diff options
| author |  smitsohu <smitsohu@gmail.com> | 2022-01-17 14:10:51 +0100 |
|---|---|---|
| committer | smitsohu <smitsohu@gmail.com> | 2022-01-17 14:11:43 +0100 |
| commit | 397a9080ea9b74aac9a03f9b5e740b966474ff09 (patch) | |
| tree | 15c6cffa6b243a4be90dd7d4341b72f119794a56 /src | |
| parent | some hardening (diff) | |
| download | firejail-397a9080ea9b74aac9a03f9b5e740b966474ff09.tar.gz firejail-397a9080ea9b74aac9a03f9b5e740b966474ff09.tar.zst firejail-397a9080ea9b74aac9a03f9b5e740b966474ff09.zip | |
keep-fd cleanup
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/sandbox.c | 45 |
1 files changed, 20 insertions, 25 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index c351b8e94..9c96f976a 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -399,28 +399,11 @@ static int monitor_application(pid_t app_pid) { | |||
| 399 | return arg_deterministic_exit_code ? app_status : status; | 399 | return arg_deterministic_exit_code ? app_status : status; |
| 400 | } | 400 | } |
| 401 | 401 | ||
| 402 | |||
| 403 | static void print_time(void) { | 402 | static void print_time(void) { |
| 404 | float delta = timetrace_end(); | 403 | float delta = timetrace_end(); |
| 405 | fmessage("Child process initialized in %.02f ms\n", delta); | 404 | fmessage("Child process initialized in %.02f ms\n", delta); |
| 406 | } | 405 | } |
| 407 | 406 | ||
| 408 | |||
| 409 | int *build_keep_fd_array(size_t *sz) { | ||
| 410 | if (!cfg.keep_fd) { | ||
| 411 | *sz = 0; | ||
| 412 | return NULL; | ||
| 413 | } | ||
| 414 | |||
| 415 | int *rv = str_to_int_array(cfg.keep_fd, sz); | ||
| 416 | if (!rv) { | ||
| 417 | fprintf(stderr, "Error: invalid keep-fd option\n"); | ||
| 418 | exit(1); | ||
| 419 | } | ||
| 420 | return rv; | ||
| 421 | } | ||
| 422 | |||
| 423 | |||
| 424 | // check execute permissions for the program | 407 | // check execute permissions for the program |
| 425 | // this is done typically by the shell | 408 | // this is done typically by the shell |
| 426 | // we are here because of --shell=none | 409 | // we are here because of --shell=none |
| @@ -477,17 +460,29 @@ static int ok_to_run(const char *program) { | |||
| 477 | return 0; | 460 | return 0; |
| 478 | } | 461 | } |
| 479 | 462 | ||
| 463 | static void close_file_descriptors(void) { | ||
| 464 | if (arg_keep_fd_all) | ||
| 465 | return; | ||
| 466 | |||
| 467 | if (!cfg.keep_fd) { | ||
| 468 | close_all(NULL, 0); | ||
| 469 | return; | ||
| 470 | } | ||
| 471 | |||
| 472 | size_t sz = 0; | ||
| 473 | int *keep = str_to_int_array(cfg.keep_fd, &sz); | ||
| 474 | if (!keep) { | ||
| 475 | fprintf(stderr, "Error: invalid keep-fd option\n"); | ||
| 476 | exit(1); | ||
| 477 | } | ||
| 478 | close_all(keep, sz); | ||
| 479 | free(keep); | ||
| 480 | } | ||
| 481 | |||
| 480 | 482 | ||
| 481 | void start_application(int no_sandbox, int fd, char *set_sandbox_status) { | 483 | void start_application(int no_sandbox, int fd, char *set_sandbox_status) { |
| 482 | if (no_sandbox == 0) { | 484 | if (no_sandbox == 0) { |
| 483 | // don't leak open file descriptors | 485 | close_file_descriptors(); |
| 484 | if (!arg_keep_fd_all) { | ||
| 485 | size_t sz; | ||
| 486 | int *keep = build_keep_fd_array(&sz); | ||
| 487 | close_all(keep, sz); | ||
| 488 | if (keep) | ||
| 489 | free(keep); | ||
| 490 | } | ||
| 491 | 486 | ||
| 492 | // set nice and rlimits | 487 | // set nice and rlimits |
| 493 | if (arg_nice) | 488 | if (arg_nice) |