diff options
author | netblue30 <netblue30@yahoo.com> | 2017-03-28 15:31:50 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-03-28 15:31:50 -0400 |
commit | cf5559df5e168fd57a2757776f182704572c6941 (patch) | |
tree | 332db150b3496cfffadd19be1afe65b82ef73874 | |
parent | Merge pull request #1166 from SYN-cook/patch-1 (diff) | |
download | firejail-cf5559df5e168fd57a2757776f182704572c6941.tar.gz firejail-cf5559df5e168fd57a2757776f182704572c6941.tar.zst firejail-cf5559df5e168fd57a2757776f182704572c6941.zip |
rlimit fixes; ~/.cache cleanup
-rw-r--r-- | src/firejail/checkcfg.c | 9 | ||||
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/fs.c | 20 | ||||
-rw-r--r-- | src/firejail/profile.c | 12 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 7 | ||||
-rw-r--r-- | src/firejail/util.c | 1 | ||||
-rwxr-xr-x | test/environment/rlimit-bad-profile.exp | 8 | ||||
-rwxr-xr-x | test/environment/rlimit-bad.exp | 8 | ||||
-rwxr-xr-x | test/environment/rlimit.exp | 2 |
9 files changed, 13 insertions, 56 deletions
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index f76f83d85..24d8d0381 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -74,15 +74,6 @@ int checkcfg(int val) { | |||
74 | if (!ptr) | 74 | if (!ptr) |
75 | continue; | 75 | continue; |
76 | 76 | ||
77 | // mount tmpfs on top of ~/.cache directory | ||
78 | if (strncmp(ptr, "cache-tmpfs ", 12) == 0) { | ||
79 | if (strcmp(ptr + 12, "yes") == 0) | ||
80 | cfg_val[CFG_CACHE_TMPFS] = 1; | ||
81 | else if (strcmp(ptr + 12, "no") == 0) | ||
82 | cfg_val[CFG_CACHE_TMPFS] = 0; | ||
83 | else | ||
84 | goto errout; | ||
85 | } | ||
86 | // file transfer | 77 | // file transfer |
87 | else if (strncmp(ptr, "file-transfer ", 14) == 0) { | 78 | else if (strncmp(ptr, "file-transfer ", 14) == 0) { |
88 | if (strcmp(ptr + 14, "yes") == 0) | 79 | if (strcmp(ptr + 14, "yes") == 0) |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index a981c8759..7258dd2f8 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -407,7 +407,6 @@ void fs_overlayfs(void); | |||
407 | // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf | 407 | // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf |
408 | void fs_chroot(const char *rootdir); | 408 | void fs_chroot(const char *rootdir); |
409 | void fs_check_chroot_dir(const char *rootdir); | 409 | void fs_check_chroot_dir(const char *rootdir); |
410 | void fs_cache(void); | ||
411 | 410 | ||
412 | // profile.c | 411 | // profile.c |
413 | // find and read the profile specified by name from dir directory | 412 | // find and read the profile specified by name from dir directory |
@@ -685,7 +684,6 @@ enum { | |||
685 | CFG_FOLLOW_SYMLINK_AS_USER, | 684 | CFG_FOLLOW_SYMLINK_AS_USER, |
686 | CFG_FOLLOW_SYMLINK_PRIVATE_BIN, | 685 | CFG_FOLLOW_SYMLINK_PRIVATE_BIN, |
687 | CFG_DISABLE_MNT, | 686 | CFG_DISABLE_MNT, |
688 | CFG_CACHE_TMPFS, | ||
689 | CFG_JOIN, | 687 | CFG_JOIN, |
690 | CFG_MAX // this should always be the last entry | 688 | CFG_MAX // this should always be the last entry |
691 | }; | 689 | }; |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 451a946b7..0ebed61db 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -480,26 +480,6 @@ void fs_mnt(void) { | |||
480 | } | 480 | } |
481 | 481 | ||
482 | 482 | ||
483 | void fs_cache(void) { | ||
484 | #if 0 | ||
485 | if (arg_debug) | ||
486 | printf("Deploy ~/.cache tmpfs\n"); | ||
487 | char *cache; | ||
488 | if (asprintf(&cache, "%s/.cache", cfg.homedir) == -1) | ||
489 | errExit("asprintf"); | ||
490 | if (is_link(cache)) { | ||
491 | fprintf(stderr, "Error: ~/.cache directory is a symbolik link\n"); | ||
492 | exit(1); | ||
493 | } | ||
494 | disable_file(MOUNT_TMPFS, cache); | ||
495 | if (is_link(cache)) { | ||
496 | fprintf(stderr, "Error: ~/.cache directory is a symbolik link\n"); | ||
497 | exit(1); | ||
498 | } | ||
499 | free(cache); | ||
500 | #endif | ||
501 | } | ||
502 | |||
503 | // mount /proc and /sys directories | 483 | // mount /proc and /sys directories |
504 | void fs_proc_sys_dev_boot(void) { | 484 | void fs_proc_sys_dev_boot(void) { |
505 | if (arg_debug) | 485 | if (arg_debug) |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 8f98fd397..53fa38845 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -874,27 +874,23 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
874 | // rlimit | 874 | // rlimit |
875 | if (strncmp(ptr, "rlimit", 6) == 0) { | 875 | if (strncmp(ptr, "rlimit", 6) == 0) { |
876 | if (strncmp(ptr, "rlimit-nofile ", 14) == 0) { | 876 | if (strncmp(ptr, "rlimit-nofile ", 14) == 0) { |
877 | ptr += 14; | ||
878 | check_unsigned(ptr + 14, "Error: invalid rlimit in profile file: "); | 877 | check_unsigned(ptr + 14, "Error: invalid rlimit in profile file: "); |
879 | sscanf(ptr, "%llu", &cfg.rlimit_nofile); | 878 | sscanf(ptr + 14, "%llu", &cfg.rlimit_nofile); |
880 | arg_rlimit_nofile = 1; | 879 | arg_rlimit_nofile = 1; |
881 | } | 880 | } |
882 | else if (strncmp(ptr, "rlimit-nproc ", 13) == 0) { | 881 | else if (strncmp(ptr, "rlimit-nproc ", 13) == 0) { |
883 | ptr += 13; | ||
884 | check_unsigned(ptr + 13, "Error: invalid rlimit in profile file: "); | 882 | check_unsigned(ptr + 13, "Error: invalid rlimit in profile file: "); |
885 | sscanf(ptr, "%llu", &cfg.rlimit_nproc); | 883 | sscanf(ptr + 13, "%llu", &cfg.rlimit_nproc); |
886 | arg_rlimit_nproc = 1; | 884 | arg_rlimit_nproc = 1; |
887 | } | 885 | } |
888 | else if (strncmp(ptr, "rlimit-fsize ", 13) == 0) { | 886 | else if (strncmp(ptr, "rlimit-fsize ", 13) == 0) { |
889 | ptr += 13; | ||
890 | check_unsigned(ptr + 13, "Error: invalid rlimit in profile file: "); | 887 | check_unsigned(ptr + 13, "Error: invalid rlimit in profile file: "); |
891 | sscanf(ptr, "%llu", &cfg.rlimit_fsize); | 888 | sscanf(ptr + 13, "%llu", &cfg.rlimit_fsize); |
892 | arg_rlimit_fsize = 1; | 889 | arg_rlimit_fsize = 1; |
893 | } | 890 | } |
894 | else if (strncmp(ptr, "rlimit-sigpending ", 18) == 0) { | 891 | else if (strncmp(ptr, "rlimit-sigpending ", 18) == 0) { |
895 | ptr += 18; | ||
896 | check_unsigned(ptr + 18, "Error: invalid rlimit in profile file: "); | 892 | check_unsigned(ptr + 18, "Error: invalid rlimit in profile file: "); |
897 | sscanf(ptr, "%llu", &cfg.rlimit_sigpending); | 893 | sscanf(ptr + 18, "%llu", &cfg.rlimit_sigpending); |
898 | arg_rlimit_sigpending = 1; | 894 | arg_rlimit_sigpending = 1; |
899 | } | 895 | } |
900 | else { | 896 | else { |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index f9e59f1ed..6cb1aca28 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -790,13 +790,6 @@ int sandbox(void* sandbox_arg) { | |||
790 | fs_mnt(); | 790 | fs_mnt(); |
791 | 791 | ||
792 | //**************************** | 792 | //**************************** |
793 | // deploy a tmpfs on ~/.cache directory | ||
794 | //**************************** | ||
795 | if (checkcfg(CFG_CACHE_TMPFS)) | ||
796 | fs_cache(); | ||
797 | |||
798 | |||
799 | //**************************** | ||
800 | // apply the profile file | 793 | // apply the profile file |
801 | //**************************** | 794 | //**************************** |
802 | // apply all whitelist commands ... | 795 | // apply all whitelist commands ... |
diff --git a/src/firejail/util.c b/src/firejail/util.c index 93eabec65..88fa67183 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -421,7 +421,6 @@ char *split_comma(char *str) { | |||
421 | 421 | ||
422 | void check_unsigned(const char *str, const char *msg) { | 422 | void check_unsigned(const char *str, const char *msg) { |
423 | EUID_ASSERT(); | 423 | EUID_ASSERT(); |
424 | |||
425 | int rv = 0; | 424 | int rv = 0; |
426 | const char *ptr = str; | 425 | const char *ptr = str; |
427 | while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0') { | 426 | while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0') { |
diff --git a/test/environment/rlimit-bad-profile.exp b/test/environment/rlimit-bad-profile.exp index 80693a4a0..cd77402fd 100755 --- a/test/environment/rlimit-bad-profile.exp +++ b/test/environment/rlimit-bad-profile.exp | |||
@@ -8,27 +8,27 @@ match_max 100000 | |||
8 | send -- "firejail --profile=rlimit-bad1.profile\r" | 8 | send -- "firejail --profile=rlimit-bad1.profile\r" |
9 | expect { | 9 | expect { |
10 | timeout {puts "TESTING ERROR 4\n";exit} | 10 | timeout {puts "TESTING ERROR 4\n";exit} |
11 | "Invalid rlimit option" | 11 | "invalid rlimit" |
12 | } | 12 | } |
13 | after 100 | 13 | after 100 |
14 | 14 | ||
15 | send -- "firejail --profile=rlimit-bad2.profile\r" | 15 | send -- "firejail --profile=rlimit-bad2.profile\r" |
16 | expect { | 16 | expect { |
17 | timeout {puts "TESTING ERROR 5\n";exit} | 17 | timeout {puts "TESTING ERROR 5\n";exit} |
18 | "Invalid rlimit option" | 18 | "invalid rlimit" |
19 | } | 19 | } |
20 | after 100 | 20 | after 100 |
21 | 21 | ||
22 | send -- "firejail --profile=rlimit-bad3.profile\r" | 22 | send -- "firejail --profile=rlimit-bad3.profile\r" |
23 | expect { | 23 | expect { |
24 | timeout {puts "TESTING ERROR 6\n";exit} | 24 | timeout {puts "TESTING ERROR 6\n";exit} |
25 | "Invalid rlimit option" | 25 | "invalid rlimit" |
26 | } | 26 | } |
27 | after 100 | 27 | after 100 |
28 | send -- "firejail --profile=rlimit-bad4.profile\r" | 28 | send -- "firejail --profile=rlimit-bad4.profile\r" |
29 | expect { | 29 | expect { |
30 | timeout {puts "TESTING ERROR 7\n";exit} | 30 | timeout {puts "TESTING ERROR 7\n";exit} |
31 | "Invalid rlimit option" | 31 | "invalid rlimit" |
32 | } | 32 | } |
33 | after 100 | 33 | after 100 |
34 | 34 | ||
diff --git a/test/environment/rlimit-bad.exp b/test/environment/rlimit-bad.exp index 574e7e174..0a2fe9c98 100755 --- a/test/environment/rlimit-bad.exp +++ b/test/environment/rlimit-bad.exp | |||
@@ -7,27 +7,27 @@ match_max 100000 | |||
7 | send -- "firejail --rlimit-fsize=-1024\r" | 7 | send -- "firejail --rlimit-fsize=-1024\r" |
8 | expect { | 8 | expect { |
9 | timeout {puts "TESTING ERROR 0\n";exit} | 9 | timeout {puts "TESTING ERROR 0\n";exit} |
10 | "invalid rlimt fsize" | 10 | "invalid rlimit" |
11 | } | 11 | } |
12 | after 100 | 12 | after 100 |
13 | 13 | ||
14 | send -- "firejail --rlimit-nofile=asdf\r" | 14 | send -- "firejail --rlimit-nofile=asdf\r" |
15 | expect { | 15 | expect { |
16 | timeout {puts "TESTING ERROR 1\n";exit} | 16 | timeout {puts "TESTING ERROR 1\n";exit} |
17 | "invalid rlimt nofile" | 17 | "invalid rlimit" |
18 | } | 18 | } |
19 | after 100 | 19 | after 100 |
20 | 20 | ||
21 | send -- "firejail --rlimit-nproc=100.23\r" | 21 | send -- "firejail --rlimit-nproc=100.23\r" |
22 | expect { | 22 | expect { |
23 | timeout {puts "TESTING ERROR 2\n";exit} | 23 | timeout {puts "TESTING ERROR 2\n";exit} |
24 | "invalid rlimt nproc" | 24 | "invalid rlimit" |
25 | } | 25 | } |
26 | after 100 | 26 | after 100 |
27 | send -- "firejail --rlimit-sigpending=2345-78\r" | 27 | send -- "firejail --rlimit-sigpending=2345-78\r" |
28 | expect { | 28 | expect { |
29 | timeout {puts "TESTING ERROR 3\n";exit} | 29 | timeout {puts "TESTING ERROR 3\n";exit} |
30 | "invalid rlimt sigpending" | 30 | "invalid rlimit" |
31 | } | 31 | } |
32 | after 100 | 32 | after 100 |
33 | 33 | ||
diff --git a/test/environment/rlimit.exp b/test/environment/rlimit.exp index 611f69821..ecbe2a3b7 100755 --- a/test/environment/rlimit.exp +++ b/test/environment/rlimit.exp | |||
@@ -34,4 +34,4 @@ expect { | |||
34 | "home" | 34 | "home" |
35 | } | 35 | } |
36 | after 100 | 36 | after 100 |
37 | puts "\n" | 37 | puts "\nall done\n" |