author | netblue30 <netblue30@yahoo.com> | 2016-02-27 16:18:00 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-02-27 16:18:00 -0500 |
commit | ab8c4dba69e3c2d92339d69f295acda1d55b296b (patch) | |
tree | 0daab9a9193267359e67693d8b8d9e57176b3c8f /src | |
parent | man page fixes (diff) | |
firemon fixes
Diffstat (limited to 'src')
-rw-r--r-- | src/firemon/procevent.c | 71 |
1 files changed, 57 insertions, 14 deletions
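--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -27,18 +27,20 @@
 #include <unistd.h>
 #include <arpa/inet.h>
 #include <time.h>
+#include <fcntl.h>
 #define PIDS_BUFLEN 4096
 #define SERVER_PORT 889 // 889-899 is left unassigned by IANA
 
 static int pid_is_firejail(pid_t pid) {
 uid_t rv = 0;
 
-// open stat file
+// open /proc/self/comm
 char *file;
-if (asprintf(&file, "/proc/%u/status", pid) == -1) {
+if (asprintf(&file, "/proc/%u/comm", pid) == -1) {
 perror("asprintf");
 exit(1);
 }
+
 FILE *fp = fopen(file, "r");
 if (!fp) {
 free(file);
@@ -47,21 +49,62 @@ static int pid_is_firejail(pid_t pid) {
 
 // look for firejail executable name
 char buf[PIDS_BUFLEN];
-while (fgets(buf, PIDS_BUFLEN - 1, fp)) {
-if (strncmp(buf, "Name:", 5) == 0) {
-char *ptr = buf + 5;
-while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) {
-ptr++;
+if (fgets(buf, PIDS_BUFLEN - 1, fp)) {
+if (strncmp(buf, "firejail", 8) == 0)
+rv = 1;
+}
+
+if (rv) {
+// open /proc/pid/cmdline file
+char *fname;
+int fd;
+if (asprintf(&fname, "/proc/%d/cmdline", pid) == -1)
+errExit("asprintf");
+if ((fd = open(fname, O_RDONLY)) < 0) {
+free(fname);
+rv = 0;
+goto doexit;
+}
+free(fname);
+
+// read file
+#define BUFLEN 4096
+unsigned char buffer[BUFLEN];
+ssize_t len;
+if ((len = read(fd, buffer, sizeof(buffer) - 1)) <= 0) {
+close(fd);
+rv = 0;
+goto doexit;
+}
+buffer[len] = '\0';
+close(fd);
+
+// list of firejail arguments that don't trigger sandbox creation
+// the initial -- is not included
+char *firejail_args = "list tree x11 help version top netstats debug-syscalls debug-errnos debug-protocols";
+
+int i;
+char *start;
+int first = 1;
+for (i = 0; i < len; i++) {
+if (buffer[i] != '\0')
+continue;
+if (first) {
+first = 0;
+start = buffer + i + 1;
+continue;
 }
-if (*ptr == '\0')
-goto doexit;
-if (strncmp(ptr, "firejail", 8) == 0)
-rv = 1;
-// if (strncmp(ptr, "lxc-execute", 11) == 0)
-// rv = 1;
-break;
+if (strncmp(start, "--", 2) != 0)
+break;
+
+if (strstr(firejail_args, start + 2)) {
+rv = 0;
+break;
+}
+start = buffer + i + 1;
 }
 }
+
 doexit:
 fclose(fp);
 free(file);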
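Review bot: `strstr(firejail_args, start + 2)` at new line 100 is a substring match against a space-separated word list, so any `--` option whose name is a substring of a listed word (`--debug` inside "debug-syscalls", `--e` inside "tree"), or a bare `--` whose empty needle always matches, makes the function report the process as not being a sandbox; firemon would presumably then omit a real sandbox from its output. Comparing whole tokens, as in the fence below, restricts the exemption to exactly the listed options. Separately, `char *start` is assigned from the `unsigned char buffer[]` at new lines 94 and 104, an incompatible-pointer-type assignment; declaring `char buffer[BUFLEN]` fixes it, since only NUL separators are tested on the bytes. The comment at new line 37 says `/proc/self/comm` but the path built is `/proc/<pid>/comm`; suggest `// open /proc/<pid>/comm`. pid_is_firejail continues past the end of the second hunk.
```c
// list of firejail arguments that don't trigger sandbox creation
// the initial -- is not included
static const char *const firejail_args[] = {
	"list", "tree", "x11", "help", "version", "top", "netstats",
	"debug-syscalls", "debug-errnos", "debug-protocols"
};
/* … unchanged: NUL-separator loop, first-argument skip, "--" prefix check … */
int listed = 0;
for (size_t k = 0; k < sizeof(firejail_args) / sizeof(firejail_args[0]); k++) {
	if (strcmp(start + 2, firejail_args[k]) == 0) {
		listed = 1;
		break;
	}
}
if (listed) {
	rv = 0;
	break;
}
start = buffer + i + 1;
```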