diff options
| author |  netblue30 <netblue30@yahoo.com> | 2016-04-07 17:37:36 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2016-04-07 17:37:36 -0400 |
| commit | 752c3a43a322b40c1a43012735aa797d9e3c7435 (patch) | |
| tree | 0835b4d1bed77eb61cd1f6ef179541310d470881 /src | |
| parent | added dnsmasq profile (diff) | |
| download | firejail-752c3a43a322b40c1a43012735aa797d9e3c7435.tar.gz firejail-752c3a43a322b40c1a43012735aa797d9e3c7435.tar.zst firejail-752c3a43a322b40c1a43012735aa797d9e3c7435.zip | |
grsecurity fixes
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/caps.c | 2 | ||||
| -rw-r--r-- | src/firejail/list.c | 7 | ||||
| -rw-r--r-- | src/firejail/sandbox.c | 2 | ||||
| -rw-r--r-- | src/firemon/firemon.c | 12 |
4 files changed, 12 insertions, 11 deletions
diff --git a/src/firejail/caps.c b/src/firejail/caps.c index 6b934bda6..2d42c7d8a 100644 --- a/src/firejail/caps.c +++ b/src/firejail/caps.c | |||
| @@ -247,11 +247,13 @@ void caps_print(void) { | |||
| 247 | // check current caps supported by the kernel | 247 | // check current caps supported by the kernel |
| 248 | int cnt = 0; | 248 | int cnt = 0; |
| 249 | unsigned long cap; | 249 | unsigned long cap; |
| 250 | EUID_ROOT(); // grsecurity fix | ||
| 250 | for (cap=0; cap <= 63; cap++) { | 251 | for (cap=0; cap <= 63; cap++) { |
| 251 | int code = prctl(PR_CAPBSET_DROP, cap, 0, 0, 0); | 252 | int code = prctl(PR_CAPBSET_DROP, cap, 0, 0, 0); |
| 252 | if (code == 0) | 253 | if (code == 0) |
| 253 | cnt++; | 254 | cnt++; |
| 254 | } | 255 | } |
| 256 | EUID_USER(); | ||
| 255 | printf("Your kernel supports %d capabilities.\n", cnt); | 257 | printf("Your kernel supports %d capabilities.\n", cnt); |
| 256 | 258 | ||
| 257 | for (i = 0; i < elems; i++) { | 259 | for (i = 0; i < elems; i++) { |
diff --git a/src/firejail/list.c b/src/firejail/list.c index 73feb48aa..b7c0b5264 100644 --- a/src/firejail/list.c +++ b/src/firejail/list.c | |||
| @@ -21,6 +21,7 @@ | |||
| 21 | #include <sys/types.h> | 21 | #include <sys/types.h> |
| 22 | #include <sys/stat.h> | 22 | #include <sys/stat.h> |
| 23 | 23 | ||
| 24 | #if 0 | ||
| 24 | static void grsec_elevate_privileges(void) { | 25 | static void grsec_elevate_privileges(void) { |
| 25 | struct stat s; | 26 | struct stat s; |
| 26 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { | 27 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { |
| @@ -33,10 +34,10 @@ static void grsec_elevate_privileges(void) { | |||
| 33 | errExit("setregid"); | 34 | errExit("setregid"); |
| 34 | } | 35 | } |
| 35 | } | 36 | } |
| 37 | #endif | ||
| 36 | 38 | ||
| 37 | void top(void) { | 39 | void top(void) { |
| 38 | EUID_ASSERT(); | 40 | EUID_ASSERT(); |
| 39 | grsec_elevate_privileges(); | ||
| 40 | 41 | ||
| 41 | char *arg[4]; | 42 | char *arg[4]; |
| 42 | arg[0] = "bash"; | 43 | arg[0] = "bash"; |
| @@ -48,7 +49,7 @@ void top(void) { | |||
| 48 | 49 | ||
| 49 | void netstats(void) { | 50 | void netstats(void) { |
| 50 | EUID_ASSERT(); | 51 | EUID_ASSERT(); |
| 51 | grsec_elevate_privileges(); | 52 | // grsec_elevate_privileges(); |
| 52 | 53 | ||
| 53 | char *arg[4]; | 54 | char *arg[4]; |
| 54 | arg[0] = "bash"; | 55 | arg[0] = "bash"; |
| @@ -60,7 +61,6 @@ void netstats(void) { | |||
| 60 | 61 | ||
| 61 | void list(void) { | 62 | void list(void) { |
| 62 | EUID_ASSERT(); | 63 | EUID_ASSERT(); |
| 63 | grsec_elevate_privileges(); | ||
| 64 | 64 | ||
| 65 | char *arg[4]; | 65 | char *arg[4]; |
| 66 | arg[0] = "bash"; | 66 | arg[0] = "bash"; |
| @@ -72,7 +72,6 @@ void list(void) { | |||
| 72 | 72 | ||
| 73 | void tree(void) { | 73 | void tree(void) { |
| 74 | EUID_ASSERT(); | 74 | EUID_ASSERT(); |
| 75 | grsec_elevate_privileges(); | ||
| 76 | 75 | ||
| 77 | char *arg[4]; | 76 | char *arg[4]; |
| 78 | arg[0] = "bash"; | 77 | arg[0] = "bash"; |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index d148c1f40..22e23d148 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -131,7 +131,7 @@ static void chk_chroot(void) { | |||
| 131 | } | 131 | } |
| 132 | 132 | ||
| 133 | static int monitor_application(pid_t app_pid) { | 133 | static int monitor_application(pid_t app_pid) { |
| 134 | 134 | EUID_USER(); | |
| 135 | 135 | ||
| 136 | int status; | 136 | int status; |
| 137 | while (app_pid) { | 137 | while (app_pid) { |
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c index 9c3558362..3140c5f70 100644 --- a/src/firemon/firemon.c +++ b/src/firemon/firemon.c | |||
| @@ -112,12 +112,6 @@ int main(int argc, char **argv) { | |||
| 112 | unsigned pid = 0; | 112 | unsigned pid = 0; |
| 113 | int i; | 113 | int i; |
| 114 | 114 | ||
| 115 | struct stat s; | ||
| 116 | if (getuid() != 0 &&stat("/proc/sys/kernel/grsecurity", &s) == 0) { | ||
| 117 | fprintf(stderr, "Error: on Grsecurity systems only root user can run this program\n"); | ||
| 118 | exit(1); | ||
| 119 | } | ||
| 120 | |||
| 121 | // handle CTRL-C | 115 | // handle CTRL-C |
| 122 | signal (SIGINT, my_handler); | 116 | signal (SIGINT, my_handler); |
| 123 | signal (SIGTERM, my_handler); | 117 | signal (SIGTERM, my_handler); |
| @@ -143,6 +137,12 @@ int main(int argc, char **argv) { | |||
| 143 | return 0; | 137 | return 0; |
| 144 | } | 138 | } |
| 145 | else if (strcmp(argv[i], "--netstats") == 0) { | 139 | else if (strcmp(argv[i], "--netstats") == 0) { |
| 140 | struct stat s; | ||
| 141 | if (getuid() != 0 && stat("/proc/sys/kernel/grsecurity", &s) == 0) { | ||
| 142 | fprintf(stderr, "Error: this feature is not available on Grsecurity systems\n"); | ||
| 143 | exit(1); | ||
| 144 | } | ||
| 145 | |||
| 146 | netstats(); | 146 | netstats(); |
| 147 | return 0; | 147 | return 0; |
| 148 | } | 148 | } |