author | netblue30 <netblue30@yahoo.com> | 2016-12-06 08:49:47 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-12-06 08:49:47 -0500 |
commit | 94abb4298e20bd1f9f89faf781defeb706462ac4 (patch) | |
tree | 412ebffd0bd1894edba14ed72a3d38b057b724a1 /src | |
parent | testing (diff) | |
testing
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/main.c | 130 | ||||
-rw-r--r-- | src/firejail/no_sandbox.c | 96 |
2 files changed, 51 insertions, 175 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c index 32769845d..545c38018 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -751,42 +751,6 @@ static void delete_x11_file(pid_t pid) { | |||
751 | free(fname); | 751 | free(fname); |
752 | } | 752 | } |
753 | 753 | ||
754 | static void detect_quiet(int argc, char **argv) { | ||
755 | int i; | ||
756 | |||
757 | // detect --quiet | ||
758 | for (i = 1; i < argc; i++) { | ||
759 | if (strcmp(argv[i], "--quiet") == 0) { | ||
760 | arg_quiet = 1; | ||
761 | break; | ||
762 | } | ||
763 | |||
764 | // detect end of firejail params | ||
765 | if (strcmp(argv[i], "--") == 0) | ||
766 | break; | ||
767 | if (strncmp(argv[i], "--", 2) != 0) | ||
768 | break; | ||
769 | } | ||
770 | } | ||
771 | |||
772 | static void detect_allow_debuggers(int argc, char **argv) { | ||
773 | int i; | ||
774 | |||
775 | // detect --allow-debuggers | ||
776 | for (i = 1; i < argc; i++) { | ||
777 | if (strcmp(argv[i], "--allow-debuggers") == 0) { | ||
778 | arg_allow_debuggers = 1; | ||
779 | break; | ||
780 | } | ||
781 | |||
782 | // detect end of firejail params | ||
783 | if (strcmp(argv[i], "--") == 0) | ||
784 | break; | ||
785 | if (strncmp(argv[i], "--", 2) != 0) | ||
786 | break; | ||
787 | } | ||
788 | } | ||
789 | |||
790 | char *guess_shell(void) { | 754 | char *guess_shell(void) { |
791 | char *shell = NULL; | 755 | char *shell = NULL; |
792 | // shells in order of preference | 756 | // shells in order of preference |
@@ -806,6 +770,25 @@ char *guess_shell(void) { | |||
806 | return shell; | 770 | return shell; |
807 | } | 771 | } |
808 | 772 | ||
773 | static int check_arg(int argc, char **argv, const char *argument) { | ||
774 | int i; | ||
775 | int found = 0; | ||
776 | for (i = 1; i < argc; i++) { | ||
777 | if (strcmp(argv[i], "--force") == 0) { | ||
778 | found = 1; | ||
779 | break; | ||
780 | } | ||
781 | |||
782 | // detect end of firejail params | ||
783 | if (strcmp(argv[i], "--") == 0) | ||
784 | break; | ||
785 | if (strncmp(argv[i], "--", 2) != 0) | ||
786 | break; | ||
787 | } | ||
788 | |||
789 | return found; | ||
790 | } | ||
791 | |||
809 | //******************************************* | 792 | //******************************************* |
810 | // Main program | 793 | // Main program |
811 | //******************************************* | 794 | //******************************************* |
@@ -822,8 +805,10 @@ int main(int argc, char **argv) { | |||
822 | // build /run/firejail directory structure | 805 | // build /run/firejail directory structure |
823 | preproc_build_firejail_dir(); | 806 | preproc_build_firejail_dir(); |
824 | 807 | ||
825 | detect_quiet(argc, argv); | 808 | if (check_arg(argc, argv, "--quiet")) |
826 | detect_allow_debuggers(argc, argv); | 809 | arg_quiet = 1; |
810 | if (check_arg(argc, argv, "--allow-debuggers")) | ||
811 | arg_allow_debuggers = 1; | ||
827 | 812 | ||
828 | // drop permissions by default and rise them when required | 813 | // drop permissions by default and rise them when required |
829 | EUID_INIT(); | 814 | EUID_INIT(); |
@@ -845,78 +830,27 @@ int main(int argc, char **argv) { | |||
845 | EUID_USER(); | 830 | EUID_USER(); |
846 | if (rv == 0) { | 831 | if (rv == 0) { |
847 | // if --force option is passed to the program, disregard the existing sandbox | 832 | // if --force option is passed to the program, disregard the existing sandbox |
848 | int found = 0; | 833 | if (check_arg(argc, argv, "--force")) |
849 | for (i = 1; i < argc; i++) { | 834 | option_force = 1; |
850 | if (strcmp(argv[i], "--force") == 0 || | 835 | else { |
851 | strcmp(argv[i], "--list") == 0 || | ||
852 | strcmp(argv[i], "--netstats") == 0 || | ||
853 | strcmp(argv[i], "--tree") == 0 || | ||
854 | strcmp(argv[i], "--top") == 0 || | ||
855 | strncmp(argv[i], "--ls=", 5) == 0 || | ||
856 | strncmp(argv[i], "--get=", 6) == 0 || | ||
857 | strcmp(argv[i], "--debug-caps") == 0 || | ||
858 | strcmp(argv[i], "--debug-errnos") == 0 || | ||
859 | strcmp(argv[i], "--debug-syscalls") == 0 || | ||
860 | strcmp(argv[i], "--debug-protocols") == 0 || | ||
861 | strcmp(argv[i], "--help") == 0 || | ||
862 | strcmp(argv[i], "--version") == 0 || | ||
863 | strcmp(argv[i], "--overlay-clean") == 0 || | ||
864 | strncmp(argv[i], "--dns.print=", 12) == 0 || | ||
865 | strncmp(argv[i], "--bandwidth=", 12) == 0 || | ||
866 | strncmp(argv[i], "--caps.print=", 13) == 0 || | ||
867 | strncmp(argv[i], "--cpu.print=", 12) == 0 || | ||
868 | //******************************************************************************** | ||
869 | // todo: fix the following problems | ||
870 | strncmp(argv[i], "--join=", 7) == 0 || | ||
871 | //[netblue@debian Downloads]$ firejail --join=896 | ||
872 | //Switching to pid 897, the first child process inside the sandbox | ||
873 | //Error: seccomp file not found | ||
874 | //******************************************************************************** | ||
875 | |||
876 | strncmp(argv[i], "--join-filesystem=", 18) == 0 || | ||
877 | strncmp(argv[i], "--join-network=", 15) == 0 || | ||
878 | strncmp(argv[i], "--fs.print=", 11) == 0 || | ||
879 | strncmp(argv[i], "--protocol.print=", 17) == 0 || | ||
880 | strncmp(argv[i], "--seccomp.print", 15) == 0 || | ||
881 | strncmp(argv[i], "--shutdown=", 11) == 0) { | ||
882 | found = 1; | ||
883 | break; | ||
884 | } | ||
885 | |||
886 | // detect end of firejail params | ||
887 | if (strcmp(argv[i], "--") == 0) | ||
888 | break; | ||
889 | if (strncmp(argv[i], "--", 2) != 0) | ||
890 | break; | ||
891 | } | ||
892 | |||
893 | if (found == 0) { | ||
894 | // start the program directly without sandboxing | 836 | // start the program directly without sandboxing |
895 | run_no_sandbox(argc, argv); | 837 | run_no_sandbox(argc, argv); |
896 | // it will never get here! | 838 | // it will never get here! |
897 | assert(0); | 839 | assert(0); |
898 | } | 840 | } |
899 | else | ||
900 | option_force = 1; | ||
901 | } | 841 | } |
902 | } | 842 | } |
903 | 843 | ||
904 | // check root/suid | 844 | // check root/suid |
905 | EUID_ROOT(); | 845 | EUID_ROOT(); |
906 | if (geteuid()) { | 846 | if (geteuid()) { |
907 | // detect --version | 847 | // only --version is supported without SUID support |
908 | for (i = 1; i < argc; i++) { | 848 | if (check_arg(argc, argv, "--force")) { |
909 | if (strcmp(argv[i], "--version") == 0) { | 849 | printf("firejail version %s\n", VERSION); |
910 | printf("firejail version %s\n", VERSION); | 850 | exit(0); |
911 | exit(0); | ||
912 | } | ||
913 | |||
914 | // detect end of firejail params | ||
915 | if (strcmp(argv[i], "--") == 0) | ||
916 | break; | ||
917 | if (strncmp(argv[i], "--", 2) != 0) | ||
918 | break; | ||
919 | } | 851 | } |
852 | |||
853 | fprintf(stderr, "Error: cannot rise privileges\n"); | ||
920 | exit(1); | 854 | exit(1); |
921 | } | 855 | } |
922 | EUID_USER(); | 856 | EUID_USER(); |
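Review bot: check_arg() never reads its `argument` parameter: the comparison in its loop is `strcmp(argv[i], "--force")`, so the new calls in main() for `--quiet` and `--allow-debuggers` actually test for `--force`. As written, passing `--force` sets both arg_quiet and arg_allow_debuggers, while `--quiet` or `--allow-debuggers` on their own are not detected here; the second flag, judging by its name, relaxes a sandbox restriction and would be switched on without being requested. The comparison should be `if (strcmp(argv[i], argument) == 0) {`. The no-SUID branch has the same slip at the call site: under the comment "only --version is supported without SUID support" it calls `check_arg(argc, argv, "--force")`, which should be `check_arg(argc, argv, "--version")`. main() starts and ends outside these hunks, so any later handling of these options is not visible here.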
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 8af555ea2..07ac25dca 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c | |||
@@ -165,84 +165,28 @@ void run_no_sandbox(int argc, char **argv) { | |||
165 | // process limited subset of options | 165 | // process limited subset of options |
166 | int i; | 166 | int i; |
167 | for (i = 0; i < argc; i++) { | 167 | for (i = 0; i < argc; i++) { |
168 | if (strcmp(argv[i], "--csh") == 0) { | 168 | if (strcmp(argv[i], "--debug") == 0) |
169 | if (arg_shell_none) { | 169 | arg_debug = 1; |
170 | fprintf(stderr, "Error: --shell=none was already specified.\n"); | 170 | else if (strcmp(argv[i], "--csh") == 0 || |
171 | exit(1); | 171 | strcmp(argv[i], "--zsh") == 0 || |
172 | } | 172 | strcmp(argv[i], "--shell=none") == 0 || |
173 | if (cfg.shell) { | 173 | strncmp(argv[i], "--shell=", 8) == 0) |
174 | fprintf(stderr, "Error: only one default user shell can be specified\n"); | 174 | fprintf(stderr, "Warning: shell-related command line options are disregarded - using SHELL environment variable"); |
175 | exit(1); | ||
176 | } | ||
177 | cfg.shell = "/bin/csh"; | ||
178 | } | ||
179 | else if (strcmp(argv[i], "--zsh") == 0) { | ||
180 | if (arg_shell_none) { | ||
181 | fprintf(stderr, "Error: --shell=none was already specified.\n"); | ||
182 | exit(1); | ||
183 | } | ||
184 | if (cfg.shell) { | ||
185 | fprintf(stderr, "Error: only one default user shell can be specified\n"); | ||
186 | exit(1); | ||
187 | } | ||
188 | cfg.shell = "/bin/zsh"; | ||
189 | } | ||
190 | else if (strcmp(argv[i], "--shell=none") == 0) { | ||
191 | arg_shell_none = 1; | ||
192 | if (cfg.shell) { | ||
193 | fprintf(stderr, "Error: a shell was already specified\n"); | ||
194 | exit(1); | ||
195 | } | ||
196 | } | ||
197 | else if (strncmp(argv[i], "--shell=", 8) == 0) { | ||
198 | if (arg_shell_none) { | ||
199 | fprintf(stderr, "Error: --shell=none was already specified.\n"); | ||
200 | exit(1); | ||
201 | } | ||
202 | invalid_filename(argv[i] + 8); | ||
203 | |||
204 | if (cfg.shell) { | ||
205 | fprintf(stderr, "Error: only one user shell can be specified\n"); | ||
206 | exit(1); | ||
207 | } | ||
208 | cfg.shell = argv[i] + 8; | ||
209 | |||
210 | if (is_dir(cfg.shell) || strstr(cfg.shell, "..")) { | ||
211 | fprintf(stderr, "Error: invalid shell\n"); | ||
212 | exit(1); | ||
213 | } | ||
214 | |||
215 | // access call checks as real UID/GID, not as effective UID/GID | ||
216 | if(cfg.chrootdir) { | ||
217 | char *shellpath; | ||
218 | if (asprintf(&shellpath, "%s%s", cfg.chrootdir, cfg.shell) == -1) | ||
219 | errExit("asprintf"); | ||
220 | if (access(shellpath, R_OK)) { | ||
221 | fprintf(stderr, "Error: cannot access shell file in chroot\n"); | ||
222 | exit(1); | ||
223 | } | ||
224 | free(shellpath); | ||
225 | } else if (access(cfg.shell, R_OK)) { | ||
226 | fprintf(stderr, "Error: cannot access shell file\n"); | ||
227 | exit(1); | ||
228 | } | ||
229 | } | ||
230 | } | 175 | } |
231 | 176 | ||
232 | // use $SHELL to get shell used in sandbox | 177 | // use $SHELL to get shell used in sandbox |
233 | if (!arg_shell_none && !cfg.shell) { | 178 | char *shell = getenv("SHELL"); |
234 | char *shell = getenv("SHELL"); | 179 | if (shell && access(shell, R_OK) == 0) |
235 | if (shell && access(shell, R_OK) == 0) | 180 | cfg.shell = shell; |
236 | cfg.shell = shell; | 181 | |
237 | } | ||
238 | // guess shell otherwise | 182 | // guess shell otherwise |
239 | if (!arg_shell_none && !cfg.shell) { | 183 | if (!cfg.shell) { |
240 | cfg.shell = guess_shell(); | 184 | cfg.shell = guess_shell(); |
241 | if (arg_debug) | 185 | if (arg_debug) |
242 | printf("Autoselecting %s as shell\n", cfg.shell); | 186 | printf("Autoselecting %s as shell\n", cfg.shell); |
243 | } | 187 | } |
244 | if (!arg_shell_none && !cfg.shell) { | 188 | if (!cfg.shell) { |
245 | fprintf(stderr, "Error: unable to guess your shell, please set explicitly by using --shell option.\n"); | 189 | fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n"); |
246 | exit(1); | 190 | exit(1); |
247 | } | 191 | } |
248 | 192 | ||
@@ -266,13 +210,11 @@ void run_no_sandbox(int argc, char **argv) { | |||
266 | } | 210 | } |
267 | } | 211 | } |
268 | 212 | ||
269 | if (!arg_shell_none) { | 213 | if (prog_index == 0) { |
270 | if (prog_index == 0) { | 214 | cfg.command_line = cfg.shell; |
271 | cfg.command_line = cfg.shell; | 215 | cfg.window_title = cfg.shell; |
272 | cfg.window_title = cfg.shell; | 216 | } else { |
273 | } else { | 217 | build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); |
274 | build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); | ||
275 | } | ||
276 | } | 218 | } |
277 | 219 | ||
278 | cfg.original_argv = argv; | 220 | cfg.original_argv = argv; |
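Review bot: `$SHELL` is now the only way to choose the shell in run_no_sandbox(), and it is accepted after nothing more than `access(shell, R_OK)`, which a directory or a non-executable file also passes; the removed `--shell=` branch at least rejected directories through is_dir(). Consider `if (shell && !is_dir(shell) && access(shell, X_OK) == 0)` so an unusable value falls through to guess_shell() rather than, presumably, failing later when the shell is executed. The new warning string has no trailing `\n`, so it will run into whatever is written to stderr next. The option loop still scans every argv element from index 0, so a `--debug` or `--shell=` that belongs to the launched program's own arguments is matched as well, whereas the scans in main.c stop at `--` or the first non-option. run_no_sandbox() begins and ends outside these hunks, so whether privileges are already dropped at this point cannot be confirmed from here.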