fixed --top

author: netblue30 <netblue30@yahoo.com> 2016-11-09 22:46:32 -0500
committer: netblue30 <netblue30@yahoo.com> 2016-11-09 22:46:32 -0500
commit: 0939f26a4f2f5d090baadb7f2a47269e9e456fb5 (patch)
tree: 43918f354aebaffbe66cdab3afb9d89b4de6fc41
parent: testing (diff)
download: firejail-0939f26a4f2f5d090baadb7f2a47269e9e456fb5.tar.gz
firejail-0939f26a4f2f5d090baadb7f2a47269e9e456fb5.tar.zst
firejail-0939f26a4f2f5d090baadb7f2a47269e9e456fb5.zip
3 files changed, 15 insertions, 10 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 56dbd6868..b8126cfe7 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -688,11 +688,13 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar
 #define PATH_FIREMON (PREFIX "/bin/firemon")
 #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
 // bitmapped filters for sbox_run
-#define SBOX_ROOT (1 << 0)
+#define SBOX_ROOT (1 << 0)                      // run the sandbox as root
-#define SBOX_USER (1 << 1)
+#define SBOX_USER (1 << 1)                      // run the sandbox as a regular user
-#define SBOX_SECCOMP (1 << 2)
+#define SBOX_SECCOMP (1 << 2)           // install seccomp 
 #define SBOX_CAPS_NONE (1 << 3)         // drop all capabilities
 #define SBOX_CAPS_NETWORK (1 << 4)      // caps filter for programs running network programs
+#define SBOX_ALLOW_STDIN (1 << 5)               // don't close stdin
 // run sbox
 int sbox_run(unsigned filter, int num, ...);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index b6f3a7f59..f01094af9 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -507,7 +507,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                exit(rv);
        }
        else if (strcmp(argv[i], "--top") == 0) {
-                int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--top");
+                int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
+                        2, PATH_FIREMON, "--top");
                exit(rv);
        }
 #ifdef HAVE_NETWORK     
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index 3d4eef3aa..bca72c14a 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -141,14 +141,16 @@ int sbox_run(unsigned filter, int num, ...) {
                int max = 20; // getdtablesize() is overkill for a firejail process
                for (i = 3; i < max; i++)
                        close(i); // close open files
+                if ((filter & SBOX_ALLOW_STDIN) == 0) {
                int fd = open("/dev/null",O_RDWR, 0);
-                if (fd != -1) {
+                        if (fd != -1) {
-                        dup2 (fd, STDIN_FILENO);
+                                dup2 (fd, STDIN_FILENO);
-                        if (fd > 2)
+                                if (fd > 2)
-                                close (fd);
+                                        close (fd);
+                        }
+                        else // the user could run the sandbox without /dev/null
+                                close(STDIN_FILENO);
                }
-                else // the user could run the sandbox without /dev/null
-                        close(STDIN_FILENO);
                umask(027);     
                // apply filters
author	netblue30 <netblue30@yahoo.com>	2016-11-09 22:46:32 -0500
committer	netblue30 <netblue30@yahoo.com>	2016-11-09 22:46:32 -0500
commit	0939f26a4f2f5d090baadb7f2a47269e9e456fb5 (patch)
tree	43918f354aebaffbe66cdab3afb9d89b4de6fc41
parent	testing (diff)
download	firejail-0939f26a4f2f5d090baadb7f2a47269e9e456fb5.tar.gz firejail-0939f26a4f2f5d090baadb7f2a47269e9e456fb5.tar.zst firejail-0939f26a4f2f5d090baadb7f2a47269e9e456fb5.zip