-
Notifications
You must be signed in to change notification settings - Fork 584
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feature: add keep-xattrs option #5136
base: master
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🎉
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The argument is being named inconsistently:
xattr
xattr_name
xattrs
It would be better to pick just one and stick with it.
Since the command accepts multiple options, I would just use "xattrs"
everywhere for simplicity and clarity. That is:
keep-xattr
->keep-xattrs
xattr
/xattr_name
->xattrs
By the way, I noticed that xattr(7) uses "xattr" to refer both to a single
extended attribute and to the "extended attributes" functionality in general,
but I find it clearer to use "xattrs" in the latter case.
On the documentation side, it would be clearer that it takes multiple arguments
if commas were used, for example:
--keep-xattrs=name,name,name
Similar existing options:
--caps.drop=capability,capability,capability
--caps.keep=capability,capability,capability
--cpu=cpu-number,cpu-number,cpu-number
--private-bin=file,file
--protocol=protocol,protocol,protocol
src/fcopy/main.c
Outdated
@@ -100,6 +103,79 @@ static void selinux_relabel_path(const char *path, const char *inside_path) { | |||
#endif | |||
} | |||
|
|||
// Convert string of comma separated values to NULL-terminated string array. | |||
// Original string is modified in-place. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// Original string is modified in-place.
It already returns the list, so why do that?
Why not e.g.: work on a copy of clist
in the function?
Given the way that this is called on fcopy's main()
:
keep_xattr = csv_to_strv(argv[++i]);
That appears to effectively result in modifying the argv item from something
like "name1,name2,name3" to point to the first item on the resulting list
(which would be "name1" in this case).
Allowing unprivileged users to turn arbitrary strings into globally-accessible
string arrays doesn't sound like a good idea to me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It already returns the list, so why do that?
Why not e.g.: work on a copy of
clist
in the function?
To reduce unnecessary allocations and copying.
Given the way that this is called on fcopy's
main()
:keep_xattr = csv_to_strv(argv[++i]);
That appears to effectively result in modifying the argv item from something like "name1,name2,name3" to point to the first item on the resulting list (which would be "name1" in this case).
It is. But it seems okay since this argument will not be used by anyone else after the call to csv_to_strv
.
Allowing unprivileged users to turn arbitrary strings into globally-accessible
string arrays doesn't sound like a good idea to me.
The only thing that I have on my mind is that /proc/pid/cmdline
will not reflect the actual argv the process was called with. It doesn't seem like a big issue in a helper tool.
Firejail copies SELinux xattrs unconditionally because they are needed for SELinux rules to work. How about copying other xattrs too? There could be instead 'no-keep-xattr' option to disable copying if needed. |
SELinux xattrs are copied only if SELinux is enabled, so it does not happen unconditionally. I am not sure that it's worth copying all of the attributes. It feels like it's better to be explicit in what is copied to be sure that no extra data is leaking into the sandbox. |
It sounds like a good idea to avoid leaking unnecessarily by default. One Instead of copying all the attributes, how about just the Or, why not do the same conditional copying as SELinux for the other |
This includes |
|
|
@rusty-snake commented on May 10:
How about copying just the security attributes that only serve restrict (such @rusty-snake commented on May 10:
In this case, it seems that adding option would be warranted, as hardcoding the |
How can this be detected? |
The filename could unintentionally leaking data. Not talking about the file content ... What do you think to happen here? I don't understand you point. |
By default, firejail preserves only xattrs for bind-mounted files. To preserve xattrs on copied files (produced by private-bin, private-etc and private-home options) it's possible to use keep-xattrs option. keep-xattrs is very useful in systems with signature-based IMA appraisal enabled (especially, when IMA policy prohibits running unsigned binaries).
This will require adding extra checks, which are different for each attribute. Unconditional copying of well-known attributes will be easier both for verification and maintenance. So, maybe proceed with The list of xattrs might include following:
Also, by copying SELinux context with plain xattr copy it would be possible to remove libselinux dependency from fcopy, as fcopy is only used for regular files anyway. |
What about adding an |
@rusty-snake commented on May 10:
I mean, if it is known a priori that a given extended attribute has no way of If Any idea if that's indeed the case? What about for the other 2 attributes?
Now re-reading the first post:
It seems that So how about copying each of them if the respective feature is enabled (like it
If that does not work, then how about just unconditionally copying the 3
Not sure about this, but if a hardcoding were to be implemented for a
If the other approaches do not work out and a
Interesting; that would be an improvement (though could be tricky to implement @rusty-snake commented on May 14:
If this is only intended to affect system/read-only paths as stated in the With all that said, the following is what looks like the most obvious solution
But would such checks require additional IMA/SMACK dependencies? If the above does not work, I have the following questions:
|
|
No, this wouldn't require any additional dependencies. But there is a problem: IMA status (enabled or not) is determined by the presence of a SELinux detection works fine after remount because it also checks
I see no harm,
SMACK behaves just like the SELinux (but in a simplified manner), so it harmless as well.
In SELinux and SMACK, directories and files under them may have different attributes, so xattr should be applied on every single file or directory. IMA has no xattrs on directories, and each file has its distinct xattr value. |
@rusty-snake commented on May 15:
Thanks; looks like that part didn't register with me at all.
Nice.
The issue of checking for paths after bind-mounting them has bitten me before To fix this, I created a function (in a WIP branch) that does path-related
Thanks for the detailed explanations. One thing that I am still unsure about is if the xattr copy is currently done For example, given the following directory structure:
If Skimming through fs_etc.c and fcopy/main.c, at first glance it looks like it |
Copying will be recursive. The following will get done, considering your case:
|
By default, firejail preserves only xattrs for bind-mounted files. To preserve xattrs on copied files (produced by private-bin, private-etc and private-home options) it's possible to use keep-xattrs option.
keep-xattrs is very useful in systems with signature-based IMA appraisal enabled (especially, when IMA policy prohibits running unsigned binaries).
New command checklist:
Edit by @kmk3: Add new command checklist