diff options
author | netblue30 <netblue30@yahoo.com> | 2017-02-04 16:01:49 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-02-04 16:01:49 -0500 |
commit | d580c3454f59d10d6e0d63280658a40cd575dffa (patch) | |
tree | 32041411c62af8b04b33bde0bddc2990db231305 | |
parent | --git-install (diff) | |
download | firejail-d580c3454f59d10d6e0d63280658a40cd575dffa.tar.gz firejail-d580c3454f59d10d6e0d63280658a40cd575dffa.tar.zst firejail-d580c3454f59d10d6e0d63280658a40cd575dffa.zip |
--git-install
-rw-r--r-- | src/firejail/git.c | 44 |
1 files changed, 16 insertions, 28 deletions
diff --git a/src/firejail/git.c b/src/firejail/git.c index aaae44de7..1cfbb1bf4 100644 --- a/src/firejail/git.c +++ b/src/firejail/git.c | |||
@@ -23,6 +23,7 @@ | |||
23 | #include <sys/mount.h> | 23 | #include <sys/mount.h> |
24 | 24 | ||
25 | // install a very simple mount namespace sandbox with a tmpfs on top of /tmp | 25 | // install a very simple mount namespace sandbox with a tmpfs on top of /tmp |
26 | // and drop privileges | ||
26 | static void sbox_ns(void) { | 27 | static void sbox_ns(void) { |
27 | if (unshare(CLONE_NEWNS) < 0) | 28 | if (unshare(CLONE_NEWNS) < 0) |
28 | errExit("unshare"); | 29 | errExit("unshare"); |
@@ -32,20 +33,11 @@ static void sbox_ns(void) { | |||
32 | errExit("mount"); | 33 | errExit("mount"); |
33 | } | 34 | } |
34 | 35 | ||
35 | // moount a tmpfs on top of /tmp | 36 | // mount a tmpfs on top of /tmp |
36 | if (mount(NULL, "/tmp", "tmpfs", 0, NULL) < 0) | 37 | if (mount(NULL, "/tmp", "tmpfs", 0, NULL) < 0) |
37 | errExit("mount"); | 38 | errExit("mount"); |
38 | } | ||
39 | |||
40 | 39 | ||
41 | void git_install() { | 40 | |
42 | // redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh" | ||
43 | EUID_ASSERT(); | ||
44 | EUID_ROOT(); | ||
45 | |||
46 | // install a mount namespace with a tmpfs on top of /tmp | ||
47 | sbox_ns(); | ||
48 | |||
49 | // drop privileges | 41 | // drop privileges |
50 | if (setgid(getgid()) < 0) | 42 | if (setgid(getgid()) < 0) |
51 | errExit("setgid/getgid"); | 43 | errExit("setgid/getgid"); |
@@ -59,15 +51,25 @@ void git_install() { | |||
59 | printf("/tmp directory: "); fflush(0); | 51 | printf("/tmp directory: "); fflush(0); |
60 | rv = system("ls -l /tmp"); | 52 | rv = system("ls -l /tmp"); |
61 | (void) rv; | 53 | (void) rv; |
54 | } | ||
55 | |||
62 | 56 | ||
57 | void git_install(void) { | ||
58 | // redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh" | ||
59 | EUID_ASSERT(); | ||
60 | EUID_ROOT(); | ||
61 | |||
62 | // install a mount namespace with a tmpfs on top of /tmp | ||
63 | sbox_ns(); | ||
64 | |||
63 | // run command | 65 | // run command |
64 | const char *cmd = LIBDIR "/firejail/fgit-install.sh"; | 66 | const char *cmd = LIBDIR "/firejail/fgit-install.sh"; |
65 | rv = system(cmd); | 67 | int rv = system(cmd); |
66 | (void) rv; | 68 | (void) rv; |
67 | exit(0); | 69 | exit(0); |
68 | } | 70 | } |
69 | 71 | ||
70 | void git_uninstall() { | 72 | void git_uninstall(void) { |
71 | // redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh" | 73 | // redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh" |
72 | EUID_ASSERT(); | 74 | EUID_ASSERT(); |
73 | EUID_ROOT(); | 75 | EUID_ROOT(); |
@@ -75,23 +77,9 @@ void git_uninstall() { | |||
75 | // install a mount namespace with a tmpfs on top of /tmp | 77 | // install a mount namespace with a tmpfs on top of /tmp |
76 | sbox_ns(); | 78 | sbox_ns(); |
77 | 79 | ||
78 | // drop privileges | ||
79 | if (setgid(getgid()) < 0) | ||
80 | errExit("setgid/getgid"); | ||
81 | if (setuid(getuid()) < 0) | ||
82 | errExit("setuid/getuid"); | ||
83 | assert(getenv("LD_PRELOAD") == NULL); | ||
84 | |||
85 | printf("Running as "); fflush(0); | ||
86 | int rv = system("whoami"); | ||
87 | (void) rv; | ||
88 | printf("/tmp directory: "); fflush(0); | ||
89 | rv = system("ls -l /tmp"); | ||
90 | (void) rv; | ||
91 | |||
92 | // run command | 80 | // run command |
93 | const char *cmd = LIBDIR "/firejail/fgit-uninstall.sh"; | 81 | const char *cmd = LIBDIR "/firejail/fgit-uninstall.sh"; |
94 | rv = system(cmd); | 82 | int rv = system(cmd); |
95 | (void) rv; | 83 | (void) rv; |
96 | exit(0); | 84 | exit(0); |
97 | } | 85 | } |