Merge branch 'netblue30:master' into gnome-logs-fix

.github/pull_request_template.md

@@ -1,17 +1,17 @@
 If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR.
 
 If you submit a PR for new profiles or changing profiles, please do the following:
-- The ordering of options follow the rules described in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template).
-> Hint: The profile-template is very new. If you install firejail with your package manager, it may be missing. In order to follow the latest rules, it is recommended to use the template from the repository.
-- Order the arguments of options alphabetically. You can easily do this with [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py).
-The path to it depends on your distro:
+ - The ordering of options follow the rules described in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template).
+   > Hint: The profile-template is very new. If you install firejail with your package manager, it may be missing. In order to follow the latest rules, it is recommended to use the template from the repository.
+ - Order the arguments of options alphabetically. You can easily do this with [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py).
+ The path to it depends on your distro:
 
-| Distro | Path |
-| ------ | ---- |
-| Arch/Fedora | `/usr/lib64/firejail/sort.py` |
-| Debian/Ubuntu/Mint | `/usr/lib/x86_64-linux-gnu/firejail/sort.py` |
-| local git clone | `contrib/sort.py` |
+   | Distro | Path |
+   | ------ | ---- |
+   | Arch/Fedora | `/usr/lib64/firejail/sort.py` |
+   | Debian/Ubuntu/Mint | `/usr/lib/x86_64-linux-gnu/firejail/sort.py` |
+   | local git clone | `contrib/sort.py` |
 
-Note also that the sort.py script exists only since firejail `0.9.61`.
+   Note also that the sort.py script exists only since firejail `0.9.61`.
 
 See also [CONTRIBUTING.md](/CONTRIBUTING.md).

.github/workflows/build-extra.yml

@@ -54,7 +54,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@18bf8ad2ca49c14cbb28b91346d626ccfb00c518
+      uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -75,7 +75,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@18bf8ad2ca49c14cbb28b91346d626ccfb00c518
+      uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -92,7 +92,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@18bf8ad2ca49c14cbb28b91346d626ccfb00c518
+      uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -109,7 +109,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@18bf8ad2ca49c14cbb28b91346d626ccfb00c518
+      uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57
       with:
         egress-policy: block
         allowed-endpoints: >

.github/workflows/build.yml

@@ -44,7 +44,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@18bf8ad2ca49c14cbb28b91346d626ccfb00c518
+      uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -71,6 +71,8 @@ jobs:
       run: command -V firejail && firejail --version
     - name: lab setup
       run: SHELL=/bin/bash make lab-setup
+    - name: run chroot tests
+      run: SHELL=/bin/bash make test-chroot
     - name: run sysutils tests
       run: SHELL=/bin/bash make test-sysutils
     - name: run private-etc tests

.github/workflows/codeql-analysis.yml

@@ -74,7 +74,7 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@18bf8ad2ca49c14cbb28b91346d626ccfb00c518
+      uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57
       with:
         disable-sudo: true
         egress-policy: block
@@ -88,7 +88,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@17573ee1cc1b9d061760f3a006fc4aac4f944fd5
+      uses: github/codeql-action/init@32dc499307d133bb5085bae78498c0ac2cf762d5
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -99,7 +99,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@17573ee1cc1b9d061760f3a006fc4aac4f944fd5
+      uses: github/codeql-action/autobuild@32dc499307d133bb5085bae78498c0ac2cf762d5
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -113,4 +113,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@17573ee1cc1b9d061760f3a006fc4aac4f944fd5
+      uses: github/codeql-action/analyze@32dc499307d133bb5085bae78498c0ac2cf762d5

.github/workflows/profile-checks.yml

@@ -26,7 +26,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@18bf8ad2ca49c14cbb28b91346d626ccfb00c518
+      uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57
       with:
         disable-sudo: true
         egress-policy: block

Makefile

@@ -393,10 +393,6 @@ test-github: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-uti
 test-private-lib:
 	$(MAKE) -C test $(subst test-,,$@)
 
-# a firejail-test account is required, public/private key setup
-test-ssh:
-	$(MAKE) -C test $(subst test-,,$@)
-
 # requires root access
 test-chroot:
 	$(MAKE) -C test $(subst test-,,$@)
@@ -410,19 +406,8 @@ test-appimage:
 test-network:
 	$(MAKE) -C test $(subst test-,,$@)
 
-# requires the same setup as test-network
-test-stress:
-	$(MAKE) -C test $(subst test-,,$@)
-
-# Tests running a root user
-test-root:
-	$(MAKE) -C test $(subst test-,,$@)
-
 # OverlayFS is not available on all platforms
 test-overlay:
 	$(MAKE) -C test $(subst test-,,$@)
 
 # For testing hidepid system, the command to set it up is "mount -o remount,rw,hidepid=2 /proc"
-
-test-all: test-root test-chroot test-network test-appimage test-overlay
-	echo "TEST COMPLETE"

RELNOTES

@@ -1,6 +1,7 @@
 firejail (0.9.73) baseline; urgency=low
   * work in progress
   * feature: Add "keep-shell-rc" command and option (#1127 #5634)
+  * feature: Print the argument when failing with "too long arguments" (#5677)
   * modif: Stop forwarding own double-dash to the shell (#5599 #5600)
   * modif: Prevent sandbox name (--name=) and host name (--hostname=)
     from containing only digits (#5578)
@@ -13,6 +14,7 @@ firejail (0.9.73) baseline; urgency=low
   * build: mark most phony targets as such (#5637)
   * build: mkdeb.sh: pass all arguments to ./configure (#5654)
   * build: deb: enable apparmor by default & remove deb-apparmor (#5668)
+  * build: Fix whitespace and add .editorconfig (#5674)
   * docs: remove apparmor options in --help when building without apparmor
     support (#5589)
   * docs: selinux.c: Split Copyright notice & use same license as upstream
@@ -320,7 +322,7 @@ firejail (0.9.62) baseline; urgency=low
   * compiler flags autodetection
   * move chroot entirely from path based to file descriptor based mounts
   * whitelisting /usr/share in a large number of profiles
-  * new scripts in conrib: gdb-firejail.sh and sort.py
+  * new scripts in contrib: gdb-firejail.sh and sort.py
   * enhancement: whitelist /usr/share in some profiles
   * added signal mediation ot apparmor profile
   * new conditions: HAS_X11, HAS_NET

etc/profile-a-l/chromium-common.profile

@@ -37,7 +37,9 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
-# Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone.
+# If your kernel allows the creation of user namespaces by unprivileged users
+# (for example, if running `unshare -U echo enabled` prints "enabled"), you
+# can add the next line to your chromium-common.local.
 #include chromium-common-hardened.inc.profile
 
 apparmor

etc/profile-a-l/electron.profile

@@ -22,7 +22,9 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
-# Add the next line to your electron.local if your kernel allows unprivileged userns clone.
+# If your kernel allows the creation of user namespaces by unprivileged users
+# (for example, if running `unshare -U echo enabled` prints "enabled"), you
+# can add the next line to your electron.local.
 #include electron-hardened.inc.profile
 
 apparmor

etc/profile-m-z/parsecd.profile

@@ -22,17 +22,17 @@ mkdir ${HOME}/.parsec
 whitelist ${HOME}/.parsec
 whitelist /usr/share/parsec
 include whitelist-common.inc
-include whitelist-usr-share-common.inc
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 # Due to the nature of parsec, the following directives will not work:
 # - no3d
-# - novideo
-# - nosound
 # - noinput (it does remote passthrough stuff for gamepads)
-# - private-dev (because of the above)
+# - nosound
+# - novideo
+# - private-dev (same as noinput)
 apparmor
 caps.drop all
 nodvd

etc/profile-m-z/ping.profile

@@ -24,7 +24,9 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
-# Add the next line to your ping.local if your kernel allows unprivileged userns clone.
+# If your kernel allows the creation of user namespaces by unprivileged users
+# (for example, if running `unshare -U echo enabled` prints "enabled"), you
+# can add the next line to your ping.local.
 #include ping-hardened.inc.profile
 
 apparmor

etc/profile-m-z/rsync-download_only.profile

@@ -3,7 +3,7 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include rsync.local
+include rsync-download_only.local
 # Persistent global definitions
 include globals.local
 

src/firejail/firejail.h

@@ -660,7 +660,7 @@ void fs_tracefile(void);
 void fs_trace(void);
 
 // fs_hostname.c
-void fs_hostname(const char *hostname);
+void fs_hostname(void);
 char *fs_check_hosts_file(const char *fname);
 void fs_store_hosts_file(void);
 void fs_mount_hosts_file(void);

src/firejail/fs_hostname.c

@@ -24,7 +24,37 @@
 #include <dirent.h>
 #include <fcntl.h>
 
-void fs_hostname(const char *hostname) {
+// build a random host name
+static char *random_hostname(void) {
+	char vowels[] = { 'a', 'e', 'i', 'o', 'u'};
+	char consonants[] = {'b', 'c', 'c', 'c', 'g', 'h', 'h', 'h', 'h', 'h',
+		'j', 'j', 'k', 'k', 'k', 'k', 'k', 'k', 'k', 'k', 'k', 'k', 'm', 'm', 'm', 'm', 'n', 'n', 'n', 'n', 'n',
+		'r', 'r', 's', 's', 's', 's', 's', 's', 's', 's', 't', 't', 't', 't',
+		'w', 'y', 'y', 'y', 'y', 'z', 'z'};
+	char *ending[] = {"hiko", "hiko", "suke", "suke",  "suke", "shi", "shi", "ro", "ro",
+		"rou", "hito", "hito","ka"};
+
+	char *name = malloc(20);
+	if (!name)
+		errExit("malloc");
+
+	int i = 0;
+	name[i++] = consonants[rand() % sizeof(consonants)];
+	name[i++] = vowels[rand() % sizeof(vowels)];
+	name[i++] = consonants[rand() % sizeof(consonants)];
+	name[i++] = vowels[rand() % sizeof(vowels)];
+	if (rand() % 2) {
+		name[i++] = consonants[rand() % sizeof(consonants)];
+		name[i++] = vowels[rand() % sizeof(vowels)];
+	}
+	char *ptr = 	ending[rand() % (sizeof(ending) / sizeof(char *))];
+	strcpy(name + i, ptr);
+	return name;
+}
+
+void fs_hostname(void) {
+	if (!cfg.hostname)
+		cfg.hostname = random_hostname();
 	struct stat s;
 
 	// create a new /etc/hostname
@@ -33,6 +63,12 @@ void fs_hostname(const char *hostname) {
 			printf("Creating a new /etc/hostname file\n");
 
 		create_empty_file_as_root(RUN_HOSTNAME_FILE, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+		FILE *fp = fopen(RUN_HOSTNAME_FILE, "we");
+		if (!fp)
+			goto errexit;
+		fprintf(fp, "%s\n", cfg.hostname);
+		SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+		fclose(fp);
 
 		// bind-mount the file on top of /etc/hostname
 		if (mount(RUN_HOSTNAME_FILE, "/etc/hostname", NULL, MS_BIND|MS_REC, NULL) < 0)
@@ -41,12 +77,12 @@ void fs_hostname(const char *hostname) {
 	}
 
 	// create a new /etc/hosts
-	if (cfg.hosts_file == NULL && stat("/etc/hosts", &s) == 0) {
+	if (stat(RUN_HOSTS_FILE2, &s) == 0) {
 		if (arg_debug)
 			printf("Creating a new /etc/hosts file\n");
 		// copy /etc/host into our new file, and modify it on the fly
 		/* coverity[toctou] */
-		FILE *fp1 = fopen("/etc/hosts", "re");
+		FILE *fp1 = fopen(RUN_HOSTS_FILE2, "re");
 		if (!fp1)
 			goto errexit;
 
@@ -67,7 +103,7 @@ void fs_hostname(const char *hostname) {
 			// copy line
 			if (strstr(buf, "127.0.0.1") && done == 0) {
 				done = 1;
-				fprintf(fp2, "%s %s\n", buf, hostname);
+				fprintf(fp2, "127.0.0.1 %s\n", cfg.hostname);
 			}
 			else
 				fprintf(fp2, "%s\n", buf);
@@ -83,7 +119,7 @@ void fs_hostname(const char *hostname) {
 	return;
 
 errexit:
-	fprintf(stderr, "Error: cannot create hostname file\n");
+	fprintf(stderr, "Error: cannot create /etc/hostname and /etc/hosts files\n");
 	exit(1);
 }
 
@@ -103,7 +139,10 @@ char *fs_check_hosts_file(const char *fname) {
 }
 
 void fs_store_hosts_file(void) {
-	copy_file_from_user_to_root(cfg.hosts_file, RUN_HOSTS_FILE, 0, 0, 0644); // root needed
+	if (cfg.hosts_file)
+		copy_file_from_user_to_root(cfg.hosts_file, RUN_HOSTS_FILE2, 0, 0, 0644); // root needed
+	else
+		copy_file_from_user_to_root("/etc/hosts", RUN_HOSTS_FILE2, 0, 0, 0644); // root needed
 }
 
 void fs_mount_hosts_file(void) {

src/firejail/sandbox.c

@@ -848,8 +848,7 @@ int sandbox(void* sandbox_arg) {
 		fs_trace_touch_or_store_preload();
 
 	// store hosts file
-	if (cfg.hosts_file)
-		fs_store_hosts_file();
+	fs_store_hosts_file();
 
 	//****************************
 	// configure filesystem
@@ -986,11 +985,11 @@ int sandbox(void* sandbox_arg) {
 	//****************************
 	// hosts and hostname
 	//****************************
-	if (cfg.hostname)
-		fs_hostname(cfg.hostname);
+//	if (cfg.hostname)
+	fs_hostname();
 
-	if (cfg.hosts_file)
-		fs_mount_hosts_file();
+//	if (cfg.hosts_file)
+//		fs_mount_hosts_file();
 
 	//****************************
 	// /etc overrides from the network namespace

src/include/rundefs.h

@@ -89,6 +89,7 @@
 #define RUN_ASOUNDRC_FILE		RUN_MNT_DIR "/.asoundrc"
 #define RUN_HOSTNAME_FILE		RUN_MNT_DIR "/hostname"
 #define RUN_HOSTS_FILE			RUN_MNT_DIR "/hosts"
+#define RUN_HOSTS_FILE2			RUN_MNT_DIR "/hosts2"
 #define RUN_MACHINEID			RUN_MNT_DIR "/machine-id"
 #define RUN_LDPRELOAD_FILE		RUN_MNT_DIR "/ld.so.preload"
 #define RUN_UTMP_FILE			RUN_MNT_DIR "/utmp"