grsecurity: --join, --shutdown

author: netblue30 <netblue30@yahoo.com> 2016-04-04 21:14:15 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-04-04 21:14:15 -0400
commit: cb5a3046fc3f8d498af7bf1e6bc9e7c90e16a828 (patch)
tree: cf30efeb97177c84e5e7af036ea03b2cc486b7f4
parent: grsecurity: testing (diff)
download: firejail-cb5a3046fc3f8d498af7bf1e6bc9e7c90e16a828.tar.gz
firejail-cb5a3046fc3f8d498af7bf1e6bc9e7c90e16a828.tar.zst
firejail-cb5a3046fc3f8d498af7bf1e6bc9e7c90e16a828.zip
4 files changed, 11 insertions, 3 deletions
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 251260091..98e140ce4 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -201,7 +201,9 @@ void join(pid_t pid, int argc, char **argv, int index) {
        extract_command(argc, argv, index);
        // if the pid is that of a firejail  process, use the pid of the first child process
+        EUID_ROOT();
        char *comm = pid_proc_comm(pid);
+        EUID_USER();
        if (comm) {
                if (strcmp(comm, "firejail") == 0) {
                        pid_t child;
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c
index 3671901d0..b7ef48c8d 100644
--- a/src/firejail/shutdown.c
+++ b/src/firejail/shutdown.c
@@ -44,7 +44,9 @@ void shut(pid_t pid) {
        
        pid_t parent = pid;
        // if the pid is that of a firejail  process, use the pid of a child process inside the sandbox
+        EUID_ROOT();
        char *comm = pid_proc_comm(pid);
+        EUID_USER();
        if (comm) {
                if (strcmp(comm, "firejail") == 0) {
                        pid_t child;
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 1fa60bb4d..da73bbfd5 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -346,6 +346,7 @@ int find_child(pid_t parent, pid_t *child) {
        *child = 0;                               // use it to flag a found child
        DIR *dir;
+        EUID_ROOT(); // grsecurity fix
        if (!(dir = opendir("/proc"))) {
                // sleep 2 seconds and try again
                sleep(2);
@@ -397,7 +398,7 @@ int find_child(pid_t parent, pid_t *child) {
                free(file);
        }
        closedir(dir);
+        EUID_USER();
        return (*child)? 0:1;                     // 0 = found, 1 = not found
 }
@@ -576,6 +577,7 @@ uid_t pid_get_uid(pid_t pid) {
                perror("asprintf");
                exit(1);
        }
+        EUID_ROOT();    // grsecurity fix
        FILE *fp = fopen(file, "r");
        if (!fp) {
                free(file);
@@ -602,6 +604,7 @@ uid_t pid_get_uid(pid_t pid) {
        fclose(fp);
        free(file);
+        EUID_USER();    // grsecurity fix
        
        if (rv == 0) {
                fprintf(stderr, "Error: cannot read /proc file\n");
diff --git a/test/pid.exp b/test/pid.exp
index d382feb96..fb5b90f04 100755
--- a/test/pid.exp
+++ b/test/pid.exp
@@ -37,7 +37,8 @@ sleep 1
 send -- "ps aux |wc -l; pwd\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
-        "6"
+        "6" {puts "normal system\n'}
+        "5" {puts "grsecurity\n"}
 }
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
@@ -45,4 +46,4 @@ expect {
 }
 sleep 1
-puts "\n"
+puts "\nall done\n"
author	netblue30 <netblue30@yahoo.com>	2016-04-04 21:14:15 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-04-04 21:14:15 -0400
commit	cb5a3046fc3f8d498af7bf1e6bc9e7c90e16a828 (patch)
tree	cf30efeb97177c84e5e7af036ea03b2cc486b7f4
parent	grsecurity: testing (diff)
download	firejail-cb5a3046fc3f8d498af7bf1e6bc9e7c90e16a828.tar.gz firejail-cb5a3046fc3f8d498af7bf1e6bc9e7c90e16a828.tar.zst firejail-cb5a3046fc3f8d498af7bf1e6bc9e7c90e16a828.zip

diff --git a/src/firejail/join.c b/src/firejail/join.c index 251260091..98e140ce4 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c
@@ -201,7 +201,9 @@ void join(pid_t pid, int argc, char **argv, int index) {
201	extract_command(argc, argv, index);	201	extract_command(argc, argv, index);
202		202
203	// if the pid is that of a firejail process, use the pid of the first child process	203	// if the pid is that of a firejail process, use the pid of the first child process
		204	EUID_ROOT();
204	char *comm = pid_proc_comm(pid);	205	char *comm = pid_proc_comm(pid);
		206	EUID_USER();
205	if (comm) {	207	if (comm) {
206	if (strcmp(comm, "firejail") == 0) {	208	if (strcmp(comm, "firejail") == 0) {
207	pid_t child;	209	pid_t child;


diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c index 3671901d0..b7ef48c8d 100644 --- a/src/firejail/shutdown.c +++ b/src/firejail/shutdown.c
@@ -44,7 +44,9 @@ void shut(pid_t pid) {
44		44
45	pid_t parent = pid;	45	pid_t parent = pid;
46	// if the pid is that of a firejail process, use the pid of a child process inside the sandbox	46	// if the pid is that of a firejail process, use the pid of a child process inside the sandbox
		47	EUID_ROOT();
47	char *comm = pid_proc_comm(pid);	48	char *comm = pid_proc_comm(pid);
		49	EUID_USER();
48	if (comm) {	50	if (comm) {
49	if (strcmp(comm, "firejail") == 0) {	51	if (strcmp(comm, "firejail") == 0) {
50	pid_t child;	52	pid_t child;


diff --git a/src/firejail/util.c b/src/firejail/util.c index 1fa60bb4d..da73bbfd5 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c
@@ -346,6 +346,7 @@ int find_child(pid_t parent, pid_t *child) {
346	*child = 0; // use it to flag a found child	346	*child = 0; // use it to flag a found child
347		347
348	DIR *dir;	348	DIR *dir;
		349	EUID_ROOT(); // grsecurity fix
349	if (!(dir = opendir("/proc"))) {	350	if (!(dir = opendir("/proc"))) {
350	// sleep 2 seconds and try again	351	// sleep 2 seconds and try again
351	sleep(2);	352	sleep(2);
@@ -397,7 +398,7 @@ int find_child(pid_t parent, pid_t *child) {
397	free(file);	398	free(file);
398	}	399	}
399	closedir(dir);	400	closedir(dir);
400		401	EUID_USER();
401	return (*child)? 0:1; // 0 = found, 1 = not found	402	return (*child)? 0:1; // 0 = found, 1 = not found
402	}	403	}
403		404
@@ -576,6 +577,7 @@ uid_t pid_get_uid(pid_t pid) {
576	perror("asprintf");	577	perror("asprintf");
577	exit(1);	578	exit(1);
578	}	579	}
		580	EUID_ROOT(); // grsecurity fix
579	FILE *fp = fopen(file, "r");	581	FILE *fp = fopen(file, "r");
580	if (!fp) {	582	if (!fp) {
581	free(file);	583	free(file);
@@ -602,6 +604,7 @@ uid_t pid_get_uid(pid_t pid) {
602		604
603	fclose(fp);	605	fclose(fp);
604	free(file);	606	free(file);
		607	EUID_USER(); // grsecurity fix
605		608
606	if (rv == 0) {	609	if (rv == 0) {
607	fprintf(stderr, "Error: cannot read /proc file\n");	610	fprintf(stderr, "Error: cannot read /proc file\n");


diff --git a/test/pid.exp b/test/pid.exp index d382feb96..fb5b90f04 100755 --- a/test/pid.exp +++ b/test/pid.exp
@@ -37,7 +37,8 @@ sleep 1
37	send -- "ps aux \|wc -l; pwd\r"	37	send -- "ps aux \|wc -l; pwd\r"
38	expect {	38	expect {
39	timeout {puts "TESTING ERROR 5\n";exit}	39	timeout {puts "TESTING ERROR 5\n";exit}
40	"6"	40	"6" {puts "normal system\n'}
		41	"5" {puts "grsecurity\n"}
41	}	42	}
42	expect {	43	expect {
43	timeout {puts "TESTING ERROR 6\n";exit}	44	timeout {puts "TESTING ERROR 6\n";exit}
@@ -45,4 +46,4 @@ expect {
45	}	46	}
46	sleep 1	47	sleep 1
47		48
48	puts "\n"	49	puts "\nall done\n"