authorLibravatar netblue30 <netblue30@yahoo.com>2016-12-06 08:49:47 -0500
committerLibravatar netblue30 <netblue30@yahoo.com>2016-12-06 08:49:47 -0500
commit94abb4298e20bd1f9f89faf781defeb706462ac4 (patch)
tree412ebffd0bd1894edba14ed72a3d38b057b724a1
parenttesting (diff)
testing
-rw-r--r--src/firejail/main.c130
-rw-r--r--src/firejail/no_sandbox.c96
2 files changed, 51 insertions, 175 deletions
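diff --git a/src/firejail/main.c b/src/firejail/main.c
index 32769845d..545c38018 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -751,42 +751,6 @@ static void delete_x11_file(pid_t pid) {
 free(fname);
 }
 
-static void detect_quiet(int argc, char **argv) {
-int i;
-
-// detect --quiet
-for (i = 1; i < argc; i++) {
-if (strcmp(argv[i], "--quiet") == 0) {
-arg_quiet = 1;
-break;
-}
-
-// detect end of firejail params
-if (strcmp(argv[i], "--") == 0)
-break;
-if (strncmp(argv[i], "--", 2) != 0)
-break;
-}
-}
-
-static void detect_allow_debuggers(int argc, char **argv) {
-int i;
-
-// detect --allow-debuggers
-for (i = 1; i < argc; i++) {
-if (strcmp(argv[i], "--allow-debuggers") == 0) {
-arg_allow_debuggers = 1;
-break;
-}
-
-// detect end of firejail params
-if (strcmp(argv[i], "--") == 0)
-break;
-if (strncmp(argv[i], "--", 2) != 0)
-break;
-}
-}
-
 char *guess_shell(void) {
 char *shell = NULL;
 // shells in order of preference
@@ -806,6 +770,25 @@ char *guess_shell(void) {
 return shell;
 }
 
+static int check_arg(int argc, char **argv, const char *argument) {
+int i;
+int found = 0;
+for (i = 1; i < argc; i++) {
+if (strcmp(argv[i], "--force") == 0) {
+found = 1;
+break;
+}
+
+// detect end of firejail params
+if (strcmp(argv[i], "--") == 0)
+break;
+if (strncmp(argv[i], "--", 2) != 0)
+break;
+}
+
+return found;
+}
+
 //*******************************************
 // Main program
 //*******************************************
@@ -822,8 +805,10 @@ int main(int argc, char **argv) {
 // build /run/firejail directory structure
 preproc_build_firejail_dir();
 
-detect_quiet(argc, argv);
-detect_allow_debuggers(argc, argv);
+if (check_arg(argc, argv, "--quiet"))
+arg_quiet = 1;
+if (check_arg(argc, argv, "--allow-debuggers"))
+arg_allow_debuggers = 1;
 
 // drop permissions by default and rise them when required
 EUID_INIT();
@@ -845,78 +830,27 @@ int main(int argc, char **argv) {
 EUID_USER();
 if (rv == 0) {
 // if --force option is passed to the program, disregard the existing sandbox
-int found = 0;
-for (i = 1; i < argc; i++) {
-if (strcmp(argv[i], "--force") == 0 ||
-strcmp(argv[i], "--list") == 0 ||
-strcmp(argv[i], "--netstats") == 0 ||
-strcmp(argv[i], "--tree") == 0 ||
-strcmp(argv[i], "--top") == 0 ||
-strncmp(argv[i], "--ls=", 5) == 0 ||
-strncmp(argv[i], "--get=", 6) == 0 ||
-strcmp(argv[i], "--debug-caps") == 0 ||
-strcmp(argv[i], "--debug-errnos") == 0 ||
-strcmp(argv[i], "--debug-syscalls") == 0 ||
-strcmp(argv[i], "--debug-protocols") == 0 ||
-strcmp(argv[i], "--help") == 0 ||
-strcmp(argv[i], "--version") == 0 ||
-strcmp(argv[i], "--overlay-clean") == 0 ||
-strncmp(argv[i], "--dns.print=", 12) == 0 ||
-strncmp(argv[i], "--bandwidth=", 12) == 0 ||
-strncmp(argv[i], "--caps.print=", 13) == 0 ||
-strncmp(argv[i], "--cpu.print=", 12) == 0 ||
-//********************************************************************************
-// todo: fix the following problems
-strncmp(argv[i], "--join=", 7) == 0 ||
-//[netblue@debian Downloads]$ firejail --join=896
-//Switching to pid 897, the first child process inside the sandbox
-//Error: seccomp file not found
-//********************************************************************************
-
-strncmp(argv[i], "--join-filesystem=", 18) == 0 ||
-strncmp(argv[i], "--join-network=", 15) == 0 ||
-strncmp(argv[i], "--fs.print=", 11) == 0 ||
-strncmp(argv[i], "--protocol.print=", 17) == 0 ||
-strncmp(argv[i], "--seccomp.print", 15) == 0 ||
-strncmp(argv[i], "--shutdown=", 11) == 0) {
-found = 1;
-break;
-}
-
-// detect end of firejail params
-if (strcmp(argv[i], "--") == 0)
-break;
-if (strncmp(argv[i], "--", 2) != 0)
-break;
-}
-
-if (found == 0) {
+if (check_arg(argc, argv, "--force"))
+option_force = 1;
+else {
 // start the program directly without sandboxing
 run_no_sandbox(argc, argv);
 // it will never get here!
 assert(0);
 }
-else
-option_force = 1;
 }
 }
 
 // check root/suid
 EUID_ROOT();
 if (geteuid()) {
-// detect --version
-for (i = 1; i < argc; i++) {
-if (strcmp(argv[i], "--version") == 0) {
-printf("firejail version %s\n", VERSION);
-exit(0);
-}
-
-// detect end of firejail params
-if (strcmp(argv[i], "--") == 0)
-break;
-if (strncmp(argv[i], "--", 2) != 0)
-break;
+// only --version is supported without SUID support
+if (check_arg(argc, argv, "--force")) {
+printf("firejail version %s\n", VERSION);
+exit(0);
 }
+
+fprintf(stderr, "Error: cannot rise privileges\n");
 exit(1);
 }
 EUID_USER();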
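Review bot: The new `check_arg` helper never reads its `argument` parameter; its loop compares every `argv[i]` against the literal `"--force"`, so the test should be `if (strcmp(argv[i], argument) == 0) {`. As written, the two early calls in `main` for `"--quiet"` and `"--allow-debuggers"` both fire on `--force`, which means `--force` silently sets `arg_allow_debuggers`, while the real `--quiet` and `--allow-debuggers` flags are not detected by this scan. The non-SUID branch also passes `"--force"` although its comment says only `--version` is supported there; it should read `if (check_arg(argc, argv, "--version")) {`. Separately, the already-sandboxed branch no longer exempts the previous option list (`--list`, `--join=`, `--shutdown=` and the others), so those invocations now appear to fall through to `run_no_sandbox`; if that is intended, a comment saying so would help. The body of `main` continues outside the hunks shown.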
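diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 8af555ea2..07ac25dca 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -165,84 +165,28 @@ void run_no_sandbox(int argc, char **argv) {
 // process limited subset of options
 int i;
 for (i = 0; i < argc; i++) {
-if (strcmp(argv[i], "--csh") == 0) {
-if (arg_shell_none) {
-fprintf(stderr, "Error: --shell=none was already specified.\n");
-exit(1);
-}
-if (cfg.shell) {
-fprintf(stderr, "Error: only one default user shell can be specified\n");
-exit(1);
-}
-cfg.shell = "/bin/csh";
-}
-else if (strcmp(argv[i], "--zsh") == 0) {
-if (arg_shell_none) {
-fprintf(stderr, "Error: --shell=none was already specified.\n");
-exit(1);
-}
-if (cfg.shell) {
-fprintf(stderr, "Error: only one default user shell can be specified\n");
-exit(1);
-}
-cfg.shell = "/bin/zsh";
-}
-else if (strcmp(argv[i], "--shell=none") == 0) {
-arg_shell_none = 1;
-if (cfg.shell) {
-fprintf(stderr, "Error: a shell was already specified\n");
-exit(1);
-}
-}
-else if (strncmp(argv[i], "--shell=", 8) == 0) {
-if (arg_shell_none) {
-fprintf(stderr, "Error: --shell=none was already specified.\n");
-exit(1);
-}
-invalid_filename(argv[i] + 8);
-
-if (cfg.shell) {
-fprintf(stderr, "Error: only one user shell can be specified\n");
-exit(1);
-}
-cfg.shell = argv[i] + 8;
-
-if (is_dir(cfg.shell) || strstr(cfg.shell, "..")) {
-fprintf(stderr, "Error: invalid shell\n");
-exit(1);
-}
-
-// access call checks as real UID/GID, not as effective UID/GID
-if(cfg.chrootdir) {
-char *shellpath;
-if (asprintf(&shellpath, "%s%s", cfg.chrootdir, cfg.shell) == -1)
-errExit("asprintf");
-if (access(shellpath, R_OK)) {
-fprintf(stderr, "Error: cannot access shell file in chroot\n");
-exit(1);
-}
-free(shellpath);
-} else if (access(cfg.shell, R_OK)) {
-fprintf(stderr, "Error: cannot access shell file\n");
-exit(1);
-}
-}
+if (strcmp(argv[i], "--debug") == 0)
+arg_debug = 1;
+else if (strcmp(argv[i], "--csh") == 0 ||
+strcmp(argv[i], "--zsh") == 0 ||
+strcmp(argv[i], "--shell=none") == 0 ||
+strncmp(argv[i], "--shell=", 8) == 0)
+fprintf(stderr, "Warning: shell-related command line options are disregarded - using SHELL environment variable");
 }
 
 // use $SHELL to get shell used in sandbox
-if (!arg_shell_none && !cfg.shell) {
-char *shell = getenv("SHELL");
-if (shell && access(shell, R_OK) == 0)
-cfg.shell = shell;
-}
+char *shell = getenv("SHELL");
+if (shell && access(shell, R_OK) == 0)
+cfg.shell = shell;
+
 // guess shell otherwise
-if (!arg_shell_none && !cfg.shell) {
+if (!cfg.shell) {
 cfg.shell = guess_shell();
 if (arg_debug)
 printf("Autoselecting %s as shell\n", cfg.shell);
 }
-if (!arg_shell_none && !cfg.shell) {
-fprintf(stderr, "Error: unable to guess your shell, please set explicitly by using --shell option.\n");
+if (!cfg.shell) {
+fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n");
 exit(1);
 }
 
@@ -266,13 +210,11 @@ void run_no_sandbox(int argc, char **argv) {
 }
 }
 
-if (!arg_shell_none) {
-if (prog_index == 0) {
-cfg.command_line = cfg.shell;
-cfg.window_title = cfg.shell;
-} else {
-build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
-}
+if (prog_index == 0) {
+cfg.command_line = cfg.shell;
+cfg.window_title = cfg.shell;
+} else {
+build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
 }
 
 cfg.original_argv = argv;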
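Review bot: The shell in `run_no_sandbox` is now taken from `$SHELL` after only `access(shell, R_OK) == 0`, whereas the removed `--shell=` path also rejected directories and `..` components; keeping those checks on the environment value, e.g. `if (shell && !is_dir(shell) && !strstr(shell, "..") && access(shell, R_OK) == 0)`, would leave the validation level unchanged. `--shell=none` is now only warned about and the second hunk drops the `!arg_shell_none` guard, so an invocation that asked for no shell presumably now has its command built around `cfg.shell`; that behaviour change deserves a comment if it is intended. The new warning string has no trailing `\n`, so it will run into whatever is printed next on stderr. The function begins before and continues after the hunks shown.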