if a sandbox is already running, the program is started directly

author: netblue30 <netblue30@yahoo.com> 2015-08-23 07:17:30 -0400
committer: netblue30 <netblue30@yahoo.com> 2015-08-23 07:17:30 -0400
commit: 73c5236e195332ef0b8792712d4ff5c24399c19c (patch)
tree: adf41f9fe29b22c89cd430ec8302b23d9001cfc4 /src/firejail/no_sandbox.c
parent: support net none in profile files (diff)
download: firejail-73c5236e195332ef0b8792712d4ff5c24399c19c.tar.gz
firejail-73c5236e195332ef0b8792712d4ff5c24399c19c.tar.zst
firejail-73c5236e195332ef0b8792712d4ff5c24399c19c.zip
1 files changed, 119 insertions, 0 deletions
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
new file mode 100644
index 000000000..9dc01435f
--- /dev/null
+++ b/src/firejail/no_sandbox.c
@@ -0,0 +1,119 @@
+#include "firejail.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+// check process space for kernel processes
+// return 1 if found, 0 if not found
+int check_kernel_procs(void) {
+        char *kern_proc[] = {
+                "kthreadd",
+                "ksoftirqd",
+                "kworker",
+                "rcu_sched",
+                "rcu_bh",
+                NULL    // NULL terminated list
+        };
+        int i;
+        // look at the first 10 processes
+        // if a kernel process is found, return 1
+        for (i = 1; i <= 10; i++) { 
+                struct stat s;
+                char *fname;
+                if (asprintf(&fname, "/proc/%d/comm", i) == -1)
+                        errExit("asprintf");
+                if (stat(fname, &s) == -1) {
+                        free(fname);
+                        continue;
+                }
+                
+                // open file
+                FILE *fp = fopen(fname, "r");
+                if (!fp) {
+                        fprintf(stderr, "Warning: cannot open %s\n", fname);
+                        free(fname);
+                        continue;
+                }
+                
+                // read file
+                char buf[100];
+                if (fgets(buf, 10, fp) == NULL) {
+                        fprintf(stderr, "Warning: cannot read %s\n", fname);
+                        fclose(fp);
+                        free(fname);
+                        continue;
+                }
+                // clean /n
+                char *ptr;
+                if ((ptr = strchr(buf, '\n')) != NULL)
+                        *ptr = '\0';
+                
+                // check process name against the kernel list
+                int j = 0;
+                while (kern_proc[j] != NULL) {
+                        if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) {
+                                fclose(fp);
+                                free(fname);
+                                return 1;
+                        }
+                        j++;
+                }
+                
+                fclose(fp);
+                free(fname);
+        }
+        return 0;
+}
+void run_no_sandbox(int argc, char **argv) {
+        // drop privileges
+        int rv = setgroups(0, NULL); // this could fail
+        (void) rv;
+        if (setgid(getgid()) < 0)
+                errExit("setgid/getgid");
+        if (setuid(getuid()) < 0)
+                errExit("setuid/getuid");
+        // build command
+        char *command = NULL;
+        int allocated = 0;
+        if (argc == 1)
+                command = "/bin/bash";
+        else {
+                // calculate length
+                int len = 0;
+                int i;
+                for (i = 1; i < argc; i++) {
+                        if (*argv[i] == '-')
+                                continue;
+                        break;
+                }
+                int start_index = i;
+                for (i = start_index; i < argc; i++)
+                        len += strlen(argv[i]) + 1;
+                
+                // allocate
+                command = malloc(len + 1);
+                if (!command)
+                        errExit("malloc");
+                memset(command, 0, len + 1);
+                allocated = 1;
+                
+                // copy
+                for (i = start_index; i < argc; i++) {
+                        strcat(command, argv[i]);
+                        strcat(command, " ");
+                }
+        }
+        
+        // start the program in /bin/sh
+        fprintf(stderr, "Warning: an existing sandbox was detected. "
+                "%s will run without any additional sandboxing features in a /bin/sh shell\n", command);
+        system(command);
+        if (allocated)
+                free(command);
+        exit(1);
+}
author	netblue30 <netblue30@yahoo.com>	2015-08-23 07:17:30 -0400
committer	netblue30 <netblue30@yahoo.com>	2015-08-23 07:17:30 -0400
commit	73c5236e195332ef0b8792712d4ff5c24399c19c (patch)
tree	adf41f9fe29b22c89cd430ec8302b23d9001cfc4 /src/firejail/no_sandbox.c
parent	support net none in profile files (diff)
download	firejail-73c5236e195332ef0b8792712d4ff5c24399c19c.tar.gz firejail-73c5236e195332ef0b8792712d4ff5c24399c19c.tar.zst firejail-73c5236e195332ef0b8792712d4ff5c24399c19c.zip

diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c new file mode 100644 index 000000000..9dc01435f --- /dev/null +++ b/src/firejail/no_sandbox.c
@@ -0,0 +1,119 @@
	1	#include "firejail.h"
	2	#include <sys/types.h>
	3	#include <sys/stat.h>
	4	#include <unistd.h>
	5
	6	// check process space for kernel processes
	7	// return 1 if found, 0 if not found
	8	int check_kernel_procs(void) {
	9	char *kern_proc[] = {
	10	"kthreadd",
	11	"ksoftirqd",
	12	"kworker",
	13	"rcu_sched",
	14	"rcu_bh",
	15	NULL // NULL terminated list
	16	};
	17	int i;
	18
	19	// look at the first 10 processes
	20	// if a kernel process is found, return 1
	21	for (i = 1; i <= 10; i++) {
	22	struct stat s;
	23	char *fname;
	24	if (asprintf(&fname, "/proc/%d/comm", i) == -1)
	25	errExit("asprintf");
	26	if (stat(fname, &s) == -1) {
	27	free(fname);
	28	continue;
	29	}
	30
	31	// open file
	32	FILE *fp = fopen(fname, "r");
	33	if (!fp) {
	34	fprintf(stderr, "Warning: cannot open %s\n", fname);
	35	free(fname);
	36	continue;
	37	}
	38
	39	// read file
	40	char buf[100];
	41	if (fgets(buf, 10, fp) == NULL) {
	42	fprintf(stderr, "Warning: cannot read %s\n", fname);
	43	fclose(fp);
	44	free(fname);
	45	continue;
	46	}
	47	// clean /n
	48	char *ptr;
	49	if ((ptr = strchr(buf, '\n')) != NULL)
	50	*ptr = '\0';
	51
	52	// check process name against the kernel list
	53	int j = 0;
	54	while (kern_proc[j] != NULL) {
	55	if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) {
	56	fclose(fp);
	57	free(fname);
	58	return 1;
	59	}
	60	j++;
	61	}
	62
	63	fclose(fp);
	64	free(fname);
	65	}
	66
	67	return 0;
	68	}
	69
	70	void run_no_sandbox(int argc, char **argv) {
	71	// drop privileges
	72	int rv = setgroups(0, NULL); // this could fail
	73	(void) rv;
	74	if (setgid(getgid()) < 0)
	75	errExit("setgid/getgid");
	76	if (setuid(getuid()) < 0)
	77	errExit("setuid/getuid");
	78
	79
	80	// build command
	81	char *command = NULL;
	82	int allocated = 0;
	83	if (argc == 1)
	84	command = "/bin/bash";
	85	else {
	86	// calculate length
	87	int len = 0;
	88	int i;
	89	for (i = 1; i < argc; i++) {
	90	if (*argv[i] == '-')
	91	continue;
	92	break;
	93	}
	94	int start_index = i;
	95	for (i = start_index; i < argc; i++)
	96	len += strlen(argv[i]) + 1;
	97
	98	// allocate
	99	command = malloc(len + 1);
	100	if (!command)
	101	errExit("malloc");
	102	memset(command, 0, len + 1);
	103	allocated = 1;
	104
	105	// copy
	106	for (i = start_index; i < argc; i++) {
	107	strcat(command, argv[i]);
	108	strcat(command, " ");
	109	}
	110	}
	111
	112	// start the program in /bin/sh
	113	fprintf(stderr, "Warning: an existing sandbox was detected. "
	114	"%s will run without any additional sandboxing features in a /bin/sh shell\n", command);
	115	system(command);
	116	if (allocated)
	117	free(command);
	118	exit(1);
	119	}