author | netblue30 <netblue30@yahoo.com> | 2016-10-10 08:30:54 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-10-10 08:30:54 -0400 |
commit | 19302eb4a3f6d8594f87019018a434439ff4bde4 (patch) | |
tree | 1fe5ba70eaf958588ba6e0bb8b81179ae7b18bd5 | |
parent | github (diff) | |
0.9.38.4 testing0.9.38.4
-rw-r--r-- | RELNOTES | 4 | ||||
-rwxr-xr-x | configure | 18 | ||||
-rw-r--r-- | configure.ac | 2 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/join.c | 8 | ||||
-rw-r--r-- | src/firejail/main.c | 1 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 26 | ||||
-rw-r--r-- | src/firejail/util.c | 14 |
8 files changed, 37 insertions, 37 deletions
@@ -1,7 +1,7 @@ | |||
1 | firejail (0.9.38.3) baseline; urgency=low | 1 | firejail (0.9.38.3) baseline; urgency=low |
2 | * this is a development version for LTS branch | 2 | * CVE-2016-7545 submitted by Aleksey Manevich |
3 | * bugfixes | 3 | * bugfixes |
4 | -- netblue30 <netblue30@yahoo.com> Tue, 23 Aug 2016 10:00:00 -0500 | 4 | -- netblue30 <netblue30@yahoo.com> Mon, 10 Oct 2016 10:00:00 -0500 |
5 | 5 | ||
6 | firejail (0.9.38.2) baseline; urgency=low | 6 | firejail (0.9.38.2) baseline; urgency=low |
7 | * security: --whitelist deleted files, submitted by Vasya Novikov | 7 | * security: --whitelist deleted files, submitted by Vasya Novikov |
@@ -1,6 +1,6 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | # Guess values for system-dependent variables and create Makefiles. | 2 | # Guess values for system-dependent variables and create Makefiles. |
3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.38.3. | 3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.38.4. |
4 | # | 4 | # |
5 | # Report bugs to <netblue30@yahoo.com>. | 5 | # Report bugs to <netblue30@yahoo.com>. |
6 | # | 6 | # |
@@ -580,8 +580,8 @@ MAKEFLAGS= | |||
580 | # Identity of this package. | 580 | # Identity of this package. |
581 | PACKAGE_NAME='firejail' | 581 | PACKAGE_NAME='firejail' |
582 | PACKAGE_TARNAME='firejail' | 582 | PACKAGE_TARNAME='firejail' |
583 | PACKAGE_VERSION='0.9.38.3' | 583 | PACKAGE_VERSION='0.9.38.4' |
584 | PACKAGE_STRING='firejail 0.9.38.3' | 584 | PACKAGE_STRING='firejail 0.9.38.4' |
585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' | 585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' |
586 | PACKAGE_URL='http://firejail.wordpress.com' | 586 | PACKAGE_URL='http://firejail.wordpress.com' |
587 | 587 | ||
@@ -1242,7 +1242,7 @@ if test "$ac_init_help" = "long"; then | |||
1242 | # Omit some internal or obsolete options to make the list less imposing. | 1242 | # Omit some internal or obsolete options to make the list less imposing. |
1243 | # This message is too long to be a string in the A/UX 3.1 sh. | 1243 | # This message is too long to be a string in the A/UX 3.1 sh. |
1244 | cat <<_ACEOF | 1244 | cat <<_ACEOF |
1245 | \`configure' configures firejail 0.9.38.3 to adapt to many kinds of systems. | 1245 | \`configure' configures firejail 0.9.38.4 to adapt to many kinds of systems. |
1246 | 1246 | ||
1247 | Usage: $0 [OPTION]... [VAR=VALUE]... | 1247 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1248 | 1248 | ||
@@ -1303,7 +1303,7 @@ fi | |||
1303 | 1303 | ||
1304 | if test -n "$ac_init_help"; then | 1304 | if test -n "$ac_init_help"; then |
1305 | case $ac_init_help in | 1305 | case $ac_init_help in |
1306 | short | recursive ) echo "Configuration of firejail 0.9.38.3:";; | 1306 | short | recursive ) echo "Configuration of firejail 0.9.38.4:";; |
1307 | esac | 1307 | esac |
1308 | cat <<\_ACEOF | 1308 | cat <<\_ACEOF |
1309 | 1309 | ||
@@ -1395,7 +1395,7 @@ fi | |||
1395 | test -n "$ac_init_help" && exit $ac_status | 1395 | test -n "$ac_init_help" && exit $ac_status |
1396 | if $ac_init_version; then | 1396 | if $ac_init_version; then |
1397 | cat <<\_ACEOF | 1397 | cat <<\_ACEOF |
1398 | firejail configure 0.9.38.3 | 1398 | firejail configure 0.9.38.4 |
1399 | generated by GNU Autoconf 2.69 | 1399 | generated by GNU Autoconf 2.69 |
1400 | 1400 | ||
1401 | Copyright (C) 2012 Free Software Foundation, Inc. | 1401 | Copyright (C) 2012 Free Software Foundation, Inc. |
@@ -1697,7 +1697,7 @@ cat >config.log <<_ACEOF | |||
1697 | This file contains any messages produced by compilers while | 1697 | This file contains any messages produced by compilers while |
1698 | running configure, to aid debugging if configure makes a mistake. | 1698 | running configure, to aid debugging if configure makes a mistake. |
1699 | 1699 | ||
1700 | It was created by firejail $as_me 0.9.38.3, which was | 1700 | It was created by firejail $as_me 0.9.38.4, which was |
1701 | generated by GNU Autoconf 2.69. Invocation command line was | 1701 | generated by GNU Autoconf 2.69. Invocation command line was |
1702 | 1702 | ||
1703 | $ $0 $@ | 1703 | $ $0 $@ |
@@ -4140,7 +4140,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |||
4140 | # report actual input values of CONFIG_FILES etc. instead of their | 4140 | # report actual input values of CONFIG_FILES etc. instead of their |
4141 | # values after options handling. | 4141 | # values after options handling. |
4142 | ac_log=" | 4142 | ac_log=" |
4143 | This file was extended by firejail $as_me 0.9.38.3, which was | 4143 | This file was extended by firejail $as_me 0.9.38.4, which was |
4144 | generated by GNU Autoconf 2.69. Invocation command line was | 4144 | generated by GNU Autoconf 2.69. Invocation command line was |
4145 | 4145 | ||
4146 | CONFIG_FILES = $CONFIG_FILES | 4146 | CONFIG_FILES = $CONFIG_FILES |
@@ -4194,7 +4194,7 @@ _ACEOF | |||
4194 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | 4194 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
4195 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" | 4195 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
4196 | ac_cs_version="\\ | 4196 | ac_cs_version="\\ |
4197 | firejail config.status 0.9.38.3 | 4197 | firejail config.status 0.9.38.4 |
4198 | configured by $0, generated by GNU Autoconf 2.69, | 4198 | configured by $0, generated by GNU Autoconf 2.69, |
4199 | with options \\"\$ac_cs_config\\" | 4199 | with options \\"\$ac_cs_config\\" |
4200 | 4200 | ||
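--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.38.3, netblue30@yahoo.com, , http://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.38.4, netblue30@yahoo.com, , http://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
 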
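--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -358,6 +358,7 @@ const char *gnu_basename(const char *path);
 uid_t pid_get_uid(pid_t pid);
 void invalid_filename(const char *fname);
 int remove_directory(const char *path);
+void flush_stdin(void);
 
 // fs_var.c
 void fs_var_log(void); // mounting /var/log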
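Review bot: The new `flush_stdin()` prototype carries no comment, and none of the call sites this commit adds in join.c, main.c and sandbox.c say why pending terminal input is discarded on the way out. RELNOTES ties the release to CVE-2016-7545, so the calls are a security mitigation rather than housekeeping, and a later cleanup could drop them without noticing. A one-line comment on the declaration would record that, for example `// security: discard unread terminal input before exiting (CVE-2016-7545)`.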
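--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -29,6 +29,12 @@ static uint64_t caps = 0;
 static int apply_seccomp = 0;
 #define BUFLEN 4096
 
+static void signal_handler(int sig){
+flush_stdin();
+
+exit(sig);
+}
+
 static void extract_command(int argc, char **argv, int index) {
 if (index >= argc)
 return;
@@ -194,6 +200,7 @@ void join_name(const char *name, const char *homedir, int argc, char **argv, int
 
 void join(pid_t pid, const char *homedir, int argc, char **argv, int index) {
 extract_command(argc, argv, index);
+signal (SIGTERM, signal_handler);
 
 // if the pid is that of a firejail process, use the pid of the first child process
 char *comm = pid_proc_comm(pid);
@@ -388,6 +395,7 @@ void join(pid_t pid, const char *homedir, int argc, char **argv, int index) {
 
 // wait for the child to finish
 waitpid(child, NULL, 0);
+flush_stdin();
 exit(0);
 }
 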
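Review bot: `signal_handler()` runs `flush_stdin()` and `exit()` in signal context, and neither is async-signal-safe: `flush_stdin()` as added in util.c can call `printf()`, and `exit()` runs atexit handlers and flushes stdio buffers the interrupted code may be halfway through updating. A handler limited to `tcflush(STDIN_FILENO, TCIFLUSH); _exit(sig);` keeps the mitigation and uses only calls POSIX lists as safe there. The handler is also registered for SIGTERM only, so a join session ended by SIGINT or SIGHUP leaves without the flush unless those signals are handled somewhere outside these hunks. If `myexit()` in main.c is reachable from a signal handler (not visible on this page), the same concern applies to the `flush_stdin()` call added there. The body of `join()` continues outside all three hunks, so where the handler sits relative to the fork cannot be checked from here.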
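--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -111,6 +111,7 @@ static void myexit(int rv) {
 bandwidth_shm_del_file(sandbox_pid); // bandwidth file
 network_shm_del_file(sandbox_pid); // network map file
 
+flush_stdin();
 exit(rv);
 }
 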
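--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -171,31 +171,6 @@ static void monitor_application(pid_t app_pid) {
 printf("Sandbox monitor: monitoring %u\n", app_pid);
 }
 
-#if 0
-// todo: find a way to shut down interfaces before closing the namespace
-// the problem is we don't have enough privileges to shutdown interfaces in this moment
-// shut down bridge/macvlan interfaces
-if (any_bridge_configured()) {
-
-if (cfg.bridge0.configured) {
-printf("Shutting down %s\n", cfg.bridge0.devsandbox);
-net_if_down( cfg.bridge0.devsandbox);
-}
-if (cfg.bridge1.configured) {
-printf("Shutting down %s\n", cfg.bridge1.devsandbox);
-net_if_down( cfg.bridge1.devsandbox);
-}
-if (cfg.bridge2.configured) {
-printf("Shutting down %s\n", cfg.bridge2.devsandbox);
-net_if_down( cfg.bridge2.devsandbox);
-}
-if (cfg.bridge3.configured) {
-printf("Shutting down %s\n", cfg.bridge3.devsandbox);
-net_if_down( cfg.bridge3.devsandbox);
-}
-usleep(20000); // 20 ms sleep
-}
-#endif
 }
 
 
@@ -672,6 +647,7 @@ int sandbox(void* sandbox_arg) {
 }
 
 monitor_application(app_pid); // monitor application
+flush_stdin();
 
 return 0;
 }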
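--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -25,6 +25,8 @@
 #include <dirent.h>
 #include <grp.h>
 #include <ftw.h>
+#include <sys/ioctl.h>
+#include <termios.h>
 
 #define MAX_GROUPS 1024
 // drop privileges
@@ -641,3 +643,15 @@ int remove_directory(const char *path) {
 // FTW_PHYS - do not follow symbolic links
 return nftw(path, remove_callback, 64, FTW_DEPTH | FTW_PHYS);
 }
+
+void flush_stdin(void) {
+if (isatty(STDIN_FILENO)) {
+int cnt = 0;
+ioctl(STDIN_FILENO, FIONREAD, &cnt);
+if (cnt) {
+if (!arg_quiet)
+printf("Warning: removing %d bytes from stdin\n", cnt);
+ioctl(STDIN_FILENO, TCFLSH, TCIFLUSH);
+}
+}
+}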
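Review bot: In `flush_stdin()` the TCFLSH call is gated on FIONREAD reporting a non-zero count, and both `ioctl()` return values are ignored, so if FIONREAD fails or under-reports, queued input stays in the terminal and nothing is logged. The flush is the security-relevant step (RELNOTES ties this commit to CVE-2016-7545), so I would keep the count for the warning only and flush unconditionally with `if (tcflush(STDIN_FILENO, TCIFLUSH) == -1 && !arg_quiet) perror("tcflush");`, which the newly included `<termios.h>` declares. The function also checks only fd 0, so a run with stdin redirected while stdout or stderr are still on the terminal skips the flush entirely; testing the other standard descriptors would cover that case. A flush is a point-in-time cleanup, so it only helps if no sandboxed process still holds the terminal when it runs, and that depends on the callers outside this hunk.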