diff options
author | netblue30 <netblue30@yahoo.com> | 2016-03-09 09:51:47 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-03-09 09:51:47 -0500 |
commit | dc3564b18f1eafde1ccf46e722f8c2a9c1ee8555 (patch) | |
tree | 6178c2c6fc5912a63f5d54b1e3562d7049270418 | |
parent | fs work (diff) | |
download | firejail-dc3564b18f1eafde1ccf46e722f8c2a9c1ee8555.tar.gz firejail-dc3564b18f1eafde1ccf46e722f8c2a9c1ee8555.tar.zst firejail-dc3564b18f1eafde1ccf46e722f8c2a9c1ee8555.zip |
fixes
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs_dev.c | 14 | ||||
-rw-r--r-- | src/firejail/ls.c | 6 | ||||
-rw-r--r-- | src/firejail/main.c | 11 | ||||
-rw-r--r-- | src/firejail/util.c | 10 | ||||
-rwxr-xr-x | test/test.sh | 3 | ||||
-rwxr-xr-x | test/tty.exp | 97 |
7 files changed, 139 insertions, 3 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index b526b5e00..9c4dcc9a6 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -369,6 +369,7 @@ char *expand_home(const char *path, const char* homedir); | |||
369 | const char *gnu_basename(const char *path); | 369 | const char *gnu_basename(const char *path); |
370 | uid_t pid_get_uid(pid_t pid); | 370 | uid_t pid_get_uid(pid_t pid); |
371 | void invalid_filename(const char *fname); | 371 | void invalid_filename(const char *fname); |
372 | uid_t get_tty_gid(void); | ||
372 | 373 | ||
373 | // fs_var.c | 374 | // fs_var.c |
374 | void fs_var_log(void); // mounting /var/log | 375 | void fs_var_log(void); // mounting /var/log |
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index 5c645b8da..2fd450391 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c | |||
@@ -178,9 +178,21 @@ void fs_private_dev(void){ | |||
178 | create_char_dev("/dev/pts/ptmx", 0666, 5, 2); //"mknod -m 666 /dev/pts/ptmx c 5 2"); | 178 | create_char_dev("/dev/pts/ptmx", 0666, 5, 2); //"mknod -m 666 /dev/pts/ptmx c 5 2"); |
179 | fs_logger("mknod /dev/pts/ptmx"); | 179 | fs_logger("mknod /dev/pts/ptmx"); |
180 | create_link("/dev/pts/ptmx", "/dev/ptmx"); | 180 | create_link("/dev/pts/ptmx", "/dev/ptmx"); |
181 | |||
182 | // code before github issue #351 | ||
181 | // mount -vt devpts -o newinstance -o ptmxmode=0666 devpts //dev/pts | 183 | // mount -vt devpts -o newinstance -o ptmxmode=0666 devpts //dev/pts |
182 | if (mount("devpts", "/dev/pts", "devpts", MS_MGC_VAL, "newinstance,ptmxmode=0666") < 0) | 184 | // if (mount("devpts", "/dev/pts", "devpts", MS_MGC_VAL, "newinstance,ptmxmode=0666") < 0) |
185 | // errExit("mounting /dev/pts"); | ||
186 | |||
187 | |||
188 | // mount /dev/pts | ||
189 | gid_t ttygid = get_tty_gid(); | ||
190 | char *data; | ||
191 | if (asprintf(&data, "newinstance,gid=%d,mode=620,ptmxmode=0666", (int) ttygid) == -1) | ||
192 | errExit("asprintf"); | ||
193 | if (mount("devpts", "/dev/pts", "devpts", MS_MGC_VAL, data) < 0) | ||
183 | errExit("mounting /dev/pts"); | 194 | errExit("mounting /dev/pts"); |
195 | free(data); | ||
184 | fs_logger("clone /dev/pts"); | 196 | fs_logger("clone /dev/pts"); |
185 | 197 | ||
186 | #if 0 | 198 | #if 0 |
diff --git a/src/firejail/ls.c b/src/firejail/ls.c index b814af445..90ef43a62 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c | |||
@@ -255,6 +255,12 @@ void ls(pid_t pid, const char *path) { | |||
255 | exit(1); | 255 | exit(1); |
256 | } | 256 | } |
257 | 257 | ||
258 | // access chek is performed with the real UID | ||
259 | if (access(fname, R_OK) == -1) { | ||
260 | fprintf(stderr, "Error: Cannot access file %s\n", fname); | ||
261 | exit(1); | ||
262 | } | ||
263 | |||
258 | // list directory contents | 264 | // list directory contents |
259 | struct stat s; | 265 | struct stat s; |
260 | if (stat(fname, &s) == -1) { | 266 | if (stat(fname, &s) == -1) { |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 68606a313..e2f197a92 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1746,8 +1746,15 @@ int main(int argc, char **argv) { | |||
1746 | if (asprintf(&map_path, "/proc/%d/gid_map", child) == -1) | 1746 | if (asprintf(&map_path, "/proc/%d/gid_map", child) == -1) |
1747 | errExit("asprintf"); | 1747 | errExit("asprintf"); |
1748 | gid_t gid = getgid(); | 1748 | gid_t gid = getgid(); |
1749 | if (asprintf(&map, "%d %d 1", gid, gid) == -1) | 1749 | gid_t ttygid = get_tty_gid(); |
1750 | errExit("asprintf"); | 1750 | if (ttygid == 0) { |
1751 | if (asprintf(&map, "%d %d 1", gid, gid) == -1) | ||
1752 | errExit("asprintf"); | ||
1753 | } | ||
1754 | else { | ||
1755 | if (asprintf(&map, "%d %d 1\n%d %d 1", gid, gid, ttygid, ttygid) == -1) | ||
1756 | errExit("asprintf"); | ||
1757 | } | ||
1751 | EUID_ROOT(); | 1758 | EUID_ROOT(); |
1752 | update_map(map, map_path); | 1759 | update_map(map, map_path); |
1753 | EUID_USER(); | 1760 | EUID_USER(); |
diff --git a/src/firejail/util.c b/src/firejail/util.c index 3463095f9..c62f4285c 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -629,3 +629,13 @@ void invalid_filename(const char *fname) { | |||
629 | exit(1); | 629 | exit(1); |
630 | } | 630 | } |
631 | } | 631 | } |
632 | |||
633 | uid_t get_tty_gid(void) { | ||
634 | // find tty group id | ||
635 | gid_t ttygid = 0; | ||
636 | struct group *g = getgrnam("tty"); | ||
637 | if (g) | ||
638 | ttygid = g->gr_gid; | ||
639 | |||
640 | return ttygid; | ||
641 | } | ||
diff --git a/test/test.sh b/test/test.sh index d7e9e2aed..0ef816717 100755 --- a/test/test.sh +++ b/test/test.sh | |||
@@ -9,6 +9,9 @@ | |||
9 | echo "TESTING: nice (nice.exp)" | 9 | echo "TESTING: nice (nice.exp)" |
10 | ./nice.exp | 10 | ./nice.exp |
11 | 11 | ||
12 | echo "TESTING: tty (tty.exp)" | ||
13 | ./tty.exp | ||
14 | |||
12 | echo "TESTING: protocol (protocol.exp)" | 15 | echo "TESTING: protocol (protocol.exp)" |
13 | ./protocol.exp | 16 | ./protocol.exp |
14 | 17 | ||
diff --git a/test/tty.exp b/test/tty.exp new file mode 100755 index 000000000..116f297b2 --- /dev/null +++ b/test/tty.exp | |||
@@ -0,0 +1,97 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | |||
3 | set timeout 10 | ||
4 | spawn $env(SHELL) | ||
5 | match_max 100000 | ||
6 | |||
7 | send -- "firejail\r" | ||
8 | expect { | ||
9 | timeout {puts "TESTING ERROR 0\n";exit} | ||
10 | "Child process initialized" | ||
11 | } | ||
12 | sleep 2 | ||
13 | send -- "xterm &\r" | ||
14 | sleep 2 | ||
15 | send -- "urxvt &\r" | ||
16 | sleep 2 | ||
17 | send -- "rxvt &\r" | ||
18 | sleep 2 | ||
19 | |||
20 | send -- "ps aux\r" | ||
21 | expect { | ||
22 | timeout {puts "TESTING ERROR 1\n";exit} | ||
23 | "USER" | ||
24 | } | ||
25 | expect { | ||
26 | timeout {puts "TESTING ERROR 2\n";exit} | ||
27 | "xterm" | ||
28 | } | ||
29 | expect { | ||
30 | timeout {puts "TESTING ERROR 3\n";exit} | ||
31 | "urxvt" | ||
32 | } | ||
33 | expect { | ||
34 | timeout {puts "TESTING ERROR 4\n";exit} | ||
35 | "rxvt" | ||
36 | } | ||
37 | expect { | ||
38 | timeout {puts "TESTING ERROR 5\n";exit} | ||
39 | "ps aux" | ||
40 | } | ||
41 | |||
42 | send -- "pkill xterm\r" | ||
43 | sleep 1 | ||
44 | send -- "pkill urxvt\r" | ||
45 | sleep 1 | ||
46 | send -- "pkill rxvt\r" | ||
47 | sleep 1 | ||
48 | send -- "exit\r" | ||
49 | sleep 2 | ||
50 | |||
51 | |||
52 | send -- "firejail --private-dev\r" | ||
53 | expect { | ||
54 | timeout {puts "TESTING ERROR 10\n";exit} | ||
55 | "Child process initialized" | ||
56 | } | ||
57 | sleep 2 | ||
58 | send -- "xterm &\r" | ||
59 | sleep 2 | ||
60 | send -- "urxvt &\r" | ||
61 | sleep 2 | ||
62 | send -- "rxvt &\r" | ||
63 | sleep 2 | ||
64 | |||
65 | send -- "ps aux\r" | ||
66 | expect { | ||
67 | timeout {puts "TESTING ERROR 11\n";exit} | ||
68 | "USER" | ||
69 | } | ||
70 | expect { | ||
71 | timeout {puts "TESTING ERROR 12\n";exit} | ||
72 | "xterm" | ||
73 | } | ||
74 | expect { | ||
75 | timeout {puts "TESTING ERROR 13\n";exit} | ||
76 | "urxvt" | ||
77 | } | ||
78 | expect { | ||
79 | timeout {puts "TESTING ERROR 14\n";exit} | ||
80 | "rxvt" | ||
81 | } | ||
82 | expect { | ||
83 | timeout {puts "TESTING ERROR 15\n";exit} | ||
84 | "ps aux" | ||
85 | } | ||
86 | |||
87 | send -- "pkill xterm\r" | ||
88 | sleep 1 | ||
89 | send -- "pkill urxvt\r" | ||
90 | sleep 1 | ||
91 | send -- "pkill rxvt\r" | ||
92 | sleep 1 | ||
93 | send -- "exit\r" | ||
94 | sleep 2 | ||
95 | |||
96 | puts "\n" | ||
97 | |||