author | smitsohu <smitsohu@gmail.com> | 2022-01-17 14:09:43 +0100 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2022-01-17 14:09:43 +0100 |
commit | 493a0ef306a8b610f3ed6a1b88a4dbea25e8498b (patch) | |
tree | a8a9fc51ec94be5f284b988edb15668ece64c07a | |
parent | gcov (diff) | |
download | firejail-493a0ef306a8b610f3ed6a1b88a4dbea25e8498b.tar.gz firejail-493a0ef306a8b610f3ed6a1b88a4dbea25e8498b.tar.zst firejail-493a0ef306a8b610f3ed6a1b88a4dbea25e8498b.zip |
some hardening
-rw-r--r-- | src/firejail/fs_etc.c | 2 | ||||
-rw-r--r-- | src/firejail/sbox.c | 8 |
2 files changed, 8 insertions, 2 deletions
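diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index baa707741..786e0d360 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -142,7 +142,7 @@ errexit:
 static void duplicate(const char *fname, const char *private_dir, const char *private_run_dir) {
 	assert(fname);
 
-	if (*fname == '~' || *fname == '/' || strncmp(fname, "..", 2) == 0) {
+	if (*fname == '~' || *fname == '/' || strstr(fname, "..")) {
 		fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname);
 		exit(1);
 	}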
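Review bot: `strstr(fname, "..")` in duplicate() now rejects any name containing two consecutive dots, not only a `..` path component, so an entry such as `foo..conf` that passed the old leading-prefix check is refused with the generic "invalid filename" error, while the traversal case `a/../b` that the old `strncmp` missed is now correctly caught. If the over-match is an accepted trade-off for not parsing path components, a comment should say so: `// reject ".." anywhere, not just at the start, so "x/../y" cannot escape the private dir; names like "a..b" are refused as a side effect`. Otherwise the precise check is to split on '/' and compare each component against "..". duplicate() continues past the end of the hunk.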
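diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index 7b5b61f2f..d7147b8ea 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -23,6 +23,7 @@
 #include <unistd.h>
 #include <net/if.h>
 #include <stdarg.h>
+#include <sys/resource.h>
 #include <sys/wait.h>
 #include "../include/seccomp.h"
 
@@ -77,6 +78,11 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char *
 
 	umask(027);
 
+	// https://seclists.org/oss-sec/2021/q4/43
+	struct rlimit tozero = { .rlim_cur = 0, .rlim_max = 0 };
+	if (setrlimit(RLIMIT_CORE, &tozero))
+		errExit("setrlimit");
+
 	// apply filters
 	if (filtermask & SBOX_CAPS_NONE) {
 		caps_drop_all();
@@ -289,7 +295,7 @@ int sbox_run_v(unsigned filtermask, char * const arg[]) {
 	if (waitpid(child, &status, 0) == -1 ) {
 		errExit("waitpid");
 	}
-	if (WIFEXITED(status) && WEXITSTATUS(status) != 0) {
+	if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
 		fprintf(stderr, "Error: failed to run %s, exiting...\n", arg[0]);
 		exit(1);
 	}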
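Review bot: The RLIMIT_CORE hunk in sbox_do_exec_v relies on a zero core limit to suppress dumps, but as far as I recall the kernel only enforces RLIMIT_CORE when the dump is written to a file; when kernel.core_pattern is a pipe (systemd-coredump, apport) the dump is handed to the helper regardless and it is up to that helper whether the limit is honoured. Because this code runs before an exec that the hunk does not show, prctl(PR_SET_DUMPABLE, 0) is not a substitute either, since dumpable is recomputed on execve, so the limit is the right tool here but its scope should be recorded next to the link: `// RLIMIT_CORE=0 (hard and soft) survives exec and stops file core dumps; with a piped core_pattern the kernel ignores it and the helper decides`. The waitpid hunk in sbox_run_v is also worth a look: the `== -1` branch still treats EINTR as fatal rather than retrying, and now that a signalled child is reported as failure the message could include WTERMSIG(status) for diagnosis. sbox_do_exec_v and sbox_run_v both start and end outside their hunks.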