fixes

author: netblue30 <netblue30@yahoo.com> 2016-03-09 09:51:47 -0500
committer: netblue30 <netblue30@yahoo.com> 2016-03-09 09:51:47 -0500
commit: dc3564b18f1eafde1ccf46e722f8c2a9c1ee8555 (patch)
tree: 6178c2c6fc5912a63f5d54b1e3562d7049270418
parent: fs work (diff)
download: firejail-dc3564b18f1eafde1ccf46e722f8c2a9c1ee8555.tar.gz
firejail-dc3564b18f1eafde1ccf46e722f8c2a9c1ee8555.tar.zst
firejail-dc3564b18f1eafde1ccf46e722f8c2a9c1ee8555.zip
7 files changed, 139 insertions, 3 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index b526b5e00..9c4dcc9a6 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -369,6 +369,7 @@ char *expand_home(const char *path, const char* homedir);
 const char *gnu_basename(const char *path);
 uid_t pid_get_uid(pid_t pid);
 void invalid_filename(const char *fname);
+uid_t get_tty_gid(void);
 // fs_var.c
 void fs_var_log(void);  // mounting /var/log
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 5c645b8da..2fd450391 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -178,9 +178,21 @@ void fs_private_dev(void){
        create_char_dev("/dev/pts/ptmx", 0666, 5, 2); //"mknod -m 666 /dev/pts/ptmx c 5 2");
        fs_logger("mknod /dev/pts/ptmx");
        create_link("/dev/pts/ptmx", "/dev/ptmx");
+// code before github issue #351
        // mount -vt devpts -o newinstance -o ptmxmode=0666 devpts //dev/pts
-        if (mount("devpts", "/dev/pts", "devpts", MS_MGC_VAL,  "newinstance,ptmxmode=0666") < 0)
+//      if (mount("devpts", "/dev/pts", "devpts", MS_MGC_VAL,  "newinstance,ptmxmode=0666") < 0)
+//              errExit("mounting /dev/pts");
+        // mount /dev/pts
+        gid_t ttygid = get_tty_gid();
+        char *data;
+        if (asprintf(&data, "newinstance,gid=%d,mode=620,ptmxmode=0666", (int) ttygid) == -1)
+                errExit("asprintf");
+        if (mount("devpts", "/dev/pts", "devpts", MS_MGC_VAL,  data) < 0)
                errExit("mounting /dev/pts");
+        free(data);
        fs_logger("clone /dev/pts");
 #if 0
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index b814af445..90ef43a62 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -255,6 +255,12 @@ void ls(pid_t pid, const char *path) {
                exit(1);
        }
+        // access chek is performed with the real UID
+        if (access(fname, R_OK) == -1) {
+                fprintf(stderr, "Error: Cannot access file %s\n", fname);
+                exit(1);
+        }
        // list directory contents
        struct stat s;
        if (stat(fname, &s) == -1) {
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 68606a313..e2f197a92 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1746,8 +1746,15 @@ int main(int argc, char **argv) {
                if (asprintf(&map_path, "/proc/%d/gid_map", child) == -1)
                        errExit("asprintf");
                gid_t gid = getgid();
-                if (asprintf(&map, "%d %d 1", gid, gid) == -1)
+                gid_t ttygid = get_tty_gid();
-                        errExit("asprintf");
+                if (ttygid == 0)  {
+                        if (asprintf(&map, "%d %d 1", gid, gid) == -1)
+                                errExit("asprintf");
+                }
+                else {
+                        if (asprintf(&map, "%d %d 1\n%d %d 1", gid, gid, ttygid, ttygid) == -1)
+                                errExit("asprintf");
+                }
                EUID_ROOT();
                update_map(map, map_path);
                EUID_USER();
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 3463095f9..c62f4285c 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -629,3 +629,13 @@ void invalid_filename(const char *fname) {
                exit(1);
        }
 }
+uid_t get_tty_gid(void) {
+        // find tty group id
+        gid_t ttygid = 0;
+        struct group *g = getgrnam("tty");
+        if (g)
+                ttygid = g->gr_gid;
+        return ttygid;
+}
diff --git a/test/test.sh b/test/test.sh
index d7e9e2aed..0ef816717 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -9,6 +9,9 @@
 echo "TESTING: nice (nice.exp)"
 ./nice.exp
+echo "TESTING: tty (tty.exp)"
+./tty.exp
 echo "TESTING: protocol (protocol.exp)"
 ./protocol.exp
diff --git a/test/tty.exp b/test/tty.exp
new file mode 100755
index 000000000..116f297b2
--- /dev/null
+++ b/test/tty.exp
@@ -0,0 +1,97 @@
+#!/usr/bin/expect -f
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 2
+send -- "xterm &\r"
+sleep 2
+send -- "urxvt &\r"
+sleep 2
+send -- "rxvt &\r"
+sleep 2
+send -- "ps aux\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "USER"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "xterm"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "urxvt"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "rxvt"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "ps aux"
+}
+send -- "pkill xterm\r"
+sleep 1
+send -- "pkill urxvt\r"
+sleep 1
+send -- "pkill rxvt\r"
+sleep 1
+send -- "exit\r"
+sleep 2
+send -- "firejail --private-dev\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "Child process initialized"
+}
+sleep 2
+send -- "xterm &\r"
+sleep 2
+send -- "urxvt &\r"
+sleep 2
+send -- "rxvt &\r"
+sleep 2
+send -- "ps aux\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "USER"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "xterm"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "urxvt"
+}
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        "rxvt"
+}
+expect {
+        timeout {puts "TESTING ERROR 15\n";exit}
+        "ps aux"
+}
+send -- "pkill xterm\r"
+sleep 1
+send -- "pkill urxvt\r"
+sleep 1
+send -- "pkill rxvt\r"
+sleep 1
+send -- "exit\r"
+sleep 2
+puts "\n"
author	netblue30 <netblue30@yahoo.com>	2016-03-09 09:51:47 -0500
committer	netblue30 <netblue30@yahoo.com>	2016-03-09 09:51:47 -0500
commit	dc3564b18f1eafde1ccf46e722f8c2a9c1ee8555 (patch)
tree	6178c2c6fc5912a63f5d54b1e3562d7049270418
parent	fs work (diff)
download	firejail-dc3564b18f1eafde1ccf46e722f8c2a9c1ee8555.tar.gz firejail-dc3564b18f1eafde1ccf46e722f8c2a9c1ee8555.tar.zst firejail-dc3564b18f1eafde1ccf46e722f8c2a9c1ee8555.zip

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index b526b5e00..9c4dcc9a6 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -369,6 +369,7 @@ char expand_home(const char path, const char* homedir);
369	const char gnu_basename(const char path);	369	const char gnu_basename(const char path);
370	uid_t pid_get_uid(pid_t pid);	370	uid_t pid_get_uid(pid_t pid);
371	void invalid_filename(const char *fname);	371	void invalid_filename(const char *fname);
		372	uid_t get_tty_gid(void);
372		373
373	// fs_var.c	374	// fs_var.c
374	void fs_var_log(void); // mounting /var/log	375	void fs_var_log(void); // mounting /var/log


diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index 5c645b8da..2fd450391 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c
@@ -178,9 +178,21 @@ void fs_private_dev(void){
178	create_char_dev("/dev/pts/ptmx", 0666, 5, 2); //"mknod -m 666 /dev/pts/ptmx c 5 2");	178	create_char_dev("/dev/pts/ptmx", 0666, 5, 2); //"mknod -m 666 /dev/pts/ptmx c 5 2");
179	fs_logger("mknod /dev/pts/ptmx");	179	fs_logger("mknod /dev/pts/ptmx");
180	create_link("/dev/pts/ptmx", "/dev/ptmx");	180	create_link("/dev/pts/ptmx", "/dev/ptmx");
		181
		182	// code before github issue #351
181	// mount -vt devpts -o newinstance -o ptmxmode=0666 devpts //dev/pts	183	// mount -vt devpts -o newinstance -o ptmxmode=0666 devpts //dev/pts
182	if (mount("devpts", "/dev/pts", "devpts", MS_MGC_VAL, "newinstance,ptmxmode=0666") < 0)	184	// if (mount("devpts", "/dev/pts", "devpts", MS_MGC_VAL, "newinstance,ptmxmode=0666") < 0)
		185	// errExit("mounting /dev/pts");
		186
		187
		188	// mount /dev/pts
		189	gid_t ttygid = get_tty_gid();
		190	char *data;
		191	if (asprintf(&data, "newinstance,gid=%d,mode=620,ptmxmode=0666", (int) ttygid) == -1)
		192	errExit("asprintf");
		193	if (mount("devpts", "/dev/pts", "devpts", MS_MGC_VAL, data) < 0)
183	errExit("mounting /dev/pts");	194	errExit("mounting /dev/pts");
		195	free(data);
184	fs_logger("clone /dev/pts");	196	fs_logger("clone /dev/pts");
185		197
186	#if 0	198	#if 0


diff --git a/src/firejail/ls.c b/src/firejail/ls.c index b814af445..90ef43a62 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c
@@ -255,6 +255,12 @@ void ls(pid_t pid, const char *path) {
255	exit(1);	255	exit(1);
256	}	256	}
257		257
		258	// access chek is performed with the real UID
		259	if (access(fname, R_OK) == -1) {
		260	fprintf(stderr, "Error: Cannot access file %s\n", fname);
		261	exit(1);
		262	}
		263
258	// list directory contents	264	// list directory contents
259	struct stat s;	265	struct stat s;
260	if (stat(fname, &s) == -1) {	266	if (stat(fname, &s) == -1) {


diff --git a/src/firejail/main.c b/src/firejail/main.c index 68606a313..e2f197a92 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -1746,8 +1746,15 @@ int main(int argc, char **argv) {
1746	if (asprintf(&map_path, "/proc/%d/gid_map", child) == -1)	1746	if (asprintf(&map_path, "/proc/%d/gid_map", child) == -1)
1747	errExit("asprintf");	1747	errExit("asprintf");
1748	gid_t gid = getgid();	1748	gid_t gid = getgid();
1749	if (asprintf(&map, "%d %d 1", gid, gid) == -1)	1749	gid_t ttygid = get_tty_gid();
1750	errExit("asprintf");	1750	if (ttygid == 0) {
		1751	if (asprintf(&map, "%d %d 1", gid, gid) == -1)
		1752	errExit("asprintf");
		1753	}
		1754	else {
		1755	if (asprintf(&map, "%d %d 1\n%d %d 1", gid, gid, ttygid, ttygid) == -1)
		1756	errExit("asprintf");
		1757	}
1751	EUID_ROOT();	1758	EUID_ROOT();
1752	update_map(map, map_path);	1759	update_map(map, map_path);
1753	EUID_USER();	1760	EUID_USER();


diff --git a/src/firejail/util.c b/src/firejail/util.c index 3463095f9..c62f4285c 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c
@@ -629,3 +629,13 @@ void invalid_filename(const char *fname) {
629	exit(1);	629	exit(1);
630	}	630	}
631	}	631	}
		632
		633	uid_t get_tty_gid(void) {
		634	// find tty group id
		635	gid_t ttygid = 0;
		636	struct group *g = getgrnam("tty");
		637	if (g)
		638	ttygid = g->gr_gid;
		639
		640	return ttygid;
		641	}


diff --git a/test/test.sh b/test/test.sh index d7e9e2aed..0ef816717 100755 --- a/test/test.sh +++ b/test/test.sh
@@ -9,6 +9,9 @@
9	echo "TESTING: nice (nice.exp)"	9	echo "TESTING: nice (nice.exp)"
10	./nice.exp	10	./nice.exp
11		11
		12	echo "TESTING: tty (tty.exp)"
		13	./tty.exp
		14
12	echo "TESTING: protocol (protocol.exp)"	15	echo "TESTING: protocol (protocol.exp)"
13	./protocol.exp	16	./protocol.exp
14		17


diff --git a/test/tty.exp b/test/tty.exp new file mode 100755 index 000000000..116f297b2 --- /dev/null +++ b/test/tty.exp
@@ -0,0 +1,97 @@
		1	#!/usr/bin/expect -f
		2
		3	set timeout 10
		4	spawn $env(SHELL)
		5	match_max 100000
		6
		7	send -- "firejail\r"
		8	expect {
		9	timeout {puts "TESTING ERROR 0\n";exit}
		10	"Child process initialized"
		11	}
		12	sleep 2
		13	send -- "xterm &\r"
		14	sleep 2
		15	send -- "urxvt &\r"
		16	sleep 2
		17	send -- "rxvt &\r"
		18	sleep 2
		19
		20	send -- "ps aux\r"
		21	expect {
		22	timeout {puts "TESTING ERROR 1\n";exit}
		23	"USER"
		24	}
		25	expect {
		26	timeout {puts "TESTING ERROR 2\n";exit}
		27	"xterm"
		28	}
		29	expect {
		30	timeout {puts "TESTING ERROR 3\n";exit}
		31	"urxvt"
		32	}
		33	expect {
		34	timeout {puts "TESTING ERROR 4\n";exit}
		35	"rxvt"
		36	}
		37	expect {
		38	timeout {puts "TESTING ERROR 5\n";exit}
		39	"ps aux"
		40	}
		41
		42	send -- "pkill xterm\r"
		43	sleep 1
		44	send -- "pkill urxvt\r"
		45	sleep 1
		46	send -- "pkill rxvt\r"
		47	sleep 1
		48	send -- "exit\r"
		49	sleep 2
		50
		51
		52	send -- "firejail --private-dev\r"
		53	expect {
		54	timeout {puts "TESTING ERROR 10\n";exit}
		55	"Child process initialized"
		56	}
		57	sleep 2
		58	send -- "xterm &\r"
		59	sleep 2
		60	send -- "urxvt &\r"
		61	sleep 2
		62	send -- "rxvt &\r"
		63	sleep 2
		64
		65	send -- "ps aux\r"
		66	expect {
		67	timeout {puts "TESTING ERROR 11\n";exit}
		68	"USER"
		69	}
		70	expect {
		71	timeout {puts "TESTING ERROR 12\n";exit}
		72	"xterm"
		73	}
		74	expect {
		75	timeout {puts "TESTING ERROR 13\n";exit}
		76	"urxvt"
		77	}
		78	expect {
		79	timeout {puts "TESTING ERROR 14\n";exit}
		80	"rxvt"
		81	}
		82	expect {
		83	timeout {puts "TESTING ERROR 15\n";exit}
		84	"ps aux"
		85	}
		86
		87	send -- "pkill xterm\r"
		88	sleep 1
		89	send -- "pkill urxvt\r"
		90	sleep 1
		91	send -- "pkill rxvt\r"
		92	sleep 1
		93	send -- "exit\r"
		94	sleep 2
		95
		96	puts "\n"
		97