diff options
| author |  netblue30 <netblue30@yahoo.com> | 2015-08-28 10:51:37 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2015-08-28 10:51:37 -0400 |
| commit | 2c0adbb7c979365a6aec1a85a758198c88b44a0f (patch) | |
| tree | b5aca47f685c18b8b0c7a235dfaa0835bbdf7bf2 | |
| parent | testing default.profile (diff) | |
| download | firejail-2c0adbb7c979365a6aec1a85a758198c88b44a0f.tar.gz firejail-2c0adbb7c979365a6aec1a85a758198c88b44a0f.tar.zst firejail-2c0adbb7c979365a6aec1a85a758198c88b44a0f.zip | |
cleanup unfinished features
| -rw-r--r-- | src/firejail/firejail.h | 2 | ||||
| -rw-r--r-- | src/firejail/fs.c | 43 | ||||
| -rw-r--r-- | src/firejail/main.c | 34 |
3 files changed, 0 insertions, 79 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 532a4797e..ce2b0e7a5 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -136,8 +136,6 @@ extern int arg_rlimit_nofile; // rlimit nofile | |||
| 136 | extern int arg_rlimit_nproc; // rlimit nproc | 136 | extern int arg_rlimit_nproc; // rlimit nproc |
| 137 | extern int arg_rlimit_fsize; // rlimit fsize | 137 | extern int arg_rlimit_fsize; // rlimit fsize |
| 138 | extern int arg_rlimit_sigpending;// rlimit sigpending | 138 | extern int arg_rlimit_sigpending;// rlimit sigpending |
| 139 | extern int arg_nox11; // kill the program if x11 unix domain socket is accessed | ||
| 140 | extern int arg_nodbus; // kill the program if D-Bus is accessed | ||
| 141 | extern int arg_nogroups; // disable supplementary groups | 139 | extern int arg_nogroups; // disable supplementary groups |
| 142 | extern int arg_noroot; // create a new user namespace and disable root user | 140 | extern int arg_noroot; // create a new user namespace and disable root user |
| 143 | extern int arg_netfilter; // enable netfilter | 141 | extern int arg_netfilter; // enable netfilter |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index ca73ae554..3f8f7176c 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
| @@ -377,49 +377,6 @@ void fs_proc_sys_dev_boot(void) { | |||
| 377 | // if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0) | 377 | // if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0) |
| 378 | // errExit("mounting /sys"); | 378 | // errExit("mounting /sys"); |
| 379 | 379 | ||
| 380 | |||
| 381 | // mounting firejail kernel module files | ||
| 382 | if (stat("/proc/firejail-uptime", &s) == 0) { | ||
| 383 | errno = 0; | ||
| 384 | FILE *fp = fopen("/proc/firejail", "w"); | ||
| 385 | int cnt = 0; | ||
| 386 | while (errno == EBUSY && cnt < 10) { | ||
| 387 | if (!fp) { | ||
| 388 | int s = random(); | ||
| 389 | s /= 200000; | ||
| 390 | usleep(s); | ||
| 391 | fp = fopen("/proc/firejail", "w"); | ||
| 392 | } | ||
| 393 | else | ||
| 394 | break; | ||
| 395 | } | ||
| 396 | if (!fp) { | ||
| 397 | fprintf(stderr, "Error: cannot register sandbox with firejail-lkm\n"); | ||
| 398 | exit(1); | ||
| 399 | } | ||
| 400 | if (fp) { | ||
| 401 | // registration | ||
| 402 | fprintf(fp, "register\n"); | ||
| 403 | fflush(0); | ||
| 404 | // filtering x11 connect calls | ||
| 405 | if (arg_nox11) { | ||
| 406 | fprintf(fp, "no connect unix /tmp/.X11\n"); | ||
| 407 | fflush(0); | ||
| 408 | printf("X11 access disabled\n"); | ||
| 409 | } | ||
| 410 | if (arg_nodbus) { | ||
| 411 | fprintf(fp, "no connect unix /var/run/dbus/system_bus_socket\n"); | ||
| 412 | fflush(0); | ||
| 413 | fprintf(fp, "no connect unix /tmp/dbus\n"); | ||
| 414 | fflush(0); | ||
| 415 | printf("D-Bus access disabled\n"); | ||
| 416 | } | ||
| 417 | fclose(fp); | ||
| 418 | if (mount("/proc/firejail-uptime", "/proc/uptime", NULL, MS_BIND|MS_REC, NULL) < 0) | ||
| 419 | fprintf(stderr, "Warning: cannot mount /proc/firejail-uptime\n"); | ||
| 420 | } | ||
| 421 | } | ||
| 422 | |||
| 423 | // Disable SysRq | 380 | // Disable SysRq |
| 424 | // a linux box can be shut down easily using the following commands (as root): | 381 | // a linux box can be shut down easily using the following commands (as root): |
| 425 | // # echo 1 > /proc/sys/kernel/sysrq | 382 | // # echo 1 > /proc/sys/kernel/sysrq |
diff --git a/src/firejail/main.c b/src/firejail/main.c index bcff0e41f..3a5a21cad 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -73,8 +73,6 @@ int arg_rlimit_nofile = 0; // rlimit nofile | |||
| 73 | int arg_rlimit_nproc = 0; // rlimit nproc | 73 | int arg_rlimit_nproc = 0; // rlimit nproc |
| 74 | int arg_rlimit_fsize = 0; // rlimit fsize | 74 | int arg_rlimit_fsize = 0; // rlimit fsize |
| 75 | int arg_rlimit_sigpending = 0; // rlimit fsize | 75 | int arg_rlimit_sigpending = 0; // rlimit fsize |
| 76 | int arg_nox11 = 0; // kill the program if x11 unix domain socket is accessed | ||
| 77 | int arg_nodbus = 0; // kill the program if D-Bus is accessed | ||
| 78 | int arg_nogroups = 0; // disable supplementary groups | 76 | int arg_nogroups = 0; // disable supplementary groups |
| 79 | int arg_noroot = 0; // create a new user namespace and disable root user | 77 | int arg_noroot = 0; // create a new user namespace and disable root user |
| 80 | int arg_netfilter; // enable netfilter | 78 | int arg_netfilter; // enable netfilter |
| @@ -99,18 +97,6 @@ static void myexit(int rv) { | |||
| 99 | if (!arg_command) | 97 | if (!arg_command) |
| 100 | printf("\nparent is shutting down, bye...\n"); | 98 | printf("\nparent is shutting down, bye...\n"); |
| 101 | 99 | ||
| 102 | struct stat s; | ||
| 103 | if (stat("/proc/firejail", &s) == 0) { | ||
| 104 | /* coverity[toctou] */ | ||
| 105 | FILE *fp = fopen("/proc/firejail", "w"); | ||
| 106 | if (fp) { | ||
| 107 | // deregistration | ||
| 108 | fprintf(fp, "release\n"); | ||
| 109 | fflush(0); | ||
| 110 | fclose(fp); | ||
| 111 | } | ||
| 112 | } | ||
| 113 | |||
| 114 | // delete sandbox files in shared memory | 100 | // delete sandbox files in shared memory |
| 115 | bandwidth_shm_del_file(sandbox_pid); // bandwidht file | 101 | bandwidth_shm_del_file(sandbox_pid); // bandwidht file |
| 116 | network_shm_del_file(sandbox_pid); // network map file | 102 | network_shm_del_file(sandbox_pid); // network map file |
| @@ -556,26 +542,6 @@ int main(int argc, char **argv) { | |||
| 556 | arg_ipc = 1; | 542 | arg_ipc = 1; |
| 557 | else if (strncmp(argv[i], "--cpu=", 6) == 0) | 543 | else if (strncmp(argv[i], "--cpu=", 6) == 0) |
| 558 | read_cpu_list(argv[i] + 6); | 544 | read_cpu_list(argv[i] + 6); |
| 559 | else if (strcmp(argv[i], "--nox11") == 0) { | ||
| 560 | // check if firejail lkm is present | ||
| 561 | struct stat s; | ||
| 562 | if (stat("/proc/firejail", &s) < 0) { | ||
| 563 | fprintf(stderr, "Error: firejail Linux kernel module not found. The module" | ||
| 564 | " is required for --nox11 option to work.\n"); | ||
| 565 | exit(1); | ||
| 566 | } | ||
| 567 | arg_nox11 = 1; | ||
| 568 | } | ||
| 569 | else if (strcmp(argv[i], "--nodbus") == 0) { | ||
| 570 | // check if firejail lkm is present | ||
| 571 | struct stat s; | ||
| 572 | if (stat("/proc/firejail", &s) < 0) { | ||
| 573 | fprintf(stderr, "Error: firejail Linux kernel module not found. The module" | ||
| 574 | " is required for --nodbus option to work.\n"); | ||
| 575 | exit(1); | ||
| 576 | } | ||
| 577 | arg_nodbus = 1; | ||
| 578 | } | ||
| 579 | else if (strncmp(argv[i], "--cgroup=", 9) == 0) { | 545 | else if (strncmp(argv[i], "--cgroup=", 9) == 0) { |
| 580 | if (arg_cgroup) { | 546 | if (arg_cgroup) { |
| 581 | fprintf(stderr, "Error: only a cgroup can be defined\n"); | 547 | fprintf(stderr, "Error: only a cgroup can be defined\n"); |