fixes

author: netblue30 <netblue30@yahoo.com> 2016-05-19 12:14:18 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-05-19 12:14:18 -0400
commit: d221aada89e79d92d758d508475c443064a9da48 (patch)
tree: b624531d262ef13b86f9e59e49318cec4338f8e2
parent: --read-only fix (diff)
download: firejail-d221aada89e79d92d758d508475c443064a9da48.tar.gz
firejail-d221aada89e79d92d758d508475c443064a9da48.tar.zst
firejail-d221aada89e79d92d758d508475c443064a9da48.zip
5 files changed, 37 insertions, 8 deletions
diff --git a/src/firejail/list.c b/src/firejail/list.c
index cd53264b6..d093a1f85 100644
--- a/src/firejail/list.c
+++ b/src/firejail/list.c
@@ -21,7 +21,7 @@
 #include <sys/types.h>
 #include <sys/stat.h>
-static void grsec_elevate_privileges(void) {
+static void set_privileges(void) {
        struct stat s;
        if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
                EUID_ROOT();
@@ -32,49 +32,69 @@ static void grsec_elevate_privileges(void) {
                if (setregid(0, 0))
                        errExit("setregid");
        }
+        else
+                drop_privs(1);
+}
+static char *get_firemon_path(const char *cmd) {
+        assert(cmd);
+        
+        // start the argv[0] program in a new sandbox
+        char *firemon;
+        if (asprintf(&firemon, "%s/bin/firemon %s", PREFIX, cmd) == -1)
+                errExit("asprintf");
+        return firemon;
 }
 void top(void) {
        EUID_ASSERT();
-        
+        drop_privs(1);
+        char *cmd = get_firemon_path("--top");
        char *arg[4];
        arg[0] = "bash";
        arg[1] = "-c";
-        arg[2] = "firemon --top";
+        arg[2] = cmd;
        arg[3] = NULL;
        execvp("/bin/bash", arg); 
 }
 void netstats(void) {
        EUID_ASSERT();
-        grsec_elevate_privileges();     
+        set_privileges();       
+        char *cmd = get_firemon_path("--netstats");
        
        char *arg[4];
        arg[0] = "bash";
        arg[1] = "-c";
-        arg[2] = "firemon --netstats";
+        arg[2] = cmd;
        arg[3] = NULL;
        execvp("/bin/bash", arg); 
 }
 void list(void) {
        EUID_ASSERT();
+        drop_privs(1);
+        char *cmd = get_firemon_path("--list");
        
        char *arg[4];
        arg[0] = "bash";
        arg[1] = "-c";
-        arg[2] = "firemon --list";
+        arg[2] = cmd;
        arg[3] = NULL;
        execvp("/bin/bash", arg); 
 }
 void tree(void) {
        EUID_ASSERT();
+        drop_privs(1);
+        char *cmd = get_firemon_path("--tree");
        
        char *arg[4];
        arg[0] = "bash";
        arg[1] = "-c";
-        arg[2] = "firemon --tree";
+        arg[2] = cmd;
        arg[3] = NULL;
        execvp("/bin/bash", arg); 
 }
diff --git a/src/firejail/output.c b/src/firejail/output.c
index 269ac25ea..91fe7f164 100644
--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -27,7 +27,6 @@ void check_output(int argc, char **argv) {
        
        int i;
        char *outfile = NULL;
-//      drop_privs(0);
        int found = 0;
        for (i = 1; i < argc; i++) {
@@ -91,6 +90,7 @@ void check_output(int argc, char **argv) {
        sprintf(ptr, "2>&1 | %s/firejail/ftee %s", LIBDIR, outfile);
        // run command
+        drop_privs(0);
        char *a[4];
        a[0] = "/bin/bash";
        a[1] = "-c";
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c
index d57816e12..cc6f6b3e9 100644
--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -91,6 +91,12 @@ void run_symlink(int argc, char **argv) {
        printf("Redirecting symlink to %s\n", program);
+        // drop privileges
+        if (setgid(getgid()) < 0)
+                errExit("setgid/getgid");
+        if (setuid(getuid()) < 0)
+                errExit("setuid/getuid");
        // run command
        char *a[3 + argc];
        a[0] = firejail;
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 3d5fc214d..dc906532f 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -29,6 +29,7 @@
 // drop privileges
 // - for root group or if nogroups is set, supplementary groups are not configured
 void drop_privs(int nogroups) {
+        EUID_ROOT();
        gid_t gid = getgid();
        // configure supplementary groups
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 985ca9337..300078872 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -173,6 +173,7 @@ void x11_start_xephyr(int argc, char **argv) {
                fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n");
                exit(1);
        }
+        drop_privs(0);
        // check xephyr
        if (x11_check_xephyr() == 0) {
@@ -295,6 +296,7 @@ void x11_start_xpra(int argc, char **argv) {
                fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n");
                exit(1);
        }
+        drop_privs(0);
        // check xpra
        if (x11_check_xpra() == 0) {
author	netblue30 <netblue30@yahoo.com>	2016-05-19 12:14:18 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-05-19 12:14:18 -0400
commit	d221aada89e79d92d758d508475c443064a9da48 (patch)
tree	b624531d262ef13b86f9e59e49318cec4338f8e2
parent	--read-only fix (diff)
download	firejail-d221aada89e79d92d758d508475c443064a9da48.tar.gz firejail-d221aada89e79d92d758d508475c443064a9da48.tar.zst firejail-d221aada89e79d92d758d508475c443064a9da48.zip

diff --git a/src/firejail/list.c b/src/firejail/list.c index cd53264b6..d093a1f85 100644 --- a/src/firejail/list.c +++ b/src/firejail/list.c
@@ -21,7 +21,7 @@
21	#include <sys/types.h>	21	#include <sys/types.h>
22	#include <sys/stat.h>	22	#include <sys/stat.h>
23		23
24	static void grsec_elevate_privileges(void) {	24	static void set_privileges(void) {
25	struct stat s;	25	struct stat s;
26	if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {	26	if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
27	EUID_ROOT();	27	EUID_ROOT();
@@ -32,49 +32,69 @@ static void grsec_elevate_privileges(void) {
32	if (setregid(0, 0))	32	if (setregid(0, 0))
33	errExit("setregid");	33	errExit("setregid");
34	}	34	}
		35	else
		36	drop_privs(1);
		37	}
		38
		39	static char get_firemon_path(const char cmd) {
		40	assert(cmd);
		41
		42	// start the argv[0] program in a new sandbox
		43	char *firemon;
		44	if (asprintf(&firemon, "%s/bin/firemon %s", PREFIX, cmd) == -1)
		45	errExit("asprintf");
		46
		47	return firemon;
35	}	48	}
36		49
37	void top(void) {	50	void top(void) {
38	EUID_ASSERT();	51	EUID_ASSERT();
39		52	drop_privs(1);
		53	char *cmd = get_firemon_path("--top");
		54
40	char *arg[4];	55	char *arg[4];
41	arg[0] = "bash";	56	arg[0] = "bash";
42	arg[1] = "-c";	57	arg[1] = "-c";
43	arg[2] = "firemon --top";	58	arg[2] = cmd;
44	arg[3] = NULL;	59	arg[3] = NULL;
45	execvp("/bin/bash", arg);	60	execvp("/bin/bash", arg);
46	}	61	}
47		62
48	void netstats(void) {	63	void netstats(void) {
49	EUID_ASSERT();	64	EUID_ASSERT();
50	grsec_elevate_privileges();	65	set_privileges();
		66	char *cmd = get_firemon_path("--netstats");
51		67
52	char *arg[4];	68	char *arg[4];
53	arg[0] = "bash";	69	arg[0] = "bash";
54	arg[1] = "-c";	70	arg[1] = "-c";
55	arg[2] = "firemon --netstats";	71	arg[2] = cmd;
56	arg[3] = NULL;	72	arg[3] = NULL;
57	execvp("/bin/bash", arg);	73	execvp("/bin/bash", arg);
58	}	74	}
59		75
60	void list(void) {	76	void list(void) {
61	EUID_ASSERT();	77	EUID_ASSERT();
		78	drop_privs(1);
		79	char *cmd = get_firemon_path("--list");
62		80
63	char *arg[4];	81	char *arg[4];
64	arg[0] = "bash";	82	arg[0] = "bash";
65	arg[1] = "-c";	83	arg[1] = "-c";
66	arg[2] = "firemon --list";	84	arg[2] = cmd;
67	arg[3] = NULL;	85	arg[3] = NULL;
68	execvp("/bin/bash", arg);	86	execvp("/bin/bash", arg);
69	}	87	}
70		88
71	void tree(void) {	89	void tree(void) {
72	EUID_ASSERT();	90	EUID_ASSERT();
		91	drop_privs(1);
		92	char *cmd = get_firemon_path("--tree");
73		93
74	char *arg[4];	94	char *arg[4];
75	arg[0] = "bash";	95	arg[0] = "bash";
76	arg[1] = "-c";	96	arg[1] = "-c";
77	arg[2] = "firemon --tree";	97	arg[2] = cmd;
78	arg[3] = NULL;	98	arg[3] = NULL;
79	execvp("/bin/bash", arg);	99	execvp("/bin/bash", arg);
80	}	100	}


diff --git a/src/firejail/output.c b/src/firejail/output.c index 269ac25ea..91fe7f164 100644 --- a/src/firejail/output.c +++ b/src/firejail/output.c
@@ -27,7 +27,6 @@ void check_output(int argc, char **argv) {
27		27
28	int i;	28	int i;
29	char *outfile = NULL;	29	char *outfile = NULL;
30	// drop_privs(0);
31		30
32	int found = 0;	31	int found = 0;
33	for (i = 1; i < argc; i++) {	32	for (i = 1; i < argc; i++) {
@@ -91,6 +90,7 @@ void check_output(int argc, char **argv) {
91	sprintf(ptr, "2>&1 \| %s/firejail/ftee %s", LIBDIR, outfile);	90	sprintf(ptr, "2>&1 \| %s/firejail/ftee %s", LIBDIR, outfile);
92		91
93	// run command	92	// run command
		93	drop_privs(0);
94	char *a[4];	94	char *a[4];
95	a[0] = "/bin/bash";	95	a[0] = "/bin/bash";
96	a[1] = "-c";	96	a[1] = "-c";


diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c index d57816e12..cc6f6b3e9 100644 --- a/src/firejail/run_symlink.c +++ b/src/firejail/run_symlink.c
@@ -91,6 +91,12 @@ void run_symlink(int argc, char **argv) {
91		91
92	printf("Redirecting symlink to %s\n", program);	92	printf("Redirecting symlink to %s\n", program);
93		93
		94	// drop privileges
		95	if (setgid(getgid()) < 0)
		96	errExit("setgid/getgid");
		97	if (setuid(getuid()) < 0)
		98	errExit("setuid/getuid");
		99
94	// run command	100	// run command
95	char *a[3 + argc];	101	char *a[3 + argc];
96	a[0] = firejail;	102	a[0] = firejail;


diff --git a/src/firejail/util.c b/src/firejail/util.c index 3d5fc214d..dc906532f 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c
@@ -29,6 +29,7 @@
29	// drop privileges	29	// drop privileges
30	// - for root group or if nogroups is set, supplementary groups are not configured	30	// - for root group or if nogroups is set, supplementary groups are not configured
31	void drop_privs(int nogroups) {	31	void drop_privs(int nogroups) {
		32	EUID_ROOT();
32	gid_t gid = getgid();	33	gid_t gid = getgid();
33		34
34	// configure supplementary groups	35	// configure supplementary groups


diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 985ca9337..300078872 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c
@@ -173,6 +173,7 @@ void x11_start_xephyr(int argc, char **argv) {
173	fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n");	173	fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n");
174	exit(1);	174	exit(1);
175	}	175	}
		176	drop_privs(0);
176		177
177	// check xephyr	178	// check xephyr
178	if (x11_check_xephyr() == 0) {	179	if (x11_check_xephyr() == 0) {
@@ -295,6 +296,7 @@ void x11_start_xpra(int argc, char **argv) {
295	fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n");	296	fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n");
296	exit(1);	297	exit(1);
297	}	298	}
		299	drop_privs(0);
298		300
299	// check xpra	301	// check xpra
300	if (x11_check_xpra() == 0) {	302	if (x11_check_xpra() == 0) {