grsecurity fix: check existing sandbox with euid set

author: netblue30 <netblue30@yahoo.com> 2016-04-04 08:36:16 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-04-04 08:36:16 -0400
commit: 93a42ba22071befc6e2a9f37666b4c51e2314213 (patch)
tree: 511bc4011808cf113455d6eb3f0566aa1d16c6e9 /src
parent: moving to 0.9.40-rc2 (diff)
download: firejail-93a42ba22071befc6e2a9f37666b4c51e2314213.tar.gz
firejail-93a42ba22071befc6e2a9f37666b4c51e2314213.tar.zst
firejail-93a42ba22071befc6e2a9f37666b4c51e2314213.zip
2 files changed, 6 insertions, 2 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 24efae814..477c6ac7d 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -701,7 +701,9 @@ int main(int argc, char **argv) {
                run_symlink(argc, argv);
        // check if we already have a sandbox running
+        EUID_ROOT();
        int rv = check_kernel_procs();
+        EUID_USER();
        if (rv == 0) {
                // if --force option is passed to the program, disregard the existing sandbox
                int found = 0;
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 9f9ace527..a9242f035 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -26,8 +26,10 @@
 // check process space for kernel processes
 // return 1 if found, 0 if not found
 int check_kernel_procs(void) {
-        EUID_ASSERT();
+        // we run this function with EUID set in order to detect grsecurity
-        
+        // only user processes are available in /proc when running grsecurity
+        // EUID_ASSERT();
        char *kern_proc[] = {
                "kthreadd",
                "ksoftirqd",
author	netblue30 <netblue30@yahoo.com>	2016-04-04 08:36:16 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-04-04 08:36:16 -0400
commit	93a42ba22071befc6e2a9f37666b4c51e2314213 (patch)
tree	511bc4011808cf113455d6eb3f0566aa1d16c6e9 /src
parent	moving to 0.9.40-rc2 (diff)
download	firejail-93a42ba22071befc6e2a9f37666b4c51e2314213.tar.gz firejail-93a42ba22071befc6e2a9f37666b4c51e2314213.tar.zst firejail-93a42ba22071befc6e2a9f37666b4c51e2314213.zip

diff --git a/src/firejail/main.c b/src/firejail/main.c index 24efae814..477c6ac7d 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -701,7 +701,9 @@ int main(int argc, char **argv) {
701	run_symlink(argc, argv);	701	run_symlink(argc, argv);
702		702
703	// check if we already have a sandbox running	703	// check if we already have a sandbox running
		704	EUID_ROOT();
704	int rv = check_kernel_procs();	705	int rv = check_kernel_procs();
		706	EUID_USER();
705	if (rv == 0) {	707	if (rv == 0) {
706	// if --force option is passed to the program, disregard the existing sandbox	708	// if --force option is passed to the program, disregard the existing sandbox
707	int found = 0;	709	int found = 0;


diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 9f9ace527..a9242f035 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c
@@ -26,8 +26,10 @@
26	// check process space for kernel processes	26	// check process space for kernel processes
27	// return 1 if found, 0 if not found	27	// return 1 if found, 0 if not found
28	int check_kernel_procs(void) {	28	int check_kernel_procs(void) {
29	EUID_ASSERT();	29	// we run this function with EUID set in order to detect grsecurity
30		30	// only user processes are available in /proc when running grsecurity
		31	// EUID_ASSERT();
		32
31	char *kern_proc[] = {	33	char *kern_proc[] = {
32	"kthreadd",	34	"kthreadd",
33	"ksoftirqd",	35	"ksoftirqd",