author | netblue30 <netblue30@yahoo.com> | 2018-04-03 11:20:01 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2018-04-03 11:20:01 -0400 |
commit | 384312c9a5d125ecbb7a63bbe6827e4722e08d93 (patch) | |
tree | 11aa8ec2fac61971496ccee32d7bd2d4e89fb5d7 | |
parent | deprecating --force (diff) | |
EUID cleanup
-rw-r--r-- | src/firejail/main.c | 59 |
1 files changed, 27 insertions, 32 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c index 787fa28e1..0d53a24a8 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -830,16 +830,23 @@ int main(int argc, char **argv) { | |||
830 | int lockfd_directory = -1; | 830 | int lockfd_directory = -1; |
831 | int option_cgroup = 0; | 831 | int option_cgroup = 0; |
832 | int custom_profile = 0; // custom profile loaded | 832 | int custom_profile = 0; // custom profile loaded |
833 | |||
834 | atexit(clear_atexit); | 833 | atexit(clear_atexit); |
835 | 834 | ||
836 | // get starting timestamp | 835 | // drop permissions by default and rise them when required |
837 | start_timestamp = getticks(); | 836 | EUID_INIT(); |
837 | EUID_USER(); | ||
838 | |||
839 | // check if the user is allowed to use firejail | ||
840 | init_cfg(argc, argv); | ||
838 | 841 | ||
842 | // get starting timestamp, process --quiet | ||
843 | start_timestamp = getticks(); | ||
839 | if (check_arg(argc, argv, "--quiet", 1)) | 844 | if (check_arg(argc, argv, "--quiet", 1)) |
840 | arg_quiet = 1; | 845 | arg_quiet = 1; |
841 | 846 | ||
847 | |||
842 | // build /run/firejail directory structure | 848 | // build /run/firejail directory structure |
849 | EUID_ROOT(); | ||
843 | preproc_build_firejail_dir(); | 850 | preproc_build_firejail_dir(); |
844 | char *container_name = getenv("container"); | 851 | char *container_name = getenv("container"); |
845 | if (!container_name || strcmp(container_name, "firejail")) { | 852 | if (!container_name || strcmp(container_name, "firejail")) { |
@@ -853,7 +860,10 @@ int main(int argc, char **argv) { | |||
853 | flock(lockfd_directory, LOCK_UN); | 860 | flock(lockfd_directory, LOCK_UN); |
854 | close(lockfd_directory); | 861 | close(lockfd_directory); |
855 | } | 862 | } |
863 | EUID_USER(); | ||
864 | |||
856 | 865 | ||
866 | // process allow-debuggers | ||
857 | if (check_arg(argc, argv, "--allow-debuggers", 1)) { | 867 | if (check_arg(argc, argv, "--allow-debuggers", 1)) { |
858 | // check kernel version | 868 | // check kernel version |
859 | struct utsname u; | 869 | struct utsname u; |
@@ -874,11 +884,12 @@ int main(int argc, char **argv) { | |||
874 | } | 884 | } |
875 | 885 | ||
876 | arg_allow_debuggers = 1; | 886 | arg_allow_debuggers = 1; |
887 | char *cmd = strdup("noblacklist ${PATH}/strace"); | ||
888 | if (!cmd) | ||
889 | errExit("strdup"); | ||
890 | profile_add(cmd); | ||
877 | } | 891 | } |
878 | 892 | ||
879 | // drop permissions by default and rise them when required | ||
880 | EUID_INIT(); | ||
881 | EUID_USER(); | ||
882 | 893 | ||
883 | #ifdef HAVE_GIT_INSTALL | 894 | #ifdef HAVE_GIT_INSTALL |
884 | // process git-install and git-uninstall | 895 | // process git-install and git-uninstall |
@@ -916,28 +927,12 @@ int main(int argc, char **argv) { | |||
916 | assert(0); | 927 | assert(0); |
917 | } | 928 | } |
918 | } | 929 | } |
930 | EUID_ASSERT(); | ||
919 | 931 | ||
920 | // check root/suid | ||
921 | EUID_ROOT(); | ||
922 | if (geteuid()) { | ||
923 | // only --version is supported without SUID support | ||
924 | if (check_arg(argc, argv, "--version", 1)) { | ||
925 | printf("firejail version %s\n", VERSION); | ||
926 | exit(0); | ||
927 | } | ||
928 | |||
929 | fprintf(stderr, "Error: cannot rise privileges\n"); | ||
930 | exit(1); | ||
931 | } | ||
932 | EUID_USER(); | ||
933 | |||
934 | // initialize globals | ||
935 | init_cfg(argc, argv); | ||
936 | 932 | ||
937 | // check firejail directories | 933 | // check firejail directories |
938 | EUID_ROOT(); | 934 | EUID_ROOT(); |
939 | delete_run_files(sandbox_pid); | 935 | delete_run_files(sandbox_pid); |
940 | |||
941 | EUID_USER(); | 936 | EUID_USER(); |
942 | 937 | ||
943 | //check if the parent is sshd daemon | 938 | //check if the parent is sshd daemon |
@@ -991,6 +986,7 @@ int main(int argc, char **argv) { | |||
991 | free(comm); | 986 | free(comm); |
992 | } | 987 | } |
993 | } | 988 | } |
989 | EUID_ASSERT(); | ||
994 | 990 | ||
995 | // is this a login shell, or a command passed by sshd, insert command line options from /etc/firejail/login.users | 991 | // is this a login shell, or a command passed by sshd, insert command line options from /etc/firejail/login.users |
996 | if (*argv[0] == '-' || parent_sshd) { | 992 | if (*argv[0] == '-' || parent_sshd) { |
@@ -1040,26 +1036,19 @@ int main(int argc, char **argv) { | |||
1040 | // check --output option and execute it; | 1036 | // check --output option and execute it; |
1041 | check_output(argc, argv); // the function will not return if --output or --output-stderr option was found | 1037 | check_output(argc, argv); // the function will not return if --output or --output-stderr option was found |
1042 | } | 1038 | } |
1039 | EUID_ASSERT(); | ||
1043 | 1040 | ||
1044 | 1041 | ||
1045 | // check for force-nonewprivs in /etc/firejail/firejail.config file | 1042 | // check for force-nonewprivs in /etc/firejail/firejail.config file |
1046 | if (checkcfg(CFG_FORCE_NONEWPRIVS)) | 1043 | if (checkcfg(CFG_FORCE_NONEWPRIVS)) |
1047 | arg_nonewprivs = 1; | 1044 | arg_nonewprivs = 1; |
1048 | 1045 | ||
1049 | if (arg_allow_debuggers) { | ||
1050 | char *cmd = strdup("noblacklist ${PATH}/strace"); | ||
1051 | if (!cmd) | ||
1052 | errExit("strdup"); | ||
1053 | profile_add(cmd); | ||
1054 | } | ||
1055 | |||
1056 | // parse arguments | 1046 | // parse arguments |
1057 | for (i = 1; i < argc; i++) { | 1047 | for (i = 1; i < argc; i++) { |
1058 | run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized | 1048 | run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized |
1059 | 1049 | ||
1060 | if (strcmp(argv[i], "--debug") == 0 && !arg_quiet) { | 1050 | if (strcmp(argv[i], "--debug") == 0 && !arg_quiet) |
1061 | arg_debug = 1; | 1051 | arg_debug = 1; |
1062 | } | ||
1063 | else if (strcmp(argv[i], "--debug-check-filename") == 0) | 1052 | else if (strcmp(argv[i], "--debug-check-filename") == 0) |
1064 | arg_debug_check_filename = 1; | 1053 | arg_debug_check_filename = 1; |
1065 | else if (strcmp(argv[i], "--debug-blacklists") == 0) | 1054 | else if (strcmp(argv[i], "--debug-blacklists") == 0) |
@@ -2260,6 +2249,7 @@ int main(int argc, char **argv) { | |||
2260 | break; | 2249 | break; |
2261 | } | 2250 | } |
2262 | } | 2251 | } |
2252 | EUID_ASSERT(); | ||
2263 | 2253 | ||
2264 | // prog_index could still be -1 if no program was specified | 2254 | // prog_index could still be -1 if no program was specified |
2265 | if (prog_index == -1 && arg_shell_none) { | 2255 | if (prog_index == -1 && arg_shell_none) { |
@@ -2388,6 +2378,7 @@ int main(int argc, char **argv) { | |||
2388 | fmessage("\n** Note: you can use --noprofile to disable %s.profile **\n\n", profile_name); | 2378 | fmessage("\n** Note: you can use --noprofile to disable %s.profile **\n\n", profile_name); |
2389 | } | 2379 | } |
2390 | } | 2380 | } |
2381 | EUID_ASSERT(); | ||
2391 | 2382 | ||
2392 | // block X11 sockets | 2383 | // block X11 sockets |
2393 | if (arg_x11_block) | 2384 | if (arg_x11_block) |
@@ -2415,6 +2406,7 @@ int main(int argc, char **argv) { | |||
2415 | network_set_run_file(sandbox_pid); | 2406 | network_set_run_file(sandbox_pid); |
2416 | EUID_USER(); | 2407 | EUID_USER(); |
2417 | } | 2408 | } |
2409 | EUID_ASSERT(); | ||
2418 | 2410 | ||
2419 | // create the parent-child communication pipe | 2411 | // create the parent-child communication pipe |
2420 | if (pipe(parent_to_child_fds) < 0) | 2412 | if (pipe(parent_to_child_fds) < 0) |
@@ -2466,6 +2458,7 @@ int main(int argc, char **argv) { | |||
2466 | else if (arg_debug) | 2458 | else if (arg_debug) |
2467 | printf("Using the local network stack\n"); | 2459 | printf("Using the local network stack\n"); |
2468 | 2460 | ||
2461 | EUID_ASSERT(); | ||
2469 | EUID_ROOT(); | 2462 | EUID_ROOT(); |
2470 | child = clone(sandbox, | 2463 | child = clone(sandbox, |
2471 | child_stack + STACK_SIZE, | 2464 | child_stack + STACK_SIZE, |
@@ -2506,6 +2499,7 @@ int main(int argc, char **argv) { | |||
2506 | waitpid(net_child, NULL, 0); | 2499 | waitpid(net_child, NULL, 0); |
2507 | EUID_USER(); | 2500 | EUID_USER(); |
2508 | } | 2501 | } |
2502 | EUID_ASSERT(); | ||
2509 | 2503 | ||
2510 | // close each end of the unused pipes | 2504 | // close each end of the unused pipes |
2511 | close(parent_to_child_fds[0]); | 2505 | close(parent_to_child_fds[0]); |
@@ -2581,6 +2575,7 @@ int main(int argc, char **argv) { | |||
2581 | EUID_USER(); | 2575 | EUID_USER(); |
2582 | free(map_path); | 2576 | free(map_path); |
2583 | } | 2577 | } |
2578 | EUID_ASSERT(); | ||
2584 | 2579 | ||
2585 | // notify child that UID/GID mapping is complete | 2580 | // notify child that UID/GID mapping is complete |
2586 | notify_other(parent_to_child_fds[1]); | 2581 | notify_other(parent_to_child_fds[1]); |
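Review bot: The hunk at old lines 920-932 removes the only check on this page that verifies EUID_ROOT() actually produced euid 0, and nothing in the new code replaces it, so on a build that is not installed setuid-root the program no longer stops with `Error: cannot rise privileges` but carries on into `preproc_build_firejail_dir()` (new line 850) and, later, the privileged `clone()` at new line 2463 with whatever the failed privilege change left behind (presumably the unprivileged uid, though EUID_ROOT() itself is not on the page). I would restore the guard right after the first EUID_ROOT() at new line 849: `if (geteuid()) { fprintf(stderr, "Error: cannot rise privileges\n"); exit(1); }`. The removed block also let `--version` succeed without SUID support; unless that case is handled inside the moved `init_cfg()` (not visible here), that fallback is lost as well and is worth a comment at new line 839 stating which checks init_cfg() now performs. A smaller point in the first hunk: `init_cfg()` now runs before `--quiet` is parsed (new lines 840-845), so any message it prints cannot honor arg_quiet. main() begins and ends outside these hunks.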