diff options
| author |  netblue30 <netblue30@yahoo.com> | 2016-11-11 09:22:07 -0500 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2016-11-11 09:22:07 -0500 |
| commit | 3374e24eb39123170fe463c93d38e2f49918e655 (patch) | |
| tree | 285589aa97fb9cd2513a6862bd60c7d50b24cd29 | |
| parent | hidepid part 1 (diff) | |
| download | firejail-3374e24eb39123170fe463c93d38e2f49918e655.tar.gz firejail-3374e24eb39123170fe463c93d38e2f49918e655.tar.zst firejail-3374e24eb39123170fe463c93d38e2f49918e655.zip | |
hidepid part 2
| -rw-r--r-- | src/firejail/main.c | 128 | ||||
| -rwxr-xr-x | test/apps/apps.sh | 9 | ||||
| -rwxr-xr-x | test/apps/weechat.exp | 83 |
3 files changed, 52 insertions, 168 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c index e100e1f2c..3c061e607 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -158,21 +158,37 @@ static void my_handler(int s){ | |||
| 158 | myexit(1); | 158 | myexit(1); |
| 159 | } | 159 | } |
| 160 | 160 | ||
| 161 | // return 1 if error, 0 if a valid pid was found | 161 | static pid_t extract_pid(const char *name) { |
| 162 | static inline int read_pid(char *str, pid_t *pid) { | 162 | EUID_ASSERT(); |
| 163 | if (!name || strlen(name) == 0) { | ||
| 164 | fprintf(stderr, "Error: invalid sandbox name\n"); | ||
| 165 | exit(1); | ||
| 166 | } | ||
| 167 | |||
| 168 | pid_t pid; | ||
| 169 | EUID_ROOT(); | ||
| 170 | if (name2pid(name, &pid)) { | ||
| 171 | fprintf(stderr, "Error: cannot find sandbox %s\n", name); | ||
| 172 | exit(1); | ||
| 173 | } | ||
| 174 | EUID_USER(); | ||
| 175 | return pid; | ||
| 176 | } | ||
| 177 | |||
| 178 | |||
| 179 | static pid_t read_pid(const char *str) { | ||
| 163 | char *endptr; | 180 | char *endptr; |
| 164 | errno = 0; | 181 | errno = 0; |
| 165 | long int pidtmp = strtol(str, &endptr, 10); | 182 | long int pidtmp = strtol(str, &endptr, 10); |
| 166 | if ((errno == ERANGE && (pidtmp == LONG_MAX || pidtmp == LONG_MIN)) | 183 | if ((errno == ERANGE && (pidtmp == LONG_MAX || pidtmp == LONG_MIN)) |
| 167 | || (errno != 0 && pidtmp == 0)) { | 184 | || (errno != 0 && pidtmp == 0)) { |
| 168 | return 1; | 185 | return extract_pid(str); |
| 169 | } | 186 | } |
| 170 | // endptr points to '\0' char in str if the entire string is valid | 187 | // endptr points to '\0' char in str if the entire string is valid |
| 171 | if (endptr == NULL || endptr[0]!='\0') { | 188 | if (endptr == NULL || endptr[0]!='\0') { |
| 172 | return 1; | 189 | return extract_pid(str); |
| 173 | } | 190 | } |
| 174 | *pid = (pid_t)pidtmp; | 191 | return (pid_t)pidtmp; |
| 175 | return 0; | ||
| 176 | } | 192 | } |
| 177 | 193 | ||
| 178 | // init configuration | 194 | // init configuration |
| @@ -385,11 +401,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
| 385 | } | 401 | } |
| 386 | 402 | ||
| 387 | // extract pid or sandbox name | 403 | // extract pid or sandbox name |
| 388 | pid_t pid; | 404 | pid_t pid = read_pid(argv[i] + 12); |
| 389 | if (read_pid(argv[i] + 12, &pid) == 0) | 405 | bandwidth_pid(pid, cmd, dev, down, up); |
| 390 | bandwidth_pid(pid, cmd, dev, down, up); | ||
| 391 | else | ||
| 392 | bandwidth_name(argv[i] + 12, cmd, dev, down, up); | ||
| 393 | } | 406 | } |
| 394 | else { | 407 | else { |
| 395 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | 408 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); |
| @@ -426,11 +439,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
| 426 | else if (strncmp(argv[i], "--seccomp.print=", 16) == 0) { | 439 | else if (strncmp(argv[i], "--seccomp.print=", 16) == 0) { |
| 427 | if (checkcfg(CFG_SECCOMP)) { | 440 | if (checkcfg(CFG_SECCOMP)) { |
| 428 | // print seccomp filter for a sandbox specified by pid or by name | 441 | // print seccomp filter for a sandbox specified by pid or by name |
| 429 | pid_t pid; | 442 | pid_t pid = read_pid(argv[i] + 16); |
| 430 | if (read_pid(argv[i] + 16, &pid) == 0) | 443 | seccomp_print_filter(pid); |
| 431 | seccomp_print_filter(pid); | ||
| 432 | else | ||
| 433 | seccomp_print_filter_name(argv[i] + 16); | ||
| 434 | } | 444 | } |
| 435 | else { | 445 | else { |
| 436 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); | 446 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); |
| @@ -445,11 +455,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
| 445 | else if (strncmp(argv[i], "--protocol.print=", 17) == 0) { | 455 | else if (strncmp(argv[i], "--protocol.print=", 17) == 0) { |
| 446 | if (checkcfg(CFG_SECCOMP)) { | 456 | if (checkcfg(CFG_SECCOMP)) { |
| 447 | // print seccomp filter for a sandbox specified by pid or by name | 457 | // print seccomp filter for a sandbox specified by pid or by name |
| 448 | pid_t pid; | 458 | pid_t pid = read_pid(argv[i] + 17); |
| 449 | if (read_pid(argv[i] + 17, &pid) == 0) | 459 | protocol_print_filter(pid); |
| 450 | protocol_print_filter(pid); | ||
| 451 | else | ||
| 452 | protocol_print_filter_name(argv[i] + 17); | ||
| 453 | } | 460 | } |
| 454 | else { | 461 | else { |
| 455 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); | 462 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); |
| @@ -460,38 +467,26 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
| 460 | #endif | 467 | #endif |
| 461 | else if (strncmp(argv[i], "--cpu.print=", 12) == 0) { | 468 | else if (strncmp(argv[i], "--cpu.print=", 12) == 0) { |
| 462 | // join sandbox by pid or by name | 469 | // join sandbox by pid or by name |
| 463 | pid_t pid; | 470 | pid_t pid = read_pid(argv[i] + 12); |
| 464 | if (read_pid(argv[i] + 12, &pid) == 0) | 471 | cpu_print_filter(pid); |
| 465 | cpu_print_filter(pid); | ||
| 466 | else | ||
| 467 | cpu_print_filter_name(argv[i] + 12); | ||
| 468 | exit(0); | 472 | exit(0); |
| 469 | } | 473 | } |
| 470 | else if (strncmp(argv[i], "--caps.print=", 13) == 0) { | 474 | else if (strncmp(argv[i], "--caps.print=", 13) == 0) { |
| 471 | // join sandbox by pid or by name | 475 | // join sandbox by pid or by name |
| 472 | pid_t pid; | 476 | pid_t pid = read_pid(argv[i] + 13); |
| 473 | if (read_pid(argv[i] + 13, &pid) == 0) | 477 | caps_print_filter(pid); |
| 474 | caps_print_filter(pid); | ||
| 475 | else | ||
| 476 | caps_print_filter_name(argv[i] + 13); | ||
| 477 | exit(0); | 478 | exit(0); |
| 478 | } | 479 | } |
| 479 | else if (strncmp(argv[i], "--fs.print=", 11) == 0) { | 480 | else if (strncmp(argv[i], "--fs.print=", 11) == 0) { |
| 480 | // join sandbox by pid or by name | 481 | // join sandbox by pid or by name |
| 481 | pid_t pid; | 482 | pid_t pid = read_pid(argv[i] + 11); |
| 482 | if (read_pid(argv[i] + 11, &pid) == 0) | 483 | fs_logger_print_log(pid); |
| 483 | fs_logger_print_log(pid); | ||
| 484 | else | ||
| 485 | fs_logger_print_log_name(argv[i] + 11); | ||
| 486 | exit(0); | 484 | exit(0); |
| 487 | } | 485 | } |
| 488 | else if (strncmp(argv[i], "--dns.print=", 12) == 0) { | 486 | else if (strncmp(argv[i], "--dns.print=", 12) == 0) { |
| 489 | // join sandbox by pid or by name | 487 | // join sandbox by pid or by name |
| 490 | pid_t pid; | 488 | pid_t pid = read_pid(argv[i] + 12); |
| 491 | if (read_pid(argv[i] + 12, &pid) == 0) | 489 | net_dns_print(pid); |
| 492 | net_dns_print(pid); | ||
| 493 | else | ||
| 494 | net_dns_print_name(argv[i] + 12); | ||
| 495 | exit(0); | 490 | exit(0); |
| 496 | } | 491 | } |
| 497 | else if (strcmp(argv[i], "--debug-caps") == 0) { | 492 | else if (strcmp(argv[i], "--debug-caps") == 0) { |
| @@ -543,11 +538,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
| 543 | } | 538 | } |
| 544 | 539 | ||
| 545 | // get file | 540 | // get file |
| 546 | pid_t pid; | 541 | pid_t pid = read_pid(argv[i] + 6); |
| 547 | if (read_pid(argv[i] + 6, &pid) == 0) | 542 | sandboxfs(SANDBOX_FS_GET, pid, path, NULL); |
| 548 | sandboxfs(SANDBOX_FS_GET, pid, path, NULL); | ||
| 549 | else | ||
| 550 | sandboxfs_name(SANDBOX_FS_GET, argv[i] + 6, path, NULL); | ||
| 551 | exit(0); | 543 | exit(0); |
| 552 | } | 544 | } |
| 553 | else { | 545 | else { |
| @@ -578,11 +570,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
| 578 | } | 570 | } |
| 579 | 571 | ||
| 580 | // get file | 572 | // get file |
| 581 | pid_t pid; | 573 | pid_t pid = read_pid(argv[i] + 6); |
| 582 | if (read_pid(argv[i] + 6, &pid) == 0) | 574 | sandboxfs(SANDBOX_FS_PUT, pid, path1, path2); |
| 583 | sandboxfs(SANDBOX_FS_PUT, pid, path1, path2); | ||
| 584 | else | ||
| 585 | sandboxfs_name(SANDBOX_FS_PUT, argv[i] + 6, path1, path2); | ||
| 586 | exit(0); | 575 | exit(0); |
| 587 | } | 576 | } |
| 588 | else { | 577 | else { |
| @@ -607,11 +596,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
| 607 | } | 596 | } |
| 608 | 597 | ||
| 609 | // list directory contents | 598 | // list directory contents |
| 610 | pid_t pid; | 599 | pid_t pid = read_pid(argv[i] + 5); |
| 611 | if (read_pid(argv[i] + 5, &pid) == 0) | 600 | sandboxfs(SANDBOX_FS_LS, pid, path, NULL); |
| 612 | sandboxfs(SANDBOX_FS_LS, pid, path, NULL); | ||
| 613 | else | ||
| 614 | sandboxfs_name(SANDBOX_FS_LS, argv[i] + 5, path, NULL); | ||
| 615 | exit(0); | 601 | exit(0); |
| 616 | } | 602 | } |
| 617 | else { | 603 | else { |
| @@ -635,11 +621,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
| 635 | cfg.shell = guess_shell(); | 621 | cfg.shell = guess_shell(); |
| 636 | 622 | ||
| 637 | // join sandbox by pid or by name | 623 | // join sandbox by pid or by name |
| 638 | pid_t pid; | 624 | pid_t pid = read_pid(argv[i] + 7); |
| 639 | if (read_pid(argv[i] + 7, &pid) == 0) | 625 | join(pid, argc, argv, i + 1); |
| 640 | join(pid, argc, argv, i + 1); | ||
| 641 | else | ||
| 642 | join_name(argv[i] + 7, argc, argv, i + 1); | ||
| 643 | exit(0); | 626 | exit(0); |
| 644 | 627 | ||
| 645 | } | 628 | } |
| @@ -656,6 +639,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
| 656 | cfg.original_program_index = i + 1; | 639 | cfg.original_program_index = i + 1; |
| 657 | } | 640 | } |
| 658 | 641 | ||
| 642 | #if 0 // todo: redo it | ||
| 659 | // try to join by name only | 643 | // try to join by name only |
| 660 | pid_t pid; | 644 | pid_t pid; |
| 661 | if (!name2pid(argv[i] + 16, &pid)) { | 645 | if (!name2pid(argv[i] + 16, &pid)) { |
| @@ -665,6 +649,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
| 665 | join(pid, argc, argv, i + 1); | 649 | join(pid, argc, argv, i + 1); |
| 666 | exit(0); | 650 | exit(0); |
| 667 | } | 651 | } |
| 652 | #endif | ||
| 668 | // if there no such sandbox continue argument processing | 653 | // if there no such sandbox continue argument processing |
| 669 | } | 654 | } |
| 670 | #ifdef HAVE_NETWORK | 655 | #ifdef HAVE_NETWORK |
| @@ -681,11 +666,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
| 681 | cfg.shell = guess_shell(); | 666 | cfg.shell = guess_shell(); |
| 682 | 667 | ||
| 683 | // join sandbox by pid or by name | 668 | // join sandbox by pid or by name |
| 684 | pid_t pid; | 669 | pid_t pid = read_pid(argv[i] + 15); |
| 685 | if (read_pid(argv[i] + 15, &pid) == 0) | 670 | join(pid, argc, argv, i + 1); |
| 686 | join(pid, argc, argv, i + 1); | ||
| 687 | else | ||
| 688 | join_name(argv[i] + 15, argc, argv, i + 1); | ||
| 689 | } | 671 | } |
| 690 | else { | 672 | else { |
| 691 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | 673 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); |
| @@ -707,22 +689,16 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
| 707 | cfg.shell = guess_shell(); | 689 | cfg.shell = guess_shell(); |
| 708 | 690 | ||
| 709 | // join sandbox by pid or by name | 691 | // join sandbox by pid or by name |
| 710 | pid_t pid; | 692 | pid_t pid = read_pid(argv[i] + 18); |
| 711 | if (read_pid(argv[i] + 18, &pid) == 0) | 693 | join(pid, argc, argv, i + 1); |
| 712 | join(pid, argc, argv, i + 1); | ||
| 713 | else | ||
| 714 | join_name(argv[i] + 18, argc, argv, i + 1); | ||
| 715 | exit(0); | 694 | exit(0); |
| 716 | } | 695 | } |
| 717 | else if (strncmp(argv[i], "--shutdown=", 11) == 0) { | 696 | else if (strncmp(argv[i], "--shutdown=", 11) == 0) { |
| 718 | logargs(argc, argv); | 697 | logargs(argc, argv); |
| 719 | 698 | ||
| 720 | // shutdown sandbox by pid or by name | 699 | // shutdown sandbox by pid or by name |
| 721 | pid_t pid; | 700 | pid_t pid = read_pid(argv[i] + 11); |
| 722 | if (read_pid(argv[i] + 11, &pid) == 0) | 701 | shut(pid); |
| 723 | shut(pid); | ||
| 724 | else | ||
| 725 | shut_name(argv[i] + 11); | ||
| 726 | exit(0); | 702 | exit(0); |
| 727 | } | 703 | } |
| 728 | 704 | ||
diff --git a/test/apps/apps.sh b/test/apps/apps.sh index c329c57e5..38307b284 100755 --- a/test/apps/apps.sh +++ b/test/apps/apps.sh | |||
| @@ -169,15 +169,6 @@ else | |||
| 169 | echo "TESTING SKIP: hexchat not found" | 169 | echo "TESTING SKIP: hexchat not found" |
| 170 | fi | 170 | fi |
| 171 | 171 | ||
| 172 | which weechat-curses | ||
| 173 | if [ "$?" -eq 0 ]; | ||
| 174 | then | ||
| 175 | echo "TESTING: weechat" | ||
| 176 | ./weechat.exp | ||
| 177 | else | ||
| 178 | echo "TESTING SKIP: weechat not found" | ||
| 179 | fi | ||
| 180 | |||
| 181 | which wine | 172 | which wine |
| 182 | if [ "$?" -eq 0 ]; | 173 | if [ "$?" -eq 0 ]; |
| 183 | then | 174 | then |
diff --git a/test/apps/weechat.exp b/test/apps/weechat.exp deleted file mode 100755 index b3e04da84..000000000 --- a/test/apps/weechat.exp +++ /dev/null | |||
| @@ -1,83 +0,0 @@ | |||
| 1 | #!/usr/bin/expect -f | ||
| 2 | # This file is part of Firejail project | ||
| 3 | # Copyright (C) 2014-2016 Firejail Authors | ||
| 4 | # License GPL v2 | ||
| 5 | |||
| 6 | set timeout 10 | ||
| 7 | spawn $env(SHELL) | ||
| 8 | match_max 100000 | ||
| 9 | |||
| 10 | send -- "firejail weechat-curses\r" | ||
| 11 | expect { | ||
| 12 | timeout {puts "TESTING ERROR 0\n";exit} | ||
| 13 | "Reading profile /etc/firejail/weechat.profile" | ||
| 14 | } | ||
| 15 | expect { | ||
| 16 | timeout {puts "TESTING ERROR 1\n";exit} | ||
| 17 | "Child process initialized" | ||
| 18 | } | ||
| 19 | sleep 3 | ||
| 20 | |||
| 21 | spawn $env(SHELL) | ||
| 22 | send -- "firejail --list\r" | ||
| 23 | expect { | ||
| 24 | timeout {puts "TESTING ERROR 3\n";exit} | ||
| 25 | ":firejail" | ||
| 26 | } | ||
| 27 | expect { | ||
| 28 | timeout {puts "TESTING ERROR 3.1\n";exit} | ||
| 29 | "weechat-curses" | ||
| 30 | } | ||
| 31 | after 100 | ||
| 32 | |||
| 33 | # grsecurity exit | ||
| 34 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
| 35 | expect { | ||
| 36 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
| 37 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
| 38 | "cannot open" {puts "grsecurity not present\n"} | ||
| 39 | } | ||
| 40 | |||
| 41 | send -- "firejail --name=blablabla\r" | ||
| 42 | expect { | ||
| 43 | timeout {puts "TESTING ERROR 4\n";exit} | ||
| 44 | "Child process initialized" | ||
| 45 | } | ||
| 46 | sleep 2 | ||
| 47 | |||
| 48 | spawn $env(SHELL) | ||
| 49 | send -- "firemon --seccomp\r" | ||
| 50 | expect { | ||
| 51 | timeout {puts "TESTING ERROR 5\n";exit} | ||
| 52 | "weechat-curses" | ||
| 53 | } | ||
| 54 | expect { | ||
| 55 | timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} | ||
| 56 | "Seccomp: 2" | ||
| 57 | } | ||
| 58 | expect { | ||
| 59 | timeout {puts "TESTING ERROR 5.1\n";exit} | ||
| 60 | "name=blablabla" | ||
| 61 | } | ||
| 62 | after 100 | ||
| 63 | send -- "firemon --caps\r" | ||
| 64 | expect { | ||
| 65 | timeout {puts "TESTING ERROR 6\n";exit} | ||
| 66 | "weechat-curses" | ||
| 67 | } | ||
| 68 | expect { | ||
| 69 | timeout {puts "TESTING ERROR 6.1\n";exit} | ||
| 70 | "CapBnd:" | ||
| 71 | } | ||
| 72 | expect { | ||
| 73 | timeout {puts "TESTING ERROR 6.2\n";exit} | ||
| 74 | "0000000000000000" | ||
| 75 | } | ||
| 76 | expect { | ||
| 77 | timeout {puts "TESTING ERROR 6.3\n";exit} | ||
| 78 | "name=blablabla" | ||
| 79 | } | ||
| 80 | after 100 | ||
| 81 | |||
| 82 | puts "\n" | ||
| 83 | |||