author | smitsohu <smitsohu@gmail.com> | 2022-01-12 18:25:11 +0100 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2022-01-12 18:25:11 +0100 |
commit | 4efbd78c7438aa5b869103ef9fe24f7035b984ba (patch) | |
tree | d60fe52b95b7140c13473a0f8dd98a6ef15b0b52 /src | |
parent | merges (diff) | |
refactor closing of file descriptors
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/dbus.c | 11 | ||||
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/sbox.c | 7 | ||||
-rw-r--r-- | src/firejail/util.c | 46 |
4 files changed, 55 insertions, 11 deletions
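--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -297,11 +297,12 @@ void dbus_proxy_start(void) {
 if (dbus_proxy_pid == -1)
 errExit("fork");
 if (dbus_proxy_pid == 0) {
-int i;
-for (i = STDERR_FILENO + 1; i < FIREJAIL_MAX_FD; i++) {
-if (i != status_pipe[1] && i != args_pipe[0])
-close(i); // close open files
-}
+// close open files
+int keep_list[2];
+keep_list[0] = status_pipe[1];
+keep_list[1] = args_pipe[0];
+close_all(keep_list, ARRAY_SIZE(keep_list));
+
 if (arg_dbus_log_file != NULL) {
 int output_fd = creat(arg_dbus_log_file, 0666);
 if (output_fd < 0)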
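Review bot: The keep list in the child branch is sized and filled by hand in three statements, so adding a third descriptor later means touching both the `[2]` and the assignments. An initializer keeps the count and the contents together and lets ARRAY_SIZE follow automatically: `int keep_list[] = { status_pipe[1], args_pipe[0] };`. The `// close open files` comment would also read better directly above the `close_all(...)` call than above the declaration. The `if (dbus_proxy_pid == 0)` block continues past the end of the hunk.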
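--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -551,6 +551,7 @@ int remount_by_fd(int dst, unsigned long mountflags);
 int bind_mount_by_fd(int src, int dst);
 int bind_mount_path_to_fd(const char *srcname, int dst);
 int bind_mount_fd_to_path(int src, const char *destname);
+void close_all(int *keep_list, size_t sz);
 int has_handler(pid_t pid, int signal);
 void enter_network_namespace(pid_t pid);
 int read_pid(const char *name, pid_t *pid);
@@ -881,7 +882,6 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 #define SBOX_CAPS_HIDEPID (1 << 7) // hidepid caps filter for running firemon
 #define SBOX_CAPS_NET_SERVICE (1 << 8) // caps filter for programs running network services
 #define SBOX_KEEP_FDS (1 << 9) // keep file descriptors open
-#define FIREJAIL_MAX_FD 20 // getdtablesize() is overkill for a firejail process
 
 // run sbox
 int sbox_run(unsigned filter, int num, ...);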
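Review bot: The new `close_all` prototype carries no comment, and its contract is not obvious from the signature. Per the definition in util.c it always leaves stdin, stdout and stderr open, treats a NULL `keep_list` as empty, and terminates the process if /proc/self/fd cannot be opened. A one-line comment above the declaration would cover it, e.g. `// close all open file descriptors except 0-2 and those in keep_list; exits if /proc/self/fd is unavailable`. The list is only read, so `const int *keep_list` here and in util.c would state that callers' arrays are not modified.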
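--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -72,11 +72,8 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char *
 }
 
 // close all other file descriptors
-if ((filtermask & SBOX_KEEP_FDS) == 0) {
-int i;
-for (i = 3; i < FIREJAIL_MAX_FD; i++)
-close(i); // close open files
-}
+if ((filtermask & SBOX_KEEP_FDS) == 0)
+close_all(NULL, 0);
 
 umask(027);
 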
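--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1398,6 +1398,52 @@ int bind_mount_path_to_fd(const char *srcname, int dst) {
 return rv;
 }
 
+void close_all(int *keep_list, size_t sz) {
+DIR *dir;
+if (!(dir = opendir("/proc/self/fd"))) {
+// sleep 2 seconds and try again
+sleep(2);
+if (!(dir = opendir("/proc/self/fd"))) {
+fprintf(stderr, "Error: cannot open /proc/self/fd directory\n");
+exit(1);
+}
+}
+struct dirent *entry;
+while ((entry = readdir(dir)) != NULL) {
+if (strcmp(entry->d_name, ".") == 0 ||
+strcmp(entry->d_name, "..") == 0)
+continue;
+
+int fd = atoi(entry->d_name);
+
+// don't close standard streams
+if (fd == STDIN_FILENO ||
+fd == STDOUT_FILENO ||
+fd == STDERR_FILENO)
+continue;
+
+if (fd == dirfd(dir))
+continue; // just postponed
+
+// dont't close file descriptors in keep list
+int keep = 0;
+if (keep_list) {
+size_t i;
+for (i = 0; i < sz; i++) {
+if (keep_list[i] == fd) {
+keep = 1;
+break;
+}
+}
+}
+if (keep)
+continue;
+
+close(fd);
+}
+closedir(dir);
+}
+
 int has_handler(pid_t pid, int signal) {
 if (signal > 0 && signal <= SIGRTMAX) {
 char *fname;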
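Review bot: The `readdir()` loop in `close_all` treats every NULL return as end-of-directory, so a read error ends the loop early and the function returns with descriptors still open and no message, whereas the `opendir()` failure path stops the process. Because the dbus.c and sbox.c callers use this to keep inherited descriptors out of the processes they start, the loop should fail closed as well. Clear errno before each call, `while (errno = 0, (entry = readdir(dir)) != NULL) {`, and check it after the loop with `if (errno) errExit("readdir");` (errExit as used in dbus.c; this assumes errno.h is already included in util.c). Separately, `atoi(entry->d_name)` yields 0 for a name it cannot parse and the stdin test then skips that entry silently; `strtol` with an end-pointer check would make an unexpected entry visible.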