author | smitsohu <smitsohu@gmail.com> | 2022-01-17 14:10:51 +0100 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2022-01-17 14:11:43 +0100 |
commit | 397a9080ea9b74aac9a03f9b5e740b966474ff09 (patch) | |
tree | 15c6cffa6b243a4be90dd7d4341b72f119794a56 /src | |
parent | some hardening (diff) | |
keep-fd cleanup
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/sandbox.c | 45 |
1 files changed, 20 insertions, 25 deletions
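--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -399,28 +399,11 @@ static int monitor_application(pid_t app_pid) {
 return arg_deterministic_exit_code ? app_status : status;
 }
 
-
 static void print_time(void) {
 float delta = timetrace_end();
 fmessage("Child process initialized in %.02f ms\n", delta);
 }
 
-
-int *build_keep_fd_array(size_t *sz) {
-if (!cfg.keep_fd) {
-*sz = 0;
-return NULL;
-}
-
-int *rv = str_to_int_array(cfg.keep_fd, sz);
-if (!rv) {
-fprintf(stderr, "Error: invalid keep-fd option\n");
-exit(1);
-}
-return rv;
-}
-
-
 // check execute permissions for the program
 // this is done typically by the shell
 // we are here because of --shell=none
@@ -477,17 +460,29 @@ static int ok_to_run(const char *program) {
 return 0;
 }
 
+static void close_file_descriptors(void) {
+if (arg_keep_fd_all)
+return;
+
+if (!cfg.keep_fd) {
+close_all(NULL, 0);
+return;
+}
+
+size_t sz = 0;
+int *keep = str_to_int_array(cfg.keep_fd, &sz);
+if (!keep) {
+fprintf(stderr, "Error: invalid keep-fd option\n");
+exit(1);
+}
+close_all(keep, sz);
+free(keep);
+}
+
 
 void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
 if (no_sandbox == 0) {
-// don't leak open file descriptors
-if (!arg_keep_fd_all) {
-size_t sz;
-int *keep = build_keep_fd_array(&sz);
-close_all(keep, sz);
-if (keep)
-free(keep);
-}
+close_file_descriptors();
 
 // set nice and rlimits
 if (arg_nice)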
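Review bot: `close_file_descriptors()` (new lines 463-480) has no comment, and the commit drops the only one, `// don't leak open file descriptors`, that said why descriptors are closed before the program is started. Put something like `// close inherited descriptors so they don't leak into the sandboxed program; keep only those listed in keep-fd` above the function, and note next to the `arg_keep_fd_all` early return that in that case nothing is closed at all. The `invalid keep-fd option` check still runs only at this late point; whether `str_to_int_array()` rejects negative or out-of-range values is not visible in this diff and is worth confirming, since the result goes straight to `close_all()`. `start_application()` continues past the end of the hunk.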