author | netblue30 <netblue30@yahoo.com> | 2019-07-04 12:22:07 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2019-07-04 12:22:07 -0400 |
commit | ccd01529adc647e75b618aa35c1742cffd17c694 (patch) | |
tree | 67a6bcaace93559f9f96aa620213b71997dbc798 /src | |
parent | Merge pull request #2825 from Bandie/master (diff) | |
fix #2820 - adjustable file copy limit; export FIREJAIL_DEBUG into sbox
Diffstat (limited to 'src')
-rw-r--r-- | src/fcopy/main.c | 19 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 6 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/sbox.c | 24 |
4 files changed, 40 insertions, 10 deletions
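--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -25,9 +25,11 @@
 #include <pwd.h>
 
 int arg_quiet = 0;
+int arg_debug = 0;
 static int arg_follow_link = 0;
 
-#define COPY_LIMIT (500 * 1024 *1024)
+static int copy_limit = 500 * 1024 *1024; // 500 MB
+#define COPY_LIMIT (
 static int size_limit_reached = 0;
 static unsigned file_cnt = 0;
 static unsigned size_cnt = 0;
@@ -184,8 +186,8 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
 mode_t mode = s.st_mode;
 
 // recalculate size
-if ((s.st_size + size_cnt) > COPY_LIMIT) {
-fprintf(stderr, "Error fcopy: size limit of %dMB reached\n", (COPY_LIMIT / 1024) / 1024);
+if ((s.st_size + size_cnt) > copy_limit) {
+fprintf(stderr, "Error fcopy: size limit of %dMB reached\n", (copy_limit / 1024) / 1024);
 size_limit_reached = 1;
 free(outfname);
 return 0;
@@ -330,6 +332,9 @@ int main(int argc, char **argv) {
 char *quiet = getenv("FIREJAIL_QUIET");
 if (quiet && strcmp(quiet, "yes") == 0)
 arg_quiet = 1;
+char *debug = getenv("FIREJAIL_DEBUG");
+if (debug && strcmp(debug, "yes") == 0)
+arg_debug = 1;
 
 char *src;
 char *dest;
@@ -384,6 +389,14 @@ int main(int argc, char **argv) {
 exit(1);
 }
 
+// extract copy limit size from env variable, if any
+char *cl = getenv("FIREJAIL_FILE_COPY_LIMIT");
+if (cl) {
+copy_limit = atoi(cl) * 1024 * 1024;
+if (arg_debug)
+printf("file copy limit %d bytes\n", copy_limit);
+}
+
 // copy files
 if ((arg_follow_link ? stat : lstat)(src, &s) == -1) {
 fprintf(stderr, "Error fcopy: src %s: %s\n", src, strerror(errno));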
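Review bot: `copy_limit = atoi(cl) * 1024 * 1024;` in main() multiplies in `int` on an unvalidated string, so a configured value of 2048 or more overflows (undefined behaviour for signed int), and a non-numeric, zero or negative value gives a limit of 0 or below, after which the `> copy_limit` test in fs_copydir rejects essentially every file. Parsing with strtol and refusing anything outside 1..INT_MAX/(1024*1024) keeps the limit meaningful; the sketch below assumes <limits.h> is available and deliberately tolerates trailing text, because how checkcfg trims the config line is not visible here. Separately, the first hunk leaves a stray `#define COPY_LIMIT (` behind; none of the lines shown use it and it looks safe to delete. main() starts and ends outside these hunks.

```c
char *cl = getenv("FIREJAIL_FILE_COPY_LIMIT");
if (cl) {
	char *end;
	errno = 0;
	long mb = strtol(cl, &end, 10);
	if (errno != 0 || end == cl || mb < 1 || mb > INT_MAX / (1024 * 1024)) {
		fprintf(stderr, "Error fcopy: invalid file copy limit \"%s\"\n", cl);
		exit(1);
	}
	copy_limit = (int) mb * 1024 * 1024;
	// … unchanged: arg_debug printout of copy_limit …
}
```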
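--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -207,6 +207,12 @@ int checkcfg(int val) {
 goto errout;
 cfg_val[CFG_ARP_PROBES] = arp_probes;
 }
+
+// file copy limit
+else if (strncmp(ptr, "file-copy-limit ", 16) == 0) {
+if (setenv("FIREJAIL_FILE_COPY_LIMIT", ptr + 16, 1) == -1)
+errExit("setenv");
+}
 else
 goto errout;
 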
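Review bot: FIREJAIL_FILE_COPY_LIMIT is written only inside this `file-copy-limit ` branch, so when firejail.config has no such line, any value already present in the process environment is left untouched and later picked up by the `getenv` in sbox_run. Whether the environment is scrubbed before checkcfg runs is not visible in this commit; if it is not, the invoking user's setting rather than the administrator's would decide the copy limit. An `unsetenv("FIREJAIL_FILE_COPY_LIMIT");` before the config file is parsed, or keeping the parsed number in `cfg_val` as the `CFG_ARP_PROBES` branch above appears to do, would close that gap. `ptr + 16` is also exported as-is; a numeric check here ending in `goto errout` would report a bad value alongside the other options. checkcfg() starts and ends outside the hunk.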
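--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -720,6 +720,7 @@ enum {
 CFG_PRIVATE_CACHE,
 CFG_CGROUP,
 CFG_NAME_CHANGE,
+// CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv
 CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;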
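--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -129,8 +129,24 @@ int sbox_run(unsigned filter, int num, ...) {
 if (child < 0)
 errExit("fork");
 if (child == 0) {
-// clean the new process
+// preserve firejail-specific env vars
+char *cl = getenv("FIREJAIL_FILE_COPY_LIMIT");
+if (cl) {
+// duplicate the value, who knows what's going to happen with it in clearenv!
+cl = strdup(cl);
+if (!cl)
+errExit("strdup");
+}
 clearenv();
+if (cl) {
+if (setenv("FIREJAIL_FILE_COPY_LIMIT", cl, 1) == -1)
+errExit("setenv");
+free(cl);
+}
+if (arg_quiet) // --quiet is passed as an environment variable
+setenv("FIREJAIL_QUIET", "yes", 1);
+if (arg_debug) // --debug is passed as an environment variable
+setenv("FIREJAIL_DEBUG", "yes", 1);
 
 if (filter & SBOX_STDIN_FROM_FILE) {
 int fd;
@@ -196,12 +212,6 @@ int sbox_run(unsigned filter, int num, ...) {
 else if (filter & SBOX_USER)
 drop_privs(1);
 
-clearenv();
-
-// --quiet is passed as an environment variable
-if (arg_quiet)
-setenv("FIREJAIL_QUIET", "yes", 1);
-
 if (arg[0]) // get rid of scan-build warning
 execvp(arg[0], arg);
 else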
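Review bot: The `setenv("FIREJAIL_QUIET", …)` and `setenv("FIREJAIL_DEBUG", …)` calls in the first hunk ignore their return value, while the FIREJAIL_FILE_COPY_LIMIT call just above them exits on failure; after `clearenv()` a failed setenv silently drops the flag, so the same check fits both, e.g. `if (arg_debug && setenv("FIREJAIL_DEBUG", "yes", 1) == -1) errExit("setenv");`. The scrub has also moved from directly before `execvp` to the top of the child, so anything the code between the two hunks (not shown) puts into the environment would now reach the helper. A one-line comment at the new `clearenv()` stating that nothing after it may modify the environment would record that assumption. sbox_run() starts and ends outside both hunks.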