fix --bandwidth, --cpu.print

author: netblue30 <netblue30@yahoo.com> 2018-09-15 11:27:48 -0400
committer: netblue30 <netblue30@yahoo.com> 2018-09-15 11:27:48 -0400
commit: b1d2966d180297c271e54e8c9fe83b2a65aeb0e7 (patch)
tree: 726082dc41a05d454c97ef4b27e747eb8ccdd98b
parent: add start-tor-browser.desktop profile (diff)
download: firejail-b1d2966d180297c271e54e8c9fe83b2a65aeb0e7.tar.gz
firejail-b1d2966d180297c271e54e8c9fe83b2a65aeb0e7.tar.zst
firejail-b1d2966d180297c271e54e8c9fe83b2a65aeb0e7.zip
2 files changed, 12 insertions, 9 deletions
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index d7764682a..d0487d49a 100644
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -338,6 +338,16 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
                exit(1);
        }
+        // check privileges for non-root users
+        uid_t uid = getuid();
+        if (uid != 0) {
+                uid_t sandbox_uid = pid_get_uid(pid);
+                if (uid != sandbox_uid) {
+                        fprintf(stderr, "Error: permission is denied to join a sandbox created by a different user.\n");
+                        exit(1);
+                }
+        }
        EUID_ROOT();
        if (join_namespace(child, "net")) {
                fprintf(stderr, "Error: cannot join the network namespace\n");
diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c
index a92562e67..e2517ddd7 100644
--- a/src/firejail/cpu.c
+++ b/src/firejail/cpu.c
@@ -162,6 +162,7 @@ static void print_cpu(int pid) {
        free(file);
 }
+// allow any user to run --cpu.print
 void cpu_print_filter(pid_t pid) {
        EUID_ASSERT();
@@ -174,15 +175,7 @@ void cpu_print_filter(pid_t pid) {
                exit(1);
        }
-        // check privileges for non-root users
-        uid_t uid = getuid();
-        if (uid != 0) {
-                uid_t sandbox_uid = pid_get_uid(pid);
-                if (uid != sandbox_uid) {
-                        fprintf(stderr, "Error: permission denied.\n");
-                        exit(1);
-                }
-        }
        print_cpu(pid);
        exit(0);
author	netblue30 <netblue30@yahoo.com>	2018-09-15 11:27:48 -0400
committer	netblue30 <netblue30@yahoo.com>	2018-09-15 11:27:48 -0400
commit	b1d2966d180297c271e54e8c9fe83b2a65aeb0e7 (patch)
tree	726082dc41a05d454c97ef4b27e747eb8ccdd98b
parent	add start-tor-browser.desktop profile (diff)
download	firejail-b1d2966d180297c271e54e8c9fe83b2a65aeb0e7.tar.gz firejail-b1d2966d180297c271e54e8c9fe83b2a65aeb0e7.tar.zst firejail-b1d2966d180297c271e54e8c9fe83b2a65aeb0e7.zip

diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c index d7764682a..d0487d49a 100644 --- a/src/firejail/bandwidth.c +++ b/src/firejail/bandwidth.c
@@ -338,6 +338,16 @@ void bandwidth_pid(pid_t pid, const char command, const char dev, int down, in
338	exit(1);	338	exit(1);
339	}	339	}
340		340
		341	// check privileges for non-root users
		342	uid_t uid = getuid();
		343	if (uid != 0) {
		344	uid_t sandbox_uid = pid_get_uid(pid);
		345	if (uid != sandbox_uid) {
		346	fprintf(stderr, "Error: permission is denied to join a sandbox created by a different user.\n");
		347	exit(1);
		348	}
		349	}
		350
341	EUID_ROOT();	351	EUID_ROOT();
342	if (join_namespace(child, "net")) {	352	if (join_namespace(child, "net")) {
343	fprintf(stderr, "Error: cannot join the network namespace\n");	353	fprintf(stderr, "Error: cannot join the network namespace\n");


diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c index a92562e67..e2517ddd7 100644 --- a/src/firejail/cpu.c +++ b/src/firejail/cpu.c
@@ -162,6 +162,7 @@ static void print_cpu(int pid) {
162	free(file);	162	free(file);
163	}	163	}
164		164
		165	// allow any user to run --cpu.print
165	void cpu_print_filter(pid_t pid) {	166	void cpu_print_filter(pid_t pid) {
166	EUID_ASSERT();	167	EUID_ASSERT();
167		168
@@ -174,15 +175,7 @@ void cpu_print_filter(pid_t pid) {
174	exit(1);	175	exit(1);
175	}	176	}
176		177
177	// check privileges for non-root users	178
178	uid_t uid = getuid();
179	if (uid != 0) {
180	uid_t sandbox_uid = pid_get_uid(pid);
181	if (uid != sandbox_uid) {
182	fprintf(stderr, "Error: permission denied.\n");
183	exit(1);
184	}
185	}
186		179
187	print_cpu(pid);	180	print_cpu(pid);
188	exit(0);	181	exit(0);