security fix

author: netblue30 <netblue30@yahoo.com> 2017-01-06 15:39:54 -0500
committer: netblue30 <netblue30@yahoo.com> 2017-01-06 15:39:54 -0500
commit: 85517885bece9209bbcace80fec115b0126263ad (patch)
tree: 40ad1c5a321e6e9d8977b00dba68b533900de5e1 /src/firejail
parent: security fixes (diff)
download: firejail-85517885bece9209bbcace80fec115b0126263ad.tar.gz
firejail-85517885bece9209bbcace80fec115b0126263ad.tar.zst
firejail-85517885bece9209bbcace80fec115b0126263ad.zip
1 files changed, 21 insertions, 1 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c
index e70e20eec..3a347b3d9 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -35,6 +35,7 @@
 #include <signal.h>
 #include <time.h>
 #include <net/if.h>
+#include <sys/utsname.h>
 #if 0
 #include <sys/times.h>
@@ -817,8 +818,27 @@ int main(int argc, char **argv) {
        
        if (check_arg(argc, argv, "--quiet"))
                arg_quiet = 1;
-        if (check_arg(argc, argv, "--allow-debuggers"))
+        if (check_arg(argc, argv, "--allow-debuggers")) {
+                // check kernel version
+                struct utsname u;
+                int rv = uname(&u);
+                if (rv != 0)
+                        errExit("uname");
+                int major;
+                int minor;
+                if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
+                        fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
+                        exit(1);
+                }
+                if (major < 4 || (major == 4 && minor < 8)) {
+                        fprintf(stderr, "Error: --allow-debuggers is disabled on Linux kernels prior to 4.8. "
+                                "A bug in ptrace call allows a full bypass of the seccomp filter. "
+                                "Your current kernel version is %d.%d.\n", major, minor);
+                        exit(1);
+                }
                arg_allow_debuggers = 1;
+        }
        // drop permissions by default and rise them when required
        EUID_INIT();
author	netblue30 <netblue30@yahoo.com>	2017-01-06 15:39:54 -0500
committer	netblue30 <netblue30@yahoo.com>	2017-01-06 15:39:54 -0500
commit	85517885bece9209bbcace80fec115b0126263ad (patch)
tree	40ad1c5a321e6e9d8977b00dba68b533900de5e1 /src/firejail
parent	security fixes (diff)
download	firejail-85517885bece9209bbcace80fec115b0126263ad.tar.gz firejail-85517885bece9209bbcace80fec115b0126263ad.tar.zst firejail-85517885bece9209bbcace80fec115b0126263ad.zip

diff --git a/src/firejail/main.c b/src/firejail/main.c index e70e20eec..3a347b3d9 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -35,6 +35,7 @@
35	#include <signal.h>	35	#include <signal.h>
36	#include <time.h>	36	#include <time.h>
37	#include <net/if.h>	37	#include <net/if.h>
		38	#include <sys/utsname.h>
38		39
39	#if 0	40	#if 0
40	#include <sys/times.h>	41	#include <sys/times.h>
@@ -817,8 +818,27 @@ int main(int argc, char **argv) {
817		818
818	if (check_arg(argc, argv, "--quiet"))	819	if (check_arg(argc, argv, "--quiet"))
819	arg_quiet = 1;	820	arg_quiet = 1;
820	if (check_arg(argc, argv, "--allow-debuggers"))	821	if (check_arg(argc, argv, "--allow-debuggers")) {
		822	// check kernel version
		823	struct utsname u;
		824	int rv = uname(&u);
		825	if (rv != 0)
		826	errExit("uname");
		827	int major;
		828	int minor;
		829	if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
		830	fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
		831	exit(1);
		832	}
		833	if (major < 4 \|\| (major == 4 && minor < 8)) {
		834	fprintf(stderr, "Error: --allow-debuggers is disabled on Linux kernels prior to 4.8. "
		835	"A bug in ptrace call allows a full bypass of the seccomp filter. "
		836	"Your current kernel version is %d.%d.\n", major, minor);
		837	exit(1);
		838	}
		839
821	arg_allow_debuggers = 1;	840	arg_allow_debuggers = 1;
		841	}
822		842
823	// drop permissions by default and rise them when required	843	// drop permissions by default and rise them when required
824	EUID_INIT();	844	EUID_INIT();