author | smitsohu <smitsohu@gmail.com> | 2018-09-06 19:40:11 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2018-09-06 19:40:11 +0200 |
commit | 2cbffc072197b72ac234b969d77ab9c1def41f1d (patch) | |
tree | 97294f67c7c195527d56ecb42f3b76fdf6469344 /src | |
parent | cleanup (diff) | |
disallow overriding of global rlimits, tiny improvements
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/join.c | 3 | ||||
-rw-r--r-- | src/firejail/macros.c | 1 | ||||
-rw-r--r-- | src/firejail/rlimit.c | 31 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 8 | ||||
-rw-r--r-- | src/firejail/util.c | 4 |
5 files changed, 39 insertions, 8 deletions
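--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -383,6 +383,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
 caps_set(caps);
 }
 
+EUID_USER();
 // set nice
 if (arg_nice) {
 errno = 0;
@@ -395,8 +396,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
 }
 
 // set environment, add x11 display
-EUID_USER();
-
 env_defaults();
 if (display) {
 char *display_str;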
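Review bot: Moving EUID_USER() ahead of the nice block (new line 386) changes the privilege context of whatever that block calls, and nothing at the call site says why; the same reordering is made in sandbox.c, where EUID_ROOT() now follows the nice block. If the block raises priority with a negative nice value, that call presumably now fails with EPERM for unprivileged users where it used to succeed under root euid, which is consistent with the commit's intent but is not mentioned in the message. A one-line comment would make the dependency explicit: `EUID_USER(); // nice and rlimits run as the user so the kernel enforces the usual limits on unprivileged callers`. The nice block itself continues outside the hunk.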
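--- a/src/firejail/macros.c
+++ b/src/firejail/macros.c
@@ -92,6 +92,7 @@ int is_macro(const char *name) {
 
 // returns mallocated memory
 static char *resolve_xdg(const char *var) {
+EUID_ASSERT();
 char *fname;
 struct stat s;
 size_t length = strlen(var);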
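Review bot: EUID_ASSERT() at new line 95 adds a precondition to resolve_xdg() that the function comment does not state, so a future caller has to find out by hitting the assert. The locals `struct stat s` and `fname` suggest the function stats a path derived from the user's environment (the body continues outside the hunk); if so, running with the user's euid is what keeps a user-controlled path from being resolved with root's privileges, and that is worth recording next to the assert. Suggested comment: `// returns mallocated memory; must run with user privileges (EUID_ASSERT) because it touches paths derived from the user's environment`.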
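--- a/src/firejail/rlimit.c
+++ b/src/firejail/rlimit.c
@@ -22,9 +22,15 @@
 #include <sys/resource.h>
 
 void set_rlimits(void) {
+EUID_ASSERT();
 // resource limits
 struct rlimit rl;
 if (arg_rlimit_cpu) {
+if (getrlimit(RLIMIT_CPU, &rl) == -1)
+errExit("getrlimit");
+if (cfg.rlimit_cpu > rl.rlim_max && getuid() != 0)
+cfg.rlimit_cpu = rl.rlim_max;
+// set the new limit
 rl.rlim_cur = (rlim_t) cfg.rlimit_cpu;
 rl.rlim_max = (rlim_t) cfg.rlimit_cpu;
 #ifdef HAVE_GCOV
@@ -37,6 +43,11 @@ void set_rlimits(void) {
 }
 
 if (arg_rlimit_nofile) {
+if (getrlimit(RLIMIT_NOFILE, &rl) == -1)
+errExit("getrlimit");
+if (cfg.rlimit_nofile > rl.rlim_max && getuid() != 0)
+cfg.rlimit_nofile = rl.rlim_max;
+// set the new limit
 rl.rlim_cur = (rlim_t) cfg.rlimit_nofile;
 rl.rlim_max = (rlim_t) cfg.rlimit_nofile;
 #ifdef HAVE_GCOV // gcov-instrumented programs might crash at this point
@@ -49,6 +60,11 @@ void set_rlimits(void) {
 }
 
 if (arg_rlimit_nproc) {
+if (getrlimit(RLIMIT_NPROC, &rl) == -1)
+errExit("getrlimit");
+if (cfg.rlimit_nproc > rl.rlim_max && getuid() != 0)
+cfg.rlimit_nproc = rl.rlim_max;
+// set the new limit
 rl.rlim_cur = (rlim_t) cfg.rlimit_nproc;
 rl.rlim_max = (rlim_t) cfg.rlimit_nproc;
 #ifdef HAVE_GCOV
@@ -61,6 +77,11 @@ void set_rlimits(void) {
 }
 
 if (arg_rlimit_fsize) {
+if (getrlimit(RLIMIT_FSIZE, &rl) == -1)
+errExit("getrlimit");
+if (cfg.rlimit_fsize > rl.rlim_max && getuid() != 0)
+cfg.rlimit_fsize = rl.rlim_max;
+// set the new limit
 rl.rlim_cur = (rlim_t) cfg.rlimit_fsize;
 rl.rlim_max = (rlim_t) cfg.rlimit_fsize;
 #ifdef HAVE_GCOV
@@ -73,6 +94,11 @@ void set_rlimits(void) {
 }
 
 if (arg_rlimit_sigpending) {
+if (getrlimit(RLIMIT_SIGPENDING, &rl) == -1)
+errExit("getrlimit");
+if (cfg.rlimit_sigpending > rl.rlim_max && getuid() != 0)
+cfg.rlimit_sigpending = rl.rlim_max;
+// set the new limit
 rl.rlim_cur = (rlim_t) cfg.rlimit_sigpending;
 rl.rlim_max = (rlim_t) cfg.rlimit_sigpending;
 #ifdef HAVE_GCOV
@@ -85,6 +111,11 @@ void set_rlimits(void) {
 }
 
 if (arg_rlimit_as) {
+if (getrlimit(RLIMIT_AS, &rl) == -1)
+errExit("getrlimit");
+if (cfg.rlimit_as > rl.rlim_max && getuid() != 0)
+cfg.rlimit_as = rl.rlim_max;
+// set the new limit
 rl.rlim_cur = (rlim_t) cfg.rlimit_as;
 rl.rlim_max = (rlim_t) cfg.rlimit_as;
 #ifdef HAVE_GCOV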
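Review bot: The clamp added to each block (new lines 31-32, 48-49, 65-66, 82-83, 99-100, 116-117) silently replaces the value the user asked for with the current hard limit, so a profile or command-line option that requests more than the caller may set is applied with a different value and nobody is told; since set_rlimits() now runs under EUID_ASSERT(), the alternative of letting setrlimit() fail with EPERM is avoided, but the user should still see a warning when the request is reduced. The six blocks are otherwise identical except for the resource constant and cfg field, which is the kind of repetition that lets one copy drift from the others; a small helper keeps the clamp-and-warn policy in one place. Two things I cannot see from the hunk: the type of the cfg.rlimit_* fields (the comparison against rl.rlim_max mixes it with rlim_t while the assignments cast) and whether the clamped cfg value is read again later — if it is, the helper should write the clamped value back rather than take it by value. The HAVE_GCOV region and the setrlimit() call continue outside each hunk.
```c
// Apply one limit with soft == hard.  An unprivileged caller cannot raise a hard
// limit, so clamp to the current one and report it instead of silently lowering
// the request.  Caller (set_rlimits) runs under EUID_ASSERT().
static void set_rlimit_clamped(int resource, const char *name, rlim_t value) {
	struct rlimit rl;
	if (getrlimit(resource, &rl) == -1)
		errExit("getrlimit");
	if (value > rl.rlim_max && getuid() != 0) {
		fprintf(stderr, "Warning: rlimit %s %llu exceeds the hard limit, using %llu\n",
			name, (unsigned long long) value, (unsigned long long) rl.rlim_max);
		value = rl.rlim_max;
	}
	rl.rlim_cur = value;
	rl.rlim_max = value;
	// … unchanged: HAVE_GCOV handling and the setrlimit() call from each block …
}

// call sites, e.g. for the first block:
if (arg_rlimit_cpu)
	set_rlimit_clamped(RLIMIT_CPU, "cpu", (rlim_t) cfg.rlimit_cpu);
```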
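--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1008,7 +1008,9 @@ int sandbox(void* sandbox_arg) {
 }
 }
 
-EUID_ROOT();
+// set rlimits
+set_rlimits();
+
 // set nice
 if (arg_nice) {
 errno = 0;
@@ -1020,6 +1022,7 @@ int sandbox(void* sandbox_arg) {
 }
 }
 
+EUID_ROOT();
 // clean /tmp/.X11-unix sockets
 fs_x11();
 if (arg_x11_xorg)
@@ -1031,9 +1034,6 @@ int sandbox(void* sandbox_arg) {
 // set capabilities
 set_caps();
 
-// set rlimits
-set_rlimits();
-
 // set cpu affinity
 if (cfg.cpus) {
 save_cpu(); // save cpu affinity mask to CPU_CFG file
</field>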
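Review bot: set_rlimits() is moved from after set_caps() (old lines 1034-1035) to before EUID_ROOT() (new lines 1011-1012), and the order is now load-bearing: the EUID_ASSERT() added to set_rlimits() in rlimit.c aborts if the call ever drifts back below EUID_ROOT(), and running under the user's euid is what makes the kernel reject a hard limit above the current one. Nothing at the call site says this, so the `// set rlimits` comment should carry the reason, e.g. `// set rlimits as the user, before EUID_ROOT(): the kernel rejects hard limits above the current ones for unprivileged callers`. The privilege change for the nice block that sits between the two is the same point raised on the join.c hunk. The body of sandbox() continues on both sides of these hunks.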
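--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -33,7 +33,7 @@
 
 #define MAX_GROUPS 1024
 #define MAXBUF 4098
-
+#define EMPTY_STRING ("")
 
 
 // send the error to /var/log/auth.log and exit after a small delay
@@ -1079,7 +1079,7 @@ int safe_fd(const char *path, int flags) {
 
 // traverse the path and return -1 if a symlink is encountered
 int fd = -1;
-char *current_tok = NULL;
+char *current_tok = EMPTY_STRING;
 char *tok = strtok(dup, "/");
 assert(tok);
 while (tok) {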
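Review bot: `char *current_tok = EMPTY_STRING;` at new line 1082 points a non-const `char *` at a string literal, so any write through current_tok in the rest of safe_fd (the loop body is outside the hunk) would be undefined behaviour and the compiler cannot warn because the declared type hides the constness. Declaring it `const char *current_tok = EMPTY_STRING;` keeps the later assignments from `tok` legal and lets the compiler catch a stray write. Defining a file-scope `EMPTY_STRING ("")` macro for a single use adds nothing over writing `""` at the point of use; if the name is meant to document that the empty first token is deliberate, a comment on the declaration says that more directly than a macro.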