diff options
author | 2018-08-21 09:12:44 -0400 | |
---|---|---|
committer | 2018-08-21 09:12:44 -0400 | |
commit | 7b9792c40fae4d4fc2f896bb4c7264fd59d5aa4e (patch) | |
tree | 1066b61be3fd46a574a063eaabc7ef388891e033 | |
parent | autoconf (diff) | |
download | firejail-7b9792c40fae4d4fc2f896bb4c7264fd59d5aa4e.tar.gz firejail-7b9792c40fae4d4fc2f896bb4c7264fd59d5aa4e.tar.zst firejail-7b9792c40fae4d4fc2f896bb4c7264fd59d5aa4e.zip |
removed --ls, --get, --put
-rwxr-xr-x | configure | 17 | ||||
-rw-r--r-- | configure.ac | 9 | ||||
-rw-r--r-- | src/common.mk.in | 3 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 13 | ||||
-rw-r--r-- | src/firejail/ls.c | 479 | ||||
-rw-r--r-- | src/firejail/main.c | 2 | ||||
-rw-r--r-- | status | 2 | ||||
-rwxr-xr-x | test/utils/ls.exp | 69 | ||||
-rwxr-xr-x | test/utils/utils.sh | 3 |
9 files changed, 16 insertions, 581 deletions
@@ -630,7 +630,6 @@ BUSYBOX_WORKAROUND | |||
630 | HAVE_FATAL_WARNINGS | 630 | HAVE_FATAL_WARNINGS |
631 | HAVE_SUID | 631 | HAVE_SUID |
632 | HAVE_WHITELIST | 632 | HAVE_WHITELIST |
633 | HAVE_FILE_TRANSFER | ||
634 | HAVE_USERNS | 633 | HAVE_USERNS |
635 | HAVE_NETWORK | 634 | HAVE_NETWORK |
636 | HAVE_GLOBALCFG | 635 | HAVE_GLOBALCFG |
@@ -701,7 +700,6 @@ enable_bind | |||
701 | enable_globalcfg | 700 | enable_globalcfg |
702 | enable_network | 701 | enable_network |
703 | enable_userns | 702 | enable_userns |
704 | enable_file_transfer | ||
705 | enable_whitelist | 703 | enable_whitelist |
706 | enable_suid | 704 | enable_suid |
707 | enable_fatal_warnings | 705 | enable_fatal_warnings |
@@ -1344,7 +1342,6 @@ Optional Features: | |||
1344 | present, continue the program using defaults | 1342 | present, continue the program using defaults |
1345 | --disable-network disable network | 1343 | --disable-network disable network |
1346 | --disable-userns disable user namespace | 1344 | --disable-userns disable user namespace |
1347 | --disable-file-transfer disable file transfer | ||
1348 | --disable-whitelist disable whitelist | 1345 | --disable-whitelist disable whitelist |
1349 | --disable-suid install as a non-SUID executable | 1346 | --disable-suid install as a non-SUID executable |
1350 | --enable-fatal-warnings -W -Wall -Werror | 1347 | --enable-fatal-warnings -W -Wall -Werror |
@@ -3627,19 +3624,6 @@ if test "x$enable_userns" != "xno"; then : | |||
3627 | 3624 | ||
3628 | fi | 3625 | fi |
3629 | 3626 | ||
3630 | HAVE_FILE_TRANSFER="" | ||
3631 | # Check whether --enable-file-transfer was given. | ||
3632 | if test "${enable_file_transfer+set}" = set; then : | ||
3633 | enableval=$enable_file_transfer; | ||
3634 | fi | ||
3635 | |||
3636 | if test "x$enable_file_transfer" != "xno"; then : | ||
3637 | |||
3638 | HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER" | ||
3639 | |||
3640 | |||
3641 | fi | ||
3642 | |||
3643 | HAVE_WHITELIST="" | 3627 | HAVE_WHITELIST="" |
3644 | # Check whether --enable-whitelist was given. | 3628 | # Check whether --enable-whitelist was given. |
3645 | if test "${enable_whitelist+set}" = set; then : | 3629 | if test "${enable_whitelist+set}" = set; then : |
@@ -4961,7 +4945,6 @@ echo " bind: $HAVE_BIND" | |||
4961 | echo " network: $HAVE_NETWORK" | 4945 | echo " network: $HAVE_NETWORK" |
4962 | echo " user namespace: $HAVE_USERNS" | 4946 | echo " user namespace: $HAVE_USERNS" |
4963 | echo " whitelisting: $HAVE_WHITELIST" | 4947 | echo " whitelisting: $HAVE_WHITELIST" |
4964 | echo " file transfer support: $HAVE_FILE_TRANSFER" | ||
4965 | echo " busybox workaround: $BUSYBOX_WORKAROUND" | 4948 | echo " busybox workaround: $BUSYBOX_WORKAROUND" |
4966 | echo " Spectre compiler patch: $HAVE_SPECTRE" | 4949 | echo " Spectre compiler patch: $HAVE_SPECTRE" |
4967 | echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" | 4950 | echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" |
diff --git a/configure.ac b/configure.ac index 0cd5c7dd0..a6bc44318 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -95,14 +95,6 @@ AS_IF([test "x$enable_userns" != "xno"], [ | |||
95 | AC_SUBST(HAVE_USERNS) | 95 | AC_SUBST(HAVE_USERNS) |
96 | ]) | 96 | ]) |
97 | 97 | ||
98 | HAVE_FILE_TRANSFER="" | ||
99 | AC_ARG_ENABLE([file-transfer], | ||
100 | AS_HELP_STRING([--disable-file-transfer], [disable file transfer])) | ||
101 | AS_IF([test "x$enable_file_transfer" != "xno"], [ | ||
102 | HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER" | ||
103 | AC_SUBST(HAVE_FILE_TRANSFER) | ||
104 | ]) | ||
105 | |||
106 | HAVE_WHITELIST="" | 98 | HAVE_WHITELIST="" |
107 | AC_ARG_ENABLE([whitelist], | 99 | AC_ARG_ENABLE([whitelist], |
108 | AS_HELP_STRING([--disable-whitelist], [disable whitelist])) | 100 | AS_HELP_STRING([--disable-whitelist], [disable whitelist])) |
@@ -173,7 +165,6 @@ echo " bind: $HAVE_BIND" | |||
173 | echo " network: $HAVE_NETWORK" | 165 | echo " network: $HAVE_NETWORK" |
174 | echo " user namespace: $HAVE_USERNS" | 166 | echo " user namespace: $HAVE_USERNS" |
175 | echo " whitelisting: $HAVE_WHITELIST" | 167 | echo " whitelisting: $HAVE_WHITELIST" |
176 | echo " file transfer support: $HAVE_FILE_TRANSFER" | ||
177 | echo " busybox workaround: $BUSYBOX_WORKAROUND" | 168 | echo " busybox workaround: $BUSYBOX_WORKAROUND" |
178 | echo " Spectre compiler patch: $HAVE_SPECTRE" | 169 | echo " Spectre compiler patch: $HAVE_SPECTRE" |
179 | echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" | 170 | echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" |
diff --git a/src/common.mk.in b/src/common.mk.in index 7440b7b45..64fe2b85a 100644 --- a/src/common.mk.in +++ b/src/common.mk.in | |||
@@ -14,7 +14,6 @@ HAVE_BIND=@HAVE_BIND@ | |||
14 | HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ | 14 | HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ |
15 | HAVE_NETWORK=@HAVE_NETWORK@ | 15 | HAVE_NETWORK=@HAVE_NETWORK@ |
16 | HAVE_USERNS=@HAVE_USERNS@ | 16 | HAVE_USERNS=@HAVE_USERNS@ |
17 | HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ | ||
18 | HAVE_WHITELIST=@HAVE_WHITELIST@ | 17 | HAVE_WHITELIST=@HAVE_WHITELIST@ |
19 | HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ | 18 | HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ |
20 | HAVE_APPARMOR=@HAVE_APPARMOR@ | 19 | HAVE_APPARMOR=@HAVE_APPARMOR@ |
@@ -25,7 +24,7 @@ C_FILE_LIST = $(sort $(wildcard *.c)) | |||
25 | OBJS = $(C_FILE_LIST:.c=.o) | 24 | OBJS = $(C_FILE_LIST:.c=.o) |
26 | BINOBJS = $(foreach file, $(OBJS), $file) | 25 | BINOBJS = $(foreach file, $(OBJS), $file) |
27 | 26 | ||
28 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_APPARMOR) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security | 27 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_APPARMOR) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security |
29 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread | 28 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread |
30 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | 29 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ |
31 | EXTRA_CFLAGS +=@EXTRA_CFLAGS@ | 30 | EXTRA_CFLAGS +=@EXTRA_CFLAGS@ |
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 7483136f4..0cceea17b 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -76,6 +76,7 @@ int checkcfg(int val) { | |||
76 | if (!ptr) | 76 | if (!ptr) |
77 | continue; | 77 | continue; |
78 | 78 | ||
79 | #ifndef LTS | ||
79 | // file transfer | 80 | // file transfer |
80 | else if (strncmp(ptr, "file-transfer ", 14) == 0) { | 81 | else if (strncmp(ptr, "file-transfer ", 14) == 0) { |
81 | if (strcmp(ptr + 14, "yes") == 0) | 82 | if (strcmp(ptr + 14, "yes") == 0) |
@@ -85,6 +86,7 @@ int checkcfg(int val) { | |||
85 | else | 86 | else |
86 | goto errout; | 87 | goto errout; |
87 | } | 88 | } |
89 | #endif | ||
88 | // dbus | 90 | // dbus |
89 | else if (strncmp(ptr, "dbus ", 5) == 0) { | 91 | else if (strncmp(ptr, "dbus ", 5) == 0) { |
90 | if (strcmp(ptr + 5, "yes") == 0) | 92 | if (strcmp(ptr + 5, "yes") == 0) |
@@ -103,6 +105,7 @@ int checkcfg(int val) { | |||
103 | else | 105 | else |
104 | goto errout; | 106 | goto errout; |
105 | } | 107 | } |
108 | #ifndef LTS | ||
106 | // x11 | 109 | // x11 |
107 | else if (strncmp(ptr, "x11 ", 4) == 0) { | 110 | else if (strncmp(ptr, "x11 ", 4) == 0) { |
108 | if (strcmp(ptr + 4, "yes") == 0) | 111 | if (strcmp(ptr + 4, "yes") == 0) |
@@ -112,6 +115,7 @@ int checkcfg(int val) { | |||
112 | else | 115 | else |
113 | goto errout; | 116 | goto errout; |
114 | } | 117 | } |
118 | #endif | ||
115 | // apparmor | 119 | // apparmor |
116 | else if (strncmp(ptr, "apparmor ", 9) == 0) { | 120 | else if (strncmp(ptr, "apparmor ", 9) == 0) { |
117 | if (strcmp(ptr + 9, "yes") == 0) | 121 | if (strcmp(ptr + 9, "yes") == 0) |
@@ -139,6 +143,7 @@ int checkcfg(int val) { | |||
139 | else | 143 | else |
140 | goto errout; | 144 | goto errout; |
141 | } | 145 | } |
146 | #ifndef LTS | ||
142 | // chroot | 147 | // chroot |
143 | else if (strncmp(ptr, "chroot ", 7) == 0) { | 148 | else if (strncmp(ptr, "chroot ", 7) == 0) { |
144 | if (strcmp(ptr + 7, "yes") == 0) | 149 | if (strcmp(ptr + 7, "yes") == 0) |
@@ -148,6 +153,7 @@ int checkcfg(int val) { | |||
148 | else | 153 | else |
149 | goto errout; | 154 | goto errout; |
150 | } | 155 | } |
156 | #endif | ||
151 | // prompt | 157 | // prompt |
152 | else if (strncmp(ptr, "firejail-prompt ", 16) == 0) { | 158 | else if (strncmp(ptr, "firejail-prompt ", 16) == 0) { |
153 | if (strcmp(ptr + 16, "yes") == 0) | 159 | if (strcmp(ptr + 16, "yes") == 0) |
@@ -236,6 +242,7 @@ int checkcfg(int val) { | |||
236 | printf("netfilter default file %s\n", fname); | 242 | printf("netfilter default file %s\n", fname); |
237 | } | 243 | } |
238 | 244 | ||
245 | #ifndef LTS | ||
239 | // Xephyr screen size | 246 | // Xephyr screen size |
240 | else if (strncmp(ptr, "xephyr-screen ", 14) == 0) { | 247 | else if (strncmp(ptr, "xephyr-screen ", 14) == 0) { |
241 | // expecting two numbers and an x between them | 248 | // expecting two numbers and an x between them |
@@ -297,7 +304,7 @@ int checkcfg(int val) { | |||
297 | if (!xvfb_extra_params) | 304 | if (!xvfb_extra_params) |
298 | errExit("strdup"); | 305 | errExit("strdup"); |
299 | } | 306 | } |
300 | 307 | #endif | |
301 | // quiet by default | 308 | // quiet by default |
302 | else if (strncmp(ptr, "quiet-by-default ", 17) == 0) { | 309 | else if (strncmp(ptr, "quiet-by-default ", 17) == 0) { |
303 | if (strcmp(ptr + 17, "yes") == 0) | 310 | if (strcmp(ptr + 17, "yes") == 0) |
@@ -307,6 +314,7 @@ int checkcfg(int val) { | |||
307 | else | 314 | else |
308 | goto errout; | 315 | goto errout; |
309 | } | 316 | } |
317 | #ifndef LTS | ||
310 | else if (strncmp(ptr, "overlayfs ", 10) == 0) { | 318 | else if (strncmp(ptr, "overlayfs ", 10) == 0) { |
311 | if (strcmp(ptr + 10, "yes") == 0) | 319 | if (strcmp(ptr + 10, "yes") == 0) |
312 | cfg_val[CFG_OVERLAYFS] = 1; | 320 | cfg_val[CFG_OVERLAYFS] = 1; |
@@ -339,6 +347,7 @@ int checkcfg(int val) { | |||
339 | else | 347 | else |
340 | goto errout; | 348 | goto errout; |
341 | } | 349 | } |
350 | #endif | ||
342 | else if (strncmp(ptr, "disable-mnt ", 12) == 0) { | 351 | else if (strncmp(ptr, "disable-mnt ", 12) == 0) { |
343 | if (strcmp(ptr + 12, "yes") == 0) | 352 | if (strcmp(ptr + 12, "yes") == 0) |
344 | cfg_val[CFG_DISABLE_MNT] = 1; | 353 | cfg_val[CFG_DISABLE_MNT] = 1; |
@@ -354,6 +363,7 @@ int checkcfg(int val) { | |||
354 | goto errout; | 363 | goto errout; |
355 | cfg_val[CFG_ARP_PROBES] = arp_probes; | 364 | cfg_val[CFG_ARP_PROBES] = arp_probes; |
356 | } | 365 | } |
366 | #ifndef LTS | ||
357 | // xpra-attach | 367 | // xpra-attach |
358 | else if (strncmp(ptr, "xpra-attach ", 12) == 0) { | 368 | else if (strncmp(ptr, "xpra-attach ", 12) == 0) { |
359 | if (strcmp(ptr + 12, "yes") == 0) | 369 | if (strcmp(ptr + 12, "yes") == 0) |
@@ -363,6 +373,7 @@ int checkcfg(int val) { | |||
363 | else | 373 | else |
364 | goto errout; | 374 | goto errout; |
365 | } | 375 | } |
376 | #endif | ||
366 | else | 377 | else |
367 | goto errout; | 378 | goto errout; |
368 | 379 | ||
diff --git a/src/firejail/ls.c b/src/firejail/ls.c deleted file mode 100644 index 601cab4f8..000000000 --- a/src/firejail/ls.c +++ /dev/null | |||
@@ -1,479 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2018 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | |||
21 | #include "firejail.h" | ||
22 | #include <sys/types.h> | ||
23 | #include <sys/stat.h> | ||
24 | #include <sys/wait.h> | ||
25 | #include <unistd.h> | ||
26 | #include <dirent.h> | ||
27 | #include <pwd.h> | ||
28 | #include <grp.h> | ||
29 | //#include <dirent.h> | ||
30 | //#include <stdio.h> | ||
31 | //#include <stdlib.h> | ||
32 | |||
33 | // uid/gid cache | ||
34 | static uid_t c_uid = 0; | ||
35 | static char *c_uid_name = NULL; | ||
36 | |||
37 | static void print_file_or_dir(const char *path, const char *fname, int separator) { | ||
38 | assert(fname); | ||
39 | |||
40 | char *name; | ||
41 | if (separator) { | ||
42 | if (asprintf(&name, "%s/%s", path, fname) == -1) | ||
43 | errExit("asprintf"); | ||
44 | } | ||
45 | else { | ||
46 | if (asprintf(&name, "%s%s", path, fname) == -1) | ||
47 | errExit("asprintf"); | ||
48 | } | ||
49 | |||
50 | struct stat s; | ||
51 | if (stat(name, &s) == -1) { | ||
52 | if (lstat(name, &s) == -1) { | ||
53 | printf("Error: cannot access %s\n", name); | ||
54 | return; | ||
55 | } | ||
56 | } | ||
57 | |||
58 | // permissions | ||
59 | if (S_ISLNK(s.st_mode)) | ||
60 | printf("l"); | ||
61 | else if (S_ISDIR(s.st_mode)) | ||
62 | printf("d"); | ||
63 | else if (S_ISCHR(s.st_mode)) | ||
64 | printf("c"); | ||
65 | else if (S_ISBLK(s.st_mode)) | ||
66 | printf("b"); | ||
67 | else if (S_ISSOCK(s.st_mode)) | ||
68 | printf("s"); | ||
69 | else | ||
70 | printf("-"); | ||
71 | printf( (s.st_mode & S_IRUSR) ? "r" : "-"); | ||
72 | printf( (s.st_mode & S_IWUSR) ? "w" : "-"); | ||
73 | printf( (s.st_mode & S_IXUSR) ? "x" : "-"); | ||
74 | printf( (s.st_mode & S_IRGRP) ? "r" : "-"); | ||
75 | printf( (s.st_mode & S_IWGRP) ? "w" : "-"); | ||
76 | printf( (s.st_mode & S_IXGRP) ? "x" : "-"); | ||
77 | printf( (s.st_mode & S_IROTH) ? "r" : "-"); | ||
78 | printf( (s.st_mode & S_IWOTH) ? "w" : "-"); | ||
79 | printf( (s.st_mode & S_IXOTH) ? "x" : "-"); | ||
80 | printf(" "); | ||
81 | |||
82 | // user name | ||
83 | char *username; | ||
84 | int allocated = 0; | ||
85 | if (s.st_uid == 0) | ||
86 | username = "root"; | ||
87 | else if (s.st_uid == c_uid) { | ||
88 | assert(c_uid_name); | ||
89 | username = c_uid_name; | ||
90 | } | ||
91 | else { | ||
92 | struct passwd *pw = getpwuid(s.st_uid); | ||
93 | allocated = 1; | ||
94 | if (!pw) { | ||
95 | if (asprintf(&username, "%d", s.st_uid) == -1) | ||
96 | errExit("asprintf"); | ||
97 | } | ||
98 | else { | ||
99 | username = strdup(pw->pw_name); | ||
100 | if (!username) | ||
101 | errExit("asprintf"); | ||
102 | } | ||
103 | |||
104 | if (c_uid == 0) { | ||
105 | c_uid = s.st_uid; | ||
106 | c_uid_name = strdup(username); | ||
107 | if (!c_uid_name) | ||
108 | errExit("asprintf"); | ||
109 | } | ||
110 | } | ||
111 | |||
112 | // print user name, 8 chars maximum | ||
113 | int len = strlen(username); | ||
114 | if (len > 8) { | ||
115 | username[8] = '\0'; | ||
116 | len = 8; | ||
117 | } | ||
118 | printf("%s ", username); | ||
119 | int i; | ||
120 | for (i = len; i < 8; i++) | ||
121 | printf(" "); | ||
122 | if (allocated) | ||
123 | free(username); | ||
124 | |||
125 | |||
126 | // group name | ||
127 | char *groupname; | ||
128 | allocated = 0; | ||
129 | if (s.st_uid == 0) | ||
130 | groupname = "root"; | ||
131 | else { | ||
132 | struct group *g = getgrgid(s.st_gid); | ||
133 | allocated = 1; | ||
134 | if (!g) { | ||
135 | if (asprintf(&groupname, "%d", s.st_gid) == -1) | ||
136 | errExit("asprintf"); | ||
137 | } | ||
138 | else { | ||
139 | groupname = strdup(g->gr_name); | ||
140 | if (!groupname) | ||
141 | errExit("asprintf"); | ||
142 | } | ||
143 | } | ||
144 | |||
145 | // print grup name, 8 chars maximum | ||
146 | len = strlen(groupname); | ||
147 | if (len > 8) { | ||
148 | groupname[8] = '\0'; | ||
149 | len = 8; | ||
150 | } | ||
151 | printf("%s ", groupname); | ||
152 | for (i = len; i < 8; i++) | ||
153 | printf(" "); | ||
154 | if (allocated) | ||
155 | free(groupname); | ||
156 | |||
157 | char *sz; | ||
158 | if (asprintf(&sz, "%d", (int) s.st_size) == -1) | ||
159 | errExit("asprintf"); | ||
160 | printf("%11.10s %s\n", sz, fname); | ||
161 | free(sz); | ||
162 | |||
163 | } | ||
164 | |||
165 | static void print_directory(const char *path) { | ||
166 | assert(path); | ||
167 | struct stat s; | ||
168 | if (stat(path, &s) == -1) | ||
169 | return; | ||
170 | assert(S_ISDIR(s.st_mode)); | ||
171 | |||
172 | struct dirent **namelist; | ||
173 | int i; | ||
174 | int n; | ||
175 | |||
176 | n = scandir(path, &namelist, 0, alphasort); | ||
177 | if (n < 0) | ||
178 | errExit("scandir"); | ||
179 | else { | ||
180 | for (i = 0; i < n; i++) { | ||
181 | print_file_or_dir(path, namelist[i]->d_name, 0); | ||
182 | free(namelist[i]); | ||
183 | } | ||
184 | } | ||
185 | free(namelist); | ||
186 | } | ||
187 | |||
188 | char *expand_path(const char *path) { | ||
189 | char *fname = NULL; | ||
190 | if (*path == '/') { | ||
191 | fname = strdup(path); | ||
192 | if (!fname) | ||
193 | errExit("strdup"); | ||
194 | } | ||
195 | else if (*path == '~') { | ||
196 | if (asprintf(&fname, "%s%s", cfg.homedir, path + 1) == -1) | ||
197 | errExit("asprintf"); | ||
198 | } | ||
199 | else { | ||
200 | // assume the file is in current working directory | ||
201 | if (!cfg.cwd) { | ||
202 | fprintf(stderr, "Error: current working directory has been deleted\n"); | ||
203 | exit(1); | ||
204 | } | ||
205 | if (asprintf(&fname, "%s/%s", cfg.cwd, path) == -1) | ||
206 | errExit("asprintf"); | ||
207 | } | ||
208 | return fname; | ||
209 | } | ||
210 | |||
211 | void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | ||
212 | EUID_ASSERT(); | ||
213 | assert(path1); | ||
214 | |||
215 | // if the pid is that of a firejail process, use the pid of the first child process | ||
216 | EUID_ROOT(); | ||
217 | char *comm = pid_proc_comm(pid); | ||
218 | EUID_USER(); | ||
219 | if (comm) { | ||
220 | if (strcmp(comm, "firejail") == 0) { | ||
221 | pid_t child; | ||
222 | if (find_child(pid, &child) == 0) { | ||
223 | pid = child; | ||
224 | } | ||
225 | } | ||
226 | free(comm); | ||
227 | } | ||
228 | |||
229 | // check privileges for non-root users | ||
230 | uid_t uid = getuid(); | ||
231 | if (uid != 0) { | ||
232 | uid_t sandbox_uid = pid_get_uid(pid); | ||
233 | if (uid != sandbox_uid) { | ||
234 | fprintf(stderr, "Error: permission denied.\n"); | ||
235 | exit(1); | ||
236 | } | ||
237 | } | ||
238 | |||
239 | // expand paths | ||
240 | char *fname1 = expand_path(path1);; | ||
241 | char *fname2 = NULL; | ||
242 | if (path2 != NULL) { | ||
243 | fname2 = expand_path(path2); | ||
244 | } | ||
245 | if (arg_debug) { | ||
246 | printf("file1 %s\n", fname1); | ||
247 | printf("file2 %s\n", fname2); | ||
248 | } | ||
249 | |||
250 | // sandbox root directory | ||
251 | char *rootdir; | ||
252 | if (asprintf(&rootdir, "/proc/%d/root", pid) == -1) | ||
253 | errExit("asprintf"); | ||
254 | |||
255 | if (op == SANDBOX_FS_LS) { | ||
256 | EUID_ROOT(); | ||
257 | // chroot | ||
258 | if (chroot(rootdir) < 0) | ||
259 | errExit("chroot"); | ||
260 | if (chdir("/") < 0) | ||
261 | errExit("chdir"); | ||
262 | |||
263 | // drop privileges | ||
264 | drop_privs(0); | ||
265 | |||
266 | // check access | ||
267 | if (access(fname1, R_OK) == -1) { | ||
268 | fprintf(stderr, "Error: Cannot access %s\n", fname1); | ||
269 | exit(1); | ||
270 | } | ||
271 | /* coverity[toctou] */ | ||
272 | char *rp = realpath(fname1, NULL); | ||
273 | if (!rp) { | ||
274 | fprintf(stderr, "Error: Cannot access %s\n", fname1); | ||
275 | exit(1); | ||
276 | } | ||
277 | if (arg_debug) | ||
278 | printf("realpath %s\n", rp); | ||
279 | |||
280 | |||
281 | // list directory contents | ||
282 | struct stat s; | ||
283 | if (stat(rp, &s) == -1) { | ||
284 | fprintf(stderr, "Error: Cannot access %s\n", rp); | ||
285 | exit(1); | ||
286 | } | ||
287 | if (S_ISDIR(s.st_mode)) { | ||
288 | char *dir; | ||
289 | if (asprintf(&dir, "%s/", rp) == -1) | ||
290 | errExit("asprintf"); | ||
291 | |||
292 | print_directory(dir); | ||
293 | free(dir); | ||
294 | } | ||
295 | else { | ||
296 | char *split = strrchr(rp, '/'); | ||
297 | if (split) { | ||
298 | *split = '\0'; | ||
299 | char *rp2 = split + 1; | ||
300 | if (arg_debug) | ||
301 | printf("path %s, file %s\n", rp, rp2); | ||
302 | print_file_or_dir(rp, rp2, 1); | ||
303 | } | ||
304 | } | ||
305 | free(rp); | ||
306 | } | ||
307 | |||
308 | // get file from sandbox and store it in the current directory | ||
309 | else if (op == SANDBOX_FS_GET) { | ||
310 | char *src_fname =fname1; | ||
311 | char *dest_fname = strrchr(fname1, '/'); | ||
312 | if (!dest_fname || *(++dest_fname) == '\0') { | ||
313 | fprintf(stderr, "Error: invalid file name %s\n", fname1); | ||
314 | exit(1); | ||
315 | } | ||
316 | |||
317 | EUID_ROOT(); | ||
318 | if (arg_debug) | ||
319 | printf("copy %s to %s\n", src_fname, dest_fname); | ||
320 | |||
321 | // create a user-owned temporary file in /run/firejail directory | ||
322 | char tmp_fname[] = "/run/firejail/tmpget-XXXXXX"; | ||
323 | int fd = mkstemp(tmp_fname); | ||
324 | if (fd != -1) { | ||
325 | SET_PERMS_FD(fd, getuid(), getgid(), 0600); | ||
326 | close(fd); | ||
327 | } | ||
328 | |||
329 | // copy the source file into the temporary file - we need to chroot | ||
330 | pid_t child = fork(); | ||
331 | if (child < 0) | ||
332 | errExit("fork"); | ||
333 | if (child == 0) { | ||
334 | // chroot | ||
335 | if (chroot(rootdir) < 0) | ||
336 | errExit("chroot"); | ||
337 | if (chdir("/") < 0) | ||
338 | errExit("chdir"); | ||
339 | |||
340 | // drop privileges | ||
341 | drop_privs(0); | ||
342 | |||
343 | // copy the file | ||
344 | if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user | ||
345 | _exit(1); | ||
346 | #ifdef HAVE_GCOV | ||
347 | __gcov_flush(); | ||
348 | #endif | ||
349 | _exit(0); | ||
350 | } | ||
351 | |||
352 | // wait for the child to finish | ||
353 | int status = 0; | ||
354 | waitpid(child, &status, 0); | ||
355 | if (WIFEXITED(status) && WEXITSTATUS(status) == 0); | ||
356 | else { | ||
357 | unlink(tmp_fname); | ||
358 | exit(1); | ||
359 | } | ||
360 | |||
361 | // copy the temporary file into the destionation file | ||
362 | child = fork(); | ||
363 | if (child < 0) | ||
364 | errExit("fork"); | ||
365 | if (child == 0) { | ||
366 | // drop privileges | ||
367 | drop_privs(0); | ||
368 | |||
369 | // copy the file | ||
370 | if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user | ||
371 | _exit(1); | ||
372 | #ifdef HAVE_GCOV | ||
373 | __gcov_flush(); | ||
374 | #endif | ||
375 | _exit(0); | ||
376 | } | ||
377 | |||
378 | // wait for the child to finish | ||
379 | status = 0; | ||
380 | waitpid(child, &status, 0); | ||
381 | if (WIFEXITED(status) && WEXITSTATUS(status) == 0); | ||
382 | else { | ||
383 | unlink(tmp_fname); | ||
384 | exit(1); | ||
385 | } | ||
386 | |||
387 | // remove the temporary file | ||
388 | unlink(tmp_fname); | ||
389 | EUID_USER(); | ||
390 | } | ||
391 | // get file from host and store it in the sandbox | ||
392 | else if (op == SANDBOX_FS_PUT && path2) { | ||
393 | char *src_fname =fname1; | ||
394 | char *dest_fname = fname2; | ||
395 | |||
396 | EUID_ROOT(); | ||
397 | if (arg_debug) | ||
398 | printf("copy %s to %s\n", src_fname, dest_fname); | ||
399 | |||
400 | // create a user-owned temporary file in /run/firejail directory | ||
401 | char tmp_fname[] = "/run/firejail/tmpget-XXXXXX"; | ||
402 | int fd = mkstemp(tmp_fname); | ||
403 | if (fd == -1) { | ||
404 | fprintf(stderr, "Error: cannot create temporary file %s\n", tmp_fname); | ||
405 | exit(1); | ||
406 | } | ||
407 | SET_PERMS_FD(fd, getuid(), getgid(), 0600); | ||
408 | close(fd); | ||
409 | |||
410 | // copy the source file into the temporary file - we need to chroot | ||
411 | pid_t child = fork(); | ||
412 | if (child < 0) | ||
413 | errExit("fork"); | ||
414 | if (child == 0) { | ||
415 | // drop privileges | ||
416 | drop_privs(0); | ||
417 | |||
418 | // copy the file | ||
419 | if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user | ||
420 | _exit(1); | ||
421 | #ifdef HAVE_GCOV | ||
422 | __gcov_flush(); | ||
423 | #endif | ||
424 | _exit(0); | ||
425 | } | ||
426 | |||
427 | // wait for the child to finish | ||
428 | int status = 0; | ||
429 | waitpid(child, &status, 0); | ||
430 | if (WIFEXITED(status) && WEXITSTATUS(status) == 0); | ||
431 | else { | ||
432 | unlink(tmp_fname); | ||
433 | exit(1); | ||
434 | } | ||
435 | |||
436 | // copy the temporary file into the destionation file | ||
437 | child = fork(); | ||
438 | if (child < 0) | ||
439 | errExit("fork"); | ||
440 | if (child == 0) { | ||
441 | // chroot | ||
442 | if (chroot(rootdir) < 0) | ||
443 | errExit("chroot"); | ||
444 | if (chdir("/") < 0) | ||
445 | errExit("chdir"); | ||
446 | |||
447 | // drop privileges | ||
448 | drop_privs(0); | ||
449 | |||
450 | // copy the file | ||
451 | if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user | ||
452 | _exit(1); | ||
453 | #ifdef HAVE_GCOV | ||
454 | __gcov_flush(); | ||
455 | #endif | ||
456 | _exit(0); | ||
457 | } | ||
458 | |||
459 | // wait for the child to finish | ||
460 | status = 0; | ||
461 | waitpid(child, &status, 0); | ||
462 | if (WIFEXITED(status) && WEXITSTATUS(status) == 0); | ||
463 | else { | ||
464 | unlink(tmp_fname); | ||
465 | exit(1); | ||
466 | } | ||
467 | |||
468 | // remove the temporary file | ||
469 | unlink(tmp_fname); | ||
470 | EUID_USER(); | ||
471 | } | ||
472 | |||
473 | if (fname2) | ||
474 | free(fname2); | ||
475 | free(fname1); | ||
476 | free(rootdir); | ||
477 | |||
478 | exit(0); | ||
479 | } | ||
diff --git a/src/firejail/main.c b/src/firejail/main.c index 9b406b4b9..4212edd9b 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -598,6 +598,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
598 | exit_err_feature("networking"); | 598 | exit_err_feature("networking"); |
599 | } | 599 | } |
600 | #endif | 600 | #endif |
601 | #ifndef LTS | ||
601 | #ifdef HAVE_FILE_TRANSFER | 602 | #ifdef HAVE_FILE_TRANSFER |
602 | else if (strncmp(argv[i], "--get=", 6) == 0) { | 603 | else if (strncmp(argv[i], "--get=", 6) == 0) { |
603 | if (checkcfg(CFG_FILE_TRANSFER)) { | 604 | if (checkcfg(CFG_FILE_TRANSFER)) { |
@@ -678,6 +679,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
678 | exit_err_feature("file transfer"); | 679 | exit_err_feature("file transfer"); |
679 | } | 680 | } |
680 | #endif | 681 | #endif |
682 | #endif | ||
681 | else if (strncmp(argv[i], "--join=", 7) == 0) { | 683 | else if (strncmp(argv[i], "--join=", 7) == 0) { |
682 | if (checkcfg(CFG_JOIN) || getuid() == 0) { | 684 | if (checkcfg(CFG_JOIN) || getuid() == 0) { |
683 | logargs(argc, argv); | 685 | logargs(argc, argv); |
@@ -1,7 +1,7 @@ | |||
1 | Phase 2 | 1 | Phase 2 |
2 | - Aug 21 | 2 | - Aug 21 |
3 | - remove --output --libtrace --libtracelog | 3 | - remove --output --libtrace --libtracelog |
4 | 4 | - remove --ls, --get, --put | |
5 | 5 | ||
6 | Phase 1 | 6 | Phase 1 |
7 | - starting from main as of Jul 27 | 7 | - starting from main as of Jul 27 |
diff --git a/test/utils/ls.exp b/test/utils/ls.exp deleted file mode 100755 index ff6867c51..000000000 --- a/test/utils/ls.exp +++ /dev/null | |||
@@ -1,69 +0,0 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | |||
3 | set timeout 10 | ||
4 | spawn $env(SHELL) | ||
5 | match_max 100000 | ||
6 | set firstspawn $spawn_id | ||
7 | |||
8 | |||
9 | send -- "rm -f lstesting\r" | ||
10 | sleep 1 | ||
11 | send -- "firejail --private --name=test\r" | ||
12 | expect { | ||
13 | timeout {puts "TESTING ERROR 0\n";exit} | ||
14 | "Child process initialized" | ||
15 | } | ||
16 | sleep 1 | ||
17 | send -- "echo my_testing > ~/lstesting\r" | ||
18 | after 100 | ||
19 | |||
20 | # ls | ||
21 | spawn $env(SHELL) | ||
22 | send -- "firejail --ls=test ~/.\r" | ||
23 | expect { | ||
24 | timeout {puts "TESTING ERROR 1\n";exit} | ||
25 | "lstesting" | ||
26 | } | ||
27 | sleep 1 | ||
28 | |||
29 | # get | ||
30 | send -- "firejail --get=test ~/lstesting\r" | ||
31 | sleep 1 | ||
32 | send -- "cat lstesting\r" | ||
33 | expect { | ||
34 | timeout {puts "TESTING ERROR 2n";exit} | ||
35 | "my_testing" | ||
36 | } | ||
37 | after 100 | ||
38 | |||
39 | # put | ||
40 | send -- "echo put_test > ~/lstesting\r" | ||
41 | after 100 | ||
42 | send -- "firejail --put=test ~/lstesting ~/lstesting_2\r" | ||
43 | sleep 1 | ||
44 | |||
45 | set spawn_id $firstspawn | ||
46 | send -- "ls -al ~\r" | ||
47 | expect { | ||
48 | timeout {puts "TESTING ERROR 3\n";exit} | ||
49 | "lstesting_2" | ||
50 | } | ||
51 | |||
52 | after 100 | ||
53 | send -- "cat ~/lstesting_2\r" | ||
54 | expect { | ||
55 | timeout {puts "TESTING ERROR 4\n";exit} | ||
56 | "put_test" | ||
57 | } | ||
58 | after 100 | ||
59 | send -- "exit\r" | ||
60 | sleep 1 | ||
61 | |||
62 | |||
63 | |||
64 | |||
65 | |||
66 | send -- "rm -f lstesting\r" | ||
67 | |||
68 | after 100 | ||
69 | puts "\nall done\n" | ||
diff --git a/test/utils/utils.sh b/test/utils/utils.sh index f12698f0a..c4958094e 100755 --- a/test/utils/utils.sh +++ b/test/utils/utils.sh | |||
@@ -95,9 +95,6 @@ echo "TESTING: join profile (test/utils/join-profile.exp)" | |||
95 | echo "TESTING: top (test/utils/top.exp)" | 95 | echo "TESTING: top (test/utils/top.exp)" |
96 | ./top.exp | 96 | ./top.exp |
97 | 97 | ||
98 | echo "TESTING: file transfer (test/utils/ls.exp)" | ||
99 | ./ls.exp | ||
100 | |||
101 | echo "TESTING: firemon seccomp (test/utils/firemon-seccomp.exp)" | 98 | echo "TESTING: firemon seccomp (test/utils/firemon-seccomp.exp)" |
102 | ./firemon-seccomp.exp | 99 | ./firemon-seccomp.exp |
103 | 100 | ||