Bug#929736: unblock: firejail/0.9.58.2-2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package firejail

The version in unstable fixes two security issues:

#929732 (debian/patches/seccomp-join.patch):
This issue allowed someone to run a program inside a jail that is protected
by seccomp filters without any seccomp filtering.
The location of the filters inside the jail was writable, so they could
be overwritten or deleted, and programs that were afterwards joined into the jail
had no filter applied.

#929733 (debian/patches/truncation.patch):
A race was possible that allowed someone inside the jail to truncate
the firejail binary outside the jail under certain conditions.
(The jailed program needs to be run as root, and it needs to be terminated
from the outside as root.)

Thanks in advance.

Kind regards,
   Reiner

unblock firejail/0.9.58.2-2

diff -Nru firejail-0.9.58.2/debian/changelog firejail-0.9.58.2/debian/changelog
--- firejail-0.9.58.2/debian/changelog	2019-02-08 20:06:02.000000000 +0100
+++ firejail-0.9.58.2/debian/changelog	2019-05-29 21:06:42.000000000 +0200
@@ -1,3 +1,16 @@
+firejail (0.9.58.2-2) unstable; urgency=high
+
+  * Cherry-pick security fix for seccomp bypass issue. (Closes: #929732)
+    Seccomp filters were writable inside the jail, so they could be
+    overwritten/truncated. Another jail that was then joined with the first
+    one, had no seccomp filters applied.
+  * Cherry-pick security fix for binary truncation issue. (Closes: #929733)
+    When the jailed program was running as root, and firejail was killed
+    from the outside (as root), the jailed program had the possibility to
+    truncate the firejail binary outside the jail.
+
+ -- Reiner Herrmann <reiner@reiner-h.de>  Wed, 29 May 2019 21:06:42 +0200
+
 firejail (0.9.58.2-1) unstable; urgency=medium
 
   * New upstream release.
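Review bot: the two changelog entries describe the symptoms but give no upstream reference, while the patch headers below carry the upstream issue and commit ids (#2718 and eecf35c for the seccomp fix, #2401 and fcba07c/faa1ec7 for the truncation fix); adding those to the entries would let a reader of the changelog locate the upstream fix without opening the patches.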
diff -Nru firejail-0.9.58.2/debian/patches/seccomp-join.patch firejail-0.9.58.2/debian/patches/seccomp-join.patch
--- firejail-0.9.58.2/debian/patches/seccomp-join.patch	1970-01-01 01:00:00.000000000 +0100
+++ firejail-0.9.58.2/debian/patches/seccomp-join.patch	2019-05-29 18:57:28.000000000 +0200
@@ -0,0 +1,91 @@
+From: smitsohu <smitsohu@gmail.com>
+Subject: [PATCH] mount runtime seccomp files read-only (#2602)
+Bug: https://github.com/netblue30/firejail/issues/2718
+Bug-Debian: https://bugs.debian.org/929732
+Origin: upstream, https://github.com/netblue30/firejail/commit/eecf35c
+
+avoid creating locations in the file system that are both writable and
+executable (in this case for processes with euid of the user).
+
+for the same reason also remove user owned libfiles
+when it is not needed any more
+
+--- a/src/firejail/firejail.h
++++ b/src/firejail/firejail.h
+@@ -57,13 +57,14 @@
+ #define RUN_LIB_FILE	"/run/firejail/mnt/libfiles"
+ #define RUN_DNS_ETC	"/run/firejail/mnt/dns-etc"
+ 
+-#define RUN_SECCOMP_LIST	"/run/firejail/mnt/seccomp.list"	// list of seccomp files installed
+-#define RUN_SECCOMP_PROTOCOL	"/run/firejail/mnt/seccomp.protocol"	// protocol filter
+-#define RUN_SECCOMP_CFG	"/run/firejail/mnt/seccomp"			// configured filter
+-#define RUN_SECCOMP_32	"/run/firejail/mnt/seccomp.32"		// 32bit arch filter installed on 64bit architectures
+-#define RUN_SECCOMP_MDWX	"/run/firejail/mnt/seccomp.mdwx"		// filter for memory-deny-write-execute
+-#define RUN_SECCOMP_BLOCK_SECONDARY	"/run/firejail/mnt/seccomp.block_secondary"	// secondary arch blocking filter
+-#define RUN_SECCOMP_POSTEXEC	"/run/firejail/mnt/seccomp.postexec"		// filter for post-exec library
++#define RUN_SECCOMP_DIR	"/run/firejail/mnt/seccomp"
++#define RUN_SECCOMP_LIST	"/run/firejail/mnt/seccomp/seccomp.list"	// list of seccomp files installed
++#define RUN_SECCOMP_PROTOCOL	"/run/firejail/mnt/seccomp/seccomp.protocol"	// protocol filter
++#define RUN_SECCOMP_CFG	"/run/firejail/mnt/seccomp/seccomp"			// configured filter
++#define RUN_SECCOMP_32		"/run/firejail/mnt/seccomp/seccomp.32"		// 32bit arch filter installed on 64bit architectures
++#define RUN_SECCOMP_MDWX	"/run/firejail/mnt/seccomp/seccomp.mdwx"		// filter for memory-deny-write-execute
++#define RUN_SECCOMP_BLOCK_SECONDARY	"/run/firejail/mnt/seccomp/seccomp.block_secondary"	// secondary arch blocking filter
++#define RUN_SECCOMP_POSTEXEC	"/run/firejail/mnt/seccomp/seccomp.postexec"		// filter for post-exec library
+ #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp")			// default filter built during make
+ #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug")	// default filter built during make
+ #define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32")			// 32bit arch filter built during make
+@@ -94,7 +95,6 @@
+ #define RUN_ASOUNDRC_FILE	"/run/firejail/mnt/.asoundrc"
+ #define RUN_HOSTNAME_FILE	"/run/firejail/mnt/hostname"
+ #define RUN_HOSTS_FILE	"/run/firejail/mnt/hosts"
+-#define RUN_RESOLVCONF_FILE	"/run/firejail/mnt/resolv.conf"
+ #define RUN_MACHINEID	"/run/firejail/mnt/machine-id"
+ #define RUN_LDPRELOAD_FILE	"/run/firejail/mnt/ld.so.preload"
+ #define RUN_UTMP_FILE		"/run/firejail/mnt/utmp"
+--- a/src/firejail/fs_lib.c
++++ b/src/firejail/fs_lib.c
+@@ -133,6 +133,7 @@
+ 		fslib_duplicate(buf);
+ 	}
+ 	fclose(fp);
++	unlink(RUN_LIB_FILE);
+ }
+ 
+ 
+--- a/src/firejail/preproc.c
++++ b/src/firejail/preproc.c
+@@ -86,6 +86,8 @@
+ 		fs_logger2("tmpfs", RUN_MNT_DIR);
+ 
+ #ifdef HAVE_SECCOMP
++		create_empty_dir_as_root(RUN_SECCOMP_DIR, 0755);
++
+ 		if (arg_seccomp_block_secondary)
+ 			copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed
+ 		else {
+--- a/src/firejail/sandbox.c
++++ b/src/firejail/sandbox.c
+@@ -1064,9 +1064,6 @@
+ 	// save state of nonewprivs
+ 	save_nonewprivs();
+ 
+-	// set capabilities
+-	set_caps();
+-
+ 	// set cpu affinity
+ 	if (cfg.cpus) {
+ 		save_cpu(); // save cpu affinity mask to CPU_CFG file
+@@ -1118,8 +1115,13 @@
+ 		int rv = unlink(RUN_SECCOMP_MDWX);
+ 		(void) rv;
+ 	}
++	// make seccomp filters read-only
++	fs_rdonly(RUN_SECCOMP_DIR);
+ #endif
+ 
++	// set capabilities
++	set_caps();
++
+ 	//****************************************
+ 	// communicate progress of sandbox set up
+ 	// to --join
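Review bot: the firejail.h hunk `@@ -94,7 +95,6 @@` drops `#define RUN_RESOLVCONF_FILE` although the patch description only speaks of the seccomp files; for a cherry-pick onto 0.9.58.2 this needs a check that nothing in that version still references the macro, or the build breaks. The reordering in sandbox.c, where `set_caps()` moves from before the cpu-affinity code to after the new `fs_rdonly(RUN_SECCOMP_DIR)`, is not explained either; presumably the read-only remount needs capabilities that `set_caps()` drops, and a one-line comment saying so would make that ordering constraint explicit for the next person who touches the function. Minor: the new `unlink(RUN_LIB_FILE);` in fs_lib.c ignores the return value, while the neighbouring sandbox.c code uses `int rv = unlink(...); (void) rv;` for the same purpose.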
diff -Nru firejail-0.9.58.2/debian/patches/series firejail-0.9.58.2/debian/patches/series
--- firejail-0.9.58.2/debian/patches/series	2019-02-08 19:34:04.000000000 +0100
+++ firejail-0.9.58.2/debian/patches/series	2019-05-29 20:50:09.000000000 +0200
@@ -1,3 +1,5 @@
 disable-internet-tests.patch
 config-hardening.patch
 apparmor-include.patch
+seccomp-join.patch
+truncation.patch
diff -Nru firejail-0.9.58.2/debian/patches/truncation.patch firejail-0.9.58.2/debian/patches/truncation.patch
--- firejail-0.9.58.2/debian/patches/truncation.patch	1970-01-01 01:00:00.000000000 +0100
+++ firejail-0.9.58.2/debian/patches/truncation.patch	2019-05-29 21:05:54.000000000 +0200
@@ -0,0 +1,44 @@
+From: smitsohu <smitsohu@gmail.com>
+Subject: [PATCH] shutdown option: give sandbox time to terminate
+Bug: https://github.com/netblue30/firejail/issues/2401
+Bug-Debian: https://bugs.debian.org/929733
+Origin: upstream, https://github.com/netblue30/firejail/commit/fcba07c and faa1ec7
+
+Similarly to CVE-2019-5736, the binary (firejail) could be truncated outside the
+jail from the inside under certain conditions.
+This was possible if the jailed program was running as root, and it was killed
+from the outside (as root), e.g. with SIGKILL or --shutdown.
+
+--- a/src/firejail/shutdown.c
++++ b/src/firejail/shutdown.c
+@@ -52,15 +52,17 @@
+ 	printf("Sending SIGTERM to %u\n", pid);
+ 	kill(pid, SIGTERM);
+ 
+-	// wait for not more than 10 seconds
+-	sleep(2);
+-	int monsec = 8;
++	// wait for not more than 11 seconds
++	int monsec = 11;
+ 	char *monfile;
+ 	if (asprintf(&monfile, "/proc/%d/cmdline", pid) == -1)
+ 		errExit("asprintf");
+ 	int killdone = 0;
+ 
+ 	while (monsec) {
++		sleep(1);
++		monsec--;
++		
+ 		FILE *fp = fopen(monfile, "r");
+ 		if (!fp) {
+ 			killdone = 1;
+@@ -75,9 +77,6 @@
+ 			killdone = 1;
+ 			break;
+ 		}
+-
+-		sleep(1);
+-		monsec--;
+ 	}
+ 	free(monfile);
+ 
