authorLibravatar netblue30 <netblue30@yahoo.com>2015-11-03 08:55:40 -0500
committerLibravatar netblue30 <netblue30@yahoo.com>2015-11-03 08:55:40 -0500
commitdbb15d0067f1fce7478ff4059a5e1d78dec37804 (patch)
treefb9d4cc6902c65d69df90e8a2fc108b58c4d6afa /src
parentcleanup (diff)
--private.print option
Diffstat (limited to 'src')
-rw-r--r--src/firejail/cpu.c4
-rw-r--r--src/firejail/firejail.h3
-rw-r--r--src/firejail/join.c9
-rw-r--r--src/firejail/protocol.c145
-rw-r--r--src/firejail/sandbox.c3
-rw-r--r--src/firejail/seccomp.c5
6 files changed, 138 insertions, 31 deletions
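--- a/src/firejail/cpu.c
+++ b/src/firejail/cpu.c
@@ -75,6 +75,8 @@ void save_cpu(void) {
 if (fp) {
 fprintf(fp, "%x\n", cfg.cpus);
 fclose(fp);
+if (chmod(CPU_CFG, 0600) < 0)
+errExit("chmod");
 if (chown(CPU_CFG, 0, 0) < 0)
 errExit("chown");
 }
@@ -126,7 +128,7 @@ void set_cpu_affinity(void) {
 fprintf(stderr, " ");
 perror("sched_getaffinity");
 }
-else {
+else if (arg_debug) {
 if (CPU_EQUAL(&mask, &mask2))
 printf("CPU affinity set\n");
 else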
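Review bot: In the save_cpu hunk the new `chmod(CPU_CFG, 0600)` runs after `fclose(fp)`, so until the chmod lands the file exists with whatever mode the open outside the hunk gave it, and both the chmod and the existing chown act on the path rather than on the file that was just written. Setting the mode on the open stream closes that window: `if (fchmod(fileno(fp), 0600) < 0) errExit("fchmod");` placed before `fclose(fp)`, with `fchown(fileno(fp), 0, 0)` next to it. The new protocol_filter_save() in protocol.c uses the same fopen/fclose/chmod/chown sequence on PROTOCOL_CFG and would take the same change. save_cpu starts above the hunk, so how the file is opened is not visible here.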
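--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -31,6 +31,7 @@
 #define CGROUP_CFG "/tmp/firejail/mnt/cgroup"
 #define CPU_CFG "/tmp/firejail/mnt/cpu"
 #define GROUPS_CFG "/tmp/firejail/mnt/groups"
+#define PROTOCOL_CFG "/tmp/firejail/mnt/protocol"
 #define CP_COMMAND "/tmp/firejail/mnt/cp"
 #define HOME_DIR "/tmp/firejail/mnt/home"
 #define ETC_DIR "/tmp/firejail/mnt/etc"
@@ -447,5 +448,7 @@ void protocol_print_filter_name(const char *name);
 void protocol_print_filter(pid_t pid);
 void protocol_store(const char *prlist);
 void protocol_filter(void);
+void protocol_filter_save(void);
+void protocol_filter_load(const char *fname);
 #endif
 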
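--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -144,7 +144,7 @@ static void extract_caps_seccomp(pid_t pid) {
 free(file);
 }
 
-void extract_user_namespace(pid_t pid) {
+static void extract_user_namespace(pid_t pid) {
 // test user namespaces available in the kernel
 struct stat s1;
 struct stat s2;
@@ -280,9 +280,16 @@ void join(pid_t pid, const char *homedir, int argc, char **argv, int index) {
 if (apply_caps == 1)
 caps_set(caps);
 #ifdef HAVE_SECCOMP
+// set protocol filter
+protocol_filter_load(PROTOCOL_CFG);
+if (cfg.protocol) {
+protocol_filter();
+}
+
 // set seccomp filter
 if (apply_seccomp == 1)
 seccomp_set();
+
 #endif
 
 // fix qt 4.8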
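Review bot: In join(), the line that `protocol_filter_load(PROTOCOL_CFG)` reads is handed to `protocol_filter()` as-is, without the check that protocol_store() is described as applying to the command-line list (its comment in protocol.c reads "check protocol list and store it in cfg structure"; its body is not shown). The file presumably sits in the filesystem of the sandbox being joined, so it is better treated as input than as trusted state, and running the loaded string through the same validation before installing the filter would cover that. protocol_filter_load() also returns silently on any fopen failure, which makes an unreadable file look the same as a sandbox started without a protocol filter; `if (!fp) { if (errno == ENOENT) return; errExit("fopen"); }` keeps the no-filter case and stops on anything else. join() begins and ends outside the hunk.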
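--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -114,27 +114,6 @@ void protocol_list(void) {
 printf("\n");
 }
 
-// --protocol.print
-void protocol_print_filter_name(const char *name) {
-(void) name;
-#ifdef SYS_socket
-//todo
-#else
-fprintf(stderr, "Warning: --protocol not supported on this platform\n");
-return;
-#endif
-}
-
-// --protocol.print
-void protocol_print_filter(pid_t pid) {
-(void) pid;
-#ifdef SYS_socket
-//todo
-#else
-fprintf(stderr, "Warning: --protocol not supported on this platform\n");
-return;
-#endif
-}
 
 // check protocol list and store it in cfg structure
 void protocol_store(const char *prlist) {
@@ -171,6 +150,8 @@ errout:
 // install protocol filter
 void protocol_filter(void) {
 assert(cfg.protocol);
+if (arg_debug)
+printf("Set protocol filter: %s\n", cfg.protocol);
 
 #ifndef SYS_socket
 (void) find_protocol_domain;
@@ -273,10 +254,126 @@ printf("entries %u\n", (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (uns
 fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
 return;
 }
-else if (arg_debug) {
-printf("seccomp protocol filter enabled\n");
-}
 #endif // SYS_socket
 }
 
+void protocol_filter_save(void) {
+// save protocol filter configuration in PROTOCOL_CFG
+fs_build_mnt_dir();
+
+FILE *fp = fopen(PROTOCOL_CFG, "w");
+if (!fp)
+errExit("fopen");
+fprintf(fp, "%s\n", cfg.protocol);
+fclose(fp);
+
+if (chmod(PROTOCOL_CFG, 0600) < 0)
+errExit("chmod");
+
+if (chown(PROTOCOL_CFG, 0, 0) < 0)
+errExit("chown");
+
+}
+
+void protocol_filter_load(const char *fname) {
+assert(fname);
+
+// read protocol filter configuration from PROTOCOL_CFG
+FILE *fp = fopen(fname, "r");
+if (!fp)
+return;
+
+const int MAXBUF = 4098;
+char buf[MAXBUF];
+if (fgets(buf, MAXBUF, fp) == NULL) {
+// empty file
+fclose(fp);
+return;
+}
+fclose(fp);
+
+char *ptr = strchr(buf, '\n');
+if (ptr)
+*ptr = '\0';
+cfg.protocol = strdup(buf);
+if (!cfg.protocol)
+errExit("strdup");
+}
+
+
+// --protocol.print
+void protocol_print_filter_name(const char *name) {
+(void) name;
+#ifdef SYS_socket
+if (!name || strlen(name) == 0) {
+fprintf(stderr, "Error: invalid sandbox name\n");
+exit(1);
+}
+pid_t pid;
+if (name2pid(name, &pid)) {
+fprintf(stderr, "Error: cannot find sandbox %s\n", name);
+exit(1);
+}
+
+protocol_print_filter(pid);
+#else
+fprintf(stderr, "Warning: --protocol not supported on this platform\n");
+return;
+#endif
+}
+
+// --protocol.print
+void protocol_print_filter(pid_t pid) {
+(void) pid;
+#ifdef SYS_socket
+// if the pid is that of a firejail process, use the pid of the first child process
+char *comm = pid_proc_comm(pid);
+if (comm) {
+// remove \n
+char *ptr = strchr(comm, '\n');
+if (ptr)
+*ptr = '\0';
+if (strcmp(comm, "firejail") == 0) {
+pid_t child;
+if (find_child(pid, &child) == 0) {
+pid = child;
+}
+}
+free(comm);
+}
+
+// check privileges for non-root users
+uid_t uid = getuid();
+if (uid != 0) {
+uid_t sandbox_uid = pid_get_uid(pid);
+if (uid != sandbox_uid) {
+fprintf(stderr, "Error: permission denied.\n");
+exit(1);
+}
+}
+
+// find the seccomp filter
+char *fname;
+if (asprintf(&fname, "/proc/%d/root%s", pid, PROTOCOL_CFG) == -1)
+errExit("asprintf");
+
+struct stat s;
+if (stat(fname, &s) == -1) {
+printf("Cannot access seccomp filter.\n");
+exit(1);
+}
+
+// read and print the filter
+protocol_filter_load(fname);
+free(fname);
+if (cfg.protocol)
+printf("%s\n", cfg.protocol);
+exit(0);
+#else
+fprintf(stderr, "Warning: --protocol not supported on this platform\n");
+return;
+#endif
+}
+
+
 #endif // HAVE_SECCOMP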
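Review bot: protocol_print_filter() checks the file with `stat(fname, &s)` and protocol_filter_load() then opens the same `/proc/<pid>/root…` path a second time, so the object that was checked is not necessarily the one that is read, and both calls follow a symbolic link at that location. The path lies inside the target sandbox's root, and whether firejail still holds elevated privileges at this point cannot be seen from the hunk. The safer shape is to open once without following links, fstat the descriptor, and accept only a regular root-owned file, which matches what protocol_filter_save() creates with its chown to 0:0. The failure message `Cannot access seccomp filter.` also goes to stdout and names the wrong filter. A sketch of the load side follows; O_NOFOLLOW covers only the final path component.

```c
void protocol_filter_load(const char *fname) {
	assert(fname);

	// open once, refusing a symlink, and check the object that was actually opened
	int fd = open(fname, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
	if (fd == -1)
		return;	// as before: no file means no stored filter
	struct stat s;
	if (fstat(fd, &s) == -1 || !S_ISREG(s.st_mode) || s.st_uid != 0) {
		fprintf(stderr, "Error: invalid protocol filter file\n");
		exit(1);
	}
	FILE *fp = fdopen(fd, "r");
	if (!fp)
		errExit("fdopen");

	// … unchanged: fgets into buf, newline strip, strdup into cfg.protocol …
}
```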
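--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -425,7 +425,8 @@ int sandbox(void* sandbox_arg) {
 #ifdef HAVE_SECCOMP
 // install protocol filter
 if (cfg.protocol) {
-protocol_filter();
+protocol_filter(); // install filter
+protocol_filter_save(); // save filter in PROTOCOL_CFG
 }
 
 // if a keep list is available, disregard the drop list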
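Review bot: `protocol_filter_save()` is called unconditionally after `protocol_filter()`, but protocol_filter() returns void and, per the context lines in protocol.c, only prints "Warning: seccomp disabled…" and returns when the filter cannot be installed. In that case PROTOCOL_CFG still records the list, so --protocol.print would report, and a later join would apply to the joining process, a filter the sandbox itself is not running under. Having protocol_filter() return a status and saving only on success, `if (protocol_filter() == 0) protocol_filter_save();`, keeps the file in step with what is enforced. sandbox() starts and ends outside the hunk.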
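--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -385,7 +385,7 @@ void seccomp_filter_32(void) {
 ;
 }
 else if (arg_debug) {
-printf("dual i386/amd64 seccomp filter\n");
+printf("Dual i386/amd64 seccomp filter configured\n");
 }
 }
 
@@ -598,9 +598,6 @@ int seccomp_filter_drop(void) {
 fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
 return 1;
 }
-else if (arg_debug) {
-printf("seccomp enabled\n");
-}
 
 return 0;
 }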