author | netblue30 <netblue30@yahoo.com> | 2016-03-17 13:09:03 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-03-17 13:09:03 -0400 |
commit | 46f2bd2531324174f4e6e2f88c361cbddf5055ce (patch) | |
tree | e625bcfa7468a23aa568831f66f2c0441f1632d3 | |
parent | overlayfs work, fixed hedgwoars profile (diff) | |
various fixes
-rw-r--r-- | src/firejail/bandwidth.c | 4 | ||||
-rw-r--r-- | src/firejail/caps.c | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 30 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 8 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 6 |
5 files changed, 37 insertions, 13 deletions
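--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -341,6 +341,7 @@ void bandwidth_shm_set(pid_t pid, const char *dev, int down, int up) {
 // command execution
 //***********************************
 void bandwidth_name(const char *name, const char *command, const char *dev, int down, int up) {
+EUID_ASSERT();
 if (!name || strlen(name) == 0) {
 fprintf(stderr, "Error: invalid sandbox name\n");
 exit(1);
@@ -355,6 +356,7 @@ void bandwidth_name(const char *name, const char *command, const char *dev, int
 }
 
 void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up) {
+EUID_ASSERT();
 //************************
 // verify sandbox
 //************************
@@ -388,6 +390,8 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
 fprintf(stderr, "Error: cannot join the network namespace\n");
 exit(1);
 }
+
+EUID_ROOT();
 if (join_namespace(child, "net")) {
 fprintf(stderr, "Error: cannot join the network namespace\n");
 exit(1);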
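Review bot: The added `EUID_ROOT();` in bandwidth_pid raises the effective uid just before `join_namespace(child, "net")` with no comment saying why root is needed or where it is given up again. Document the elevation at the call, e.g. `// need root to join the sandbox's network namespace`. The function continues past the end of this hunk, so confirm that every later path either needs root or lowers it first (presumably with `EUID_USER()`). The `EUID_ASSERT();` lines added at the top of bandwidth_name and bandwidth_pid fit this move, since the same commit removes the earlier `EUID_ROOT();` from run_cmd_and_exit in main.c.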
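--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -439,8 +439,6 @@ void caps_print_filter(pid_t pid) {
 }
 
 uint64_t caps = extract_caps(pid);
-drop_privs(1);
-
 int i;
 uint64_t mask;
 int elems = sizeof(capslist) / sizeof(capslist[0]);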
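--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -343,7 +343,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 
 // extract pid or sandbox name
 pid_t pid;
-EUID_ROOT();
 if (read_pid(argv[i] + 12, &pid) == 0)
 bandwidth_pid(pid, cmd, dev, down, up);
 else
@@ -669,10 +668,35 @@ int main(int argc, char **argv) {
 int found = 0;
 for (i = 1; i < argc; i++) {
 if (strcmp(argv[i], "--force") == 0 ||
-strcmp(argv[i], "--netstats") == 0 ||
 strcmp(argv[i], "--list") == 0 ||
+strcmp(argv[i], "--netstats") == 0 ||
 strcmp(argv[i], "--tree") == 0 ||
-strcmp(argv[i], "--top") == 0) {
+strcmp(argv[i], "--top") == 0 ||
+strncmp(argv[i], "--ls=", 5) == 0 ||
+strncmp(argv[i], "--get=", 6) == 0 ||
+strcmp(argv[i], "--debug-caps") == 0 ||
+strcmp(argv[i], "--debug-errnos") == 0 ||
+strcmp(argv[i], "--debug-syscalls") == 0 ||
+strcmp(argv[i], "--debug-protocols") == 0 ||
+strcmp(argv[i], "--help") == 0 ||
+strcmp(argv[i], "--version") == 0 ||
+strncmp(argv[i], "--dns.print=", 12) == 0 ||
+strncmp(argv[i], "--bandwidth=", 12) == 0 ||
+strncmp(argv[i], "--caps.print=", 13) == 0 ||
+//********************************************************************************
+// todo: fix the following problems
+strncmp(argv[i], "--join=", 7) == 0 ||
+//[netblue@debian Downloads]$ firejail --join=896
+//Switching to pid 897, the first child process inside the sandbox
+//Error: seccomp file not found
+//********************************************************************************
+
+strncmp(argv[i], "--join-filesystem=", 18) == 0 ||
+strncmp(argv[i], "--join-network=", 15) == 0 ||
+strncmp(argv[i], "--fs.print=", 11) == 0 ||
+strncmp(argv[i], "--protocol.print=", 17) == 0 ||
+strncmp(argv[i], "--seccomp.print", 15) == 0 ||
+strncmp(argv[i], "--shutdown=", 11) == 0) {
 found = 1;
 break;
 }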
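Review bot: The `--seccomp.print` entry added to the option list in main() is compared without a trailing `=` (`strncmp(argv[i], "--seccomp.print", 15)`), unlike `--caps.print=`, `--fs.print=` and `--protocol.print=` beside it, so any argument that merely begins with that text sets `found`. If the option takes a value like its neighbours, match `strncmp(argv[i], "--seccomp.print=", 16) == 0 ||` instead. The todo block with a pasted terminal transcript sits in the middle of the `if` condition; move it above the loop as a short comment such as `// todo: --join currently fails with "seccomp file not found"`. The loop and the code that consumes `found` lie outside the hunk, so what the flag gates could not be checked here.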
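--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -604,7 +604,7 @@ int sandbox(void* sandbox_arg) {
 // set security filters
 //****************************
 // set capabilities
-if (!arg_noroot)
+// if (!arg_noroot)
 set_caps();
 
 // set rlimits
@@ -646,8 +646,7 @@ int sandbox(void* sandbox_arg) {
 if (arg_noroot) {
 int rv = unshare(CLONE_NEWUSER);
 if (rv == -1) {
-fprintf(stderr, "Warning: cannot mount a new user namespace, going forward without it\n");
-perror("unshare");
+fprintf(stderr, "Warning: cannot mount a new user namespace, going forward without it...\n");
 drop_privs(arg_nogroups);
 arg_noroot = 0;
 }
@@ -667,12 +666,11 @@ int sandbox(void* sandbox_arg) {
 // somehow, the new user namespace resets capabilities;
 // we need to do them again
 if (arg_noroot) {
-set_caps();
 if (arg_debug)
 printf("noroot user namespace installed\n");
+set_caps();
 }
 
-
 //****************************************
 // fork the application and monitor it
 //****************************************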
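Review bot: In the first hunk the guard before `set_caps();` is commented out (`// if (!arg_noroot)`) rather than deleted, which leaves dead code in the security-filter setup of sandbox(). It also gives no reason why capabilities are now set when arg_noroot is on. Delete the line and state the intent, e.g. `// set capabilities; with arg_noroot they are applied again after unshare(CLONE_NEWUSER)`. In the second hunk `perror("unshare");` is dropped, so the warning no longer says why the user namespace could not be created, even though the sandbox then continues without it; keeping the errno text in the message would preserve that diagnostic. sandbox() starts and ends outside these hunks.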
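--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -261,7 +261,7 @@ static void filter_end_whitelist(void) {
 }
 
 
-// save seccomp filter in /tmp/firejail/mnt/seccomp
+// save seccomp filter in /run/firejail/mnt/seccomp
 static void write_seccomp_file(void) {
 fs_build_mnt_dir();
 assert(sfilter);
@@ -283,10 +283,10 @@ static void write_seccomp_file(void) {
 errExit("chown");
 }
 
-// read seccomp filter from /tmp/firejail/mnt/seccomp
+// read seccomp filter from /run/firejail/mnt/seccomp
 static void read_seccomp_file(const char *fname) {
 assert(sfilter == NULL && sfilter_index == 0);
-
+printf("***%s***\n", fname);
 // check file
 struct stat s;
 if (stat(fname, &s) == -1) {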
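Review bot: The added `printf("***%s***\n", fname);` at the top of read_seccomp_file looks like leftover debugging: it writes the filter path to stdout on every call, unconditionally, and would end up in the output of any command that reads the filter. Remove it, or gate it the way sandbox.c gates its diagnostics, e.g. `if (arg_debug) printf("Reading seccomp filter %s\n", fname);`, assuming `arg_debug` is visible in this file. The function body continues past the end of the hunk.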