Merge pull request #3093 from smitsohu/join

add join timeout and make it configurable

10 files changed, 117 insertions, 183 deletions

diff --git a/src/firejail/caps.c b/src/firejail/caps.c
index 71dd9430b..738675766 100644
--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -404,21 +404,8 @@ void caps_print_filter(pid_t pid) {
         // in case the pid is that of a firejail process, use the pid of the first child process
         pid = switch_to_child(pid);
 
-        // now check if the pid belongs to a firejail sandbox
-        if (invalid_sandbox(pid)) {
-                fprintf(stderr, "Error: no valid sandbox\n");
-                exit(1);
-        }
-
-        // check privileges for non-root users
-        uid_t uid = getuid();
-        if (uid != 0) {
-                uid_t sandbox_uid = pid_get_uid(pid);
-                if (uid != sandbox_uid) {
-                        fprintf(stderr, "Error: permission denied.\n");
-                        exit(1);
-                }
-        }
+        // exit if no permission to join the sandbox
+        check_join_permission(pid);
 
         uint64_t caps = extract_caps(pid);
         int i;
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index f94b95d60..d6b591133 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -31,6 +31,7 @@ char *xpra_extra_params = "";
 char *xvfb_screen = "800x600x24";
 char *xvfb_extra_params = "";
 char *netfilter_default = NULL;
+unsigned long join_timeout = 5000000; // microseconds
 
 int checkcfg(int val) {
         assert(val < CFG_MAX);
@@ -213,6 +214,11 @@ int checkcfg(int val) {
                                 if (setenv("FIREJAIL_FILE_COPY_LIMIT", ptr + 16, 1) == -1)
                                         errExit("setenv");
                         }
+
+                        // timeout for join option
+                        else if (strncmp(ptr, "join-timeout ", 13) == 0)
+                                join_timeout = strtoul(ptr + 13, NULL, 10) * 1000000; // seconds to microseconds
+
                         else
                                 goto errout;
 
diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c
index 7a0807257..702186eaf 100644
--- a/src/firejail/cpu.c
+++ b/src/firejail/cpu.c
@@ -170,13 +170,11 @@ void cpu_print_filter(pid_t pid) {
         pid = switch_to_child(pid);
 
         // now check if the pid belongs to a firejail sandbox
-        if (invalid_sandbox(pid)) {
+        if (is_ready_for_join(pid) == false) {
                 fprintf(stderr, "Error: no valid sandbox\n");
                 exit(1);
         }
 
-
-
         print_cpu(pid);
         exit(0);
 }
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index fdbeb4691..03bcbda46 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -426,6 +426,8 @@ void usage(void);
 
 // join.c
 void join(pid_t pid, int argc, char **argv, int index);
+bool is_ready_for_join(const pid_t pid);
+void check_join_permission(pid_t pid);
 pid_t switch_to_child(pid_t pid);
 
 // shutdown.c
@@ -491,7 +493,6 @@ unsigned extract_timeout(const char *str);
 void disable_file_or_dir(const char *fname);
 void disable_file_path(const char *path, const char *file);
 int safe_fd(const char *path, int flags);
-int invalid_sandbox(const pid_t pid);
 int has_handler(pid_t pid, int signal);
 void enter_network_namespace(pid_t pid);
 
@@ -737,6 +738,7 @@ extern char *xpra_extra_params;
 extern char *xvfb_screen;
 extern char *xvfb_extra_params;
 extern char *netfilter_default;
+extern unsigned long join_timeout;
 int checkcfg(int val);
 void print_compiletime_support(void);
 
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 46dae0271..1494c782f 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -255,32 +255,114 @@ static void extract_umask(pid_t pid) {
         fclose(fp);
 }
 
+// return false if the sandbox identified by pid is not fully set up yet or if
+// it is no firejail sandbox at all, return true if the sandbox is complete
+bool is_ready_for_join(const pid_t pid) {
+        EUID_ASSERT();
+        // check if a file "ready-for-join" exists
+        char *fname;
+        if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_READY_FOR_JOIN) == -1)
+                errExit("asprintf");
+        EUID_ROOT();
+        FILE *fp = fopen(fname, "re");
+        EUID_USER();
+        free(fname);
+        if (!fp)
+                return false;
+        // regular file owned by root
+        int fd = fileno(fp);
+        if (fd == -1)
+                errExit("fileno");
+        struct stat s;
+        if (fstat(fd, &s) == -1)
+                errExit("fstat");
+        if (!S_ISREG(s.st_mode) || s.st_uid != 0) {
+                fclose(fp);
+                return false;
+        }
+        // check if it is non-empty
+        char buf[BUFLEN];
+        if (fgets(buf, BUFLEN, fp) == NULL) {
+                fclose(fp);
+                return false;
+        }
+        fclose(fp);
+        // confirm "ready" string was written
+        if (strcmp(buf, "ready\n") != 0)
+                return false;
+
+        // walk down the process tree a few nodes, there should be no firejail leaf
+#define MAXNODES 5
+        pid_t current = pid, next;
+        int i;
+        for (i = 0; i < MAXNODES; i++) {
+                if (find_child(current, &next) == 1) {
+                        // found a leaf
+                        EUID_ROOT();
+                        char *comm = pid_proc_comm(current);
+                        EUID_USER();
+                        if (!comm) {
+                                fprintf(stderr, "Error: cannot read /proc file\n");
+                                exit(1);
+                        }
+                        if (strcmp(comm, "firejail") == 0) {
+                                free(comm);
+                                return false;
+                        }
+                        free(comm);
+                        break;
+                }
+                current = next;
+        }
+
+        return true;
+}
+
+#define SNOOZE 100000 // sleep interval in microseconds
+void check_join_permission(pid_t pid) {
+        // check if pid belongs to a fully set up firejail sandbox
+        unsigned long i;
+        for (i = 0; is_ready_for_join(pid) == false; i += SNOOZE) { // give sandbox some time to start up
+                if (i >= join_timeout) {
+                        fprintf(stderr, "Error: no valid sandbox\n");
+                        exit(1);
+                }
+                usleep(SNOOZE);
+        }
+        // check privileges for non-root users
+        uid_t uid = getuid();
+        if (uid != 0) {
+                uid_t sandbox_uid = pid_get_uid(pid);
+                if (uid != sandbox_uid) {
+                        fprintf(stderr, "Error: permission is denied to join a sandbox created by a different user.\n");
+                        exit(1);
+                }
+        }
+}
+
 pid_t switch_to_child(pid_t pid) {
+        EUID_ASSERT();
         EUID_ROOT();
+        pid_t rv = pid;
         errno = 0;
         char *comm = pid_proc_comm(pid);
         if (!comm) {
-                if (errno == ENOENT) {
+                if (errno == ENOENT)
                         fprintf(stderr, "Error: cannot find process with pid %d\n", pid);
-                        exit(1);
-                }
-                else {
+                else
                         fprintf(stderr, "Error: cannot read /proc file\n");
-                        exit(1);
-                }
+                exit(1);
         }
         EUID_USER();
         if (strcmp(comm, "firejail") == 0) {
-                pid_t child;
-                if (find_child(pid, &child) == 1) {
+                if (find_child(pid, &rv) == 1) {
                         fprintf(stderr, "Error: no valid sandbox\n");
                         exit(1);
                 }
-                fmessage("Switching to pid %u, the first child process inside the sandbox\n", (unsigned) child);
-                pid = child;
+                fmessage("Switching to pid %u, the first child process inside the sandbox\n", (unsigned) rv);
         }
         free(comm);
-        return pid;
+        return rv;
 }
 
 
@@ -292,21 +374,8 @@ void join(pid_t pid, int argc, char **argv, int index) {
         // in case the pid is that of a firejail process, use the pid of the first child process
         pid = switch_to_child(pid);
 
-        // now check if the pid belongs to a firejail sandbox
-        if (invalid_sandbox(pid)) {
-                fprintf(stderr, "Error: no valid sandbox\n");
-                exit(1);
-        }
-
-        // check privileges for non-root users
-        uid_t uid = getuid();
-        if (uid != 0) {
-                uid_t sandbox_uid = pid_get_uid(pid);
-                if (uid != sandbox_uid) {
-                        fprintf(stderr, "Error: permission is denied to join a sandbox created by a different user.\n");
-                        exit(1);
-                }
-        }
+        // exit if no permission to join the sandbox
+        check_join_permission(pid);
 
         extract_x11_display(parent);
 
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index 08cf5f16a..75333fdc2 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -215,21 +215,8 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
         // in case the pid is that of a firejail process, use the pid of the first child process
         pid = switch_to_child(pid);
 
-        // now check if the pid belongs to a firejail sandbox
-        if (invalid_sandbox(pid)) {
-                fprintf(stderr, "Error: no valid sandbox\n");
-                exit(1);
-        }
-
-        // check privileges for non-root users
-        uid_t uid = getuid();
-        if (uid != 0) {
-                uid_t sandbox_uid = pid_get_uid(pid);
-                if (uid != sandbox_uid) {
-                        fprintf(stderr, "Error: permission denied.\n");
-                        exit(1);
-                }
-        }
+        // exit if no permission to join the sandbox
+        check_join_permission(pid);
 
         // expand paths
         char *fname1 = expand_path(path1);;
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c
index 6a199469a..6800bde8d 100644
--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -272,21 +272,8 @@ void net_dns_print(pid_t pid) {
         // in case the pid is that of a firejail process, use the pid of the first child process
         pid = switch_to_child(pid);
 
-        // now check if the pid belongs to a firejail sandbox
-        if (invalid_sandbox(pid)) {
-                fprintf(stderr, "Error: no valid sandbox\n");
-                exit(1);
-        }
-
-        // check privileges for non-root users
-        uid_t uid = getuid();
-        if (uid != 0) {
-                uid_t sandbox_uid = pid_get_uid(pid);
-                if (uid != sandbox_uid) {
-                        fprintf(stderr, "Error: permission denied.\n");
-                        exit(1);
-                }
-        }
+        // exit if no permission to join the sandbox
+        check_join_permission(pid);
 
         EUID_ROOT();
         if (join_namespace(pid, "mnt"))
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c
index 72d29c671..d3a9e0153 100644
--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -67,21 +67,8 @@ void protocol_print_filter(pid_t pid) {
         // in case the pid is that of a firejail process, use the pid of the first child process
         pid = switch_to_child(pid);
 
-        // now check if the pid belongs to a firejail sandbox
-        if (invalid_sandbox(pid)) {
-                fprintf(stderr, "Error: no valid sandbox\n");
-                exit(1);
-        }
-
-        // check privileges for non-root users
-        uid_t uid = getuid();
-        if (uid != 0) {
-                uid_t sandbox_uid = pid_get_uid(pid);
-                if (uid != sandbox_uid) {
-                        fprintf(stderr, "Error: permission denied.\n");
-                        exit(1);
-                }
-        }
+        // exit if no permission to join the sandbox
+        check_join_permission(pid);
 
         // find the seccomp filter
         EUID_ROOT();
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 609ebb7be..648ce1612 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -332,21 +332,8 @@ void seccomp_print_filter(pid_t pid) {
         // in case the pid is that of a firejail process, use the pid of the first child process
         pid = switch_to_child(pid);
 
-        // now check if the pid belongs to a firejail sandbox
-        if (invalid_sandbox(pid)) {
-                fprintf(stderr, "Error: no valid sandbox\n");
-                exit(1);
-        }
-
-        // check privileges for non-root users
-        uid_t uid = getuid();
-        if (uid != 0) {
-                uid_t sandbox_uid = pid_get_uid(pid);
-                if (uid != sandbox_uid) {
-                        fprintf(stderr, "Error: permission denied.\n");
-                        exit(1);
-                }
-        }
+        // exit if no permission to join the sandbox
+        check_join_permission(pid);
 
         // find the seccomp list file
         EUID_ROOT();
diff --git a/src/firejail/util.c b/src/firejail/util.c
index dd70d68a9..18d121ca9 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1200,69 +1200,6 @@ errexit:
         exit(1);
 }
 
-
-// return 1 if the sandbox identified by pid is not fully set up yet or if
-// it is no firejail sandbox at all, return 0 if the sandbox is complete
-int invalid_sandbox(const pid_t pid) {
-        // check if a file "ready-for-join" exists
-        char *fname;
-        if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_READY_FOR_JOIN) == -1)
-                errExit("asprintf");
-        EUID_ROOT();
-        FILE *fp = fopen(fname, "re");
-        EUID_USER();
-        free(fname);
-        if (!fp)
-                return 1;
-        // regular file owned by root
-        int fd = fileno(fp);
-        if (fd == -1)
-                errExit("fileno");
-        struct stat s;
-        if (fstat(fd, &s) == -1)
-                errExit("fstat");
-        if (!S_ISREG(s.st_mode) || s.st_uid != 0) {
-                fclose(fp);
-                return 1;
-        }
-        // check if it is non-empty
-        char buf[BUFLEN];
-        if (fgets(buf, BUFLEN, fp) == NULL) {
-                fclose(fp);
-                return 1;
-        }
-        fclose(fp);
-        // confirm "ready" string was written
-        if (strncmp(buf, "ready\n", 6) != 0)
-                return 1;
-
-        // walk down the process tree a few nodes, there should be no firejail leaf
-#define MAXNODES 5
-        pid_t current = pid, next;
-        int i;
-        for (i = 0; i < MAXNODES; i++) {
-                if (find_child(current, &next) == 1) {
-                        // found a leaf
-                        EUID_ROOT();
-                        char *comm = pid_proc_comm(current);
-                        EUID_USER();
-                        if (!comm) {
-                                fprintf(stderr, "Error: cannot read /proc file\n");
-                                exit(1);
-                        }
-                        if (strcmp(comm, "firejail") == 0) {
-                                free(comm);
-                                return 1;
-                        }
-                        free(comm);
-                        break;
-                }
-                current = next;
-        }
-
-        return 0;
-}
-
 int has_handler(pid_t pid, int signal) {
         if (signal > 0 && signal <= SIGRTMAX) {
                 char *fname;
@@ -1297,21 +1234,8 @@ void enter_network_namespace(pid_t pid) {
         // in case the pid is that of a firejail process, use the pid of the first child process
         pid_t child = switch_to_child(pid);
 
-        // now check if the pid belongs to a firejail sandbox
-        if (invalid_sandbox(child)) {
-                fprintf(stderr, "Error: no valid sandbox\n");
-                exit(1);
-        }
-
-        // check privileges for non-root users
-        uid_t uid = getuid();
-        if (uid != 0) {
-                uid_t sandbox_uid = pid_get_uid(pid);
-                if (uid != sandbox_uid) {
-                        fprintf(stderr, "Error: permission is denied to join a sandbox created by a different user.\n");
-                        exit(1);
-                }
-        }
+        // exit if no permission to join the sandbox
+        check_join_permission(child);
 
         // check network namespace
         char *name;