0.9.38.4 testing0.9.38.4

8 files changed, 37 insertions, 37 deletions

diff --git a/RELNOTES b/RELNOTES
index 493f411ff..4b5b66287 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,7 +1,7 @@
 firejail (0.9.38.3) baseline; urgency=low
-  * this is a development version for LTS branch
+  * CVE-2016-7545 submitted by Aleksey Manevich
   * bugfixes 
- -- netblue30 <netblue30@yahoo.com>  Tue, 23 Aug 2016 10:00:00 -0500
+ -- netblue30 <netblue30@yahoo.com>  Mon, 10 Oct 2016 10:00:00 -0500
 
 firejail (0.9.38.2) baseline; urgency=low
   * security: --whitelist deleted files, submitted by Vasya Novikov
diff --git a/configure b/configure
index 625ccbcbe..2f3b7a9b7 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.38.3.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.38.4.
 #
 # Report bugs to <netblue30@yahoo.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.38.3'
-PACKAGE_STRING='firejail 0.9.38.3'
+PACKAGE_VERSION='0.9.38.4'
+PACKAGE_STRING='firejail 0.9.38.4'
 PACKAGE_BUGREPORT='netblue30@yahoo.com'
 PACKAGE_URL='http://firejail.wordpress.com'
 
@@ -1242,7 +1242,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures firejail 0.9.38.3 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.38.4 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1303,7 +1303,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.38.3:";;
+     short | recursive ) echo "Configuration of firejail 0.9.38.4:";;
    esac
   cat <<\_ACEOF
 
@@ -1395,7 +1395,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-firejail configure 0.9.38.3
+firejail configure 0.9.38.4
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1697,7 +1697,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by firejail $as_me 0.9.38.3, which was
+It was created by firejail $as_me 0.9.38.4, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -4140,7 +4140,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.38.3, which was
+This file was extended by firejail $as_me 0.9.38.4, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -4194,7 +4194,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.38.3
+firejail config.status 0.9.38.4
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/configure.ac b/configure.ac
index 1ca50465d..718cfd3bd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.38.3, netblue30@yahoo.com, , http://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.38.4, netblue30@yahoo.com, , http://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
 
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 5104bd688..759569cb4 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -358,6 +358,7 @@ const char *gnu_basename(const char *path);
 uid_t pid_get_uid(pid_t pid);
 void invalid_filename(const char *fname);
 int remove_directory(const char *path);
+void flush_stdin(void);
 
 // fs_var.c
 void fs_var_log(void);  // mounting /var/log
diff --git a/src/firejail/join.c b/src/firejail/join.c
index b05e25387..575baf71e 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -29,6 +29,12 @@ static uint64_t caps = 0;
 static int apply_seccomp = 0;
 #define BUFLEN 4096
 
+static void signal_handler(int sig){
+        flush_stdin();
+
+        exit(sig);
+}
+
 static void extract_command(int argc, char **argv, int index) {
         if (index >= argc)
                 return;
@@ -194,6 +200,7 @@ void join_name(const char *name, const char *homedir, int argc, char **argv, int
 
 void join(pid_t pid, const char *homedir, int argc, char **argv, int index) {
         extract_command(argc, argv, index);
+        signal (SIGTERM, signal_handler);
 
         // if the pid is that of a firejail  process, use the pid of the first child process
         char *comm = pid_proc_comm(pid);
@@ -388,6 +395,7 @@ void join(pid_t pid, const char *homedir, int argc, char **argv, int index) {
 
         // wait for the child to finish
         waitpid(child, NULL, 0);
+        flush_stdin();
         exit(0);
 }
 
diff --git a/src/firejail/main.c b/src/firejail/main.c
index b945f504b..9e2aec4d5 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -111,6 +111,7 @@ static void myexit(int rv) {
         bandwidth_shm_del_file(sandbox_pid);            // bandwidth file
         network_shm_del_file(sandbox_pid);              // network map file
         
+        flush_stdin();
         exit(rv); 
 }
 
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 9cb97187e..fc93e1eef 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -171,31 +171,6 @@ static void monitor_application(pid_t app_pid) {
                         printf("Sandbox monitor: monitoring %u\n", app_pid);
         }
 
-#if 0
-// todo: find a way to shut down interfaces before closing the namespace
-// the problem is we don't have enough privileges to shutdown interfaces in this moment
-        // shut down bridge/macvlan interfaces
-        if (any_bridge_configured()) {
-                
-                if (cfg.bridge0.configured) {
-                        printf("Shutting down %s\n", cfg.bridge0.devsandbox);
-                        net_if_down( cfg.bridge0.devsandbox);
-                }
-                if (cfg.bridge1.configured) {
-                        printf("Shutting down %s\n", cfg.bridge1.devsandbox);
-                        net_if_down( cfg.bridge1.devsandbox);
-                }
-                if (cfg.bridge2.configured) {
-                        printf("Shutting down %s\n", cfg.bridge2.devsandbox);
-                        net_if_down( cfg.bridge2.devsandbox);
-                }
-                if (cfg.bridge3.configured) {
-                        printf("Shutting down %s\n", cfg.bridge3.devsandbox);
-                        net_if_down( cfg.bridge3.devsandbox);
-                }
-                usleep(20000);  // 20 ms sleep
-        }       
-#endif  
 }
 
 
@@ -672,6 +647,7 @@ int sandbox(void* sandbox_arg) {
         }
 
         monitor_application(app_pid);   // monitor application
+        flush_stdin();
         
         return 0;
 }
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 7b871ae0d..9c2caaf74 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -25,6 +25,8 @@
 #include <dirent.h>
 #include <grp.h>
 #include <ftw.h>
+#include <sys/ioctl.h>
+#include <termios.h>
 
 #define MAX_GROUPS 1024
 // drop privileges
@@ -641,3 +643,15 @@ int remove_directory(const char *path) {
         // FTW_PHYS - do not follow symbolic links
         return nftw(path, remove_callback, 64, FTW_DEPTH | FTW_PHYS);
 }
+
+void flush_stdin(void) {
+        if (isatty(STDIN_FILENO)) {
+                int cnt = 0;
+                ioctl(STDIN_FILENO, FIONREAD, &cnt);
+                if (cnt) {
+                        if (!arg_quiet)
+                                printf("Warning: removing %d bytes from stdin\n", cnt);
+                        ioctl(STDIN_FILENO, TCFLSH, TCIFLUSH);
+                }
+        }
+}