refactor, check the sandbox status for all join options

author: smitsohu <smitsohu@gmail.com> 2018-08-20 23:34:28 +0200
committer: smitsohu <smitsohu@gmail.com> 2018-08-20 23:34:28 +0200
commit: ec7f59b8d370c29bd229fa9124640611c0667159 (patch)
tree: 30b12ce89fd04343aa5cbf5b5254ce63cb8af9fc /src/firejail/util.c
parent: Document how to access local mail with thunderbird and claws-mail (fixes #1509) (diff)
download: firejail-ec7f59b8d370c29bd229fa9124640611c0667159.tar.gz
firejail-ec7f59b8d370c29bd229fa9124640611c0667159.tar.zst
firejail-ec7f59b8d370c29bd229fa9124640611c0667159.zip
1 files changed, 62 insertions, 0 deletions
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 5738e7cf8..c15e3b691 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1090,3 +1090,65 @@ errexit:
        fprintf(stderr, "Error: cannot open \"%s\", invalid filename\n", path);
        exit(1);
 }
+// return 1 if the sandbox identified by pid is not fully set up yet or if
+// it is no firejail sandbox at all, return 0 if the sandbox is complete
+int invalid_sandbox(const pid_t pid) {
+        // check if a file "ready-for-join" exists
+        char *fname;
+        if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_READY_FOR_JOIN) == -1)
+                errExit("asprintf");
+        EUID_ROOT();
+        FILE *fp = fopen(fname, "re");
+        EUID_USER();
+        free(fname);
+        if (!fp)
+                return 1;
+        // regular file owned by root
+        int fd = fileno(fp);
+        if (fd == -1)
+                errExit("fileno");
+        struct stat s;
+        if (fstat(fd, &s) == -1)
+                errExit("fstat");
+        if (!S_ISREG(s.st_mode) || s.st_uid != 0) {
+                fclose(fp);
+                return 1;
+        }
+        // check if it is non-empty
+        char buf[BUFLEN];
+        if (fgets(buf, BUFLEN, fp) == NULL) {
+                fclose(fp);
+                return 1;
+        }
+        fclose(fp);
+        // confirm "ready" string was written
+        if (strncmp(buf, "ready\n", 6) != 0)
+                return 1;
+        // walk down the process tree a few nodes, there should be no firejail leaf
+#define MAXNODES 5
+        pid_t current = pid, next;
+        int i;
+        for (i = 0; i < MAXNODES; i++) {
+                if (find_child(current, &next) == 1) {
+                        EUID_ROOT();
+                        char *comm = pid_proc_comm(current);
+                        EUID_USER();
+                        if (!comm) {
+                                fprintf(stderr, "Error: cannot read /proc file\n");
+                                exit(1);
+                        }
+                        if (strcmp(comm, "firejail") == 0) {
+                                free(comm);
+                                return 1;
+                        }
+                        free(comm);
+                        break;
+                }
+                current = next;
+        }
+        return 0;
+}
author	smitsohu <smitsohu@gmail.com>	2018-08-20 23:34:28 +0200
committer	smitsohu <smitsohu@gmail.com>	2018-08-20 23:34:28 +0200
commit	ec7f59b8d370c29bd229fa9124640611c0667159 (patch)
tree	30b12ce89fd04343aa5cbf5b5254ce63cb8af9fc /src/firejail/util.c
parent	Document how to access local mail with thunderbird and claws-mail (fixes #1509) (diff)
download	firejail-ec7f59b8d370c29bd229fa9124640611c0667159.tar.gz firejail-ec7f59b8d370c29bd229fa9124640611c0667159.tar.zst firejail-ec7f59b8d370c29bd229fa9124640611c0667159.zip

diff --git a/src/firejail/util.c b/src/firejail/util.c index 5738e7cf8..c15e3b691 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c
@@ -1090,3 +1090,65 @@ errexit:
1090	fprintf(stderr, "Error: cannot open \"%s\", invalid filename\n", path);	1090	fprintf(stderr, "Error: cannot open \"%s\", invalid filename\n", path);
1091	exit(1);	1091	exit(1);
1092	}	1092	}
		1093
		1094
		1095	// return 1 if the sandbox identified by pid is not fully set up yet or if
		1096	// it is no firejail sandbox at all, return 0 if the sandbox is complete
		1097	int invalid_sandbox(const pid_t pid) {
		1098	// check if a file "ready-for-join" exists
		1099	char *fname;
		1100	if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_READY_FOR_JOIN) == -1)
		1101	errExit("asprintf");
		1102	EUID_ROOT();
		1103	FILE *fp = fopen(fname, "re");
		1104	EUID_USER();
		1105	free(fname);
		1106	if (!fp)
		1107	return 1;
		1108	// regular file owned by root
		1109	int fd = fileno(fp);
		1110	if (fd == -1)
		1111	errExit("fileno");
		1112	struct stat s;
		1113	if (fstat(fd, &s) == -1)
		1114	errExit("fstat");
		1115	if (!S_ISREG(s.st_mode) \|\| s.st_uid != 0) {
		1116	fclose(fp);
		1117	return 1;
		1118	}
		1119	// check if it is non-empty
		1120	char buf[BUFLEN];
		1121	if (fgets(buf, BUFLEN, fp) == NULL) {
		1122	fclose(fp);
		1123	return 1;
		1124	}
		1125	fclose(fp);
		1126	// confirm "ready" string was written
		1127	if (strncmp(buf, "ready\n", 6) != 0)
		1128	return 1;
		1129
		1130	// walk down the process tree a few nodes, there should be no firejail leaf
		1131	#define MAXNODES 5
		1132	pid_t current = pid, next;
		1133	int i;
		1134	for (i = 0; i < MAXNODES; i++) {
		1135	if (find_child(current, &next) == 1) {
		1136	EUID_ROOT();
		1137	char *comm = pid_proc_comm(current);
		1138	EUID_USER();
		1139	if (!comm) {
		1140	fprintf(stderr, "Error: cannot read /proc file\n");
		1141	exit(1);
		1142	}
		1143	if (strcmp(comm, "firejail") == 0) {
		1144	free(comm);
		1145	return 1;
		1146	}
		1147	free(comm);
		1148	break;
		1149	}
		1150	current = next;
		1151	}
		1152
		1153	return 0;
		1154	}