lxc support

author: netblue30 <netblue30@yahoo.com> 2016-06-08 10:30:14 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-06-08 10:30:14 -0400
commit: 9fafef8e0054176a7af4eb8786fb7ceefaf73026 (patch)
tree: 63a5970a7c97db997b19746615f0fdc9fd33369e
parent: removed noroot from midori profile (diff)
download: firejail-9fafef8e0054176a7af4eb8786fb7ceefaf73026.tar.gz
firejail-9fafef8e0054176a7af4eb8786fb7ceefaf73026.tar.zst
firejail-9fafef8e0054176a7af4eb8786fb7ceefaf73026.zip
1 files changed, 55 insertions, 7 deletions
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index cc7f6d234..9672d003e 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -23,16 +23,64 @@
 #include <unistd.h>
 #include <grp.h>
+#define MAX_BUF 4096
+int is_container(const char *str) {
+        assert(str);
+        if (strcmp(str, "lxc") == 0 ||
+             strcmp(str, "docker") == 0 ||
+             strcmp(str, "lxc-libvirt") == 0 ||
+             strcmp(str, "systemd-nspawn") == 0 ||
+             strcmp(str, "rkt") == 0)
+                return 1;
+        return 0;
+}
 // returns 1 if we are running under LXC
 int check_namespace_virt(void) {
-        char *container = getenv("container");
+        EUID_ASSERT();
-        if (container &&
+        
-            (strcmp(container, "lxc") == 0 ||
+        // check container environment variable
-             strcmp(container, "docker") == 0 ||
+        char *str = getenv("container");
-             strcmp(container, "lxc-libvirt") == 0 ||
+        if (str && is_container(str))
-             strcmp(container, "systemd-nspawn") == 0 ||
-             strcmp(container, "rkt") == 0))
                return 1;
+        
+        // check PID 1 container environment variable
+        EUID_ROOT();
+        FILE *fp = fopen("/proc/1/environ", "r");
+        if (fp) {
+                int c = 0;
+                while (c != EOF) {
+                        // read one line
+                        char buf[MAX_BUF];
+                        int i = 0;
+                        while ((c = fgetc(fp)) != EOF) {
+                                if (c == 0)
+                                        break;
+                                buf[i] = (char) c;
+                                if (++i == (MAX_BUF - 1))
+                                        break;
+                        }
+                        buf[i] = '\0';
+                        
+                        // check env var name
+                        if (strncmp(buf, "container=", 10) == 0) {
+                                // found it
+                                if (is_container(buf + 10)) {
+                                        fclose(fp);
+                                        EUID_USER();
+                                        return 1;
+                                }
+                        }
+//                      printf("i %d c %d, buf #%s#\n", i, c, buf);
+                }
+                
+                fclose(fp);
+        }
+                
+        EUID_USER();
        return 0;
 }
author	netblue30 <netblue30@yahoo.com>	2016-06-08 10:30:14 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-06-08 10:30:14 -0400
commit	9fafef8e0054176a7af4eb8786fb7ceefaf73026 (patch)
tree	63a5970a7c97db997b19746615f0fdc9fd33369e
parent	removed noroot from midori profile (diff)
download	firejail-9fafef8e0054176a7af4eb8786fb7ceefaf73026.tar.gz firejail-9fafef8e0054176a7af4eb8786fb7ceefaf73026.tar.zst firejail-9fafef8e0054176a7af4eb8786fb7ceefaf73026.zip

diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index cc7f6d234..9672d003e 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c
@@ -23,16 +23,64 @@
23	#include <unistd.h>	23	#include <unistd.h>
24	#include <grp.h>	24	#include <grp.h>
25		25
		26	#define MAX_BUF 4096
		27
		28	int is_container(const char *str) {
		29	assert(str);
		30	if (strcmp(str, "lxc") == 0 \|\|
		31	strcmp(str, "docker") == 0 \|\|
		32	strcmp(str, "lxc-libvirt") == 0 \|\|
		33	strcmp(str, "systemd-nspawn") == 0 \|\|
		34	strcmp(str, "rkt") == 0)
		35	return 1;
		36	return 0;
		37
		38
		39	}
		40
26	// returns 1 if we are running under LXC	41	// returns 1 if we are running under LXC
27	int check_namespace_virt(void) {	42	int check_namespace_virt(void) {
28	char *container = getenv("container");	43	EUID_ASSERT();
29	if (container &&	44
30	(strcmp(container, "lxc") == 0 \|\|	45	// check container environment variable
31	strcmp(container, "docker") == 0 \|\|	46	char *str = getenv("container");
32	strcmp(container, "lxc-libvirt") == 0 \|\|	47	if (str && is_container(str))
33	strcmp(container, "systemd-nspawn") == 0 \|\|
34	strcmp(container, "rkt") == 0))
35	return 1;	48	return 1;
		49
		50	// check PID 1 container environment variable
		51	EUID_ROOT();
		52	FILE *fp = fopen("/proc/1/environ", "r");
		53	if (fp) {
		54	int c = 0;
		55	while (c != EOF) {
		56	// read one line
		57	char buf[MAX_BUF];
		58	int i = 0;
		59	while ((c = fgetc(fp)) != EOF) {
		60	if (c == 0)
		61	break;
		62	buf[i] = (char) c;
		63	if (++i == (MAX_BUF - 1))
		64	break;
		65	}
		66	buf[i] = '\0';
		67
		68	// check env var name
		69	if (strncmp(buf, "container=", 10) == 0) {
		70	// found it
		71	if (is_container(buf + 10)) {
		72	fclose(fp);
		73	EUID_USER();
		74	return 1;
		75	}
		76	}
		77	// printf("i %d c %d, buf #%s#\n", i, c, buf);
		78	}
		79
		80	fclose(fp);
		81	}
		82
		83	EUID_USER();
36	return 0;	84	return 0;
37	}	85	}
38		86