--cpu.print

author: netblue30 <netblue30@yahoo.com> 2016-04-06 20:40:45 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-04-06 20:40:45 -0400
commit: 7526e567cd80ceec483ce3546f6fe9897e6ffd48 (patch)
tree: 5de7f1534ec0574b59c831838dd6d75a33d2f996 /src
parent: ssh/scp/sftp fixes (diff)
download: firejail-7526e567cd80ceec483ce3546f6fe9897e6ffd48.tar.gz
firejail-7526e567cd80ceec483ce3546f6fe9897e6ffd48.tar.zst
firejail-7526e567cd80ceec483ce3546f6fe9897e6ffd48.zip
5 files changed, 120 insertions, 0 deletions
diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c
index 23906ae48..1802ad5e1 100644
--- a/src/firejail/cpu.c
+++ b/src/firejail/cpu.c
@@ -139,3 +139,81 @@ void set_cpu_affinity(void) {
                                printf("CPU affinity not set\n");
                }
 }
+static void print_cpu(int pid) {
+        char *file;
+        if (asprintf(&file, "/proc/%d/status", pid) == -1) {
+                errExit("asprintf");
+                exit(1);
+        }
+        EUID_ROOT();    // grsecurity
+        FILE *fp = fopen(file, "r");
+        EUID_USER();    // grsecurity
+        if (!fp) {
+                printf("  Error: cannot open %s\n", file);
+                free(file);
+                return;
+        }
+#define MAXBUF 4096     
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                if (strncmp(buf, "Cpus_allowed_list:", 18) == 0) {
+                        printf("  %s", buf);
+                        fflush(0);
+                        free(file);
+                        fclose(fp);
+                        return;
+                }
+        }
+        fclose(fp);
+        free(file);
+}
+void cpu_print_filter_name(const char *name) {
+        EUID_ASSERT();
+        if (!name || strlen(name) == 0) {
+                fprintf(stderr, "Error: invalid sandbox name\n");
+                exit(1);
+        }
+        pid_t pid;
+        if (name2pid(name, &pid)) {
+                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
+                exit(1);
+        }
+        cpu_print_filter(pid);
+}
+void cpu_print_filter(pid_t pid) {
+        EUID_ASSERT();
+        
+        // if the pid is that of a firejail  process, use the pid of the first child process
+        EUID_ROOT();    // grsecurity
+        char *comm = pid_proc_comm(pid);
+        EUID_USER();    // grsecurity
+        if (comm) {
+                if (strcmp(comm, "firejail") == 0) {
+                        pid_t child;
+                        if (find_child(pid, &child) == 0) {
+                                pid = child;
+                        }
+                }
+                free(comm);
+        }
+        // check privileges for non-root users
+        uid_t uid = getuid();
+        if (uid != 0) {
+                uid_t sandbox_uid = pid_get_uid(pid);
+                if (uid != sandbox_uid) {
+                        fprintf(stderr, "Error: permission denied.\n");
+                        exit(1);
+                }
+        }
+        print_cpu(pid);
+        exit(0);
+}
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index e50b22b4e..f43f31f02 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -438,6 +438,8 @@ void read_cpu_list(const char *str);
 void set_cpu_affinity(void);
 void load_cpu(const char *fname);
 void save_cpu(void);
+void cpu_print_filter_name(const char *name);
+void cpu_print_filter(pid_t pid);
 // cgroup.c
 void save_cgroup(void);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 9df4653cd..c9954d8c7 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -437,6 +437,15 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                exit(0);
        }
 #endif
+        else if (strncmp(argv[i], "--cpu.print=", 12) == 0) {
+                // join sandbox by pid or by name
+                pid_t pid;
+                if (read_pid(argv[i] + 12, &pid) == 0)          
+                        cpu_print_filter(pid);
+                else
+                        cpu_print_filter_name(argv[i] + 12);
+                exit(0);
+        }
        else if (strncmp(argv[i], "--caps.print=", 13) == 0) {
                // join sandbox by pid or by name
                pid_t pid;
@@ -726,6 +735,7 @@ int main(int argc, char **argv) {
                            strncmp(argv[i], "--dns.print=", 12) == 0 ||
                            strncmp(argv[i], "--bandwidth=", 12) == 0 ||
                            strncmp(argv[i], "--caps.print=", 13) == 0 ||
+                            strncmp(argv[i], "--cpu.print=", 12) == 0 ||
 //********************************************************************************
 // todo: fix the following problems
                            strncmp(argv[i], "--join=", 7) == 0 ||
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 597005128..3e4a0d1c3 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -56,6 +56,8 @@ void usage(void) {
        printf("    --chroot=dirname - chroot into directory.\n\n");
 #endif
        printf("    --cpu=cpu-number,cpu-number - set cpu affinity.\n\n");
+        printf("    --cpu.print=name|pid - print the cup in use by the sandbox identified\n");
+        printf("\tby name or PID.\n\n");
        printf("    --csh - use /bin/csh as default shell.\n\n");
        
        printf("    --debug - print sandbox debug messages.\n\n");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 509461f0d..54d2b1e73 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -221,6 +221,34 @@ Example:
 $ firejail \-\-cpu=0,1 handbrake
 .TP
+\fB\-\-cpu.print=name
+Print the CPU cores in use by the sandbox identified by name.
+.br
+.br
+Example:
+.br
+$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
+.br
+[...]
+.br
+$ firejail \-\-cpu.print=mygame
+.TP
+\fB\-\-caps.print=pid
+Print the CPU cores in use by the sandbox identified by PID.
+.br
+.br
+Example:
+.br
+$ firejail \-\-list
+.br
+3272:netblue:firejail \-\-private firefox
+.br
+$ firejail \-\-cpu.print=3272
+.TP
 \fB\-\-csh
 Use /bin/csh as default user shell.
 .br
author	netblue30 <netblue30@yahoo.com>	2016-04-06 20:40:45 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-04-06 20:40:45 -0400
commit	7526e567cd80ceec483ce3546f6fe9897e6ffd48 (patch)
tree	5de7f1534ec0574b59c831838dd6d75a33d2f996 /src
parent	ssh/scp/sftp fixes (diff)
download	firejail-7526e567cd80ceec483ce3546f6fe9897e6ffd48.tar.gz firejail-7526e567cd80ceec483ce3546f6fe9897e6ffd48.tar.zst firejail-7526e567cd80ceec483ce3546f6fe9897e6ffd48.zip

diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c index 23906ae48..1802ad5e1 100644 --- a/src/firejail/cpu.c +++ b/src/firejail/cpu.c
@@ -139,3 +139,81 @@ void set_cpu_affinity(void) {
139	printf("CPU affinity not set\n");	139	printf("CPU affinity not set\n");
140	}	140	}
141	}	141	}
		142
		143	static void print_cpu(int pid) {
		144	char *file;
		145	if (asprintf(&file, "/proc/%d/status", pid) == -1) {
		146	errExit("asprintf");
		147	exit(1);
		148	}
		149
		150	EUID_ROOT(); // grsecurity
		151	FILE *fp = fopen(file, "r");
		152	EUID_USER(); // grsecurity
		153	if (!fp) {
		154	printf(" Error: cannot open %s\n", file);
		155	free(file);
		156	return;
		157	}
		158
		159	#define MAXBUF 4096
		160	char buf[MAXBUF];
		161	while (fgets(buf, MAXBUF, fp)) {
		162	if (strncmp(buf, "Cpus_allowed_list:", 18) == 0) {
		163	printf(" %s", buf);
		164	fflush(0);
		165	free(file);
		166	fclose(fp);
		167	return;
		168	}
		169	}
		170	fclose(fp);
		171	free(file);
		172	}
		173
		174	void cpu_print_filter_name(const char *name) {
		175	EUID_ASSERT();
		176	if (!name \|\| strlen(name) == 0) {
		177	fprintf(stderr, "Error: invalid sandbox name\n");
		178	exit(1);
		179	}
		180	pid_t pid;
		181	if (name2pid(name, &pid)) {
		182	fprintf(stderr, "Error: cannot find sandbox %s\n", name);
		183	exit(1);
		184	}
		185
		186	cpu_print_filter(pid);
		187	}
		188
		189	void cpu_print_filter(pid_t pid) {
		190	EUID_ASSERT();
		191
		192	// if the pid is that of a firejail process, use the pid of the first child process
		193	EUID_ROOT(); // grsecurity
		194	char *comm = pid_proc_comm(pid);
		195	EUID_USER(); // grsecurity
		196	if (comm) {
		197	if (strcmp(comm, "firejail") == 0) {
		198	pid_t child;
		199	if (find_child(pid, &child) == 0) {
		200	pid = child;
		201	}
		202	}
		203	free(comm);
		204	}
		205
		206	// check privileges for non-root users
		207	uid_t uid = getuid();
		208	if (uid != 0) {
		209	uid_t sandbox_uid = pid_get_uid(pid);
		210	if (uid != sandbox_uid) {
		211	fprintf(stderr, "Error: permission denied.\n");
		212	exit(1);
		213	}
		214	}
		215
		216	print_cpu(pid);
		217	exit(0);
		218	}
		219


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index e50b22b4e..f43f31f02 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -438,6 +438,8 @@ void read_cpu_list(const char *str);
438	void set_cpu_affinity(void);	438	void set_cpu_affinity(void);
439	void load_cpu(const char *fname);	439	void load_cpu(const char *fname);
440	void save_cpu(void);	440	void save_cpu(void);
		441	void cpu_print_filter_name(const char *name);
		442	void cpu_print_filter(pid_t pid);
441		443
442	// cgroup.c	444	// cgroup.c
443	void save_cgroup(void);	445	void save_cgroup(void);


diff --git a/src/firejail/main.c b/src/firejail/main.c index 9df4653cd..c9954d8c7 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -437,6 +437,15 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
437	exit(0);	437	exit(0);
438	}	438	}
439	#endif	439	#endif
		440	else if (strncmp(argv[i], "--cpu.print=", 12) == 0) {
		441	// join sandbox by pid or by name
		442	pid_t pid;
		443	if (read_pid(argv[i] + 12, &pid) == 0)
		444	cpu_print_filter(pid);
		445	else
		446	cpu_print_filter_name(argv[i] + 12);
		447	exit(0);
		448	}
440	else if (strncmp(argv[i], "--caps.print=", 13) == 0) {	449	else if (strncmp(argv[i], "--caps.print=", 13) == 0) {
441	// join sandbox by pid or by name	450	// join sandbox by pid or by name
442	pid_t pid;	451	pid_t pid;
@@ -726,6 +735,7 @@ int main(int argc, char **argv) {
726	strncmp(argv[i], "--dns.print=", 12) == 0 \|\|	735	strncmp(argv[i], "--dns.print=", 12) == 0 \|\|
727	strncmp(argv[i], "--bandwidth=", 12) == 0 \|\|	736	strncmp(argv[i], "--bandwidth=", 12) == 0 \|\|
728	strncmp(argv[i], "--caps.print=", 13) == 0 \|\|	737	strncmp(argv[i], "--caps.print=", 13) == 0 \|\|
		738	strncmp(argv[i], "--cpu.print=", 12) == 0 \|\|
729	//********************************************************************************	739	//********************************************************************************
730	// todo: fix the following problems	740	// todo: fix the following problems
731	strncmp(argv[i], "--join=", 7) == 0 \|\|	741	strncmp(argv[i], "--join=", 7) == 0 \|\|


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 597005128..3e4a0d1c3 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -56,6 +56,8 @@ void usage(void) {
56	printf(" --chroot=dirname - chroot into directory.\n\n");	56	printf(" --chroot=dirname - chroot into directory.\n\n");
57	#endif	57	#endif
58	printf(" --cpu=cpu-number,cpu-number - set cpu affinity.\n\n");	58	printf(" --cpu=cpu-number,cpu-number - set cpu affinity.\n\n");
		59	printf(" --cpu.print=name\|pid - print the cup in use by the sandbox identified\n");
		60	printf("\tby name or PID.\n\n");
59	printf(" --csh - use /bin/csh as default shell.\n\n");	61	printf(" --csh - use /bin/csh as default shell.\n\n");
60		62
61	printf(" --debug - print sandbox debug messages.\n\n");	63	printf(" --debug - print sandbox debug messages.\n\n");


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 509461f0d..54d2b1e73 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -221,6 +221,34 @@ Example:
221	$ firejail \-\-cpu=0,1 handbrake	221	$ firejail \-\-cpu=0,1 handbrake
222		222
223	.TP	223	.TP
		224	\fB\-\-cpu.print=name
		225	Print the CPU cores in use by the sandbox identified by name.
		226	.br
		227
		228	.br
		229	Example:
		230	.br
		231	$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
		232	.br
		233	[...]
		234	.br
		235	$ firejail \-\-cpu.print=mygame
		236
		237	.TP
		238	\fB\-\-caps.print=pid
		239	Print the CPU cores in use by the sandbox identified by PID.
		240	.br
		241
		242	.br
		243	Example:
		244	.br
		245	$ firejail \-\-list
		246	.br
		247	3272:netblue:firejail \-\-private firefox
		248	.br
		249	$ firejail \-\-cpu.print=3272
		250
		251	.TP
224	\fB\-\-csh	252	\fB\-\-csh
225	Use /bin/csh as default user shell.	253	Use /bin/csh as default user shell.
226	.br	254	.br