author | netblue30 <netblue30@yahoo.com> | 2016-04-07 17:37:36 -0400 |
committer | netblue30 <netblue30@yahoo.com> | 2016-04-07 17:37:36 -0400 |
commit | 752c3a43a322b40c1a43012735aa797d9e3c7435 (patch) | |
tree | 0835b4d1bed77eb61cd1f6ef179541310d470881 /src | |
parent | added dnsmasq profile (diff) | |
grsecurity fixes
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/caps.c | 2 | ||||
-rw-r--r-- | src/firejail/list.c | 7 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 2 | ||||
-rw-r--r-- | src/firemon/firemon.c | 12 |
4 files changed, 12 insertions, 11 deletions
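diff --git a/src/firejail/caps.c b/src/firejail/caps.c
index 6b934bda6..2d42c7d8a 100644
--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -247,11 +247,13 @@ void caps_print(void) {
 // check current caps supported by the kernel
 int cnt = 0;
 unsigned long cap;
+EUID_ROOT(); // grsecurity fix
 for (cap=0; cap <= 63; cap++) {
 int code = prctl(PR_CAPBSET_DROP, cap, 0, 0, 0);
 if (code == 0)
 cnt++;
 }
+EUID_USER();
 printf("Your kernel supports %d capabilities.\n", cnt);
 
 for (i = 0; i < elems; i++) {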
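Review bot: The loop that the new EUID_ROOT()/EUID_USER() pair brackets is destructive: prctl(PR_CAPBSET_DROP, cap, ...) removes `cap` from the calling process's bounding set when it succeeds, so with the effective uid raised the probe strips every capability from firejail's own bounding set as a side effect of counting them, which the comment "check current caps supported by the kernel" does not suggest. A read-only probe needs no privilege at all: `int code = prctl(PR_CAPBSET_READ, cap, 0, 0, 0);` returns 0 or 1 for a capability the kernel knows and -1 (EINVAL) otherwise, so the count becomes `if (code >= 0) cnt++;` and the EUID_ROOT()/EUID_USER() window can be dropped entirely. If discarding this process's bounding set here is intentional (for instance because caps_print() exits afterwards, which is not visible in the hunk), a comment saying so would stop the next reader from assuming the probe is harmless. caps_print() starts and ends outside the hunk.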
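diff --git a/src/firejail/list.c b/src/firejail/list.c
index 73feb48aa..b7c0b5264 100644
--- a/src/firejail/list.c
+++ b/src/firejail/list.c
@@ -21,6 +21,7 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 
+#if 0
 static void grsec_elevate_privileges(void) {
 struct stat s;
 if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
@@ -33,10 +34,10 @@ static void grsec_elevate_privileges(void) {
 errExit("setregid");
 }
 }
+#endif
 
 void top(void) {
 EUID_ASSERT();
-grsec_elevate_privileges();
 
 char *arg[4];
 arg[0] = "bash";
@@ -48,7 +49,7 @@ void top(void) {
 
 void netstats(void) {
 EUID_ASSERT();
-grsec_elevate_privileges();
+// grsec_elevate_privileges();
 
 char *arg[4];
 arg[0] = "bash";
@@ -60,7 +61,6 @@ void netstats(void) {
 
 void list(void) {
 EUID_ASSERT();
-grsec_elevate_privileges();
 
 char *arg[4];
 arg[0] = "bash";
@@ -72,7 +72,6 @@ void list(void) {
 
 void tree(void) {
 EUID_ASSERT();
-grsec_elevate_privileges();
 
 char *arg[4];
 arg[0] = "bash";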
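Review bot: netstats() keeps a commented-out call `// grsec_elevate_privileges();` while top(), list() and tree() simply delete theirs, and the helper itself is parked under `#if 0` / `#endif` rather than removed, so the file now says "no longer used" in three different ways. Either delete the `#if 0` block and the commented call outright (history keeps them), or, if the setregid()-based elevation is expected to come back, keep it compiled out in one place with a comment giving the reason, e.g. `/* disabled: see commit "grsecurity fixes"; the list/tree/netstats helpers now run without elevation */` — the actual reason is not stated in this commit, so that wording needs confirming. The body of grsec_elevate_privileges() is cut by the hunk boundary, so whether it has callers elsewhere in the file is not visible here.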
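diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index d148c1f40..22e23d148 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -131,7 +131,7 @@ static void chk_chroot(void) {
 }
 
 static int monitor_application(pid_t app_pid) {
-
+EUID_USER();
 
 int status;
 while (app_pid) {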
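Review bot: monitor_application() now drops to the user euid on entry with no comment explaining why, and the rest of the function (the wait loop and whatever follows it) lies outside the hunk, so it is not visible whether any later step of the monitor still relies on the raised euid. A why-comment on the new line would save the next reader tracing the EUID_* macros, e.g. `EUID_USER(); // the monitor runs as the real user from here on (grsecurity workaround, see commit) — confirm nothing below needs root`; the specific restriction being worked around is not stated in the commit. If a step after the loop does need root again it will have to re-raise explicitly, which deserves a note at that point as well.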
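diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c
index 9c3558362..3140c5f70 100644
--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
@@ -112,12 +112,6 @@ int main(int argc, char **argv) {
 unsigned pid = 0;
 int i;
 
-struct stat s;
-if (getuid() != 0 &&stat("/proc/sys/kernel/grsecurity", &s) == 0) {
-fprintf(stderr, "Error: on Grsecurity systems only root user can run this program\n");
-exit(1);
-}
-
 // handle CTRL-C
 signal (SIGINT, my_handler);
 signal (SIGTERM, my_handler);
@@ -143,6 +137,12 @@ int main(int argc, char **argv) {
 return 0;
 }
 else if (strcmp(argv[i], "--netstats") == 0) {
+struct stat s;
+if (getuid() != 0 && stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+fprintf(stderr, "Error: this feature is not available on Grsecurity systems\n");
+exit(1);
+}
+
 netstats();
 return 0;
 }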
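Review bot: The new `--netstats` guard's message does not match its condition: it only fires when `getuid() != 0`, so the feature is unavailable to non-root users on grsecurity kernels, yet the text says it is not available on Grsecurity systems at all; suggest `fprintf(stderr, "Error: on Grsecurity systems only root can use --netstats\n");`. Detection via `stat("/proc/sys/kernel/grsecurity", &s)` is also a heuristic — that sysctl tree is only present when the kernel exposes it — so a grsecurity kernel without it falls through to netstats() and whatever failure the restricted /proc then produces; a comment stating that assumption, or probing the actual /proc restriction the feature depends on, would be more robust than naming the kernel flavor. main() starts and ends outside the hunk.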