add /dev/tpm* to private-dev

netblue30 · Jun 22, 2024 · fe6bcde · fe6bcde
1 parent b89ec81
commit fe6bcde
Show file tree

Hide file tree

Showing 9 changed files with 41 additions and 2 deletions.
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
@@ -176,6 +176,7 @@ include globals.local
 #noroot
 #nosound
 #notv
+#notpm
 #nou2f
 #novideo
 # Remove each unneeded protocol:

diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
@@ -139,6 +139,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 		fprintf(fp, "nonewprivs\n");
 		fprintf(fp, "noroot\n");
 		fprintf(fp, "#notv\t# disable DVB TV devices\n");
+		fprintf(fp, "#notpm\t# disable TPM devices\n");
 		fprintf(fp, "#nou2f\t# disable U2F devices\n");
 		fprintf(fp, "#novideo\t# disable video capture devices\n");
 		build_protocol(trace_output, fp);

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
@@ -368,6 +368,7 @@ extern int arg_noprofile;	// use default.profile if none other found/specified
 extern int arg_memory_deny_write_execute;	// block writable and executable memory
 extern int arg_notv;	// --notv
 extern int arg_nodvd;	// --nodvd
+extern int arg_notpm;	// --notpm
 extern int arg_nou2f;	// --nou2f
 extern int arg_noinput;	// --noinput
 extern int arg_deterministic_exit_code;	// always exit with first child's exit status
@@ -647,6 +648,7 @@ void fs_dev_disable_video(void);
 void fs_dev_disable_tv(void);
 void fs_dev_disable_dvd(void);
 void fs_dev_disable_u2f(void);
+void fs_dev_disable_tpm(void);
 void fs_dev_disable_input(void);
 
 // fs_home.c

diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
@@ -40,6 +40,7 @@ typedef enum {
 	DEV_TV,
 	DEV_DVD,
 	DEV_U2F,
+	DEV_TPM,
 	DEV_INPUT
 } DEV_TYPE;
 
@@ -91,6 +92,12 @@ static DevEntry dev[] = {
 	{"/dev/hidraw9", RUN_DEV_DIR "/hidraw9", DEV_U2F},
 	{"/dev/usb", RUN_DEV_DIR "/usb", DEV_U2F},	// USB devices such as Yubikey, U2F
 	{"/dev/input", RUN_DEV_DIR "/input", DEV_INPUT},
+	{"/dev/tpm0", RUN_DEV_DIR "/tpm0", DEV_TPM},	// Trusted Platform Module devices
+	{"/dev/tpm1", RUN_DEV_DIR "/tpm1", DEV_TPM},
+	{"/dev/tpm2", RUN_DEV_DIR "/tpm2", DEV_TPM},
+	{"/dev/tpm3", RUN_DEV_DIR "/tpm3", DEV_TPM},
+	{"/dev/tpm4", RUN_DEV_DIR "/tpm4", DEV_TPM},
+	{"/dev/tpm5", RUN_DEV_DIR "/tpm5", DEV_TPM},
 	{NULL, NULL, DEV_NONE}
 };
 
@@ -106,6 +113,7 @@ static void deventry_mount(void) {
 			    (dev[i].type == DEV_TV && arg_notv == 0) ||
 			    (dev[i].type == DEV_DVD && arg_nodvd == 0) ||
 			    (dev[i].type == DEV_U2F && arg_nou2f == 0) ||
+			    (dev[i].type == DEV_TPM && arg_notpm == 0) ||
 			    (dev[i].type == DEV_INPUT && arg_noinput == 0)) {
 
 				int dir = is_dir(dev[i].run_fname);
@@ -393,6 +401,15 @@ void fs_dev_disable_u2f(void) {
 	}
 }
 
+void fs_dev_disable_tpm(void) {
+	int i = 0;
+	while (dev[i].dev_fname != NULL) {
+		if (dev[i].type == DEV_TPM)
+			disable_file_or_dir(dev[i].dev_fname);
+		i++;
+	}
+}
+
 void fs_dev_disable_input(void) {
 	int i = 0;
 	while (dev[i].dev_fname != NULL) {

diff --git a/src/firejail/main.c b/src/firejail/main.c
@@ -156,6 +156,7 @@ int arg_memory_deny_write_execute = 0;		// block writable and executable memory
 int arg_notv = 0;	// --notv
 int arg_nodvd = 0; // --nodvd
 int arg_nou2f = 0; // --nou2f
+int arg_notpm = 0; // --notpm
 int arg_noinput = 0; // --noinput
 int arg_deterministic_exit_code = 0;	// always exit with first child's exit status
 int arg_deterministic_shutdown = 0;	// shut down the sandbox if first child dies
@@ -2211,6 +2212,8 @@ int main(int argc, char **argv, char **envp) {
 			arg_nodvd = 1;
 		else if (strcmp(argv[i], "--nou2f") == 0)
 			arg_nou2f = 1;
+		else if (strcmp(argv[i], "--notpm") == 0)
+			arg_notpm = 1;
 		else if (strcmp(argv[i], "--noinput") == 0)
 			arg_noinput = 1;
 		else if (strcmp(argv[i], "--nodbus") == 0) {

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
@@ -1104,6 +1104,9 @@ int sandbox(void* sandbox_arg) {
 	if (arg_nou2f)
 		fs_dev_disable_u2f();
 
+	if (arg_notpm)
+		fs_dev_disable_tpm();
+
 	if (arg_novideo)
 		fs_dev_disable_video();
 

diff --git a/src/firejail/usage.c b/src/firejail/usage.c
@@ -192,6 +192,7 @@ static const char *const usage_str =
 	"    --noautopulse - disable automatic ~/.config/pulse init.\n"
 	"    --novideo - disable video devices.\n"
 	"    --nou2f - disable U2F devices.\n"
+	"    --notpm - disable TPM devices.\n"
 	"    --nowhitelist=filename - disable whitelist for file or directory.\n"
 	"    --oom=value - configure OutOfMemory killer for the sandbox\n"
 #ifdef HAVE_OUTPUT

diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in
@@ -1928,6 +1928,16 @@ Example:
 .br
 $ firejail \-\-notv vlc
 
+.TP
+\fB\-\-notpm
+Disable TPM devices.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-notpm
+
 .TP
 \fB\-\-nou2f
 Disable U2F devices.
@@ -2172,8 +2182,8 @@ $ pwd
 
 .TP
 \fB\-\-private-dev
-Create a new /dev directory. Only disc, dri, dvb, hidraw, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log, shm and usb devices are available.
-Use the options --no3d, --nodvd, --nosound, --notv, --nou2f and --novideo for additional restrictions.
+Create a new /dev directory. Only disc, dri, dvb, hidraw, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log, shm, tpm and usb devices are available.
+Use the options --no3d, --nodvd, --nosound, --notv, --notpm, --nou2f and --novideo for additional restrictions.
 .br
 
 .br

diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
@@ -134,6 +134,7 @@ _firejail_args=(
     '--nonewprivs[sets the NO_NEW_PRIVS prctl]'
     '--noprinters[disable printers]'
     '--nosound[disable sound system]'
+    '--notpm[disable TPM devices]'
     '--nou2f[disable U2F devices]'
     '--novideo[disable video devices]'
     '--private[temporary home directory]'