diff options
author | netblue30 <netblue30@yahoo.com> | 2015-08-28 10:51:37 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2015-08-28 10:51:37 -0400 |
commit | 2c0adbb7c979365a6aec1a85a758198c88b44a0f (patch) | |
tree | b5aca47f685c18b8b0c7a235dfaa0835bbdf7bf2 | |
parent | testing default.profile (diff) | |
download | firejail-2c0adbb7c979365a6aec1a85a758198c88b44a0f.tar.gz firejail-2c0adbb7c979365a6aec1a85a758198c88b44a0f.tar.zst firejail-2c0adbb7c979365a6aec1a85a758198c88b44a0f.zip |
cleanup unfinished features
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/fs.c | 43 | ||||
-rw-r--r-- | src/firejail/main.c | 34 |
3 files changed, 0 insertions, 79 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 532a4797e..ce2b0e7a5 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -136,8 +136,6 @@ extern int arg_rlimit_nofile; // rlimit nofile | |||
136 | extern int arg_rlimit_nproc; // rlimit nproc | 136 | extern int arg_rlimit_nproc; // rlimit nproc |
137 | extern int arg_rlimit_fsize; // rlimit fsize | 137 | extern int arg_rlimit_fsize; // rlimit fsize |
138 | extern int arg_rlimit_sigpending;// rlimit sigpending | 138 | extern int arg_rlimit_sigpending;// rlimit sigpending |
139 | extern int arg_nox11; // kill the program if x11 unix domain socket is accessed | ||
140 | extern int arg_nodbus; // kill the program if D-Bus is accessed | ||
141 | extern int arg_nogroups; // disable supplementary groups | 139 | extern int arg_nogroups; // disable supplementary groups |
142 | extern int arg_noroot; // create a new user namespace and disable root user | 140 | extern int arg_noroot; // create a new user namespace and disable root user |
143 | extern int arg_netfilter; // enable netfilter | 141 | extern int arg_netfilter; // enable netfilter |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index ca73ae554..3f8f7176c 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -377,49 +377,6 @@ void fs_proc_sys_dev_boot(void) { | |||
377 | // if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0) | 377 | // if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0) |
378 | // errExit("mounting /sys"); | 378 | // errExit("mounting /sys"); |
379 | 379 | ||
380 | |||
381 | // mounting firejail kernel module files | ||
382 | if (stat("/proc/firejail-uptime", &s) == 0) { | ||
383 | errno = 0; | ||
384 | FILE *fp = fopen("/proc/firejail", "w"); | ||
385 | int cnt = 0; | ||
386 | while (errno == EBUSY && cnt < 10) { | ||
387 | if (!fp) { | ||
388 | int s = random(); | ||
389 | s /= 200000; | ||
390 | usleep(s); | ||
391 | fp = fopen("/proc/firejail", "w"); | ||
392 | } | ||
393 | else | ||
394 | break; | ||
395 | } | ||
396 | if (!fp) { | ||
397 | fprintf(stderr, "Error: cannot register sandbox with firejail-lkm\n"); | ||
398 | exit(1); | ||
399 | } | ||
400 | if (fp) { | ||
401 | // registration | ||
402 | fprintf(fp, "register\n"); | ||
403 | fflush(0); | ||
404 | // filtering x11 connect calls | ||
405 | if (arg_nox11) { | ||
406 | fprintf(fp, "no connect unix /tmp/.X11\n"); | ||
407 | fflush(0); | ||
408 | printf("X11 access disabled\n"); | ||
409 | } | ||
410 | if (arg_nodbus) { | ||
411 | fprintf(fp, "no connect unix /var/run/dbus/system_bus_socket\n"); | ||
412 | fflush(0); | ||
413 | fprintf(fp, "no connect unix /tmp/dbus\n"); | ||
414 | fflush(0); | ||
415 | printf("D-Bus access disabled\n"); | ||
416 | } | ||
417 | fclose(fp); | ||
418 | if (mount("/proc/firejail-uptime", "/proc/uptime", NULL, MS_BIND|MS_REC, NULL) < 0) | ||
419 | fprintf(stderr, "Warning: cannot mount /proc/firejail-uptime\n"); | ||
420 | } | ||
421 | } | ||
422 | |||
423 | // Disable SysRq | 380 | // Disable SysRq |
424 | // a linux box can be shut down easily using the following commands (as root): | 381 | // a linux box can be shut down easily using the following commands (as root): |
425 | // # echo 1 > /proc/sys/kernel/sysrq | 382 | // # echo 1 > /proc/sys/kernel/sysrq |
diff --git a/src/firejail/main.c b/src/firejail/main.c index bcff0e41f..3a5a21cad 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -73,8 +73,6 @@ int arg_rlimit_nofile = 0; // rlimit nofile | |||
73 | int arg_rlimit_nproc = 0; // rlimit nproc | 73 | int arg_rlimit_nproc = 0; // rlimit nproc |
74 | int arg_rlimit_fsize = 0; // rlimit fsize | 74 | int arg_rlimit_fsize = 0; // rlimit fsize |
75 | int arg_rlimit_sigpending = 0; // rlimit fsize | 75 | int arg_rlimit_sigpending = 0; // rlimit fsize |
76 | int arg_nox11 = 0; // kill the program if x11 unix domain socket is accessed | ||
77 | int arg_nodbus = 0; // kill the program if D-Bus is accessed | ||
78 | int arg_nogroups = 0; // disable supplementary groups | 76 | int arg_nogroups = 0; // disable supplementary groups |
79 | int arg_noroot = 0; // create a new user namespace and disable root user | 77 | int arg_noroot = 0; // create a new user namespace and disable root user |
80 | int arg_netfilter; // enable netfilter | 78 | int arg_netfilter; // enable netfilter |
@@ -99,18 +97,6 @@ static void myexit(int rv) { | |||
99 | if (!arg_command) | 97 | if (!arg_command) |
100 | printf("\nparent is shutting down, bye...\n"); | 98 | printf("\nparent is shutting down, bye...\n"); |
101 | 99 | ||
102 | struct stat s; | ||
103 | if (stat("/proc/firejail", &s) == 0) { | ||
104 | /* coverity[toctou] */ | ||
105 | FILE *fp = fopen("/proc/firejail", "w"); | ||
106 | if (fp) { | ||
107 | // deregistration | ||
108 | fprintf(fp, "release\n"); | ||
109 | fflush(0); | ||
110 | fclose(fp); | ||
111 | } | ||
112 | } | ||
113 | |||
114 | // delete sandbox files in shared memory | 100 | // delete sandbox files in shared memory |
115 | bandwidth_shm_del_file(sandbox_pid); // bandwidht file | 101 | bandwidth_shm_del_file(sandbox_pid); // bandwidht file |
116 | network_shm_del_file(sandbox_pid); // network map file | 102 | network_shm_del_file(sandbox_pid); // network map file |
@@ -556,26 +542,6 @@ int main(int argc, char **argv) { | |||
556 | arg_ipc = 1; | 542 | arg_ipc = 1; |
557 | else if (strncmp(argv[i], "--cpu=", 6) == 0) | 543 | else if (strncmp(argv[i], "--cpu=", 6) == 0) |
558 | read_cpu_list(argv[i] + 6); | 544 | read_cpu_list(argv[i] + 6); |
559 | else if (strcmp(argv[i], "--nox11") == 0) { | ||
560 | // check if firejail lkm is present | ||
561 | struct stat s; | ||
562 | if (stat("/proc/firejail", &s) < 0) { | ||
563 | fprintf(stderr, "Error: firejail Linux kernel module not found. The module" | ||
564 | " is required for --nox11 option to work.\n"); | ||
565 | exit(1); | ||
566 | } | ||
567 | arg_nox11 = 1; | ||
568 | } | ||
569 | else if (strcmp(argv[i], "--nodbus") == 0) { | ||
570 | // check if firejail lkm is present | ||
571 | struct stat s; | ||
572 | if (stat("/proc/firejail", &s) < 0) { | ||
573 | fprintf(stderr, "Error: firejail Linux kernel module not found. The module" | ||
574 | " is required for --nodbus option to work.\n"); | ||
575 | exit(1); | ||
576 | } | ||
577 | arg_nodbus = 1; | ||
578 | } | ||
579 | else if (strncmp(argv[i], "--cgroup=", 9) == 0) { | 545 | else if (strncmp(argv[i], "--cgroup=", 9) == 0) { |
580 | if (arg_cgroup) { | 546 | if (arg_cgroup) { |
581 | fprintf(stderr, "Error: only a cgroup can be defined\n"); | 547 | fprintf(stderr, "Error: only a cgroup can be defined\n"); |