author | smitsohu <smitsohu@gmail.com> | 2018-08-20 23:34:28 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2018-08-20 23:34:28 +0200 |
commit | ec7f59b8d370c29bd229fa9124640611c0667159 (patch) | |
tree | 30b12ce89fd04343aa5cbf5b5254ce63cb8af9fc /src/firejail/util.c | |
parent | Document how to access local mail with thunderbird and claws-mail (fixes #1509) (diff) | |
refactor, check the sandbox status for all join options
Diffstat (limited to 'src/firejail/util.c')
-rw-r--r-- | src/firejail/util.c | 62 |
1 files changed, 62 insertions, 0 deletions
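--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1090,3 +1090,65 @@ errexit:
 fprintf(stderr, "Error: cannot open \"%s\", invalid filename\n", path);
 exit(1);
 }
+
+
+// return 1 if the sandbox identified by pid is not fully set up yet or if
+// it is no firejail sandbox at all, return 0 if the sandbox is complete
+int invalid_sandbox(const pid_t pid) {
+// check if a file "ready-for-join" exists
+char *fname;
+if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_READY_FOR_JOIN) == -1)
+errExit("asprintf");
+EUID_ROOT();
+FILE *fp = fopen(fname, "re");
+EUID_USER();
+free(fname);
+if (!fp)
+return 1;
+// regular file owned by root
+int fd = fileno(fp);
+if (fd == -1)
+errExit("fileno");
+struct stat s;
+if (fstat(fd, &s) == -1)
+errExit("fstat");
+if (!S_ISREG(s.st_mode) || s.st_uid != 0) {
+fclose(fp);
+return 1;
+}
+// check if it is non-empty
+char buf[BUFLEN];
+if (fgets(buf, BUFLEN, fp) == NULL) {
+fclose(fp);
+return 1;
+}
+fclose(fp);
+// confirm "ready" string was written
+if (strncmp(buf, "ready\n", 6) != 0)
+return 1;
+
+// walk down the process tree a few nodes, there should be no firejail leaf
+#define MAXNODES 5
+pid_t current = pid, next;
+int i;
+for (i = 0; i < MAXNODES; i++) {
+if (find_child(current, &next) == 1) {
+EUID_ROOT();
+char *comm = pid_proc_comm(current);
+EUID_USER();
+if (!comm) {
+fprintf(stderr, "Error: cannot read /proc file\n");
+exit(1);
+}
+if (strcmp(comm, "firejail") == 0) {
+free(comm);
+return 1;
+}
+free(comm);
+break;
+}
+current = next;
+}
+
+return 0;
+}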
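Review bot: In `invalid_sandbox`, `fopen(fname, "re")` runs with root privileges on a path below `/proc/<pid>/root`, and the `S_ISREG`/`st_uid` test only happens after the open has already completed. Because the function is also meant to reject PIDs that are not firejail sandboxes at all, the object at that path may be chosen by the owner of an arbitrary process: a FIFO would block the privileged open, and a symlink in the final component would be followed. I would open with `int fd = open(fname, O_RDONLY|O_CLOEXEC|O_NOFOLLOW|O_NONBLOCK);`, run the `fstat` checks on that descriptor, and only then wrap it with `fdopen(fd, "r")`. `O_NOFOLLOW` covers only the last path component, so the directory part of `RUN_READY_FOR_JOIN` (its value is not visible in this hunk) still has to be root-controlled for the ownership test to carry weight.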