authorLibravatar startx2017 <vradu.startx@yandex.com>2018-11-06 10:22:57 -0500
committerLibravatar startx2017 <vradu.startx@yandex.com>2018-11-06 10:22:57 -0500
commitecc72f4b71d18433ba6bc42aa8e890cda37c0a31 (patch)
tree6ff99f6c4f512d761a0c51ec2198a03bb8b3b871
parentmainline merge: fs_whitelist: minor mountinfo check improvement, cleanup (diff)
mainline merge: fix --bandwidth command
-rw-r--r--src/firejail/bandwidth.c80
1 files changed, 17 insertions, 63 deletions
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index d0487d49a..112afff69 100644
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -296,69 +296,7 @@ void bandwidth_set(pid_t pid, const char *dev, int down, int up) {
296//*********************************** 296//***********************************
297void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up) { 297void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up) {
298 EUID_ASSERT(); 298 EUID_ASSERT();
299 //************************ 299 enter_network_namespace(pid);
300 // verify sandbox
301 //************************
302 EUID_ROOT();
303 char *comm = pid_proc_comm(pid);
304 EUID_USER();
305 if (!comm) {
306 fprintf(stderr, "Error: cannot find sandbox\n");
307 exit(1);
308 }
309
310 // check for firejail sandbox
311 if (strcmp(comm, "firejail") != 0) {
312 fprintf(stderr, "Error: cannot find sandbox\n");
313 exit(1);
314 }
315 free(comm);
316
317 // check network namespace
318 char *name;
319 if (asprintf(&name, "/run/firejail/network/%d-netmap", pid) == -1)
320 errExit("asprintf");
321 struct stat s;
322 if (stat(name, &s) == -1) {
323 fprintf(stderr, "Error: the sandbox doesn't use a new network namespace\n");
324 exit(1);
325 }
326
327 //************************
328 // join the network namespace
329 //************************
330 pid_t child;
331 if (find_child(pid, &child) == 1) {
332 fprintf(stderr, "Error: cannot join the network namespace\n");
333 exit(1);
334 }
335
336 if (invalid_sandbox(child)) {
337 fprintf(stderr, "Error: cannot join the network namespace\n");
338 exit(1);
339 }
340
341 // check privileges for non-root users
342 uid_t uid = getuid();
343 if (uid != 0) {
344 uid_t sandbox_uid = pid_get_uid(pid);
345 if (uid != sandbox_uid) {
346 fprintf(stderr, "Error: permission is denied to join a sandbox created by a different user.\n");
347 exit(1);
348 }
349 }
350
351 EUID_ROOT();
352 if (join_namespace(child, "net")) {
353 fprintf(stderr, "Error: cannot join the network namespace\n");
354 exit(1);
355 }
356
357 // set run file
358 if (strcmp(command, "set") == 0)
359 bandwidth_set(pid, dev, down, up);
360 else if (strcmp(command, "clear") == 0)
361 bandwidth_remove(pid, dev);
362 300
363 //************************ 301 //************************
364 // build command 302 // build command
@@ -401,6 +339,22 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
401 fclose(fp); 339 fclose(fp);
402 } 340 }
403 341
342 // set run file
343 if (strcmp(command, "set") == 0) {
344 if (devname == NULL) {
345 fprintf(stderr, "Error: cannot find a %s interface inside the sandbox\n", dev);
346 exit(1);
347 }
348 bandwidth_set(pid, devname, down, up);
349 }
350 else if (strcmp(command, "clear") == 0) {
351 if (devname == NULL) {
352 fprintf(stderr, "Error: cannot find a %s interface inside the sandbox\n", dev);
353 exit(1);
354 }
355 bandwidth_remove(pid, devname);
356 }
357
404 // build fshaper.sh command 358 // build fshaper.sh command
405 char *cmd = NULL; 359 char *cmd = NULL;
406 if (devname) { 360 if (devname) {