author | netblue30 <netblue30@yahoo.com> | 2016-08-17 10:27:58 -0400 |
committer | netblue30 <netblue30@yahoo.com> | 2016-08-17 10:27:58 -0400 |
commit | 46a15d38d347fe012b25a913c381a128a392edb0 (patch) | |
tree | c762a75fc45c169a4459a3d3666a8d9447999f92 /src | |
parent | slack profile integration (diff) | |
firemon fixes for x11 sandboxes
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/common.c | 59 | ||||
-rw-r--r-- | src/lib/pid.c | 18 |
2 files changed, 66 insertions, 11 deletions
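--- a/src/lib/common.c
+++ b/src/lib/common.c
@@ -199,3 +199,62 @@ char *pid_proc_cmdline(const pid_t pid) {
 }
 return rv;
 }
+
+// return 1 if firejail --x11 on command line
+int pid_proc_cmdline_x11(const pid_t pid) {
+// if comm is not firejail return 0
+char *comm = pid_proc_comm(pid);
+if (strcmp(comm, "firejail") != 0) {
+free(comm);
+return 0;
+}
+free(comm);
+
+// open /proc/pid/cmdline file
+char *fname;
+int fd;
+if (asprintf(&fname, "/proc/%d/cmdline", pid) == -1)
+return 0;
+if ((fd = open(fname, O_RDONLY)) < 0) {
+free(fname);
+return 0;
+}
+free(fname);
+
+// read file
+unsigned char buffer[BUFLEN];
+ssize_t len;
+if ((len = read(fd, buffer, sizeof(buffer) - 1)) <= 0) {
+close(fd);
+return 0;
+}
+buffer[len] = '\0';
+close(fd);
+
+// skip the first argument
+int i;
+for (i = 0; buffer[i] != '\0'; i++);
+
+// parse remaining command line options
+while (1) {
+// extract argument
+i++;
+if (i >= len)
+break;
+char *arg = buffer + i;
+
+// detect the last command line option
+if (strcmp(arg, "--") == 0)
+break;
+if (strncmp(arg, "--", 2) != 0)
+break;
+
+// check x11
+if (strcmp(arg, "--x11") == 0 || strncmp(arg, "--x11=", 6) == 0)
+return 1;
+}
+return 0;
+}
+
+
+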
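Review bot: `strcmp(comm, "firejail")` at the top of pid_proc_cmdline_x11 dereferences the result of pid_proc_comm() without a NULL check; if that helper returns NULL when /proc/&lt;pid&gt;/comm cannot be read (a process that exits between the directory scan and this call), firemon crashes on a race it cannot control, so the guard should read `if (comm == NULL || strcmp(comm, "firejail") != 0) {` with the `free(comm)` kept as is. `char *arg = buffer + i;` mixes `unsigned char *` and `char *` and will draw a pointer-sign warning; declaring `char buffer[BUFLEN];` removes it without changing behavior, since the buffer is only handed to read() and the str* functions. Because the read is capped at `sizeof(buffer) - 1`, a cmdline longer than BUFLEN-1 bytes is silently truncated and the last, partial argument is still compared, which is harmless here (a cut `--x1` cannot match) but worth a one-line comment. Both comm and cmdline are written by the target process itself, so this classification is advisory rather than a trust boundary; I would say so in the header comment, e.g. `// note: comm and cmdline are process-controlled; this only affects how firemon displays the tree`.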
diff --git a/src/lib/pid.c b/src/lib/pid.c index d1ade389e..4540247a0 100644 --- a/src/lib/pid.c +++ b/src/lib/pid.c | |||
@@ -340,18 +340,14 @@ void pid_read(pid_t mon_pid) { | |||
340 | exit(1); | 340 | exit(1); |
341 | } | 341 | } |
342 | 342 | ||
343 | if (mon_pid == 0 && strncmp(ptr, "firejail", 8) == 0) { | 343 | if ((strncmp(ptr, "firejail", 8) == 0) && (mon_pid == 0 || mon_pid == pid)) { |
344 | pids[pid].level = 1; | 344 | if (pid_proc_cmdline_x11(pid)) { |
345 | printf("--x11 detected for pid %d\n", pid); | ||
346 | pids[pid].level = -1; | ||
347 | } | ||
348 | else | ||
349 | pids[pid].level = 1; | ||
345 | } | 350 | } |
346 | else if (mon_pid == pid && strncmp(ptr, "firejail", 8) == 0) { | ||
347 | pids[pid].level = 1; | ||
348 | } | ||
349 | // else if (mon_pid == 0 && strncmp(ptr, "lxc-execute", 11) == 0) { | ||
350 | // pids[pid].level = 1; | ||
351 | // } | ||
352 | // else if (mon_pid == pid && strncmp(ptr, "lxc-execute", 11) == 0) { | ||
353 | // pids[pid].level = 1; | ||
354 | // } | ||
355 | else | 351 | else |
356 | pids[pid].level = -1; | 352 | pids[pid].level = -1; |
357 | } | 353 | } |
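Review bot: The `printf("--x11 detected for pid %d\n", pid);` added inside pid_read writes diagnostic text to stdout from library code in src/lib, so it interleaves with the normal output of whatever firemon mode called it; if it is a leftover debug trace it should be dropped, otherwise route it to `fprintf(stderr, ...)` or behind the tool's verbosity switch. The new `pids[pid].level = -1;` for a firejail process running with --x11 deserves a why-comment, since level -1 otherwise marks processes that are not firejail at all; presumably the outer firejail only wraps the X11 server and the nested firejail is the real sandbox root, e.g. `// --x11 wrapper: the nested firejail child is the sandbox root, not this process`. The merged condition still uses a prefix match on `ptr`, so a comm such as `firejail-x` would also pass, but that predates this change. pid_read begins before this hunk.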