author | netblue30 <netblue30@yahoo.com> | 2016-11-11 12:00:57 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-11-11 12:00:57 -0500 |
commit | cffa48d80ca5f93bb1e97fbfc96364e45166a399 (patch) | |
tree | 5a4d9610ad78dcb8e02d8d4097959ea5f7ac3bd7 | |
parent | hidepid part 3 (diff) | |
download | firejail-cffa48d80ca5f93bb1e97fbfc96364e45166a399.tar.gz firejail-cffa48d80ca5f93bb1e97fbfc96364e45166a399.tar.zst firejail-cffa48d80ca5f93bb1e97fbfc96364e45166a399.zip |
hidepid part 4
-rw-r--r-- | src/firejail/main.c | 32 | ||||
-rw-r--r-- | src/firemon/firemon.c | 73 | ||||
-rw-r--r-- | src/firemon/firemon.h | 2 | ||||
-rw-r--r-- | src/firemon/tree.c | 4 | ||||
-rw-r--r-- | src/include/common.h | 1 | ||||
-rw-r--r-- | src/lib/common.c | 21 | ||||
-rw-r--r-- | src/lib/pid.c | 1 |
7 files changed, 89 insertions, 45 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c index 3c061e607..65569ae5f 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -494,25 +494,39 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
494 | exit(0); | 494 | exit(0); |
495 | } | 495 | } |
496 | else if (strcmp(argv[i], "--list") == 0) { | 496 | else if (strcmp(argv[i], "--list") == 0) { |
497 | int rv = sbox_run(SBOX_ROOT| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list"); | 497 | if (pid_hidepid()) |
498 | exit(rv); | 498 | sbox_run(SBOX_ROOT| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list"); |
499 | else | ||
500 | sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list"); | ||
501 | exit(0); | ||
499 | } | 502 | } |
500 | else if (strcmp(argv[i], "--tree") == 0) { | 503 | else if (strcmp(argv[i], "--tree") == 0) { |
501 | int rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree"); | 504 | if (pid_hidepid()) |
502 | exit(rv); | 505 | sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree"); |
506 | else | ||
507 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree"); | ||
508 | exit(0); | ||
503 | } | 509 | } |
504 | else if (strcmp(argv[i], "--top") == 0) { | 510 | else if (strcmp(argv[i], "--top") == 0) { |
505 | int rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, | 511 | if (pid_hidepid()) |
506 | 2, PATH_FIREMON, "--top"); | 512 | sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, |
507 | exit(rv); | 513 | 2, PATH_FIREMON, "--top"); |
514 | else | ||
515 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, | ||
516 | 2, PATH_FIREMON, "--top"); | ||
517 | exit(0); | ||
508 | } | 518 | } |
509 | #ifdef HAVE_NETWORK | 519 | #ifdef HAVE_NETWORK |
510 | else if (strcmp(argv[i], "--netstats") == 0) { | 520 | else if (strcmp(argv[i], "--netstats") == 0) { |
511 | if (checkcfg(CFG_NETWORK)) { | 521 | if (checkcfg(CFG_NETWORK)) { |
512 | struct stat s; | 522 | struct stat s; |
513 | int rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, | 523 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0 || pid_hidepid()) |
524 | sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, | ||
514 | 2, PATH_FIREMON, "--netstats"); | 525 | 2, PATH_FIREMON, "--netstats"); |
515 | exit(rv); | 526 | else |
527 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, | ||
528 | 2, PATH_FIREMON, "--netstats"); | ||
529 | exit(0); | ||
516 | } | 530 | } |
517 | else { | 531 | else { |
518 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | 532 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); |
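Review bot: The new --list, --tree, --top and --netstats branches (new lines 497-529) discard the status returned by sbox_run() and always exit(0), whereas the replaced lines exited with rv; a firemon child that fails now reports success to the calling shell. Keep the status, e.g. for --list `int rv = pid_hidepid() ? sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list") : sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");` followed by `exit(rv);`, and the same shape in the other three branches. Note also that pid_hidepid(), as added in src/lib/common.c in this commit, returns 1 when /proc/mounts cannot be opened, so that failure case selects the SBOX_ROOT variant of firemon rather than the SBOX_USER one; a short comment such as `// hidepid (or unreadable /proc/mounts): firemon needs root to see other users' processes` would record that this is intended. run_cmd_and_exit() begins before this hunk.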
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c index 950311c00..1ec64bea8 100644 --- a/src/firemon/firemon.c +++ b/src/firemon/firemon.c | |||
@@ -35,6 +35,9 @@ static int arg_caps = 0; | |||
35 | static int arg_cpu = 0; | 35 | static int arg_cpu = 0; |
36 | static int arg_cgroup = 0; | 36 | static int arg_cgroup = 0; |
37 | static int arg_x11 = 0; | 37 | static int arg_x11 = 0; |
38 | static int arg_top = 0; | ||
39 | static int arg_list = 0; | ||
40 | static int arg_netstats = 0; | ||
38 | int arg_nowrap = 0; | 41 | int arg_nowrap = 0; |
39 | 42 | ||
40 | static struct termios tlocal; // startup terminal setting | 43 | static struct termios tlocal; // startup terminal setting |
@@ -118,53 +121,39 @@ int main(int argc, char **argv) { | |||
118 | } | 121 | } |
119 | 122 | ||
120 | // options without a pid argument | 123 | // options without a pid argument |
121 | else if (strcmp(argv[i], "--top") == 0) { | 124 | else if (strcmp(argv[i], "--top") == 0) |
122 | top(); // never to return | 125 | arg_top = 1; |
123 | } | 126 | else if (strcmp(argv[i], "--list") == 0) |
124 | else if (strcmp(argv[i], "--list") == 0) { | 127 | arg_list = 1; |
125 | list(); | 128 | else if (strcmp(argv[i], "--tree") == 0) |
126 | return 0; | 129 | arg_tree = 1; |
127 | } | ||
128 | else if (strcmp(argv[i], "--netstats") == 0) { | 130 | else if (strcmp(argv[i], "--netstats") == 0) { |
129 | struct stat s; | 131 | struct stat s; |
130 | if (getuid() != 0 && stat("/proc/sys/kernel/grsecurity", &s) == 0) { | 132 | if (getuid() != 0 && stat("/proc/sys/kernel/grsecurity", &s) == 0) { |
131 | fprintf(stderr, "Error: this feature is not available on Grsecurity systems\n"); | 133 | fprintf(stderr, "Error: this feature is not available on Grsecurity systems\n"); |
132 | exit(1); | 134 | exit(1); |
133 | } | 135 | } |
134 | 136 | arg_netstats = 1; | |
135 | netstats(); | ||
136 | return 0; | ||
137 | } | 137 | } |
138 | 138 | ||
139 | 139 | ||
140 | // cumulative options with or without a pid argument | 140 | // cumulative options with or without a pid argument |
141 | else if (strcmp(argv[i], "--x11") == 0) { | 141 | else if (strcmp(argv[i], "--x11") == 0) |
142 | arg_x11 = 1; | 142 | arg_x11 = 1; |
143 | } | 143 | else if (strcmp(argv[i], "--cgroup") == 0) |
144 | else if (strcmp(argv[i], "--cgroup") == 0) { | ||
145 | arg_cgroup = 1; | 144 | arg_cgroup = 1; |
146 | } | 145 | else if (strcmp(argv[i], "--cpu") == 0) |
147 | else if (strcmp(argv[i], "--cpu") == 0) { | ||
148 | arg_cpu = 1; | 146 | arg_cpu = 1; |
149 | } | 147 | else if (strcmp(argv[i], "--seccomp") == 0) |
150 | else if (strcmp(argv[i], "--seccomp") == 0) { | ||
151 | arg_seccomp = 1; | 148 | arg_seccomp = 1; |
152 | } | 149 | else if (strcmp(argv[i], "--caps") == 0) |
153 | else if (strcmp(argv[i], "--caps") == 0) { | ||
154 | arg_caps = 1; | 150 | arg_caps = 1; |
155 | } | 151 | else if (strcmp(argv[i], "--interface") == 0) |
156 | else if (strcmp(argv[i], "--tree") == 0) { | ||
157 | arg_tree = 1; | ||
158 | } | ||
159 | else if (strcmp(argv[i], "--interface") == 0) { | ||
160 | arg_interface = 1; | 152 | arg_interface = 1; |
161 | } | 153 | else if (strcmp(argv[i], "--route") == 0) |
162 | else if (strcmp(argv[i], "--route") == 0) { | ||
163 | arg_route = 1; | 154 | arg_route = 1; |
164 | } | 155 | else if (strcmp(argv[i], "--arp") == 0) |
165 | else if (strcmp(argv[i], "--arp") == 0) { | ||
166 | arg_arp = 1; | 156 | arg_arp = 1; |
167 | } | ||
168 | 157 | ||
169 | else if (strncmp(argv[i], "--name=", 7) == 0) { | 158 | else if (strncmp(argv[i], "--name=", 7) == 0) { |
170 | char *name = argv[i] + 7; | 159 | char *name = argv[i] + 7; |
@@ -201,8 +190,28 @@ int main(int argc, char **argv) { | |||
201 | } | 190 | } |
202 | } | 191 | } |
203 | 192 | ||
204 | if (arg_tree) | 193 | // allow only root user if /proc is mounted hidepid |
205 | tree((pid_t) pid); | 194 | if (pid_hidepid() && getuid() != 0) { |
195 | fprintf(stderr, "Error: /proc is mounted hidepid, you would need to be root to run this command\n"); | ||
196 | exit(1); | ||
197 | } | ||
198 | |||
199 | if (arg_top) | ||
200 | top(); // never to return | ||
201 | if (arg_tree) { | ||
202 | tree(); | ||
203 | return 0; | ||
204 | } | ||
205 | if (arg_list) { | ||
206 | list(); | ||
207 | return 0; | ||
208 | } | ||
209 | if (arg_netstats) { | ||
210 | netstats(); | ||
211 | return 0; | ||
212 | } | ||
213 | |||
214 | // cumulative options | ||
206 | if (arg_interface) | 215 | if (arg_interface) |
207 | interface((pid_t) pid); | 216 | interface((pid_t) pid); |
208 | if (arg_route) | 217 | if (arg_route) |
@@ -220,7 +229,7 @@ int main(int argc, char **argv) { | |||
220 | if (arg_x11) | 229 | if (arg_x11) |
221 | x11((pid_t) pid); | 230 | x11((pid_t) pid); |
222 | 231 | ||
223 | if (!arg_route && !arg_arp && !arg_interface && !arg_tree && !arg_caps && !arg_seccomp && !arg_x11) | 232 | if (!arg_interface && !arg_route && !arg_arp && !arg_seccomp && !arg_caps && !arg_cgroup && !arg_x11) |
224 | procevent((pid_t) pid); // never to return | 233 | procevent((pid_t) pid); // never to return |
225 | 234 | ||
226 | return 0; | 235 | return 0; |
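Review bot: The refusal added at new lines 194-197 tells the user that /proc is mounted hidepid, but pid_hidepid() (src/lib/common.c in this commit) also returns 1 when /proc/mounts merely cannot be opened, so the diagnostic can be wrong in that case; `"Error: /proc is mounted hidepid (or /proc/mounts is unreadable), you would need to be root to run this command\n"` would be accurate for both. The four single-purpose commands that used to return from inside the parse loop now run after the whole command line has been parsed and after the hidepid gate, so a --list or --tree paired with other options behaves differently than before; that looks intended, and a comment above `if (arg_top)` such as `// single-purpose commands run first and do not return here` would make the dispatch order explicit. main() begins before the first hunk of this file.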
diff --git a/src/firemon/firemon.h b/src/firemon/firemon.h index a873430a3..c5607a792 100644 --- a/src/firemon/firemon.h +++ b/src/firemon/firemon.h | |||
@@ -75,7 +75,7 @@ void cpu(pid_t pid); | |||
75 | void cgroup(pid_t pid); | 75 | void cgroup(pid_t pid); |
76 | 76 | ||
77 | // tree.c | 77 | // tree.c |
78 | void tree(pid_t pid); | 78 | void tree(void); |
79 | 79 | ||
80 | // netstats.c | 80 | // netstats.c |
81 | void netstats(void); | 81 | void netstats(void); |
diff --git a/src/firemon/tree.c b/src/firemon/tree.c index a4b92a11f..f6d22b517 100644 --- a/src/firemon/tree.c +++ b/src/firemon/tree.c | |||
@@ -19,8 +19,8 @@ | |||
19 | */ | 19 | */ |
20 | #include "firemon.h" | 20 | #include "firemon.h" |
21 | 21 | ||
22 | void tree(pid_t pid) { | 22 | void tree(void) { |
23 | pid_read(pid); // include all processes | 23 | pid_read(0); // include all processes |
24 | 24 | ||
25 | // print processes | 25 | // print processes |
26 | int i; | 26 | int i; |
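Review bot: tree() now calls pid_read(0) with the comment `// include all processes`, which implies that 0 is treated by pid_read() as "no pid filter"; pid_read() is not part of this diff, so that reading is unconfirmed. If it is correct, say so where the magic value is used: `pid_read(0); // pid 0: no filter, read every process`. tree() continues past the end of this hunk.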
diff --git a/src/include/common.h b/src/include/common.h index f7c8ea725..108820290 100644 --- a/src/include/common.h +++ b/src/include/common.h | |||
@@ -114,4 +114,5 @@ int name2pid(const char *name, pid_t *pid); | |||
114 | char *pid_proc_comm(const pid_t pid); | 114 | char *pid_proc_comm(const pid_t pid); |
115 | char *pid_proc_cmdline(const pid_t pid); | 115 | char *pid_proc_cmdline(const pid_t pid); |
116 | int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid); | 116 | int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid); |
117 | int pid_hidepid(void); | ||
117 | #endif | 118 | #endif |
diff --git a/src/lib/common.c b/src/lib/common.c index fc4c167ba..ea0ab781a 100644 --- a/src/lib/common.c +++ b/src/lib/common.c | |||
@@ -260,5 +260,26 @@ int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid) { | |||
260 | return 0; | 260 | return 0; |
261 | } | 261 | } |
262 | 262 | ||
263 | // return 1 if /proc is mounted hidepid, or if /proc/mouns access is denied | ||
264 | #define BUFLEN 4096 | ||
265 | int pid_hidepid(void) { | ||
266 | FILE *fp = fopen("/proc/mounts", "r"); | ||
267 | if (!fp) | ||
268 | return 1; | ||
269 | |||
270 | char buf[BUFLEN]; | ||
271 | while (fgets(buf, BUFLEN, fp)) { | ||
272 | if (strstr(buf, "proc /proc proc")) { | ||
273 | fclose(fp); | ||
274 | // check hidepid | ||
275 | if (strstr(buf, "hidepid=2") || strstr(buf, "hidepid=1")) | ||
276 | return 1; | ||
277 | return 0; | ||
278 | } | ||
279 | } | ||
280 | |||
281 | return 0; | ||
282 | } | ||
283 | |||
263 | 284 | ||
264 | 285 | ||
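Review bot: pid_hidepid() decides between running firemon as SBOX_ROOT or SBOX_USER, yet it recognises the /proc mount only when the line contains the exact substring "proc /proc proc", i.e. when the source field of the mount entry is literally "proc"; an entry whose source is written differently (the first field of /proc/mounts is whatever the mounter supplied) is silently skipped and the function reports "not hidepid". It also returns at the first matching line, although when /proc has been mounted more than once the later entry is the effective one, and a line longer than BUFLEN is read in pieces, so "hidepid=" can be split across two fgets() calls. Parsing the entry by field (target and fstype) and letting the last /proc entry win avoids the first two issues; the comment on new line 263 also misspells the path (`/proc/mouns` should read `/proc/mounts`).
```c
int pid_hidepid(void) {
	FILE *fp = fopen("/proc/mounts", "r");
	if (!fp)
		return 1;

	int rv = 0;
	char buf[BUFLEN];
	while (fgets(buf, BUFLEN, fp)) {
		// /proc/mounts fields: source target fstype options ...
		char *saveptr;
		char *src = strtok_r(buf, " ", &saveptr);
		char *target = strtok_r(NULL, " ", &saveptr);
		char *fstype = strtok_r(NULL, " ", &saveptr);
		char *opts = strtok_r(NULL, " ", &saveptr);
		if (!src || !target || !fstype || !opts)
			continue;
		if (strcmp(target, "/proc") != 0 || strcmp(fstype, "proc") != 0)
			continue;
		// keep evaluating: a later mount over /proc supersedes an earlier one
		rv = (strstr(opts, "hidepid=2") || strstr(opts, "hidepid=1")) ? 1 : 0;
	}
	fclose(fp);
	return rv;
}
```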
diff --git a/src/lib/pid.c b/src/lib/pid.c index ef1a428fb..ed583c51d 100644 --- a/src/lib/pid.c +++ b/src/lib/pid.c | |||
@@ -29,7 +29,6 @@ | |||
29 | //Process pids[max_pids]; | 29 | //Process pids[max_pids]; |
30 | Process *pids = NULL; | 30 | Process *pids = NULL; |
31 | int max_pids=32769; | 31 | int max_pids=32769; |
32 | #define PIDS_BUFLEN 4096 | ||
33 | 32 | ||
34 | // get the memory associated with this pid | 33 | // get the memory associated with this pid |
35 | void pid_getmem(unsigned pid, unsigned *rss, unsigned *shared) { | 34 | void pid_getmem(unsigned pid, unsigned *rss, unsigned *shared) { |