author | netblue30 <netblue30@yahoo.com> | 2016-02-19 09:30:46 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-02-19 09:30:46 -0500 |
commit | 07c05e8a54307118982fdb725664c9fcaef65f38 (patch) | |
tree | 90508984ef60851f95f4a8f64c00c88c73314bbc /src | |
parent | euid switching (diff) | |
moved sandbox name to /run/firejail/name/<PID>
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 3 | ||||
-rw-r--r-- | src/firejail/fs.c | 21 | ||||
-rw-r--r-- | src/firejail/main.c | 44 | ||||
-rw-r--r-- | src/lib/common.c | 67 |
4 files changed, 92 insertions, 43 deletions
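--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -26,6 +26,9 @@
 // filesystem
 #define RUN_FIREJAIL_BASEDIR "/run"
 #define RUN_FIREJAIL_DIR "/run/firejail"
+#define RUN_FIREJAIL_NAME_DIR "/run/firejail/name"
+#define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network"
+#define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth"
 #define RUN_NETWORK_LOCK_FILE "/run/firejail/firejail.lock"
 #define RUN_RO_DIR "/run/firejail/firejail.ro.dir"
 #define RUN_RO_FILE "/run/firejail/firejail.ro.file"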
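--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -85,6 +85,27 @@ void fs_build_firejail_dir(void) {
 errExit("chown");
 if (chmod(RUN_FIREJAIL_DIR, 0755) < 0)
 errExit("chmod");
+
+if (mkdir(RUN_FIREJAIL_NETWORK_DIR, 0755) == -1)
+errExit("mkdir");
+if (chown(RUN_FIREJAIL_NETWORK_DIR, 0, 0) < 0)
+errExit("chown");
+if (chmod(RUN_FIREJAIL_NETWORK_DIR, 0755) < 0)
+errExit("chmod");
+
+if (mkdir(RUN_FIREJAIL_BANDWIDTH_DIR, 0755) == -1)
+errExit("mkdir");
+if (chown(RUN_FIREJAIL_BANDWIDTH_DIR, 0, 0) < 0)
+errExit("chown");
+if (chmod(RUN_FIREJAIL_BANDWIDTH_DIR, 0755) < 0)
+errExit("chmod");
+
+if (mkdir(RUN_FIREJAIL_NAME_DIR, 0755) == -1)
+errExit("mkdir");
+if (chown(RUN_FIREJAIL_NAME_DIR, 0, 0) < 0)
+errExit("chown");
+if (chmod(RUN_FIREJAIL_NAME_DIR, 0755) < 0)
+errExit("chmod");
 }
 else { // check /tmp/firejail directory belongs to root end exit if doesn't!
 if (s.st_uid != 0 || s.st_gid != 0) {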
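Review bot: The three new subdirectories are created only in the branch that has just created RUN_FIREJAIL_DIR, so a /run/firejail left by an earlier build, or by a run that hit errExit between two of these calls, never gets name/, and the fopen in set_name_file then exits with "cannot create". Unless the else branch, whose body continues outside this hunk, creates them, each subdirectory should be checked on its own after the if/else. The mkdir/chown/chmod triple is also now written out once per directory; a small helper keeps the mode and ownership in one place.

```c
// create a root-owned, mode 0755 subdirectory of RUN_FIREJAIL_DIR if it is missing
static void build_run_subdir(const char *path) {
	struct stat s;
	if (stat(path, &s) == 0)
		return;
	if (mkdir(path, 0755) == -1)
		errExit("mkdir");
	if (chown(path, 0, 0) < 0)
		errExit("chown");
	if (chmod(path, 0755) < 0)
		errExit("chmod");
}

// … unchanged: creation / ownership check of RUN_FIREJAIL_DIR …
// after the if/else, so both branches are covered:
build_run_subdir(RUN_FIREJAIL_NETWORK_DIR);
build_run_subdir(RUN_FIREJAIL_BANDWIDTH_DIR);
build_run_subdir(RUN_FIREJAIL_NAME_DIR);
```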
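--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -104,6 +104,9 @@ int fullargc = 0;
 static pid_t child = 0;
 pid_t sandbox_pid;
 
+static void set_name_file(uid_t pid);
+static void delete_name_file(uid_t pid);
+
 static void myexit(int rv) {
 logmsg("exiting...");
 if (!arg_command && !arg_quiet)
@@ -112,6 +115,7 @@ static void myexit(int rv) {
 // delete sandbox files in shared memory
 bandwidth_shm_del_file(sandbox_pid); // bandwidth file
 network_shm_del_file(sandbox_pid); // network map file
+delete_name_file(sandbox_pid);
 
 exit(rv);
 }
@@ -477,6 +481,36 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 
 }
 
+static void set_name_file(uid_t pid) {
+char *fname;
+if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, pid) == -1)
+errExit("asprintf");
+
+// the file is deleted first
+FILE *fp = fopen(fname, "w");
+if (!fp) {
+fprintf(stderr, "Error: cannot create %s\n", fname);
+exit(1);
+}
+fprintf(fp, "%s\n", cfg.name);
+fclose(fp);
+
+// mode and ownership
+if (chown(fname, 0, 0) == -1)
+errExit("chown");
+if (chmod(fname, 0644) == -1)
+errExit("chmod");
+
+}
+
+static void delete_name_file(uid_t pid) {
+char *fname;
+if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, pid) == -1)
+errExit("asprintf");
+int rv = unlink(fname);
+(void) rv;
+}
+
 //*******************************************
 // Main program
 //*******************************************
@@ -1500,6 +1534,13 @@ int main(int argc, char **argv) {
 arg_noroot = 0;
 }
 
+
+// set name file
+EUID_ROOT();
+if (cfg.name)
+set_name_file(sandbox_pid);
+EUID_USER();
+
 // clone environment
 int flags = CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD;
 
@@ -1627,6 +1668,9 @@ int main(int argc, char **argv) {
 if (lockfd != -1)
 flock(lockfd, LOCK_UN);
 
+// create name file under /run/firejail
+
+
 // handle CTRL-C in parent
 signal (SIGINT, my_handler);
 signal (SIGTERM, my_handler);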
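Review bot: A name file that outlives its sandbox is never cleared: the block added in main() calls set_name_file only when cfg.name is set, and delete_name_file in myexit discards the unlink result, so a sandbox that is killed, or whose myexit runs without root as effective uid (the EUID_ROOT()/EUID_USER() pair around the write suggests it may), leaves /run/firejail/name/<PID> behind. A later unnamed sandbox that is given the same PID would then be resolved under the old name by name2pid. Calling `delete_name_file(sandbox_pid);` right after `EUID_ROOT();`, before the `if (cfg.name)`, closes that gap and makes the comment `// the file is deleted first` true. Both helpers also take `uid_t pid` where `pid_t` is meant, and neither frees `fname`.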
diff --git a/src/lib/common.c b/src/lib/common.c index 099bb54d3..f321c5a47 100644 --- a/src/lib/common.c +++ b/src/lib/common.c | |||
@@ -95,53 +95,34 @@ int name2pid(const char *name, pid_t *pid) { | |||
95 | free(comm); | 95 | free(comm); |
96 | } | 96 | } |
97 | 97 | ||
98 | char *cmd = pid_proc_cmdline(newpid); | 98 | // look for the sandbox name in /run/firejail/name/<PID> |
99 | if (cmd) { | 99 | // todo: use RUN_FIREJAIL_NAME_DIR define from src/firejail/firejail.h |
100 | // mark the end of the name | 100 | char *fname; |
101 | char *ptr = strstr(cmd, "--name="); | 101 | if (asprintf(&fname, "/run/firejail/name/%d", newpid) == -1) |
102 | char *start = ptr; | 102 | errExit("asprintf"); |
103 | if (!ptr) { | 103 | FILE *fp = fopen(fname, "r"); |
104 | free(cmd); | 104 | if (fp) { |
105 | 105 | char buf[BUFLEN]; | |
106 | // extract name for /run/mnt/firejail/fslogger file | 106 | if (fgets(buf, BUFLEN, fp)) { |
107 | char *fname; | 107 | // remove \n |
108 | if (asprintf(&fname, "/proc/%d/root/run/firejail/mnt/fslogger", newpid) == -1) | 108 | char *ptr = strchr(buf, '\n'); |
109 | errExit("asprintf"); | 109 | if (ptr) { |
110 | 110 | *ptr = '\0'; | |
111 | struct stat s; | 111 | if (strcmp(buf, name) == 0) { |
112 | if (stat(fname, &s) == 0) { | 112 | // we found it! |
113 | FILE *fp = fopen(fname, "r"); | ||
114 | if (fp) { | ||
115 | char buf[BUFLEN]; | ||
116 | if (fgets(buf, BUFLEN, fp)) { | ||
117 | if (strncmp(buf, "sandbox name: ", 14) == 0) { | ||
118 | char *ptr2 = buf + 14; | ||
119 | if (strncmp(name, ptr2, strlen(name)) == 0) { | ||
120 | fclose(fp); | ||
121 | *pid = newpid; | ||
122 | closedir(dir); | ||
123 | return 0; | ||
124 | } | ||
125 | } | ||
126 | } | ||
127 | fclose(fp); | 113 | fclose(fp); |
114 | free(fname); | ||
115 | *pid = newpid; | ||
116 | closedir(dir); | ||
117 | return 0; | ||
128 | } | 118 | } |
129 | } | 119 | } |
130 | 120 | else | |
131 | continue; | 121 | fprintf(stderr, "Error: invalid %s\n", fname); |
132 | } | 122 | } |
133 | while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0') | 123 | fclose(fp); |
134 | ptr++; | ||
135 | *ptr = '\0'; | ||
136 | int rv = strcmp(start + 7, name); | ||
137 | if (rv == 0) { | ||
138 | free(cmd); | ||
139 | *pid = newpid; | ||
140 | closedir(dir); | ||
141 | return 0; | ||
142 | } | ||
143 | free(cmd); | ||
144 | } | 124 | } |
125 | free(fname); | ||
145 | } | 126 | } |
146 | closedir(dir); | 127 | closedir(dir); |
147 | return 1; | 128 | return 1; |
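Review bot: A stored name that fills the buffer is reported as `Error: invalid` on every lookup, because the `if (ptr)` branch requires a newline within BUFLEN bytes while set_name_file in main.c writes cfg.name with no length limit. Since this runs inside the scan over all processes, one over-long --name makes every name2pid call print the error. Either reject names of BUFLEN - 1 characters or more where the file is written, or drop the `else` here and treat a missing newline as a plain non-match. The literal `"/run/firejail/name/%d"` should also move to a shared define as the todo says, so the reader and writer cannot drift apart. name2pid starts before this hunk, so the checks on `comm` above it are not visible here.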