diff options
| author |  smitsohu <smitsohu@gmail.com> | 2020-07-14 16:15:35 +0200 |
|---|---|---|
| committer |  GitHub <noreply@github.com> | 2020-07-14 16:15:35 +0200 |
| commit | 94c5abc5015ba6a2dd239e9af2eeac4b1084e9c4 (patch) | |
| tree | 7f9e9654d9632bc3e354c9b2c37a8171e39cc087 | |
| parent | Merge pull request #3241 from kris7t/sbox-harden-exec (diff) | |
| download | firejail-94c5abc5015ba6a2dd239e9af2eeac4b1084e9c4.tar.gz firejail-94c5abc5015ba6a2dd239e9af2eeac4b1084e9c4.tar.zst firejail-94c5abc5015ba6a2dd239e9af2eeac4b1084e9c4.zip | |
harden bandwidth command
add extra checks to defend against command injection (respective strings are controlled by Firejail, so this should be redundant and only for the paranoid), run shell in a minimal sandbox
| -rw-r--r-- | src/firejail/bandwidth.c | 24 |
1 files changed, 12 insertions, 12 deletions
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c index edef823fd..6fd0b53ef 100644 --- a/src/firejail/bandwidth.c +++ b/src/firejail/bandwidth.c | |||
| @@ -327,6 +327,15 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in | |||
| 327 | devname = strdup(buf + len + 1); | 327 | devname = strdup(buf + len + 1); |
| 328 | if (!devname) | 328 | if (!devname) |
| 329 | errExit("strdup"); | 329 | errExit("strdup"); |
| 330 | // double-check device name | ||
| 331 | size_t i; | ||
| 332 | for (i = 0; devname[i]; i++) { | ||
| 333 | if (isalnum((unsigned char) devname[i]) == 0 && | ||
| 334 | devname[i] != '-') { | ||
| 335 | fprintf(stderr, "Error: name of network device is invalid\n"); | ||
| 336 | exit(1); | ||
| 337 | } | ||
| 338 | } | ||
| 330 | // check device in namespace | 339 | // check device in namespace |
| 331 | if (if_nametoindex(devname) == 0) { | 340 | if (if_nametoindex(devname) == 0) { |
| 332 | fprintf(stderr, "Error: cannot find network device %s\n", devname); | 341 | fprintf(stderr, "Error: cannot find network device %s\n", devname); |
| @@ -354,6 +363,7 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in | |||
| 354 | } | 363 | } |
| 355 | bandwidth_remove(pid, devname); | 364 | bandwidth_remove(pid, devname); |
| 356 | } | 365 | } |
| 366 | else assert(strcmp(command, "status") == 0); | ||
| 357 | 367 | ||
| 358 | // build fshaper.sh command | 368 | // build fshaper.sh command |
| 359 | char *cmd = NULL; | 369 | char *cmd = NULL; |
| @@ -375,26 +385,16 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in | |||
| 375 | } | 385 | } |
| 376 | assert(cmd); | 386 | assert(cmd); |
| 377 | 387 | ||
| 378 | // wipe out environment variables | ||
| 379 | environ = NULL; | ||
| 380 | |||
| 381 | //************************ | 388 | //************************ |
| 382 | // build command | 389 | // build command |
| 383 | //************************ | 390 | //************************ |
| 384 | // elevate privileges | ||
| 385 | if (setreuid(0, 0)) | ||
| 386 | errExit("setreuid"); | ||
| 387 | if (setregid(0, 0)) | ||
| 388 | errExit("setregid"); | ||
| 389 | |||
| 390 | char *arg[4]; | 391 | char *arg[4]; |
| 391 | arg[0] = "/bin/sh"; | 392 | arg[0] = "/bin/sh"; |
| 392 | arg[1] = "-c"; | 393 | arg[1] = "-c"; |
| 393 | arg[2] = cmd; | 394 | arg[2] = cmd; |
| 394 | arg[3] = NULL; | 395 | arg[3] = NULL; |
| 395 | clearenv(); | 396 | clearenv(); |
| 396 | execvp(arg[0], arg); | 397 | sbox_exec_v(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, arg); |
| 397 | 398 | ||
| 398 | // it will never get here | 399 | // it will never get here!! |
| 399 | errExit("execvp"); | ||
| 400 | } | 400 | } |