authorLibravatar smitsohu <smitsohu@gmail.com>2018-09-06 19:40:11 +0200
committerLibravatar smitsohu <smitsohu@gmail.com>2018-09-06 19:40:11 +0200
commit2cbffc072197b72ac234b969d77ab9c1def41f1d (patch)
tree97294f67c7c195527d56ecb42f3b76fdf6469344
parentcleanup (diff)
disallow overriding of global rlimits, tiny improvements
-rw-r--r--src/firejail/join.c3
-rw-r--r--src/firejail/macros.c1
-rw-r--r--src/firejail/rlimit.c31
-rw-r--r--src/firejail/sandbox.c8
-rw-r--r--src/firejail/util.c4
5 files changed, 39 insertions, 8 deletions
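--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -383,6 +383,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
 caps_set(caps);
 }
 
+EUID_USER();
 // set nice
 if (arg_nice) {
 errno = 0;
@@ -395,8 +396,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
 }
 
 // set environment, add x11 display
-EUID_USER();
-
 env_defaults();
 if (display) {
 char *display_str;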
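Review bot: Moving EUID_USER() ahead of the nice block means setpriority() now runs with the caller's effective uid rather than firejail's setuid root, so a negative --nice value from an unprivileged user should be refused by the kernel with EPERM instead of being applied with elevated privileges; that is the right direction, but the error path after `errno = 0;` lies outside the hunk, so I cannot confirm the refusal is reported rather than silently ignored. Nothing on the moved line records why it has to precede nice and env handling, which invites someone to move it back; I would write `EUID_USER(); // drop root before nice/env: the kernel, not firejail, decides what the user may set`. join() starts before the first hunk and continues after the second.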
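--- a/src/firejail/macros.c
+++ b/src/firejail/macros.c
@@ -92,6 +92,7 @@ int is_macro(const char *name) {
 
 // returns mallocated memory
 static char *resolve_xdg(const char *var) {
+EUID_ASSERT();
 char *fname;
 struct stat s;
 size_t length = strlen(var);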
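Review bot: The new EUID_ASSERT() at the top of resolve_xdg() does not say what it protects, and the function's body (including whatever `struct stat s` is used for) is outside the hunk. Presumably the function stats a path derived from the XDG variable inside the user's home, which is exactly where a setuid-root process must not follow user-controlled symlinks; a comment would stop the next editor from "fixing" a tripped assert by wrapping the call in EUID_ROOT(): `EUID_ASSERT(); // paths below come from user-writable $HOME: stat them as the user, never as root`. If EUID_ASSERT is a plain assert() it is compiled out under NDEBUG, so the comment carries the contract in release builds.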
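--- a/src/firejail/rlimit.c
+++ b/src/firejail/rlimit.c
@@ -22,9 +22,15 @@
 #include <sys/resource.h>
 
 void set_rlimits(void) {
+EUID_ASSERT();
 // resource limits
 struct rlimit rl;
 if (arg_rlimit_cpu) {
+if (getrlimit(RLIMIT_CPU, &rl) == -1)
+errExit("getrlimit");
+if (cfg.rlimit_cpu > rl.rlim_max && getuid() != 0)
+cfg.rlimit_cpu = rl.rlim_max;
+// set the new limit
 rl.rlim_cur = (rlim_t) cfg.rlimit_cpu;
 rl.rlim_max = (rlim_t) cfg.rlimit_cpu;
 #ifdef HAVE_GCOV
@@ -37,6 +43,11 @@ void set_rlimits(void) {
 }
 
 if (arg_rlimit_nofile) {
+if (getrlimit(RLIMIT_NOFILE, &rl) == -1)
+errExit("getrlimit");
+if (cfg.rlimit_nofile > rl.rlim_max && getuid() != 0)
+cfg.rlimit_nofile = rl.rlim_max;
+// set the new limit
 rl.rlim_cur = (rlim_t) cfg.rlimit_nofile;
 rl.rlim_max = (rlim_t) cfg.rlimit_nofile;
 #ifdef HAVE_GCOV // gcov-instrumented programs might crash at this point
@@ -49,6 +60,11 @@ void set_rlimits(void) {
 }
 
 if (arg_rlimit_nproc) {
+if (getrlimit(RLIMIT_NPROC, &rl) == -1)
+errExit("getrlimit");
+if (cfg.rlimit_nproc > rl.rlim_max && getuid() != 0)
+cfg.rlimit_nproc = rl.rlim_max;
+// set the new limit
 rl.rlim_cur = (rlim_t) cfg.rlimit_nproc;
 rl.rlim_max = (rlim_t) cfg.rlimit_nproc;
 #ifdef HAVE_GCOV
@@ -61,6 +77,11 @@ void set_rlimits(void) {
 }
 
 if (arg_rlimit_fsize) {
+if (getrlimit(RLIMIT_FSIZE, &rl) == -1)
+errExit("getrlimit");
+if (cfg.rlimit_fsize > rl.rlim_max && getuid() != 0)
+cfg.rlimit_fsize = rl.rlim_max;
+// set the new limit
 rl.rlim_cur = (rlim_t) cfg.rlimit_fsize;
 rl.rlim_max = (rlim_t) cfg.rlimit_fsize;
 #ifdef HAVE_GCOV
@@ -73,6 +94,11 @@ void set_rlimits(void) {
 }
 
 if (arg_rlimit_sigpending) {
+if (getrlimit(RLIMIT_SIGPENDING, &rl) == -1)
+errExit("getrlimit");
+if (cfg.rlimit_sigpending > rl.rlim_max && getuid() != 0)
+cfg.rlimit_sigpending = rl.rlim_max;
+// set the new limit
 rl.rlim_cur = (rlim_t) cfg.rlimit_sigpending;
 rl.rlim_max = (rlim_t) cfg.rlimit_sigpending;
 #ifdef HAVE_GCOV
@@ -85,6 +111,11 @@ void set_rlimits(void) {
 }
 
 if (arg_rlimit_as) {
+if (getrlimit(RLIMIT_AS, &rl) == -1)
+errExit("getrlimit");
+if (cfg.rlimit_as > rl.rlim_max && getuid() != 0)
+cfg.rlimit_as = rl.rlim_max;
+// set the new limit
 rl.rlim_cur = (rlim_t) cfg.rlimit_as;
 rl.rlim_max = (rlim_t) cfg.rlimit_as;
 #ifdef HAVE_GCOV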
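Review bot: The clamp repeated in all six stanzas, `if (cfg.rlimit_cpu > rl.rlim_max && getuid() != 0) cfg.rlimit_cpu = rl.rlim_max;`, is silent: a non-root user whose profile asks for a limit above their hard limit gets the hard limit with no diagnostic, so a misconfigured --rlimit-nofile or --rlimit-as looks as if it took effect. Since set_rlimits() now asserts the user euid, the kernel would presumably refuse the raise with EPERM at the later setrlimit() anyway; the clamp converts that refusal into truncation, which is fine for usability only if it is logged, e.g. `fwarning("rlimit-cpu %lu exceeds the hard limit, capped at %lu\n", ...)` before each assignment (assuming fwarning and unsigned long cfg fields as elsewhere in firejail). The check is also the only thing standing between a caller and a privilege bypass if someone later invokes this function under EUID_ROOT(), as the old sandbox.c did, and EUID_ASSERT() will not catch that in an NDEBUG build if it is assert()-based; a comment on the EUID_ASSERT() line saying so would be worth having. The six identical getrlimit/clamp/assign stanzas would read better as one static helper taking the resource id and a pointer to the cfg field; the setrlimit() calls and HAVE_GCOV branches they share are outside the hunk.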
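--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1008,7 +1008,9 @@ int sandbox(void* sandbox_arg) {
 }
 }
 
-EUID_ROOT();
+// set rlimits
+set_rlimits();
+
 // set nice
 if (arg_nice) {
 errno = 0;
@@ -1020,6 +1022,7 @@ int sandbox(void* sandbox_arg) {
 }
 }
 
+EUID_ROOT();
 // clean /tmp/.X11-unix sockets
 fs_x11();
 if (arg_x11_xorg)
@@ -1031,9 +1034,6 @@ int sandbox(void* sandbox_arg) {
 // set capabilities
 set_caps();
 
-// set rlimits
-set_rlimits();
-
 // set cpu affinity
 if (cfg.cpus) {
 save_cpu(); // save cpu affinity mask to CPU_CFG file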
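Review bot: With set_rlimits() moved ahead of the remaining root-side setup (fs_x11(), set_caps(), the x11 handling) instead of after set_caps(), the profile's RLIMIT_NOFILE, RLIMIT_FSIZE and RLIMIT_AS are already in force while that privileged code runs, so a tight --rlimit-nofile or --rlimit-as can make fs_x11() or the later CPU_CFG write fail for a reason unrelated to what the user configured. The move itself looks motivated by running set_rlimits() unprivileged (it now asserts the user euid), which is the right security property, but the only comment is the generic `// set rlimits`; I would say why it must sit before EUID_ROOT(), `// set rlimits as the user, before EUID_ROOT(): the kernel enforces the caller's hard limits`, and place it as the last user-side step so the fewest privileged operations run under the new limits. The nice block between the first two hunks now also runs with the user's euid, so negative nice values should be refused for non-root callers; its error handling is outside the hunk. sandbox() starts before the first hunk and continues after the last.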
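--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -33,7 +33,7 @@
 
 #define MAX_GROUPS 1024
 #define MAXBUF 4098
-
+#define EMPTY_STRING ("")
 
 
 // send the error to /var/log/auth.log and exit after a small delay
@@ -1079,7 +1079,7 @@ int safe_fd(const char *path, int flags) {
 
 // traverse the path and return -1 if a symlink is encountered
 int fd = -1;
-char *current_tok = NULL;
+char *current_tok = EMPTY_STRING;
 char *tok = strtok(dup, "/");
 assert(tok);
 while (tok) {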
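Review bot: `char *current_tok = EMPTY_STRING;` points a non-const char * at a string literal, so any write through current_tok later in safe_fd() would be undefined behaviour and a crash on a read-only page; declare it `const char *current_tok = EMPTY_STRING;` (or simply `""` inline, since a parenthesised `#define EMPTY_STRING ("")` is an unusual spelling for a string literal). The reason for replacing NULL is not visible here, presumably a str*() call or a comparison in the loop that cannot take NULL, and that deserves one line at the initialisation, `// "" rather than NULL: current_tok is handed to string functions below`. The loop body and every use of current_tok are outside the hunk.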