Implemenent require_pid

Separate jail existence checking and jail pid determination code into read_pid and require_pid, respectively. Signed-off-by: Antonio Russo <antonio.e.russo@gmail.com>
author: Antonio Russo <antonio.e.russo@gmail.com> 2018-04-23 02:04:20 -0400
committer: Antonio Russo <antonio.e.russo@gmail.com> 2018-04-23 02:28:33 -0400
commit: 926e8e954cce812ea0218acaef421a9e29c65e0d (patch)
tree: b06af39ea58c626b521c4ff51a2f0938d546dba5 /src
parent: Merge pull request #1904 from glitsj16/firefox (diff)
download: firejail-926e8e954cce812ea0218acaef421a9e29c65e0d.tar.gz
firejail-926e8e954cce812ea0218acaef421a9e29c65e0d.tar.zst
firejail-926e8e954cce812ea0218acaef421a9e29c65e0d.zip
1 files changed, 41 insertions, 31 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 909b5441e..017c6c843 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -161,37 +161,47 @@ static void my_handler(int s){
        myexit(1);
 }
-static pid_t extract_pid(const char *name) {
+// return 1 if error, 0 if a valid pid was found
+static int extract_pid(const char *name, pid_t *pid) {
+        int retval = 0;
        EUID_ASSERT();
        if (!name || strlen(name) == 0) {
                fprintf(stderr, "Error: invalid sandbox name\n");
                exit(1);
        }
-        pid_t pid;
        EUID_ROOT();
-        if (name2pid(name, &pid)) {
+        if (name2pid(name, pid)) {
-                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
+                retval = 1;
-                exit(1);
        }
        EUID_USER();
-        return pid;
+        return retval;
 }
+// return 1 if error, 0 if a valid pid was found
-static pid_t read_pid(const char *str) {
+static int read_pid(const char *name, pid_t *pid) {
        char *endptr;
        errno = 0;
-        long int pidtmp = strtol(str, &endptr, 10);
+        long int pidtmp = strtol(name, &endptr, 10);
        if ((errno == ERANGE && (pidtmp == LONG_MAX || pidtmp == LONG_MIN))
                || (errno != 0 && pidtmp == 0)) {
-                return extract_pid(str);
+                return extract_pid(name,pid);
        }
-        // endptr points to '\0' char in str if the entire string is valid
+        // endptr points to '\0' char in name if the entire string is valid
        if (endptr == NULL || endptr[0]!='\0') {
-                return extract_pid(str);
+                return extract_pid(name,pid);
        }
-        return (pid_t)pidtmp;
+        *pid =(pid_t)pidtmp;
+        return 0;
+}
+static pid_t require_pid(const char *name) {
+        pid_t pid;
+        if (read_pid(name,&pid)) {
+                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
+                exit(1);
+        }
+        return pid;
 }
 // init configuration
@@ -411,7 +421,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                        }
                        // extract pid or sandbox name
-                        pid_t pid = read_pid(argv[i] + 12);
+                        pid_t pid = require_pid(argv[i] + 12);
                        bandwidth_pid(pid, cmd, dev, down, up);
                }
                else
@@ -420,13 +430,13 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
        }
        else if (strncmp(argv[i], "--netfilter.print=", 18) == 0) {
                // extract pid or sandbox name
-                pid_t pid = read_pid(argv[i] + 18);
+                pid_t pid = require_pid(argv[i] + 18);
                netfilter_print(pid, 0);
                exit(0);
        }
        else if (strncmp(argv[i], "--netfilter6.print=", 19) == 0) {
                // extract pid or sandbox name
-                pid_t pid = read_pid(argv[i] + 19);
+                pid_t pid = require_pid(argv[i] + 19);
                netfilter_print(pid, 1);
                exit(0);
        }
@@ -455,7 +465,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
        else if (strncmp(argv[i], "--seccomp.print=", 16) == 0) {
                if (checkcfg(CFG_SECCOMP)) {
                        // print seccomp filter for a sandbox specified by pid or by name
-                        pid_t pid = read_pid(argv[i] + 16);
+                        pid_t pid = require_pid(argv[i] + 16);
                        seccomp_print_filter(pid);
                }
                else
@@ -469,7 +479,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
        else if (strncmp(argv[i], "--protocol.print=", 17) == 0) {
                if (checkcfg(CFG_SECCOMP)) {
                        // print seccomp filter for a sandbox specified by pid or by name
-                        pid_t pid = read_pid(argv[i] + 17);
+                        pid_t pid = require_pid(argv[i] + 17);
                        protocol_print_filter(pid);
                }
                else
@@ -478,7 +488,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
        }
 #endif
        else if (strncmp(argv[i], "--profile.print=", 16) == 0) {
-                pid_t pid = read_pid(argv[i] + 16);
+                pid_t pid = require_pid(argv[i] + 16);
                // print /run/firejail/profile/<PID> file
                char *fname;
@@ -499,13 +509,13 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
        }
        else if (strncmp(argv[i], "--cpu.print=", 12) == 0) {
                // join sandbox by pid or by name
-                pid_t pid = read_pid(argv[i] + 12);
+                pid_t pid = require_pid(argv[i] + 12);
                cpu_print_filter(pid);
                exit(0);
        }
        else if (strncmp(argv[i], "--apparmor.print=", 12) == 0) {
                // join sandbox by pid or by name
-                pid_t pid = read_pid(argv[i] + 17);
+                pid_t pid = require_pid(argv[i] + 17);
                char *pidstr;
                if (asprintf(&pidstr, "%u", pid) == -1)
                        errExit("asprintf");
@@ -515,19 +525,19 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
        }
        else if (strncmp(argv[i], "--caps.print=", 13) == 0) {
                // join sandbox by pid or by name
-                pid_t pid = read_pid(argv[i] + 13);
+                pid_t pid = require_pid(argv[i] + 13);
                caps_print_filter(pid);
                exit(0);
        }
        else if (strncmp(argv[i], "--fs.print=", 11) == 0) {
                // join sandbox by pid or by name
-                pid_t pid = read_pid(argv[i] + 11);
+                pid_t pid = require_pid(argv[i] + 11);
                fs_logger_print_log(pid);
                exit(0);
        }
        else if (strncmp(argv[i], "--dns.print=", 12) == 0) {
                // join sandbox by pid or by name
-                pid_t pid = read_pid(argv[i] + 12);
+                pid_t pid = require_pid(argv[i] + 12);
                net_dns_print(pid);
                exit(0);
        }
@@ -592,7 +602,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                         }
                        // get file
-                        pid_t pid = read_pid(argv[i] + 6);
+                        pid_t pid = require_pid(argv[i] + 6);
                        sandboxfs(SANDBOX_FS_GET, pid, path, NULL);
                        exit(0);
                }
@@ -622,7 +632,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                         }
                        // get file
-                        pid_t pid = read_pid(argv[i] + 6);
+                        pid_t pid = require_pid(argv[i] + 6);
                        sandboxfs(SANDBOX_FS_PUT, pid, path1, path2);
                        exit(0);
                }
@@ -646,7 +656,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                         }
                        // list directory contents
-                        pid_t pid = read_pid(argv[i] + 5);
+                        pid_t pid = require_pid(argv[i] + 5);
                        sandboxfs(SANDBOX_FS_LS, pid, path, NULL);
                        exit(0);
                }
@@ -670,7 +680,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                                cfg.shell = guess_shell();
                        // join sandbox by pid or by name
-                        pid_t pid = read_pid(argv[i] + 7);
+                        pid_t pid = require_pid(argv[i] + 7);
                        join(pid, argc, argv, i + 1);
                        exit(0);
                }
@@ -718,7 +728,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                                cfg.shell = guess_shell();
                        // join sandbox by pid or by name
-                        pid_t pid = read_pid(argv[i] + 15);
+                        pid_t pid = require_pid(argv[i] + 15);
                        join(pid, argc, argv, i + 1);
                }
                else
@@ -738,7 +748,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                        cfg.shell = guess_shell();
                // join sandbox by pid or by name
-                pid_t pid = read_pid(argv[i] + 18);
+                pid_t pid = require_pid(argv[i] + 18);
                join(pid, argc, argv, i + 1);
                exit(0);
        }
@@ -746,7 +756,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                logargs(argc, argv);
                // shutdown sandbox by pid or by name
-                pid_t pid = read_pid(argv[i] + 11);
+                pid_t pid = require_pid(argv[i] + 11);
                shut(pid);
                exit(0);
        }
author	Antonio Russo <antonio.e.russo@gmail.com>	2018-04-23 02:04:20 -0400
committer	Antonio Russo <antonio.e.russo@gmail.com>	2018-04-23 02:28:33 -0400
commit	926e8e954cce812ea0218acaef421a9e29c65e0d (patch)
tree	b06af39ea58c626b521c4ff51a2f0938d546dba5 /src
parent	Merge pull request #1904 from glitsj16/firefox (diff)
download	firejail-926e8e954cce812ea0218acaef421a9e29c65e0d.tar.gz firejail-926e8e954cce812ea0218acaef421a9e29c65e0d.tar.zst firejail-926e8e954cce812ea0218acaef421a9e29c65e0d.zip

diff --git a/src/firejail/main.c b/src/firejail/main.c index 909b5441e..017c6c843 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -161,37 +161,47 @@ static void my_handler(int s){
161	myexit(1);	161	myexit(1);
162	}	162	}
163		163
164	static pid_t extract_pid(const char *name) {	164	// return 1 if error, 0 if a valid pid was found
		165	static int extract_pid(const char name, pid_t pid) {
		166	int retval = 0;
165	EUID_ASSERT();	167	EUID_ASSERT();
166	if (!name \|\| strlen(name) == 0) {	168	if (!name \|\| strlen(name) == 0) {
167	fprintf(stderr, "Error: invalid sandbox name\n");	169	fprintf(stderr, "Error: invalid sandbox name\n");
168	exit(1);	170	exit(1);
169	}	171	}
170		172
171	pid_t pid;
172	EUID_ROOT();	173	EUID_ROOT();
173	if (name2pid(name, &pid)) {	174	if (name2pid(name, pid)) {
174	fprintf(stderr, "Error: cannot find sandbox %s\n", name);	175	retval = 1;
175	exit(1);
176	}	176	}
177	EUID_USER();	177	EUID_USER();
178	return pid;	178	return retval;
179	}	179	}
180		180
181		181	// return 1 if error, 0 if a valid pid was found
182	static pid_t read_pid(const char *str) {	182	static int read_pid(const char name, pid_t pid) {
183	char *endptr;	183	char *endptr;
184	errno = 0;	184	errno = 0;
185	long int pidtmp = strtol(str, &endptr, 10);	185	long int pidtmp = strtol(name, &endptr, 10);
186	if ((errno == ERANGE && (pidtmp == LONG_MAX \|\| pidtmp == LONG_MIN))	186	if ((errno == ERANGE && (pidtmp == LONG_MAX \|\| pidtmp == LONG_MIN))
187	\|\| (errno != 0 && pidtmp == 0)) {	187	\|\| (errno != 0 && pidtmp == 0)) {
188	return extract_pid(str);	188	return extract_pid(name,pid);
189	}	189	}
190	// endptr points to '\0' char in str if the entire string is valid	190	// endptr points to '\0' char in name if the entire string is valid
191	if (endptr == NULL \|\| endptr[0]!='\0') {	191	if (endptr == NULL \|\| endptr[0]!='\0') {
192	return extract_pid(str);	192	return extract_pid(name,pid);
193	}	193	}
194	return (pid_t)pidtmp;	194	*pid =(pid_t)pidtmp;
		195	return 0;
		196	}
		197
		198	static pid_t require_pid(const char *name) {
		199	pid_t pid;
		200	if (read_pid(name,&pid)) {
		201	fprintf(stderr, "Error: cannot find sandbox %s\n", name);
		202	exit(1);
		203	}
		204	return pid;
195	}	205	}
196		206
197	// init configuration	207	// init configuration
@@ -411,7 +421,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
411	}	421	}
412		422
413	// extract pid or sandbox name	423	// extract pid or sandbox name
414	pid_t pid = read_pid(argv[i] + 12);	424	pid_t pid = require_pid(argv[i] + 12);
415	bandwidth_pid(pid, cmd, dev, down, up);	425	bandwidth_pid(pid, cmd, dev, down, up);
416	}	426	}
417	else	427	else
@@ -420,13 +430,13 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
420	}	430	}
421	else if (strncmp(argv[i], "--netfilter.print=", 18) == 0) {	431	else if (strncmp(argv[i], "--netfilter.print=", 18) == 0) {
422	// extract pid or sandbox name	432	// extract pid or sandbox name
423	pid_t pid = read_pid(argv[i] + 18);	433	pid_t pid = require_pid(argv[i] + 18);
424	netfilter_print(pid, 0);	434	netfilter_print(pid, 0);
425	exit(0);	435	exit(0);
426	}	436	}
427	else if (strncmp(argv[i], "--netfilter6.print=", 19) == 0) {	437	else if (strncmp(argv[i], "--netfilter6.print=", 19) == 0) {
428	// extract pid or sandbox name	438	// extract pid or sandbox name
429	pid_t pid = read_pid(argv[i] + 19);	439	pid_t pid = require_pid(argv[i] + 19);
430	netfilter_print(pid, 1);	440	netfilter_print(pid, 1);
431	exit(0);	441	exit(0);
432	}	442	}
@@ -455,7 +465,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
455	else if (strncmp(argv[i], "--seccomp.print=", 16) == 0) {	465	else if (strncmp(argv[i], "--seccomp.print=", 16) == 0) {
456	if (checkcfg(CFG_SECCOMP)) {	466	if (checkcfg(CFG_SECCOMP)) {
457	// print seccomp filter for a sandbox specified by pid or by name	467	// print seccomp filter for a sandbox specified by pid or by name
458	pid_t pid = read_pid(argv[i] + 16);	468	pid_t pid = require_pid(argv[i] + 16);
459	seccomp_print_filter(pid);	469	seccomp_print_filter(pid);
460	}	470	}
461	else	471	else
@@ -469,7 +479,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
469	else if (strncmp(argv[i], "--protocol.print=", 17) == 0) {	479	else if (strncmp(argv[i], "--protocol.print=", 17) == 0) {
470	if (checkcfg(CFG_SECCOMP)) {	480	if (checkcfg(CFG_SECCOMP)) {
471	// print seccomp filter for a sandbox specified by pid or by name	481	// print seccomp filter for a sandbox specified by pid or by name
472	pid_t pid = read_pid(argv[i] + 17);	482	pid_t pid = require_pid(argv[i] + 17);
473	protocol_print_filter(pid);	483	protocol_print_filter(pid);
474	}	484	}
475	else	485	else
@@ -478,7 +488,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
478	}	488	}
479	#endif	489	#endif
480	else if (strncmp(argv[i], "--profile.print=", 16) == 0) {	490	else if (strncmp(argv[i], "--profile.print=", 16) == 0) {
481	pid_t pid = read_pid(argv[i] + 16);	491	pid_t pid = require_pid(argv[i] + 16);
482		492
483	// print /run/firejail/profile/<PID> file	493	// print /run/firejail/profile/<PID> file
484	char *fname;	494	char *fname;
@@ -499,13 +509,13 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
499	}	509	}
500	else if (strncmp(argv[i], "--cpu.print=", 12) == 0) {	510	else if (strncmp(argv[i], "--cpu.print=", 12) == 0) {
501	// join sandbox by pid or by name	511	// join sandbox by pid or by name
502	pid_t pid = read_pid(argv[i] + 12);	512	pid_t pid = require_pid(argv[i] + 12);
503	cpu_print_filter(pid);	513	cpu_print_filter(pid);
504	exit(0);	514	exit(0);
505	}	515	}
506	else if (strncmp(argv[i], "--apparmor.print=", 12) == 0) {	516	else if (strncmp(argv[i], "--apparmor.print=", 12) == 0) {
507	// join sandbox by pid or by name	517	// join sandbox by pid or by name
508	pid_t pid = read_pid(argv[i] + 17);	518	pid_t pid = require_pid(argv[i] + 17);
509	char *pidstr;	519	char *pidstr;
510	if (asprintf(&pidstr, "%u", pid) == -1)	520	if (asprintf(&pidstr, "%u", pid) == -1)
511	errExit("asprintf");	521	errExit("asprintf");
@@ -515,19 +525,19 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
515	}	525	}
516	else if (strncmp(argv[i], "--caps.print=", 13) == 0) {	526	else if (strncmp(argv[i], "--caps.print=", 13) == 0) {
517	// join sandbox by pid or by name	527	// join sandbox by pid or by name
518	pid_t pid = read_pid(argv[i] + 13);	528	pid_t pid = require_pid(argv[i] + 13);
519	caps_print_filter(pid);	529	caps_print_filter(pid);
520	exit(0);	530	exit(0);
521	}	531	}
522	else if (strncmp(argv[i], "--fs.print=", 11) == 0) {	532	else if (strncmp(argv[i], "--fs.print=", 11) == 0) {
523	// join sandbox by pid or by name	533	// join sandbox by pid or by name
524	pid_t pid = read_pid(argv[i] + 11);	534	pid_t pid = require_pid(argv[i] + 11);
525	fs_logger_print_log(pid);	535	fs_logger_print_log(pid);
526	exit(0);	536	exit(0);
527	}	537	}
528	else if (strncmp(argv[i], "--dns.print=", 12) == 0) {	538	else if (strncmp(argv[i], "--dns.print=", 12) == 0) {
529	// join sandbox by pid or by name	539	// join sandbox by pid or by name
530	pid_t pid = read_pid(argv[i] + 12);	540	pid_t pid = require_pid(argv[i] + 12);
531	net_dns_print(pid);	541	net_dns_print(pid);
532	exit(0);	542	exit(0);
533	}	543	}
@@ -592,7 +602,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
592	}	602	}
593		603
594	// get file	604	// get file
595	pid_t pid = read_pid(argv[i] + 6);	605	pid_t pid = require_pid(argv[i] + 6);
596	sandboxfs(SANDBOX_FS_GET, pid, path, NULL);	606	sandboxfs(SANDBOX_FS_GET, pid, path, NULL);
597	exit(0);	607	exit(0);
598	}	608	}
@@ -622,7 +632,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
622	}	632	}
623		633
624	// get file	634	// get file
625	pid_t pid = read_pid(argv[i] + 6);	635	pid_t pid = require_pid(argv[i] + 6);
626	sandboxfs(SANDBOX_FS_PUT, pid, path1, path2);	636	sandboxfs(SANDBOX_FS_PUT, pid, path1, path2);
627	exit(0);	637	exit(0);
628	}	638	}
@@ -646,7 +656,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
646	}	656	}
647		657
648	// list directory contents	658	// list directory contents
649	pid_t pid = read_pid(argv[i] + 5);	659	pid_t pid = require_pid(argv[i] + 5);
650	sandboxfs(SANDBOX_FS_LS, pid, path, NULL);	660	sandboxfs(SANDBOX_FS_LS, pid, path, NULL);
651	exit(0);	661	exit(0);
652	}	662	}
@@ -670,7 +680,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
670	cfg.shell = guess_shell();	680	cfg.shell = guess_shell();
671		681
672	// join sandbox by pid or by name	682	// join sandbox by pid or by name
673	pid_t pid = read_pid(argv[i] + 7);	683	pid_t pid = require_pid(argv[i] + 7);
674	join(pid, argc, argv, i + 1);	684	join(pid, argc, argv, i + 1);
675	exit(0);	685	exit(0);
676	}	686	}
@@ -718,7 +728,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
718	cfg.shell = guess_shell();	728	cfg.shell = guess_shell();
719		729
720	// join sandbox by pid or by name	730	// join sandbox by pid or by name
721	pid_t pid = read_pid(argv[i] + 15);	731	pid_t pid = require_pid(argv[i] + 15);
722	join(pid, argc, argv, i + 1);	732	join(pid, argc, argv, i + 1);
723	}	733	}
724	else	734	else
@@ -738,7 +748,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
738	cfg.shell = guess_shell();	748	cfg.shell = guess_shell();
739		749
740	// join sandbox by pid or by name	750	// join sandbox by pid or by name
741	pid_t pid = read_pid(argv[i] + 18);	751	pid_t pid = require_pid(argv[i] + 18);
742	join(pid, argc, argv, i + 1);	752	join(pid, argc, argv, i + 1);
743	exit(0);	753	exit(0);
744	}	754	}
@@ -746,7 +756,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
746	logargs(argc, argv);	756	logargs(argc, argv);
747		757
748	// shutdown sandbox by pid or by name	758	// shutdown sandbox by pid or by name
749	pid_t pid = read_pid(argv[i] + 11);	759	pid_t pid = require_pid(argv[i] + 11);
750	shut(pid);	760	shut(pid);
751	exit(0);	761	exit(0);
752	}	762	}