libtracelog.so
strip src/libconnect/libconnect.so
strip src/ftee/ftee
strip src/faudit/faudit
strip src/fnet/fnet
......
......@@ -101,6 +101,8 @@ valoq (https://github.com/valoq)
- added wget profile
- disable gnupg and systemd directories under /run/user
- added iridium browser profile
Zack Weinberg (https://github.com/zackw)
- removed libconnect
Igor Bukanov (https://github.com/ibukanov)
- found/fiixed privilege escalation in --hosts-file option
Cat (https://github.com/ecat3)
......
......@@ -3793,7 +3793,7 @@ if test "$prefix" = /usr; then
sysconfdir="/etc"
fi
ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile src/fseccomp/Makefile"
ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile"
cat >confcache <<\_ACEOF
# This file is a shell script that caches the results of configure
......@@ -4513,7 +4513,6 @@ do
"src/firecfg/Makefile") CONFIG_FILES="$CONFIG_FILES src/firecfg/Makefile" ;;
"src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;;
"src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;;
"src/libconnect/Makefile") CONFIG_FILES="$CONFIG_FILES src/libconnect/Makefile" ;;
"src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;;
*) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
......
......@@ -168,7 +168,7 @@ fi
AC_OUTPUT(Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile \
src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile \
src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile src/fseccomp/Makefile)
src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile)
echo
echo "Configuration options:"
......
......@@ -85,6 +85,6 @@
# Firejail window title in Xephyr, default enabled.
# xephyr-window-title yes
# Xephyr command extra parameters. None by default, and the declaration is commented out.
# Xephyr command extra parameters. None by default; these are examples.
# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
# xephyr-extra-params -grayscale
......@@ -24,7 +24,6 @@ install -m 755 /usr/lib/firejail/fshaper.sh firejail-$VERSION/usr/lib/firejail/
install -m 755 /usr/lib/firejail/ftee firejail-$VERSION/usr/lib/firejail/.
install -m 644 /usr/lib/firejail/libtrace.so firejail-$VERSION/usr/lib/firejail/.
install -m 644 /usr/lib/firejail/libtracelog.so firejail-$VERSION/usr/lib/firejail/.
install -m 644 /usr/lib/firejail/libconnect.so firejail-$VERSION/usr/lib/firejail/.
mkdir -p firejail-$VERSION/usr/share/man/man1
install -m 644 /usr/share/man/man1/firejail.1.gz firejail-$VERSION/usr/share/man/man1/.
......@@ -436,7 +435,6 @@ rm -rf %{buildroot}
/usr/lib/firejail/libtrace.so
/usr/lib/firejail/libtracelog.so
/usr/lib/firejail/libconnect.so
/usr/lib/firejail/faudit
/usr/lib/firejail/ftee
/usr/lib/firejail/firecfg.config
......
......@@ -60,9 +60,6 @@ void fs_trace(void) {
printf("Blacklist violations are logged to syslog\n");
}
if (mask_x11_abstract_socket)
fprintf(fp, "%s/firejail/libconnect.so\n", LIBDIR);
SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
fclose(fp);
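Review bot: The `fclose(fp)` that ends this write path in fs_trace() is unchecked, so a failed flush would leave a short or empty preload list without any error being reported. I would make the failure explicit, for example `if (fclose(fp) != 0) errExit("fclose");`. The stream is opened outside the hunk (presumably the ld.so.preload list that sandbox.c mentions), so whether the matching fopen result is checked cannot be confirmed from here.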
......
......@@ -585,7 +585,7 @@ int sandbox(void* sandbox_arg) {
#endif
// trace pre-install
if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
if (arg_trace || arg_tracelog)
fs_trace_preload();
// store hosts file
......@@ -622,7 +622,7 @@ int sandbox(void* sandbox_arg) {
//****************************
// trace pre-install, this time inside chroot
//****************************
if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
if (arg_trace || arg_tracelog)
fs_trace_preload();
}
else
......@@ -685,7 +685,7 @@ int sandbox(void* sandbox_arg) {
else {
fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep);
// create /etc/ld.so.preload file again
if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
if (arg_trace || arg_tracelog)
fs_trace_preload();
}
}
......@@ -781,7 +781,7 @@ int sandbox(void* sandbox_arg) {
//****************************
// install trace
//****************************
if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
if (arg_trace || arg_tracelog)
fs_trace();
//****************************
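Review bot: Dropping `mask_x11_abstract_socket` from these conditions removes the only enforcement of that flag visible on this page, and nothing on the new side says what now keeps a sandboxed client off the X11 abstract socket. The same edit is made in all four hunks of sandbox(): both `fs_trace_preload()` pre-install checks, the private-etc branch and the final `fs_trace()` call. If the flag is still assigned elsewhere it is now dead state, so it should either be removed or produce a warning when the option that sets it no longer has any effect. I would add at the install-trace site `// X11 abstract socket is no longer masked via preload; isolating it needs a separate network namespace` and mirror that in the user documentation. sandbox() starts and ends outside these hunks, so other readers of the flag cannot be ruled out from here.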
......
PREFIX=@prefix@
VERSION=@PACKAGE_VERSION@
NAME=@PACKAGE_NAME@
HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
H_FILE_LIST = $(sort $(wildcard *.[h]))
C_FILE_LIST = $(sort $(wildcard *.c))
OBJS = $(C_FILE_LIST:.c=.o)
BINOBJS = $(foreach file, $(OBJS), $file)
CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
all: libconnect.so
%.o : %.c $(H_FILE_LIST)
$(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
libconnect.so: $(OBJS)
$(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
clean:; rm -f $(OBJS) libconnect.so
distclean: clean
rm -fr Makefile
/*
* Copyright (C) 2014-2017 Firejail Authors
*
* This file is part of firejail project
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dlfcn.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/un.h>
#include <sys/stat.h>
#include <dirent.h>
#include <errno.h>
//#define DEBUG
//static int check_sockaddr(int sockfd, const char *call, const struct sockaddr *addr, int rv) {
static int check_sockaddr(const struct sockaddr *addr) {
if (addr->sa_family == AF_UNIX) {
struct sockaddr_un *a = (struct sockaddr_un *) addr;
if (a->sun_path[0] == '\0' && strstr(a->sun_path + 1, "X11-unix")) {
// printf("@%s\n", a->sun_path + 1);
errno = ENOENT;
return -1;
}
}
return 0;
}
//
// syscalls
//
// connect
typedef int (*orig_connect_t)(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
static orig_connect_t orig_connect = NULL;
int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
if (!orig_connect)
orig_connect = (orig_connect_t)dlsym(RTLD_NEXT, "connect");
if (check_sockaddr(addr) == -1)
return -1;
return orig_connect(sockfd, addr, addrlen);
}