modif: block TPM devices & turn notpm command into keep-dev-tpm

kmk3 · kmk3 · commit fcbc1c14c2f1 · 2025-04-04T04:04:35.000-03:00
Instead of having a `notpm` command and potentially adding it to almost all profiles (as few programs should need direct access to TPM devices), add a `keep-dev-tpm` command and use it only in profiles that need access to TPM devices. Changes: * Turn `notpm` command into `keep-dev-tpm` command * Warn and ignore if `notpm` is used * Block `/dev/tpm*` devices by default * Allow `/dev/tpm*` devices with `keep-dev-tpm` (even if `private-dev` is used) Added on commit 0013202 ("feature: add notpm command & keep tpm devices in private-dev (netblue30#6390)", 2024-07-09). See also commit ee1c264 ("feature: block /dev/ntsync & add keep-dev-ntsync command (netblue30#6660)", 2025-03-06) and the discussion at PR netblue30#6660. This is a follow-up to netblue30#6687.
diff --git a/contrib/syntax/lists/profile_commands_arg0.list b/contrib/syntax/lists/profile_commands_arg0.list
@@ -11,6 +11,7 @@ ipc-namespace
 keep-config-pulse
 keep-dev-ntsync
 keep-dev-shm
+keep-dev-tpm
 keep-shell-rc
 keep-var-tmp
 landlock.enforce
@@ -28,7 +29,6 @@ nonewprivs
 noprinters
 noroot
 nosound
-notpm
 notv
 nou2f
 novideo
diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile
@@ -37,7 +37,6 @@ noinput
 nonewprivs
 noroot
 #nosound
-#notpm
 notv
 #nou2f
 novideo
diff --git a/etc/profile-m-z/noprofile.profile b/etc/profile-m-z/noprofile.profile
@@ -23,6 +23,7 @@ allusers
 keep-config-pulse
 keep-dev-ntsync
 keep-dev-shm
+keep-dev-tpm
 keep-fd all
 keep-shell-rc
 keep-var-tmp
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
@@ -162,6 +162,7 @@ include globals.local
 ##keep-config-pulse
 ##keep-dev-ntsync
 ##keep-dev-shm
+##keep-dev-tpm
 ##keep-fd all
 ##keep-shell-rc
 ##keep-var-tmp
@@ -191,7 +192,6 @@ include globals.local
 #noprinters
 #noroot
 #nosound
-#notpm
 #notv
 #nou2f
 #novideo
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
@@ -138,7 +138,6 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 		fprintf(fp, "#noinput\t# disable input devices\n");
 		fprintf(fp, "nonewprivs\n");
 		fprintf(fp, "noroot\n");
-		fprintf(fp, "#notpm\t# disable TPM devices\n");
 		fprintf(fp, "#notv\t# disable DVB TV devices\n");
 		fprintf(fp, "#nou2f\t# disable U2F devices\n");
 		fprintf(fp, "#novideo\t# disable video capture devices\n");
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
@@ -329,6 +329,7 @@ extern char *arg_netns;		// "ip netns"-created network namespace to use
 extern int arg_doubledash;	// double dash
 extern int arg_private_dev;	// private dev directory
 extern int arg_keep_dev_ntsync; // preserve /dev/ntsync
+extern int arg_keep_dev_tpm;    // preserve /dev/tpm*
 extern int arg_keep_dev_shm;    // preserve /dev/shm
 extern int arg_private_etc;	// private etc directory
 extern int arg_private_opt;	// private opt directory
@@ -369,7 +370,6 @@ extern int arg_noprofile;	// use default.profile if none other found/specified
 extern int arg_memory_deny_write_execute;	// block writable and executable memory
 extern int arg_notv;	// --notv
 extern int arg_nodvd;	// --nodvd
-extern int arg_notpm;	// --notpm
 extern int arg_nou2f;	// --nou2f
 extern int arg_noinput;	// --noinput
 extern int arg_deterministic_exit_code;	// always exit with first child's exit status
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
@@ -114,7 +114,7 @@ static void deventry_mount(void) {
 			    (dev[i].type == DEV_VIDEO && arg_novideo == 0) ||
 			    (dev[i].type == DEV_TV && arg_notv == 0) ||
 			    (dev[i].type == DEV_DVD && arg_nodvd == 0) ||
-			    (dev[i].type == DEV_TPM && arg_notpm == 0) ||
+			    (dev[i].type == DEV_TPM && arg_keep_dev_tpm == 1) ||
 			    (dev[i].type == DEV_U2F && arg_nou2f == 0) ||
 			    (dev[i].type == DEV_INPUT && arg_noinput == 0) ||
 			    (dev[i].type == DEV_NTSYNC && arg_keep_dev_ntsync == 1)) {
diff --git a/src/firejail/main.c b/src/firejail/main.c
@@ -115,6 +115,7 @@ char *arg_netns = NULL;			// "ip netns"-created network namespace to use
 int arg_doubledash = 0;			// double dash
 int arg_private_dev = 0;			// private dev directory
 int arg_keep_dev_ntsync = 0;			// preserve /dev/ntsync
+int arg_keep_dev_tpm = 0;			// preserve /dev/tpm*
 int arg_keep_dev_shm = 0;			// preserve /dev/shm
 int arg_private_etc = 0;			// private etc directory
 int arg_private_opt = 0;			// private opt directory
@@ -156,7 +157,6 @@ int arg_noprofile = 0; // use default.profile if none other found/specified
 int arg_memory_deny_write_execute = 0;		// block writable and executable memory
 int arg_notv = 0;	// --notv
 int arg_nodvd = 0; // --nodvd
-int arg_notpm = 0; // --notpm
 int arg_nou2f = 0; // --nou2f
 int arg_noinput = 0; // --noinput
 int arg_deterministic_exit_code = 0;	// always exit with first child's exit status
@@ -2037,6 +2037,9 @@ int main(int argc, char **argv, char **envp) {
 		else if (strcmp(argv[i], "--keep-dev-ntsync") == 0) {
 			arg_keep_dev_ntsync = 1;
 		}
+		else if (strcmp(argv[i], "--keep-dev-tpm") == 0) {
+			arg_keep_dev_tpm = 1;
+		}
 		else if (strcmp(argv[i], "--keep-dev-shm") == 0) {
 			arg_keep_dev_shm = 1;
 		}
@@ -2224,8 +2227,9 @@ int main(int argc, char **argv, char **envp) {
 			arg_notv = 1;
 		else if (strcmp(argv[i], "--nodvd") == 0)
 			arg_nodvd = 1;
+		// TODO: Fully remove notpm after 0.9.76.
 		else if (strcmp(argv[i], "--notpm") == 0)
-			arg_notpm = 1;
+			fwarning("ignoring removed command: --notpm (see --keep-dev-tpm)\n");
 		else if (strcmp(argv[i], "--nou2f") == 0)
 			arg_nou2f = 1;
 		else if (strcmp(argv[i], "--noinput") == 0)
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
@@ -435,6 +435,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		arg_keep_dev_ntsync = 1;
 		return 0;
 	}
+	else if (strcmp(ptr, "keep-dev-tpm") == 0) {
+		arg_keep_dev_tpm = 1;
+		return 0;
+	}
 	else if (strcmp(ptr, "keep-dev-shm") == 0) {
 		arg_keep_dev_shm = 1;
 		return 0;
@@ -622,8 +626,9 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
 		return 1;
 	}
+	// TODO: Fully remove notpm after 0.9.76.
 	else if (strcmp(ptr, "notpm") == 0) {
-		arg_notpm = 1;
+		fwarning("ignoring removed command: notpm (see keep-dev-tpm)\n");
 		return 0;
 	}
 	else if (strcmp(ptr, "nou2f") == 0) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
@@ -1101,7 +1101,7 @@ int sandbox(void* sandbox_arg) {
 	if (arg_nodvd)
 		fs_dev_disable_dvd();
 
-	if (arg_notpm)
+	if (!arg_keep_dev_tpm)
 		fs_dev_disable_tpm();
 
 	if (arg_nou2f)
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
@@ -130,6 +130,7 @@ static const char *const usage_str =
 	"    --join-or-start=name|pid - join the sandbox or start a new one.\n"
 	"    --keep-config-pulse - disable automatic ~/.config/pulse init.\n"
 	"    --keep-dev-ntsync - /dev/ntsync character device is untouched (even with --private-dev).\n"
+	"    --keep-dev-tpm - /dev/tpm* devices are untouched (even with --private-dev).\n"
 	"    --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n"
 	"    --keep-fd - inherit open file descriptors to sandbox.\n"
 	"    --keep-shell-rc - do not copy shell rc files from /etc/skel\n"
@@ -191,7 +192,6 @@ static const char *const usage_str =
 #endif
 	"    --nosound - disable sound system.\n"
 	"    --novideo - disable video devices.\n"
-	"    --notpm - disable TPM devices.\n"
 	"    --nou2f - disable U2F devices.\n"
 	"    --nowhitelist=filename - disable whitelist for file or directory.\n"
 	"    --oom=value - configure OutOfMemory killer for the sandbox\n"
diff --git a/src/man/firejail-profile.5.in b/src/man/firejail-profile.5.in
@@ -305,6 +305,10 @@ which is blocked by default.
 This device is mostly intended to increase performance and compatibility when
 running certain programs through Wine.
 .TP
+\fBkeep-dev-tpm
+Allow access to the /dev/tpm* Trusted Platform Module (TPM) devices (even with
+\fBprivate-dev\fR), which are blocked by default.
+.TP
 \fBkeep-dev-shm
 /dev/shm directory is untouched (even with private-dev).
 .TP
@@ -403,11 +407,10 @@ Set working directory inside the jail. Full directory path is required. Symbolic
 .TP
 \fBprivate-dev
 Create a new /dev directory.
-Only disc, dri, dvb, full, hidraw, log, null, ptmx, pts, random, shm, snd, tpm,
-tty, urandom, usb, video and zero devices are available.
-Use the options no3d, nodvd, nosound, notpm, notv, nou2f and novideo for
-additional restrictions.
-
+Only disc, dri, dvb, full, hidraw, log, null, ptmx, pts, random, shm, snd, tty,
+urandom, usb, video and zero devices are available.
+Use the options no3d, nodvd, nosound, notv, nou2f and novideo for additional
+restrictions.
 .TP
 \fBprivate-etc file,directory
 Build a new /etc in a temporary
@@ -858,9 +861,12 @@ Disable input devices.
 .TP
 \fBnosound
 Disable sound system.
+.\" TODO: Fully remove notpm after 0.9.76.
 .TP
-\fBnotpm
-Disable Trusted Platform Module (TPM) devices.
+\fBnotpm\fR (deprecated)
+Ignored for compatibility.
+.br
+TPM devices are now blocked by default, see \fBkeep-dev-tpm\fR.
 .TP
 \fBnotv
 Disable DVB (Digital Video Broadcasting) TV devices.
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in
@@ -1231,6 +1231,17 @@ Example:
 .br
 $ firejail --keep-dev-ntsync --private-dev
 
+.TP
+\fB\-\-keep-dev-tpm
+Allow access to the /dev/tpm* Trusted Platform Module (TPM) devices (even with
+\fBprivate-dev\fR), which are blocked by default.
+.br
+
+.br
+Example:
+.br
+$ firejail --keep-dev-tpm --private-dev
+
 .TP
 \fB\-\-keep-dev-shm
 /dev/shm directory is untouched (even with --private-dev)
@@ -1959,17 +1970,12 @@ Disable sound system.
 Example:
 .br
 $ firejail \-\-nosound firefox
-
+.\" TODO: Fully remove notpm after 0.9.76.
 .TP
-\fB\-\-notpm
-Disable Trusted Platform Module (TPM) devices.
-.br
-
+\fB\-\-notpm\fR (deprecated)
+Ignored for compatibility.
 .br
-Example:
-.br
-$ firejail \-\-notpm
-
+TPM devices are now blocked by default, see \fB\-\-keep-dev-tpm\fR.
 .TP
 \fB\-\-notv
 Disable DVB (Digital Video Broadcasting) TV devices.
@@ -2225,10 +2231,10 @@ $ pwd
 .TP
 \fB\-\-private-dev
 Create a new /dev directory.
-Only disc, dri, dvb, full, hidraw, log, null, ptmx, pts, random, shm, snd, tpm,
-tty, urandom, usb, video and zero devices are available.
-Use the options \-\-no3d, \-\-nodvd, \-\-nosound, \-\-notpm, \-\-notv,
-\-\-nou2f and \-\-novideo for additional restrictions.
+Only disc, dri, dvb, full, hidraw, log, null, ptmx, pts, random, shm, snd, tty,
+urandom, usb, video and zero devices are available.
+Use the options \-\-no3d, \-\-nodvd, \-\-nosound, \-\-notv, \-\-nou2f and
+\-\-novideo for additional restrictions.
 .br
 
 .br
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
@@ -103,6 +103,7 @@ _firejail_args=(
     '--join-or-start=-[join the sandbox or start a new one name|pid]: :_all_firejails'
     '--keep-config-pulse[disable automatic ~/.config/pulse init]'
     '--keep-dev-ntsync[/dev/ntsync character device is untouched (even with --private-dev)]'
+    '--keep-dev-tpm[/dev/tpm* devices are untouched (even with --private-dev)]'
     '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]'
     '--keep-fd[inherit open file descriptors to sandbox]: :'
     '--keep-shell-rc[do not copy shell rc files from /etc/skel]'
@@ -134,7 +135,6 @@ _firejail_args=(
     '--nonewprivs[sets the NO_NEW_PRIVS prctl]'
     '--noprinters[disable printers]'
     '--nosound[disable sound system]'
-    '--notpm[disable TPM devices]'
     '--nou2f[disable U2F devices]'
     '--novideo[disable video devices]'
     '--private[temporary home directory]'
