moved sandbox name to /run/firejail/name/<PID>

author: netblue30 <netblue30@yahoo.com> 2016-02-19 09:30:46 -0500
committer: netblue30 <netblue30@yahoo.com> 2016-02-19 09:30:46 -0500
commit: 07c05e8a54307118982fdb725664c9fcaef65f38 (patch)
tree: 90508984ef60851f95f4a8f64c00c88c73314bbc
parent: euid switching (diff)
download: firejail-07c05e8a54307118982fdb725664c9fcaef65f38.tar.gz
firejail-07c05e8a54307118982fdb725664c9fcaef65f38.tar.zst
firejail-07c05e8a54307118982fdb725664c9fcaef65f38.zip
4 files changed, 92 insertions, 43 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 577c1a9ae..4babc58e7 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -26,6 +26,9 @@
 // filesystem
 #define RUN_FIREJAIL_BASEDIR    "/run"
 #define RUN_FIREJAIL_DIR        "/run/firejail"
+#define RUN_FIREJAIL_NAME_DIR   "/run/firejail/name"
+#define RUN_FIREJAIL_NETWORK_DIR        "/run/firejail/network"
+#define RUN_FIREJAIL_BANDWIDTH_DIR      "/run/firejail/bandwidth"
 #define RUN_NETWORK_LOCK_FILE   "/run/firejail/firejail.lock"
 #define RUN_RO_DIR      "/run/firejail/firejail.ro.dir"
 #define RUN_RO_FILE     "/run/firejail/firejail.ro.file"
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index c3e9890b4..616b87562 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -85,6 +85,27 @@ void fs_build_firejail_dir(void) {
                        errExit("chown");
                if (chmod(RUN_FIREJAIL_DIR, 0755) < 0)
                        errExit("chmod");
+                
+                if (mkdir(RUN_FIREJAIL_NETWORK_DIR, 0755) == -1)
+                        errExit("mkdir");
+                if (chown(RUN_FIREJAIL_NETWORK_DIR, 0, 0) < 0)
+                        errExit("chown");
+                if (chmod(RUN_FIREJAIL_NETWORK_DIR, 0755) < 0)
+                        errExit("chmod");
+                
+                if (mkdir(RUN_FIREJAIL_BANDWIDTH_DIR, 0755) == -1)
+                        errExit("mkdir");
+                if (chown(RUN_FIREJAIL_BANDWIDTH_DIR, 0, 0) < 0)
+                        errExit("chown");
+                if (chmod(RUN_FIREJAIL_BANDWIDTH_DIR, 0755) < 0)
+                        errExit("chmod");
+                
+                if (mkdir(RUN_FIREJAIL_NAME_DIR, 0755) == -1)
+                        errExit("mkdir");
+                if (chown(RUN_FIREJAIL_NAME_DIR, 0, 0) < 0)
+                        errExit("chown");
+                if (chmod(RUN_FIREJAIL_NAME_DIR, 0755) < 0)
+                        errExit("chmod");
        }
        else { // check /tmp/firejail directory belongs to root end exit if doesn't!
                if (s.st_uid != 0 || s.st_gid != 0) {
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 688653ce2..3c714f385 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -104,6 +104,9 @@ int fullargc = 0;
 static pid_t child = 0;
 pid_t sandbox_pid;
+static void set_name_file(uid_t pid);
+static void delete_name_file(uid_t pid);
 static void myexit(int rv) {
        logmsg("exiting...");
        if (!arg_command && !arg_quiet)
@@ -112,6 +115,7 @@ static void myexit(int rv) {
        // delete sandbox files in shared memory
        bandwidth_shm_del_file(sandbox_pid);            // bandwidth file
        network_shm_del_file(sandbox_pid);              // network map file
+        delete_name_file(sandbox_pid);
        
        exit(rv); 
 }
@@ -477,6 +481,36 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 }
+static void set_name_file(uid_t pid) {
+        char *fname;
+        if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, pid) == -1)
+                errExit("asprintf");
+        // the file is deleted first
+        FILE *fp = fopen(fname, "w");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot create %s\n", fname);
+                exit(1);
+        }
+        fprintf(fp, "%s\n", cfg.name);
+        fclose(fp);
+        
+        // mode and ownership
+        if (chown(fname, 0, 0) == -1)
+                errExit("chown");
+        if (chmod(fname, 0644) == -1)
+                errExit("chmod");
+        
+}
+static void delete_name_file(uid_t pid) {
+        char *fname;
+        if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, pid) == -1)
+                errExit("asprintf");
+        int rv = unlink(fname);
+        (void) rv;
+}
 //*******************************************
 // Main program
 //*******************************************
@@ -1500,6 +1534,13 @@ int main(int argc, char **argv) {
                arg_noroot = 0;
        }
+        // set name file
+        EUID_ROOT();
+        if (cfg.name)
+                set_name_file(sandbox_pid);
+        EUID_USER();
+        
        // clone environment
        int flags = CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD;
        
@@ -1627,6 +1668,9 @@ int main(int argc, char **argv) {
        if (lockfd != -1)
                flock(lockfd, LOCK_UN);
+        // create name file under /run/firejail
+        
        // handle CTRL-C in parent
        signal (SIGINT, my_handler);
        signal (SIGTERM, my_handler);
diff --git a/src/lib/common.c b/src/lib/common.c
index 099bb54d3..f321c5a47 100644
--- a/src/lib/common.c
+++ b/src/lib/common.c
@@ -95,53 +95,34 @@ int name2pid(const char *name, pid_t *pid) {
                        free(comm);
                }
                
-                char *cmd = pid_proc_cmdline(newpid);
+                // look for the sandbox name in /run/firejail/name/<PID>
-                if (cmd) {
+                // todo: use RUN_FIREJAIL_NAME_DIR define from src/firejail/firejail.h
-                        // mark the end of the name
+                char *fname;
-                        char *ptr = strstr(cmd, "--name=");
+                if (asprintf(&fname, "/run/firejail/name/%d", newpid) == -1)
-                        char *start = ptr;
+                        errExit("asprintf");
-                        if (!ptr) {
+                FILE *fp = fopen(fname, "r");
-                                free(cmd);
+                if (fp) {
-                                
+                        char buf[BUFLEN];
-                                // extract name for /run/mnt/firejail/fslogger file
+                        if (fgets(buf, BUFLEN, fp)) {
-                                char *fname;
+                                // remove \n
-                                if (asprintf(&fname, "/proc/%d/root/run/firejail/mnt/fslogger", newpid) == -1)
+                                char *ptr = strchr(buf, '\n');
-                                        errExit("asprintf");
+                                if (ptr) {
+                                        *ptr = '\0';
-                                struct stat s;
+                                        if (strcmp(buf, name) == 0) {
-                                if (stat(fname, &s) == 0) {
+                                                // we found it!
-                                        FILE *fp = fopen(fname, "r");
-                                        if (fp) {
-                                                char buf[BUFLEN];
-                                                if (fgets(buf, BUFLEN, fp)) {
-                                                        if (strncmp(buf, "sandbox name: ", 14) == 0) {
-                                                                char *ptr2 = buf + 14;
-                                                                if (strncmp(name, ptr2, strlen(name)) == 0) {
-                                                                        fclose(fp);
-                                                                        *pid = newpid;
-                                                                        closedir(dir);
-                                                                        return 0;
-                                                                }
-                                                        }
-                                                }
                                                fclose(fp);
+                                                free(fname);
+                                                *pid = newpid;
+                                                closedir(dir);
+                                                return 0;
                                        }
-                                }       
+                                }
-                                
+                                else
-                                continue;
+                                        fprintf(stderr, "Error: invalid %s\n", fname);
                        }
-                        while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0')
+                        fclose(fp);
-                                ptr++;
-                        *ptr = '\0';
-                        int rv = strcmp(start + 7, name);
-                        if (rv == 0) {
-                                free(cmd);
-                                *pid = newpid;
-                                closedir(dir);
-                                return 0;
-                        }
-                        free(cmd);
                }
+                free(fname);
        }
        closedir(dir);
        return 1;
author	netblue30 <netblue30@yahoo.com>	2016-02-19 09:30:46 -0500
committer	netblue30 <netblue30@yahoo.com>	2016-02-19 09:30:46 -0500
commit	07c05e8a54307118982fdb725664c9fcaef65f38 (patch)
tree	90508984ef60851f95f4a8f64c00c88c73314bbc
parent	euid switching (diff)
download	firejail-07c05e8a54307118982fdb725664c9fcaef65f38.tar.gz firejail-07c05e8a54307118982fdb725664c9fcaef65f38.tar.zst firejail-07c05e8a54307118982fdb725664c9fcaef65f38.zip

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 577c1a9ae..4babc58e7 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -26,6 +26,9 @@
26	// filesystem	26	// filesystem
27	#define RUN_FIREJAIL_BASEDIR "/run"	27	#define RUN_FIREJAIL_BASEDIR "/run"
28	#define RUN_FIREJAIL_DIR "/run/firejail"	28	#define RUN_FIREJAIL_DIR "/run/firejail"
		29	#define RUN_FIREJAIL_NAME_DIR "/run/firejail/name"
		30	#define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network"
		31	#define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth"
29	#define RUN_NETWORK_LOCK_FILE "/run/firejail/firejail.lock"	32	#define RUN_NETWORK_LOCK_FILE "/run/firejail/firejail.lock"
30	#define RUN_RO_DIR "/run/firejail/firejail.ro.dir"	33	#define RUN_RO_DIR "/run/firejail/firejail.ro.dir"
31	#define RUN_RO_FILE "/run/firejail/firejail.ro.file"	34	#define RUN_RO_FILE "/run/firejail/firejail.ro.file"


diff --git a/src/firejail/fs.c b/src/firejail/fs.c index c3e9890b4..616b87562 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -85,6 +85,27 @@ void fs_build_firejail_dir(void) {
85	errExit("chown");	85	errExit("chown");
86	if (chmod(RUN_FIREJAIL_DIR, 0755) < 0)	86	if (chmod(RUN_FIREJAIL_DIR, 0755) < 0)
87	errExit("chmod");	87	errExit("chmod");
		88
		89	if (mkdir(RUN_FIREJAIL_NETWORK_DIR, 0755) == -1)
		90	errExit("mkdir");
		91	if (chown(RUN_FIREJAIL_NETWORK_DIR, 0, 0) < 0)
		92	errExit("chown");
		93	if (chmod(RUN_FIREJAIL_NETWORK_DIR, 0755) < 0)
		94	errExit("chmod");
		95
		96	if (mkdir(RUN_FIREJAIL_BANDWIDTH_DIR, 0755) == -1)
		97	errExit("mkdir");
		98	if (chown(RUN_FIREJAIL_BANDWIDTH_DIR, 0, 0) < 0)
		99	errExit("chown");
		100	if (chmod(RUN_FIREJAIL_BANDWIDTH_DIR, 0755) < 0)
		101	errExit("chmod");
		102
		103	if (mkdir(RUN_FIREJAIL_NAME_DIR, 0755) == -1)
		104	errExit("mkdir");
		105	if (chown(RUN_FIREJAIL_NAME_DIR, 0, 0) < 0)
		106	errExit("chown");
		107	if (chmod(RUN_FIREJAIL_NAME_DIR, 0755) < 0)
		108	errExit("chmod");
88	}	109	}
89	else { // check /tmp/firejail directory belongs to root end exit if doesn't!	110	else { // check /tmp/firejail directory belongs to root end exit if doesn't!
90	if (s.st_uid != 0 \|\| s.st_gid != 0) {	111	if (s.st_uid != 0 \|\| s.st_gid != 0) {


diff --git a/src/firejail/main.c b/src/firejail/main.c index 688653ce2..3c714f385 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -104,6 +104,9 @@ int fullargc = 0;
104	static pid_t child = 0;	104	static pid_t child = 0;
105	pid_t sandbox_pid;	105	pid_t sandbox_pid;
106		106
		107	static void set_name_file(uid_t pid);
		108	static void delete_name_file(uid_t pid);
		109
107	static void myexit(int rv) {	110	static void myexit(int rv) {
108	logmsg("exiting...");	111	logmsg("exiting...");
109	if (!arg_command && !arg_quiet)	112	if (!arg_command && !arg_quiet)
@@ -112,6 +115,7 @@ static void myexit(int rv) {
112	// delete sandbox files in shared memory	115	// delete sandbox files in shared memory
113	bandwidth_shm_del_file(sandbox_pid); // bandwidth file	116	bandwidth_shm_del_file(sandbox_pid); // bandwidth file
114	network_shm_del_file(sandbox_pid); // network map file	117	network_shm_del_file(sandbox_pid); // network map file
		118	delete_name_file(sandbox_pid);
115		119
116	exit(rv);	120	exit(rv);
117	}	121	}
@@ -477,6 +481,36 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
477		481
478	}	482	}
479		483
		484	static void set_name_file(uid_t pid) {
		485	char *fname;
		486	if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, pid) == -1)
		487	errExit("asprintf");
		488
		489	// the file is deleted first
		490	FILE *fp = fopen(fname, "w");
		491	if (!fp) {
		492	fprintf(stderr, "Error: cannot create %s\n", fname);
		493	exit(1);
		494	}
		495	fprintf(fp, "%s\n", cfg.name);
		496	fclose(fp);
		497
		498	// mode and ownership
		499	if (chown(fname, 0, 0) == -1)
		500	errExit("chown");
		501	if (chmod(fname, 0644) == -1)
		502	errExit("chmod");
		503
		504	}
		505
		506	static void delete_name_file(uid_t pid) {
		507	char *fname;
		508	if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, pid) == -1)
		509	errExit("asprintf");
		510	int rv = unlink(fname);
		511	(void) rv;
		512	}
		513
480	//*******************************************	514	//*******************************************
481	// Main program	515	// Main program
482	//*******************************************	516	//*******************************************
@@ -1500,6 +1534,13 @@ int main(int argc, char **argv) {
1500	arg_noroot = 0;	1534	arg_noroot = 0;
1501	}	1535	}
1502		1536
		1537
		1538	// set name file
		1539	EUID_ROOT();
		1540	if (cfg.name)
		1541	set_name_file(sandbox_pid);
		1542	EUID_USER();
		1543
1503	// clone environment	1544	// clone environment
1504	int flags = CLONE_NEWNS \| CLONE_NEWPID \| CLONE_NEWUTS \| SIGCHLD;	1545	int flags = CLONE_NEWNS \| CLONE_NEWPID \| CLONE_NEWUTS \| SIGCHLD;
1505		1546
@@ -1627,6 +1668,9 @@ int main(int argc, char **argv) {
1627	if (lockfd != -1)	1668	if (lockfd != -1)
1628	flock(lockfd, LOCK_UN);	1669	flock(lockfd, LOCK_UN);
1629		1670
		1671	// create name file under /run/firejail
		1672
		1673
1630	// handle CTRL-C in parent	1674	// handle CTRL-C in parent
1631	signal (SIGINT, my_handler);	1675	signal (SIGINT, my_handler);
1632	signal (SIGTERM, my_handler);	1676	signal (SIGTERM, my_handler);


diff --git a/src/lib/common.c b/src/lib/common.c index 099bb54d3..f321c5a47 100644 --- a/src/lib/common.c +++ b/src/lib/common.c
@@ -95,53 +95,34 @@ int name2pid(const char name, pid_t pid) {
95	free(comm);	95	free(comm);
96	}	96	}
97		97
98	char *cmd = pid_proc_cmdline(newpid);	98	// look for the sandbox name in /run/firejail/name/<PID>
99	if (cmd) {	99	// todo: use RUN_FIREJAIL_NAME_DIR define from src/firejail/firejail.h
100	// mark the end of the name	100	char *fname;
101	char *ptr = strstr(cmd, "--name=");	101	if (asprintf(&fname, "/run/firejail/name/%d", newpid) == -1)
102	char *start = ptr;	102	errExit("asprintf");
103	if (!ptr) {	103	FILE *fp = fopen(fname, "r");
104	free(cmd);	104	if (fp) {
105		105	char buf[BUFLEN];
106	// extract name for /run/mnt/firejail/fslogger file	106	if (fgets(buf, BUFLEN, fp)) {
107	char *fname;	107	// remove \n
108	if (asprintf(&fname, "/proc/%d/root/run/firejail/mnt/fslogger", newpid) == -1)	108	char *ptr = strchr(buf, '\n');
109	errExit("asprintf");	109	if (ptr) {
110		110	*ptr = '\0';
111	struct stat s;	111	if (strcmp(buf, name) == 0) {
112	if (stat(fname, &s) == 0) {	112	// we found it!
113	FILE *fp = fopen(fname, "r");
114	if (fp) {
115	char buf[BUFLEN];
116	if (fgets(buf, BUFLEN, fp)) {
117	if (strncmp(buf, "sandbox name: ", 14) == 0) {
118	char *ptr2 = buf + 14;
119	if (strncmp(name, ptr2, strlen(name)) == 0) {
120	fclose(fp);
121	*pid = newpid;
122	closedir(dir);
123	return 0;
124	}
125	}
126	}
127	fclose(fp);	113	fclose(fp);
		114	free(fname);
		115	*pid = newpid;
		116	closedir(dir);
		117	return 0;
128	}	118	}
129	}	119	}
130		120	else
131	continue;	121	fprintf(stderr, "Error: invalid %s\n", fname);
132	}	122	}
133	while (ptr != ' ' && ptr != '\t' && *ptr != '\0')	123	fclose(fp);
134	ptr++;
135	*ptr = '\0';
136	int rv = strcmp(start + 7, name);
137	if (rv == 0) {
138	free(cmd);
139	*pid = newpid;
140	closedir(dir);
141	return 0;
142	}
143	free(cmd);
144	}	124	}
		125	free(fname);
145	}	126	}
146	closedir(dir);	127	closedir(dir);
147	return 1;	128	return 1;