author | netblue30 <netblue30@yahoo.com> | 2016-06-02 13:39:20 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-06-02 13:39:20 -0400 |
commit | 28641d918e696b03f5c0c4deecac458986f35dec (patch) | |
tree | 1d0e1b0affd23022bbb5c7a5d2e1cc584445cfed | |
parent | fixed globbing dot files (diff) | |
lxc fixes
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 120 | ||||
-rw-r--r-- | src/firejail/no_sandbox.c | 13 |
3 files changed, 77 insertions, 57 deletions
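--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -483,6 +483,7 @@ void fs_check_etc_list(void);
 void fs_private_etc_list(void);
 
 // no_sandbox.c
+int check_namespace_virt(void);
 int check_kernel_procs(void);
 void run_no_sandbox(int argc, char **argv);
 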
diff --git a/src/firejail/main.c b/src/firejail/main.c index 607637802..0c843de9c 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -725,65 +725,71 @@ int main(int argc, char **argv) { | |||
725 | } | 725 | } |
726 | 726 | ||
727 | // check if we already have a sandbox running | 727 | // check if we already have a sandbox running |
728 | EUID_ROOT(); | 728 | // If LXC is detected, start firejail sandbox |
729 | int rv = check_kernel_procs(); | 729 | // otherwise try to detect a PID namespace by looking under /proc for specific kernel processes and: |
730 | EUID_USER(); | 730 | // - if --force flag is set, start firejail sandbox |
731 | if (rv == 0) { | 731 | // -- if --force flag is not set, start the application in a /bin/bash shell |
732 | // if --force option is passed to the program, disregard the existing sandbox | 732 | if (check_namespace_virt() == 0) { |
733 | int found = 0; | 733 | EUID_ROOT(); |
734 | for (i = 1; i < argc; i++) { | 734 | int rv = check_kernel_procs(); |
735 | if (strcmp(argv[i], "--force") == 0 || | 735 | EUID_USER(); |
736 | strcmp(argv[i], "--list") == 0 || | 736 | if (rv == 0) { |
737 | strcmp(argv[i], "--netstats") == 0 || | 737 | // if --force option is passed to the program, disregard the existing sandbox |
738 | strcmp(argv[i], "--tree") == 0 || | 738 | int found = 0; |
739 | strcmp(argv[i], "--top") == 0 || | 739 | for (i = 1; i < argc; i++) { |
740 | strncmp(argv[i], "--ls=", 5) == 0 || | 740 | if (strcmp(argv[i], "--force") == 0 || |
741 | strncmp(argv[i], "--get=", 6) == 0 || | 741 | strcmp(argv[i], "--list") == 0 || |
742 | strcmp(argv[i], "--debug-caps") == 0 || | 742 | strcmp(argv[i], "--netstats") == 0 || |
743 | strcmp(argv[i], "--debug-errnos") == 0 || | 743 | strcmp(argv[i], "--tree") == 0 || |
744 | strcmp(argv[i], "--debug-syscalls") == 0 || | 744 | strcmp(argv[i], "--top") == 0 || |
745 | strcmp(argv[i], "--debug-protocols") == 0 || | 745 | strncmp(argv[i], "--ls=", 5) == 0 || |
746 | strcmp(argv[i], "--help") == 0 || | 746 | strncmp(argv[i], "--get=", 6) == 0 || |
747 | strcmp(argv[i], "--version") == 0 || | 747 | strcmp(argv[i], "--debug-caps") == 0 || |
748 | strncmp(argv[i], "--dns.print=", 12) == 0 || | 748 | strcmp(argv[i], "--debug-errnos") == 0 || |
749 | strncmp(argv[i], "--bandwidth=", 12) == 0 || | 749 | strcmp(argv[i], "--debug-syscalls") == 0 || |
750 | strncmp(argv[i], "--caps.print=", 13) == 0 || | 750 | strcmp(argv[i], "--debug-protocols") == 0 || |
751 | strncmp(argv[i], "--cpu.print=", 12) == 0 || | 751 | strcmp(argv[i], "--help") == 0 || |
752 | //******************************************************************************** | 752 | strcmp(argv[i], "--version") == 0 || |
753 | // todo: fix the following problems | 753 | strncmp(argv[i], "--dns.print=", 12) == 0 || |
754 | strncmp(argv[i], "--join=", 7) == 0 || | 754 | strncmp(argv[i], "--bandwidth=", 12) == 0 || |
755 | //[netblue@debian Downloads]$ firejail --join=896 | 755 | strncmp(argv[i], "--caps.print=", 13) == 0 || |
756 | //Switching to pid 897, the first child process inside the sandbox | 756 | strncmp(argv[i], "--cpu.print=", 12) == 0 || |
757 | //Error: seccomp file not found | 757 | //******************************************************************************** |
758 | //******************************************************************************** | 758 | // todo: fix the following problems |
759 | 759 | strncmp(argv[i], "--join=", 7) == 0 || | |
760 | strncmp(argv[i], "--join-filesystem=", 18) == 0 || | 760 | //[netblue@debian Downloads]$ firejail --join=896 |
761 | strncmp(argv[i], "--join-network=", 15) == 0 || | 761 | //Switching to pid 897, the first child process inside the sandbox |
762 | strncmp(argv[i], "--fs.print=", 11) == 0 || | 762 | //Error: seccomp file not found |
763 | strncmp(argv[i], "--protocol.print=", 17) == 0 || | 763 | //******************************************************************************** |
764 | strncmp(argv[i], "--seccomp.print", 15) == 0 || | 764 | |
765 | strncmp(argv[i], "--shutdown=", 11) == 0) { | 765 | strncmp(argv[i], "--join-filesystem=", 18) == 0 || |
766 | found = 1; | 766 | strncmp(argv[i], "--join-network=", 15) == 0 || |
767 | break; | 767 | strncmp(argv[i], "--fs.print=", 11) == 0 || |
768 | } | 768 | strncmp(argv[i], "--protocol.print=", 17) == 0 || |
769 | 769 | strncmp(argv[i], "--seccomp.print", 15) == 0 || | |
770 | // detect end of firejail params | 770 | strncmp(argv[i], "--shutdown=", 11) == 0) { |
771 | if (strcmp(argv[i], "--") == 0) | 771 | found = 1; |
772 | break; | 772 | break; |
773 | if (strncmp(argv[i], "--", 2) != 0) | 773 | } |
774 | break; | 774 | |
775 | } | 775 | // detect end of firejail params |
776 | 776 | if (strcmp(argv[i], "--") == 0) | |
777 | if (found == 0) { | 777 | break; |
778 | // start the program directly without sandboxing | 778 | if (strncmp(argv[i], "--", 2) != 0) |
779 | run_no_sandbox(argc, argv); | 779 | break; |
780 | // it will never get here! | 780 | } |
781 | assert(0); | 781 | |
782 | if (found == 0) { | ||
783 | // start the program directly without sandboxing | ||
784 | run_no_sandbox(argc, argv); | ||
785 | // it will never get here! | ||
786 | assert(0); | ||
787 | } | ||
788 | else | ||
789 | option_force = 1; | ||
782 | } | 790 | } |
783 | else | ||
784 | option_force = 1; | ||
785 | } | 791 | } |
786 | 792 | ||
787 | // check root/suid | 793 | // check root/suid |
788 | EUID_ROOT(); | 794 | EUID_ROOT(); |
789 | if (geteuid()) { | 795 | if (geteuid()) { |
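Review bot: The new comment block at lines 728-731 says "If LXC is detected", but check_namespace_virt() as added in no_sandbox.c also returns 1 for docker, lxc-libvirt, systemd-nspawn and rkt, and the bullets mix `-` and `--` prefixes; I would write `// If a container runtime (lxc, docker, lxc-libvirt, systemd-nspawn, rkt) is detected, start the firejail sandbox;` followed by `// otherwise look under /proc for kernel processes to detect a PID namespace and, if one is found, honour --force (sandbox) or start the program directly without sandboxing`. In the container branch both the kernel-process check and the argv scan are skipped, so option_force stays 0 even though a sandbox is being started inside an existing namespace; if later code keys off option_force for that situation this is a behaviour change the comment should state, though those uses are not visible here. The comment also promises a "/bin/bash shell", whereas the code on the no-force path calls run_no_sandbox(), so the wording should follow the call rather than guess at what it does. main() starts before the hunk and continues after it.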
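--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -23,6 +23,19 @@
 #include <unistd.h>
 #include <grp.h>
 
+// returns 1 if we are running under LXC
+int check_namespace_virt(void) {
+char *container = getenv("container");
+if (container &&
+(strcmp(container, "lxc") == 0 ||
+strcmp(container, "docker") == 0 ||
+strcmp(container, "lxc-libvirt") == 0 ||
+strcmp(container, "systemd-nspawn") == 0 ||
+strcmp(container, "rkt") == 0))
+return 1;
+return 0;
+}
+
 // check process space for kernel processes
 // return 1 if found, 0 if not found
 int check_kernel_procs(void) {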
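Review bot: The header comment on check_namespace_virt() says it returns 1 only under LXC, but the body also accepts docker, lxc-libvirt, systemd-nspawn and rkt, so the comment understates what callers get; I would replace it with `// returns 1 if the "container" environment variable names a known container runtime (lxc, docker, lxc-libvirt, systemd-nspawn, rkt), 0 otherwise`. The value comes from getenv(), i.e. from the environment of whoever invoked firejail, so it is a caller-supplied hint rather than a property of the kernel or of /proc; that is worth stating in the comment because main.c uses this result to decide whether the /proc kernel-process check runs at all, and an unset or stripped variable will silently fall back to that check. Whether <stdlib.h> and <string.h> are already included for getenv() and strcmp() is outside the hunk.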