diff options
author | netblue30 <netblue30@yahoo.com> | 2016-05-19 12:14:18 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-05-19 12:14:18 -0400 |
commit | d221aada89e79d92d758d508475c443064a9da48 (patch) | |
tree | b624531d262ef13b86f9e59e49318cec4338f8e2 | |
parent | --read-only fix (diff) | |
download | firejail-d221aada89e79d92d758d508475c443064a9da48.tar.gz firejail-d221aada89e79d92d758d508475c443064a9da48.tar.zst firejail-d221aada89e79d92d758d508475c443064a9da48.zip |
fixes
-rw-r--r-- | src/firejail/list.c | 34 | ||||
-rw-r--r-- | src/firejail/output.c | 2 | ||||
-rw-r--r-- | src/firejail/run_symlink.c | 6 | ||||
-rw-r--r-- | src/firejail/util.c | 1 | ||||
-rw-r--r-- | src/firejail/x11.c | 2 |
5 files changed, 37 insertions, 8 deletions
diff --git a/src/firejail/list.c b/src/firejail/list.c index cd53264b6..d093a1f85 100644 --- a/src/firejail/list.c +++ b/src/firejail/list.c | |||
@@ -21,7 +21,7 @@ | |||
21 | #include <sys/types.h> | 21 | #include <sys/types.h> |
22 | #include <sys/stat.h> | 22 | #include <sys/stat.h> |
23 | 23 | ||
24 | static void grsec_elevate_privileges(void) { | 24 | static void set_privileges(void) { |
25 | struct stat s; | 25 | struct stat s; |
26 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { | 26 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { |
27 | EUID_ROOT(); | 27 | EUID_ROOT(); |
@@ -32,49 +32,69 @@ static void grsec_elevate_privileges(void) { | |||
32 | if (setregid(0, 0)) | 32 | if (setregid(0, 0)) |
33 | errExit("setregid"); | 33 | errExit("setregid"); |
34 | } | 34 | } |
35 | else | ||
36 | drop_privs(1); | ||
37 | } | ||
38 | |||
39 | static char *get_firemon_path(const char *cmd) { | ||
40 | assert(cmd); | ||
41 | |||
42 | // start the argv[0] program in a new sandbox | ||
43 | char *firemon; | ||
44 | if (asprintf(&firemon, "%s/bin/firemon %s", PREFIX, cmd) == -1) | ||
45 | errExit("asprintf"); | ||
46 | |||
47 | return firemon; | ||
35 | } | 48 | } |
36 | 49 | ||
37 | void top(void) { | 50 | void top(void) { |
38 | EUID_ASSERT(); | 51 | EUID_ASSERT(); |
39 | 52 | drop_privs(1); | |
53 | char *cmd = get_firemon_path("--top"); | ||
54 | |||
40 | char *arg[4]; | 55 | char *arg[4]; |
41 | arg[0] = "bash"; | 56 | arg[0] = "bash"; |
42 | arg[1] = "-c"; | 57 | arg[1] = "-c"; |
43 | arg[2] = "firemon --top"; | 58 | arg[2] = cmd; |
44 | arg[3] = NULL; | 59 | arg[3] = NULL; |
45 | execvp("/bin/bash", arg); | 60 | execvp("/bin/bash", arg); |
46 | } | 61 | } |
47 | 62 | ||
48 | void netstats(void) { | 63 | void netstats(void) { |
49 | EUID_ASSERT(); | 64 | EUID_ASSERT(); |
50 | grsec_elevate_privileges(); | 65 | set_privileges(); |
66 | char *cmd = get_firemon_path("--netstats"); | ||
51 | 67 | ||
52 | char *arg[4]; | 68 | char *arg[4]; |
53 | arg[0] = "bash"; | 69 | arg[0] = "bash"; |
54 | arg[1] = "-c"; | 70 | arg[1] = "-c"; |
55 | arg[2] = "firemon --netstats"; | 71 | arg[2] = cmd; |
56 | arg[3] = NULL; | 72 | arg[3] = NULL; |
57 | execvp("/bin/bash", arg); | 73 | execvp("/bin/bash", arg); |
58 | } | 74 | } |
59 | 75 | ||
60 | void list(void) { | 76 | void list(void) { |
61 | EUID_ASSERT(); | 77 | EUID_ASSERT(); |
78 | drop_privs(1); | ||
79 | char *cmd = get_firemon_path("--list"); | ||
62 | 80 | ||
63 | char *arg[4]; | 81 | char *arg[4]; |
64 | arg[0] = "bash"; | 82 | arg[0] = "bash"; |
65 | arg[1] = "-c"; | 83 | arg[1] = "-c"; |
66 | arg[2] = "firemon --list"; | 84 | arg[2] = cmd; |
67 | arg[3] = NULL; | 85 | arg[3] = NULL; |
68 | execvp("/bin/bash", arg); | 86 | execvp("/bin/bash", arg); |
69 | } | 87 | } |
70 | 88 | ||
71 | void tree(void) { | 89 | void tree(void) { |
72 | EUID_ASSERT(); | 90 | EUID_ASSERT(); |
91 | drop_privs(1); | ||
92 | char *cmd = get_firemon_path("--tree"); | ||
73 | 93 | ||
74 | char *arg[4]; | 94 | char *arg[4]; |
75 | arg[0] = "bash"; | 95 | arg[0] = "bash"; |
76 | arg[1] = "-c"; | 96 | arg[1] = "-c"; |
77 | arg[2] = "firemon --tree"; | 97 | arg[2] = cmd; |
78 | arg[3] = NULL; | 98 | arg[3] = NULL; |
79 | execvp("/bin/bash", arg); | 99 | execvp("/bin/bash", arg); |
80 | } | 100 | } |
diff --git a/src/firejail/output.c b/src/firejail/output.c index 269ac25ea..91fe7f164 100644 --- a/src/firejail/output.c +++ b/src/firejail/output.c | |||
@@ -27,7 +27,6 @@ void check_output(int argc, char **argv) { | |||
27 | 27 | ||
28 | int i; | 28 | int i; |
29 | char *outfile = NULL; | 29 | char *outfile = NULL; |
30 | // drop_privs(0); | ||
31 | 30 | ||
32 | int found = 0; | 31 | int found = 0; |
33 | for (i = 1; i < argc; i++) { | 32 | for (i = 1; i < argc; i++) { |
@@ -91,6 +90,7 @@ void check_output(int argc, char **argv) { | |||
91 | sprintf(ptr, "2>&1 | %s/firejail/ftee %s", LIBDIR, outfile); | 90 | sprintf(ptr, "2>&1 | %s/firejail/ftee %s", LIBDIR, outfile); |
92 | 91 | ||
93 | // run command | 92 | // run command |
93 | drop_privs(0); | ||
94 | char *a[4]; | 94 | char *a[4]; |
95 | a[0] = "/bin/bash"; | 95 | a[0] = "/bin/bash"; |
96 | a[1] = "-c"; | 96 | a[1] = "-c"; |
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c index d57816e12..cc6f6b3e9 100644 --- a/src/firejail/run_symlink.c +++ b/src/firejail/run_symlink.c | |||
@@ -91,6 +91,12 @@ void run_symlink(int argc, char **argv) { | |||
91 | 91 | ||
92 | printf("Redirecting symlink to %s\n", program); | 92 | printf("Redirecting symlink to %s\n", program); |
93 | 93 | ||
94 | // drop privileges | ||
95 | if (setgid(getgid()) < 0) | ||
96 | errExit("setgid/getgid"); | ||
97 | if (setuid(getuid()) < 0) | ||
98 | errExit("setuid/getuid"); | ||
99 | |||
94 | // run command | 100 | // run command |
95 | char *a[3 + argc]; | 101 | char *a[3 + argc]; |
96 | a[0] = firejail; | 102 | a[0] = firejail; |
diff --git a/src/firejail/util.c b/src/firejail/util.c index 3d5fc214d..dc906532f 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -29,6 +29,7 @@ | |||
29 | // drop privileges | 29 | // drop privileges |
30 | // - for root group or if nogroups is set, supplementary groups are not configured | 30 | // - for root group or if nogroups is set, supplementary groups are not configured |
31 | void drop_privs(int nogroups) { | 31 | void drop_privs(int nogroups) { |
32 | EUID_ROOT(); | ||
32 | gid_t gid = getgid(); | 33 | gid_t gid = getgid(); |
33 | 34 | ||
34 | // configure supplementary groups | 35 | // configure supplementary groups |
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 985ca9337..300078872 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
@@ -173,6 +173,7 @@ void x11_start_xephyr(int argc, char **argv) { | |||
173 | fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n"); | 173 | fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n"); |
174 | exit(1); | 174 | exit(1); |
175 | } | 175 | } |
176 | drop_privs(0); | ||
176 | 177 | ||
177 | // check xephyr | 178 | // check xephyr |
178 | if (x11_check_xephyr() == 0) { | 179 | if (x11_check_xephyr() == 0) { |
@@ -295,6 +296,7 @@ void x11_start_xpra(int argc, char **argv) { | |||
295 | fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n"); | 296 | fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n"); |
296 | exit(1); | 297 | exit(1); |
297 | } | 298 | } |
299 | drop_privs(0); | ||
298 | 300 | ||
299 | // check xpra | 301 | // check xpra |
300 | if (x11_check_xpra() == 0) { | 302 | if (x11_check_xpra() == 0) { |