author | smitsohu <smitsohu@gmail.com> | 2020-07-14 16:15:35 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-07-14 16:15:35 +0200 |
commit | 94c5abc5015ba6a2dd239e9af2eeac4b1084e9c4 (patch) | |
tree | 7f9e9654d9632bc3e354c9b2c37a8171e39cc087 | |
parent | Merge pull request #3241 from kris7t/sbox-harden-exec (diff) | |
harden bandwidth command
add extra checks to defend against command injection (the respective strings are controlled by Firejail, so this should be redundant and is only for the paranoid); run the shell in a minimal sandbox
-rw-r--r-- | src/firejail/bandwidth.c | 24 |
1 files changed, 12 insertions, 12 deletions
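--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -327,6 +327,15 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
 devname = strdup(buf + len + 1);
 if (!devname)
 errExit("strdup");
+// double-check device name
+size_t i;
+for (i = 0; devname[i]; i++) {
+if (isalnum((unsigned char) devname[i]) == 0 &&
+devname[i] != '-') {
+fprintf(stderr, "Error: name of network device is invalid\n");
+exit(1);
+}
+}
 // check device in namespace
 if (if_nametoindex(devname) == 0) {
 fprintf(stderr, "Error: cannot find network device %s\n", devname);
@@ -354,6 +363,7 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
 }
 bandwidth_remove(pid, devname);
 }
+else assert(strcmp(command, "status") == 0);
 
 // build fshaper.sh command
 char *cmd = NULL;
@@ -375,26 +385,16 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
 }
 assert(cmd);
 
-// wipe out environment variables
-environ = NULL;
-
 //************************
 // build command
 //************************
-// elevate privileges
-if (setreuid(0, 0))
-errExit("setreuid");
-if (setregid(0, 0))
-errExit("setregid");
-
 char *arg[4];
 arg[0] = "/bin/sh";
 arg[1] = "-c";
 arg[2] = cmd;
 arg[3] = NULL;
 clearenv();
-execvp(arg[0], arg);
+sbox_exec_v(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, arg);
 
-// it will never get here
-errExit("execvp");
+// it will never get here!!
 }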
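Review bot: The character whitelist added at new lines 332-338 rejects interface names that Linux allows and that a user may well have configured, such as VLAN or alias devices like `eth0.100` or `wlan0_ap`, because it accepts only alphanumerics and `-`. Since devname is spliced into an `sh -c` command string, a whitelist is the right defence, but it should admit the shell-safe characters a kernel interface name can legitimately contain, i.e. `devname[i] != '-' && devname[i] != '_' && devname[i] != '.'`. An explicit length bound such as `if (strlen(devname) >= IFNAMSIZ)` rejecting the name before if_nametoindex() would complete the check without weakening it. bandwidth_pid begins before the first hunk, so where buf comes from is not visible here; this assumes devname ultimately reflects a user-chosen interface name.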