firemon fixes

author: netblue30 <netblue30@yahoo.com> 2016-02-27 16:18:00 -0500
committer: netblue30 <netblue30@yahoo.com> 2016-02-27 16:18:00 -0500
commit: ab8c4dba69e3c2d92339d69f295acda1d55b296b (patch)
tree: 0daab9a9193267359e67693d8b8d9e57176b3c8f /src/firemon/procevent.c
parent: man page fixes (diff)
download: firejail-ab8c4dba69e3c2d92339d69f295acda1d55b296b.tar.gz
firejail-ab8c4dba69e3c2d92339d69f295acda1d55b296b.tar.zst
firejail-ab8c4dba69e3c2d92339d69f295acda1d55b296b.zip
1 files changed, 57 insertions, 14 deletions
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c
index 3c23dc44d..6396049e3 100644
--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -27,18 +27,20 @@
 #include <unistd.h>
 #include <arpa/inet.h>
 #include <time.h>
+#include <fcntl.h>
 #define PIDS_BUFLEN 4096
 #define SERVER_PORT 889 // 889-899 is left unassigned by IANA
 static int pid_is_firejail(pid_t pid) {
        uid_t rv = 0;
        
-        // open stat file
+        // open /proc/self/comm
        char *file;
-        if (asprintf(&file, "/proc/%u/status", pid) == -1) {
+        if (asprintf(&file, "/proc/%u/comm", pid) == -1) {
                perror("asprintf");
                exit(1);
        }
+        
        FILE *fp = fopen(file, "r");
        if (!fp) {
                free(file);
@@ -47,21 +49,62 @@ static int pid_is_firejail(pid_t pid) {
        // look for firejail executable name
        char buf[PIDS_BUFLEN];
-        while (fgets(buf, PIDS_BUFLEN - 1, fp)) {
+        if (fgets(buf, PIDS_BUFLEN - 1, fp)) {
-                if (strncmp(buf, "Name:", 5) == 0) {
+                if (strncmp(buf, "firejail", 8) == 0)
-                        char *ptr = buf + 5;
+                        rv = 1;
-                        while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) {
+        }
-                                ptr++;
+        
+        if (rv) {
+                // open /proc/pid/cmdline file
+                char *fname;
+                int fd;
+                if (asprintf(&fname, "/proc/%d/cmdline", pid) == -1)
+                        errExit("asprintf");
+                if ((fd = open(fname, O_RDONLY)) < 0) {
+                        free(fname);
+                        rv = 0;
+                        goto doexit;
+                }
+                free(fname);
+        
+                // read file
+#define BUFLEN 4096
+                unsigned char buffer[BUFLEN];
+                ssize_t len;
+                if ((len = read(fd, buffer, sizeof(buffer) - 1)) <= 0) {
+                        close(fd);
+                        rv = 0;
+                        goto doexit;
+                }
+                buffer[len] = '\0';
+                close(fd);
+        
+                // list of firejail arguments that don't trigger sandbox creation
+                // the initial -- is not included 
+                char *firejail_args = "list tree x11 help version top netstats debug-syscalls debug-errnos debug-protocols";
+                
+                int i;
+                char *start;
+                int first = 1;
+                for (i = 0; i < len; i++) {
+                        if (buffer[i] != '\0')
+                                continue;
+                        if (first) {
+                                first = 0;
+                                start = buffer + i + 1;
+                                continue;
                        }
-                        if (*ptr == '\0')
+                        if (strncmp(start, "--", 2) != 0)
-                                goto doexit;
+                                break;
-                        if (strncmp(ptr, "firejail", 8) == 0)
+                        
-                                rv = 1;
+                        if (strstr(firejail_args, start + 2)) {
-//                      if (strncmp(ptr, "lxc-execute", 11) == 0)
+                                rv = 0;
-//                              rv = 1;
+                                break;
-                        break;
+                        }
+                        start = buffer + i + 1;
                }
        }
 doexit: 
        fclose(fp);
        free(file);
author	netblue30 <netblue30@yahoo.com>	2016-02-27 16:18:00 -0500
committer	netblue30 <netblue30@yahoo.com>	2016-02-27 16:18:00 -0500
commit	ab8c4dba69e3c2d92339d69f295acda1d55b296b (patch)
tree	0daab9a9193267359e67693d8b8d9e57176b3c8f /src/firemon/procevent.c
parent	man page fixes (diff)
download	firejail-ab8c4dba69e3c2d92339d69f295acda1d55b296b.tar.gz firejail-ab8c4dba69e3c2d92339d69f295acda1d55b296b.tar.zst firejail-ab8c4dba69e3c2d92339d69f295acda1d55b296b.zip

diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c index 3c23dc44d..6396049e3 100644 --- a/src/firemon/procevent.c +++ b/src/firemon/procevent.c
@@ -27,18 +27,20 @@
27	#include <unistd.h>	27	#include <unistd.h>
28	#include <arpa/inet.h>	28	#include <arpa/inet.h>
29	#include <time.h>	29	#include <time.h>
		30	#include <fcntl.h>
30	#define PIDS_BUFLEN 4096	31	#define PIDS_BUFLEN 4096
31	#define SERVER_PORT 889 // 889-899 is left unassigned by IANA	32	#define SERVER_PORT 889 // 889-899 is left unassigned by IANA
32		33
33	static int pid_is_firejail(pid_t pid) {	34	static int pid_is_firejail(pid_t pid) {
34	uid_t rv = 0;	35	uid_t rv = 0;
35		36
36	// open stat file	37	// open /proc/self/comm
37	char *file;	38	char *file;
38	if (asprintf(&file, "/proc/%u/status", pid) == -1) {	39	if (asprintf(&file, "/proc/%u/comm", pid) == -1) {
39	perror("asprintf");	40	perror("asprintf");
40	exit(1);	41	exit(1);
41	}	42	}
		43
42	FILE *fp = fopen(file, "r");	44	FILE *fp = fopen(file, "r");
43	if (!fp) {	45	if (!fp) {
44	free(file);	46	free(file);
@@ -47,21 +49,62 @@ static int pid_is_firejail(pid_t pid) {
47		49
48	// look for firejail executable name	50	// look for firejail executable name
49	char buf[PIDS_BUFLEN];	51	char buf[PIDS_BUFLEN];
50	while (fgets(buf, PIDS_BUFLEN - 1, fp)) {	52	if (fgets(buf, PIDS_BUFLEN - 1, fp)) {
51	if (strncmp(buf, "Name:", 5) == 0) {	53	if (strncmp(buf, "firejail", 8) == 0)
52	char *ptr = buf + 5;	54	rv = 1;
53	while (ptr != '\0' && (ptr == ' ' \|\| *ptr == '\t')) {	55	}
54	ptr++;	56
		57	if (rv) {
		58	// open /proc/pid/cmdline file
		59	char *fname;
		60	int fd;
		61	if (asprintf(&fname, "/proc/%d/cmdline", pid) == -1)
		62	errExit("asprintf");
		63	if ((fd = open(fname, O_RDONLY)) < 0) {
		64	free(fname);
		65	rv = 0;
		66	goto doexit;
		67	}
		68	free(fname);
		69
		70	// read file
		71	#define BUFLEN 4096
		72	unsigned char buffer[BUFLEN];
		73	ssize_t len;
		74	if ((len = read(fd, buffer, sizeof(buffer) - 1)) <= 0) {
		75	close(fd);
		76	rv = 0;
		77	goto doexit;
		78	}
		79	buffer[len] = '\0';
		80	close(fd);
		81
		82	// list of firejail arguments that don't trigger sandbox creation
		83	// the initial -- is not included
		84	char *firejail_args = "list tree x11 help version top netstats debug-syscalls debug-errnos debug-protocols";
		85
		86	int i;
		87	char *start;
		88	int first = 1;
		89	for (i = 0; i < len; i++) {
		90	if (buffer[i] != '\0')
		91	continue;
		92	if (first) {
		93	first = 0;
		94	start = buffer + i + 1;
		95	continue;
55	}	96	}
56	if (*ptr == '\0')	97	if (strncmp(start, "--", 2) != 0)
57	goto doexit;	98	break;
58	if (strncmp(ptr, "firejail", 8) == 0)	99
59	rv = 1;	100	if (strstr(firejail_args, start + 2)) {
60	// if (strncmp(ptr, "lxc-execute", 11) == 0)	101	rv = 0;
61	// rv = 1;	102	break;
62	break;	103	}
		104	start = buffer + i + 1;
63	}	105	}
64	}	106	}
		107
65	doexit:	108	doexit:
66	fclose(fp);	109	fclose(fp);
67	free(file);	110	free(file);