diff options
| author |  smitsohu <smitsohu@gmail.com> | 2022-07-11 23:01:06 +0200 |
|---|---|---|
| committer | smitsohu <smitsohu@gmail.com> | 2022-07-11 23:01:06 +0200 |
| commit | 5d4c2b3e6a6046b605c23bd09eda70d7937334a7 (patch) | |
| tree | 461fe255133f48d58b391e466be3948ff5a404d5 | |
| parent | cleanup (diff) | |
| download | firejail-5d4c2b3e6a6046b605c23bd09eda70d7937334a7.tar.gz firejail-5d4c2b3e6a6046b605c23bd09eda70d7937334a7.tar.zst firejail-5d4c2b3e6a6046b605c23bd09eda70d7937334a7.zip | |
minor sandbox lock improvements
| -rw-r--r-- | src/firejail/firejail.h | 3 | ||||
| -rw-r--r-- | src/firejail/main.c | 8 | ||||
| -rw-r--r-- | src/firejail/run_files.c | 20 |
3 files changed, 19 insertions, 12 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index c5004ef8a..aec320c1f 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -907,7 +907,8 @@ void delete_bandwidth_run_file(pid_t pid); | |||
| 907 | void set_name_run_file(pid_t pid); | 907 | void set_name_run_file(pid_t pid); |
| 908 | void set_x11_run_file(pid_t pid, int display); | 908 | void set_x11_run_file(pid_t pid, int display); |
| 909 | void set_profile_run_file(pid_t pid, const char *fname); | 909 | void set_profile_run_file(pid_t pid, const char *fname); |
| 910 | int set_sandbox_run_file(pid_t pid, pid_t child); | 910 | void set_sandbox_run_file(pid_t pid, pid_t child); |
| 911 | void release_sandbox_run_file_lock(void); | ||
| 911 | 912 | ||
| 912 | // dbus.c | 913 | // dbus.c |
| 913 | int dbus_check_name(const char *name); | 914 | int dbus_check_name(const char *name); |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 6466be7d4..539760535 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -190,6 +190,8 @@ static void myexit(int rv) { | |||
| 190 | } | 190 | } |
| 191 | 191 | ||
| 192 | static void my_handler(int s) { | 192 | static void my_handler(int s) { |
| 193 | release_sandbox_run_file_lock(); | ||
| 194 | |||
| 193 | fmessage("\nParent received signal %d, shutting down the child process...\n", s); | 195 | fmessage("\nParent received signal %d, shutting down the child process...\n", s); |
| 194 | logsignal(s); | 196 | logsignal(s); |
| 195 | 197 | ||
| @@ -961,7 +963,6 @@ int main(int argc, char **argv, char **envp) { | |||
| 961 | int prog_index = -1; // index in argv where the program command starts | 963 | int prog_index = -1; // index in argv where the program command starts |
| 962 | int lockfd_network = -1; | 964 | int lockfd_network = -1; |
| 963 | int lockfd_directory = -1; | 965 | int lockfd_directory = -1; |
| 964 | int lockfd_sandboxfile = -1; | ||
| 965 | int custom_profile = 0; // custom profile loaded | 966 | int custom_profile = 0; // custom profile loaded |
| 966 | int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot) | 967 | int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot) |
| 967 | int arg_netlock = 0; | 968 | int arg_netlock = 0; |
| @@ -2997,7 +2998,7 @@ int main(int argc, char **argv, char **envp) { | |||
| 2997 | EUID_USER(); | 2998 | EUID_USER(); |
| 2998 | 2999 | ||
| 2999 | // sandbox pidfile | 3000 | // sandbox pidfile |
| 3000 | lockfd_sandboxfile = set_sandbox_run_file(getpid(), child); | 3001 | set_sandbox_run_file(getpid(), child); |
| 3001 | 3002 | ||
| 3002 | if (!arg_command && !arg_quiet) { | 3003 | if (!arg_command && !arg_quiet) { |
| 3003 | fmessage("Parent pid %u, child pid %u\n", sandbox_pid, child); | 3004 | fmessage("Parent pid %u, child pid %u\n", sandbox_pid, child); |
| @@ -3222,8 +3223,7 @@ int main(int argc, char **argv, char **envp) { | |||
| 3222 | // end of signal-safe code | 3223 | // end of signal-safe code |
| 3223 | //***************************** | 3224 | //***************************** |
| 3224 | 3225 | ||
| 3225 | // release lock | 3226 | release_sandbox_run_file_lock(); |
| 3226 | close(lockfd_sandboxfile); | ||
| 3227 | 3227 | ||
| 3228 | if (WIFEXITED(status)){ | 3228 | if (WIFEXITED(status)){ |
| 3229 | myexit(WEXITSTATUS(status)); | 3229 | myexit(WEXITSTATUS(status)); |
diff --git a/src/firejail/run_files.c b/src/firejail/run_files.c index 8b8bbae12..6724e2cd8 100644 --- a/src/firejail/run_files.c +++ b/src/firejail/run_files.c | |||
| @@ -164,7 +164,8 @@ void set_profile_run_file(pid_t pid, const char *fname) { | |||
| 164 | free(runfile); | 164 | free(runfile); |
| 165 | } | 165 | } |
| 166 | 166 | ||
| 167 | int set_sandbox_run_file(pid_t pid, pid_t child) { | 167 | static int sandbox_run_file_fd = -1; |
| 168 | void set_sandbox_run_file(pid_t pid, pid_t child) { | ||
| 168 | char *runfile; | 169 | char *runfile; |
| 169 | if (asprintf(&runfile, "%s/%d", RUN_FIREJAIL_SANDBOX_DIR, pid) == -1) | 170 | if (asprintf(&runfile, "%s/%d", RUN_FIREJAIL_SANDBOX_DIR, pid) == -1) |
| 170 | errExit("asprintf"); | 171 | errExit("asprintf"); |
| @@ -172,8 +173,8 @@ int set_sandbox_run_file(pid_t pid, pid_t child) { | |||
| 172 | EUID_ROOT(); | 173 | EUID_ROOT(); |
| 173 | // the file is deleted first | 174 | // the file is deleted first |
| 174 | // this file should be opened with O_CLOEXEC set | 175 | // this file should be opened with O_CLOEXEC set |
| 175 | int fd = open(runfile, O_CREAT | O_WRONLY | O_TRUNC | O_CLOEXEC, S_IRUSR | S_IWUSR); | 176 | sandbox_run_file_fd = open(runfile, O_CREAT | O_WRONLY | O_TRUNC | O_CLOEXEC, S_IRUSR | S_IWUSR); |
| 176 | if (fd < 0) { | 177 | if (sandbox_run_file_fd < 0) { |
| 177 | fprintf(stderr, "Error: cannot create %s\n", runfile); | 178 | fprintf(stderr, "Error: cannot create %s\n", runfile); |
| 178 | exit(1); | 179 | exit(1); |
| 179 | } | 180 | } |
| @@ -185,7 +186,7 @@ int set_sandbox_run_file(pid_t pid, pid_t child) { | |||
| 185 | size_t len = strlen(buf); | 186 | size_t len = strlen(buf); |
| 186 | size_t done = 0; | 187 | size_t done = 0; |
| 187 | while (done != len) { | 188 | while (done != len) { |
| 188 | ssize_t rv = write(fd, buf + done, len - done); | 189 | ssize_t rv = write(sandbox_run_file_fd, buf + done, len - done); |
| 189 | if (rv < 0) | 190 | if (rv < 0) |
| 190 | errExit("write"); | 191 | errExit("write"); |
| 191 | done += rv; | 192 | done += rv; |
| @@ -193,14 +194,19 @@ int set_sandbox_run_file(pid_t pid, pid_t child) { | |||
| 193 | 194 | ||
| 194 | // set exclusive lock on the file | 195 | // set exclusive lock on the file |
| 195 | // the lock is never inherited, and is released if this process dies ungracefully | 196 | // the lock is never inherited, and is released if this process dies ungracefully |
| 196 | struct flock sandboxlock = { | 197 | struct flock sandbox_lock = { |
| 197 | .l_type = F_WRLCK, | 198 | .l_type = F_WRLCK, |
| 198 | .l_whence = SEEK_SET, | 199 | .l_whence = SEEK_SET, |
| 199 | .l_start = 0, | 200 | .l_start = 0, |
| 200 | .l_len = 0, | 201 | .l_len = 0, |
| 201 | }; | 202 | }; |
| 202 | if (fcntl(fd, F_SETLK, &sandboxlock) < 0) | 203 | if (fcntl(sandbox_run_file_fd, F_SETLK, &sandbox_lock) < 0) |
| 203 | errExit("fcntl"); | 204 | errExit("fcntl"); |
| 205 | } | ||
| 206 | |||
| 207 | void release_sandbox_run_file_lock(void) { | ||
| 208 | assert(sandbox_run_file_fd > -1); | ||
| 204 | 209 | ||
| 205 | return fd; | 210 | close(sandbox_run_file_fd); |
| 211 | sandbox_run_file_fd = -1; | ||
| 206 | } | 212 | } |