author | layderv <20249311+layderv@users.noreply.github.com> | 2023-01-09 18:03:03 -0500 |
---|---|---|
committer | layderv <20249311+layderv@users.noreply.github.com> | 2023-01-24 00:36:34 -0500 |
commit | 4b6892092a77b61a0de485966a7561ec61c72928 (patch) | |
tree | a978e47dadbb00b26adedd7d47d988c89ccf5b18 | |
parent | build(deps): bump actions/checkout from 3.2.0 to 3.3.0 (diff) | |
Prevent sandbox name from containing only digits
Names should not contain only digits,
as all-digit values are treated as PIDs by other commands.
-rw-r--r-- | src/firejail/main.c | 13 | ||||
-rw-r--r-- | src/firejail/profile.c | 13 | ||||
-rw-r--r-- | src/man/firejail.txt | 1 |
3 files changed, 27 insertions, 0 deletions
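--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2161,11 +2161,24 @@ int main(int argc, char **argv, char **envp) {
 // hostname, etc
 //*************************************
 else if (strncmp(argv[i], "--name=", 7) == 0) {
+int only_numbers = 1;
 cfg.name = argv[i] + 7;
 if (strlen(cfg.name) == 0) {
 fprintf(stderr, "Error: please provide a name for sandbox\n");
 return 1;
 }
+const char *c = cfg.name;
+while (*c) {
+if (!isdigit(*c)) {
+only_numbers = 0;
+break;
+}
+++c;
+}
+if (only_numbers) {
+fprintf(stderr, "Error: invalid sandbox name: it only contains digits\n");
+return 1;
+}
 }
 else if (strncmp(argv[i], "--hostname=", 11) == 0) {
 cfg.hostname = argv[i] + 11;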
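--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -326,11 +326,24 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 // sandbox name
 else if (strncmp(ptr, "name ", 5) == 0) {
+int only_numbers = 1;
 cfg.name = ptr + 5;
 if (strlen(cfg.name) == 0) {
 fprintf(stderr, "Error: invalid sandbox name\n");
 exit(1);
 }
+const char *c = cfg.name;
+while (*c) {
+if (!isdigit(*c)) {
+only_numbers = 0;
+break;
+}
+++c;
+}
+if (only_numbers) {
+fprintf(stderr, "Error: invalid sandbox name: it only contains digits\n");
+exit(1);
+}
 return 0;
 }
 else if (strcmp(ptr, "ipc-namespace") == 0) {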
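Review bot: The digits-only rejection in the `name ` branch prints no location, although `lineno` and `fname` are parameters of profile_check_line, so a user with several included profiles cannot tell which line was refused; something like `fprintf(stderr, "Error: line %d in %s: invalid sandbox name: it only contains digits\n", lineno, fname);` would fix that. The loop is also a verbatim copy of the one added to main.c, and a single shared helper would keep the command-line and profile rules from drifting apart, which matters because the rule exists to keep names from being mistaken for PIDs. profile_check_line starts and ends outside this hunk.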
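--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1330,6 +1330,7 @@ $ firejail \-\-net=eth0 \-\-mtu=1492
 \fB\-\-name=name
 Set sandbox name. Several options, such as \-\-join and \-\-shutdown, can use
 this name to identify a sandbox.
+The name cannot contain only digits, as that is treated as a PID in the other options, such as in \-\-join.
 
 In case the name supplied by the user is already in use by another sandbox, Firejail will assign a
 new name as "name-PID", where PID is the process ID of the sandbox. This functionality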