firemon fixes for x11 sandboxes

author: netblue30 <netblue30@yahoo.com> 2016-08-17 10:27:58 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-08-17 10:27:58 -0400
commit: 46a15d38d347fe012b25a913c381a128a392edb0 (patch)
tree: c762a75fc45c169a4459a3d3666a8d9447999f92 /src/lib
parent: slack profile integration (diff)
download: firejail-46a15d38d347fe012b25a913c381a128a392edb0.tar.gz
firejail-46a15d38d347fe012b25a913c381a128a392edb0.tar.zst
firejail-46a15d38d347fe012b25a913c381a128a392edb0.zip
2 files changed, 66 insertions, 11 deletions
diff --git a/src/lib/common.c b/src/lib/common.c
index 8ea926df1..885f31881 100644
--- a/src/lib/common.c
+++ b/src/lib/common.c
@@ -199,3 +199,62 @@ char *pid_proc_cmdline(const pid_t pid) {
        }
        return rv;
 }
+// return 1 if firejail --x11 on command line
+int pid_proc_cmdline_x11(const pid_t pid) {
+        // if comm is not firejail return 0
+        char *comm = pid_proc_comm(pid);
+        if (strcmp(comm, "firejail") != 0) {
+                free(comm);
+                return 0;
+        }
+        free(comm);
+        // open /proc/pid/cmdline file
+        char *fname;
+        int fd;
+        if (asprintf(&fname, "/proc/%d/cmdline", pid) == -1)
+                return 0;
+        if ((fd = open(fname, O_RDONLY)) < 0) {
+                free(fname);
+                return 0;
+        }
+        free(fname);
+        // read file
+        unsigned char buffer[BUFLEN];
+        ssize_t len;
+        if ((len = read(fd, buffer, sizeof(buffer) - 1)) <= 0) {
+                close(fd);
+                return 0;
+        }
+        buffer[len] = '\0';
+        close(fd);
+        // skip the first argument
+        int i;
+        for (i = 0; buffer[i] != '\0'; i++);
+        // parse remaining command line options
+        while (1) {
+                // extract argument
+                i++;
+                if (i >= len)
+                        break;
+                char *arg = buffer + i;
+                
+                // detect the last command line option
+                if (strcmp(arg, "--") == 0)
+                        break;
+                if (strncmp(arg, "--", 2) != 0)
+                        break;
+                        
+                // check x11
+                if (strcmp(arg, "--x11") == 0 || strncmp(arg, "--x11=", 6) == 0)
+                        return 1;
+        }
+        return 0;
+}
diff --git a/src/lib/pid.c b/src/lib/pid.c
index d1ade389e..4540247a0 100644
--- a/src/lib/pid.c
+++ b/src/lib/pid.c
@@ -340,18 +340,14 @@ void pid_read(pid_t mon_pid) {
                                        exit(1);
                                }
-                                if (mon_pid == 0 && strncmp(ptr, "firejail", 8) == 0) {
+                                if ((strncmp(ptr, "firejail", 8) == 0) && (mon_pid == 0 || mon_pid == pid)) {
-                                        pids[pid].level = 1;
+                                        if (pid_proc_cmdline_x11(pid)) {
+                                                printf("--x11 detected for pid %d\n", pid);
+                                                pids[pid].level = -1;
+                                        }
+                                        else
+                                                pids[pid].level = 1;
                                }
-                                else if (mon_pid == pid && strncmp(ptr, "firejail", 8) == 0) {
-                                        pids[pid].level = 1;
-                                }
-//                              else if (mon_pid == 0 && strncmp(ptr, "lxc-execute", 11) == 0) {
-//                                      pids[pid].level = 1;
-//                              }
-//                              else if (mon_pid == pid && strncmp(ptr, "lxc-execute", 11) == 0) {
-//                                      pids[pid].level = 1;
-//                              }
                                else
                                        pids[pid].level = -1;
                        }
author	netblue30 <netblue30@yahoo.com>	2016-08-17 10:27:58 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-08-17 10:27:58 -0400
commit	46a15d38d347fe012b25a913c381a128a392edb0 (patch)
tree	c762a75fc45c169a4459a3d3666a8d9447999f92 /src/lib
parent	slack profile integration (diff)
download	firejail-46a15d38d347fe012b25a913c381a128a392edb0.tar.gz firejail-46a15d38d347fe012b25a913c381a128a392edb0.tar.zst firejail-46a15d38d347fe012b25a913c381a128a392edb0.zip

diff --git a/src/lib/common.c b/src/lib/common.c index 8ea926df1..885f31881 100644 --- a/src/lib/common.c +++ b/src/lib/common.c
@@ -199,3 +199,62 @@ char *pid_proc_cmdline(const pid_t pid) {
199	}	199	}
200	return rv;	200	return rv;
201	}	201	}
		202
		203	// return 1 if firejail --x11 on command line
		204	int pid_proc_cmdline_x11(const pid_t pid) {
		205	// if comm is not firejail return 0
		206	char *comm = pid_proc_comm(pid);
		207	if (strcmp(comm, "firejail") != 0) {
		208	free(comm);
		209	return 0;
		210	}
		211	free(comm);
		212
		213	// open /proc/pid/cmdline file
		214	char *fname;
		215	int fd;
		216	if (asprintf(&fname, "/proc/%d/cmdline", pid) == -1)
		217	return 0;
		218	if ((fd = open(fname, O_RDONLY)) < 0) {
		219	free(fname);
		220	return 0;
		221	}
		222	free(fname);
		223
		224	// read file
		225	unsigned char buffer[BUFLEN];
		226	ssize_t len;
		227	if ((len = read(fd, buffer, sizeof(buffer) - 1)) <= 0) {
		228	close(fd);
		229	return 0;
		230	}
		231	buffer[len] = '\0';
		232	close(fd);
		233
		234	// skip the first argument
		235	int i;
		236	for (i = 0; buffer[i] != '\0'; i++);
		237
		238	// parse remaining command line options
		239	while (1) {
		240	// extract argument
		241	i++;
		242	if (i >= len)
		243	break;
		244	char *arg = buffer + i;
		245
		246	// detect the last command line option
		247	if (strcmp(arg, "--") == 0)
		248	break;
		249	if (strncmp(arg, "--", 2) != 0)
		250	break;
		251
		252	// check x11
		253	if (strcmp(arg, "--x11") == 0 \|\| strncmp(arg, "--x11=", 6) == 0)
		254	return 1;
		255	}
		256	return 0;
		257	}
		258
		259
		260


diff --git a/src/lib/pid.c b/src/lib/pid.c index d1ade389e..4540247a0 100644 --- a/src/lib/pid.c +++ b/src/lib/pid.c
@@ -340,18 +340,14 @@ void pid_read(pid_t mon_pid) {
340	exit(1);	340	exit(1);
341	}	341	}
342		342
343	if (mon_pid == 0 && strncmp(ptr, "firejail", 8) == 0) {	343	if ((strncmp(ptr, "firejail", 8) == 0) && (mon_pid == 0 \|\| mon_pid == pid)) {
344	pids[pid].level = 1;	344	if (pid_proc_cmdline_x11(pid)) {
		345	printf("--x11 detected for pid %d\n", pid);
		346	pids[pid].level = -1;
		347	}
		348	else
		349	pids[pid].level = 1;
345	}	350	}
346	else if (mon_pid == pid && strncmp(ptr, "firejail", 8) == 0) {
347	pids[pid].level = 1;
348	}
349	// else if (mon_pid == 0 && strncmp(ptr, "lxc-execute", 11) == 0) {
350	// pids[pid].level = 1;
351	// }
352	// else if (mon_pid == pid && strncmp(ptr, "lxc-execute", 11) == 0) {
353	// pids[pid].level = 1;
354	// }
355	else	351	else
356	pids[pid].level = -1;	352	pids[pid].level = -1;
357	}	353	}