non-dumpable plugins

(hopefully) fixes the issues that led to reverting commits 6abb65d328af61d67361890743190bd4c57f8e3c and 98e42dc6da4e4b1e47ed2aa020012d4dedc1e80e
author: smitsohu <smitsohu@gmail.com> 2021-01-04 18:48:35 +0100
committer: smitsohu <smitsohu@gmail.com> 2021-01-04 19:02:41 +0100
commit: 18e806cf6033697cefca58a2be55377c8d92dbd4 (patch)
tree: 9eb7191f9534affa7586ce598ab54c4630f011fb
parent: fix #3859 (#3863) (diff)
download: firejail-18e806cf6033697cefca58a2be55377c8d92dbd4.tar.gz
firejail-18e806cf6033697cefca58a2be55377c8d92dbd4.tar.zst
firejail-18e806cf6033697cefca58a2be55377c8d92dbd4.zip
23 files changed, 63 insertions, 80 deletions
diff --git a/Makefile.in b/Makefile.in
index 623c8bd39..925f702ae 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -110,9 +110,9 @@ endif
        install -m 0755 -d $(DESTDIR)$(libdir)/firejail
        install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config
        install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)
-        # non-dumpable plugins
+        # plugins w/o read permission (non-dumpable)
-        install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE)
+        install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE)
-        install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh
+        install -m 0711 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh
 ifeq ($(HAVE_CONTRIB_INSTALL),yes)
        # contrib scripts
        install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh
diff --git a/src/fcopy/Makefile.in b/src/fcopy/Makefile.in
index 64e277e2d..85f84aa32 100644
--- a/src/fcopy/Makefile.in
+++ b/src/fcopy/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-fcopy: $(OBJS)
+fcopy: $(OBJS) ../lib/common.o
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
 clean:; rm -fr *.o fcopy *.gcov *.gcda *.gcno *.plist
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index 67237b4ea..0a4a61e2a 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -23,7 +23,6 @@
 #include <ftw.h>
 #include <errno.h>
 #include <pwd.h>
-#include <sys/prctl.h>
 #if HAVE_SELINUX
 #include <sys/stat.h>
@@ -412,10 +411,7 @@ int main(int argc, char **argv) {
                exit(1);
        }
-#ifdef WARN_DUMPABLE
+        warn_dumpable();
-        if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
-                fprintf(stderr, "Error fcopy: I am dumpable\n");
-#endif
        // trim trailing chars
        if (src[strlen(src) - 1] == '/')
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 80987e494..9ea3edcd0 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -513,7 +513,6 @@ void check_private_dir(void);
 void update_map(char *mapping, char *map_file);
 void wait_for_other(int fd);
 void notify_other(int fd);
-const char *gnu_basename(const char *path);
 uid_t pid_get_uid(pid_t pid);
 uid_t get_group_id(const char *group);
 int remove_overlay_directory(void);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index e5d8a4720..0f0086a6e 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1231,11 +1231,6 @@ int main(int argc, char **argv, char **envp) {
        }
        EUID_ASSERT();
-#ifdef WARN_DUMPABLE
-        if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
-                fprintf(stderr, "Error: Firejail is dumpable\n");
-#endif
        // check for force-nonewprivs in /etc/firejail/firejail.config file
        if (checkcfg(CFG_FORCE_NONEWPRIVS))
                arg_nonewprivs = 1;
diff --git a/src/firejail/util.c b/src/firejail/util.c
index a3927cc88..0b095e1be 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -820,20 +820,6 @@ void notify_other(int fd) {
        fclose(stream);
 }
-// Equivalent to the GNU version of basename, which is incompatible with
-// the POSIX basename. A few lines of code saves any portability pain.
-// https://www.gnu.org/software/libc/manual/html_node/Finding-Tokens-in-a-String.html#index-basename
-const char *gnu_basename(const char *path) {
-        const char *last_slash = strrchr(path, '/');
-        if (!last_slash)
-                return path;
-        return last_slash+1;
-}
 uid_t pid_get_uid(pid_t pid) {
        EUID_ASSERT();
        uid_t rv = 0;
diff --git a/src/fldd/Makefile.in b/src/fldd/Makefile.in
index 53382c2df..37b139d38 100644
--- a/src/fldd/Makefile.in
+++ b/src/fldd/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h ../include/ldd_utils.h
        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-fldd: $(OBJS) ../lib/ldd_utils.o
+fldd: $(OBJS) ../lib/common.o ../lib/ldd_utils.o
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS)
 clean:; rm -fr *.o fldd *.gcov *.gcda *.gcno *.plist
diff --git a/src/fldd/main.c b/src/fldd/main.c
index d68504f6b..55a0dfcce 100644
--- a/src/fldd/main.c
+++ b/src/fldd/main.c
@@ -24,7 +24,6 @@
 #include <fcntl.h>
 #include <sys/mman.h>
 #include <sys/mount.h>
-#include <sys/prctl.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <unistd.h>
@@ -303,10 +302,7 @@ printf("\n");
                return 0;
        }
-#ifdef WARN_DUMPABLE
+        warn_dumpable();
-        if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
-                fprintf(stderr, "Error fldd: I am dumpable\n");
-#endif
        // check program access
        if (access(argv[1], R_OK)) {
diff --git a/src/fnet/Makefile.in b/src/fnet/Makefile.in
index 37566db72..bd5fe9e7a 100644
--- a/src/fnet/Makefile.in
+++ b/src/fnet/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h
        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-fnet: $(OBJS) ../lib/libnetlink.o
+fnet: $(OBJS) ../lib/common.o ../lib/libnetlink.o
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS)
 clean:; rm -fr *.o fnet *.gcov *.gcda *.gcno *.plist
diff --git a/src/fnet/main.c b/src/fnet/main.c
index f6316a7fe..db090fb95 100644
--- a/src/fnet/main.c
+++ b/src/fnet/main.c
@@ -21,7 +21,6 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/utsname.h>
-#include <sys/prctl.h>
 int arg_quiet = 0;
@@ -69,10 +68,9 @@ printf("\n");
                usage();
                return 0;
        }
-#ifdef WARN_DUMPABLE
-        if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
+        warn_dumpable();
-                fprintf(stderr, "Error fnet: I am dumpable\n");
-#endif
        char *quiet = getenv("FIREJAIL_QUIET");
        if (quiet && strcmp(quiet, "yes") == 0)
                arg_quiet = 1;
diff --git a/src/fnetfilter/Makefile.in b/src/fnetfilter/Makefile.in
index 055167192..6fe650a17 100644
--- a/src/fnetfilter/Makefile.in
+++ b/src/fnetfilter/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-fnetfilter: $(OBJS)
+fnetfilter: $(OBJS) ../lib/common.o
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
 clean:; rm -fr *.o fnetfilter *.gcov *.gcda *.gcno *.plist
diff --git a/src/fnetfilter/main.c b/src/fnetfilter/main.c
index 1ca35ab56..381d0d36e 100644
--- a/src/fnetfilter/main.c
+++ b/src/fnetfilter/main.c
@@ -18,7 +18,6 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "../include/common.h"
-#include <sys/prctl.h>
 #define MAXBUF 4098
 #define MAXARGS 16
@@ -181,10 +180,9 @@ printf("\n");
                usage();
                return 1;
        }
-#ifdef WARN_DUMPABLE
-        if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
+        warn_dumpable();
-                fprintf(stderr, "Error fnetfilter: I am dumpable\n");
-#endif
        char *destfile = (argc == 3)? argv[2]: argv[1];
        char *command = (argc == 3)? argv[1]: NULL;
 //printf("command %s\n", command);
diff --git a/src/fsec-optimize/Makefile.in b/src/fsec-optimize/Makefile.in
index 0387f7ec7..b6a28fdd8 100644
--- a/src/fsec-optimize/Makefile.in
+++ b/src/fsec-optimize/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h
        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-fsec-optimize: $(OBJS) ../lib/libnetlink.o
+fsec-optimize: $(OBJS) ../lib/common.o ../lib/libnetlink.o
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
 clean:; rm -fr *.o fsec-optimize *.gcov *.gcda *.gcno *.plist
diff --git a/src/fsec-optimize/fsec_optimize.h b/src/fsec-optimize/fsec_optimize.h
index 034fde2ac..211111641 100644
--- a/src/fsec-optimize/fsec_optimize.h
+++ b/src/fsec-optimize/fsec_optimize.h
@@ -22,7 +22,6 @@
 #include "../include/common.h"
 #include "../include/seccomp.h"
 #include <sys/mman.h>
-#include <sys/prctl.h>
 // optimize.c
 struct sock_filter *duplicate(struct sock_filter *filter, int entries);
diff --git a/src/fsec-optimize/main.c b/src/fsec-optimize/main.c
index fb13eeca8..74aebc9e0 100644
--- a/src/fsec-optimize/main.c
+++ b/src/fsec-optimize/main.c
@@ -44,11 +44,7 @@ printf("\n");
                return 0;
        }
-#ifdef WARN_DUMPABLE
+        warn_dumpable();
-        // check FIREJAIL_PLUGIN in order to not print a warning during make
-        if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN"))
-                fprintf(stderr, "Error fsec-optimize: I am dumpable\n");
-#endif
        char *fname = argv[1];
diff --git a/src/fsec-print/Makefile.in b/src/fsec-print/Makefile.in
index a30ff4ba3..bf39a8c77 100644
--- a/src/fsec-print/Makefile.in
+++ b/src/fsec-print/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h
        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-fsec-print: $(OBJS) ../lib/libnetlink.o ../lib/errno.o ../lib/syscall.o
+fsec-print: $(OBJS) ../lib/common.o ../lib/libnetlink.o ../lib/errno.o ../lib/syscall.o
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
 clean:; rm -fr *.o fsec-print *.gcov *.gcda *.gcno *.plist
diff --git a/src/fsec-print/fsec_print.h b/src/fsec-print/fsec_print.h
index 9d17e3f18..337199288 100644
--- a/src/fsec-print/fsec_print.h
+++ b/src/fsec-print/fsec_print.h
@@ -23,7 +23,6 @@
 #include "../include/seccomp.h"
 #include "../include/syscall.h"
 #include <sys/mman.h>
-#include <sys/prctl.h>
 // print.c
 void print(struct sock_filter *filter, int entries);
diff --git a/src/fsec-print/main.c b/src/fsec-print/main.c
index d1f056e47..ed030db21 100644
--- a/src/fsec-print/main.c
+++ b/src/fsec-print/main.c
@@ -61,10 +61,7 @@ printf("\n");
                return 0;
        }
-#ifdef WARN_DUMPABLE
+        warn_dumpable();
-        if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
-                fprintf(stderr, "Error fsec-print: I am dumpable\n");
-#endif
        char *fname = argv[1];
diff --git a/src/fseccomp/Makefile.in b/src/fseccomp/Makefile.in
index 8623db6f8..b776a73ce 100644
--- a/src/fseccomp/Makefile.in
+++ b/src/fseccomp/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-fseccomp: $(OBJS) ../lib/errno.o ../lib/syscall.o
+fseccomp: $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
 clean:; rm -fr *.o fseccomp *.gcov *.gcda *.gcno *.plist
diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h
index e40999938..e8dd083b6 100644
--- a/src/fseccomp/fseccomp.h
+++ b/src/fseccomp/fseccomp.h
@@ -23,7 +23,6 @@
 #include <stdlib.h>
 #include <string.h>
 #include <assert.h>
-#include <sys/prctl.h>
 #include "../include/common.h"
 #include "../include/syscall.h"
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index f505ca0f3..c8259b079 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -69,11 +69,7 @@ printf("\n");
                return 0;
        }
-#ifdef WARN_DUMPABLE
+        warn_dumpable();
-        // check FIREJAIL_PLUGIN in order to not print a warning during make
-        if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN"))
-                fprintf(stderr, "Error fseccomp: I am dumpable\n");
-#endif
        char *quiet = getenv("FIREJAIL_QUIET");
        if (quiet && strcmp(quiet, "yes") == 0)
diff --git a/src/include/common.h b/src/include/common.h
index 5df51c5a9..5497929c7 100644
--- a/src/include/common.h
+++ b/src/include/common.h
@@ -38,11 +38,6 @@
 #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
-// check if processes run with dumpable flag set
-// currently we get "Error fseccomp: I am dumpable" every time we run a firejail build on Debian 8,
-// regardless what Debian version we run the build on
-//#define WARN_DUMPABLE
 // macro to print ip addresses in a printf statement
 #define PRINT_IP(A) \
 ((int) (((A) >> 24) & 0xFF)),  ((int) (((A) >> 16) & 0xFF)), ((int) (((A) >> 8) & 0xFF)), ((int) ( (A) & 0xFF))
@@ -126,4 +121,6 @@ char *pid_proc_comm(const pid_t pid);
 char *pid_proc_cmdline(const pid_t pid);
 int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid);
 int pid_hidepid(void);
+void warn_dumpable(void);
+const char *gnu_basename(const char *path);
 #endif
diff --git a/src/lib/common.c b/src/lib/common.c
index 823442835..ace5cb87e 100644
--- a/src/lib/common.c
+++ b/src/lib/common.c
@@ -267,7 +267,6 @@ int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid) {
 }
 // return 1 if /proc is mounted hidepid, or if /proc/mouns access is denied
-#define BUFLEN 4096
 int pid_hidepid(void) {
        FILE *fp = fopen("/proc/mounts", "r");
        if (!fp)
@@ -288,6 +287,39 @@ int pid_hidepid(void) {
        return 0;
 }
+// print error if unprivileged users can trace the process
+void warn_dumpable(void) {
+        if (getuid() != 0 && prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getenv("FIREJAIL_PLUGIN")) {
+                fprintf(stderr, "Error: dumpable process\n");
+                // best effort to provide detailed debug information
+                // cannot use process name, it is just a file descriptor number
+                char path[BUFLEN];
+                ssize_t len = readlink("/proc/self/exe", path, BUFLEN - 1);
+                if (len < 0)
+                        return;
+                path[len] = '\0';
+                // path can refer to a sandbox mount namespace, use basename only
+                const char *base = gnu_basename(path);
+                struct stat s;
+                if (stat("/proc/self/exe", &s) == 0 && s.st_uid != 0)
+                        fprintf(stderr, "Change owner of %s executable to root\n", base);
+                else if (access("/proc/self/exe", R_OK) == 0)
+                        fprintf(stderr, "Remove read permission on %s executable\n", base);
+        }
+}
+// Equivalent to the GNU version of basename, which is incompatible with
+// the POSIX basename. A few lines of code saves any portability pain.
+// https://www.gnu.org/software/libc/manual/html_node/Finding-Tokens-in-a-String.html#index-basename
+const char *gnu_basename(const char *path) {
+        const char *last_slash = strrchr(path, '/');
+        if (!last_slash)
+                return path;
+        return last_slash+1;
+}
 //**************************
 // time trace based on getticks function
 //**************************
author	smitsohu <smitsohu@gmail.com>	2021-01-04 18:48:35 +0100
committer	smitsohu <smitsohu@gmail.com>	2021-01-04 19:02:41 +0100
commit	18e806cf6033697cefca58a2be55377c8d92dbd4 (patch)
tree	9eb7191f9534affa7586ce598ab54c4630f011fb
parent	fix #3859 (#3863) (diff)
download	firejail-18e806cf6033697cefca58a2be55377c8d92dbd4.tar.gz firejail-18e806cf6033697cefca58a2be55377c8d92dbd4.tar.zst firejail-18e806cf6033697cefca58a2be55377c8d92dbd4.zip

diff --git a/Makefile.in b/Makefile.in index 623c8bd39..925f702ae 100644 --- a/Makefile.in +++ b/Makefile.in
@@ -110,9 +110,9 @@ endif
110	install -m 0755 -d $(DESTDIR)$(libdir)/firejail	110	install -m 0755 -d $(DESTDIR)$(libdir)/firejail
111	install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config	111	install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config
112	install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)	112	install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)
113	# non-dumpable plugins	113	# plugins w/o read permission (non-dumpable)
114	install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE)	114	install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE)
115	install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh	115	install -m 0711 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh
116	ifeq ($(HAVE_CONTRIB_INSTALL),yes)	116	ifeq ($(HAVE_CONTRIB_INSTALL),yes)
117	# contrib scripts	117	# contrib scripts
118	install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/.py contrib/.sh	118	install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/.py contrib/.sh


diff --git a/src/fcopy/Makefile.in b/src/fcopy/Makefile.in index 64e277e2d..85f84aa32 100644 --- a/src/fcopy/Makefile.in +++ b/src/fcopy/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
5	%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h	5	%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
6	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@	6	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
7		7
8	fcopy: $(OBJS)	8	fcopy: $(OBJS) ../lib/common.o
9	$(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)	9	$(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
10		10
11	clean:; rm -fr .o fcopy .gcov .gcda .gcno *.plist	11	clean:; rm -fr .o fcopy .gcov .gcda .gcno *.plist
12		12


diff --git a/src/fcopy/main.c b/src/fcopy/main.c index 67237b4ea..0a4a61e2a 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c
@@ -23,7 +23,6 @@
23	#include <ftw.h>	23	#include <ftw.h>
24	#include <errno.h>	24	#include <errno.h>
25	#include <pwd.h>	25	#include <pwd.h>
26	#include <sys/prctl.h>
27		26
28	#if HAVE_SELINUX	27	#if HAVE_SELINUX
29	#include <sys/stat.h>	28	#include <sys/stat.h>
@@ -412,10 +411,7 @@ int main(int argc, char **argv) {
412	exit(1);	411	exit(1);
413	}	412	}
414		413
415	#ifdef WARN_DUMPABLE	414	warn_dumpable();
416	if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
417	fprintf(stderr, "Error fcopy: I am dumpable\n");
418	#endif
419		415
420	// trim trailing chars	416	// trim trailing chars
421	if (src[strlen(src) - 1] == '/')	417	if (src[strlen(src) - 1] == '/')


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 80987e494..9ea3edcd0 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -513,7 +513,6 @@ void check_private_dir(void);
513	void update_map(char mapping, char map_file);	513	void update_map(char mapping, char map_file);
514	void wait_for_other(int fd);	514	void wait_for_other(int fd);
515	void notify_other(int fd);	515	void notify_other(int fd);
516	const char gnu_basename(const char path);
517	uid_t pid_get_uid(pid_t pid);	516	uid_t pid_get_uid(pid_t pid);
518	uid_t get_group_id(const char *group);	517	uid_t get_group_id(const char *group);
519	int remove_overlay_directory(void);	518	int remove_overlay_directory(void);


diff --git a/src/firejail/main.c b/src/firejail/main.c index e5d8a4720..0f0086a6e 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -1231,11 +1231,6 @@ int main(int argc, char argv, char envp) {
1231	}	1231	}
1232	EUID_ASSERT();	1232	EUID_ASSERT();
1233		1233
1234	#ifdef WARN_DUMPABLE
1235	if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
1236	fprintf(stderr, "Error: Firejail is dumpable\n");
1237	#endif
1238
1239	// check for force-nonewprivs in /etc/firejail/firejail.config file	1234	// check for force-nonewprivs in /etc/firejail/firejail.config file
1240	if (checkcfg(CFG_FORCE_NONEWPRIVS))	1235	if (checkcfg(CFG_FORCE_NONEWPRIVS))
1241	arg_nonewprivs = 1;	1236	arg_nonewprivs = 1;


diff --git a/src/firejail/util.c b/src/firejail/util.c index a3927cc88..0b095e1be 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c
@@ -820,20 +820,6 @@ void notify_other(int fd) {
820	fclose(stream);	820	fclose(stream);
821	}	821	}
822		822
823
824
825
826	// Equivalent to the GNU version of basename, which is incompatible with
827	// the POSIX basename. A few lines of code saves any portability pain.
828	// https://www.gnu.org/software/libc/manual/html_node/Finding-Tokens-in-a-String.html#index-basename
829	const char gnu_basename(const char path) {
830	const char *last_slash = strrchr(path, '/');
831	if (!last_slash)
832	return path;
833	return last_slash+1;
834	}
835
836
837	uid_t pid_get_uid(pid_t pid) {	823	uid_t pid_get_uid(pid_t pid) {
838	EUID_ASSERT();	824	EUID_ASSERT();
839	uid_t rv = 0;	825	uid_t rv = 0;


diff --git a/src/fldd/Makefile.in b/src/fldd/Makefile.in index 53382c2df..37b139d38 100644 --- a/src/fldd/Makefile.in +++ b/src/fldd/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
5	%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h ../include/ldd_utils.h	5	%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h ../include/ldd_utils.h
6	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@	6	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
7		7
8	fldd: $(OBJS) ../lib/ldd_utils.o	8	fldd: $(OBJS) ../lib/common.o ../lib/ldd_utils.o
9	$(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS)	9	$(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS)
10		10
11	clean:; rm -fr .o fldd .gcov .gcda .gcno *.plist	11	clean:; rm -fr .o fldd .gcov .gcda .gcno *.plist
12		12


diff --git a/src/fldd/main.c b/src/fldd/main.c index d68504f6b..55a0dfcce 100644 --- a/src/fldd/main.c +++ b/src/fldd/main.c
@@ -24,7 +24,6 @@
24	#include <fcntl.h>	24	#include <fcntl.h>
25	#include <sys/mman.h>	25	#include <sys/mman.h>
26	#include <sys/mount.h>	26	#include <sys/mount.h>
27	#include <sys/prctl.h>
28	#include <sys/stat.h>	27	#include <sys/stat.h>
29	#include <sys/types.h>	28	#include <sys/types.h>
30	#include <unistd.h>	29	#include <unistd.h>
@@ -303,10 +302,7 @@ printf("\n");
303	return 0;	302	return 0;
304	}	303	}
305		304
306	#ifdef WARN_DUMPABLE	305	warn_dumpable();
307	if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
308	fprintf(stderr, "Error fldd: I am dumpable\n");
309	#endif
310		306
311	// check program access	307	// check program access
312	if (access(argv[1], R_OK)) {	308	if (access(argv[1], R_OK)) {


diff --git a/src/fnet/Makefile.in b/src/fnet/Makefile.in index 37566db72..bd5fe9e7a 100644 --- a/src/fnet/Makefile.in +++ b/src/fnet/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
5	%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h	5	%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h
6	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@	6	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
7		7
8	fnet: $(OBJS) ../lib/libnetlink.o	8	fnet: $(OBJS) ../lib/common.o ../lib/libnetlink.o
9	$(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS)	9	$(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS)
10		10
11	clean:; rm -fr .o fnet .gcov .gcda .gcno *.plist	11	clean:; rm -fr .o fnet .gcov .gcda .gcno *.plist
12		12


diff --git a/src/fnet/main.c b/src/fnet/main.c index f6316a7fe..db090fb95 100644 --- a/src/fnet/main.c +++ b/src/fnet/main.c
@@ -21,7 +21,6 @@
21	#include <sys/types.h>	21	#include <sys/types.h>
22	#include <sys/stat.h>	22	#include <sys/stat.h>
23	#include <sys/utsname.h>	23	#include <sys/utsname.h>
24	#include <sys/prctl.h>
25		24
26	int arg_quiet = 0;	25	int arg_quiet = 0;
27		26
@@ -69,10 +68,9 @@ printf("\n");
69	usage();	68	usage();
70	return 0;	69	return 0;
71	}	70	}
72	#ifdef WARN_DUMPABLE	71
73	if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())	72	warn_dumpable();
74	fprintf(stderr, "Error fnet: I am dumpable\n");	73
75	#endif
76	char *quiet = getenv("FIREJAIL_QUIET");	74	char *quiet = getenv("FIREJAIL_QUIET");
77	if (quiet && strcmp(quiet, "yes") == 0)	75	if (quiet && strcmp(quiet, "yes") == 0)
78	arg_quiet = 1;	76	arg_quiet = 1;


diff --git a/src/fnetfilter/Makefile.in b/src/fnetfilter/Makefile.in index 055167192..6fe650a17 100644 --- a/src/fnetfilter/Makefile.in +++ b/src/fnetfilter/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
5	%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h	5	%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
6	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@	6	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
7		7
8	fnetfilter: $(OBJS)	8	fnetfilter: $(OBJS) ../lib/common.o
9	$(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)	9	$(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
10		10
11	clean:; rm -fr .o fnetfilter .gcov .gcda .gcno *.plist	11	clean:; rm -fr .o fnetfilter .gcov .gcda .gcno *.plist
12		12


diff --git a/src/fnetfilter/main.c b/src/fnetfilter/main.c index 1ca35ab56..381d0d36e 100644 --- a/src/fnetfilter/main.c +++ b/src/fnetfilter/main.c
@@ -18,7 +18,6 @@
18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.	18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19	*/	19	*/
20	#include "../include/common.h"	20	#include "../include/common.h"
21	#include <sys/prctl.h>
22		21
23	#define MAXBUF 4098	22	#define MAXBUF 4098
24	#define MAXARGS 16	23	#define MAXARGS 16
@@ -181,10 +180,9 @@ printf("\n");
181	usage();	180	usage();
182	return 1;	181	return 1;
183	}	182	}
184	#ifdef WARN_DUMPABLE	183
185	if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())	184	warn_dumpable();
186	fprintf(stderr, "Error fnetfilter: I am dumpable\n");	185
187	#endif
188	char *destfile = (argc == 3)? argv[2]: argv[1];	186	char *destfile = (argc == 3)? argv[2]: argv[1];
189	char *command = (argc == 3)? argv[1]: NULL;	187	char *command = (argc == 3)? argv[1]: NULL;
190	//printf("command %s\n", command);	188	//printf("command %s\n", command);


diff --git a/src/fsec-optimize/Makefile.in b/src/fsec-optimize/Makefile.in index 0387f7ec7..b6a28fdd8 100644 --- a/src/fsec-optimize/Makefile.in +++ b/src/fsec-optimize/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
5	%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h	5	%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h
6	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@	6	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
7		7
8	fsec-optimize: $(OBJS) ../lib/libnetlink.o	8	fsec-optimize: $(OBJS) ../lib/common.o ../lib/libnetlink.o
9	$(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)	9	$(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
10		10
11	clean:; rm -fr .o fsec-optimize .gcov .gcda .gcno *.plist	11	clean:; rm -fr .o fsec-optimize .gcov .gcda .gcno *.plist
12		12


diff --git a/src/fsec-optimize/fsec_optimize.h b/src/fsec-optimize/fsec_optimize.h index 034fde2ac..211111641 100644 --- a/src/fsec-optimize/fsec_optimize.h +++ b/src/fsec-optimize/fsec_optimize.h
@@ -22,7 +22,6 @@
22	#include "../include/common.h"	22	#include "../include/common.h"
23	#include "../include/seccomp.h"	23	#include "../include/seccomp.h"
24	#include <sys/mman.h>	24	#include <sys/mman.h>
25	#include <sys/prctl.h>
26		25
27	// optimize.c	26	// optimize.c
28	struct sock_filter duplicate(struct sock_filter filter, int entries);	27	struct sock_filter duplicate(struct sock_filter filter, int entries);


diff --git a/src/fsec-optimize/main.c b/src/fsec-optimize/main.c index fb13eeca8..74aebc9e0 100644 --- a/src/fsec-optimize/main.c +++ b/src/fsec-optimize/main.c
@@ -44,11 +44,7 @@ printf("\n");
44	return 0;	44	return 0;
45	}	45	}
46		46
47	#ifdef WARN_DUMPABLE	47	warn_dumpable();
48	// check FIREJAIL_PLUGIN in order to not print a warning during make
49	if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN"))
50	fprintf(stderr, "Error fsec-optimize: I am dumpable\n");
51	#endif
52		48
53	char *fname = argv[1];	49	char *fname = argv[1];
54		50


diff --git a/src/fsec-print/Makefile.in b/src/fsec-print/Makefile.in index a30ff4ba3..bf39a8c77 100644 --- a/src/fsec-print/Makefile.in +++ b/src/fsec-print/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
5	%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h	5	%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h
6	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@	6	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
7		7
8	fsec-print: $(OBJS) ../lib/libnetlink.o ../lib/errno.o ../lib/syscall.o	8	fsec-print: $(OBJS) ../lib/common.o ../lib/libnetlink.o ../lib/errno.o ../lib/syscall.o
9	$(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)	9	$(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
10		10
11	clean:; rm -fr .o fsec-print .gcov .gcda .gcno *.plist	11	clean:; rm -fr .o fsec-print .gcov .gcda .gcno *.plist
12		12


diff --git a/src/fsec-print/fsec_print.h b/src/fsec-print/fsec_print.h index 9d17e3f18..337199288 100644 --- a/src/fsec-print/fsec_print.h +++ b/src/fsec-print/fsec_print.h
@@ -23,7 +23,6 @@
23	#include "../include/seccomp.h"	23	#include "../include/seccomp.h"
24	#include "../include/syscall.h"	24	#include "../include/syscall.h"
25	#include <sys/mman.h>	25	#include <sys/mman.h>
26	#include <sys/prctl.h>
27		26
28	// print.c	27	// print.c
29	void print(struct sock_filter *filter, int entries);	28	void print(struct sock_filter *filter, int entries);


diff --git a/src/fsec-print/main.c b/src/fsec-print/main.c index d1f056e47..ed030db21 100644 --- a/src/fsec-print/main.c +++ b/src/fsec-print/main.c
@@ -61,10 +61,7 @@ printf("\n");
61	return 0;	61	return 0;
62	}	62	}
63		63
64	#ifdef WARN_DUMPABLE	64	warn_dumpable();
65	if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
66	fprintf(stderr, "Error fsec-print: I am dumpable\n");
67	#endif
68		65
69	char *fname = argv[1];	66	char *fname = argv[1];
70		67


diff --git a/src/fseccomp/Makefile.in b/src/fseccomp/Makefile.in index 8623db6f8..b776a73ce 100644 --- a/src/fseccomp/Makefile.in +++ b/src/fseccomp/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
5	%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h	5	%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
6	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@	6	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
7		7
8	fseccomp: $(OBJS) ../lib/errno.o ../lib/syscall.o	8	fseccomp: $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o
9	$(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)	9	$(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
10		10
11	clean:; rm -fr .o fseccomp .gcov .gcda .gcno *.plist	11	clean:; rm -fr .o fseccomp .gcov .gcda .gcno *.plist
12		12


diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h index e40999938..e8dd083b6 100644 --- a/src/fseccomp/fseccomp.h +++ b/src/fseccomp/fseccomp.h
@@ -23,7 +23,6 @@
23	#include <stdlib.h>	23	#include <stdlib.h>
24	#include <string.h>	24	#include <string.h>
25	#include <assert.h>	25	#include <assert.h>
26	#include <sys/prctl.h>
27	#include "../include/common.h"	26	#include "../include/common.h"
28	#include "../include/syscall.h"	27	#include "../include/syscall.h"
29		28


diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index f505ca0f3..c8259b079 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c
@@ -69,11 +69,7 @@ printf("\n");
69	return 0;	69	return 0;
70	}	70	}
71		71
72	#ifdef WARN_DUMPABLE	72	warn_dumpable();
73	// check FIREJAIL_PLUGIN in order to not print a warning during make
74	if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN"))
75	fprintf(stderr, "Error fseccomp: I am dumpable\n");
76	#endif
77		73
78	char *quiet = getenv("FIREJAIL_QUIET");	74	char *quiet = getenv("FIREJAIL_QUIET");
79	if (quiet && strcmp(quiet, "yes") == 0)	75	if (quiet && strcmp(quiet, "yes") == 0)


diff --git a/src/include/common.h b/src/include/common.h index 5df51c5a9..5497929c7 100644 --- a/src/include/common.h +++ b/src/include/common.h
@@ -38,11 +38,6 @@
38		38
39	#define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)	39	#define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
40		40
41	// check if processes run with dumpable flag set
42	// currently we get "Error fseccomp: I am dumpable" every time we run a firejail build on Debian 8,
43	// regardless what Debian version we run the build on
44	//#define WARN_DUMPABLE
45
46	// macro to print ip addresses in a printf statement	41	// macro to print ip addresses in a printf statement
47	#define PRINT_IP(A) \	42	#define PRINT_IP(A) \
48	((int) (((A) >> 24) & 0xFF)), ((int) (((A) >> 16) & 0xFF)), ((int) (((A) >> 8) & 0xFF)), ((int) ( (A) & 0xFF))	43	((int) (((A) >> 24) & 0xFF)), ((int) (((A) >> 16) & 0xFF)), ((int) (((A) >> 8) & 0xFF)), ((int) ( (A) & 0xFF))
@@ -126,4 +121,6 @@ char *pid_proc_comm(const pid_t pid);
126	char *pid_proc_cmdline(const pid_t pid);	121	char *pid_proc_cmdline(const pid_t pid);
127	int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid);	122	int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid);
128	int pid_hidepid(void);	123	int pid_hidepid(void);
		124	void warn_dumpable(void);
		125	const char gnu_basename(const char path);
129	#endif	126	#endif


diff --git a/src/lib/common.c b/src/lib/common.c index 823442835..ace5cb87e 100644 --- a/src/lib/common.c +++ b/src/lib/common.c
@@ -267,7 +267,6 @@ int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid) {
267	}	267	}
268		268
269	// return 1 if /proc is mounted hidepid, or if /proc/mouns access is denied	269	// return 1 if /proc is mounted hidepid, or if /proc/mouns access is denied
270	#define BUFLEN 4096
271	int pid_hidepid(void) {	270	int pid_hidepid(void) {
272	FILE *fp = fopen("/proc/mounts", "r");	271	FILE *fp = fopen("/proc/mounts", "r");
273	if (!fp)	272	if (!fp)
@@ -288,6 +287,39 @@ int pid_hidepid(void) {
288	return 0;	287	return 0;
289	}	288	}
290		289
		290	// print error if unprivileged users can trace the process
		291	void warn_dumpable(void) {
		292	if (getuid() != 0 && prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getenv("FIREJAIL_PLUGIN")) {
		293	fprintf(stderr, "Error: dumpable process\n");
		294
		295	// best effort to provide detailed debug information
		296	// cannot use process name, it is just a file descriptor number
		297	char path[BUFLEN];
		298	ssize_t len = readlink("/proc/self/exe", path, BUFLEN - 1);
		299	if (len < 0)
		300	return;
		301	path[len] = '\0';
		302	// path can refer to a sandbox mount namespace, use basename only
		303	const char *base = gnu_basename(path);
		304
		305	struct stat s;
		306	if (stat("/proc/self/exe", &s) == 0 && s.st_uid != 0)
		307	fprintf(stderr, "Change owner of %s executable to root\n", base);
		308	else if (access("/proc/self/exe", R_OK) == 0)
		309	fprintf(stderr, "Remove read permission on %s executable\n", base);
		310	}
		311	}
		312
		313	// Equivalent to the GNU version of basename, which is incompatible with
		314	// the POSIX basename. A few lines of code saves any portability pain.
		315	// https://www.gnu.org/software/libc/manual/html_node/Finding-Tokens-in-a-String.html#index-basename
		316	const char gnu_basename(const char path) {
		317	const char *last_slash = strrchr(path, '/');
		318	if (!last_slash)
		319	return path;
		320	return last_slash+1;
		321	}
		322
291	//**************************	323	//**************************
292	// time trace based on getticks function	324	// time trace based on getticks function
293	//**************************	325	//**************************