author | netblue30 <netblue30@yahoo.com> | 2015-10-19 14:46:24 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2015-10-19 14:46:24 -0400 |
commit | 0021c29f7f25a5020091182c690407a753f933e4 (patch) | |
tree | 3f3eb4172c96cc6f92ddfa636053d19c7e55f1ab /src | |
parent | testing (diff) | |
fixed join/shutdown problem, moving browsers and mail clients to a --shell=none default in profile files
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/caps.c | 11 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/join.c | 9 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 11 | ||||
-rw-r--r-- | src/firejail/shutdown.c | 9 | ||||
-rw-r--r-- | src/firejail/util.c | 43 | ||||
-rw-r--r-- | src/lib/pid.c | 4 |
7 files changed, 56 insertions, 32 deletions
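--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -427,14 +427,9 @@ void caps_print_filter(pid_t pid) {
 	// check privileges for non-root users
 	uid_t uid = getuid();
 	if (uid != 0) {
-		struct stat s;
-		char *dir;
-		if (asprintf(&dir, "/proc/%u/ns", pid) == -1)
-			errExit("asprintf");
-		if (stat(dir, &s) < 0)
-			errExit("stat");
-		if (s.st_uid != uid) {
-			printf("Error: permission denied.\n");
+		uid_t sandbox_uid = pid_get_uid(pid);
+		if (uid != sandbox_uid) {
+			fprintf(stderr, "Error: permission denied.\n");
 			exit(1);
 		}
 	}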
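Review bot: The owner check now keys on the real uid parsed from /proc/<pid>/status instead of the owner of /proc/<pid>/ns, and the hunk does not say why; a comment such as `// sandbox owner = real uid of the sandbox process (first field of its Uid: line), not the owner of /proc/<pid>` would record that this is intended for a setuid-root firejail parent whose real uid is the invoking user, presumably the join/shutdown problem the commit message names. The same five lines are pasted into seccomp_print_filter, join and shut (the seccomp.c, join.c and shutdown.c hunks) with three different messages, where the old stat()-based copies had already drifted (printf here, fprintf(stderr) in join.c); a helper next to pid_get_uid in util.c taking the pid and the message would keep them in step. Because pid_get_uid in the util.c hunk exits with its own "cannot read /proc file" message when the parsed uid is 0, a non-root user naming a root-owned sandbox never reaches the "permission denied" line of this hunk. caps_print_filter starts and ends outside the hunk.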
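--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -295,6 +295,7 @@ void wait_for_other(int fd);
 void notify_other(int fd);
 char *expand_home(const char *path, const char* homedir);
 const char *gnu_basename(const char *path);
+uid_t pid_get_uid(pid_t pid);
 
 // fs_var.c
 void fs_var_log(void);	// mounting /var/log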
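--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -215,13 +215,8 @@ void join(pid_t pid, const char *homedir, int argc, char **argv, int index) {
 	// check privileges for non-root users
 	uid_t uid = getuid();
 	if (uid != 0) {
-		struct stat s;
-		char *dir;
-		if (asprintf(&dir, "/proc/%u/ns", pid) == -1)
-			errExit("asprintf");
-		if (stat(dir, &s) < 0)
-			errExit("stat");
-		if (s.st_uid != uid) {
+		uid_t sandbox_uid = pid_get_uid(pid);
+		if (uid != sandbox_uid) {
 			fprintf(stderr, "Error: permission is denied to join a sandbox created by a different user.\n");
 			exit(1);
 		}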
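--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -783,14 +783,9 @@ void seccomp_print_filter(pid_t pid) {
 	// check privileges for non-root users
 	uid_t uid = getuid();
 	if (uid != 0) {
-		struct stat s;
-		char *dir;
-		if (asprintf(&dir, "/proc/%u/ns", pid) == -1)
-			errExit("asprintf");
-		if (stat(dir, &s) < 0)
-			errExit("stat");
-		if (s.st_uid != uid) {
-			printf("Error: permission denied.\n");
+		uid_t sandbox_uid = pid_get_uid(pid);
+		if (uid != sandbox_uid) {
+			fprintf(stderr, "Error: permission denied.\n");
 			exit(1);
 		}
 	}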
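--- a/src/firejail/shutdown.c
+++ b/src/firejail/shutdown.c
@@ -60,13 +60,8 @@ void shut(pid_t pid) {
 	// check privileges for non-root users
 	uid_t uid = getuid();
 	if (uid != 0) {
-		struct stat s;
-		char *dir;
-		if (asprintf(&dir, "/proc/%u/ns", pid) == -1)
-			errExit("asprintf");
-		if (stat(dir, &s) < 0)
-			errExit("stat");
-		if (s.st_uid != uid) {
+		uid_t sandbox_uid = pid_get_uid(pid);
+		if (uid != sandbox_uid) {
 			fprintf(stderr, "Error: permission is denied to shutdown a sandbox created by a different user.\n");
 			exit(1);
 		}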
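--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -492,3 +492,46 @@ const char *gnu_basename(const char *path)
 		return path;
 	return last_slash+1;
 }
+
+uid_t pid_get_uid(pid_t pid) {
+	uid_t rv = 0;
+
+	// open status file
+	char *file;
+	if (asprintf(&file, "/proc/%u/status", pid) == -1) {
+		perror("asprintf");
+		exit(1);
+	}
+	FILE *fp = fopen(file, "r");
+	if (!fp) {
+		free(file);
+		fprintf(stderr, "Error: cannot open /proc file\n");
+		exit(1);
+	}
+
+	// extract uid
+	static const int PIDS_BUFLEN = 1024;
+	char buf[PIDS_BUFLEN];
+	while (fgets(buf, PIDS_BUFLEN - 1, fp)) {
+		if (strncmp(buf, "Uid:", 4) == 0) {
+			char *ptr = buf + 5;
+			while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) {
+				ptr++;
+			}
+			if (*ptr == '\0')
+				break;
+
+			rv = atoi(ptr);
+			break; // break regardless!
+		}
+	}
+
+	fclose(fp);
+	free(file);
+
+	if (rv == 0) {
+		fprintf(stderr, "Error: cannot read /proc file\n");
+		exit(1);
+	}
+	return rv;
+}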
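Review bot: pid_get_uid treats a parsed uid of 0 as a read failure (`if (rv == 0)` near the end), so a root-owned process and a missing or unparsable Uid: line are indistinguishable and both exit with "cannot read /proc file"; since every caller in this commit runs the check only for non-root users, a root-owned sandbox is rejected with the wrong message. Tracking "found" separately from the value also lets atoi give way to strtoul with an end-pointer check, and `buf + 5` is better written `buf + 4` so that the whitespace loop rather than a fixed offset skips the separator (a final line of exactly "Uid:" with no newline would make the current offset step past the terminator). strtoul/errno need <stdlib.h> and <errno.h>, which the hunk does not show. The copy of this function in src/lib/pid.c (last section) has the same parse but returns 0 instead of exiting; once the failure semantics are settled one could call the other instead of carrying two versions.
```c
uid_t pid_get_uid(pid_t pid) {
	uid_t rv = 0;
	int found = 0;	// set only when a Uid: line parsed cleanly; uid 0 is a valid answer
	// … unchanged: asprintf/fopen of /proc/<pid>/status …
	while (fgets(buf, PIDS_BUFLEN - 1, fp)) {
		if (strncmp(buf, "Uid:", 4) == 0) {
			char *ptr = buf + 4;	// the loop below skips the tab/space separator
			while (*ptr == ' ' || *ptr == '\t')
				ptr++;
			char *end;
			errno = 0;
			unsigned long v = strtoul(ptr, &end, 10);
			// first field is the real uid; reject empty or out-of-range input
			if (end != ptr && errno == 0 && v <= (unsigned long)(uid_t)-1) {
				rv = (uid_t) v;
				found = 1;
			}
			break;
		}
	}
	// … unchanged: fclose/free …
	if (!found) {
		fprintf(stderr, "Error: cannot read /proc file\n");
		exit(1);
	}
	return rv;
}
```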
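--- a/src/lib/pid.c
+++ b/src/lib/pid.c
@@ -137,7 +137,7 @@ char *pid_get_user_name(uid_t uid) {
 uid_t pid_get_uid(pid_t pid) {
 	uid_t rv = 0;
 
-	// open stat file
+	// open statua file
 	char *file;
 	if (asprintf(&file, "/proc/%u/status", pid) == -1) {
 		perror("asprintf");
@@ -149,7 +149,7 @@ uid_t pid_get_uid(pid_t pid) {
 		return 0;
 	}
 
-	// look for firejail executable name
+	// extract uid
 	char buf[PIDS_BUFLEN];
 	while (fgets(buf, PIDS_BUFLEN - 1, fp)) {
 		if (strncmp(buf, "Uid:", 4) == 0) {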
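Review bot: The comment introduced on the new side of the first hunk reads `// open statua file`; it should be `// open status file`, matching the /proc/%u/status path two lines below and the wording used by the util.c copy of this function. pid_get_uid's body continues past the end of the second hunk.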