diff options
author | netblue30 <netblue30@yahoo.com> | 2016-04-05 13:17:20 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-04-05 13:17:20 -0400 |
commit | 10c7565f9d414d745122dac2e441f5e816db7843 (patch) | |
tree | d6e56dacb20561abeb59c3bebd2ca857f4c35112 /src | |
parent | firecfg fixes (diff) | |
download | firejail-10c7565f9d414d745122dac2e441f5e816db7843.tar.gz firejail-10c7565f9d414d745122dac2e441f5e816db7843.tar.zst firejail-10c7565f9d414d745122dac2e441f5e816db7843.zip |
grsecurity: --caps.print
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/caps.c | 4 | ||||
-rw-r--r-- | src/firemon/firemon.c | 9 | ||||
-rw-r--r-- | src/firemon/usage.c | 3 | ||||
-rw-r--r-- | src/man/firejail.txt | 2 | ||||
-rw-r--r-- | src/man/firemon.txt | 3 |
5 files changed, 17 insertions, 4 deletions
diff --git a/src/firejail/caps.c b/src/firejail/caps.c index 896293fd1..6b934bda6 100644 --- a/src/firejail/caps.c +++ b/src/firejail/caps.c | |||
@@ -373,7 +373,9 @@ static uint64_t extract_caps(int pid) { | |||
373 | exit(1); | 373 | exit(1); |
374 | } | 374 | } |
375 | 375 | ||
376 | EUID_ROOT(); // grsecurity | ||
376 | FILE *fp = fopen(file, "r"); | 377 | FILE *fp = fopen(file, "r"); |
378 | EUID_USER(); // grsecurity | ||
377 | if (!fp) { | 379 | if (!fp) { |
378 | printf("Error: cannot open %s\n", file); | 380 | printf("Error: cannot open %s\n", file); |
379 | free(file); | 381 | free(file); |
@@ -417,7 +419,9 @@ void caps_print_filter(pid_t pid) { | |||
417 | EUID_ASSERT(); | 419 | EUID_ASSERT(); |
418 | 420 | ||
419 | // if the pid is that of a firejail process, use the pid of the first child process | 421 | // if the pid is that of a firejail process, use the pid of the first child process |
422 | EUID_ROOT(); // grsecurity | ||
420 | char *comm = pid_proc_comm(pid); | 423 | char *comm = pid_proc_comm(pid); |
424 | EUID_USER(); // grsecurity | ||
421 | if (comm) { | 425 | if (comm) { |
422 | if (strcmp(comm, "firejail") == 0) { | 426 | if (strcmp(comm, "firejail") == 0) { |
423 | pid_t child; | 427 | pid_t child; |
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c index 0e38696ac..9c3558362 100644 --- a/src/firemon/firemon.c +++ b/src/firemon/firemon.c | |||
@@ -23,7 +23,8 @@ | |||
23 | #include <sys/ioctl.h> | 23 | #include <sys/ioctl.h> |
24 | #include <sys/prctl.h> | 24 | #include <sys/prctl.h> |
25 | #include <grp.h> | 25 | #include <grp.h> |
26 | 26 | #include <sys/stat.h> | |
27 | |||
27 | 28 | ||
28 | static int arg_route = 0; | 29 | static int arg_route = 0; |
29 | static int arg_arp = 0; | 30 | static int arg_arp = 0; |
@@ -111,6 +112,12 @@ int main(int argc, char **argv) { | |||
111 | unsigned pid = 0; | 112 | unsigned pid = 0; |
112 | int i; | 113 | int i; |
113 | 114 | ||
115 | struct stat s; | ||
116 | if (getuid() != 0 &&stat("/proc/sys/kernel/grsecurity", &s) == 0) { | ||
117 | fprintf(stderr, "Error: on Grsecurity systems only root user can run this program\n"); | ||
118 | exit(1); | ||
119 | } | ||
120 | |||
114 | // handle CTRL-C | 121 | // handle CTRL-C |
115 | signal (SIGINT, my_handler); | 122 | signal (SIGINT, my_handler); |
116 | signal (SIGTERM, my_handler); | 123 | signal (SIGTERM, my_handler); |
diff --git a/src/firemon/usage.c b/src/firemon/usage.c index 926e1c89f..74a2a61f0 100644 --- a/src/firemon/usage.c +++ b/src/firemon/usage.c | |||
@@ -24,7 +24,8 @@ void usage(void) { | |||
24 | printf("Usage: firemon [OPTIONS] [PID]\n\n"); | 24 | printf("Usage: firemon [OPTIONS] [PID]\n\n"); |
25 | printf("Monitor processes started in a Firejail sandbox. Without any PID specified,\n"); | 25 | printf("Monitor processes started in a Firejail sandbox. Without any PID specified,\n"); |
26 | printf("all processes started by Firejail are monitored. Descendants of these processes\n"); | 26 | printf("all processes started by Firejail are monitored. Descendants of these processes\n"); |
27 | printf("are also being monitored.\n\n"); | 27 | printf("are also being monitored. On Grsecurity systems only root user\n"); |
28 | printf("can run this program.\n\n"); | ||
28 | printf("Options:\n"); | 29 | printf("Options:\n"); |
29 | printf("\t--arp - print ARP table for each sandbox.\n\n"); | 30 | printf("\t--arp - print ARP table for each sandbox.\n\n"); |
30 | printf("\t--caps - print capabilities configuration for each sandbox.\n\n"); | 31 | printf("\t--caps - print capabilities configuration for each sandbox.\n\n"); |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 24dbff67a..2f3fb6d01 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -118,7 +118,7 @@ The filter is applied to all processes started in the sandbox. | |||
118 | .br | 118 | .br |
119 | Example: | 119 | Example: |
120 | .br | 120 | .br |
121 | $ sudo firejail \-\-caps "/etc/init.d/nginx start && sleep inf" | 121 | $ sudo firejail \-\-caps /etc/init.d/nginx start |
122 | 122 | ||
123 | .TP | 123 | .TP |
124 | \fB\-\-caps.drop=all | 124 | \fB\-\-caps.drop=all |
diff --git a/src/man/firemon.txt b/src/man/firemon.txt index 906b5cd9a..ef99b0927 100644 --- a/src/man/firemon.txt +++ b/src/man/firemon.txt | |||
@@ -6,7 +6,8 @@ firemon [OPTIONS] [PID] | |||
6 | .SH DESCRIPTION | 6 | .SH DESCRIPTION |
7 | Firemon monitors programs started in a Firejail sandbox. | 7 | Firemon monitors programs started in a Firejail sandbox. |
8 | Without a PID specified, all processes started by Firejail are monitored. Descendants of | 8 | Without a PID specified, all processes started by Firejail are monitored. Descendants of |
9 | these processes are also being monitored. | 9 | these processes are also being monitored. On Grsecurity systems only root user |
10 | can run this program. | ||
10 | .SH OPTIONS | 11 | .SH OPTIONS |
11 | .TP | 12 | .TP |
12 | \fB\-\-arp | 13 | \fB\-\-arp |