aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLibravatar netblue30 <netblue30@yahoo.com>2018-08-21 09:12:44 -0400
committerLibravatar netblue30 <netblue30@yahoo.com>2018-08-21 09:12:44 -0400
commit7b9792c40fae4d4fc2f896bb4c7264fd59d5aa4e (patch)
tree1066b61be3fd46a574a063eaabc7ef388891e033
parentautoconf (diff)
downloadfirejail-7b9792c40fae4d4fc2f896bb4c7264fd59d5aa4e.tar.gz
firejail-7b9792c40fae4d4fc2f896bb4c7264fd59d5aa4e.tar.zst
firejail-7b9792c40fae4d4fc2f896bb4c7264fd59d5aa4e.zip
removed --ls, --get, --put
Diffstat
-rwxr-xr-xconfigure17
-rw-r--r--configure.ac9
-rw-r--r--src/common.mk.in3
-rw-r--r--src/firejail/checkcfg.c13
-rw-r--r--src/firejail/ls.c479
-rw-r--r--src/firejail/main.c2
-rw-r--r--status2
-rwxr-xr-xtest/utils/ls.exp69
-rwxr-xr-xtest/utils/utils.sh3
9 files changed, 16 insertions, 581 deletions
diff --git a/configure b/configure
index b15f649df..089615384 100755
--- a/configure
+++ b/configure
@@ -630,7 +630,6 @@ BUSYBOX_WORKAROUND
630HAVE_FATAL_WARNINGS 630HAVE_FATAL_WARNINGS
631HAVE_SUID 631HAVE_SUID
632HAVE_WHITELIST 632HAVE_WHITELIST
633HAVE_FILE_TRANSFER
634HAVE_USERNS 633HAVE_USERNS
635HAVE_NETWORK 634HAVE_NETWORK
636HAVE_GLOBALCFG 635HAVE_GLOBALCFG
@@ -701,7 +700,6 @@ enable_bind
701enable_globalcfg 700enable_globalcfg
702enable_network 701enable_network
703enable_userns 702enable_userns
704enable_file_transfer
705enable_whitelist 703enable_whitelist
706enable_suid 704enable_suid
707enable_fatal_warnings 705enable_fatal_warnings
@@ -1344,7 +1342,6 @@ Optional Features:
1344 present, continue the program using defaults 1342 present, continue the program using defaults
1345 --disable-network disable network 1343 --disable-network disable network
1346 --disable-userns disable user namespace 1344 --disable-userns disable user namespace
1347 --disable-file-transfer disable file transfer
1348 --disable-whitelist disable whitelist 1345 --disable-whitelist disable whitelist
1349 --disable-suid install as a non-SUID executable 1346 --disable-suid install as a non-SUID executable
1350 --enable-fatal-warnings -W -Wall -Werror 1347 --enable-fatal-warnings -W -Wall -Werror
@@ -3627,19 +3624,6 @@ if test "x$enable_userns" != "xno"; then :
3627 3624
3628fi 3625fi
3629 3626
3630HAVE_FILE_TRANSFER=""
3631# Check whether --enable-file-transfer was given.
3632if test "${enable_file_transfer+set}" = set; then :
3633 enableval=$enable_file_transfer;
3634fi
3635
3636if test "x$enable_file_transfer" != "xno"; then :
3637
3638 HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER"
3639
3640
3641fi
3642
3643HAVE_WHITELIST="" 3627HAVE_WHITELIST=""
3644# Check whether --enable-whitelist was given. 3628# Check whether --enable-whitelist was given.
3645if test "${enable_whitelist+set}" = set; then : 3629if test "${enable_whitelist+set}" = set; then :
@@ -4961,7 +4945,6 @@ echo " bind: $HAVE_BIND"
4961echo " network: $HAVE_NETWORK" 4945echo " network: $HAVE_NETWORK"
4962echo " user namespace: $HAVE_USERNS" 4946echo " user namespace: $HAVE_USERNS"
4963echo " whitelisting: $HAVE_WHITELIST" 4947echo " whitelisting: $HAVE_WHITELIST"
4964echo " file transfer support: $HAVE_FILE_TRANSFER"
4965echo " busybox workaround: $BUSYBOX_WORKAROUND" 4948echo " busybox workaround: $BUSYBOX_WORKAROUND"
4966echo " Spectre compiler patch: $HAVE_SPECTRE" 4949echo " Spectre compiler patch: $HAVE_SPECTRE"
4967echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" 4950echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS"
diff --git a/configure.ac b/configure.ac
index 0cd5c7dd0..a6bc44318 100644
--- a/configure.ac
+++ b/configure.ac
@@ -95,14 +95,6 @@ AS_IF([test "x$enable_userns" != "xno"], [
95 AC_SUBST(HAVE_USERNS) 95 AC_SUBST(HAVE_USERNS)
96]) 96])
97 97
98HAVE_FILE_TRANSFER=""
99AC_ARG_ENABLE([file-transfer],
100 AS_HELP_STRING([--disable-file-transfer], [disable file transfer]))
101AS_IF([test "x$enable_file_transfer" != "xno"], [
102 HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER"
103 AC_SUBST(HAVE_FILE_TRANSFER)
104])
105
106HAVE_WHITELIST="" 98HAVE_WHITELIST=""
107AC_ARG_ENABLE([whitelist], 99AC_ARG_ENABLE([whitelist],
108 AS_HELP_STRING([--disable-whitelist], [disable whitelist])) 100 AS_HELP_STRING([--disable-whitelist], [disable whitelist]))
@@ -173,7 +165,6 @@ echo " bind: $HAVE_BIND"
173echo " network: $HAVE_NETWORK" 165echo " network: $HAVE_NETWORK"
174echo " user namespace: $HAVE_USERNS" 166echo " user namespace: $HAVE_USERNS"
175echo " whitelisting: $HAVE_WHITELIST" 167echo " whitelisting: $HAVE_WHITELIST"
176echo " file transfer support: $HAVE_FILE_TRANSFER"
177echo " busybox workaround: $BUSYBOX_WORKAROUND" 168echo " busybox workaround: $BUSYBOX_WORKAROUND"
178echo " Spectre compiler patch: $HAVE_SPECTRE" 169echo " Spectre compiler patch: $HAVE_SPECTRE"
179echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" 170echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS"
diff --git a/src/common.mk.in b/src/common.mk.in
index 7440b7b45..64fe2b85a 100644
--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -14,7 +14,6 @@ HAVE_BIND=@HAVE_BIND@
14HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ 14HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
15HAVE_NETWORK=@HAVE_NETWORK@ 15HAVE_NETWORK=@HAVE_NETWORK@
16HAVE_USERNS=@HAVE_USERNS@ 16HAVE_USERNS=@HAVE_USERNS@
17HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
18HAVE_WHITELIST=@HAVE_WHITELIST@ 17HAVE_WHITELIST=@HAVE_WHITELIST@
19HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ 18HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
20HAVE_APPARMOR=@HAVE_APPARMOR@ 19HAVE_APPARMOR=@HAVE_APPARMOR@
@@ -25,7 +24,7 @@ C_FILE_LIST = $(sort $(wildcard *.c))
25OBJS = $(C_FILE_LIST:.c=.o) 24OBJS = $(C_FILE_LIST:.c=.o)
26BINOBJS = $(foreach file, $(OBJS), $file) 25BINOBJS = $(foreach file, $(OBJS), $file)
27 26
28CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_APPARMOR) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security 27CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_APPARMOR) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
29LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread 28LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
30EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ 29EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
31EXTRA_CFLAGS +=@EXTRA_CFLAGS@ 30EXTRA_CFLAGS +=@EXTRA_CFLAGS@
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 7483136f4..0cceea17b 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -76,6 +76,7 @@ int checkcfg(int val) {
76 if (!ptr) 76 if (!ptr)
77 continue; 77 continue;
78 78
79#ifndef LTS
79 // file transfer 80 // file transfer
80 else if (strncmp(ptr, "file-transfer ", 14) == 0) { 81 else if (strncmp(ptr, "file-transfer ", 14) == 0) {
81 if (strcmp(ptr + 14, "yes") == 0) 82 if (strcmp(ptr + 14, "yes") == 0)
@@ -85,6 +86,7 @@ int checkcfg(int val) {
85 else 86 else
86 goto errout; 87 goto errout;
87 } 88 }
89#endif
88 // dbus 90 // dbus
89 else if (strncmp(ptr, "dbus ", 5) == 0) { 91 else if (strncmp(ptr, "dbus ", 5) == 0) {
90 if (strcmp(ptr + 5, "yes") == 0) 92 if (strcmp(ptr + 5, "yes") == 0)
@@ -103,6 +105,7 @@ int checkcfg(int val) {
103 else 105 else
104 goto errout; 106 goto errout;
105 } 107 }
108#ifndef LTS
106 // x11 109 // x11
107 else if (strncmp(ptr, "x11 ", 4) == 0) { 110 else if (strncmp(ptr, "x11 ", 4) == 0) {
108 if (strcmp(ptr + 4, "yes") == 0) 111 if (strcmp(ptr + 4, "yes") == 0)
@@ -112,6 +115,7 @@ int checkcfg(int val) {
112 else 115 else
113 goto errout; 116 goto errout;
114 } 117 }
118#endif
115 // apparmor 119 // apparmor
116 else if (strncmp(ptr, "apparmor ", 9) == 0) { 120 else if (strncmp(ptr, "apparmor ", 9) == 0) {
117 if (strcmp(ptr + 9, "yes") == 0) 121 if (strcmp(ptr + 9, "yes") == 0)
@@ -139,6 +143,7 @@ int checkcfg(int val) {
139 else 143 else
140 goto errout; 144 goto errout;
141 } 145 }
146#ifndef LTS
142 // chroot 147 // chroot
143 else if (strncmp(ptr, "chroot ", 7) == 0) { 148 else if (strncmp(ptr, "chroot ", 7) == 0) {
144 if (strcmp(ptr + 7, "yes") == 0) 149 if (strcmp(ptr + 7, "yes") == 0)
@@ -148,6 +153,7 @@ int checkcfg(int val) {
148 else 153 else
149 goto errout; 154 goto errout;
150 } 155 }
156#endif
151 // prompt 157 // prompt
152 else if (strncmp(ptr, "firejail-prompt ", 16) == 0) { 158 else if (strncmp(ptr, "firejail-prompt ", 16) == 0) {
153 if (strcmp(ptr + 16, "yes") == 0) 159 if (strcmp(ptr + 16, "yes") == 0)
@@ -236,6 +242,7 @@ int checkcfg(int val) {
236 printf("netfilter default file %s\n", fname); 242 printf("netfilter default file %s\n", fname);
237 } 243 }
238 244
245#ifndef LTS
239 // Xephyr screen size 246 // Xephyr screen size
240 else if (strncmp(ptr, "xephyr-screen ", 14) == 0) { 247 else if (strncmp(ptr, "xephyr-screen ", 14) == 0) {
241 // expecting two numbers and an x between them 248 // expecting two numbers and an x between them
@@ -297,7 +304,7 @@ int checkcfg(int val) {
297 if (!xvfb_extra_params) 304 if (!xvfb_extra_params)
298 errExit("strdup"); 305 errExit("strdup");
299 } 306 }
300 307#endif
301 // quiet by default 308 // quiet by default
302 else if (strncmp(ptr, "quiet-by-default ", 17) == 0) { 309 else if (strncmp(ptr, "quiet-by-default ", 17) == 0) {
303 if (strcmp(ptr + 17, "yes") == 0) 310 if (strcmp(ptr + 17, "yes") == 0)
@@ -307,6 +314,7 @@ int checkcfg(int val) {
307 else 314 else
308 goto errout; 315 goto errout;
309 } 316 }
317#ifndef LTS
310 else if (strncmp(ptr, "overlayfs ", 10) == 0) { 318 else if (strncmp(ptr, "overlayfs ", 10) == 0) {
311 if (strcmp(ptr + 10, "yes") == 0) 319 if (strcmp(ptr + 10, "yes") == 0)
312 cfg_val[CFG_OVERLAYFS] = 1; 320 cfg_val[CFG_OVERLAYFS] = 1;
@@ -339,6 +347,7 @@ int checkcfg(int val) {
339 else 347 else
340 goto errout; 348 goto errout;
341 } 349 }
350#endif
342 else if (strncmp(ptr, "disable-mnt ", 12) == 0) { 351 else if (strncmp(ptr, "disable-mnt ", 12) == 0) {
343 if (strcmp(ptr + 12, "yes") == 0) 352 if (strcmp(ptr + 12, "yes") == 0)
344 cfg_val[CFG_DISABLE_MNT] = 1; 353 cfg_val[CFG_DISABLE_MNT] = 1;
@@ -354,6 +363,7 @@ int checkcfg(int val) {
354 goto errout; 363 goto errout;
355 cfg_val[CFG_ARP_PROBES] = arp_probes; 364 cfg_val[CFG_ARP_PROBES] = arp_probes;
356 } 365 }
366#ifndef LTS
357 // xpra-attach 367 // xpra-attach
358 else if (strncmp(ptr, "xpra-attach ", 12) == 0) { 368 else if (strncmp(ptr, "xpra-attach ", 12) == 0) {
359 if (strcmp(ptr + 12, "yes") == 0) 369 if (strcmp(ptr + 12, "yes") == 0)
@@ -363,6 +373,7 @@ int checkcfg(int val) {
363 else 373 else
364 goto errout; 374 goto errout;
365 } 375 }
376#endif
366 else 377 else
367 goto errout; 378 goto errout;
368 379
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
deleted file mode 100644
index 601cab4f8..000000000
--- a/src/firejail/ls.c
+++ /dev/null
@@ -1,479 +0,0 @@
1/*
2 * Copyright (C) 2014-2018 Firejail Authors
3 *
4 * This file is part of firejail project
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License along
17 * with this program; if not, write to the Free Software Foundation, Inc.,
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19*/
20
21#include "firejail.h"
22#include <sys/types.h>
23#include <sys/stat.h>
24#include <sys/wait.h>
25#include <unistd.h>
26#include <dirent.h>
27#include <pwd.h>
28#include <grp.h>
29//#include <dirent.h>
30//#include <stdio.h>
31//#include <stdlib.h>
32
33// uid/gid cache
34static uid_t c_uid = 0;
35static char *c_uid_name = NULL;
36
37static void print_file_or_dir(const char *path, const char *fname, int separator) {
38 assert(fname);
39
40 char *name;
41 if (separator) {
42 if (asprintf(&name, "%s/%s", path, fname) == -1)
43 errExit("asprintf");
44 }
45 else {
46 if (asprintf(&name, "%s%s", path, fname) == -1)
47 errExit("asprintf");
48 }
49
50 struct stat s;
51 if (stat(name, &s) == -1) {
52 if (lstat(name, &s) == -1) {
53 printf("Error: cannot access %s\n", name);
54 return;
55 }
56 }
57
58 // permissions
59 if (S_ISLNK(s.st_mode))
60 printf("l");
61 else if (S_ISDIR(s.st_mode))
62 printf("d");
63 else if (S_ISCHR(s.st_mode))
64 printf("c");
65 else if (S_ISBLK(s.st_mode))
66 printf("b");
67 else if (S_ISSOCK(s.st_mode))
68 printf("s");
69 else
70 printf("-");
71 printf( (s.st_mode & S_IRUSR) ? "r" : "-");
72 printf( (s.st_mode & S_IWUSR) ? "w" : "-");
73 printf( (s.st_mode & S_IXUSR) ? "x" : "-");
74 printf( (s.st_mode & S_IRGRP) ? "r" : "-");
75 printf( (s.st_mode & S_IWGRP) ? "w" : "-");
76 printf( (s.st_mode & S_IXGRP) ? "x" : "-");
77 printf( (s.st_mode & S_IROTH) ? "r" : "-");
78 printf( (s.st_mode & S_IWOTH) ? "w" : "-");
79 printf( (s.st_mode & S_IXOTH) ? "x" : "-");
80 printf(" ");
81
82 // user name
83 char *username;
84 int allocated = 0;
85 if (s.st_uid == 0)
86 username = "root";
87 else if (s.st_uid == c_uid) {
88 assert(c_uid_name);
89 username = c_uid_name;
90 }
91 else {
92 struct passwd *pw = getpwuid(s.st_uid);
93 allocated = 1;
94 if (!pw) {
95 if (asprintf(&username, "%d", s.st_uid) == -1)
96 errExit("asprintf");
97 }
98 else {
99 username = strdup(pw->pw_name);
100 if (!username)
101 errExit("asprintf");
102 }
103
104 if (c_uid == 0) {
105 c_uid = s.st_uid;
106 c_uid_name = strdup(username);
107 if (!c_uid_name)
108 errExit("asprintf");
109 }
110 }
111
112 // print user name, 8 chars maximum
113 int len = strlen(username);
114 if (len > 8) {
115 username[8] = '\0';
116 len = 8;
117 }
118 printf("%s ", username);
119 int i;
120 for (i = len; i < 8; i++)
121 printf(" ");
122 if (allocated)
123 free(username);
124
125
126 // group name
127 char *groupname;
128 allocated = 0;
129 if (s.st_uid == 0)
130 groupname = "root";
131 else {
132 struct group *g = getgrgid(s.st_gid);
133 allocated = 1;
134 if (!g) {
135 if (asprintf(&groupname, "%d", s.st_gid) == -1)
136 errExit("asprintf");
137 }
138 else {
139 groupname = strdup(g->gr_name);
140 if (!groupname)
141 errExit("asprintf");
142 }
143 }
144
145 // print grup name, 8 chars maximum
146 len = strlen(groupname);
147 if (len > 8) {
148 groupname[8] = '\0';
149 len = 8;
150 }
151 printf("%s ", groupname);
152 for (i = len; i < 8; i++)
153 printf(" ");
154 if (allocated)
155 free(groupname);
156
157 char *sz;
158 if (asprintf(&sz, "%d", (int) s.st_size) == -1)
159 errExit("asprintf");
160 printf("%11.10s %s\n", sz, fname);
161 free(sz);
162
163}
164
165static void print_directory(const char *path) {
166 assert(path);
167 struct stat s;
168 if (stat(path, &s) == -1)
169 return;
170 assert(S_ISDIR(s.st_mode));
171
172 struct dirent **namelist;
173 int i;
174 int n;
175
176 n = scandir(path, &namelist, 0, alphasort);
177 if (n < 0)
178 errExit("scandir");
179 else {
180 for (i = 0; i < n; i++) {
181 print_file_or_dir(path, namelist[i]->d_name, 0);
182 free(namelist[i]);
183 }
184 }
185 free(namelist);
186}
187
188char *expand_path(const char *path) {
189 char *fname = NULL;
190 if (*path == '/') {
191 fname = strdup(path);
192 if (!fname)
193 errExit("strdup");
194 }
195 else if (*path == '~') {
196 if (asprintf(&fname, "%s%s", cfg.homedir, path + 1) == -1)
197 errExit("asprintf");
198 }
199 else {
200 // assume the file is in current working directory
201 if (!cfg.cwd) {
202 fprintf(stderr, "Error: current working directory has been deleted\n");
203 exit(1);
204 }
205 if (asprintf(&fname, "%s/%s", cfg.cwd, path) == -1)
206 errExit("asprintf");
207 }
208 return fname;
209}
210
211void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
212 EUID_ASSERT();
213 assert(path1);
214
215 // if the pid is that of a firejail process, use the pid of the first child process
216 EUID_ROOT();
217 char *comm = pid_proc_comm(pid);
218 EUID_USER();
219 if (comm) {
220 if (strcmp(comm, "firejail") == 0) {
221 pid_t child;
222 if (find_child(pid, &child) == 0) {
223 pid = child;
224 }
225 }
226 free(comm);
227 }
228
229 // check privileges for non-root users
230 uid_t uid = getuid();
231 if (uid != 0) {
232 uid_t sandbox_uid = pid_get_uid(pid);
233 if (uid != sandbox_uid) {
234 fprintf(stderr, "Error: permission denied.\n");
235 exit(1);
236 }
237 }
238
239 // expand paths
240 char *fname1 = expand_path(path1);;
241 char *fname2 = NULL;
242 if (path2 != NULL) {
243 fname2 = expand_path(path2);
244 }
245 if (arg_debug) {
246 printf("file1 %s\n", fname1);
247 printf("file2 %s\n", fname2);
248 }
249
250 // sandbox root directory
251 char *rootdir;
252 if (asprintf(&rootdir, "/proc/%d/root", pid) == -1)
253 errExit("asprintf");
254
255 if (op == SANDBOX_FS_LS) {
256 EUID_ROOT();
257 // chroot
258 if (chroot(rootdir) < 0)
259 errExit("chroot");
260 if (chdir("/") < 0)
261 errExit("chdir");
262
263 // drop privileges
264 drop_privs(0);
265
266 // check access
267 if (access(fname1, R_OK) == -1) {
268 fprintf(stderr, "Error: Cannot access %s\n", fname1);
269 exit(1);
270 }
271 /* coverity[toctou] */
272 char *rp = realpath(fname1, NULL);
273 if (!rp) {
274 fprintf(stderr, "Error: Cannot access %s\n", fname1);
275 exit(1);
276 }
277 if (arg_debug)
278 printf("realpath %s\n", rp);
279
280
281 // list directory contents
282 struct stat s;
283 if (stat(rp, &s) == -1) {
284 fprintf(stderr, "Error: Cannot access %s\n", rp);
285 exit(1);
286 }
287 if (S_ISDIR(s.st_mode)) {
288 char *dir;
289 if (asprintf(&dir, "%s/", rp) == -1)
290 errExit("asprintf");
291
292 print_directory(dir);
293 free(dir);
294 }
295 else {
296 char *split = strrchr(rp, '/');
297 if (split) {
298 *split = '\0';
299 char *rp2 = split + 1;
300 if (arg_debug)
301 printf("path %s, file %s\n", rp, rp2);
302 print_file_or_dir(rp, rp2, 1);
303 }
304 }
305 free(rp);
306 }
307
308 // get file from sandbox and store it in the current directory
309 else if (op == SANDBOX_FS_GET) {
310 char *src_fname =fname1;
311 char *dest_fname = strrchr(fname1, '/');
312 if (!dest_fname || *(++dest_fname) == '\0') {
313 fprintf(stderr, "Error: invalid file name %s\n", fname1);
314 exit(1);
315 }
316
317 EUID_ROOT();
318 if (arg_debug)
319 printf("copy %s to %s\n", src_fname, dest_fname);
320
321 // create a user-owned temporary file in /run/firejail directory
322 char tmp_fname[] = "/run/firejail/tmpget-XXXXXX";
323 int fd = mkstemp(tmp_fname);
324 if (fd != -1) {
325 SET_PERMS_FD(fd, getuid(), getgid(), 0600);
326 close(fd);
327 }
328
329 // copy the source file into the temporary file - we need to chroot
330 pid_t child = fork();
331 if (child < 0)
332 errExit("fork");
333 if (child == 0) {
334 // chroot
335 if (chroot(rootdir) < 0)
336 errExit("chroot");
337 if (chdir("/") < 0)
338 errExit("chdir");
339
340 // drop privileges
341 drop_privs(0);
342
343 // copy the file
344 if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user
345 _exit(1);
346#ifdef HAVE_GCOV
347 __gcov_flush();
348#endif
349 _exit(0);
350 }
351
352 // wait for the child to finish
353 int status = 0;
354 waitpid(child, &status, 0);
355 if (WIFEXITED(status) && WEXITSTATUS(status) == 0);
356 else {
357 unlink(tmp_fname);
358 exit(1);
359 }
360
361 // copy the temporary file into the destionation file
362 child = fork();
363 if (child < 0)
364 errExit("fork");
365 if (child == 0) {
366 // drop privileges
367 drop_privs(0);
368
369 // copy the file
370 if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user
371 _exit(1);
372#ifdef HAVE_GCOV
373 __gcov_flush();
374#endif
375 _exit(0);
376 }
377
378 // wait for the child to finish
379 status = 0;
380 waitpid(child, &status, 0);
381 if (WIFEXITED(status) && WEXITSTATUS(status) == 0);
382 else {
383 unlink(tmp_fname);
384 exit(1);
385 }
386
387 // remove the temporary file
388 unlink(tmp_fname);
389 EUID_USER();
390 }
391 // get file from host and store it in the sandbox
392 else if (op == SANDBOX_FS_PUT && path2) {
393 char *src_fname =fname1;
394 char *dest_fname = fname2;
395
396 EUID_ROOT();
397 if (arg_debug)
398 printf("copy %s to %s\n", src_fname, dest_fname);
399
400 // create a user-owned temporary file in /run/firejail directory
401 char tmp_fname[] = "/run/firejail/tmpget-XXXXXX";
402 int fd = mkstemp(tmp_fname);
403 if (fd == -1) {
404 fprintf(stderr, "Error: cannot create temporary file %s\n", tmp_fname);
405 exit(1);
406 }
407 SET_PERMS_FD(fd, getuid(), getgid(), 0600);
408 close(fd);
409
410 // copy the source file into the temporary file - we need to chroot
411 pid_t child = fork();
412 if (child < 0)
413 errExit("fork");
414 if (child == 0) {
415 // drop privileges
416 drop_privs(0);
417
418 // copy the file
419 if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user
420 _exit(1);
421#ifdef HAVE_GCOV
422 __gcov_flush();
423#endif
424 _exit(0);
425 }
426
427 // wait for the child to finish
428 int status = 0;
429 waitpid(child, &status, 0);
430 if (WIFEXITED(status) && WEXITSTATUS(status) == 0);
431 else {
432 unlink(tmp_fname);
433 exit(1);
434 }
435
436 // copy the temporary file into the destionation file
437 child = fork();
438 if (child < 0)
439 errExit("fork");
440 if (child == 0) {
441 // chroot
442 if (chroot(rootdir) < 0)
443 errExit("chroot");
444 if (chdir("/") < 0)
445 errExit("chdir");
446
447 // drop privileges
448 drop_privs(0);
449
450 // copy the file
451 if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user
452 _exit(1);
453#ifdef HAVE_GCOV
454 __gcov_flush();
455#endif
456 _exit(0);
457 }
458
459 // wait for the child to finish
460 status = 0;
461 waitpid(child, &status, 0);
462 if (WIFEXITED(status) && WEXITSTATUS(status) == 0);
463 else {
464 unlink(tmp_fname);
465 exit(1);
466 }
467
468 // remove the temporary file
469 unlink(tmp_fname);
470 EUID_USER();
471 }
472
473 if (fname2)
474 free(fname2);
475 free(fname1);
476 free(rootdir);
477
478 exit(0);
479}
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 9b406b4b9..4212edd9b 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -598,6 +598,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
598 exit_err_feature("networking"); 598 exit_err_feature("networking");
599 } 599 }
600#endif 600#endif
601#ifndef LTS
601#ifdef HAVE_FILE_TRANSFER 602#ifdef HAVE_FILE_TRANSFER
602 else if (strncmp(argv[i], "--get=", 6) == 0) { 603 else if (strncmp(argv[i], "--get=", 6) == 0) {
603 if (checkcfg(CFG_FILE_TRANSFER)) { 604 if (checkcfg(CFG_FILE_TRANSFER)) {
@@ -678,6 +679,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
678 exit_err_feature("file transfer"); 679 exit_err_feature("file transfer");
679 } 680 }
680#endif 681#endif
682#endif
681 else if (strncmp(argv[i], "--join=", 7) == 0) { 683 else if (strncmp(argv[i], "--join=", 7) == 0) {
682 if (checkcfg(CFG_JOIN) || getuid() == 0) { 684 if (checkcfg(CFG_JOIN) || getuid() == 0) {
683 logargs(argc, argv); 685 logargs(argc, argv);
diff --git a/status b/status
index d423a9326..44f9318f8 100644
--- a/status
+++ b/status
@@ -1,7 +1,7 @@
1Phase 2 1Phase 2
2- Aug 21 2- Aug 21
3- remove --output --libtrace --libtracelog 3- remove --output --libtrace --libtracelog
4 4- remove --ls, --get, --put
5 5
6Phase 1 6Phase 1
7- starting from main as of Jul 27 7- starting from main as of Jul 27
diff --git a/test/utils/ls.exp b/test/utils/ls.exp
deleted file mode 100755
index ff6867c51..000000000
--- a/test/utils/ls.exp
+++ /dev/null
@@ -1,69 +0,0 @@
1#!/usr/bin/expect -f
2
3set timeout 10
4spawn $env(SHELL)
5match_max 100000
6set firstspawn $spawn_id
7
8
9send -- "rm -f lstesting\r"
10sleep 1
11send -- "firejail --private --name=test\r"
12expect {
13 timeout {puts "TESTING ERROR 0\n";exit}
14 "Child process initialized"
15}
16sleep 1
17send -- "echo my_testing > ~/lstesting\r"
18after 100
19
20# ls
21spawn $env(SHELL)
22send -- "firejail --ls=test ~/.\r"
23expect {
24 timeout {puts "TESTING ERROR 1\n";exit}
25 "lstesting"
26}
27sleep 1
28
29# get
30send -- "firejail --get=test ~/lstesting\r"
31sleep 1
32send -- "cat lstesting\r"
33expect {
34 timeout {puts "TESTING ERROR 2n";exit}
35 "my_testing"
36}
37after 100
38
39# put
40send -- "echo put_test > ~/lstesting\r"
41after 100
42send -- "firejail --put=test ~/lstesting ~/lstesting_2\r"
43sleep 1
44
45set spawn_id $firstspawn
46send -- "ls -al ~\r"
47expect {
48 timeout {puts "TESTING ERROR 3\n";exit}
49 "lstesting_2"
50}
51
52after 100
53send -- "cat ~/lstesting_2\r"
54expect {
55 timeout {puts "TESTING ERROR 4\n";exit}
56 "put_test"
57}
58after 100
59send -- "exit\r"
60sleep 1
61
62
63
64
65
66send -- "rm -f lstesting\r"
67
68after 100
69puts "\nall done\n"
diff --git a/test/utils/utils.sh b/test/utils/utils.sh
index f12698f0a..c4958094e 100755
--- a/test/utils/utils.sh
+++ b/test/utils/utils.sh
@@ -95,9 +95,6 @@ echo "TESTING: join profile (test/utils/join-profile.exp)"
95echo "TESTING: top (test/utils/top.exp)" 95echo "TESTING: top (test/utils/top.exp)"
96./top.exp 96./top.exp
97 97
98echo "TESTING: file transfer (test/utils/ls.exp)"
99./ls.exp
100
101echo "TESTING: firemon seccomp (test/utils/firemon-seccomp.exp)" 98echo "TESTING: firemon seccomp (test/utils/firemon-seccomp.exp)"
102./firemon-seccomp.exp 99./firemon-seccomp.exp
103 100
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-06-30 19:57:59 +0000