diff options
| author |  netblue30 <netblue30@yahoo.com> | 2015-08-28 07:23:19 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2015-08-28 07:23:19 -0400 |
| commit | f5b9be2a61d116a5005a3e41da2474a945aa1aa3 (patch) | |
| tree | e496d2a740f34a66ee930145119b510f1fc3085c | |
| parent | fixes (diff) | |
| download | firejail-f5b9be2a61d116a5005a3e41da2474a945aa1aa3.tar.gz firejail-f5b9be2a61d116a5005a3e41da2474a945aa1aa3.tar.zst firejail-f5b9be2a61d116a5005a3e41da2474a945aa1aa3.zip | |
firejail-in-firejail fixes
| -rw-r--r-- | src/firejail/bandwidth.c | 6 | ||||
| -rw-r--r-- | src/firejail/firejail.h | 1 | ||||
| -rw-r--r-- | src/firejail/fs.c | 6 | ||||
| -rw-r--r-- | src/firejail/main.c | 18 |
4 files changed, 23 insertions, 8 deletions
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c index e0be1f06a..61d0acd4a 100644 --- a/src/firejail/bandwidth.c +++ b/src/firejail/bandwidth.c | |||
| @@ -125,8 +125,10 @@ void shm_create_firejail_dir(void) { | |||
| 125 | } | 125 | } |
| 126 | else { // check /dev/shm/firejail directory belongs to root end exit if doesn't! | 126 | else { // check /dev/shm/firejail directory belongs to root end exit if doesn't! |
| 127 | if (s.st_uid != 0 || s.st_gid != 0) { | 127 | if (s.st_uid != 0 || s.st_gid != 0) { |
| 128 | fprintf(stderr, "Error: non-root %s directory, exiting...\n", "/dev/shm/firejail"); | 128 | if (firejail_in_firejail == 0) { |
| 129 | exit(1); | 129 | fprintf(stderr, "Error: non-root %s directory, exiting...\n", "/dev/shm/firejail"); |
| 130 | exit(1); | ||
| 131 | } | ||
| 130 | } | 132 | } |
| 131 | } | 133 | } |
| 132 | } | 134 | } |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 351e9d045..532a4797e 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -151,6 +151,7 @@ extern int arg_scan; // arp-scan all interfaces | |||
| 151 | extern int parent_to_child_fds[2]; | 151 | extern int parent_to_child_fds[2]; |
| 152 | extern int child_to_parent_fds[2]; | 152 | extern int child_to_parent_fds[2]; |
| 153 | extern pid_t sandbox_pid; | 153 | extern pid_t sandbox_pid; |
| 154 | extern int firejail_in_firejail; | ||
| 154 | 155 | ||
| 155 | 156 | ||
| 156 | 157 | ||
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 6beac3227..ca73ae554 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
| @@ -44,8 +44,10 @@ void fs_build_firejail_dir(void) { | |||
| 44 | } | 44 | } |
| 45 | else { // check /tmp/firejail directory belongs to root end exit if doesn't! | 45 | else { // check /tmp/firejail directory belongs to root end exit if doesn't! |
| 46 | if (s.st_uid != 0 || s.st_gid != 0) { | 46 | if (s.st_uid != 0 || s.st_gid != 0) { |
| 47 | fprintf(stderr, "Error: non-root %s directory, exiting...\n", FIREJAIL_DIR); | 47 | if (firejail_in_firejail == 0) { |
| 48 | exit(1); | 48 | fprintf(stderr, "Error: non-root %s directory, exiting...\n", FIREJAIL_DIR); |
| 49 | exit(1); | ||
| 50 | } | ||
| 49 | } | 51 | } |
| 50 | } | 52 | } |
| 51 | } | 53 | } |
diff --git a/src/firejail/main.c b/src/firejail/main.c index aeb85d724..bcff0e41f 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -92,6 +92,7 @@ char *fullargv[MAX_ARGS]; // expanded argv for restricted shell | |||
| 92 | int fullargc = 0; | 92 | int fullargc = 0; |
| 93 | static pid_t child = 0; | 93 | static pid_t child = 0; |
| 94 | pid_t sandbox_pid; | 94 | pid_t sandbox_pid; |
| 95 | int firejail_in_firejail = 0; // firejail started in a firejail sandbox | ||
| 95 | 96 | ||
| 96 | static void myexit(int rv) { | 97 | static void myexit(int rv) { |
| 97 | logmsg("exiting..."); | 98 | logmsg("exiting..."); |
| @@ -127,8 +128,10 @@ static void my_handler(int s){ | |||
| 127 | static void extract_user_data(void) { | 128 | static void extract_user_data(void) { |
| 128 | // check suid | 129 | // check suid |
| 129 | if (geteuid()) { | 130 | if (geteuid()) { |
| 130 | fprintf(stderr, "Error: the sandbox is not setuid root\n"); | 131 | if (firejail_in_firejail == 0) { |
| 131 | exit(1); | 132 | fprintf(stderr, "Error: the sandbox is not setuid root\n"); |
| 133 | exit(1); | ||
| 134 | } | ||
| 132 | } | 135 | } |
| 133 | 136 | ||
| 134 | struct passwd *pw = getpwuid(getuid()); | 137 | struct passwd *pw = getpwuid(getuid()); |
| @@ -400,6 +403,14 @@ int main(int argc, char **argv) { | |||
| 400 | int arg_cgroup = 0; | 403 | int arg_cgroup = 0; |
| 401 | int custom_profile = 0; // custom profile loaded | 404 | int custom_profile = 0; // custom profile loaded |
| 402 | int arg_noprofile = 0; // use generic.profile if none other found/specified | 405 | int arg_noprofile = 0; // use generic.profile if none other found/specified |
| 406 | |||
| 407 | // check if we already have a sandbox running | ||
| 408 | int rv = check_kernel_procs(); | ||
| 409 | if (rv == 0) | ||
| 410 | firejail_in_firejail = 1; | ||
| 411 | |||
| 412 | |||
| 413 | |||
| 403 | 414 | ||
| 404 | // initialize globals | 415 | // initialize globals |
| 405 | init_cfg(); | 416 | init_cfg(); |
| @@ -998,8 +1009,7 @@ int main(int argc, char **argv) { | |||
| 998 | } | 1009 | } |
| 999 | 1010 | ||
| 1000 | // if a sandbox is already running, start the program directly without sandboxing | 1011 | // if a sandbox is already running, start the program directly without sandboxing |
| 1001 | int rv = check_kernel_procs(); | 1012 | if (firejail_in_firejail) { |
| 1002 | if (rv == 0) { | ||
| 1003 | run_no_sandbox(argc, argv); | 1013 | run_no_sandbox(argc, argv); |
| 1004 | // it will never get here! | 1014 | // it will never get here! |
| 1005 | assert(0); | 1015 | assert(0); |