Baseline firejail 0.9.28

author: netblue30 <netblue30@yahoo.com> 2015-08-08 19:12:30 -0400
committer: netblue30 <netblue30@yahoo.com> 2015-08-08 19:12:30 -0400
commit: 1379851360349d6617ad32944a25ee5e2bb74fc2 (patch)
tree: f69b48e90708bfa3c2723d5a27ed3e024c827b43 /src/firejail/cgroup.c
parent: delete files (diff)
download: firejail-1379851360349d6617ad32944a25ee5e2bb74fc2.tar.gz
firejail-1379851360349d6617ad32944a25ee5e2bb74fc2.tar.zst
firejail-1379851360349d6617ad32944a25ee5e2bb74fc2.zip
1 files changed, 118 insertions, 0 deletions
diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c
new file mode 100644
index 000000000..7366a6699
--- /dev/null
+++ b/src/firejail/cgroup.c
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) 2014, 2015 netblue30 (netblue30@yahoo.com)
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "firejail.h"
+#include <sys/stat.h>
+#define MAXBUF 4096
+void save_cgroup(void) {
+        if (cfg.cgroup == NULL)
+                return;
+        
+        char *fname;
+        if (asprintf(&fname, "%s/cgroup", MNT_DIR) == -1)
+                errExit(fname);
+        
+        FILE *fp = fopen(fname, "w");
+        if (fp) {
+                fprintf(fp, "%s", cfg.cgroup);
+                fflush(0);
+                fclose(fp);
+                if (chown(fname, 0, 0) < 0)
+                        errExit("chown");
+        }
+        else {
+                fprintf(stderr, "Error: cannot save cgroup\n");
+                free(fname);
+                exit(1);
+        }
+        
+        free(fname);
+}
+void load_cgroup(const char *fname) {
+        if (!fname)
+                return;
+        FILE *fp = fopen(fname, "r");
+        if (fp) {
+                char buf[MAXBUF];
+                if (fgets(buf, MAXBUF, fp)) {
+                        cfg.cgroup = strdup(buf);
+                        if (!cfg.cgroup)
+                                errExit("strdup");
+                }
+                else
+                        goto errout;
+                
+                fclose(fp);
+                return;
+        }
+errout:
+        fprintf(stderr, "Warrning: cannot load control group\n");
+        if (fp)
+                fclose(fp);
+}
+void set_cgroup(const char *path) {
+        // path starts with /sys/fs/cgroup
+        if (strncmp(path, "/sys/fs/cgroup", 14) != 0)
+                goto errout;
+        
+        // path ends in tasks
+        char *ptr = strstr(path, "tasks");
+        if (!ptr)
+                goto errout;
+        if (*(ptr + 5) != '\0')
+                goto errout;
+        
+        // no .. traversal
+        ptr = strstr(path, "..");
+        if (ptr)
+                goto errout;
+        
+        // tasks file exists
+        struct stat s;
+        if (stat(path, &s) == -1)
+                goto errout;
+        
+        // task file belongs to the user running the sandbox
+        if (s.st_uid != getuid() && s.st_gid != getgid())
+                goto errout2;
+                
+        // add the task to cgroup
+        /* coverity[toctou] */
+        FILE *fp = fopen(path,  "a");
+        if (!fp)
+                goto errout;
+        pid_t pid = getpid();
+        int rv = fprintf(fp, "%d\n", pid);
+        (void) rv;
+        fclose(fp);
+        return;
+errout:         
+        fprintf(stderr, "Error: invalid cgroup\n");
+        exit(1);
+errout2:                
+        fprintf(stderr, "Error: you don't have permissions to use this control group\n");
+        exit(1);
+}
author	netblue30 <netblue30@yahoo.com>	2015-08-08 19:12:30 -0400
committer	netblue30 <netblue30@yahoo.com>	2015-08-08 19:12:30 -0400
commit	1379851360349d6617ad32944a25ee5e2bb74fc2 (patch)
tree	f69b48e90708bfa3c2723d5a27ed3e024c827b43 /src/firejail/cgroup.c
parent	delete files (diff)
download	firejail-1379851360349d6617ad32944a25ee5e2bb74fc2.tar.gz firejail-1379851360349d6617ad32944a25ee5e2bb74fc2.tar.zst firejail-1379851360349d6617ad32944a25ee5e2bb74fc2.zip

diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c new file mode 100644 index 000000000..7366a6699 --- /dev/null +++ b/src/firejail/cgroup.c
@@ -0,0 +1,118 @@
	1	/*
	2	* Copyright (C) 2014, 2015 netblue30 (netblue30@yahoo.com)
	3	*
	4	* This file is part of firejail project
	5	*
	6	* This program is free software; you can redistribute it and/or modify
	7	* it under the terms of the GNU General Public License as published by
	8	* the Free Software Foundation; either version 2 of the License, or
	9	* (at your option) any later version.
	10	*
	11	* This program is distributed in the hope that it will be useful,
	12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	14	* GNU General Public License for more details.
	15	*
	16	* You should have received a copy of the GNU General Public License along
	17	* with this program; if not, write to the Free Software Foundation, Inc.,
	18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
	19	*/
	20	#include "firejail.h"
	21	#include <sys/stat.h>
	22
	23	#define MAXBUF 4096
	24
	25	void save_cgroup(void) {
	26	if (cfg.cgroup == NULL)
	27	return;
	28
	29	char *fname;
	30	if (asprintf(&fname, "%s/cgroup", MNT_DIR) == -1)
	31	errExit(fname);
	32
	33	FILE *fp = fopen(fname, "w");
	34	if (fp) {
	35	fprintf(fp, "%s", cfg.cgroup);
	36	fflush(0);
	37	fclose(fp);
	38	if (chown(fname, 0, 0) < 0)
	39	errExit("chown");
	40	}
	41	else {
	42	fprintf(stderr, "Error: cannot save cgroup\n");
	43	free(fname);
	44	exit(1);
	45	}
	46
	47	free(fname);
	48	}
	49
	50	void load_cgroup(const char *fname) {
	51	if (!fname)
	52	return;
	53
	54	FILE *fp = fopen(fname, "r");
	55	if (fp) {
	56	char buf[MAXBUF];
	57	if (fgets(buf, MAXBUF, fp)) {
	58	cfg.cgroup = strdup(buf);
	59	if (!cfg.cgroup)
	60	errExit("strdup");
	61	}
	62	else
	63	goto errout;
	64
	65	fclose(fp);
	66	return;
	67	}
	68	errout:
	69	fprintf(stderr, "Warrning: cannot load control group\n");
	70	if (fp)
	71	fclose(fp);
	72	}
	73
	74
	75	void set_cgroup(const char *path) {
	76	// path starts with /sys/fs/cgroup
	77	if (strncmp(path, "/sys/fs/cgroup", 14) != 0)
	78	goto errout;
	79
	80	// path ends in tasks
	81	char *ptr = strstr(path, "tasks");
	82	if (!ptr)
	83	goto errout;
	84	if (*(ptr + 5) != '\0')
	85	goto errout;
	86
	87	// no .. traversal
	88	ptr = strstr(path, "..");
	89	if (ptr)
	90	goto errout;
	91
	92	// tasks file exists
	93	struct stat s;
	94	if (stat(path, &s) == -1)
	95	goto errout;
	96
	97	// task file belongs to the user running the sandbox
	98	if (s.st_uid != getuid() && s.st_gid != getgid())
	99	goto errout2;
	100
	101	// add the task to cgroup
	102	/* coverity[toctou] */
	103	FILE *fp = fopen(path, "a");
	104	if (!fp)
	105	goto errout;
	106	pid_t pid = getpid();
	107	int rv = fprintf(fp, "%d\n", pid);
	108	(void) rv;
	109	fclose(fp);
	110	return;
	111
	112	errout:
	113	fprintf(stderr, "Error: invalid cgroup\n");
	114	exit(1);
	115	errout2:
	116	fprintf(stderr, "Error: you don't have permissions to use this control group\n");
	117	exit(1);
	118	}