--private.print option

author: netblue30 <netblue30@yahoo.com> 2015-11-03 08:55:40 -0500
committer: netblue30 <netblue30@yahoo.com> 2015-11-03 08:55:40 -0500
commit: dbb15d0067f1fce7478ff4059a5e1d78dec37804 (patch)
tree: fb9d4cc6902c65d69df90e8a2fc108b58c4d6afa /src/firejail/protocol.c
parent: cleanup (diff)
download: firejail-dbb15d0067f1fce7478ff4059a5e1d78dec37804.tar.gz
firejail-dbb15d0067f1fce7478ff4059a5e1d78dec37804.tar.zst
firejail-dbb15d0067f1fce7478ff4059a5e1d78dec37804.zip
1 files changed, 121 insertions, 24 deletions
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c
index e71daaad8..8ee5fd3b8 100644
--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -114,27 +114,6 @@ void protocol_list(void) {
        printf("\n");
 }
-// --protocol.print
-void protocol_print_filter_name(const char *name) {
-        (void) name;
-#ifdef SYS_socket
-//todo
-#else
-        fprintf(stderr, "Warning: --protocol not supported on this platform\n");
-        return;
-#endif
-}
-// --protocol.print
-void protocol_print_filter(pid_t pid) {
-        (void) pid;
-#ifdef SYS_socket
-//todo
-#else
-        fprintf(stderr, "Warning: --protocol not supported on this platform\n");
-        return;
-#endif  
-}
 // check protocol list and store it in cfg structure
 void protocol_store(const char *prlist) {
@@ -171,6 +150,8 @@ errout:
 // install protocol filter
 void protocol_filter(void) {
        assert(cfg.protocol);
+        if (arg_debug)
+                printf("Set protocol filter: %s\n", cfg.protocol);
 #ifndef SYS_socket
        (void) find_protocol_domain;
@@ -273,10 +254,126 @@ printf("entries %u\n",  (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (uns
                fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
                return;
        }
-        else if (arg_debug) {
-                printf("seccomp protocol filter enabled\n");
-        }
 #endif // SYS_socket    
 }
+void protocol_filter_save(void) {
+        // save protocol filter configuration in PROTOCOL_CFG
+        fs_build_mnt_dir();
+        FILE *fp = fopen(PROTOCOL_CFG, "w");
+        if (!fp)
+                errExit("fopen");
+        fprintf(fp, "%s\n", cfg.protocol);
+        fclose(fp);
+        if (chmod(PROTOCOL_CFG, 0600) < 0)
+                errExit("chmod");
+        if (chown(PROTOCOL_CFG, 0, 0) < 0)
+                errExit("chown");
+}
+void protocol_filter_load(const char *fname) {
+        assert(fname);
+        
+        // read protocol filter configuration from PROTOCOL_CFG
+        FILE *fp = fopen(fname, "r");
+        if (!fp)
+                return;
+        const int MAXBUF = 4098;
+        char buf[MAXBUF];
+        if (fgets(buf, MAXBUF, fp) == NULL) {
+                // empty file
+                fclose(fp);
+                return;
+        }
+        fclose(fp);
+        
+        char *ptr = strchr(buf, '\n');
+        if (ptr)
+                *ptr = '\0';
+        cfg.protocol = strdup(buf);
+        if (!cfg.protocol)
+                errExit("strdup");
+}
+// --protocol.print
+void protocol_print_filter_name(const char *name) {
+        (void) name;
+#ifdef SYS_socket
+        if (!name || strlen(name) == 0) {
+                fprintf(stderr, "Error: invalid sandbox name\n");
+                exit(1);
+        }
+        pid_t pid;
+        if (name2pid(name, &pid)) {
+                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
+                exit(1);
+        }
+        protocol_print_filter(pid);
+#else
+        fprintf(stderr, "Warning: --protocol not supported on this platform\n");
+        return;
+#endif
+}
+// --protocol.print
+void protocol_print_filter(pid_t pid) {
+        (void) pid;
+#ifdef SYS_socket
+        // if the pid is that of a firejail  process, use the pid of the first child process
+        char *comm = pid_proc_comm(pid);
+        if (comm) {
+                // remove \n
+                char *ptr = strchr(comm, '\n');
+                if (ptr)
+                        *ptr = '\0';
+                if (strcmp(comm, "firejail") == 0) {
+                        pid_t child;
+                        if (find_child(pid, &child) == 0) {
+                                pid = child;
+                        }
+                }
+                free(comm);
+        }
+        // check privileges for non-root users
+        uid_t uid = getuid();
+        if (uid != 0) {
+                uid_t sandbox_uid = pid_get_uid(pid);
+                if (uid != sandbox_uid) {
+                        fprintf(stderr, "Error: permission denied.\n");
+                        exit(1);
+                }
+        }
+        // find the seccomp filter
+        char *fname;
+        if (asprintf(&fname, "/proc/%d/root%s", pid, PROTOCOL_CFG) == -1)
+                errExit("asprintf");
+        struct stat s;
+        if (stat(fname, &s) == -1) {
+                printf("Cannot access seccomp filter.\n");
+                exit(1);
+        }
+        // read and print the filter
+        protocol_filter_load(fname);
+        free(fname);
+        if (cfg.protocol)
+                printf("%s\n", cfg.protocol);
+        exit(0);
+#else
+        fprintf(stderr, "Warning: --protocol not supported on this platform\n");
+        return;
+#endif  
+}
 #endif // HAVE_SECCOMP
author	netblue30 <netblue30@yahoo.com>	2015-11-03 08:55:40 -0500
committer	netblue30 <netblue30@yahoo.com>	2015-11-03 08:55:40 -0500
commit	dbb15d0067f1fce7478ff4059a5e1d78dec37804 (patch)
tree	fb9d4cc6902c65d69df90e8a2fc108b58c4d6afa /src/firejail/protocol.c
parent	cleanup (diff)
download	firejail-dbb15d0067f1fce7478ff4059a5e1d78dec37804.tar.gz firejail-dbb15d0067f1fce7478ff4059a5e1d78dec37804.tar.zst firejail-dbb15d0067f1fce7478ff4059a5e1d78dec37804.zip

diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c index e71daaad8..8ee5fd3b8 100644 --- a/src/firejail/protocol.c +++ b/src/firejail/protocol.c
@@ -114,27 +114,6 @@ void protocol_list(void) {
114	printf("\n");	114	printf("\n");
115	}	115	}
116		116
117	// --protocol.print
118	void protocol_print_filter_name(const char *name) {
119	(void) name;
120	#ifdef SYS_socket
121	//todo
122	#else
123	fprintf(stderr, "Warning: --protocol not supported on this platform\n");
124	return;
125	#endif
126	}
127
128	// --protocol.print
129	void protocol_print_filter(pid_t pid) {
130	(void) pid;
131	#ifdef SYS_socket
132	//todo
133	#else
134	fprintf(stderr, "Warning: --protocol not supported on this platform\n");
135	return;
136	#endif
137	}
138		117
139	// check protocol list and store it in cfg structure	118	// check protocol list and store it in cfg structure
140	void protocol_store(const char *prlist) {	119	void protocol_store(const char *prlist) {
@@ -171,6 +150,8 @@ errout:
171	// install protocol filter	150	// install protocol filter
172	void protocol_filter(void) {	151	void protocol_filter(void) {
173	assert(cfg.protocol);	152	assert(cfg.protocol);
		153	if (arg_debug)
		154	printf("Set protocol filter: %s\n", cfg.protocol);
174		155
175	#ifndef SYS_socket	156	#ifndef SYS_socket
176	(void) find_protocol_domain;	157	(void) find_protocol_domain;
@@ -273,10 +254,126 @@ printf("entries %u\n", (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (uns
273	fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");	254	fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
274	return;	255	return;
275	}	256	}
276	else if (arg_debug) {
277	printf("seccomp protocol filter enabled\n");
278	}
279	#endif // SYS_socket	257	#endif // SYS_socket
280	}	258	}
281		259
		260	void protocol_filter_save(void) {
		261	// save protocol filter configuration in PROTOCOL_CFG
		262	fs_build_mnt_dir();
		263
		264	FILE *fp = fopen(PROTOCOL_CFG, "w");
		265	if (!fp)
		266	errExit("fopen");
		267	fprintf(fp, "%s\n", cfg.protocol);
		268	fclose(fp);
		269
		270	if (chmod(PROTOCOL_CFG, 0600) < 0)
		271	errExit("chmod");
		272
		273	if (chown(PROTOCOL_CFG, 0, 0) < 0)
		274	errExit("chown");
		275
		276	}
		277
		278	void protocol_filter_load(const char *fname) {
		279	assert(fname);
		280
		281	// read protocol filter configuration from PROTOCOL_CFG
		282	FILE *fp = fopen(fname, "r");
		283	if (!fp)
		284	return;
		285
		286	const int MAXBUF = 4098;
		287	char buf[MAXBUF];
		288	if (fgets(buf, MAXBUF, fp) == NULL) {
		289	// empty file
		290	fclose(fp);
		291	return;
		292	}
		293	fclose(fp);
		294
		295	char *ptr = strchr(buf, '\n');
		296	if (ptr)
		297	*ptr = '\0';
		298	cfg.protocol = strdup(buf);
		299	if (!cfg.protocol)
		300	errExit("strdup");
		301	}
		302
		303
		304	// --protocol.print
		305	void protocol_print_filter_name(const char *name) {
		306	(void) name;
		307	#ifdef SYS_socket
		308	if (!name \|\| strlen(name) == 0) {
		309	fprintf(stderr, "Error: invalid sandbox name\n");
		310	exit(1);
		311	}
		312	pid_t pid;
		313	if (name2pid(name, &pid)) {
		314	fprintf(stderr, "Error: cannot find sandbox %s\n", name);
		315	exit(1);
		316	}
		317
		318	protocol_print_filter(pid);
		319	#else
		320	fprintf(stderr, "Warning: --protocol not supported on this platform\n");
		321	return;
		322	#endif
		323	}
		324
		325	// --protocol.print
		326	void protocol_print_filter(pid_t pid) {
		327	(void) pid;
		328	#ifdef SYS_socket
		329	// if the pid is that of a firejail process, use the pid of the first child process
		330	char *comm = pid_proc_comm(pid);
		331	if (comm) {
		332	// remove \n
		333	char *ptr = strchr(comm, '\n');
		334	if (ptr)
		335	*ptr = '\0';
		336	if (strcmp(comm, "firejail") == 0) {
		337	pid_t child;
		338	if (find_child(pid, &child) == 0) {
		339	pid = child;
		340	}
		341	}
		342	free(comm);
		343	}
		344
		345	// check privileges for non-root users
		346	uid_t uid = getuid();
		347	if (uid != 0) {
		348	uid_t sandbox_uid = pid_get_uid(pid);
		349	if (uid != sandbox_uid) {
		350	fprintf(stderr, "Error: permission denied.\n");
		351	exit(1);
		352	}
		353	}
		354
		355	// find the seccomp filter
		356	char *fname;
		357	if (asprintf(&fname, "/proc/%d/root%s", pid, PROTOCOL_CFG) == -1)
		358	errExit("asprintf");
		359
		360	struct stat s;
		361	if (stat(fname, &s) == -1) {
		362	printf("Cannot access seccomp filter.\n");
		363	exit(1);
		364	}
		365
		366	// read and print the filter
		367	protocol_filter_load(fname);
		368	free(fname);
		369	if (cfg.protocol)
		370	printf("%s\n", cfg.protocol);
		371	exit(0);
		372	#else
		373	fprintf(stderr, "Warning: --protocol not supported on this platform\n");
		374	return;
		375	#endif
		376	}
		377
		378
282	#endif // HAVE_SECCOMP	379	#endif // HAVE_SECCOMP